/* -------------------------
------ NanoCore ------------
--------------------------- */
rule NanoCoreByName
{
    // Literal product/module-style names associated with NanoCore.
    // A single case-insensitive hit is enough to fire.
    meta:
        author = "@neonprimetime"
        description = "NanoCore"
    strings:
        $name1 = "NanoCore Client" nocase
        $name2 = "NanoCore.Client" nocase
        $name3 = "NanoCoreBase" nocase
        $name4 = "NanoCoreSwiss" nocase
        $name5 = "NanoCoreStressTester" nocase
    condition:
        any of them
}
rule NanoCoreByKeyword
{
    // Weaker keyword set for NanoCore; three independent hits are required
    // because several tokens (e.g. "NanoScript") are plausible elsewhere.
    meta:
        author = "@neonprimetime"
        description = "NanoCore"
    strings:
        $kw1 = "NanoBrowser" nocase
        $kw2 = "NanoScript" nocase
        $kw3 = "SurveillanceEx" nocase
        $kw4 = "NanoCoreStressTester" nocase
        $kw5 = "accident-investigation.aero" nocase
        $kw6 = "KeyboardLogging" nocase
    condition:
        3 of them
}
/* -------------------------
------ Remcos RAT-----------
--------------------------- */
rule RemcosRATByName
{
    // Registry key, directory and version-banner fragments that spell out
    // the Remcos name; any one of them fires the rule.
    meta:
        author = "@neonprimetime"
        description = "Remcos RAT"
    strings:
        $name1 = "Software\\Remcos" nocase
        $name2 = "\\remcos\\" nocase
        $name3 = "REMCOS v" nocase
        $name4 = "Remcos_" nocase
    condition:
        any of them
}
rule RemcosRATByKeyword
{
    // Log/status messages and helper names seen alongside Remcos.
    // $kw8 is a reg.exe fragment that sets EnableLUA to 0 (UAC prompt
    // tampering); $kw3 ("Screenshots") is generic, hence the 3-hit threshold.
    meta:
        author = "@neonprimetime"
        description = "Remcos RAT"
    strings:
        $kw1 = "Keylogger Started" nocase
        $kw2 = "Connected to C&C" nocase
        $kw3 = "Screenshots" nocase
        $kw4 = "OpenCamera" nocase
        $kw5 = "Uploading file to C&C" nocase
        $kw6 = "Initializing connection to C&C" nocase
        $kw7 = "cleared!]" nocase
        $kw8 = "EnableLUA /t REG_DWORD /d 0" nocase
        $kw9 = "RemWatchdog" nocase
        $kw10 = "restarted by watchdog" nocase
    condition:
        3 of them
}
/* -------------------------
------ Revil/Sodinokibi Ransomware-----------
--------------------------- */
rule RevilRansomwareByName
{
    // Family name as it appears in the ransom note text and binary strings.
    meta:
        author = "@neonprimetime"
        description = "Revil/Sodinokibi Ransomware"
    strings:
        $name1 = "Sodinokibi" nocase
        $name2 = "For google: Revil" nocase
    condition:
        1 of them
}
rule RevilRansomwareByKeyword
{
    // Three short tokens; with three strings "3 of them" is the same as
    // requiring all of them, which is written explicitly here.
    meta:
        author = "@neonprimetime"
        description = "Revil/Sodinokibi Ransomware"
    strings:
        $kw1 = "decryptor.top" nocase
        $kw2 = "nbody" nocase
        $kw3 = "bedbg" nocase
    condition:
        all of them
}
/* -------------------------
------ NjRat -------------
--------------------------- */
rule NjRatByKeyword
{
    // $kw2 is the "|'|'|" field separator used in njRAT traffic/config;
    // $kw1 is a victim-counter prefix. Either alone fires the rule.
    meta:
        author = "@neonprimetime"
        description = "NjRat"
    strings:
        $kw1 = "vitimas_" nocase
        $kw2 = "|'|'||'|'|" nocase
    condition:
        any of them
}
/* -------------------------
------ Lokibot -------------
--------------------------- */
rule LokibotByKeyword
{
    // Fires on a Lokibot panel path outright, or on the generic gate
    // filename combined with at least one credential-store artefact.
    meta:
        author = "@neonprimetime"
        description = "Lokibot"
    strings:
        $panel1 = "five/fre.php" nocase
        $panel2 = "Panel/five" nocase
        $gate = "fre.php" nocase
        $loot1 = "Yandex\\YandexBrowser" nocase
        $loot2 = "\\Mozilla\\SeaMonkey\\profiles.ini" nocase
        $loot3 = "POP3 Password" nocase
        $loot4 = "Software\\SimonTatham\\PuTTY\\Sessions" nocase
        $loot5 = "EasyFTP\\data" nocase
        $loot6 = "aPLib v1.01" nocase
        $loot7 = "wcx_ftp.ini" nocase
    condition:
        any of ($panel*) or ($gate and any of ($loot*))
}
/* -------------------------
------ Revenge RAT -------------
--------------------------- */
rule RevengeRATByName
{
    // Family name as embedded in the client.
    meta:
        author = "@neonprimetime"
        description = "Revenge RAT"
    strings:
        $name = "Revenge-RAT" nocase
    condition:
        $name
}
rule RevengeRATByKeyword
{
    // Requires a .NET marker, a capture routine, a security-product WMI
    // class name and an environment-variable name together; none of the
    // parts is specific on its own.
    meta:
        author = "@neonprimetime"
        description = "Revenge RAT"
    strings:
        $cap1 = "Start Capture" nocase
        $cap2 = "CaptureScreen" nocase
        $net = ".NET" nocase
        $sec1 = "FirewallProduct" nocase
        $sec2 = "AntiVirusProduct" nocase
        $env = "USERDOMAIN=" nocase
    condition:
        $net and any of ($cap*) and any of ($sec*) and $env
}
/* -------------------------
------ BrushaLoader -------------
--------------------------- */
rule BrushaLoaderByKeyword
{
    // All three tokens are required. Note $tld is the bare 3-letter
    // substring "xyz", so the other two carry most of the specificity.
    meta:
        author = "@neonprimetime"
        description = "BrushaLoader"
    strings:
        $vbe = ".shellexecute" nocase
        $xyzdomain = "xyz" nocase
        $google = "www.google.com" nocase
    condition:
        all of them
}
/* -------------------------
------ Agent Tesla -------------
--------------------------- */
rule AgentTeslaByKeyword
{
    // External-IP lookup host + SMTP exfil hint + .NET marker.
    // NOTE(review): $ip1 "checkip.aws" differs from the "check-ip.aws."
    // form used in GenericIPLookup below — confirm which hostname is intended.
    meta:
        author = "@neonprimetime"
        description = "Agent Tesla"
    strings:
        $ip1 = "checkip.aws" nocase
        $ip2 = "checkip.amazon" nocase
        $smtp1 = "smtp." nocase
        $smtp2 = ":587" nocase
        $net = ".net" nocase
    condition:
        any of ($ip*) and any of ($smtp*) and $net
}
/* -------------------------
------ Trickbot ------------
--------------------------- */
rule TrickbotByKeyword
{
    // Mix of certificate-field names, browser-loot artefacts and a C++
    // runtime vendor string; three hits required.
    meta:
        author = "@neonprimetime"
        description = "Trickbot"
    strings:
        $kw1 = "serialNumber=" nocase
        $kw2 = "emailAddress=" nocase
        $kw3 = "/snapshot/" nocase
        $kw4 = "Login Data.bak" nocase
        $kw5 = "Grab_Passwords_Chrome" nocase
        $kw6 = "Dinkumware" nocase
        $kw7 = "tablecredit_cards" nocase
        $kw8 = "server_addresses" nocase
    condition:
        3 of them
}
/* -------------------------
------ Azorult -------------
--------------------------- */
rule AzorultByKeyword
{
    // Wallet/password targets plus a self-delete helper (timeout.exe)
    // and a .bit-resolver domain; three hits required.
    meta:
        author = "@neonprimetime"
        description = "Azorult"
    strings:
        $kw1 = "wallet.dat" nocase
        $kw2 = "PasswordsList.txt" nocase
        $kw3 = "timeout.exe" nocase
        $kw4 = "Wscript.Shell" nocase
        $kw5 = "dotbit.me" nocase
    condition:
        3 of them
}
/* -------------------------
------ Netwire -------------
--------------------------- */
rule NetwireByName
{
    // Registry path fragment carrying the family name.
    meta:
        author = "@neonprimetime"
        description = "Netwire"
    strings:
        $reg = "SOFTWARE\\NetWire" nocase
    condition:
        $reg
}
/* ------------------------------
-------- Emotet by Keyword -----
-------------------------- */
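rule EmotetByKeyword
{
    // Dropped-executable filenames observed for Emotet. Any one fires.
    // The original list declared "mailboxinbox.exe" twice ($string5 and
    // $string14); the duplicate is removed — match behaviour is unchanged.
    meta:
        author = "@neonprimetime"
        description = "Emotet Keyword"
    strings:
        $string1 = "acquiremailbox.exe" nocase
        $string2 = "fillmailbox.exe" nocase
        $string3 = "inboxmailbox.exe" nocase
        $string4 = "mailboxacquire.exe" nocase
        $string5 = "mailboxinbox.exe" nocase
        $string6 = "mailboxmailbox.exe" nocase
        $string7 = "manualmailbox.exe" nocase
        $string8 = "monthlymailbox.exe" nocase
        $string9 = "pdfmailbox.exe" nocase
        $string10 = "publishmailbox.exe" nocase
        $string11 = "deployinbox.exe" nocase
        $string12 = "inboxinbox.exe" nocase
        $string13 = "inboxnetsh.exe" nocase
        $string15 = "netshinbox.exe" nocase
        $string16 = "createatargets.exe" nocase
        $string17 = "ducktargets.exe" nocase
        $string18 = "restoretargets.exe" nocase
        $string19 = "sendtargets.exe" nocase
    condition:
        1 of them
}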
/* -------------------------
------ Phoenix Keylogger -------------
--------------------------- */
rule PhoenixKeyloggerByName
{
    // Family name literal.
    meta:
        author = "@neonprimetime"
        description = "Phoenix Keylogger"
    strings:
        $name = "Phoenix Keylogger" nocase
    condition:
        $name
}
/* -------------------------
------ BetaBot -------------
--------------------------- */
rule BetaBotByKeyword
{
    // Three handler names plus a form-grab field; every string must be
    // present, which keeps "ccnumber" from firing the rule on its own.
    meta:
        author = "@neonprimetime"
        description = "BetaBot"
    strings:
        $kw1 = "OnAsyncDestroy" nocase
        $kw2 = "OnDestroySubject" nocase
        $kw3 = "OnRemoveExisting" nocase
        $kw4 = "ccnumber" nocase
    condition:
        4 of them
}
/* -------------------------
------ Generic Malware -------------
--------------------------- */
rule GenericDotNetFramework
{
    // Case-sensitive marker for managed binaries; informational only,
    // it does not indicate malice by itself.
    meta:
        author = "@neonprimetime"
        description = "Generic .NET Framework detection"
    strings:
        $marker = ".NETFramework"
    condition:
        $marker
}
rule GenericBitcoinStealer
{
    // Wallet file names and directory fragments; any one fires.
    // Expect hits on legitimate wallet software as well.
    meta:
        author = "@neonprimetime"
        description = "Generic Bitcoin Stealer"
    strings:
        $w1 = "wallet.dat" nocase
        $w2 = "\\wallets\\" nocase
        $w3 = "\\Electrum" nocase
        $w4 = "Coins\\" nocase
        $w5 = "\\bitcoin" nocase
        $w6 = "\\monero" nocase
        $w7 = "electrum.dat" nocase
        $w8 = "wallet_path" nocase
    condition:
        any of them
}
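rule GenericUPXPacker
{
    // Bare, case-insensitive "UPX" token. Three letters will also appear
    // inside unrelated words; treat as a weak packer hint, not evidence.
    // Description fixed: "UpX packet" -> "UPX packer".
    meta:
        author = "@neonprimetime"
        description = "Generic UPX packer"
    strings:
        $string1 = "UPX" nocase
    condition:
        1 of them
}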
rule GenericAutoItPacker
{
    // Compiled-AutoIt hint; legitimate AutoIt programs hit as well.
    meta:
        author = "@neonprimetime"
        description = "Generic AutoItPacker"
    strings:
        $a1 = "AutoIt" nocase
        $a2 = "Auto-It" nocase
    condition:
        any of them
}
rule GenericCreditCardStealer
{
    // Form-field names typical of card-data grabbers; any one fires.
    meta:
        author = "@neonprimetime"
        description = "Generic Credit Card Stealer"
    strings:
        $f1 = "ccnumber" nocase
        $f2 = "expirationmonth" nocase
        $f3 = "monthexpiration" nocase
        $f4 = "card_number" nocase
        $f5 = "securitycode=" nocase
        $f6 = "=amex" nocase
        $f7 = "=visa" nocase
        $f8 = "cardnumber" nocase
    condition:
        any of them
}
rule GenericWebTraffic
{
    // HTTP request/response fragments. ".php" alone fires the rule, so
    // this is a triage tag rather than a detection.
    meta:
        author = "@neonprimetime"
        description = "Generic Web Traffic"
    strings:
        $h1 = "Server: lighttpd" nocase
        $h2 = "Host: %s" nocase
        $h3 = "POST %s" nocase
        $h4 = ".php" nocase
    condition:
        any of them
}
rule GenericNetworkTraffic
{
    // Loose "<dot><2-3 chars>:<port>" shape. The pattern contains no
    // letters, so the original nocase modifier had no effect and is dropped.
    meta:
        author = "@neonprimetime"
        description = "Generic Network Traffic"
    strings:
        $hostport = /\..{2,3}\:\d+/
    condition:
        $hostport
}
rule GenericScheduledTask
{
    // Name of the scheduled-task utility; common in benign scripts too.
    meta:
        author = "@neonprimetime"
        description = "Generic Scheduled Task"
    strings:
        $tool = "schtasks" nocase
    condition:
        $tool
}
rule GenericDomainFlag
{
    // Bare "/domain" switch; also appears in URLs and help text.
    meta:
        author = "@neonprimetime"
        description = "Generic Domain Flag from AD"
    strings:
        $flag = "/domain" nocase
    condition:
        $flag
}
rule GenericCreateFlag
{
    // Bare "/create" switch; also appears in URLs and help text.
    meta:
        author = "@neonprimetime"
        description = "Generic Create Flag from AD"
    strings:
        $flag = "/create" nocase
    condition:
        $flag
}
rule GenericAddFlag
{
    // Bare "/add" switch; also appears in URLs and help text.
    meta:
        author = "@neonprimetime"
        description = "Generic Add Flag from AD"
    strings:
        $flag = "/add" nocase
    condition:
        $flag
}
rule GenericSpamMailer
{
    // Any one of these fires; ":587" and "smtp." occur in ordinary mail
    // client configuration, so expect benign hits.
    meta:
        author = "@neonprimetime"
        description = "Generic Spam Mailer"
    strings:
        $m1 = "SEND FROM:" nocase
        $m2 = ":587" nocase
        $m3 = "smtp." nocase
    condition:
        any of them
}
rule GenericIPLookup
{
    // Public "what is my IP" services used to report the victim address.
    meta:
        author = "@neonprimetime"
        description = "Generic IP Lookup"
    strings:
        $svc1 = "checkip.amazonaws.com" nocase
        $svc2 = "check-ip.aws." nocase
        $svc3 = "ipecho.net" nocase
    condition:
        any of them
}
rule GenericWebcamAccess
{
    // Camera-related identifiers; any one fires.
    meta:
        author = "@neonprimetime"
        description = "Generic Webcam Access"
    strings:
        $cam1 = "webcam" nocase
        $cam2 = "OpenCamera" nocase
        $cam3 = "CloseCamera" nocase
    condition:
        any of them
}
rule GenericScreenCapture
{
    // Single routine name.
    meta:
        author = "@neonprimetime"
        description = "Generic Screen Capture"
    strings:
        $cap = "CaptureScreen" nocase
    condition:
        $cap
}
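rule GenericCredentialStealer
{
    // Credential-store paths, SQLite schema fragments and helper names.
    // Any one fires. Three redundant entries from the original list are
    // removed without changing what the rule matches: $string24 was an
    // exact duplicate of $string21, and "\\Login Data" / "\\HTTP Password"
    // are already covered by the shorter "Login Data" / "HTTP Password".
    meta:
        author = "@neonprimetime"
        description = "Generic Credential Stealer"
    strings:
        $string1 = "Profiles\\Outlook" nocase
        $string2 = "Login Data" nocase
        $string3 = "encryptedPassword" nocase
        $string4 = "HTTP Password" nocase
        $string5 = "\\profiles.ini" nocase
        $string6 = "\\POP3 Password" nocase
        $string7 = "PuTTY\\Sessions" nocase
        $string8 = "EasyFTP\\data" nocase
        $string9 = "Ftplist.txt" nocase
        $string11 = "\\ws_ftp.ini" nocase
        $string13 = "\\accounts.ini" nocase
        $string14 = "\\accounts.dat" nocase
        $string15 = "CREATE TABLE logins" nocase
        $string16 = "CREATE INDEX logins_signon" nocase
        $string17 = "DecryptIePassword" nocase
        $string18 = "GetSavedPasswords" nocase
        $string19 = "\\Passwords\\" nocase
        $string20 = "WinSCP 2\\Sessions" nocase
        $string22 = "\\IMAP Password" nocase
        $string23 = "\\SMTP Password" nocase
        $string25 = "[passwords]" nocase
        $string26 = "login-form" nocase
        $string27 = "recentservers.xml" nocase
        $string28 = "type=passwords" nocase
        $string29 = "user-password" nocase
        $string30 = "PasswordsList.txt" nocase
    condition:
        1 of them
}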
rule GenericBrowserHistoryStealer
{
    // SQL fragments for the Chromium "urls" and Firefox "moz_places" tables.
    meta:
        author = "@neonprimetime"
        description = "Generic Browser History Stealer"
    strings:
        $sql1 = "from urls" nocase
        $sql2 = "from moz_places" nocase
    condition:
        any of them
}
rule GenericDataStealer
{
    // Vendor/profile directory names of browsers, mail, FTP and IM clients,
    // plus a few loot artefacts. Any one fires, and several entries
    // ("\\User Data", "Google\\", "Mozilla\\", "Apple Computer\\") occur in
    // ordinary software, so use this as a triage tag only.
    meta:
        author = "@neonprimetime"
        description = "Generic Data Stealer"
    strings:
        $s1 = "\\User Data" nocase
        $s2 = "360Chrome\\" nocase
        $s3 = "7Star\\" nocase
        $s4 = "Cyberfox\\" nocase
        $s5 = "Amigo\\" nocase
        $s6 = "Apple Computer\\" nocase
        $s7 = "BraveSoftware\\" nocase
        $s8 = "CatalinaGroup\\" nocase
        $s9 = "CentBrowser\\" nocase
        $s10 = "Chedot\\" nocase
        $s11 = "Chromium\\" nocase
        $s12 = "Claws-mail\\" nocase
        $s13 = "CocCoc\\" nocase
        $s14 = "Comodo\\" nocase
        $s15 = "Coowon\\" nocase
        $s16 = "CoreFTP\\" nocase
        $s17 = "Elements Browser\\" nocase
        $s18 = "Epic Privacy Browser\\" nocase
        $s19 = "falkon\\" nocase
        $s20 = "Fenrir Inc\\" nocase
        $s21 = "FileZilla\\" nocase
        $s22 = "Flock\\" nocase
        $s23 = "FTPGetter\\" nocase
        $s24 = "Google\\" nocase
        $s25 = "Ipswitch\\" nocase
        $s26 = "Iridium\\" nocase
        $s27 = "K-Meleon\\" nocase
        $s28 = "Kometa\\" nocase
        $s29 = "liebao\\" nocase
        $s30 = "MapleStudio\\" nocase
        $s31 = "Moonchild Productions\\" nocase
        $s32 = "Mozilla\\" nocase
        $s33 = "NETGATE Technologies\\" nocase
        $s34 = "Opera Mail\\" nocase
        $s35 = "Opera Software\\" nocase
        $s36 = "Orbitum\\" nocase
        $s37 = "Pocomail\\" nocase
        $s38 = "Postbox\\" nocase
        $s39 = "Psi\\" nocase
        $s40 = "Psi+\\" nocase
        $s41 = "QIP Surf\\" nocase
        $s42 = "SmartFTP\\" nocase
        $s43 = "Sputnik\\" nocase
        $s44 = "Tencent\\" nocase
        $s45 = "The Bat!" nocase
        $s46 = "Thunderbird\\" nocase
        $s47 = "Torch\\" nocase
        $s48 = "Trillian\\" nocase
        $s49 = "UCBrowser\\" nocase
        $s50 = "uCozMedia\\" nocase
        $s51 = "VirtualStore\\" nocase
        $s52 = "Vivaldi\\" nocase
        $s53 = "Waterfox\\" nocase
        $s54 = "Yandex\\" nocase
        $s55 = "keychain.plist" nocase
        $s56 = "GetSavedCookies" nocase
        $s57 = "wcx_ftp.ini" nocase
        $s58 = "Start Capture" nocase
        $s59 = "\\accounts.xml" nocase
        $s60 = "\\places.sqlite" nocase
        $s61 = "cookies.sqlite" nocase
    condition:
        any of them
}
rule GenericDeletesItself
{
    // Shell fragments used to remove a file after execution; any one fires.
    meta:
        author = "@neonprimetime"
        description = "Generic Deletes Itself"
    strings:
        $d1 = "DEL /s" nocase
        $d2 = "cmd /c del" nocase
        $d3 = "deleteSelf" nocase
        $d4 = "/c del %s" nocase
        $d5 = "%del" nocase
        $d6 = "& del" nocase
    condition:
        any of them
}
rule GenericMaliciousCommand
{
    // NOTE(review): the Windows environment variable is spelled "ComSpec";
    // "CompSpec" as written will not match it even with nocase — confirm
    // the intended token before relying on this rule.
    meta:
        author = "@neonprimetime"
        description = "Generic Malicious Command"
    strings:
        $token = "CompSpec" nocase
    condition:
        $token
}
rule GenericKeylogger
{
    // Keystroke-log markers and bracketed key names; any one fires.
    meta:
        author = "@neonprimetime"
        description = "Generic Keylogger"
    strings:
        $k1 = "Keylog" nocase
        $k2 = "KeyboardLogging" nocase
        $k3 = "[Enter]" nocase
        $k4 = "[Ctrl + C]" nocase
        $k5 = "[Ctrl + V]" nocase
    condition:
        any of them
}
rule GenericDelay
{
    // "ping <local address>" used as a sleep substitute in batch scripts.
    meta:
        author = "@neonprimetime"
        description = "Generic Delay"
    strings:
        $p1 = "ping 192" nocase
        $p2 = "ping 127" nocase
    condition:
        any of them
}
rule GenericSecurityToolDetection
{
    // WQL fragments querying installed firewall / antivirus products.
    meta:
        author = "@neonprimetime"
        description = "Generic Security Tool Detection"
    strings:
        $q1 = "FROM FirewallProduct" nocase
        $q2 = "from AntiVirusProduct" nocase
    condition:
        any of them
}
rule GenericDisableAntivirus
{
    // Defender preference names and the cmdlet that sets them; any one
    // fires. Administrative scripts will also contain these.
    meta:
        author = "@neonprimetime"
        description = "Generic Disable AntiVirus"
    strings:
        $pref1 = "DisableBehaviorMonitoring" nocase
        $pref2 = "DisableOnAccessProtection" nocase
        $pref3 = "DisableScanOnRealtime" nocase
        $pref4 = "DisableRealtimeMonitoring" nocase
        $pref5 = "DisableBlockAtFirstSeen" nocase
        $pref6 = "DisableIOAVProtection" nocase
        $pref7 = "DisableAntiSpyware" nocase
        $pref8 = "DisableArchiveScanning" nocase
        $pref9 = "DisableScriptScanning" nocase
        $cmdlet = "Set-MpPreference" nocase
    condition:
        any of them
}
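rule GenericFirewallModification
{
    // netsh firewall-rule fragments; any one fires.
    // Description fixed: "Modifiction" -> "Modification".
    meta:
        author = "@neonprimetime"
        description = "Generic Firewall Modification"
    strings:
        $string1 = "netsh advfirewall" nocase
        $string2 = "firewall add" nocase
    condition:
        1 of them
}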
rule GenericPHPPanel
{
    // Common C2 gate script names; any one fires.
    meta:
        author = "@neonprimetime"
        description = "Generic PHP Panel"
    strings:
        $gate1 = "/gate.php" nocase
        $gate2 = "/fre.php" nocase
    condition:
        any of them
}
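rule GenericBase64
{
    // Base64 padding ("==") immediately followed by CRLF, a shape typical
    // of line-wrapped encoded blobs. Description fixed: the original
    // carried the copy-pasted text "Generic PHP Panel". The pattern has no
    // letters, so the nocase modifier had no effect and is dropped.
    meta:
        author = "@neonprimetime"
        description = "Generic Base64"
    strings:
        $string1 = /\=\=\r\n/
    condition:
        1 of them
}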
rule GenericDynamicDns
{
    // Free dynamic-DNS suffix frequently used for C2 hostnames.
    meta:
        author = "@neonprimetime"
        description = "Generic Dynamic DNS"
    strings:
        $ddns = ".duckdns.org" nocase
    condition:
        $ddns
}
rule GenericVisualBasicScript
{
    // VBScript/WSH object and call fragments; any one fires. Plain admin
    // scripts also contain most of these.
    meta:
        author = "@neonprimetime"
        description = "Generic Visual Basic Script"
    strings:
        $vb1 = ".shellexecute" nocase
        $vb2 = "shell.application" nocase
        $vb3 = "Wscript.Sleep" nocase
        $vb4 = "ExecuteGlobal" nocase
        $vb5 = "Shell.run" nocase
        $vb6 = "Scripting.FileSystemObject" nocase
        $vb7 = ":::const " nocase
        $vb8 = "vbscontent" nocase
        $vb9 = "Execute(" nocase
        $vb10 = "ChrW(48) & ChrW(" nocase
        $vb11 = "ChrW(48)&ChrW(" nocase
    condition:
        any of them
}
rule GenericHackerTerms
{
    // Variable-name style tokens; any one fires.
    meta:
        author = "@neonprimetime"
        description = "Generic Hacker Terms"
    strings:
        $t1 = "payloadpath" nocase
        $t2 = "payloadexist" nocase
    condition:
        any of them
}
rule GenericAntiDebug
{
    // Imported API name used to detect an attached debugger.
    meta:
        author = "@neonprimetime"
        description = "Generic Anti Debug techniques"
    strings:
        $api = "CheckRemoteDebuggerPresent" nocase
    condition:
        $api
}
rule GenericTor
{
    // Tor project / hidden-service references; any one fires.
    meta:
        author = "@neonprimetime"
        description = "Generic Tor Dark Web"
    strings:
        $tor1 = "torproject.org" nocase
        $tor2 = ".onion" nocase
        $tor3 = "TOR browser" nocase
    condition:
        any of them
}
rule GenericPasswordList
{
    // Entries typical of embedded brute-force wordlists; any one fires.
    // The original declared two strings on one line; one per line here.
    meta:
        author = "@neonprimetime"
        description = "Generic Password List"
    strings:
        $pw1 = "peternorth" nocase
        $pw2 = "motherfucker" nocase
        $pw3 = "pimpdaddy" nocase
        $pw4 = "ihavenopass" nocase
        $pw5 = "fuckoff" nocase
        $pw6 = "dickhead" nocase
        $pw7 = "passw0rd" nocase
        $pw8 = "changeme" nocase
    condition:
        any of them
}
rule GenericUserAgent
{
    // Command-line HTTP client user agents; any one fires.
    meta:
        author = "@neonprimetime"
        description = "Generic User Agents oddities"
    strings:
        $ua1 = "User-Agent: curl" nocase
        $ua2 = "User-Agent: wget" nocase
    condition:
        any of them
}
rule GenericWebServer
{
    // Lower-case server names, matched case-sensitively (no nocase), so
    // "Apache" or "NGINX" in a banner will not hit.
    meta:
        author = "@neonprimetime"
        description = "Generic Web Server info"
    strings:
        $srv1 = "nginx"
        $srv2 = "apache"
    condition:
        any of them
}