/*
 * VXVault_match
 *
 * Fires when the scanned data contains any one of the payload URLs listed
 * below, either as plain ASCII or in YARA's "wide" form (two bytes per
 * character).
 *
 * Points to keep in mind when deploying or triaging hits:
 *   - The match is a literal substring test. A hit says only that the URL
 *     text is present in the data; URL blocklists, proxy or browser logs,
 *     analyst notes and copies of this rule file will match too.
 *   - No string uses `fullword`, so a listed URL also matches as the start
 *     of a longer one (for example $url1, ending in "/x86", is also found
 *     inside the same host's "/x86_64" path).
 *   - No string uses `nocase`; a differently-cased scheme, host or path
 *     will not match.
 *   - Several entries sit on shared hosting (github.com,
 *     raw.githubusercontent.com, files.catbox.moe). The indicator is the
 *     full path, not the host.
 *   - The list is a snapshot dated by meta `updated`. That value is
 *     ambiguous between DD/MM/YYYY and MM/DD/YYYY - TODO confirm the format
 *     used by the generator.
 *   - NOTE(review): $url61 ends in '^', which looks like a feed or escaping
 *     artifact. As written it only matches when the caret is present;
 *     verify against the upstream list.
 */
rule VXVault_match
{
    meta:
        author = "iam-py-test"
        description = "Autogenerated YARA rule checking for URLs listed in VXVault"
        updated = "08/02/2026"

    strings:
        // One literal per listed URL; identifiers are kept as generated so
        // that per-string match output stays comparable between releases.
        $url1 = "http://45.133.74.103/x86" ascii wide
        $url2 = "https://marsalek.cy/static/abcfg.exe" ascii wide
        $url3 = "https://marsalek.cy/static/Pjibf2.exe" ascii wide
        $url4 = "http://190.198.218.210:1171/i" ascii wide
        $url5 = "http://176.97.210.242/bins/skid.x86" ascii wide
        $url6 = "https://raw.githubusercontent.com/lenkonftw/Project-Admini/refs/heads/main/pdf.exe" ascii wide
        $url7 = "https://raw.githubusercontent.com/lenkonftw/Project-Admini/refs/heads/main/decryptor.exe" ascii wide
        $url8 = "http://86.54.24.29/Renewable.exe" ascii wide
        $url9 = "http://178.16.55.189/amka/random.exe" ascii wide
        $url10 = "http://178.16.55.189/files/unique2/random.exe" ascii wide
        $url11 = "http://178.16.55.189/modka/duna.exe" ascii wide
        $url12 = "http://178.16.55.189/files/mr/random.exe" ascii wide
        $url13 = "http://178.16.55.189/files/8233900432/o7Hjuu7.exe" ascii wide
        $url14 = "http://216.126.239.11/alfa.exe" ascii wide
        $url15 = "http://172.86.123.179/inihiddenngentod/zerobotv9.x86_64" ascii wide
        $url16 = "https://bdddda.cfd/ddq1.exe" ascii wide
        $url17 = "https://hody-musique.com/modules/blog/oc.exe" ascii wide
        $url18 = "http://62.60.226.16:5553/dva.exe" ascii wide
        $url19 = "https://i-slept-with-ur.mom/Stb/Retev.php?bl=TGPEbjtXDrfj2U5fJTPRE008.txt" ascii wide
        $url20 = "https://vcc-library.uk/Stb/Retev.php?bl=QTuVl0PCseGLafunsZPRE008.txt" ascii wide
        $url21 = "http://176.46.152.62:5858/7526e77af84e4d3da650295a11488a99_crypted_build.exe" ascii wide
        $url22 = "http://178.16.55.189/files/6331503294/nGFFa2Q.exe" ascii wide
        $url23 = "http://178.16.55.189/files/5917492177/Mwt6qk5.exe" ascii wide
        $url24 = "http://144.172.107.244/frost.x86_64" ascii wide
        $url25 = "http://162.0.225.149/XjeelShZ/build.exe" ascii wide
        $url26 = "http://108.181.161.143:1911/build.exe" ascii wide
        $url27 = "http://178.16.55.189/files/7968590541/T7V02QZ.exe" ascii wide
        $url28 = "http://185.238.191.89:5554/beba.exe" ascii wide
        $url29 = "http://94.154.34.240:8000/Muzul.exe" ascii wide
        $url30 = "http://94.154.34.240:8000/Manya.exe" ascii wide
        $url31 = "http://94.154.34.240:8000/atrix.exe" ascii wide
        $url32 = "http://94.154.34.240:8000/linux.exe" ascii wide
        $url33 = "http://213.209.150.48/arm7" ascii wide
        $url34 = "http://185.39.207.117/ppc" ascii wide
        $url35 = "http://103.175.16.117/mips" ascii wide
        $url36 = "http://31.170.22.205/bins/whisper.x64" ascii wide
        $url37 = "http://196.251.115.212/x86_64" ascii wide
        $url38 = "https://github.com/deripascod/coderoom/raw/refs/heads/main/kythkkaewdth.exe" ascii wide
        $url39 = "https://raw.githubusercontent.com/XeroxzB/weqeq/main/XClient.exe" ascii wide
        $url40 = "http://62.60.226.112/file/590_9883.exe" ascii wide
        $url41 = "https://recursoscompartidos.xyz/pora/csc.exe" ascii wide
        $url42 = "http://176.65.134.5/arm" ascii wide
        $url43 = "http://176.65.134.62/bins/morte.x86" ascii wide
        $url44 = "http://hybridemails.ae/esign-app.exe" ascii wide
        $url45 = "http://37.44.238.88/l7vmra" ascii wide
        $url46 = "http://37.44.238.88/spim" ascii wide
        $url47 = "http://185.232.205.104/bins/g4za.arm7" ascii wide
        $url48 = "https://github.com/temperloin/piponis/raw/refs/heads/main/plrifjidicfid.exe" ascii wide
        $url49 = "https://github.com/temperloin/piponis/raw/refs/heads/main/jtunuhhrr.exe" ascii wide
        $url50 = "https://github.com/temperloin/piponis/raw/refs/heads/main/jrirkfiweid.exe" ascii wide
        $url51 = "http://filter.trueddns.com:18066/x/encode/ntoskrnl.b64" ascii wide
        $url52 = "https://github.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/raw/refs/heads/main/Encryptor.exe" ascii wide
        $url53 = "http://194.37.81.64/Aqua.x86_64" ascii wide
        $url54 = "http://185.81.68.147/Build.exe" ascii wide
        $url55 = "http://185.81.68.147/zx.exe" ascii wide
        $url56 = "http://185.81.68.147/ssg.exe" ascii wide
        $url57 = "http://185.81.68.147/Update.exe" ascii wide
        $url58 = "https://kiltone.top/stelin/Gosjeufon.cpl" ascii wide
        $url59 = "https://dominikatracy.com/audidg.exe" ascii wide
        $url60 = "http://zakazbuketov.kz/audiodf.exe" ascii wide
        $url61 = "http://80.82.65.70/dl?name=mixthree.exe^" ascii wide
        $url62 = "http://176.113.115.37/ScreenUpdateSync.exe" ascii wide
        $url63 = "http://185.81.68.147/gfx.exe" ascii wide
        $url64 = "http://185.81.68.147/ctx.exe" ascii wide
        $url65 = "http://185.81.68.147/AsyncClient.exe" ascii wide
        $url66 = "http://185.81.68.147/fcxcx.exe" ascii wide
        $url67 = "http://185.81.68.147/vvv.exe" ascii wide
        $url68 = "http://185.215.113.16/inc/Dynpvoy.exe" ascii wide
        $url69 = "http://74.50.95.117/files/Pkaffth.exe" ascii wide
        $url70 = "http://74.50.95.117/files/Hkrrl.exe" ascii wide
        $url71 = "http://45.131.135.227/Captcha.exe" ascii wide
        $url72 = "http://185.7.78.88/bot.arm" ascii wide
        $url73 = "https://mapimwp.org/wp-content/images/pic8.jpg" ascii wide
        $url74 = "https://nasa.r2cloudhikepoo2.shop/NHFMUBEFH4C9ARNQC6U9.bin" ascii wide
        $url75 = "http://83.217.208.37/app/upd.exe" ascii wide
        $url76 = "https://durraactive.com.my/wp-content/images/pic11.jpg" ascii wide
        $url77 = "http://66.63.187.231/657/caspol.exe" ascii wide
        $url78 = "http://66.63.187.150/file/build3.exe" ascii wide
        $url79 = "http://66.63.187.150/file/build2.exe" ascii wide
        $url80 = "http://66.63.187.150/file/build.exe" ascii wide
        $url81 = "https://aquafusion.com.co/ngbx/ngown.exe" ascii wide
        $url82 = "http://59.99.215.146:49697/Mozi.m" ascii wide
        $url83 = "https://github.com/clipaCHEAT/chaaa/raw/refs/heads/main/Built.exe" ascii wide
        $url84 = "https://github.com/Abdulah345/pizdaporc/raw/refs/heads/main/XClient.exe" ascii wide
        $url85 = "https://newvideo.link/temp/xnsjjxja.exe" ascii wide
        $url86 = "http://185.215.113.16/off/def.exe" ascii wide
        $url87 = "https://dewatabalirental.com/4.exe" ascii wide
        $url88 = "https://dewatabalirental.com/3.exe" ascii wide
        $url89 = "https://dewatabalirental.com/2.exe" ascii wide
        $url90 = "https://dewatabalirental.com/1.exe" ascii wide
        $url91 = "https://samzafood.com.my/wp-content/images/pic5.jpg" ascii wide
        $url92 = "https://samzafood.com.my/wp-content/images/pic6.jpg" ascii wide
        $url93 = "https://bitwelly.design/2.exe" ascii wide
        $url94 = "https://bitwelly.design/1.exe" ascii wide
        $url95 = "http://assets.padmamuseum.gov.bd/css/7d26acda3d7c.exe" ascii wide
        $url96 = "http://72.5.42.222:8568/api/dll/zetta" ascii wide
        $url97 = "https://files.catbox.moe/rutcsx.dhj" ascii wide
        $url98 = "http://185.215.113.103/steam/random.exe" ascii wide
        $url99 = "http://185.215.113.103/test/num.exe" ascii wide
        $url100 = "http://185.215.113.103/luma/random.exe" ascii wide
        $url101 = "http://176.113.115.95/thebig/swf.exe" ascii wide

    condition:
        // Every string in this rule is named $url<N>, so this wildcard
        // selects the full set: one occurrence of any listed URL is enough.
        any of ($url*)
}