diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple
index b5af98f31..6e5e1614f 100644
--- a/tests/linux/2021.FontOnLake/45E9.elf.simple
+++ b/tests/linux/2021.FontOnLake/45E9.elf.simple
@@ -1,4 +1,5 @@
 # linux/2021.FontOnLake/45E9.elf: critical
+3P/elastic/rootkit: high
 3P/elastic/rootkit_fontonlake: critical
 anti-static/packer/upx: high
 c2/addr/ip: high
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff
index 51b89261a..00f6b179e 100644
Binary files a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff and b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff differ
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
index b3befcc33..6a76d5292 100644
Binary files a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff and b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff differ
diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple b/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple
index 0f76eff0d..25fc2cb5d 100644
--- a/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple
+++ b/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple
@@ -1,8 +1,6 @@
 # macOS/2023.3CX/libffmpeg.dirty.dylib: critical
 3P/sig_base/3cxdesktopapp_backdoor: critical
 3P/sig_base/nk_3cx_dylib: critical
-3P/sig_base/susp_xored_mozilla: critical
-3P/volexity/iconic: critical
 anti-static/xor/user_agent: critical
 c2/addr/url: low
 c2/tool_transfer/arch: low
diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff
index b3befcc33..6a76d5292 100644
Binary files a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff and b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff differ
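Review bot: The libffmpeg.dirty.dylib.simple hunk records a loss of detection coverage on the 3CX sample — the expected hits `3P/sig_base/susp_xored_mozilla: critical` and `3P/volexity/iconic: critical` are dropped — without anything in the commit saying why. Presumably the 20241215 YARA Forge refresh removed, renamed or re-scored those two upstream rules, but it could equally be that the bundled copies stopped matching; the fixture update should say which, since it now locks in the reduced coverage. The file-level verdict stays critical only because the two remaining sig_base rules still fire, so a future regression in those would go unnoticed by this fixture. A one-line note in the commit message naming the upstream rule change (or a link to it) would make the drop auditable.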
diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff
index b3befcc33..6a76d5292 100644
Binary files a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff and b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff differ
diff --git a/tests/windows/2024.aspdasdksa2/callback.bat.json b/tests/windows/2024.aspdasdksa2/callback.bat.json
index f16a7eb3b..79aa78a6c 100644
--- a/tests/windows/2024.aspdasdksa2/callback.bat.json
+++ b/tests/windows/2024.aspdasdksa2/callback.bat.json
@@ -12,11 +12,11 @@
 ],
 "RiskScore": 4,
 "RiskLevel": "CRITICAL",
- "RuleURL": "https://github.com/Neo23x0/signature-base/blob/b1bc331bada41a30f3b2f8943e750798f7aaa1a9/yara/gen_powershell_susp.yar#L52-L91",
+ "RuleURL": "https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_powershell_susp.yar#L52-L91",
 "ReferenceURL": "Internal%20Research",
 "RuleAuthor": "Florian Roth (Nextron Systems)",
 "RuleLicense": "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE",
- "RuleLicenseURL": "https://github.com/Neo23x0/signature-base/blob/b1bc331bada41a30f3b2f8943e750798f7aaa1a9/LICENSE",
+ "RuleLicenseURL": "https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/LICENSE",
 "ID": "3P/sig_base/powershell_webdownload",
 "RuleName": "SIGNATURE_BASE_Suspicious_Powershell_Webdownload_1"
 },
diff --git a/third_party/yara/YARAForge/RELEASE b/third_party/yara/YARAForge/RELEASE
index f4039d392..565e340cc 100644
--- a/third_party/yara/YARAForge/RELEASE
+++ b/third_party/yara/YARAForge/RELEASE
@@ -1 +1 @@
-20241208
+20241215
diff --git a/third_party/yara/YARAForge/yara-rules-full.yar b/third_party/yara/YARAForge/yara-rules-full.yar
index 06fb55eb7..bd8ac24e0 100644
--- a/third_party/yara/YARAForge/yara-rules-full.yar
+++ b/third_party/yara/YARAForge/yara-rules-full.yar
@@ -12,15 +12,15 @@ * Force Exclude Importance Level: 0 * Minimum Age (in days): 0 * Minimum Score: 40 - * Creation Date: 2024-12-08 - * Number of Rules: 12311 + * Creation Date: 2024-12-15 + * Number of Rules: 12313 * Skipped: 0 (age), 222 (quality), 7 (score), 0 (importance) */ /* * YARA Rule Set * Repository Name: ReversingLabs * Repository: https://github.com/reversinglabs/reversinglabs-yara-rules/ - * Retrieval Date: 2024-12-08 + * Retrieval Date: 2024-12-15 * Git Commit: 9bcb61c86aa4583e393269828225349a81ea08a4 * Number of Rules: 1218 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -55,13 +55,13 @@ rule REVERSINGLABS_Win32_Exploit_CVE20200601 : TC_DETECTION MALICIOUS EXPLOIT CV meta: description = "Yara rule that detects CVE-2020-0601 exploit." author = "ReversingLabs" - id = "6a03fd5e-3b7f-5b71-b897-5cac81721a56" + id = "c97026c5-0147-569b-a369-8eaa747f213f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/exploit/Win32.Exploit.CVE20200601.yara#L3-L253" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e4d915560ad72e0fde63276f9ffece00535c7983125efaa8298adc11d5e54817" + logic_hash = "v1_sha256_e4d915560ad72e0fde63276f9ffece00535c7983125efaa8298adc11d5e54817" score = 75 quality = 88 tags = "TC_DETECTION, MALICIOUS, EXPLOIT, CVE-2020-0601, FILE" 
@@ -274,20 +274,20 @@ rule REVERSINGLABS_Win32_Exploit_CVE20200601 : TC_DETECTION MALICIOUS EXPLOIT CV } condition: - uint16(0)==0x5A4D and ($oid_prime_explicit) and ( any of ($ecc_public_key_*)) and (pe.number_of_signatures>0) + uint16( 0 ) == 0x5A4D and ( $oid_prime_explicit ) and ( any of ( $ecc_public_key_* ) ) and ( pe.number_of_signatures > 0 ) } rule REVERSINGLABS_Linux_Backdoor_GTPDOOR : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GTPDOOR backdoor." author = "ReversingLabs" - id = "9e6df856-fe54-504c-8530-321adc91cd5a" + id = "4c2a886c-7a59-5e99-972f-8513d229f4d9" date = "2024-09-10" modified = "2024-09-10" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Backdoor.GTPDOOR.yara#L1-L264" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b7b4b33b7838142e34c6d02260b6585305c4730c90e12b1adc099f9aeecf071a" + logic_hash = "v1_sha256_b7b4b33b7838142e34c6d02260b6585305c4730c90e12b1adc099f9aeecf071a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -504,20 +504,20 @@ rule REVERSINGLABS_Linux_Backdoor_GTPDOOR : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint32(0)==0x464C457F and ((( all of ($send_result_to_peer_v1_p*)) and ($execute_remote_command_v1) and ( all of ($send_reply_v1_p*)) and ($daemon_already_running_check_v1)) or (( all of ($send_result_to_peer_v2_p*)) and ($execute_remote_command_v2) and ( all of ($main_routine_v2_p*)))) + uint32( 0 ) == 0x464C457F and ( ( ( all of ( $send_result_to_peer_v1_p* ) ) and ( $execute_remote_command_v1 ) and ( all of ( $send_reply_v1_p* ) ) and ( $daemon_already_running_check_v1 ) ) or ( ( all of ( $send_result_to_peer_v2_p* ) ) and ( $execute_remote_command_v2 ) and ( all of ( $main_routine_v2_p* ) ) ) ) } rule REVERSINGLABS_Win64_Backdoor_Voldemort : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Voldemort backdoor." author = "ReversingLabs" - id = "d770bd79-5141-50a0-8cf7-bca1cf5f23e1" + id = "6c681727-7dd8-5780-9545-0750a5163bb1" date = "2024-10-09" modified = "2024-10-09" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win64.Backdoor.Voldemort.yara#L1-L208" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1fe2abe17436d2965e34d1f10223af50d9600809fdef234e7d89c74fa33228a9" + logic_hash = "v1_sha256_1fe2abe17436d2965e34d1f10223af50d9600809fdef234e7d89c74fa33228a9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -693,20 +693,20 @@ rule REVERSINGLABS_Win64_Backdoor_Voldemort : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($decrypt_configuration_p*)) and ($decryption_algorithm) and ( all of ($request_access_token_p*)) and ( all of ($network_communication_p*)) and ( all of ($download_data_from_c2_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $decrypt_configuration_p* ) ) and ( $decryption_algorithm ) and ( all of ( $request_access_token_p* ) ) and ( all of ( $network_communication_p* ) ) and ( all of ( $download_data_from_c2_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Njrat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects NjRAT backdoor." author = "ReversingLabs" - id = "578c813f-4bba-52cd-bcc7-4de2c3943cf7" + id = "28f657a1-3290-599f-b2fc-677f07520873" date = "2024-07-31" modified = "2024-07-31" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.NjRAT.yara#L1-L266" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "eeecf90965e6952d8b9efc9d1e96eaa47709b1d69fc7d435f4aebaaf0191f317" + logic_hash = "v1_sha256_eeecf90965e6952d8b9efc9d1e96eaa47709b1d69fc7d435f4aebaaf0191f317" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -923,20 +923,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Njrat : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ((( all of ($persistence_mechanism_v1_p*)) and ( all of ($connect_v1_p*)) and ($send_v1) and ( all of ($receive_v1_p*))) or (($connect_v2) and ($receive_v2) and ( all of ($get_system_information_v2_p*)) and ($send_v2))) + uint16( 0 ) == 0x5A4D and ( ( ( all of ( $persistence_mechanism_v1_p* ) ) and ( all of ( $connect_v1_p* ) ) and ( $send_v1 ) and ( all of ( $receive_v1_p* ) ) ) or ( ( $connect_v2 ) and ( $receive_v2 ) and ( all of ( $get_system_information_v2_p* ) ) and ( $send_v2 ) ) ) } rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Agentracoon : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects AgentRacoon backdoor." author = "ReversingLabs" - id = "ad74d530-ffbd-589f-b941-3a5d9ec737b6" + id = "f8b49ced-5a19-5837-b446-b6934e4ff6df" date = "2023-12-15" modified = "2023-12-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.AgentRacoon.yara#L1-L128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3ba73f19f59c2e5880df820c52f16997047d7299eb14d421ae2ed8f3790bcfe9" + logic_hash = "v1_sha256_3ba73f19f59c2e5880df820c52f16997047d7299eb14d421ae2ed8f3790bcfe9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -1036,20 +1036,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Agentracoon : TC_DETECTION MALICIOUS M } condition: - uint16(0)==0x5A4D and ( all of ($unpack_response_p*)) and ($upload) and ($perform_request) and ($get_txt_record) and ($main_loop) + uint16( 0 ) == 0x5A4D and ( all of ( $unpack_response_p* ) ) and ( $upload ) and ( $perform_request ) and ( $get_txt_record ) and ( $main_loop ) } rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Limerat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects LimeRAT backdoor." author = "ReversingLabs" - id = "c2ef6f27-3fb8-55f4-97a6-9e25a3d1ce49" + id = "7d124765-4fef-5f39-920c-447302378ff8" date = "2024-03-04" modified = "2024-03-04" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.LimeRAT.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "03eaa2ac41950f036601222b32a28c03aae3b3445501e988e2f87e231a1a1522" + logic_hash = "v1_sha256_03eaa2ac41950f036601222b32a28c03aae3b3445501e988e2f87e231a1a1522" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -1116,20 +1116,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Limerat : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and ($persistence_mechanism) and ($crypto_miner) and ($downloader) and ( all of ($network_communication_p*)) + uint16( 0 ) == 0x5A4D and ( $persistence_mechanism ) and ( $crypto_miner ) and ( $downloader ) and ( all of ( $network_communication_p* ) ) } rule REVERSINGLABS_Win32_Backdoor_Konni : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Konni backdoor." author = "ReversingLabs" - id = "6fe230b1-357a-54f7-a9a8-15d0369fec71" + id = "3adee6b6-f4a2-56fb-9de9-07b61006faa9" date = "2023-12-07" modified = "2023-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win32.Backdoor.Konni.yara#L1-L190" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7907a657d804d485718ba13bb23513de0b909e7d455c2b3ee193b5329edd3ac6" + logic_hash = "v1_sha256_7907a657d804d485718ba13bb23513de0b909e7d455c2b3ee193b5329edd3ac6" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -1291,20 +1291,20 @@ rule REVERSINGLABS_Win32_Backdoor_Konni : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($network_communication_p*)) and ( all of ($handle_c2_commands_p*)) and ( all of ($create_cab_file_and_upload_p*)) and ($cmd_expand_payload) + uint16( 0 ) == 0x5A4D and ( all of ( $network_communication_p* ) ) and ( all of ( $handle_c2_commands_p* ) ) and ( all of ( $create_cab_file_and_upload_p* ) ) and ( $cmd_expand_payload ) } rule REVERSINGLABS_Win64_Backdoor_Sidetwist : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects SideTwist backdoor." author = "ReversingLabs" - id = "979b442e-8739-54a8-b486-39fc5673791e" + id = "37766cd5-d063-5994-b1ca-fe511e60d4db" date = "2024-03-18" modified = "2024-03-18" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win64.Backdoor.SideTwist.yara#L1-L154" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "811fa73ede59493c71435743848a3fce3a1604ec4065ffcb0b43e9715dfa5c31" + logic_hash = "v1_sha256_811fa73ede59493c71435743848a3fce3a1604ec4065ffcb0b43e9715dfa5c31" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -1426,20 +1426,20 @@ rule REVERSINGLABS_Win64_Backdoor_Sidetwist : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($anti_sandbox_detect_environment) and ($collect_host_information) and ($contact_c2_server) and ($parse_c2_response) and ( all of ($download_file_from_c2_p*)) and ($reply_to_c2_server) + uint16( 0 ) == 0x5A4D and ( $anti_sandbox_detect_environment ) and ( $collect_host_information ) and ( $contact_c2_server ) and ( $parse_c2_response ) and ( all of ( $download_file_from_c2_p* ) ) and ( $reply_to_c2_server ) } rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Orcusrat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects OrcusRAT backdoor." author = "ReversingLabs" - id = "d4700cd1-73a4-552d-bc27-7408508a28e7" + id = "2045e507-5dd2-5b84-babb-ed28fc3993fc" date = "2024-09-10" modified = "2024-09-10" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.OrcusRAT.yara#L1-L134" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "17a85613e9e4c862ce81fee49065c250381dbf8a50cf07d496f5fd2c1b82d92e" + logic_hash = "v1_sha256_17a85613e9e4c862ce81fee49065c250381dbf8a50cf07d496f5fd2c1b82d92e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -1543,20 +1543,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Orcusrat : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and (($get_tcp_connections) or ( all of ($get_operating_system_information_p*)) or ($take_screenshot) or ($get_passwords) or ($process_key_action)) + uint16( 0 ) == 0x5A4D and ( ( $get_tcp_connections ) or ( all of ( $get_operating_system_information_p* ) ) or ( $take_screenshot ) or ( $get_passwords ) or ( $process_key_action ) ) } rule REVERSINGLABS_Win32_Backdoor_Minodo : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Minodo backdoor." author = "ReversingLabs" - id = "0eeff863-1a46-5b25-8780-5cd887e3b1e2" + id = "c215948c-79af-5f96-b975-0d3dcf304fad" date = "2023-06-07" modified = "2023-06-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win64.Backdoor.Minodo.yara#L1-L110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "807408699fe00c8d1170598050e533dd0d79bb170f2538b6b6227cda7410060b" + logic_hash = "v1_sha256_807408699fe00c8d1170598050e533dd0d79bb170f2538b6b6227cda7410060b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -1639,20 +1639,20 @@ rule REVERSINGLABS_Win32_Backdoor_Minodo : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($generate_system_id) and ($generate_encrypt_and_send_key) and ($get_encrypt_and_send_system_info) and ($copy_payload_into_allocated_memory) and ($execute_payload_from_temp) + uint16( 0 ) == 0x5A4D and ( $generate_system_id ) and ( $generate_encrypt_and_send_key ) and ( $get_encrypt_and_send_system_info ) and ( $copy_payload_into_allocated_memory ) and ( $execute_payload_from_temp ) } rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Asyncrat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects AsyncRAT backdoor." author = "ReversingLabs" - id = "78ff36e1-1620-50f4-8abd-adcf8b1242da" + id = "80672778-cc1f-5bd5-a997-0ab67ac3dece" date = "2024-05-22" modified = "2024-05-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.AsyncRAT.yara#L1-L149" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "53a13975cd53b571910f951adc44707c11b86c003eeb7b88dbe701253645ac89" + logic_hash = "v1_sha256_53a13975cd53b571910f951adc44707c11b86c003eeb7b88dbe701253645ac89" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -1763,20 +1763,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Asyncrat : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and ((($read_server_data_v1) and ($send_v1) and ( all of ($read_packet_v1_p*))) or (($send_v2) and ($open_url_v2) and ($monitoring_v2))) + uint16( 0 ) == 0x5A4D and ( ( ( $read_server_data_v1 ) and ( $send_v1 ) and ( all of ( $read_packet_v1_p* ) ) ) or ( ( $send_v2 ) and ( $open_url_v2 ) and ( $monitoring_v2 ) ) ) } rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Menorah : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Menorah backdoor." author = "ReversingLabs" - id = "4f13a6c6-bd97-58aa-ac3b-399866b5c63b" + id = "97f0b6c1-baa3-5d5b-8475-79ab46b109dc" date = "2024-05-10" modified = "2024-05-10" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.Menorah.yara#L1-L169" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "770aefca192ceb3a778c0b1259105ace8e64cb35d0c34acb15c45fb6f22ad94b" + logic_hash = "v1_sha256_770aefca192ceb3a778c0b1259105ace8e64cb35d0c34acb15c45fb6f22ad94b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -1922,20 +1922,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Menorah : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and ( all of ($send_fingerprint_to_c2_p*)) and ( all of ($get_files_and_directories_p*)) and ( all of ($upload_file_to_c2_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $send_fingerprint_to_c2_p* ) ) and ( all of ( $get_files_and_directories_p* ) ) and ( all of ( $upload_file_to_c2_p* ) ) } rule REVERSINGLABS_Linux_Backdoor_Krasue : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Krasue backdoor." author = "ReversingLabs" - id = "3187eebf-ef70-585f-85cf-5813025c785e" + id = "06135c47-e3d8-5599-9c74-f7958e82f445" date = "2024-03-04" modified = "2024-03-04" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Backdoor.Krasue.yara#L1-L127" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e2daa35ef9e0793062c9fb3bd8e4838e1e81ee3d228d8117b1c3b0e72eb8e151" + logic_hash = "v1_sha256_e2daa35ef9e0793062c9fb3bd8e4838e1e81ee3d228d8117b1c3b0e72eb8e151" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -2033,20 +2033,20 @@ rule REVERSINGLABS_Linux_Backdoor_Krasue : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint32(0)==0x464C457F and ($switch_server) and ($get_hostname) and ( all of ($start_server_p*)) and ($send_encrypt) and ($notify_server) + uint32( 0 ) == 0x464C457F and ( $switch_server ) and ( $get_hostname ) and ( all of ( $start_server_p* ) ) and ( $send_encrypt ) and ( $notify_server ) } rule REVERSINGLABS_Linux_Trojan_Chinaz : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects ChinaZ trojan." author = "ReversingLabs" - id = "f99c224b-db54-5cae-b5fb-8939ebee3250" + id = "bb31f71d-f8e7-57fb-b745-e7f727a9b6a8" date = "2024-07-31" modified = "2024-07-31" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Trojan.ChinaZ.yara#L1-L246" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d8d08f4f3f36ecc7b219b6b1aae3c76d26e8fb3a44444763929190c6124532ff" + logic_hash = "v1_sha256_d8d08f4f3f36ecc7b219b6b1aae3c76d26e8fb3a44444763929190c6124532ff" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -2243,20 +2243,20 @@ rule REVERSINGLABS_Linux_Trojan_Chinaz : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint32(0)==0x464C457F and ((( all of ($collect_system_information_32_p*)) and ($send_system_info_32) and ($parse_c2_commands_32) and ( all of ($dns_flood_32_p*))) or (( all of ($collect_system_information_64_p*)) and ($send_system_info_64) and ($parse_c2_commands_64) and ( all of ($dns_flood_64_p*)))) + uint32( 0 ) == 0x464C457F and ( ( ( all of ( $collect_system_information_32_p* ) ) and ( $send_system_info_32 ) and ( $parse_c2_commands_32 ) and ( all of ( $dns_flood_32_p* ) ) ) or ( ( all of ( $collect_system_information_64_p* ) ) and ( $send_system_info_64 ) and ( $parse_c2_commands_64 ) and ( all of ( $dns_flood_64_p* ) ) ) ) } rule REVERSINGLABS_Linux_Backdoor_Noodrat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects NoodRAT backdoor." author = "ReversingLabs" - id = "ac5eae27-dc42-5060-b639-c23c0bbabb50" + id = "8a2bded9-1c95-584d-ab0a-f654373db615" date = "2024-08-26" modified = "2024-08-26" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Backdoor.NoodRAT.yara#L1-L162" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2ec4a8ba7428054edb4dcdb6a00015b9758badf515f2c210bb946ba5402674d2" + logic_hash = "v1_sha256_2ec4a8ba7428054edb4dcdb6a00015b9758badf515f2c210bb946ba5402674d2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -2390,20 +2390,20 @@ rule REVERSINGLABS_Linux_Backdoor_Noodrat : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint32(0)==0x464C457F and (( all of ($change_name_on_system_p*)) and ( all of ($decrypt_configuration_p*)) and ($encrypt_and_send_data) and ($receive_and_decrypt_data)) + uint32( 0 ) == 0x464C457F and ( ( all of ( $change_name_on_system_p* ) ) and ( all of ( $decrypt_configuration_p* ) ) and ( $encrypt_and_send_data ) and ( $receive_and_decrypt_data ) ) } rule REVERSINGLABS_Win64_Backdoor_Konni : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Konni backdoor." author = "ReversingLabs" - id = "c45c23c6-be15-58cc-ae4d-631bed4a3bb2" + id = "4e42748c-63d0-504f-8200-0e2956842dbe" date = "2023-12-07" modified = "2023-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win64.Backdoor.Konni.yara#L1-L205" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "37c45e3ed23ca9f4de876f666c9f6d9bf7eee5cb1650b02cdd9f58e2ccc4b5cb" + logic_hash = "v1_sha256_37c45e3ed23ca9f4de876f666c9f6d9bf7eee5cb1650b02cdd9f58e2ccc4b5cb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -2579,20 +2579,20 @@ rule REVERSINGLABS_Win64_Backdoor_Konni : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($network_communication_p*)) and ( all of ($handle_c2_commands_p*)) and ( all of ($create_cab_file_and_upload_p*)) and ( all of ($cmd_expand_payload_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $network_communication_p* ) ) and ( all of ( $handle_c2_commands_p* ) ) and ( all of ( $create_cab_file_and_upload_p* ) ) and ( all of ( $cmd_expand_payload_p* ) ) } rule REVERSINGLABS_Linux_Backdoor_Linodas : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Linodas backdoor." author = "ReversingLabs" - id = "2b197346-abce-5cff-938f-bb8742e03168" + id = "59e8249b-b374-596c-aebb-6f77f2bf5ca5" date = "2024-05-22" modified = "2024-05-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Backdoor.Linodas.yara#L1-L216" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "12445771106e36b74b1ea292a8a25cab66bcaf0a08cf88d39a9f1bb13c6f525b" + logic_hash = "v1_sha256_12445771106e36b74b1ea292a8a25cab66bcaf0a08cf88d39a9f1bb13c6f525b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -2760,20 +2760,20 @@ rule REVERSINGLABS_Linux_Backdoor_Linodas : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint32(0)==0x464C457F and (($persistence_mechanism_ubuntu) and ( all of ($network_communication_*)) and ((($change_timestamp_and_read_config_v11) and ($persistence_mechanism_redhat_v11) and ($generate_machine_id_v11)) or (($persistence_mechanism_redhat_v7) and ($get_device_name_v7) and ($generate_machine_id_v7)))) + uint32( 0 ) == 0x464C457F and ( ( $persistence_mechanism_ubuntu ) and ( all of ( $network_communication_* ) ) and ( ( ( $change_timestamp_and_read_config_v11 ) and ( $persistence_mechanism_redhat_v11 ) and ( $generate_machine_id_v11 ) ) or ( ( $persistence_mechanism_redhat_v7 ) and ( $get_device_name_v7 ) and ( $generate_machine_id_v7 ) ) ) ) } rule REVERSINGLABS_Win32_Downloader_Dlmarlboro : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects dlMarlboro downloader." author = "ReversingLabs" - id = "4c99b5a4-dc6b-579b-b1bd-bd4c93c6e68c" + id = "cb634c2d-9bd2-5d9e-9a94-084c1b958fef" date = "2020-07-23" modified = "2020-07-23" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/downloader/Win32.Downloader.dlMarlboro.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "465a3b3a9686889001ac0b929d0349e44b6015eaeed3386361366def5013164a" + logic_hash = "v1_sha256_465a3b3a9686889001ac0b929d0349e44b6015eaeed3386361366def5013164a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -2842,20 +2842,20 @@ rule REVERSINGLABS_Win32_Downloader_Dlmarlboro : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and $ping_apnic and $download_bin_1 and $download_bin_2 + uint16( 0 ) == 0x5A4D and $ping_apnic and $download_bin_1 and $download_bin_2 } rule REVERSINGLABS_Win32_PUA_Domaiq : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Domaiq potentially unwanted application." author = "ReversingLabs" - id = "44129e4b-7dc2-5af0-b466-80dc4f4d6388" + id = "b4a275a4-b66e-55fe-88ac-08bcaaaddb53" date = "2020-07-28" modified = "2020-07-28" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/pua/Win32.PUA.Domaiq.yara#L1-L169" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e291a639aa027a2257eec2853e40a222afabf23b32898326a1d5b48be823202c" + logic_hash = "v1_sha256_e291a639aa027a2257eec2853e40a222afabf23b32898326a1d5b48be823202c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -2986,20 +2986,20 @@ rule REVERSINGLABS_Win32_PUA_Domaiq : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $payload and ($NSIS_CheckIntegrity or ($UPX_Decompression and $UPX_Encrypting) or $NSIS_ErrorPart or $dumping_functionv2014 or $dumping_functionMidVersion or ($exception1 and $exception2 and $exceptionallock) or $dumping_functionP or $dumping_functionE or $dumping_functionB or $dumping_function111 or $dumping_function2 or $lib_loader) + uint16( 0 ) == 0x5A4D and $payload and ( $NSIS_CheckIntegrity or ( $UPX_Decompression and $UPX_Encrypting ) or $NSIS_ErrorPart or $dumping_functionv2014 or $dumping_functionMidVersion or ( $exception1 and $exception2 and $exceptionallock ) or $dumping_functionP or $dumping_functionE or $dumping_functionB or $dumping_function111 or $dumping_function2 or $lib_loader ) } rule REVERSINGLABS_Win32_Trojan_Trickbot : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TrickBot trojan." author = "ReversingLabs" - id = "4ed253cc-0398-542b-a2b7-c42a0b9431fb" + id = "3e2397ba-02cf-509f-8767-397770d07585" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.TrickBot.yara#L1-L46" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e10f16c70f1ff7cf11d3e25f06e4c5d9e20c51688582d2b51322f768a8e06d7e" + logic_hash = "v1_sha256_e10f16c70f1ff7cf11d3e25f06e4c5d9e20c51688582d2b51322f768a8e06d7e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3030,20 +3030,20 @@ rule REVERSINGLABS_Win32_Trojan_Trickbot : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $entry_setup and ($decrypt_function_snippet or $decrypt_function_snippet_wrapper) + uint16( 0 ) == 0x5A4D and $entry_setup and ( $decrypt_function_snippet or $decrypt_function_snippet_wrapper ) } rule REVERSINGLABS_Linux_Trojan_Bibiwiper : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BiBiWiper trojan." author = "ReversingLabs" - id = "c370dde0-71ff-5832-b131-6d61beb02b9b" + id = "02f6df69-b20d-5341-af11-78bcb31d3412" date = "2023-11-28" modified = "2023-11-28" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Linux.Trojan.BiBiWiper.yara#L1-L76" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8f290141d5da660463dede6df571d774448e136e2993a0a4c706245464e1239e" + logic_hash = "v1_sha256_8f290141d5da660463dede6df571d774448e136e2993a0a4c706245464e1239e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3106,20 +3106,20 @@ rule REVERSINGLABS_Linux_Trojan_Bibiwiper : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint32(0)==0x464C457F and ( all of ($destroy_files_p*)) + uint32( 0 ) == 0x464C457F and ( all of ( $destroy_files_p* ) ) } rule REVERSINGLABS_Win32_Trojan_Emotet : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Emotet trojan." author = "ReversingLabs" - id = "9742743d-753a-582b-9701-7278c8ed0e4e" + id = "7b53dbaf-9563-5400-ad3f-9f4fd82ba3fb" date = "2021-11-16" modified = "2021-11-16" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.Emotet.yara#L1-L182" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "747d603c9849a66782c95050a4a634ffdb4ce2882adcfc5d63e1f1ea1651b25e" + logic_hash = "v1_sha256_747d603c9849a66782c95050a4a634ffdb4ce2882adcfc5d63e1f1ea1651b25e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3252,20 +3252,20 @@ rule REVERSINGLABS_Win32_Trojan_Emotet : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($decrypt_resource_v1 and $generate_filename_v1) or ($decrypt_resource_v2 and $generate_filename_v2) or ($decrypt_resource_v3 and $generate_filename_v3) or ($decrypt_resource_v4 and $generate_filename_snippet_v4) or ($decrypt_resource_snippet_v5 and all of ($liblzf_decompression_*)) or ($decrypt_resource_snippet_v6 and all of ($liblzf_decompression_*)) or ($decrypt_resource_snippet_v7 and $state_machine_snippet_v7) + uint16( 0 ) == 0x5A4D and ( $decrypt_resource_v1 and $generate_filename_v1 ) or ( $decrypt_resource_v2 and $generate_filename_v2 ) or ( $decrypt_resource_v3 and $generate_filename_v3 ) or ( $decrypt_resource_v4 and $generate_filename_snippet_v4 ) or ( $decrypt_resource_snippet_v5 and all of ( $liblzf_decompression_* ) ) or ( $decrypt_resource_snippet_v6 and all of ( $liblzf_decompression_* ) ) or ( $decrypt_resource_snippet_v7 and $state_machine_snippet_v7 ) } rule REVERSINGLABS_Win32_Trojan_Dridex : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Dridex trojan." author = "ReversingLabs" - id = "bc68aca1-69e6-57e6-9277-70c89fda1e5d" + id = "bab5036c-68a3-5fb5-a48d-e0d065eb69a0" date = "2020-09-16" modified = "2020-09-16" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.Dridex.yara#L1-L80" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7eddc8f33846dfb61302b7d7fddd8dec59a1bde05b14135c14131a02e2c19600" + logic_hash = "v1_sha256_7eddc8f33846dfb61302b7d7fddd8dec59a1bde05b14135c14131a02e2c19600" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3325,20 +3325,20 @@ rule REVERSINGLABS_Win32_Trojan_Dridex : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( any of ($resolve_api_wrapper_*) and any of ($find_first_file_snippet_*)) + uint16( 0 ) == 0x5A4D and ( any of ( $resolve_api_wrapper_* ) and any of ( $find_first_file_snippet_* ) ) } rule REVERSINGLABS_Linux_Trojan_Acidrain : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects AcidRain trojan." author = "ReversingLabs" - id = "802c7eb7-d407-5b07-a6b4-4648d3ad80e9" + id = "2b4638c1-6d93-5513-8063-80efe3c43815" date = "2024-05-10" modified = "2024-05-10" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Linux.Trojan.AcidRain.yara#L1-L67" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5b47a0de8bda09d217f8a148e561f3da7ce4945f011f4a9b5dbbca88157d3080" + logic_hash = "v1_sha256_5b47a0de8bda09d217f8a148e561f3da7ce4945f011f4a9b5dbbca88157d3080" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3386,20 +3386,20 @@ rule REVERSINGLABS_Linux_Trojan_Acidrain : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint32(0)==0x464C457F and ($destroy_files_using_ioctls) and ($destroy_files_using_overwrite) and ($redundant_reboot_attempts) + uint32( 0 ) == 0x464C457F and ( $destroy_files_using_ioctls ) and ( $destroy_files_using_overwrite ) and ( $redundant_reboot_attempts ) } rule REVERSINGLABS_Win32_Trojan_Isaacwiper : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects IsaacWiper trojan." author = "ReversingLabs" - id = "c0924e5e-a942-57a3-a9f9-e6be6efa4c73" + id = "d4b32bc7-dc28-5977-8620-688cfb1202ff" date = "2022-03-02" modified = "2022-03-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.IsaacWiper.yara#L1-L76" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c9fa43f44c33816a66f61255d101294da63df1afc5a27ed5817072040cd1eec5" + logic_hash = "v1_sha256_c9fa43f44c33816a66f61255d101294da63df1afc5a27ed5817072040cd1eec5" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3464,20 +3464,20 @@ rule REVERSINGLABS_Win32_Trojan_Isaacwiper : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($enumerate_physical_drives and $corrupt_drive_thread) + uint16( 0 ) == 0x5A4D and ( $enumerate_physical_drives and $corrupt_drive_thread ) } rule REVERSINGLABS_Win32_Trojan_Bibiwiper : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BiBiWiper trojan." author = "ReversingLabs" - id = "8462ceb8-ec54-5f92-a3e7-c96e52647ca7" + id = "98a2bc59-6e22-54bb-979f-0f5b10790580" date = "2023-11-28" modified = "2023-11-28" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.BiBiWiper.yara#L1-L102" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d75954c05a8f82ad90a4adf6a2a3748928488ddebe40d8f8a790bfcde0b02a11" + logic_hash = "v1_sha256_d75954c05a8f82ad90a4adf6a2a3748928488ddebe40d8f8a790bfcde0b02a11" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3562,20 +3562,20 @@ rule REVERSINGLABS_Win32_Trojan_Bibiwiper : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($delete_shadow_copies_p*)) and ( all of ($destroy_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $delete_shadow_copies_p* ) ) and ( all of ( $destroy_files_p* ) ) } rule REVERSINGLABS_Win32_Trojan_Hermeticwiper : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HermeticWiper trojan." author = "ReversingLabs" - id = "252dfb3d-9d4e-51a4-80c9-64e17922d997" + id = "167e4cda-7bb8-565e-99ec-b82d3e9f10d9" date = "2022-02-24" modified = "2022-02-24" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.HermeticWiper.yara#L1-L50" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0fa519ce8285ffe4e49c2a301e8a0fd0516a05dc6b41ee0b010fdc76dd6e195e" + logic_hash = "v1_sha256_0fa519ce8285ffe4e49c2a301e8a0fd0516a05dc6b41ee0b010fdc76dd6e195e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3615,20 +3615,20 @@ rule REVERSINGLABS_Win32_Trojan_Hermeticwiper : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($corrupt_physical_drive) + uint16( 0 ) == 0x5A4D and ( $corrupt_physical_drive ) } rule REVERSINGLABS_Win32_Trojan_Caddywiper : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects CaddyWiper trojan." author = "ReversingLabs" - id = "ad437f29-4ad8-5a88-a0b6-03de55e7375f" + id = "4d605eea-b7d0-5095-91e6-f29b42720522" date = "2022-03-15" modified = "2022-03-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.CaddyWiper.yara#L1-L95" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "178ff4171c09866f6b303bdff234beff1116d268995ee4dc236332e472d645b1" + logic_hash = "v1_sha256_178ff4171c09866f6b303bdff234beff1116d268995ee4dc236332e472d645b1" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3702,20 +3702,20 @@ rule REVERSINGLABS_Win32_Trojan_Caddywiper : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($destroy_if_not_controller) and ($erase_drive_data) and ( all of ($erase_drives_recursively_*)) + uint16( 0 ) == 0x5A4D and ( $destroy_if_not_controller ) and ( $erase_drive_data ) and ( all of ( $erase_drives_recursively_* ) ) } rule REVERSINGLABS_Win32_Ransomware_Dualshot : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Dualshot ransomware." author = "ReversingLabs" - id = "17828c85-0f1b-581b-842a-24e6f26e0b4d" + id = "1c060c6b-b231-538e-b103-143b53b53276" date = "2020-11-20" modified = "2020-11-20" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Dualshot.yara#L1-L112" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a401369357901f42ad83227b025d3b14b3acd1f50705da82afbe8e4f85501919" + logic_hash = "v1_sha256_a401369357901f42ad83227b025d3b14b3acd1f50705da82afbe8e4f85501919" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3806,20 +3806,20 @@ rule REVERSINGLABS_Win32_Ransomware_Dualshot : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($internal_encrypt_file) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $internal_encrypt_file ) } rule REVERSINGLABS_Win64_Ransomware_Seedlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects SeedLocker ransomware." author = "ReversingLabs" - id = "efa3dd2e-faf4-5882-aef8-85189e65f0f9" + id = "afdf575a-4c54-5e6d-adbe-34f8168db3c2" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.SeedLocker.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a478efcfb03e3eeebe72d9a71629456cf061c3c779fbdde99539854caf8c7c33" + logic_hash = "v1_sha256_a478efcfb03e3eeebe72d9a71629456cf061c3c779fbdde99539854caf8c7c33" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -3899,20 +3899,20 @@ rule REVERSINGLABS_Win64_Ransomware_Seedlocker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and $search_files and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and $search_files and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Hentaioniichan : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Hentai Oniichan ransomware." author = "ReversingLabs" - id = "cd5e916f-7195-5bb6-abff-b08231053f9a" + id = "963df5fd-ffe0-5a40-aa44-90ade5e7ff5b" date = "2021-03-05" modified = "2021-03-05" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HentaiOniichan.yara#L1-L140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "153526e5a2f05bc8e3f77d83eefce6b4cd962ea093b6f1c0ab8fcabe8d8a7ad9" + logic_hash = "v1_sha256_153526e5a2f05bc8e3f77d83eefce6b4cd962ea093b6f1c0ab8fcabe8d8a7ad9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4027,20 +4027,20 @@ rule REVERSINGLABS_Win32_Ransomware_Hentaioniichan : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and ($inject_code_into_process) and ( all of ($find_files_p*)) and ($encrypt_files) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $inject_code_into_process ) and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Knot : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Knot ransomware." author = "ReversingLabs" - id = "4dfe9da5-7ab1-57dc-95fc-b05777f235b8" + id = "da7ae347-ceaf-5150-bf77-2457dd40d52e" date = "2021-03-19" modified = "2021-03-19" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Knot.yara#L1-L118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a7a3e13139d68314e583ec225a5d56373a551e67d46984dcf9a228a1f7275f14" + logic_hash = "v1_sha256_a7a3e13139d68314e583ec225a5d56373a551e67d46984dcf9a228a1f7275f14" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4137,20 +4137,20 @@ rule REVERSINGLABS_Win32_Ransomware_Knot : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Serpent : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Serpent ransomware." author = "ReversingLabs" - id = "0757ad7c-b2b1-5323-960a-55ffe3eaed12" + id = "b421570c-73d7-5754-8ebc-62e66a8200ae" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Serpent.yara#L1-L122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5e1917e8d23a5edc65ac423f3d18cc78c3848bd6c1ccc67d052eb37172857081" + logic_hash = "v1_sha256_5e1917e8d23a5edc65ac423f3d18cc78c3848bd6c1ccc67d052eb37172857081" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4261,20 +4261,20 @@ rule REVERSINGLABS_Win32_Ransomware_Serpent : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and $do_dll_stuff_and_create_thread and $find_files and $remote_connection and $remote_ftp_connection + uint16( 0 ) == 0x5A4D and $do_dll_stuff_and_create_thread and $find_files and $remote_connection and $remote_ftp_connection } rule REVERSINGLABS_Win64_Ransomware_Rook : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Rook ransomware." author = "ReversingLabs" - id = "60bbfd57-18bb-58b3-9abc-ab30943bbddd" + id = "f0d22841-c3e0-54ec-9a32-b9ad96717fd2" date = "2022-01-17" modified = "2022-01-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Rook.yara#L1-L122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dc8b37e55b634de52855dd851dbaaf3e690adfb2e875d0e0c9ef5f4846c6ff30" + logic_hash = "v1_sha256_dc8b37e55b634de52855dd851dbaaf3e690adfb2e875d0e0c9ef5f4846c6ff30" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4371,20 +4371,20 @@ rule REVERSINGLABS_Win64_Ransomware_Rook : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($enum_shares) and ($enum_procs) and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_shares ) and ( $enum_procs ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Farattack : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects FarAttack ransomware." author = "ReversingLabs" - id = "7ee7121a-4ca2-513c-96dc-53b5c48d719f" + id = "0d886f84-d417-5c45-b279-2c677d98fcae" date = "2022-06-21" modified = "2022-06-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FarAttack.yara#L1-L93" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "af22b8110c2b545f083b443c7a1fa7e7639324e9188eefadfe1fe70ebb1bb7fb" + logic_hash = "v1_sha256_af22b8110c2b545f083b443c7a1fa7e7639324e9188eefadfe1fe70ebb1bb7fb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4457,20 +4457,20 @@ rule REVERSINGLABS_Win32_Ransomware_Farattack : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($find_files) and ($create_key) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $create_key ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Winword64 : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects WinWord64 ransomware." author = "ReversingLabs" - id = "a5f7967d-58f4-5fdd-b67f-5f5dbfec0f4b" + id = "626128d7-7a36-5d82-aa87-b46f525a68dc" date = "2021-02-11" modified = "2021-02-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.WinWord64.yara#L1-L215" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "73d8c4f1b3bed365320b26332f1f1b49404d8e6536f3e25042f5f64e5bc09bd4" + logic_hash = "v1_sha256_73d8c4f1b3bed365320b26332f1f1b49404d8e6536f3e25042f5f64e5bc09bd4" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4659,20 +4659,20 @@ rule REVERSINGLABS_Win32_Ransomware_Winword64 : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Princesslocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects PrincessLocker ransomware." author = "ReversingLabs" - id = "b76ef137-aa0b-5fd3-9876-2459cb6535ff" + id = "765d0f55-b40f-57cd-8441-23e3079c8cff" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.PrincessLocker.yara#L1-L92" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5be4ca3bd0b0afed1d2f3a59e2951d74a8de94c5a4d5a2c6cc29add49eab9ec0" + logic_hash = "v1_sha256_5be4ca3bd0b0afed1d2f3a59e2951d74a8de94c5a4d5a2c6cc29add49eab9ec0" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4754,20 +4754,20 @@ rule REVERSINGLABS_Win32_Ransomware_Princesslocker : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and $encrypt_files and $remote_connection_1 and $remote_connection_2 + uint16( 0 ) == 0x5A4D and $encrypt_files and $remote_connection_1 and $remote_connection_2 } rule REVERSINGLABS_Win32_Ransomware_Ouroboros : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ouroboros ransomware." author = "ReversingLabs" - id = "af0b9311-a7dd-56e8-a004-0828af5af5ef" + id = "b1396afd-627a-5a77-b461-fa9705b69cb2" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ouroboros.yara#L1-L175" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b573f303318452010ff46f21a02b6290820f9a27bf4c51b72f6ed15263b5f433" + logic_hash = "v1_sha256_b573f303318452010ff46f21a02b6290820f9a27bf4c51b72f6ed15263b5f433" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4913,20 +4913,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ouroboros : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($find_files) and (( all of ($encrypt_files_p*)) or ($encrypt_files_angus_version)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( ( all of ( $encrypt_files_p* ) ) or ( $encrypt_files_angus_version ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Cring : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Cring ransomware." author = "ReversingLabs" - id = "76530a6d-145b-5316-8200-4b191d0754fd" + id = "b4417071-575b-5c0f-b957-af762dbc00ee" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Cring.yara#L1-L66" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "05cf60ad39c9dcc592345f13b63c99b153b9253297a8ad9e52e0439081d8c796" + logic_hash = "v1_sha256_05cf60ad39c9dcc592345f13b63c99b153b9253297a8ad9e52e0439081d8c796" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4976,20 +4976,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Cring : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Harpoonlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HarpoonLocker ransomware." author = "ReversingLabs" - id = "3605d354-5a33-54b1-83ad-ad514c78357b" + id = "b1dfc37c-d721-5edf-9628-d50526aa0798" date = "2022-01-27" modified = "2022-01-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.HarpoonLocker.yara#L1-L96" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "20587f9dce5981934498d9979843a090224ba649def8b694adf7799b7060cc25" + logic_hash = "v1_sha256_20587f9dce5981934498d9979843a090224ba649def8b694adf7799b7060cc25" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5065,20 +5065,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Harpoonlocker : TC_DETECTION MALICIO } condition: - uint16(0)==0x5A4D and ($change_boot) and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $change_boot ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Rokku : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Rokku ransomware." author = "ReversingLabs" - id = "8722ed4a-b480-57ec-bba7-ce7d0f3704b9" + id = "d6709e78-3cd0-538a-aa63-56b973b29bee" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Rokku.yara#L1-L147" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fefb342f8a9afac3b40c343b830f334225ff4198d55504846aa855acf5dfc9ba" + logic_hash = "v1_sha256_fefb342f8a9afac3b40c343b830f334225ff4198d55504846aa855acf5dfc9ba" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5203,20 +5203,20 @@ rule REVERSINGLABS_Win32_Ransomware_Rokku : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_folders and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*))) + uint16( 0 ) == 0x5A4D and ( $find_folders and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Medusalocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects MedusaLocker ransomware." author = "ReversingLabs" - id = "8bfcfe13-b519-5c03-9770-cf245b01c395" + id = "991bd5c5-6b0f-547c-9daf-bea5dbb30ee4" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MedusaLocker.yara#L1-L174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "73f915d476d1411d2e008d00c5ffa03596e3b62bcdbc4d91dc7226599a066c08" + logic_hash = "v1_sha256_73f915d476d1411d2e008d00c5ffa03596e3b62bcdbc4d91dc7226599a066c08" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5356,20 +5356,20 @@ rule REVERSINGLABS_Win32_Ransomware_Medusalocker : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ($kill_processes_call) and ($kill_processes) and ($enum_resources) and ( all of ($search_files_*)) and ( all of ($encrypt_files_p*)) and ($enum_resources_call) + uint16( 0 ) == 0x5A4D and ( $kill_processes_call ) and ( $kill_processes ) and ( $enum_resources ) and ( all of ( $search_files_* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $enum_resources_call ) } rule REVERSINGLABS_Win32_Ransomware_Termite : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Termite ransomware." author = "ReversingLabs" - id = "350011fa-1e3c-5079-8fe7-968340a3aca0" + id = "cacfa08f-2fbb-5743-a2d6-c9d0a6b5d474" date = "2020-08-31" modified = "2020-08-31" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Termite.yara#L1-L151" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "df273de81fc58cb0bacf021ee539ec6dbfa1f1a3e13bd46519ee313595cafb4c" + logic_hash = "v1_sha256_df273de81fc58cb0bacf021ee539ec6dbfa1f1a3e13bd46519ee313595cafb4c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5500,20 +5500,20 @@ rule REVERSINGLABS_Win32_Ransomware_Termite : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win64_Ransomware_Blackbasta : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BlackBasta ransomware." author = "ReversingLabs" - id = "7a4ad567-0612-5a9c-8a06-4d615bc7e24a" + id = "fceb40c0-723e-567b-9d3e-15926eb486d7" date = "2022-12-13" modified = "2022-12-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.BlackBasta.yara#L1-L293" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "79c81a4470e9eabbd714b1a91621c7b2bbe42d5371ba2c799529662d5f5c479a" + logic_hash = "v1_sha256_79c81a4470e9eabbd714b1a91621c7b2bbe42d5371ba2c799529662d5f5c479a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5747,20 +5747,20 @@ rule REVERSINGLABS_Win64_Ransomware_Blackbasta : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ((($find_files) and ( all of ($find_system_volumes_v1_p*)) and ( all of ($set_default_icon_p*)) and ($cmd_prompt) and ($exclude_from_encryption) and ($encrypt_files_v1)) or (($find_files) and ($cmd_prompt) and ($find_system_volumes_v2) and ($drop_ransom_note) and ( all of ($encrypt_files_v2_p*)))) + uint16( 0 ) == 0x5A4D and ( ( ( $find_files ) and ( all of ( $find_system_volumes_v1_p* ) ) and ( all of ( $set_default_icon_p* ) ) and ( $cmd_prompt ) and ( $exclude_from_encryption ) and ( $encrypt_files_v1 ) ) or ( ( $find_files ) and ( $cmd_prompt ) and ( $find_system_volumes_v2 ) and ( $drop_ransom_note ) and ( all of ( $encrypt_files_v2_p* ) ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Garrantydecrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GarrantyDecrypt ransomware." author = "ReversingLabs" - id = "0aa05f06-1773-5ce8-892d-04468f5deccc" + id = "f89cab43-4e85-5a80-a7ab-9e1ab699d30f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7194c1e0e15a89f2c691a7d586b9db68295cc52a5f042d0f7eb558c326430444" + logic_hash = "v1_sha256_7194c1e0e15a89f2c691a7d586b9db68295cc52a5f042d0f7eb558c326430444" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5829,20 +5829,20 @@ rule REVERSINGLABS_Win32_Ransomware_Garrantydecrypt : TC_DETECTION MALICIOUS MAL } condition: - uint16(0)==0x5A4D and $find_files and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and $find_files and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win64_Ransomware_Albabat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Albabat ransomware." author = "ReversingLabs" - id = "11941c0d-45fb-5746-bbad-f43f336d4b1d" + id = "ea9bb46e-2790-503e-88da-8bd6270124b4" date = "2024-03-18" modified = "2024-03-18" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Albabat.yara#L1-L139" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "38ec8388b9006f6ab9a397858b89f4bfd7def2ffcf525cfc736abae49bc6034a" + logic_hash = "v1_sha256_38ec8388b9006f6ab9a397858b89f4bfd7def2ffcf525cfc736abae49bc6034a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5956,21 +5956,21 @@ rule REVERSINGLABS_Win64_Ransomware_Albabat : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($drop_ransom_note) and ($change_desktop_wallpaper) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $drop_ransom_note ) and ( $change_desktop_wallpaper ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Oct ransomware." author = "ReversingLabs" - id = "e811a0ba-52df-5e88-ab71-df91d5cb584a" - date = "2024-10-08" - date = "2024-10-08" + id = "d054239a-564e-5f1a-a380-62dadb020d8d" + date = "2024-10-15" + date = "2024-10-15" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara#L1-L68" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3973794d6bf26eaa752cfc70a217c059a190c63a0dd92b06de7c0893d92d9e88" + logic_hash = "v1_sha256_3973794d6bf26eaa752cfc70a217c059a190c63a0dd92b06de7c0893d92d9e88" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6018,20 +6018,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($collect_env_and_start_enc_proc) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $collect_env_and_start_enc_proc ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Policerecords : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects PoliceRecords ransomware." author = "ReversingLabs" - id = "bacd3f98-a069-58ca-8423-01fcef7d4062" + id = "ec46da8b-cc38-5c6d-925a-b88da22095cc" date = "2022-08-02" modified = "2022-08-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.PoliceRecords.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "55cb1a5d030c47abb1a9ca9970fb19b3124128e409bc9515c173c33b2bb49a16" + logic_hash = "v1_sha256_55cb1a5d030c47abb1a9ca9970fb19b3124128e409bc9515c173c33b2bb49a16" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6087,20 +6087,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Policerecords : TC_DETECTION MALICIO } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($desktop_kill_tick) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $desktop_kill_tick ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Win32_Ransomware_Delphimorix : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Delphimorix ransomware." author = "ReversingLabs" - id = "1f964601-9819-5597-ba6e-db3a30e3aa5a" + id = "3630e7d1-e9a2-5abb-b1ca-7dd87a87932b" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Delphimorix.yara#L1-L67" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6d401d488d57b2d75e93a1dfd47ece687a5791d1f0a52768300f4af8a8787212" + logic_hash = "v1_sha256_6d401d488d57b2d75e93a1dfd47ece687a5791d1f0a52768300f4af8a8787212" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6151,20 +6151,20 @@ rule REVERSINGLABS_Win32_Ransomware_Delphimorix : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Denizkizi : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects DenizKizi ransomware." author = "ReversingLabs" - id = "e16a00d6-d5b8-5702-9cd7-d037b0ff46a3" + id = "dbc4d6fd-4983-520e-99cb-76b19e95c65e" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DenizKizi.yara#L1-L88" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fbeb01263d6f68141e094ba8fb1c1a54c601ab24292f5c6b0eb8cb0c49f46afc" + logic_hash = "v1_sha256_fbeb01263d6f68141e094ba8fb1c1a54c601ab24292f5c6b0eb8cb0c49f46afc" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6233,20 +6233,20 @@ rule REVERSINGLABS_Win32_Ransomware_Denizkizi : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($delete_shadow_copies) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $delete_shadow_copies ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Apis : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Apis ransomware." author = "ReversingLabs" - id = "63791250-e21e-53d1-932c-9b5d16a7cad9" + id = "55ff2db5-a9fd-55d8-90ca-749cb60b464c" date = "2021-11-25" modified = "2021-11-25" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Apis.yara#L1-L75" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0915469884a268f124da348d6a182eb4a0f69063d4041b46628794ab011227ef" + logic_hash = "v1_sha256_0915469884a268f124da348d6a182eb4a0f69063d4041b46628794ab011227ef" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6302,20 +6302,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Apis : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ($setup_env) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $setup_env ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Ghostbin : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ghostbin ransomware." author = "ReversingLabs" - id = "4d576854-7a30-527d-9a7a-f22018183540" + id = "548c3089-cc4b-56d9-9109-529fca0f4f72" date = "2021-09-06" modified = "2021-09-06" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Ghostbin.yara#L1-L61" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3881e1c83ac2a31fdd8a081d3e6e6ea759771dbc183c3af9528930619bcddf9e" + logic_hash = "v1_sha256_3881e1c83ac2a31fdd8a081d3e6e6ea759771dbc183c3af9528930619bcddf9e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6357,20 +6357,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Ghostbin : TC_DETECTION MALICIOUS MA } condition: - uint16(0)==0x5A4D and ($setup_env) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $setup_env ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Tblocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TBLocker ransomware." author = "ReversingLabs" - id = "91793018-baf6-5e70-83b6-8793482c3bec" + id = "822548b4-9389-51ab-aec3-c300b1b0cd79" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TBLocker.yara#L1-L85" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "81f0077655ac0e59cd8dc05be602ae500c938668bd57d3cf4a51fbff2a5b6b83" + logic_hash = "v1_sha256_81f0077655ac0e59cd8dc05be602ae500c938668bd57d3cf4a51fbff2a5b6b83" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6437,20 +6437,20 @@ rule REVERSINGLABS_Win32_Ransomware_Tblocker : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and (( all of ($main_ransomware_function_p*)) and $search_files and $encrypt_files) + uint16( 0 ) == 0x5A4D and ( ( all of ( $main_ransomware_function_p* ) ) and $search_files and $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Clop : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Clop ransomware." author = "ReversingLabs" - id = "0ea63119-3773-5404-b332-8e3966fd35df" + id = "5d7a4d58-6836-5110-be34-05c4fddccdeb" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Clop.yara#L1-L109" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0b63db16a4b1cae27a97d0ff9df692a63f1a11120ffac69c05a5c71fbd224007" + logic_hash = "v1_sha256_0b63db16a4b1cae27a97d0ff9df692a63f1a11120ffac69c05a5c71fbd224007" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6538,20 +6538,20 @@ rule REVERSINGLABS_Win32_Ransomware_Clop : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ($uninstall_eset_av) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $uninstall_eset_av ) } rule REVERSINGLABS_Win32_Ransomware_Dearcry : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects DearCry ransomware." author = "ReversingLabs" - id = "6e2097e0-6495-5185-bbbc-e8168fa0ca7f" + id = "64304d23-9ba6-526c-abde-17840142e65e" date = "2021-03-12" modified = "2021-03-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DearCry.yara#L1-L96" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "40dde232255018e1bc0aadf2378a7a86a99327d13dda58d8ffc5bb38e164de26" + logic_hash = "v1_sha256_40dde232255018e1bc0aadf2378a7a86a99327d13dda58d8ffc5bb38e164de26" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6630,20 +6630,20 @@ rule REVERSINGLABS_Win32_Ransomware_Dearcry : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($drop_ransom_note_p*)) and ( all of ($find_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $drop_ransom_note_p* ) ) and ( all of ( $find_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Kovter : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Kovter ransomware." author = "ReversingLabs" - id = "9362ac5a-0b6c-5ac5-ac2b-59dcc1191dc6" + id = "6786410f-59ba-555c-b633-9ef0a6ad531e" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Kovter.yara#L1-L141" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3082e036b54a73ce8397cfa6e8dc2a807c587d9f17286e75af6cdbe622fae1e1" + logic_hash = "v1_sha256_3082e036b54a73ce8397cfa6e8dc2a807c587d9f17286e75af6cdbe622fae1e1" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6772,20 +6772,20 @@ rule REVERSINGLABS_Win32_Ransomware_Kovter : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $find_files and $decrypt_payload_script and ( all of ($remote_connection_*)) + uint16( 0 ) == 0x5A4D and $find_files and $decrypt_payload_script and ( all of ( $remote_connection_* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_EAF : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects EAF ransomware." author = "ReversingLabs" - id = "6903030e-b1a1-5238-b377-ce8e4b18d3f3" + id = "8f7a1015-41b8-5a53-bc16-bfd870856cb5" date = "2022-07-22" modified = "2022-07-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.EAF.yara#L1-L89" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3d10c852f95e8aa9bcd3543b96650b98ac57bcd2aa2b374e0badb63b5a4c0396" + logic_hash = "v1_sha256_3d10c852f95e8aa9bcd3543b96650b98ac57bcd2aa2b374e0badb63b5a4c0396" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6853,20 +6853,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_EAF : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($destroy_exe_file) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $destroy_exe_file ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Cobralocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects CobraLocker ransomware." author = "ReversingLabs" - id = "dada6370-3ae3-5931-ba9f-da56ebbcd8c8" + id = "d32a3414-b8e5-589e-84ac-46a94d57457d" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Bytecode.MSIL.Ransomware.CobraLocker.yara#L1-L59" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "95f4c645c7c237d23b5028f824f78a5f9f8f0a4737b391d877582afe08264d7e" + logic_hash = "v1_sha256_95f4c645c7c237d23b5028f824f78a5f9f8f0a4737b391d877582afe08264d7e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6910,20 +6910,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Cobralocker : TC_DETECTION MALICIOUS } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Plague17 : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Plague17 ransomware." author = "ReversingLabs" - id = "065c47b5-f459-529e-8046-7394a742b50a" + id = "a91de3a9-225f-5450-8e42-4e2b1b10842f" date = "2021-02-19" modified = "2021-02-19" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Plague17.yara#L1-L263" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e0e518fc83a62d70b83df273c6ba469e6f0fdf9c035126428ec7561e04437b6f" + logic_hash = "v1_sha256_e0e518fc83a62d70b83df273c6ba469e6f0fdf9c035126428ec7561e04437b6f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7156,20 +7156,20 @@ rule REVERSINGLABS_Win32_Ransomware_Plague17 : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Ransomexx : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ransomexx ransomware." author = "ReversingLabs" - id = "5e62660d-2696-56c7-9322-fed6ce9d36ff" + id = "b5dc5ed0-12f5-5bcb-83e0-469f061d4324" date = "2020-11-26" modified = "2020-11-26" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ransomexx.yara#L1-L147" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "27b4132b7f16cafc40687e96a552ce59cc24ebf7679575680f170e3beee8a0a9" + logic_hash = "v1_sha256_27b4132b7f16cafc40687e96a552ce59cc24ebf7679575680f170e3beee8a0a9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7293,20 +7293,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ransomexx : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($enum_network_resources) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_network_resources ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Khonsari : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Khonsari ransomware." author = "ReversingLabs" - id = "c3c64256-af1f-5a9d-8a59-8d72993bb8da" + id = "a1e5a56e-361a-59b6-b7a2-35e31607b41f" date = "2022-01-27" modified = "2022-01-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Khonsari.yara#L1-L68" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f1003b7863215bcd8e5cdce8ce40551105fb668ea2b8ac765909f9fa5373e6ca" + logic_hash = "v1_sha256_f1003b7863215bcd8e5cdce8ce40551105fb668ea2b8ac765909f9fa5373e6ca" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7355,20 +7355,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Khonsari : TC_DETECTION MALICIOUS MA } condition: - uint16(0)==0x5A4D and ($find_files) and ($get_key) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $get_key ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Wsir : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects WsIR ransomware." author = "ReversingLabs" - id = "cb4ab736-9421-5b92-b4a5-c5db0b61725a" + id = "f4364c88-f9ff-549f-add9-69ae98993c09" date = "2022-08-02" modified = "2022-08-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.WsIR.yara#L1-L73" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c22c01f93945c7721ebfe5e7a09c3bf2b9d0ad95740bc0a76b4e61741f61d82c" + logic_hash = "v1_sha256_c22c01f93945c7721ebfe5e7a09c3bf2b9d0ad95740bc0a76b4e61741f61d82c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7422,20 +7422,20 @@ rule REVERSINGLABS_Win32_Ransomware_Wsir : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($exec_proc) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $exec_proc ) } rule REVERSINGLABS_Win32_Ransomware_Lorenz : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Lorenz ransomware." author = "ReversingLabs" - id = "cc97dd15-d518-5d9f-9384-3dcf81e34e81" + id = "3d89b04b-b752-5086-b1be-cab417c385c5" date = "2022-10-24" modified = "2022-10-24" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Lorenz.yara#L1-L252" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b8668fcc560d264c37e3fbb52d5a5f1223a282abd9e984b3109efe9ab454be9f" + logic_hash = "v1_sha256_b8668fcc560d264c37e3fbb52d5a5f1223a282abd9e984b3109efe9ab454be9f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7634,20 +7634,20 @@ rule REVERSINGLABS_Win32_Ransomware_Lorenz : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ((( all of ($encrypt_files_v1_p*)) and ( all of ($find_files_v1_p*)) and ($create_scheduled_task_v1) and ($remote_connection_v1) and ($check_mutex_v1)) or (($find_files_v2) and ( all of ($encrypt_files_v2_p*)) and ($remote_connection_v2) and ( all of ($drop_ransom_note_v2_p*)))) + uint16( 0 ) == 0x5A4D and ( ( ( all of ( $encrypt_files_v1_p* ) ) and ( all of ( $find_files_v1_p* ) ) and ( $create_scheduled_task_v1 ) and ( $remote_connection_v1 ) and ( $check_mutex_v1 ) ) or ( ( $find_files_v2 ) and ( all of ( $encrypt_files_v2_p* ) ) and ( $remote_connection_v2 ) and ( all of ( $drop_ransom_note_v2_p* ) ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Ophionlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects OphionLocker ransomware." author = "ReversingLabs" - id = "75335749-66bd-539e-92b3-dd92c0b332d8" + id = "2e2ff287-c593-5923-833e-c83da7f3237b" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.OphionLocker.yara#L1-L105" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3c54a948a6a45ec5f5bc32fbbdbc8822f402b1332e9109b20b90635464dbe2ac" + logic_hash = "v1_sha256_3c54a948a6a45ec5f5bc32fbbdbc8822f402b1332e9109b20b90635464dbe2ac" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7739,20 +7739,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ophionlocker : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and (($ol_do_filetypes_1 and $ol_do_filetypes_2 and $ol_do_filetypes_3) and ($ol_ecies_key_1 and $ol_ecies_key_2 and $ol_ecies_key_3)) + uint16( 0 ) == 0x5A4D and ( ( $ol_do_filetypes_1 and $ol_do_filetypes_2 and $ol_do_filetypes_3 ) and ( $ol_ecies_key_1 and $ol_ecies_key_2 and $ol_ecies_key_3 ) ) } rule REVERSINGLABS_Win64_Ransomware_Curator : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Curator ransomware." author = "ReversingLabs" - id = "401f1d64-afd9-55b1-8e87-b808d4679e9a" + id = "ed64eaea-054c-5063-8878-7f66ded9cfd0" date = "2021-04-22" modified = "2021-04-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Curator.yara#L1-L94" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8bd29195cea0f1194e27c48ed07c52100abb7dd3de2ef7f51a645d32c3527eb3" + logic_hash = "v1_sha256_8bd29195cea0f1194e27c48ed07c52100abb7dd3de2ef7f51a645d32c3527eb3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7826,20 +7826,20 @@ rule REVERSINGLABS_Win64_Ransomware_Curator : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $remote_connection ) } rule REVERSINGLABS_Win64_Ransomware_Pandora : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Pandora ransomware." author = "ReversingLabs" - id = "18182bbe-1678-5d0b-a7ee-80c4bbaee99e" + id = "62ed0685-edc2-5c48-9a09-f9fedbac615c" date = "2022-06-01" modified = "2022-06-01" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Pandora.yara#L1-L95" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6576bde36ae9a9bc2e9dd878db788c608083b84d96d31e6898f48a264c6b7f1a" + logic_hash = "v1_sha256_6576bde36ae9a9bc2e9dd878db788c608083b84d96d31e6898f48a264c6b7f1a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -7914,7 +7914,7 @@ rule REVERSINGLABS_Win64_Ransomware_Pandora : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($generate_key) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $generate_key ) and ( $drop_ransom_note ) } import "pe" 
@@ -7923,13 +7923,13 @@ rule REVERSINGLABS_Win32_Ransomware_Wannacry : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects WannaCry ransomware." author = "ReversingLabs" - id = "61734d47-2525-5e3a-94b4-60493dfe2b93" + id = "4ae1a076-eff1-5692-93b6-eb7c6cf952ae" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.WannaCry.yara#L3-L135" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fed58b533a9f7c3eb1b3e4f8fbe1f519aab94d1c066ae6937c21876693be0eac" + logic_hash = "v1_sha256_fed58b533a9f7c3eb1b3e4f8fbe1f519aab94d1c066ae6937c21876693be0eac" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -8042,20 +8042,20 @@ rule REVERSINGLABS_Win32_Ransomware_Wannacry : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($entrypoint_all at pe.entry_point) and ($main_1 or $main_2 or ($main_3 and $start_service_3) or $main_4 or $main_5 or ($main_6 and ($set_reg_key_6 or $download_tor_6)) or $main_7 or $main_8) + uint16( 0 ) == 0x5A4D and ( $entrypoint_all at pe.entry_point ) and ( $main_1 or $main_2 or ( $main_3 and $start_service_3 ) or $main_4 or $main_5 or ( $main_6 and ( $set_reg_key_6 or $download_tor_6 ) ) or $main_7 or $main_8 ) } rule REVERSINGLABS_Linux_Ransomware_Kraken : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Kraken ransomware." author = "ReversingLabs" - id = "7c302c2e-6ffc-5f51-90f4-c4ebd6c1c28b" + id = "4415659c-7465-5982-862b-4b4b29ecba20" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Kraken.yara#L1-L151" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4a3867aba4dbdce5d008331a3058f57b00db246975fc4d77b79ab49d5f0bbb15" + logic_hash = "v1_sha256_4a3867aba4dbdce5d008331a3058f57b00db246975fc4d77b79ab49d5f0bbb15" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -8181,20 +8181,20 @@ rule REVERSINGLABS_Linux_Ransomware_Kraken : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($enum_volumes and $find_files and ( all of ($enum_shares_p*)) and ( all of ($encrypt_files_p*))) + uint16( 0 ) == 0x5A4D and ( $enum_volumes and $find_files and ( all of ( $enum_shares_p* ) ) and ( all of ( $encrypt_files_p* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Reveton : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Reveton ransomware." author = "ReversingLabs" - id = "14446b94-cd57-5930-b0af-b21091b61f68" + id = "8f4a8a63-426e-5253-8c17-f13faba15a57" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Reveton.yara#L1-L118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2d316c558cdb5591788ef89c6e20327882a118f2928f4a31fb5b8b3083931ac5" + logic_hash = "v1_sha256_2d316c558cdb5591788ef89c6e20327882a118f2928f4a31fb5b8b3083931ac5" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -8293,20 +8293,20 @@ rule REVERSINGLABS_Win32_Ransomware_Reveton : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and (($http_connection_1 and $file_search_1_1 and $file_search_1_2 and $file_search_1_3 and $raw_socket_connection_1_1 and $raw_socket_connection_1_2 and $raw_socket_connection_1_3 and $raw_socket_connection_1_4 and $raw_socket_connection_1_5) or ($raw_socket_connection_2 and $file_search_1_1 and $file_search_1_2 and $file_search_1_3)) + uint16( 0 ) == 0x5A4D and ( ( $http_connection_1 and $file_search_1_1 and $file_search_1_2 and $file_search_1_3 and $raw_socket_connection_1_1 and $raw_socket_connection_1_2 and $raw_socket_connection_1_3 and $raw_socket_connection_1_4 and $raw_socket_connection_1_5 ) or ( $raw_socket_connection_2 and $file_search_1_1 and $file_search_1_2 and $file_search_1_3 ) ) } rule REVERSINGLABS_Win64_Ransomware_Solaso : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Solaso ransomware." author = "ReversingLabs" - id = "53f56ad8-ccdf-58f0-a5d9-e58f2c18ac76" + id = "ff512105-0f98-51e4-a8f1-4eb60e1e63a0" date = "2021-11-02" modified = "2021-11-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Solaso.yara#L1-L171" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "368a80a9f2e264d17c61d6ed4c22baec838ba0b0bc2e5c79344830bf861aa5a2" + logic_hash = "v1_sha256_368a80a9f2e264d17c61d6ed4c22baec838ba0b0bc2e5c79344830bf861aa5a2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -8455,20 +8455,20 @@ rule REVERSINGLABS_Win64_Ransomware_Solaso : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Pacman : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Pacman ransomware." author = "ReversingLabs" - id = "a440769b-030b-5b72-a6f2-cf478dd7acd2" + id = "2df67e17-4ecd-54f9-9691-8426f2338d58" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Pacman.yara#L1-L68" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0634303a4db2631edb40a9435444f3bdc4bc6eb745c7e43a54478e54e7507403" + logic_hash = "v1_sha256_0634303a4db2631edb40a9435444f3bdc4bc6eb745c7e43a54478e54e7507403" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -8526,20 +8526,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Pacman : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and ($pacman_find_encrypted_1 and $pacman_find_encrypted_2 and $pacman_encrypt) + uint16( 0 ) == 0x5A4D and ( $pacman_find_encrypted_1 and $pacman_find_encrypted_2 and $pacman_encrypt ) } rule REVERSINGLABS_Win32_Ransomware_Marsjoke : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects MarsJoke ransomware." author = "ReversingLabs" - id = "8164c586-f548-5414-9df8-61e0c51cbe29" + id = "eb5030ca-99ea-5891-9a2f-8d60dc473805" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MarsJoke.yara#L1-L157" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "298b2fd99793a15b3537853289e1337648d3fa84f12038e6f6831741404b7c5c" + logic_hash = "v1_sha256_298b2fd99793a15b3537853289e1337648d3fa84f12038e6f6831741404b7c5c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -8686,20 +8686,20 @@ rule REVERSINGLABS_Win32_Ransomware_Marsjoke : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and $search_and_encrypt_files and $remote_connection_1 and $remote_connection_2 + uint16( 0 ) == 0x5A4D and $search_and_encrypt_files and $remote_connection_1 and $remote_connection_2 } rule REVERSINGLABS_Win32_Ransomware_Lechiffre : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects LeChiffre ransomware." author = "ReversingLabs" - id = "5d2698fe-9a0b-549d-9a83-72e2ccfc1966" + id = "98839690-ee79-5bf4-88d7-7ff727ef659c" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.LeChiffre.yara#L1-L123" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0b96f5f48700f2cba22da91187b3111946074e9cc58a502f25d7b96059a043cb" + logic_hash = "v1_sha256_0b96f5f48700f2cba22da91187b3111946074e9cc58a502f25d7b96059a043cb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -8809,20 +8809,20 @@ rule REVERSINGLABS_Win32_Ransomware_Lechiffre : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and $find_files and $encrypt_files_1 and $encrypt_files_2 and $remote_connection_1 and $remote_connection_2 and $remote_connection_3 + uint16( 0 ) == 0x5A4D and $find_files and $encrypt_files_1 and $encrypt_files_2 and $remote_connection_1 and $remote_connection_2 and $remote_connection_3 } rule REVERSINGLABS_Win32_Ransomware_Encoded01 : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Encoded01 ransomware." author = "ReversingLabs" - id = "923d987e-f888-5b6a-9ebd-ee1257124aed" + id = "f449107a-d02c-5901-86b4-0d32f11317a4" date = "2021-12-16" modified = "2021-12-16" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Encoded01.yara#L1-L141" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f6f872290f15f4c564911bb099824c47cb13164457e1bcdb02dee441bc2d6b6a" + logic_hash = "v1_sha256_f6f872290f15f4c564911bb099824c47cb13164457e1bcdb02dee441bc2d6b6a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -8938,20 +8938,20 @@ rule REVERSINGLABS_Win32_Ransomware_Encoded01 : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($enum_resources) and ( all of ($find_files_p*)) and ($encrypt_files) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_resources ) and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Acepy : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Acepy ransomware." author = "ReversingLabs" - id = "3ffb45b1-6bde-5bf8-957e-433b9488ba91" + id = "7793fb34-bc87-5750-991e-5ae216541779" date = "2022-08-04" modified = "2022-08-04" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Acepy.yara#L1-L69" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "92c543a0b8c3c884f83647119d32c7b46f5fe839694bb8a8de0146c5c77bc587" + logic_hash = "v1_sha256_92c543a0b8c3c884f83647119d32c7b46f5fe839694bb8a8de0146c5c77bc587" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -8999,7 +8999,7 @@ rule REVERSINGLABS_Win32_Ransomware_Acepy : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and (($find_files) and ($encrypt_files) and ($drop_ransom_note)) + uint16( 0 ) == 0x5A4D and ( ( $find_files ) and ( $encrypt_files ) and ( $drop_ransom_note ) ) } import "pe" 
@@ -9008,13 +9008,13 @@ rule REVERSINGLABS_Win32_Ransomware_Archiveus : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects Archiveus ransomware." author = "ReversingLabs" - id = "89e5af93-1153-5367-a539-6af77c99c214" + id = "2fc61910-e1d4-5016-8204-28d877f89225" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Archiveus.yara#L3-L50" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b8a42b98ab3e8b97d2e226e979f342a6a72f21d8f068f59c21ad95764077f8a" + logic_hash = "v1_sha256_2b8a42b98ab3e8b97d2e226e979f342a6a72f21d8f068f59c21ad95764077f8a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -9050,20 +9050,20 @@ rule REVERSINGLABS_Win32_Ransomware_Archiveus : TC_DETECTION MALICIOUS MALWARE F $instruction_string = "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" wide condition: - uint16(0)==0x5A4D and ($entry_point at pe.entry_point) and $dump_instruction and $extension_rule and $instruction_string + uint16( 0 ) == 0x5A4D and ( $entry_point at pe.entry_point ) and $dump_instruction and $extension_rule and $instruction_string } rule REVERSINGLABS_Win32_Ransomware_Meow : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Meow ransomware." author = "ReversingLabs" - id = "7cebb04d-1cda-5ad1-b412-8b38df7b2550" + id = "b4170467-44e2-5364-bff6-0bb09943c21f" date = "2022-10-24" modified = "2022-10-24" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Meow.yara#L1-L84" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b00753d2b150a815279297ddf40d70051d25de1c32bb90f5b706ea7fd36bb871" + logic_hash = "v1_sha256_b00753d2b150a815279297ddf40d70051d25de1c32bb90f5b706ea7fd36bb871" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -9127,20 +9127,20 @@ rule REVERSINGLABS_Win32_Ransomware_Meow : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Win32_Ransomware_Dragon : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Dragon ransomware." author = "ReversingLabs" - id = "dbeab955-f1fe-57eb-a9a4-c8c885ab7fad" + id = "ba8cbb0e-d70f-5bae-9106-ea598e893276" date = "2020-10-30" modified = "2020-10-30" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Dragon.yara#L1-L149" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7298c5681deaf04abb6a656cefc09b5ee4096ff7a5028caab1d7b107e97be90a" + logic_hash = "v1_sha256_7298c5681deaf04abb6a656cefc09b5ee4096ff7a5028caab1d7b107e97be90a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -9263,20 +9263,20 @@ rule REVERSINGLABS_Win32_Ransomware_Dragon : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($skip_hk_china_taiwan_p*)) and ( all of ($find_files_*)) and ($crypt_files) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $skip_hk_china_taiwan_p* ) ) and ( all of ( $find_files_* ) ) and ( $crypt_files ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Cryptojoker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects CryptoJoker ransomware." author = "ReversingLabs" - id = "50a9280b-a352-5a2b-acee-5690e509dfd7" + id = "f4c5dba6-49e0-5600-950e-6ff2bed86b7a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoJoker.yara#L1-L140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "42ee1e63ada1ae986f43a1300eda0b1fa7b54c26be31ef5637bb321defffbe40" + logic_hash = "v1_sha256_42ee1e63ada1ae986f43a1300eda0b1fa7b54c26be31ef5637bb321defffbe40" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -9400,20 +9400,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptojoker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and (($call_encrypt and $encrypt_files and $start_process) or ($msgbox_timer) or ($unzip_packed_file and $resolve_assembly)) + uint16( 0 ) == 0x5A4D and ( ( $call_encrypt and $encrypt_files and $start_process ) or ( $msgbox_timer ) or ( $unzip_packed_file and $resolve_assembly ) ) } rule REVERSINGLABS_Win32_Ransomware_Thanatos : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Thanatos ransomware." author = "ReversingLabs" - id = "190adbd0-30a7-5619-ab70-3ab031ece2f7" + id = "31e0482f-8f39-5393-a03d-8b4b1c0f33b5" date = "2020-11-13" modified = "2020-11-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Thanatos.yara#L1-L85" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a51fa9cf1a08e4cd252a8b385be3bfde909585e2a799baaede977e40ecff5313" + logic_hash = "v1_sha256_a51fa9cf1a08e4cd252a8b385be3bfde909585e2a799baaede977e40ecff5313" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -9482,20 +9482,20 @@ rule REVERSINGLABS_Win32_Ransomware_Thanatos : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Bandarchor : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BandarChor ransomware." author = "ReversingLabs" - id = "c645a081-7ff6-58fc-af8e-55f43f56d0ea" + id = "3d7334cf-9035-58d2-bbd8-94facaf44413" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BandarChor.yara#L1-L97" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1c0c33ef7de089fc7ed6b364c7693499d1a93f79a48d6f2a5c375e47aea176bc" + logic_hash = "v1_sha256_1c0c33ef7de089fc7ed6b364c7693499d1a93f79a48d6f2a5c375e47aea176bc" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -9577,20 +9577,20 @@ rule REVERSINGLABS_Win32_Ransomware_Bandarchor : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and (($file_extensions_1 and $file_extensions_2 and $file_extensions_3 and $file_extensions_4 and $file_extensions_5) and $parse_server_commands) + uint16( 0 ) == 0x5A4D and ( ( $file_extensions_1 and $file_extensions_2 and $file_extensions_3 and $file_extensions_4 and $file_extensions_5 ) and $parse_server_commands ) } rule REVERSINGLABS_Win32_Ransomware_Teslacrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Teslacrypt ransomware." author = "ReversingLabs" - id = "842dae76-573c-564d-b658-ccdda451df21" + id = "5b78ea5c-7327-5930-a21e-caf59e9bfb45" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Teslacrypt.yara#L1-L665" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cc054be68d833d9f29a4ebd1c202922881b0d22a2605edc7def1048dc08f6325" + logic_hash = "v1_sha256_cc054be68d833d9f29a4ebd1c202922881b0d22a2605edc7def1048dc08f6325" score = 75 quality = 65 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -10170,20 +10170,20 @@ rule REVERSINGLABS_Win32_Ransomware_Teslacrypt : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and (($file_search_0_3_1_1 and $file_search_0_3_1_2 and $encrypt_file_0_2_6a_1 and $encrypt_file_0_2_6a_2 and $server_communication_0_2_6a_1 and $server_communication_0_2_6a_2) or ($file_search_0_3_1_1 and $file_search_0_3_1_2 and $encrypt_file_0_3_1 and $server_communication_0_3_1_1 and $server_communication_0_3_1_2) or ($file_search_0_3_3_1 and $file_search_0_3_3_2 and $encrypt_file_0_3_3_1 and $encrypt_file_0_3_3_2 and $server_communication_0_3_3_1 and $server_communication_0_3_3_2) or ($file_search_0_3_4a_1 and $file_search_0_3_4a_2 and $encrypt_file_0_3_4a_1 and $encrypt_file_0_3_4a_2 and $server_communication_0_3_4a_1 and $server_communication_0_3_4a_2) or ($file_search_0_3_5a_1 and $file_search_0_3_5a_2 and $encrypt_file_0_3_5a_1 and $encrypt_file_0_3_5a_2 and $server_communication_0_3_5a_1 and $server_communication_0_3_5a_2) or ($server_communication_2_0_4e and $search_and_encrypt_2_0_4e_1 and $search_and_encrypt_2_0_4e_2 and $search_and_encrypt_2_0_4e_3 and $search_and_encrypt_2_0_4e_4 and $search_and_encrypt_2_0_4e_5) or ($server_communication_4_0_1 and $server_communication_4_0_2 and $server_communication_4_0_3 and $file_search_4_0_1 and $file_search_4_0_2 and $file_search_4_0_3) or ($file_search_4_1b_1 and $file_search_4_1b_2 and $file_search_4_1b_3 and $server_communication_4_1b_1 and $server_communication_4_1b_2 and $server_communication_4_1b_3 and $server_communication_4_1b_4 and $server_communication_4_1b_5) or ($file_search_4_2_1 and $file_search_4_2_2 and $server_communication_4_1b_1 and $server_communication_4_2_1 and $server_communication_4_2_2 and $server_communication_4_2_3 and $server_communication_4_2_4 and $server_communication_4_2_5) or ($server_communication_4_0_1 and $server_communication_3_1 and $server_communication_3_2 and $file_search_3_1 and $file_search_3_1_1 and $file_search_3_1_2 and 
$search_and_encrypt_3_1 and $search_and_encrypt_3_2 and $search_and_encrypt_3_3 and $search_and_encrypt_3_4) or ($server_communication_4_0_1 and $server_communication_3_1 and $server_communication_3_2 and $file_search_3_1 and $file_search_3_2_1 and $file_search_3_2_2 and $search_and_encrypt_3_1 and $search_and_encrypt_3_2 and $search_and_encrypt_3_3 and $search_and_encrypt_3_4)) + uint16( 0 ) == 0x5A4D and ( ( $file_search_0_3_1_1 and $file_search_0_3_1_2 and $encrypt_file_0_2_6a_1 and $encrypt_file_0_2_6a_2 and $server_communication_0_2_6a_1 and $server_communication_0_2_6a_2 ) or ( $file_search_0_3_1_1 and $file_search_0_3_1_2 and $encrypt_file_0_3_1 and $server_communication_0_3_1_1 and $server_communication_0_3_1_2 ) or ( $file_search_0_3_3_1 and $file_search_0_3_3_2 and $encrypt_file_0_3_3_1 and $encrypt_file_0_3_3_2 and $server_communication_0_3_3_1 and $server_communication_0_3_3_2 ) or ( $file_search_0_3_4a_1 and $file_search_0_3_4a_2 and $encrypt_file_0_3_4a_1 and $encrypt_file_0_3_4a_2 and $server_communication_0_3_4a_1 and $server_communication_0_3_4a_2 ) or ( $file_search_0_3_5a_1 and $file_search_0_3_5a_2 and $encrypt_file_0_3_5a_1 and $encrypt_file_0_3_5a_2 and $server_communication_0_3_5a_1 and $server_communication_0_3_5a_2 ) or ( $server_communication_2_0_4e and $search_and_encrypt_2_0_4e_1 and $search_and_encrypt_2_0_4e_2 and $search_and_encrypt_2_0_4e_3 and $search_and_encrypt_2_0_4e_4 and $search_and_encrypt_2_0_4e_5 ) or ( $server_communication_4_0_1 and $server_communication_4_0_2 and $server_communication_4_0_3 and $file_search_4_0_1 and $file_search_4_0_2 and $file_search_4_0_3 ) or ( $file_search_4_1b_1 and $file_search_4_1b_2 and $file_search_4_1b_3 and $server_communication_4_1b_1 and $server_communication_4_1b_2 and $server_communication_4_1b_3 and $server_communication_4_1b_4 and $server_communication_4_1b_5 ) or ( $file_search_4_2_1 and $file_search_4_2_2 and $server_communication_4_1b_1 and $server_communication_4_2_1 and 
$server_communication_4_2_2 and $server_communication_4_2_3 and $server_communication_4_2_4 and $server_communication_4_2_5 ) or ( $server_communication_4_0_1 and $server_communication_3_1 and $server_communication_3_2 and $file_search_3_1 and $file_search_3_1_1 and $file_search_3_1_2 and $search_and_encrypt_3_1 and $search_and_encrypt_3_2 and $search_and_encrypt_3_3 and $search_and_encrypt_3_4 ) or ( $server_communication_4_0_1 and $server_communication_3_1 and $server_communication_3_2 and $file_search_3_1 and $file_search_3_2_1 and $file_search_3_2_2 and $search_and_encrypt_3_1 and $search_and_encrypt_3_2 and $search_and_encrypt_3_3 and $search_and_encrypt_3_4 ) ) } rule REVERSINGLABS_Win32_Ransomware_Zhen : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Zhen ransomware." author = "ReversingLabs" - id = "ce6bc48d-934b-582c-8ce7-3dd595cbf5dd" + id = "381ddd93-8849-5d84-81ba-f846d3308630" date = "2021-04-28" modified = "2021-04-28" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Zhen.yara#L1-L176" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "17b24e7baeccd90b8695eb8d21d9ee4a317806ed7713252d315d06bee3f93e65" + logic_hash = "v1_sha256_17b24e7baeccd90b8695eb8d21d9ee4a317806ed7713252d315d06bee3f93e65" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -10335,20 +10335,20 @@ rule REVERSINGLABS_Win32_Ransomware_Zhen : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($scan_network_p*)) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $scan_network_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Afrodita : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Afrodita ransomware." author = "ReversingLabs" - id = "513963fd-5f3d-5d31-a65a-37f6f5c72260" + id = "9f0e2173-c44d-5084-a666-26f146f55c53" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Afrodita.yara#L1-L119" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ce7cc445d4c1f59c25b9505fc1f7f9dd0d286ab80510e2977b50ff15433aea60" + logic_hash = "v1_sha256_ce7cc445d4c1f59c25b9505fc1f7f9dd0d286ab80510e2977b50ff15433aea60" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -10441,20 +10441,20 @@ rule REVERSINGLABS_Win32_Ransomware_Afrodita : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_files) and (($exclude_directories_and_drop_ransom_note) or ($drop_ransom_note_no_dir_exclusion)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) and ( ( $exclude_directories_and_drop_ransom_note ) or ( $drop_ransom_note_no_dir_exclusion ) ) } rule REVERSINGLABS_Win32_Ransomware_Ragnarok : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ragnarok ransomware." author = "ReversingLabs" - id = "263a671e-dfdb-5ab8-9bb9-355c76a88c10" + id = "3e4094cc-3408-5299-82f4-0edae31a0d6a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ragnarok.yara#L1-L110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "aaa17ab98b59a5c8c71a2b82a9bf29dd3a1a1719deaf08a3bafa77895bc10311" + logic_hash = "v1_sha256_aaa17ab98b59a5c8c71a2b82a9bf29dd3a1a1719deaf08a3bafa77895bc10311" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -10543,20 +10543,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ragnarok : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($disable_fw_and_delete_shadow_volumes) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $disable_fw_and_delete_shadow_volumes ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Guscrypter : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GusCrypter ransomware." author = "ReversingLabs" - id = "64aa468c-ec24-58aa-8ea9-23f0cebed227" + id = "c166a4e9-bec1-5e14-9885-320fdc75e017" date = "2020-11-26" modified = "2020-11-26" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GusCrypter.yara#L1-L129" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cfe6005028c0e5f5d713af2a549574203678bab2ee48acc1727702bcf91522b1" + logic_hash = "v1_sha256_cfe6005028c0e5f5d713af2a549574203678bab2ee48acc1727702bcf91522b1" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -10663,20 +10663,20 @@ rule REVERSINGLABS_Win32_Ransomware_Guscrypter : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($misc_checks_p*)) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $misc_checks_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Sherminator : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Sherminator ransomware." author = "ReversingLabs" - id = "99792a22-8027-557f-927f-30eac4d1e690" + id = "a3783699-c093-537d-a676-1537c04b9428" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sherminator.yara#L1-L157" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "22ac61b95f6ca4530e81a23fdd05be93e368647ca7100097a94eae3c6ce3b7d1" + logic_hash = "v1_sha256_22ac61b95f6ca4530e81a23fdd05be93e368647ca7100097a94eae3c6ce3b7d1" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -10809,20 +10809,20 @@ rule REVERSINGLABS_Win32_Ransomware_Sherminator : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($enum_resources_p*)) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $enum_resources_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Ladon : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ladon ransomware." author = "ReversingLabs" - id = "ebc8f957-cdcf-54eb-bd02-74088cf51768" + id = "6a9ae2c4-3ce4-523f-80ed-7a1514ccc18e" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ladon.yara#L1-L101" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "979e3f3bf6a67bf10b6bfdd2eeb722d8836096076b7e88c6d4aca041a1a9eecb" + logic_hash = "v1_sha256_979e3f3bf6a67bf10b6bfdd2eeb722d8836096076b7e88c6d4aca041a1a9eecb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -10903,20 +10903,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ladon : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Gibon : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Gibon ransomware." author = "ReversingLabs" - id = "3f1a5bee-8fc0-5596-b898-e97073731930" + id = "70b6f314-cc26-5112-83de-58ce2d9f0475" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Gibon.yara#L1-L122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cace0f35529307487f39aace6ae8989c7b878f82ebe890b256dfac563551a099" + logic_hash = "v1_sha256_cace0f35529307487f39aace6ae8989c7b878f82ebe890b256dfac563551a099" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -11020,20 +11020,20 @@ rule REVERSINGLABS_Win32_Ransomware_Gibon : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($remote_server_connection_1_0 and $remote_server_connection_1_1 and ( all of ($encryption_loop_1_*))) + uint16( 0 ) == 0x5A4D and ( $remote_server_connection_1_0 and $remote_server_connection_1_1 and ( all of ( $encryption_loop_1_* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Satan : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Satan ransomware." author = "ReversingLabs" - id = "7ec379d8-172c-52ee-9284-6898dd446468" + id = "4f3d1d04-0ae0-5718-a041-933afcfcbce3" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Satan.yara#L1-L152" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0074090c2a6cc483deffdc83dc1c0bfbd150e201c27e54f998dd2c0a7660f917" + logic_hash = "v1_sha256_0074090c2a6cc483deffdc83dc1c0bfbd150e201c27e54f998dd2c0a7660f917" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -11164,20 +11164,20 @@ rule REVERSINGLABS_Win32_Ransomware_Satan : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($search_processes and ( all of ($search_files_in_specific_folders_p*)) and $encrypt_files and $remote_connection) + uint16( 0 ) == 0x5A4D and ( $search_processes and ( all of ( $search_files_in_specific_folders_p* ) ) and $encrypt_files and $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_MZP : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects MZP ransomware." author = "ReversingLabs" - id = "c08a4080-fa26-5b7b-869d-5f59096b1a12" + id = "e249b807-3ef2-568e-b7c5-eebdc60d917f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MZP.yara#L1-L147" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "724ae1033bfb8ff494b30e6b3333e6c848375f1b001b75e71c9444c9f9f31251" + logic_hash = "v1_sha256_724ae1033bfb8ff494b30e6b3333e6c848375f1b001b75e71c9444c9f9f31251" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -11295,20 +11295,20 @@ rule REVERSINGLABS_Win32_Ransomware_MZP : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($search_config_file) and ( all of ($find_files_p*)) and ($track_mouse_event_for_entropy) and ($encrypt_files) and ( all of ($show_ransom_note_p*)) + uint16( 0 ) == 0x5A4D and ( $search_config_file ) and ( all of ( $find_files_p* ) ) and ( $track_mouse_event_for_entropy ) and ( $encrypt_files ) and ( all of ( $show_ransom_note_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Braincrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BrainCrypt ransomware." author = "ReversingLabs" - id = "190798d5-594d-5b80-aa0e-8d7ff167f1c0" + id = "98889b01-942e-569f-aabf-a64355631bc3" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BrainCrypt.yara#L1-L121" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "85866d6ffa136bf3ed27bbab55ae5430af4a1363930ebacab0df9ad24f8734cb" + logic_hash = "v1_sha256_85866d6ffa136bf3ed27bbab55ae5430af4a1363930ebacab0df9ad24f8734cb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -11415,20 +11415,20 @@ rule REVERSINGLABS_Win32_Ransomware_Braincrypt : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and (($get_files_for_encryption_32 and $encrypt_file_32 and $attach_to_server_32) or ($get_files_for_encryption_64 and $encrypt_file_64 and $attach_to_server_64)) + uint16( 0 ) == 0x5A4D and ( ( $get_files_for_encryption_32 and $encrypt_file_32 and $attach_to_server_32 ) or ( $get_files_for_encryption_64 and $encrypt_file_64 and $attach_to_server_64 ) ) } rule REVERSINGLABS_Win32_Ransomware_Magniber : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Magniber ransomware." author = "ReversingLabs" - id = "07b6c938-aa25-5ff6-95d2-9e0f84c41b41" + id = "350da96b-7f4b-5893-9dda-00e0fd1f4cb4" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Magniber.yara#L1-L114" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "05b516f9b466489ea3a30e2fe5eb08290e85ece7a63e29e8bbbeb81c87d0a6f1" + logic_hash = "v1_sha256_05b516f9b466489ea3a30e2fe5eb08290e85ece7a63e29e8bbbeb81c87d0a6f1" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -11525,20 +11525,20 @@ rule REVERSINGLABS_Win32_Ransomware_Magniber : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($search_files and ( all of ($encrypt_files_*)) and $remote_connection) + uint16( 0 ) == 0x5A4D and ( $search_files and ( all of ( $encrypt_files_* ) ) and $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Desucrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects DesuCrypt ransomware." author = "ReversingLabs" - id = "b9b3ce2b-f184-5bfa-8e1c-a7b996ac708a" + id = "1ca7dbed-d5ed-5887-af4f-010c962186c8" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DesuCrypt.yara#L1-L93" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bd3ba8ea0fc16aad859a73628d0eda180d49298162fe239acf81c7c4e371eaad" + logic_hash = "v1_sha256_bd3ba8ea0fc16aad859a73628d0eda180d49298162fe239acf81c7c4e371eaad" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -11616,7 +11616,7 @@ rule REVERSINGLABS_Win32_Ransomware_Desucrypt : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($find_files and $encrypt_files and $enum_shares) + uint16( 0 ) == 0x5A4D and ( $find_files and $encrypt_files and $enum_shares ) } import "pe" 
@@ -11625,13 +11625,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptowall : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects CryptoWall ransomware." author = "ReversingLabs" - id = "06d8b106-d69a-526a-8e16-c95d39eb2993" + id = "eaa68024-0428-5461-a6a9-8b9f0a8efdbc" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoWall.yara#L3-L312" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "74baa04ee506732e0bb64a77cfd2d2216fcc978f13447ef07862e0116c093c14" + logic_hash = "v1_sha256_74baa04ee506732e0bb64a77cfd2d2216fcc978f13447ef07862e0116c093c14" score = 75 quality = 88 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -11905,20 +11905,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptowall : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ((($v30_entrypoint at pe.entry_point) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and $v30_1_find_file_1 and $v30_1_find_file_2 and $v30_1_encrypt_file_1 and $v30_1_encrypt_file_2 and $v30_1_encrypt_file_3) or (($v30_entrypoint at pe.entry_point) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and $v30_2_find_file_1 and $v30_2_find_file_2 and $v30_2_encrypt_file_1 and $v30_2_encrypt_file_2 and $v30_2_encrypt_file_3) or (($v20_entrypoint at pe.entry_point) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and $v30_2_find_file_1 and $v30_2_find_file_2 and $v20_1_encrypt_file_1 and $v20_1_encrypt_file_2 and $v20_1_encrypt_file_3) or (($v30_entrypoint at pe.entry_point) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and $v30_3_find_file_1 and $v30_3_find_file_2 and $v30_3_encrypt_file_1 and $v30_3_encrypt_file_2 and $v30_3_encrypt_file_3)) + uint16( 0 ) == 0x5A4D and ( ( ( $v30_entrypoint at pe.entry_point ) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and $v30_1_find_file_1 and $v30_1_find_file_2 and $v30_1_encrypt_file_1 and $v30_1_encrypt_file_2 and $v30_1_encrypt_file_3 ) or ( ( $v30_entrypoint at pe.entry_point ) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and $v30_2_find_file_1 and $v30_2_find_file_2 and $v30_2_encrypt_file_1 and $v30_2_encrypt_file_2 and $v30_2_encrypt_file_3 ) or ( ( $v20_entrypoint at pe.entry_point ) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and $v30_2_find_file_1 and $v30_2_find_file_2 and $v20_1_encrypt_file_1 and $v20_1_encrypt_file_2 and $v20_1_encrypt_file_3 ) or ( ( $v30_entrypoint at pe.entry_point ) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and $v30_3_find_file_1 and $v30_3_find_file_2 and $v30_3_encrypt_file_1 and $v30_3_encrypt_file_2 and $v30_3_encrypt_file_3 ) ) } rule 
REVERSINGLABS_Win32_Ransomware_Flamingo : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Flamingo ransomware." author = "ReversingLabs" - id = "333ef1f9-ac54-5a3d-9b2b-50483eeb93e1" + id = "74b8a575-df86-55a1-ab91-d481ffd88134" date = "2021-04-14" modified = "2021-04-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Flamingo.yara#L1-L54" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "446c0d332af01c0fceb0356d5ab273eb55764869cc8343468b75625e5d4d1036" + logic_hash = "v1_sha256_446c0d332af01c0fceb0356d5ab273eb55764869cc8343468b75625e5d4d1036" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -11957,20 +11957,20 @@ rule REVERSINGLABS_Win32_Ransomware_Flamingo : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Good : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Good ransomware." author = "ReversingLabs" - id = "e0f97200-7fe9-5811-b6cd-708ecc3a2fbc" + id = "e0f3fb76-021b-5e71-b687-c2ee1766b04a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Good.yara#L1-L82" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6737853a77a6008f9fd2141bb6b13d595f1cb7e832be944596f709e1fcdf8003" + logic_hash = "v1_sha256_6737853a77a6008f9fd2141bb6b13d595f1cb7e832be944596f709e1fcdf8003" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12033,20 +12033,20 @@ rule REVERSINGLABS_Win32_Ransomware_Good : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Fenixlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects FenixLocker ransomware." author = "ReversingLabs" - id = "4868ced4-885d-548c-993c-ae25ab188172" + id = "92b5822a-2539-56e2-819b-256c0966f76f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FenixLocker.yara#L1-L143" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "72712616df2c73c5c17696a7c5cb93f767910acf5f49cda27373fccfa29c5a4d" + logic_hash = "v1_sha256_72712616df2c73c5c17696a7c5cb93f767910acf5f49cda27373fccfa29c5a4d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12176,20 +12176,20 @@ rule REVERSINGLABS_Win32_Ransomware_Fenixlocker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($encrypt_files_1 and $encrypt_files_2 and $encrypt_files_3) or ($encrypt_files_1 and $encrypt_files_4 and $encrypt_files_5) + uint16( 0 ) == 0x5A4D and ( $encrypt_files_1 and $encrypt_files_2 and $encrypt_files_3 ) or ( $encrypt_files_1 and $encrypt_files_4 and $encrypt_files_5 ) } rule REVERSINGLABS_Win32_Ransomware_Infodot : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects InfoDot ransomware." author = "ReversingLabs" - id = "2f6447f4-523b-5ea1-a16d-d68bb9bcc79d" + id = "5e4ce52c-2366-5910-9066-096d44fdd705" date = "2021-02-16" modified = "2021-02-16" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.InfoDot.yara#L1-L115" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "24a1c25c1d70c21323417ae0892c613361c4bfc829737ef86b6fa7616ae668c6" + logic_hash = "v1_sha256_24a1c25c1d70c21323417ae0892c613361c4bfc829737ef86b6fa7616ae668c6" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12286,20 +12286,20 @@ rule REVERSINGLABS_Win32_Ransomware_Infodot : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Techandstrat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TechandStrat ransomware." author = "ReversingLabs" - id = "525d0b48-2018-5848-b9e7-def8395254eb" + id = "73d7d56b-a692-5a04-b447-306aff43e4da" date = "2021-05-17" modified = "2021-05-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TechandStrat.yara#L1-L106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "80e201cf91adeee100e05af3ba5227fc61968bb6e0ce602107ba1217a7a62856" + logic_hash = "v1_sha256_80e201cf91adeee100e05af3ba5227fc61968bb6e0ce602107ba1217a7a62856" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12383,20 +12383,20 @@ rule REVERSINGLABS_Win32_Ransomware_Techandstrat : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ( all of ($enum_shares_p*)) and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $enum_shares_p* ) ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Jemd : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Jemd ransomware." author = "ReversingLabs" - id = "ef981ffa-8801-50f0-9441-5f2bfcf44133" + id = "5f055fc7-1694-5d47-8606-b5a9f4b26169" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Jemd.yara#L1-L105" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "552e0fc118031e953dee2e7c6bf8234a5a90de8c34b0e2724dfe99f2b28b8c51" + logic_hash = "v1_sha256_552e0fc118031e953dee2e7c6bf8234a5a90de8c34b0e2724dfe99f2b28b8c51" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12480,20 +12480,20 @@ rule REVERSINGLABS_Win32_Ransomware_Jemd : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($main_routine) and ( all of ($find_files_*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $main_routine ) and ( all of ( $find_files_* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Blackmoon : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BlackMoon ransomware." author = "ReversingLabs" - id = "95ebb6c4-b0c9-5f9a-8424-a2f4d33953eb" + id = "2f4bac0f-186b-5182-9401-7a6094893ca0" date = "2020-11-11" modified = "2020-11-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BlackMoon.yara#L1-L70" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "428409096a8637978bf2a1efb3238e4ba87715a909693b0cd26c0f689d567a09" + logic_hash = "v1_sha256_428409096a8637978bf2a1efb3238e4ba87715a909693b0cd26c0f689d567a09" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12547,20 +12547,20 @@ rule REVERSINGLABS_Win32_Ransomware_Blackmoon : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Pay2Key : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Pay2Key ransomware." author = "ReversingLabs" - id = "2e482222-0483-5fe3-bb87-cfadda8e7e7a" + id = "e37df21a-02bf-55df-8622-6b4e64015a36" date = "2021-04-14" modified = "2021-04-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Pay2Key.yara#L1-L99" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2497504f3afc99523cb29e51652a24f4374316d57d4baf5cde8d22e75a425585" + logic_hash = "v1_sha256_2497504f3afc99523cb29e51652a24f4374316d57d4baf5cde8d22e75a425585" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12638,20 +12638,20 @@ rule REVERSINGLABS_Win32_Ransomware_Pay2Key : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Linux_Ransomware_Redalert : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects RedAlert ransomware." author = "ReversingLabs" - id = "ec7567bf-2c39-529f-ae93-74270a161827" + id = "4adbf149-d96c-5299-ba96-fa3ee0848cf6" date = "2022-09-01" modified = "2022-09-01" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Linux.Ransomware.RedAlert.yara#L1-L146" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fe0d10c2ef1dacdb5374f319e470274b91f4f171db49de8c89e8aaa9aa75a45c" + logic_hash = "v1_sha256_fe0d10c2ef1dacdb5374f319e470274b91f4f171db49de8c89e8aaa9aa75a45c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12772,20 +12772,20 @@ rule REVERSINGLABS_Linux_Ransomware_Redalert : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint32(0)==0x464C457F and ($setup_environment) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($make_configuration) + uint32( 0 ) == 0x464C457F and ( $setup_environment ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $make_configuration ) } rule REVERSINGLABS_Win32_Ransomware_Velso : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Velso ransomware." author = "ReversingLabs" - id = "72c7baaa-4f83-54c5-ba71-2b45e5eeefd2" + id = "cddd3bea-33e4-5abd-ba2b-9363f50aa900" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Velso.yara#L1-L230" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "602be848a26106a1bd46cfc515578f0628687e6cb352e609a274220a61bcb620" + logic_hash = "v1_sha256_602be848a26106a1bd46cfc515578f0628687e6cb352e609a274220a61bcb620" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -12985,20 +12985,20 @@ rule REVERSINGLABS_Win32_Ransomware_Velso : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($enum_resources_p*)) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $enum_resources_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Zerolocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects ZeroLocker ransomware." author = "ReversingLabs" - id = "291b5640-387c-54d9-97a6-13823932fa60" + id = "f527aa4d-48d8-5c20-9530-3afc3a8257d1" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.ZeroLocker.yara#L1-L70" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "147e4b390bcfaff8f05059c1d9a98b50f544fc32e820406417894fe5046e0f71" + logic_hash = "v1_sha256_147e4b390bcfaff8f05059c1d9a98b50f544fc32e820406417894fe5046e0f71" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13058,20 +13058,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Zerolocker : TC_DETECTION MALICIOUS } condition: - uint16(0)==0x5A4D and ($encrypt_routine_1 and $encrypt_routine_2 and $encrypt_routine_3) + uint16( 0 ) == 0x5A4D and ( $encrypt_routine_1 and $encrypt_routine_2 and $encrypt_routine_3 ) } rule REVERSINGLABS_Win32_Ransomware_HDMR : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HDMR ransomware." author = "ReversingLabs" - id = "97b5020c-6cb1-5ec6-84a4-2f35eae761c2" + id = "4f928d8b-7df6-5ea7-8d07-642dfaa9ac1a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HDMR.yara#L1-L161" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "035c6596db8dc14a663679c1f7e682b85963927cc034b01e390cc22fdee3334a" + logic_hash = "v1_sha256_035c6596db8dc14a663679c1f7e682b85963927cc034b01e390cc22fdee3334a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13208,20 +13208,20 @@ rule REVERSINGLABS_Win32_Ransomware_HDMR : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($find_MS_xchange_backups_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $find_MS_xchange_backups_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Conti : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Conti ransomware." author = "ReversingLabs" - id = "548b8836-83cb-560c-af5f-33bdb24d15ed" + id = "4a148961-2c6f-53ed-a5ad-25af113aeb17" date = "2020-12-14" modified = "2020-12-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Conti.yara#L1-L74" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4f2b96c8eaf8d112a7bb60647db49616935a336396c705d39d5bb51dfd90c60b" + logic_hash = "v1_sha256_4f2b96c8eaf8d112a7bb60647db49616935a336396c705d39d5bb51dfd90c60b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13279,20 +13279,20 @@ rule REVERSINGLABS_Win32_Ransomware_Conti : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Crypmic : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Crypmic ransomware." author = "ReversingLabs" - id = "0d5c2141-c0ca-53c8-91fd-ec2d5f163df2" + id = "8ef9aef9-7673-52f3-8665-7ec394c48bca" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Crypmic.yara#L1-L56" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ee97c4d35cee68e080a4e9e0a21ecd3698da638463881a58f5daaf906ef86f75" + logic_hash = "v1_sha256_ee97c4d35cee68e080a4e9e0a21ecd3698da638463881a58f5daaf906ef86f75" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13336,20 +13336,20 @@ rule REVERSINGLABS_Win32_Ransomware_Crypmic : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and (( all of ($search_and_encrypt_*))) + uint16( 0 ) == 0x5A4D and ( ( all of ( $search_and_encrypt_* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_District : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects District ransomware." author = "ReversingLabs" - id = "fc6abbc7-66f9-56e6-8106-5f360f25b092" + id = "1e9ed54c-9415-5233-88a0-82fad7ad6c9f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.District.yara#L1-L194" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9ce395636fd7719f503726df82998e1ac72e9e80fd7a4534bd2251ac9283af38" + logic_hash = "v1_sha256_9ce395636fd7719f503726df82998e1ac72e9e80fd7a4534bd2251ac9283af38" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13514,20 +13514,20 @@ rule REVERSINGLABS_Win32_Ransomware_District : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ( all of ($encrypt_files_p*)) and ($find_files) and ( all of ($enum_resources_1_p*)) and ( all of ($enum_resources_2_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $encrypt_files_p* ) ) and ( $find_files ) and ( all of ( $enum_resources_1_p* ) ) and ( all of ( $enum_resources_2_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Atlas : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Atlas ransomware." author = "ReversingLabs" - id = "2c702b24-4b7e-505c-a694-0d915cc47315" + id = "28069774-438c-5150-87df-9e7c3ec3dcd1" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Atlas.yara#L1-L99" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1486f931ec096a00d913de0568ddd8aa5a091256445bc28aba90e3e194ebd045" + logic_hash = "v1_sha256_1486f931ec096a00d913de0568ddd8aa5a091256445bc28aba90e3e194ebd045" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13614,20 +13614,20 @@ rule REVERSINGLABS_Win32_Ransomware_Atlas : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $encrypt_files and $remote_server_1 and $remote_server_2 and $send_post_packet and $send_get_request + uint16( 0 ) == 0x5A4D and $encrypt_files and $remote_server_1 and $remote_server_2 and $send_post_packet and $send_get_request } rule REVERSINGLABS_Win32_Ransomware_Defray : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Defray ransomware." author = "ReversingLabs" - id = "bc9e2dfe-168b-5b99-8523-07bfdcba44f2" + id = "de8a10a9-835c-51f4-9816-8fc63dd05aa0" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Defray.yara#L1-L157" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "82d883c77f49e50edbc7af05a108d4d54a46dca7661e4d0cd8aeffa19cb8df98" + logic_hash = "v1_sha256_82d883c77f49e50edbc7af05a108d4d54a46dca7661e4d0cd8aeffa19cb8df98" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13755,20 +13755,20 @@ rule REVERSINGLABS_Win32_Ransomware_Defray : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($find_special_folders) and ($encrypt_files_1) and ( all of ($encrypt_files_2_p*)) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $find_special_folders ) and ( $encrypt_files_1 ) and ( all of ( $encrypt_files_2_p* ) ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Motocos : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Motocos ransomware." author = "ReversingLabs" - id = "cda44b86-c747-5b48-acd8-e68311ab24a3" + id = "4bc92f3f-e8b7-5be5-903c-d1e08d1fc785" date = "2021-09-17" modified = "2021-09-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Motocos.yara#L1-L75" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "34b99847f029a291808f08ba6e6ae62a54e6fed5acc928fe4828054801786881" + logic_hash = "v1_sha256_34b99847f029a291808f08ba6e6ae62a54e6fed5acc928fe4828054801786881" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13824,20 +13824,20 @@ rule REVERSINGLABS_Win32_Ransomware_Motocos : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($generate_key) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $generate_key ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Zeoticus : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Zeoticus ransomware." author = "ReversingLabs" - id = "483b20a4-2c16-5509-a503-2462a53d4d31" + id = "f27a220f-5072-5605-8b2b-3f4204444470" date = "2021-03-19" modified = "2021-03-19" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Zeoticus.yara#L1-L90" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "adf42b96139ad98f4253f3eba2c4af1be9545825605e0851185cc15284d9e9a0" + logic_hash = "v1_sha256_adf42b96139ad98f4253f3eba2c4af1be9545825605e0851185cc15284d9e9a0" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -13907,20 +13907,20 @@ rule REVERSINGLABS_Win32_Ransomware_Zeoticus : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ( all of ($enum_shares_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( all of ( $enum_shares_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Maktub : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Maktub ransomware." author = "ReversingLabs" - id = "23ca4232-77ff-5519-b6b0-ccec6cb35fe1" + id = "165affc7-9b68-5058-b0c0-145e2372f386" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Maktub.yara#L1-L116" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ee3213213e9521f7d19ce6340cd2f98057c22b1188ceefc30c17c18b6ec54e20" + logic_hash = "v1_sha256_ee3213213e9521f7d19ce6340cd2f98057c22b1188ceefc30c17c18b6ec54e20" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -14026,20 +14026,20 @@ rule REVERSINGLABS_Win32_Ransomware_Maktub : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $search_files and $previous_encrypt_files and $encrypt_files + uint16( 0 ) == 0x5A4D and $search_files and $previous_encrypt_files and $encrypt_files } rule REVERSINGLABS_Win32_Ransomware_Dmalocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects DMALocker ransomware." author = "ReversingLabs" - id = "3ddef0f1-61c9-59f6-a02c-35768c2cd4d6" + id = "5b236427-3f05-5a6c-9726-84e85aeb99db" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DMALocker.yara#L1-L149" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "107dbc4cacd9d451e9c6fe8aa91cd612f70ac767ee70f74f3a77d1e5548b054f" + logic_hash = "v1_sha256_107dbc4cacd9d451e9c6fe8aa91cd612f70ac767ee70f74f3a77d1e5548b054f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -14167,20 +14167,20 @@ rule REVERSINGLABS_Win32_Ransomware_Dmalocker : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_1) or ($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_2) or ($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_3) or ($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_1 and $dmalock_v2_enum_logical_disks) or ($dmalock_v4_encrypt_file_1 and $dmalock_v4_encrypt_file_2 and $dmalock_v4_remote_server_communication and $dmalock_v2_enum_logical_disks) + uint16( 0 ) == 0x5A4D and ( $dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_1 ) or ( $dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_2 ) or ( $dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_3 ) or ( $dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_1 and $dmalock_v2_enum_logical_disks ) or ( $dmalock_v4_encrypt_file_1 and $dmalock_v4_encrypt_file_2 and $dmalock_v4_remote_server_communication and $dmalock_v2_enum_logical_disks ) } rule REVERSINGLABS_Win32_Ransomware_Henry : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Henry ransomware." 
author = "ReversingLabs" - id = "63627f2b-3205-5790-ba97-8e0d1da39d7c" + id = "c308ea61-2ccd-51a0-b00b-7f4b3d4e1852" date = "2021-06-14" modified = "2021-06-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Henry.yara#L1-L80" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e6ab2a8a344d40407118e29ff78f5a0144f42a0fbdee19a80b341b59f056d292" + logic_hash = "v1_sha256_e6ab2a8a344d40407118e29ff78f5a0144f42a0fbdee19a80b341b59f056d292" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -14237,20 +14237,20 @@ rule REVERSINGLABS_Win32_Ransomware_Henry : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($setup_environment) and ($init_components) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $setup_environment ) and ( $init_components ) } rule REVERSINGLABS_Win32_Ransomware_Darkside : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects DarkSide ransomware." author = "ReversingLabs" - id = "061b00cb-9b70-521f-ab3f-7e6b3c129194" + id = "4cc1e6bc-4b97-52df-8ab3-9378008ef9b7" date = "2021-05-17" modified = "2021-05-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DarkSide.yara#L1-L94" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "128af9a1b143e4b0928dd2b243e69497be906175f44815cc5703f17cce48ec9d" + logic_hash = "v1_sha256_128af9a1b143e4b0928dd2b243e69497be906175f44815cc5703f17cce48ec9d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -14321,20 +14321,20 @@ rule REVERSINGLABS_Win32_Ransomware_Darkside : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and (($find_files_v1 and $enumerate_drives and $escalate_privileges) or ($find_files_v2 and $enumerate_netshare)) + uint16( 0 ) == 0x5A4D and ( ( $find_files_v1 and $enumerate_drives and $escalate_privileges ) or ( $find_files_v2 and $enumerate_netshare ) ) } rule REVERSINGLABS_Win32_Ransomware_MRAC : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects MRAC ransomware." author = "ReversingLabs" - id = "135c3dc9-bf08-5f00-bade-7054d9f33830" + id = "9dc78634-5a27-5daa-a307-dfc9b0b9cd63" date = "2022-02-21" modified = "2022-02-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MRAC.yara#L1-L69" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "04e8364dc9c726f4bb2d3035e5b7e8dab4cae124b2f047be6f11b865fab557a7" + logic_hash = "v1_sha256_04e8364dc9c726f4bb2d3035e5b7e8dab4cae124b2f047be6f11b865fab557a7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -14384,20 +14384,20 @@ rule REVERSINGLABS_Win32_Ransomware_MRAC : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($import_key) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $import_key ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Ghostencryptor : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GhosTEncryptor ransomware." author = "ReversingLabs" - id = "9f035e39-e0fe-54f3-8206-08fbbd9206b4" + id = "6992ae36-f5a1-5a8c-a1f6-ad0755c93d38" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.GhosTEncryptor.yara#L1-L69" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "85c1f6e5acf746388b0a9ddeb1f0ad1d2219fff7358c9a981849863155c13e3c" + logic_hash = "v1_sha256_85c1f6e5acf746388b0a9ddeb1f0ad1d2219fff7358c9a981849863155c13e3c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -14445,20 +14445,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Ghostencryptor : TC_DETECTION MALICI } condition: - uint16(0)==0x5A4D and ($enum_folders) and ( all of ($deep_search_p*)) and ( all of ($encrypt_folder_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_folders ) and ( all of ( $deep_search_p* ) ) and ( all of ( $encrypt_folder_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Hakunamatata : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HakunaMatata ransomware." author = "ReversingLabs" - id = "17438fcd-7a51-5fb6-96ac-38523bc1744f" + id = "8ec11cae-346e-5486-82ba-6084d1d29803" date = "2020-11-11" modified = "2020-11-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HakunaMatata.yara#L1-L373" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e363ff93fce286d60a3f5ea20ba3ec03564b7a5321c3f6448cc82187f23e8a9f" + logic_hash = "v1_sha256_e363ff93fce286d60a3f5ea20ba3ec03564b7a5321c3f6448cc82187f23e8a9f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -14806,20 +14806,20 @@ rule REVERSINGLABS_Win32_Ransomware_Hakunamatata : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and (($search_files and $encrypt_files and $remote_connection) or ($encrypt_files_2 and $remote_connection and $search_files) or ($search_files_2 and $encrypt_files_3 and $remote_connection_2) or ($install_service and $search_files_3 and $encrypt_files_4) or ($search_files_4 and $encrypt_files_5 and $remote_connection_3)) + uint16( 0 ) == 0x5A4D and ( ( $search_files and $encrypt_files and $remote_connection ) or ( $encrypt_files_2 and $remote_connection and $search_files ) or ( $search_files_2 and $encrypt_files_3 and $remote_connection_2 ) or ( $install_service and $search_files_3 and $encrypt_files_4 ) or ( $search_files_4 and $encrypt_files_5 and $remote_connection_3 ) ) } rule REVERSINGLABS_Win32_Ransomware_Crysis : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Crysis ransomware." author = "ReversingLabs" - id = "bba2bbf5-ff77-5ec4-ae7f-afae1b564fb7" + id = "dd48f136-bfe6-5734-a28e-46e6a0926569" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Crysis.yara#L1-L108" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3c9250206f94ac65c1fc24e83cf8cdd76d10066086ef1f34ec14791d237c0263" + logic_hash = "v1_sha256_3c9250206f94ac65c1fc24e83cf8cdd76d10066086ef1f34ec14791d237c0263" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -14910,20 +14910,20 @@ rule REVERSINGLABS_Win32_Ransomware_Crysis : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($enumerate_resources and $enumerate_files and $encrypt_files and $remote_connection_1) + uint16( 0 ) == 0x5A4D and ( $enumerate_resources and $enumerate_files and $encrypt_files and $remote_connection_1 ) } rule REVERSINGLABS_Win32_Ransomware_Marlboro : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Marlboro ransomware." author = "ReversingLabs" - id = "7cd3b436-47e3-5711-9b59-cef70efe3b45" + id = "8663cc6c-8bb4-5187-93a3-e196ce3aca33" date = "2020-07-23" modified = "2020-07-23" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Marlboro.yara#L1-L117" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d36c3cf52af47e9f638f58aabc19298e8c58831c3083f82e4c194319503eeaaa" + logic_hash = "v1_sha256_d36c3cf52af47e9f638f58aabc19298e8c58831c3083f82e4c194319503eeaaa" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15022,20 +15022,20 @@ rule REVERSINGLABS_Win32_Ransomware_Marlboro : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and $ping_apnic and $remote_server_connection_1 and $remote_server_connection_2 and $remote_server_connection_3 and $remote_server_connection_4 and $encrypt_file + uint16( 0 ) == 0x5A4D and $ping_apnic and $remote_server_connection_1 and $remote_server_connection_2 and $remote_server_connection_3 and $remote_server_connection_4 and $encrypt_file } rule REVERSINGLABS_Win64_Ransomware_Seth : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Seth ransomware." author = "ReversingLabs" - id = "001de900-4556-5428-a243-7ec07a7ed05e" + id = "8489530f-f881-50c3-8bd0-872de4df79ea" date = "2021-04-02" modified = "2021-04-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Seth.yara#L1-L122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "72a9d902eea2381f40d42faa7f1686c4ca54d364af0cbd8711697bbc1a235646" + logic_hash = "v1_sha256_72a9d902eea2381f40d42faa7f1686c4ca54d364af0cbd8711697bbc1a235646" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15136,20 +15136,20 @@ rule REVERSINGLABS_Win64_Ransomware_Seth : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Dharma : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Dharma ransomware." author = "ReversingLabs" - id = "8157b20b-717c-581f-83c1-5fc8d2312238" + id = "3a66c2bd-d806-5c29-8e03-fdf5d63da420" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Dharma.yara#L1-L108" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6f33281523b462aaff68bb04f2f6869c3e6cd60cd9306ed80bb0c3e3b699f315" + logic_hash = "v1_sha256_6f33281523b462aaff68bb04f2f6869c3e6cd60cd9306ed80bb0c3e3b699f315" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15245,20 +15245,20 @@ rule REVERSINGLABS_Win32_Ransomware_Dharma : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $file_search and $enum_shares and $file_encrypt_1 and $file_encrypt_2 + uint16( 0 ) == 0x5A4D and $file_search and $enum_shares and $file_encrypt_1 and $file_encrypt_2 } rule REVERSINGLABS_Win32_Ransomware_Saturn : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Saturn ransomware." author = "ReversingLabs" - id = "70a8d937-aee5-54d8-9409-c5d2d0830a2b" + id = "7624b920-beb6-5c96-81c9-6d980d4ac506" date = "2020-10-19" modified = "2020-10-19" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Saturn.yara#L1-L105" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "efa748346ad8c46e654542d302e81d633a2d12f421636c477431a12a34636132" + logic_hash = "v1_sha256_efa748346ad8c46e654542d302e81d633a2d12f421636c477431a12a34636132" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15345,20 +15345,20 @@ rule REVERSINGLABS_Win32_Ransomware_Saturn : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Gpcode : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Gpcode ransomware." author = "ReversingLabs" - id = "168833dd-44ab-59e1-a610-b9219b2907ff" + id = "1fc4c6ae-d8c8-5b6a-96a0-fb483d49965a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Gpcode.yara#L1-L67" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "329309873977f73a8ebe758018ebc8ba42e15c3c7cbb9a65865631d235f5bb48" + logic_hash = "v1_sha256_329309873977f73a8ebe758018ebc8ba42e15c3c7cbb9a65865631d235f5bb48" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15410,20 +15410,20 @@ rule REVERSINGLABS_Win32_Ransomware_Gpcode : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($drive_loop and $encrypt_routine and $set_ransom_wallpaper and $read_config_file) + uint16( 0 ) == 0x5A4D and ( $drive_loop and $encrypt_routine and $set_ransom_wallpaper and $read_config_file ) } rule REVERSINGLABS_Win32_Ransomware_Bluelocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BlueLocker ransomware." author = "ReversingLabs" - id = "145ff05e-c90d-598a-a3d5-220bd6df718a" + id = "53f13a5c-9f46-53e5-b4f6-49e46f0f89c9" date = "2022-08-04" modified = "2022-08-04" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BlueLocker.yara#L1-L130" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fbe5f246f4554e63b5da6a0aca169e8221a84fce18fd437ae7ad9b068e9ca576" + logic_hash = "v1_sha256_fbe5f246f4554e63b5da6a0aca169e8221a84fce18fd437ae7ad9b068e9ca576" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15531,20 +15531,20 @@ rule REVERSINGLABS_Win32_Ransomware_Bluelocker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($create_crypt_context) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $create_crypt_context ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Wasplocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects WaspLocker ransomware." author = "ReversingLabs" - id = "596bf965-700a-58f5-b0e5-61ec57c23a3e" + id = "f0b53b72-a2d6-59b1-972b-ee81b9614fc5" date = "2022-06-28" modified = "2022-06-28" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.WaspLocker.yara#L1-L76" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "852ec52328fca36d651e3176ac33a57ce26cefecadc2aad27235548e5b9813c1" + logic_hash = "v1_sha256_852ec52328fca36d651e3176ac33a57ce26cefecadc2aad27235548e5b9813c1" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15601,20 +15601,20 @@ rule REVERSINGLABS_Win32_Ransomware_Wasplocker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($find_files) and ($drop_aux_files) and ($drop_ransom_notes) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $drop_aux_files ) and ( $drop_ransom_notes ) } rule REVERSINGLABS_Linux_Ransomware_Luckyjoe : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects LuckyJoe ransomware." author = "ReversingLabs" - id = "8dc98d71-b79d-5b09-9383-11f2b57baeb5" + id = "9e1cfe30-04d8-5c20-9617-1157f032c3dc" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Linux.Ransomware.LuckyJoe.yara#L1-L146" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1e7df2c45bee072af233cf8f355a84ec931fe96afa3fbdcd225dded1b75ea961" + logic_hash = "v1_sha256_1e7df2c45bee072af233cf8f355a84ec931fe96afa3fbdcd225dded1b75ea961" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15737,20 +15737,20 @@ rule REVERSINGLABS_Linux_Ransomware_Luckyjoe : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint32(0)==0x464C457F and ( all of ($main_call_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($encrypt_internal_message_p*)) + uint32( 0 ) == 0x464C457F and ( all of ( $main_call_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $encrypt_internal_message_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Shadowcryptor : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects ShadowCryptor ransomware." author = "ReversingLabs" - id = "983e8927-4829-540f-9697-886226fd54ce" + id = "b2253d8f-9cf8-5f6b-8173-73f0f9523e8e" date = "2021-02-11" modified = "2021-02-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.ShadowCryptor.yara#L1-L89" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "875150db9fc36cd992988bba7d0c05487418b901980bf428ebd427c82fbcacd7" + logic_hash = "v1_sha256_875150db9fc36cd992988bba7d0c05487418b901980bf428ebd427c82fbcacd7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15819,20 +15819,20 @@ rule REVERSINGLABS_Win32_Ransomware_Shadowcryptor : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and ( all of ($terminate_antivirus_processes_p*)) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $terminate_antivirus_processes_p* ) ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Networm : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Networm ransomware." author = "ReversingLabs" - id = "3b17b97d-c882-5f65-8b89-847e2300873c" + id = "41e4e5e7-ae32-5baf-9478-3a58ec724cdc" date = "2021-07-05" modified = "2021-07-05" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Networm.yara#L1-L103" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ff9bcb9868522f9d4abf2ab9f94d5b7c9b009e5c6d0cf832c7d052f18e048b31" + logic_hash = "v1_sha256_ff9bcb9868522f9d4abf2ab9f94d5b7c9b009e5c6d0cf832c7d052f18e048b31" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -15914,20 +15914,20 @@ rule REVERSINGLABS_Win32_Ransomware_Networm : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Bam2021 : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Bam2021 ransomware." author = "ReversingLabs" - id = "31ae99e3-223c-51fb-97c1-353ff063057f" + id = "4eb74707-9fec-5d76-b47e-4c4f73467735" date = "2021-09-17" modified = "2021-09-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Bam2021.yara#L1-L167" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5b717510991b78f07806e88f3dfe1c27d6ec1ec21af61a7c4f1edf7c915785d5" + logic_hash = "v1_sha256_5b717510991b78f07806e88f3dfe1c27d6ec1ec21af61a7c4f1edf7c915785d5" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16064,20 +16064,20 @@ rule REVERSINGLABS_Win32_Ransomware_Bam2021 : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($enum_shares) and ( all of ($find_files_p*)) and ($generate_key) and ( all of ($encrypt_files_p*)) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( $enum_shares ) and ( all of ( $find_files_p* ) ) and ( $generate_key ) and ( all of ( $encrypt_files_p* ) ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Vegalocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects VegaLocker ransomware." author = "ReversingLabs" - id = "53eec8d1-bab0-5556-92c0-1b70eb763fa5" + id = "55ca45a5-74bd-566d-91f7-32a8741696b9" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.VegaLocker.yara#L1-L100" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8616e72fc435676179e83a304d4111c8f29ebf3cd79ff5b2d229cca8fc97c2a3" + logic_hash = "v1_sha256_8616e72fc435676179e83a304d4111c8f29ebf3cd79ff5b2d229cca8fc97c2a3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16160,20 +16160,20 @@ rule REVERSINGLABS_Win32_Ransomware_Vegalocker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Moisha : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Moisha ransomware." author = "ReversingLabs" - id = "c72f654f-955e-5ff6-ac91-19fbb858265c" + id = "55148aa0-0685-56ec-b854-127f9a54b878" date = "2022-10-11" modified = "2022-10-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Moisha.yara#L1-L86" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "89cefbbb8ec722216721bb43eb14cc33fcd4671585051359a06b62236cbf3a6c" + logic_hash = "v1_sha256_89cefbbb8ec722216721bb43eb14cc33fcd4671585051359a06b62236cbf3a6c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16238,20 +16238,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Moisha : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($import_priv_key) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $import_priv_key ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Timecrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TimeCrypt ransomware." author = "ReversingLabs" - id = "38a0c383-8be6-5258-aa93-0cf09b18e5f7" + id = "a705b8f2-f9b9-537f-bb5c-fcaba3d37d11" date = "2021-12-06" modified = "2021-12-06" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.TimeCrypt.yara#L1-L69" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6849d6d5010d7bcb4052c10d5bd7cc29320ffc986f36289b272a1e9a8d14fab9" + logic_hash = "v1_sha256_6849d6d5010d7bcb4052c10d5bd7cc29320ffc986f36289b272a1e9a8d14fab9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16297,20 +16297,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Timecrypt : TC_DETECTION MALICIOUS M } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($send_http_request) and ($send_dns_request) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $send_http_request ) and ( $send_dns_request ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Eternity : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Eternity ransomware." author = "ReversingLabs" - id = "7bb0f3b0-a8c0-5239-a1b4-532d403f59bc" + id = "3a85c694-9b64-5b12-a206-1b8effff0c83" date = "2022-07-22" modified = "2022-07-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Eternity.yara#L1-L74" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a2298a26e9bbe2b779eb2afeeda28d4321bc2d26db46bbb377bf86abaf8fa929" + logic_hash = "v1_sha256_a2298a26e9bbe2b779eb2afeeda28d4321bc2d26db46bbb377bf86abaf8fa929" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16361,20 +16361,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Eternity : TC_DETECTION MALICIOUS MA } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($aes_encrypt) and ($encrypt_pass) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $aes_encrypt ) and ( $encrypt_pass ) } rule REVERSINGLABS_Win64_Ransomware_DST : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects DST ransomware." author = "ReversingLabs" - id = "bcc9933d-14eb-5f83-a136-5f009c7a3282" + id = "9c58c08d-73f3-5481-9e38-713314578c91" date = "2021-12-06" modified = "2021-12-06" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.DST.yara#L1-L170" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b658093232a2265d425e3b38758268c116bbac51fa5eed372b5b4f00de4c6880" + logic_hash = "v1_sha256_b658093232a2265d425e3b38758268c116bbac51fa5eed372b5b4f00de4c6880" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16520,20 +16520,20 @@ rule REVERSINGLABS_Win64_Ransomware_DST : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($kill_procs_p*)) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $kill_procs_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Retis : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Retis ransomware." author = "ReversingLabs" - id = "3d1de7c2-abb7-5411-a598-6bc68229a22a" + id = "90889c95-ba2e-5081-907c-818b8f3a92e3" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Retis.yara#L1-L74" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3e3429041acc5730b009916efbcd35c7cfd2b2877dc1d2cf980f7fb7d399d532" + logic_hash = "v1_sha256_3e3429041acc5730b009916efbcd35c7cfd2b2877dc1d2cf980f7fb7d399d532" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16591,20 +16591,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Retis : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and ($search_files and $search_drives and $encrypt_files) + uint16( 0 ) == 0x5A4D and ( $search_files and $search_drives and $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Zeppelin : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Zeppelin ransomware." author = "ReversingLabs" - id = "f5cf514d-4dd0-58b7-82d0-5cb516a139a3" + id = "a05a39f6-c12a-5565-9ec3-ffc5bc26873f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Zeppelin.yara#L1-L109" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8fb07e49d2ff9d497fb36a5d901748315ae519f5ef845d1a5ec6341d0eb1f68c" + logic_hash = "v1_sha256_8fb07e49d2ff9d497fb36a5d901748315ae519f5ef845d1a5ec6341d0eb1f68c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16689,20 +16689,20 @@ rule REVERSINGLABS_Win32_Ransomware_Zeppelin : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($kill_processes) and ($enum_shares) and ( all of ($search_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $kill_processes ) and ( $enum_shares ) and ( all of ( $search_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Kawaiilocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects KawaiiLocker ransomware." author = "ReversingLabs" - id = "8c368e2d-3c6f-5c4b-880b-ebdb06dcf901" + id = "f2b6e9d8-5020-56fd-9076-5bfa1525e890" date = "2020-08-17" modified = "2020-08-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.KawaiiLocker.yara#L1-L135" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d86b41ef1c43da55869ad26facd5efdf232277f0e33483690a69a04c4ba8f7da" + logic_hash = "v1_sha256_d86b41ef1c43da55869ad26facd5efdf232277f0e33483690a69a04c4ba8f7da" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16826,20 +16826,20 @@ rule REVERSINGLABS_Win32_Ransomware_Kawaiilocker : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and $search_files and $encrypt_files and $remote_connection + uint16( 0 ) == 0x5A4D and $search_files and $encrypt_files and $remote_connection } rule REVERSINGLABS_Win32_Ransomware_Cuba : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Cuba ransomware." author = "ReversingLabs" - id = "b2c81849-9fa6-58b6-b6fe-4d9a5f0923ea" + id = "a1ea23a4-ef35-56a2-8bbb-971fb26a31d3" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Cuba.yara#L1-L126" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0a8dea6e38a6407897b994ea119bc8b0712a94363b7b3942dcd32c65ee5548d4" + logic_hash = "v1_sha256_0a8dea6e38a6407897b994ea119bc8b0712a94363b7b3942dcd32c65ee5548d4" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -16944,20 +16944,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cuba : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($enum_resources) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_resources ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Telecrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TeleCrypt ransomware." author = "ReversingLabs" - id = "c4eada2d-72c0-5efe-bf2b-8f053348d89d" + id = "27a18ed0-6f9b-5624-aa49-5c94e8428230" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TeleCrypt.yara#L1-L109" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9d856eae4369cd7ba1d88bd6ef37931e069127e2c05a84a44f5274f681e83fc0" + logic_hash = "v1_sha256_9d856eae4369cd7ba1d88bd6ef37931e069127e2c05a84a44f5274f681e83fc0" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -17052,7 +17052,7 @@ rule REVERSINGLABS_Win32_Ransomware_Telecrypt : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and (($generate_strings_to_encrypt and $encrypt_file and $server_communication and $exec_payload) or ($encrypt_file and $server_communication_1 and $copy_payload)) + uint16( 0 ) == 0x5A4D and ( ( $generate_strings_to_encrypt and $encrypt_file and $server_communication and $exec_payload ) or ( $encrypt_file and $server_communication_1 and $copy_payload ) ) } import "pe" 
@@ -17061,13 +17061,13 @@ rule REVERSINGLABS_Win32_Ransomware_Dirtydecrypt : TC_DETECTION MALICIOUS MALWAR meta: description = "Yara rule that detects DirtyDecrypt ransomware." author = "ReversingLabs" - id = "f4d69c3e-a082-5bc9-bf72-4cc330d3de74" + id = "fd29d316-d249-5c1c-8985-e001782b46ce" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara#L3-L112" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "eb6a1c376b0739848b523e741d0d1ebdbc87056d51931fb94c744aa094d6479f" + logic_hash = "v1_sha256_eb6a1c376b0739848b523e741d0d1ebdbc87056d51931fb94c744aa094d6479f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17160,20 +17160,20 @@ rule REVERSINGLABS_Win32_Ransomware_Dirtydecrypt : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ($dd_ep at pe.entry_point) and $dd_hash and $dd_getkey and $dd_destroykey and $dd_importkey and $dd_decrypt and $dd_encrypt and $dd_provparam and $dd_acquirecontext and $dd_mrwhite + uint16( 0 ) == 0x5A4D and ( $dd_ep at pe.entry_point ) and $dd_hash and $dd_getkey and $dd_destroykey and $dd_importkey and $dd_decrypt and $dd_encrypt and $dd_provparam and $dd_acquirecontext and $dd_mrwhite } rule REVERSINGLABS_Win64_Ransomware_Awesomescott : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects AwesomeScott ransomware." author = "ReversingLabs" - id = "36d3b801-dbdb-585a-ac80-1827a6749c87" + id = "8cffdd89-8188-54e6-bbcf-2c4dc6ae830e" date = "2020-09-16" modified = "2020-09-16" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.AwesomeScott.yara#L1-L101" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ed8096a4abbd015f79f4ec7239cd4070194ad70fa03da6714e499a41f9fb9423" + logic_hash = "v1_sha256_ed8096a4abbd015f79f4ec7239cd4070194ad70fa03da6714e499a41f9fb9423" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17263,20 +17263,20 @@ rule REVERSINGLABS_Win64_Ransomware_Awesomescott : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and $find_files and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and $find_files and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win64_Ransomware_Nokoyawa : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Nokoyawa ransomware." author = "ReversingLabs" - id = "31470ce4-381f-50d2-bbca-03c592e62a7d" + id = "c960ed63-5b79-5def-9957-26b583bfa5ed" date = "2022-06-06" modified = "2022-06-06" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Nokoyawa.yara#L1-L104" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "85b7d93db06007d0043b1489b532410ccc700cf082b641fff8a09de2ffe9101d" + logic_hash = "v1_sha256_85b7d93db06007d0043b1489b532410ccc700cf082b641fff8a09de2ffe9101d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17360,20 +17360,20 @@ rule REVERSINGLABS_Win64_Ransomware_Nokoyawa : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($enum_shares) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $enum_shares ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Timetime : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TimeTime ransomware." author = "ReversingLabs" - id = "27bff941-01ce-5bf7-a9d8-d01d2db3bfd3" + id = "5ce2657d-32d2-5c4c-aa14-63d5ee30c11f" date = "2022-02-21" modified = "2022-02-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.TimeTime.yara#L1-L75" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "43867dd793bc84e6f39ca2de1aff4047a742b295dc4df94cd337bd2ef89e4a62" + logic_hash = "v1_sha256_43867dd793bc84e6f39ca2de1aff4047a742b295dc4df94cd337bd2ef89e4a62" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17425,20 +17425,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Timetime : TC_DETECTION MALICIOUS MA } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($encrypt_folder) and ($rename_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $encrypt_folder ) and ( $rename_files ) } rule REVERSINGLABS_Win32_Ransomware_Sifrelendi : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Sifrelendi ransomware." author = "ReversingLabs" - id = "b9083b7c-eb09-52da-a240-39b51df892f9" + id = "d1aca0b5-47a2-53f2-83c4-795d91e66b5f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sifrelendi.yara#L1-L67" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "430d3877c10c86fcb19b5624dd8886d61e54ccd0453678329309b49712c6d5c6" + logic_hash = "v1_sha256_430d3877c10c86fcb19b5624dd8886d61e54ccd0453678329309b49712c6d5c6" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17490,20 +17490,20 @@ rule REVERSINGLABS_Win32_Ransomware_Sifrelendi : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($search_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $search_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Sarbloh : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Sarbloh ransomware." author = "ReversingLabs" - id = "532abd77-f091-5c54-87a3-7e8be5253efd" + id = "61207ca2-c42f-5e2e-881d-e3093bfbd654" date = "2021-05-21" modified = "2021-05-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sarbloh.yara#L1-L88" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7259aa9d1fe657db220ee50f1610e6439ff61673d92f46ebc3b8cadd990f002c" + logic_hash = "v1_sha256_7259aa9d1fe657db220ee50f1610e6439ff61673d92f46ebc3b8cadd990f002c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17574,20 +17574,20 @@ rule REVERSINGLABS_Win32_Ransomware_Sarbloh : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Gomer : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Gomer ransomware." author = "ReversingLabs" - id = "b76ac856-2abe-531d-b093-461569b9afb7" + id = "0b9421a2-ae37-5abc-8003-4779be8ab886" date = "2020-10-08" modified = "2020-10-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Gomer.yara#L1-L106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a53d37fcb877a12a4969a6ea1aaa67fc4106c3fbdd80a4fd39ad5a66a9df47fc" + logic_hash = "v1_sha256_a53d37fcb877a12a4969a6ea1aaa67fc4106c3fbdd80a4fd39ad5a66a9df47fc" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17672,20 +17672,20 @@ rule REVERSINGLABS_Win32_Ransomware_Gomer : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($enum_drives_p*)) and ( all of ($find_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $enum_drives_p* ) ) and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Badblock : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BadBlock ransomware." author = "ReversingLabs" - id = "a5afb7d6-4bc1-5465-a35d-fe40e7f11c3e" + id = "7b160f80-7450-5fc9-972e-e9c4a2e21cbf" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BadBlock.yara#L1-L100" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "421e6a3772eeec6ef0cbb2427b7e044b450a2b2146cee2ca7d8c3a3a92918557" + logic_hash = "v1_sha256_421e6a3772eeec6ef0cbb2427b7e044b450a2b2146cee2ca7d8c3a3a92918557" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17770,20 +17770,20 @@ rule REVERSINGLABS_Win32_Ransomware_Badblock : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($search_files and $encrypt_files and $remote_connection) + uint16( 0 ) == 0x5A4D and ( $search_files and $encrypt_files and $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Torrentlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TorrentLocker ransomware." author = "ReversingLabs" - id = "64bdb0db-ea0c-5a0d-9d3e-db1df86c132b" + id = "1415bb79-c0cb-5cb3-833d-a304b908133e" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TorrentLocker.yara#L1-L98" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f1aa523fa95e142b7e421286d26918e3da4bd3e268fef3f98f00820296291bfc" + logic_hash = "v1_sha256_f1aa523fa95e142b7e421286d26918e3da4bd3e268fef3f98f00820296291bfc" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17866,20 +17866,20 @@ rule REVERSINGLABS_Win32_Ransomware_Torrentlocker : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and (($tlocker_ep and $tlocker_get_server_data and $tlocker_remove_shadow_copies and $tlocker_find_files) and ($tlocker_contact_server_1 or ($tlocker_contact_server_2_1 and $tlocker_contact_server_2_2))) + uint16( 0 ) == 0x5A4D and ( ( $tlocker_ep and $tlocker_get_server_data and $tlocker_remove_shadow_copies and $tlocker_find_files ) and ( $tlocker_contact_server_1 or ( $tlocker_contact_server_2_1 and $tlocker_contact_server_2_2 ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Ransoc : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ransoc ransomware." author = "ReversingLabs" - id = "a990754e-eafa-5501-a123-bcbd5aa26ca6" + id = "7d9244ff-d20c-5dc5-a37d-a8d16fbd5e30" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ransoc.yara#L1-L114" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1f48f1b713c18b099e863d8a11e872ae84df0ea355f01cba765e8333d8d98575" + logic_hash = "v1_sha256_1f48f1b713c18b099e863d8a11e872ae84df0ea355f01cba765e8333d8d98575" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -17982,20 +17982,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ransoc : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $scan_for_services and $find_files and $encrypt_files and $remote_connection + uint16( 0 ) == 0x5A4D and $scan_for_services and $find_files and $encrypt_files and $remote_connection } rule REVERSINGLABS_Win32_Ransomware_Avaddon : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Avaddon ransomware." author = "ReversingLabs" - id = "f3a57482-5799-594b-bcfa-1137ca04dfd5" + id = "4e67c4c4-1a0c-59dc-9c88-ea2b270eddfe" date = "2020-10-19" modified = "2020-10-19" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Avaddon.yara#L1-L148" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1b2c449d5bad02dd06cb4a980fcca1feaf02b1d8127096bb39deecbc544272a6" + logic_hash = "v1_sha256_1b2c449d5bad02dd06cb4a980fcca1feaf02b1d8127096bb39deecbc544272a6" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18115,20 +18115,20 @@ rule REVERSINGLABS_Win32_Ransomware_Avaddon : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($enum_resources_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $enum_resources_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Cryakl : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Cryakl ransomware." author = "ReversingLabs" - id = "5c668278-458e-5b13-83c4-63beab5249ed" + id = "c9687951-e436-5e67-8771-d0df5e829222" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Cryakl.yara#L1-L64" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "51d50ab1ce021e2facbca3a35af372186287a8d69b66651c9804234a409d9932" + logic_hash = "v1_sha256_51d50ab1ce021e2facbca3a35af372186287a8d69b66651c9804234a409d9932" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18180,20 +18180,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cryakl : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and (( all of ($enum_and_encrypt_files_*))) + uint16( 0 ) == 0x5A4D and ( ( all of ( $enum_and_encrypt_files_* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Jamper : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Jamper ransomware." author = "ReversingLabs" - id = "9ba9358e-8f67-5d0e-a9bc-b3b10cd3a8b2" + id = "1472d212-2676-5fd9-ba49-21bdc4d3c905" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Jamper.yara#L1-L110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "826f8fa7cc92b279c609a9ab6a87c32940e37b4c2476854af75bbed29cb3eaf2" + logic_hash = "v1_sha256_826f8fa7cc92b279c609a9ab6a87c32940e37b4c2476854af75bbed29cb3eaf2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18283,20 +18283,20 @@ rule REVERSINGLABS_Win32_Ransomware_Jamper : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($enum_resources) and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_resources ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_5Ss5C : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects 5ss5c ransomware." author = "ReversingLabs" - id = "c69f44de-8e48-518d-87bf-d21d11223a2f" + id = "3abf3e50-c374-51de-939d-008799856a45" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.5ss5c.yara#L1-L267" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "74fcec568906a01dade7091c63cffbe4afa49c4705d9c1f21d10b4eee655a805" + logic_hash = "v1_sha256_74fcec568906a01dade7091c63cffbe4afa49c4705d9c1f21d10b4eee655a805" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18533,20 +18533,20 @@ rule REVERSINGLABS_Win32_Ransomware_5Ss5C : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Wastedlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects WastedLocker ransomware." author = "ReversingLabs" - id = "68090960-9878-5836-8caa-bf8f408a474e" + id = "92e2ebe8-5c29-5fd1-a30f-eb7b130c4939" date = "2020-12-07" modified = "2020-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Wastedlocker.yara#L1-L86" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0899d3cc3bcea8eae60689a54f34e57bdc52088c879c8420b8e6d0b1969cb186" + logic_hash = "v1_sha256_0899d3cc3bcea8eae60689a54f34e57bdc52088c879c8420b8e6d0b1969cb186" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18615,20 +18615,20 @@ rule REVERSINGLABS_Win32_Ransomware_Wastedlocker : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Lolkek : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Lolkek ransomware." author = "ReversingLabs" - id = "441badd6-3708-5f74-90f3-4d3a0fc45aff" + id = "96c1a4c0-2b33-569b-92bc-321cc3d0f683" date = "2020-10-23" modified = "2020-10-23" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Lolkek.yara#L1-L106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d18545b25a33bba1a6e01ab37768bd4f15fb125dcb8cbe7909d9a8bbe08e63fa" + logic_hash = "v1_sha256_d18545b25a33bba1a6e01ab37768bd4f15fb125dcb8cbe7909d9a8bbe08e63fa" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18713,20 +18713,20 @@ rule REVERSINGLABS_Win32_Ransomware_Lolkek : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_volumes_p*)) and ( all of ($find_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $find_volumes_p* ) ) and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Tarrak : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TaRRaK ransomware." author = "ReversingLabs" - id = "a783df87-0c9b-5868-9af0-c32b11e8b71b" + id = "f92f25f2-2187-5c7c-bdf8-d50ab90b9b5b" date = "2021-09-06" modified = "2021-09-06" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.TaRRaK.yara#L1-L96" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a8c4c4a501d94da94ae4a2e1eb2846e841249659be64dd45f46584885d000635" + logic_hash = "v1_sha256_a8c4c4a501d94da94ae4a2e1eb2846e841249659be64dd45f46584885d000635" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18795,20 +18795,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Tarrak : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($change_desktop) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $change_desktop ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Win32_Ransomware_Redeemer : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Redeemer ransomware." author = "ReversingLabs" - id = "080ab595-862b-5dc2-aaff-a0efd819a9fa" + id = "af98af44-30d0-57f6-92d1-05bdae9e807f" date = "2022-01-17" modified = "2022-01-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Redeemer.yara#L1-L105" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "28287f6620a2f7a90057d1f97947e065721119e26398fe659331dc5fe99761de" + logic_hash = "v1_sha256_28287f6620a2f7a90057d1f97947e065721119e26398fe659331dc5fe99761de" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18892,20 +18892,20 @@ rule REVERSINGLABS_Win32_Ransomware_Redeemer : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ( all of ($modify_processes_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $modify_processes_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Koxic : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Koxic ransomware." author = "ReversingLabs" - id = "73c4afb0-cfa8-5bc5-bca3-49a7710f4ab9" + id = "1b90094f-407f-58de-b956-a0c315d4ef95" date = "2022-04-21" modified = "2022-04-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Koxic.yara#L1-L87" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "739faf047b95fd538422a42943fcaad6538549bf4cf33ed91385c61365af4f09" + logic_hash = "v1_sha256_739faf047b95fd538422a42943fcaad6538549bf4cf33ed91385c61365af4f09" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -18972,20 +18972,20 @@ rule REVERSINGLABS_Win32_Ransomware_Koxic : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ( all of ($enum_shares_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( all of ( $enum_shares_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Nefilim : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Nefilim ransomware." author = "ReversingLabs" - id = "aec298c1-abf8-5446-9dbb-795f9fcf8e94" + id = "2c8eec2d-fa30-53d6-b90d-d130eb4cfa52" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Nefilim.yara#L1-L150" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fae0350e51aee2777475d2222848b30fd39fa39ceea260132b0c7fbc536b3a86" + logic_hash = "v1_sha256_fae0350e51aee2777475d2222848b30fd39fa39ceea260132b0c7fbc536b3a86" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -19108,20 +19108,20 @@ rule REVERSINGLABS_Win32_Ransomware_Nefilim : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_*)) and ($create_encryption_key) and ($encrypt_encryption_key) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_* ) ) and ( $create_encryption_key ) and ( $encrypt_encryption_key ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Paradise : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Paradise ransomware." author = "ReversingLabs" - id = "9a92a05c-5f26-59ed-9934-a24bb7c31d8d" + id = "eaed8348-f339-5336-84c9-ea106cb4a722" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Paradise.yara#L1-L81" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fc029bee999ec72416ac91d8386d4d270070035ad078bcab1dec11eea032c10b" + logic_hash = "v1_sha256_fc029bee999ec72416ac91d8386d4d270070035ad078bcab1dec11eea032c10b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -19191,20 +19191,20 @@ rule REVERSINGLABS_Win32_Ransomware_Paradise : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and $search_files and $http_remote_connection and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and $search_files and $http_remote_connection and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Revil : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Revil ransomware." author = "ReversingLabs" - id = "67c2f49e-b9dc-5900-a89d-49ba41088ac3" + id = "ae170044-52fd-5494-8f4e-871e7b536a2b" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Revil.yara#L1-L101" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "24a79477eb797d7a7121d1248ebbece833ccd256de55729ff96084135ce8d426" + logic_hash = "v1_sha256_24a79477eb797d7a7121d1248ebbece833ccd256de55729ff96084135ce8d426" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -19282,20 +19282,20 @@ rule REVERSINGLABS_Win32_Ransomware_Revil : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($enum_resources) and ($search_files) and ($encrypt_files) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( $enum_resources ) and ( $search_files ) and ( $encrypt_files ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Killdisk : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects KillDisk ransomware." author = "ReversingLabs" - id = "bd04ac88-987a-58f0-8f0a-508662b3c930" + id = "3ea3a2c4-c5b1-56c2-b6c9-fdc383b96a9f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.KillDisk.yara#L1-L80" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6148e6fc1363ff8995a9100e07139bfa658c72892db4d30a973bad0f2b3e6c3f" + logic_hash = "v1_sha256_6148e6fc1363ff8995a9100e07139bfa658c72892db4d30a973bad0f2b3e6c3f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -19365,20 +19365,20 @@ rule REVERSINGLABS_Win32_Ransomware_Killdisk : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and $encrypt_files and $app_whitelisting_1 and $app_whitelisting_2 + uint16( 0 ) == 0x5A4D and $encrypt_files and $app_whitelisting_1 and $app_whitelisting_2 } rule REVERSINGLABS_Win32_Ransomware_Makop : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Makop ransomware." author = "ReversingLabs" - id = "9b7d42f3-0417-5228-8b25-244224cbc414" + id = "aa48c700-4ae7-5e21-98a4-554d80bb6d5a" date = "2020-10-30" modified = "2020-10-30" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Makop.yara#L1-L99" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ff4739d32b4a775d07a5f22d551ed67025681d4986e4404c9a01ad4078468f3" + logic_hash = "v1_sha256_0ff4739d32b4a775d07a5f22d551ed67025681d4986e4404c9a01ad4078468f3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -19457,20 +19457,20 @@ rule REVERSINGLABS_Win32_Ransomware_Makop : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($enum_network_resources) and ( all of ($find_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $enum_network_resources ) and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Goodwill : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GoodWill ransomware." author = "ReversingLabs" - id = "66358802-450b-5276-8088-b3550519b1e8" + id = "d1687ecf-5483-50e8-895a-d2e0aac14de6" date = "2022-06-28" modified = "2022-06-28" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.GoodWill.yara#L1-L89" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "94e2950f415ba737fe5ca9d32a3d850dd5744e547c4ca094ad28545e19033cb2" + logic_hash = "v1_sha256_94e2950f415ba737fe5ca9d32a3d850dd5744e547c4ca094ad28545e19033cb2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -19535,20 +19535,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Goodwill : TC_DETECTION MALICIOUS MA } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_file) and ($aes_encrypt) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_file ) and ( $aes_encrypt ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Prometey : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Prometey ransomware." author = "ReversingLabs" - id = "a5902fc6-2752-520f-be84-df9ea7b1e27d" + id = "e817c47a-ece1-5859-b34e-90f03b91645a" date = "2021-06-07" modified = "2021-06-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Prometey.yara#L1-L156" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f14c9605e2d375176b461fd396be66754b0ace7dcaada8ca33ad86f6eda10b73" + logic_hash = "v1_sha256_f14c9605e2d375176b461fd396be66754b0ace7dcaada8ca33ad86f6eda10b73" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -19681,7 +19681,7 @@ rule REVERSINGLABS_Win32_Ransomware_Prometey : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_files) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) and ( all of ( $remote_connection_p* ) ) } import "pe" 
@@ -19690,13 +19690,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptolocker : TC_DETECTION MALICIOUS MALWAR meta: description = "Yara rule that detects CryptoLocker ransomware." author = "ReversingLabs" - id = "8cc3ac4b-9179-5e2c-97e1-65304f9dfe22" + id = "81baddbc-6483-549f-a924-b93f80bdd855" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoLocker.yara#L3-L154" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "08430b0c5689840d592bdda5dbc2ed06e0d0fa1e2c0f19aff4316580c6a0b23d" + logic_hash = "v1_sha256_08430b0c5689840d592bdda5dbc2ed06e0d0fa1e2c0f19aff4316580c6a0b23d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -19823,20 +19823,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptolocker : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ((($file_loop_1 and $encrypt_data_1 and $decrypt_data_1 and $decrypt_strings_1 and $decrypt_1) or ($file_loop_2 and $encrypt_data_2 and $decrypt_data_2 and $decrypt_strings_2 and $decrypt_2) or ($file_loop_3 and $encrypt_data_3 and $decrypt_data_3 and $decrypt_3)) and ($entrypoint_all at pe.entry_point)) + uint16( 0 ) == 0x5A4D and ( ( ( $file_loop_1 and $encrypt_data_1 and $decrypt_data_1 and $decrypt_strings_1 and $decrypt_1 ) or ( $file_loop_2 and $encrypt_data_2 and $decrypt_data_2 and $decrypt_strings_2 and $decrypt_2 ) or ( $file_loop_3 and $encrypt_data_3 and $decrypt_data_3 and $decrypt_3 ) ) and ( $entrypoint_all at pe.entry_point ) ) } rule REVERSINGLABS_Win32_Ransomware_Nanolocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects NanoLocker ransomware." author = "ReversingLabs" - id = "a31dad2e-2738-527b-a6e9-322757e2ec30" + id = "ea1f8987-3112-507e-8e4e-84b2f3d8a187" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.NanoLocker.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7fdb021f22d97bf8a00fd856ef913695a0d6fbaad1138b5a5cc2cc8768b130be" + logic_hash = "v1_sha256_7fdb021f22d97bf8a00fd856ef913695a0d6fbaad1138b5a5cc2cc8768b130be" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -19903,20 +19903,20 @@ rule REVERSINGLABS_Win32_Ransomware_Nanolocker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and $encrypt_file_1 and $encrypt_file_2 and $remote_server_1 and $remote_server_2 and $enum_shares_and_encrypt_files + uint16( 0 ) == 0x5A4D and $encrypt_file_1 and $encrypt_file_2 and $remote_server_1 and $remote_server_2 and $enum_shares_and_encrypt_files } rule REVERSINGLABS_Win32_Ransomware_Alcatraz : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Alcatraz ransomware." author = "ReversingLabs" - id = "7ff37483-ae63-5c82-a355-81ef68e2f663" + id = "1703e33f-493a-5921-9487-392b67b089ca" date = "2020-07-28" modified = "2020-07-28" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Alcatraz.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ddd35c8da0c08bce17cacfba8bb8a8b8a8c08c3e59261a88a79c63b03d29000f" + logic_hash = "v1_sha256_ddd35c8da0c08bce17cacfba8bb8a8b8a8c08c3e59261a88a79c63b03d29000f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -19997,7 +19997,7 @@ rule REVERSINGLABS_Win32_Ransomware_Alcatraz : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and $encrypt_files and $remote_server and $remote_server_2 + uint16( 0 ) == 0x5A4D and $encrypt_files and $remote_server and $remote_server_2 } import "pe" 
@@ -20006,13 +20006,13 @@ rule REVERSINGLABS_Win32_Ransomware_Bitcrypt : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects BitCrypt ransomware." author = "ReversingLabs" - id = "f00a0fd8-31a9-5ee6-b560-09ccf6fe490b" + id = "ced7d4d8-cbf5-5bb5-9f9f-6e41a183630e" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BitCrypt.yara#L3-L112" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "66cfe16a182e7f20d6358be9569ada5e6c36c94d44781d8c741638e1b174d44e" + logic_hash = "v1_sha256_66cfe16a182e7f20d6358be9569ada5e6c36c94d44781d8c741638e1b174d44e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -20106,20 +20106,20 @@ rule REVERSINGLABS_Win32_Ransomware_Bitcrypt : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($bc_main_1 at pe.entry_point) and $bc_main_2 and $bc_main2 and $bc_bcdedit and $bc_enum_drives_a_z and $bc_do_extensions_1 and $bc_do_extensions_2 and $bc_do_files_1 and $bc_do_files_2 + uint16( 0 ) == 0x5A4D and ( $bc_main_1 at pe.entry_point ) and $bc_main_2 and $bc_main2 and $bc_bcdedit and $bc_enum_drives_a_z and $bc_do_extensions_1 and $bc_do_extensions_2 and $bc_do_files_1 and $bc_do_files_2 } rule REVERSINGLABS_Win32_Ransomware_Lockbit : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects LockBit ransomware." author = "ReversingLabs" - id = "9a6405dc-da1f-5426-a424-a73bceb1928c" + id = "c51b16bb-3e7b-56a6-ab9c-83e6ea0f782d" date = "2022-03-31" modified = "2022-03-31" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.LockBit.yara#L1-L282" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "030222bd659c7e0e03858fa062067b1483aca3b7973cce19a1e7cdbb48d4405c" + logic_hash = "v1_sha256_030222bd659c7e0e03858fa062067b1483aca3b7973cce19a1e7cdbb48d4405c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -20349,20 +20349,20 @@ rule REVERSINGLABS_Win32_Ransomware_Lockbit : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ((($enum_resources_v1) and ( all of ($find_files_v1_*)) and ( all of ($encrypt_files_v1_*))) or (($check_blacklisted_languages_v2) and ($fnv1a_hashing_v2) and ($create_net_host_trav_threads_v2) and ( all of ($decrypt_configuration_v2_*)) and ( all of ($encrypt_files_v2_p*)))) + uint16( 0 ) == 0x5A4D and ( ( ( $enum_resources_v1 ) and ( all of ( $find_files_v1_* ) ) and ( all of ( $encrypt_files_v1_* ) ) ) or ( ( $check_blacklisted_languages_v2 ) and ( $fnv1a_hashing_v2 ) and ( $create_net_host_trav_threads_v2 ) and ( all of ( $decrypt_configuration_v2_* ) ) and ( all of ( $encrypt_files_v2_p* ) ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Sevensevenseven : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects SevenSevenSeven ransomware." author = "ReversingLabs" - id = "049531bd-9505-5da1-9512-980383c8c5ec" + id = "30629ea0-ba08-5455-b408-2a5077212cf6" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara#L1-L148" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "583a8ac746cd749bd3927f10c864a3ac84f82f8bbd8d0ebf117e22b016d7ca94" + logic_hash = "v1_sha256_583a8ac746cd749bd3927f10c864a3ac84f82f8bbd8d0ebf117e22b016d7ca94" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -20474,20 +20474,20 @@ rule REVERSINGLABS_Win32_Ransomware_Sevensevenseven : TC_DETECTION MALICIOUS MAL } condition: - uint16(0)==0x5A4D and ( all of ($file_search_p*)) and ((($encrypt_file_1) and ($remote_server_1)) or (($encrypt_file_2) and ($remote_server_2))) + uint16( 0 ) == 0x5A4D and ( all of ( $file_search_p* ) ) and ( ( ( $encrypt_file_1 ) and ( $remote_server_1 ) ) or ( ( $encrypt_file_2 ) and ( $remote_server_2 ) ) ) } rule REVERSINGLABS_Linux_Ransomware_Gwisinlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GwisinLocker ransomware." author = "ReversingLabs" - id = "9f00e1b4-3692-5824-b614-724073532c1f" + id = "e8e7151a-bc99-5280-8791-13ec0c052a4c" date = "2022-10-11" modified = "2022-10-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Linux.Ransomware.GwisinLocker.yara#L1-L354" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c23c0b73bbefbd644ffe1398e1f14eec3a89945cb3c3ccbc6f46c57046b53505" + logic_hash = "v1_sha256_c23c0b73bbefbd644ffe1398e1f14eec3a89945cb3c3ccbc6f46c57046b53505" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -20783,20 +20783,20 @@ rule REVERSINGLABS_Linux_Ransomware_Gwisinlocker : TC_DETECTION MALICIOUS MALWAR } condition: - uint32(0)==0x464C457F and ((( all of ($find_files_v1_p*)) and ( all of ($kill_processes_v1_p*)) and ($init_key_v1) and ( all of ($encrypt_files_v1_p*)) and ($shut_down_esxi_v1)) or (( all of ($find_files_v2_p*)) and ( all of ($kill_processes_v2_p*)) and ($init_key_v2) and ( all of ($encrypt_files_v2_p*)))) + uint32( 0 ) == 0x464C457F and ( ( ( all of ( $find_files_v1_p* ) ) and ( all of ( $kill_processes_v1_p* ) ) and ( $init_key_v1 ) and ( all of ( $encrypt_files_v1_p* ) ) and ( $shut_down_esxi_v1 ) ) or ( ( all of ( $find_files_v2_p* ) ) and ( all of ( $kill_processes_v2_p* ) ) and ( $init_key_v2 ) and ( all of ( $encrypt_files_v2_p* ) ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Cicada3301 : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Cicada3301 ransomware." author = "ReversingLabs" - id = "c1a60870-0b68-5f2f-a74f-34e493a5e251" + id = "65af6436-83c2-5d93-b08b-bd067ed78f8d" date = "2024-10-09" modified = "2024-10-09" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Cicada3301.yara#L1-L309" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9479667fd4c7f865607ece6af985ab6fa7b62f98738c338e4155059551db8a21" + logic_hash = "v1_sha256_9479667fd4c7f865607ece6af985ab6fa7b62f98738c338e4155059551db8a21" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -21066,20 +21066,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cicada3301 : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($collect_files_recursively_p*)) and ($get_valid_drives) and ((( all of ($encrypt_files_full_v1_p*))) or (( all of ($encrypt_files_full_v2_p*)))) + uint16( 0 ) == 0x5A4D and ( all of ( $collect_files_recursively_p* ) ) and ( $get_valid_drives ) and ( ( ( all of ( $encrypt_files_full_v1_p* ) ) ) or ( ( all of ( $encrypt_files_full_v2_p* ) ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Teslarvng : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Teslarvng ransomware." author = "ReversingLabs" - id = "7045b13e-95a5-54da-b540-75d464e7673d" + id = "060b098c-64fb-5f81-8311-4474be306bf9" date = "2020-12-14" modified = "2020-12-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Teslarvng.yara#L1-L137" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "670621aa196a80fbb694e4b1690d7da60e881c5b826133939e61cd6c2406ea98" + logic_hash = "v1_sha256_670621aa196a80fbb694e4b1690d7da60e881c5b826133939e61cd6c2406ea98" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -21194,20 +21194,20 @@ rule REVERSINGLABS_Win32_Ransomware_Teslarvng : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ( all of ($enum_shares_p*)) and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $enum_shares_p* ) ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_FCT : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects FCT ransomware." author = "ReversingLabs" - id = "ea3d5514-d6f2-5fd0-9247-a3f6b920d8d9" + id = "d50f50ce-42e7-5532-9606-236d3b6823d5" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FCT.yara#L1-L86" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b158ad56c92a926f7398a27b3576c259e39c9716ef192fa5944ce3cffdc6d7d0" + logic_hash = "v1_sha256_b158ad56c92a926f7398a27b3576c259e39c9716ef192fa5944ce3cffdc6d7d0" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -21276,20 +21276,20 @@ rule REVERSINGLABS_Win32_Ransomware_FCT : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Hydracrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HydraCrypt ransomware." author = "ReversingLabs" - id = "2e780f7c-8d6d-51c8-b65e-330cc3b17bb7" + id = "4a24ea1f-08f8-594f-93c6-c03cc0213d04" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HydraCrypt.yara#L1-L174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "910a6f23f06cecb8d3115ebfed42a66412dbd0d3a519e39f21df81b0c2028f48" + logic_hash = "v1_sha256_910a6f23f06cecb8d3115ebfed42a66412dbd0d3a519e39f21df81b0c2028f48" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -21432,20 +21432,20 @@ rule REVERSINGLABS_Win32_Ransomware_Hydracrypt : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and (($encrypt_files_1 and $remote_connection_1 and $remote_connection_2 and $remote_connection_3) or ($encrypt_files_2 and $encrypt_files_3 and $encrypt_files_4 and $remote_connection_4 and $remote_connection_5)) + uint16( 0 ) == 0x5A4D and ( ( $encrypt_files_1 and $remote_connection_1 and $remote_connection_2 and $remote_connection_3 ) or ( $encrypt_files_2 and $encrypt_files_3 and $encrypt_files_4 and $remote_connection_4 and $remote_connection_5 ) ) } rule REVERSINGLABS_Win32_Ransomware_Xorist : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Xorist ransomware." author = "ReversingLabs" - id = "804ae039-fc3b-5f19-860e-df9efe87ee4d" + id = "4c1710ed-be11-5d31-b0dc-01c41e23c5b9" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Xorist.yara#L1-L150" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c428838cdd103f62508a23c9333b08567625291e110aa437324ecf37c62dca36" + logic_hash = "v1_sha256_c428838cdd103f62508a23c9333b08567625291e110aa437324ecf37c62dca36" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -21565,20 +21565,20 @@ rule REVERSINGLABS_Win32_Ransomware_Xorist : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and (($extract_rsrc_v1) and ( all of ($search_and_encrypt_v1_p*))) or (($extract_rsrc_v2) and ( all of ($search_and_encrypt_v2_p*))) + uint16( 0 ) == 0x5A4D and ( ( $extract_rsrc_v1 ) and ( all of ( $search_and_encrypt_v1_p* ) ) ) or ( ( $extract_rsrc_v2 ) and ( all of ( $search_and_encrypt_v2_p* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Nemty : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Nemty ransomware." author = "ReversingLabs" - id = "c56ecd32-5903-5bcc-aa69-a070f2c247c4" + id = "da3216eb-b3bd-5656-976b-6e7cd21cfcdb" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Nemty.yara#L1-L205" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dc8cfdcdea8ecb2018b1b04bb1b645f6dbdc6c07357719100677c75945edef40" + logic_hash = "v1_sha256_dc8cfdcdea8ecb2018b1b04bb1b645f6dbdc6c07357719100677c75945edef40" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -21750,20 +21750,20 @@ rule REVERSINGLABS_Win32_Ransomware_Nemty : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_1_p*)) and ( all of ($find_files_2_p*)) and ( all of ($enum_resources_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_1_p* ) ) and ( all of ( $find_files_2_p* ) ) and ( all of ( $enum_resources_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Notpetya : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects NotPetya ransomware." author = "ReversingLabs" - id = "ea655048-4ef7-5dd7-872e-f1c2e38234cf" + id = "61a218f3-1c98-5204-af76-34dede62cfbb" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.NotPetya.yara#L1-L73" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "328f0e527fee2145879ee13c003d375db832f7f3eacf7a1eb303393c1c8b5a36" + logic_hash = "v1_sha256_328f0e527fee2145879ee13c003d375db832f7f3eacf7a1eb303393c1c8b5a36" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -21824,20 +21824,20 @@ rule REVERSINGLABS_Win32_Ransomware_Notpetya : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and $encrypt_file and $main and $encryption_loop and $shutdown + uint16( 0 ) == 0x5A4D and $encrypt_file and $main and $encryption_loop and $shutdown } rule REVERSINGLABS_Win32_Ransomware_Jsworm : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects JSWorm ransomware." author = "ReversingLabs" - id = "a4702cc3-1e08-5631-b832-5d28cb92a819" + id = "ccdfa97c-ca84-5741-b00f-26cb9b2b4ee3" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.JSWorm.yara#L1-L93" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8ba5e2f29f5f06e6e6714bbba1129862da8c3a83bf7f296818eddee2593cae38" + logic_hash = "v1_sha256_8ba5e2f29f5f06e6e6714bbba1129862da8c3a83bf7f296818eddee2593cae38" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -21918,20 +21918,20 @@ rule REVERSINGLABS_Win32_Ransomware_Jsworm : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $find_drives and $find_files and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and $find_drives and $find_files and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Babuk : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Babuk ransomware." author = "ReversingLabs" - id = "8a96f400-193f-5fd1-ba03-4da464345e1c" + id = "74ae99f1-4046-504f-adfb-e11775adb15e" date = "2021-01-26" modified = "2021-01-26" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Babuk.yara#L1-L117" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "70327b3f9d0b0505ade7ee6de6d7facf56820c7e8477bd172f738f374311144f" + logic_hash = "v1_sha256_70327b3f9d0b0505ade7ee6de6d7facf56820c7e8477bd172f738f374311144f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22027,20 +22027,20 @@ rule REVERSINGLABS_Win32_Ransomware_Babuk : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ($enum_resources) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $enum_resources ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Invert : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Invert ransomware." author = "ReversingLabs" - id = "7ef77946-a902-5dc6-9b3c-b7b6a687eb96" + id = "4b14fa6d-14bd-5e50-8c95-94f5f3ed262c" date = "2021-11-11" modified = "2021-11-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Invert.yara#L1-L66" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1608b8bbfc03b18a79752e60f211da7d7703862bc06b2ddf094074ae5efd0d14" + logic_hash = "v1_sha256_1608b8bbfc03b18a79752e60f211da7d7703862bc06b2ddf094074ae5efd0d14" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22087,20 +22087,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Invert : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and ($get_file_list) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $get_file_list ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Jormungand : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Jormungand ransomware." author = "ReversingLabs" - id = "418c3d9f-2338-593f-a8ec-a1e25afa50d4" + id = "9299fd4c-e337-5c60-b685-b5cdf5ba6fa9" date = "2021-10-22" modified = "2021-10-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Jormungand.yara#L1-L135" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "049eb4533b37d8d72e50dd1e803a897758386643770d47b3e7690f58e44d5236" + logic_hash = "v1_sha256_049eb4533b37d8d72e50dd1e803a897758386643770d47b3e7690f58e44d5236" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22210,20 +22210,20 @@ rule REVERSINGLABS_Win32_Ransomware_Jormungand : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_*)) and ( all of ($remote_connection_p*)) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_* ) ) and ( all of ( $remote_connection_p* ) ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Win32_Ransomware_Ragnarlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects RagnarLocker ransomware." author = "ReversingLabs" - id = "3bc3765a-f1f8-59bc-bbe8-6821654b334f" + id = "69f546bd-78e1-50f7-880d-d7b3eadeb9fa" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.RagnarLocker.yara#L1-L108" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "398f0e5e003f87edf90cdea718be6b10470df317214d00db4dc6c4cccc5b6748" + logic_hash = "v1_sha256_398f0e5e003f87edf90cdea718be6b10470df317214d00db4dc6c4cccc5b6748" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22312,20 +22312,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ragnarlocker : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Erica : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Erica ransomware." author = "ReversingLabs" - id = "38f57157-bd49-5a63-8c69-497eb9efe274" + id = "f556e8fd-4948-5cc3-ac3f-0b6209bde869" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Erica.yara#L1-L76" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "93512091943f3a3b395c38fa3b0f5ecdbbf1cdf967ccfea4d7145c940076e046" + logic_hash = "v1_sha256_93512091943f3a3b395c38fa3b0f5ecdbbf1cdf967ccfea4d7145c940076e046" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22385,20 +22385,20 @@ rule REVERSINGLABS_Win32_Ransomware_Erica : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_NB65 : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects NB65 ransomware." author = "ReversingLabs" - id = "1aba009e-8065-5fb0-98e7-a595cb324076" + id = "a239df8f-f3ea-587e-b35c-5ce8a0253115" date = "2022-06-01" modified = "2022-06-01" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.NB65.yara#L1-L68" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f8a0e265fc72a9f017b37ce4b6dbb878285a5d298ab1b8c69f9fde7159426981" + logic_hash = "v1_sha256_f8a0e265fc72a9f017b37ce4b6dbb878285a5d298ab1b8c69f9fde7159426981" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22447,20 +22447,20 @@ rule REVERSINGLABS_Win32_Ransomware_NB65 : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($enum_procs) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $enum_procs ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Juicylemon : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects JuicyLemon ransomware." author = "ReversingLabs" - id = "35e4bbd6-422b-562e-98fc-fe932270dbb8" + id = "4c0f3f01-29e4-5bba-8258-9fa9757800c0" date = "2020-08-17" modified = "2020-08-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.JuicyLemon.yara#L1-L116" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "596d89843793307f4940dbb85b2e7081f02250f6adfdcd01f2d3c5f2b8b90875" + logic_hash = "v1_sha256_596d89843793307f4940dbb85b2e7081f02250f6adfdcd01f2d3c5f2b8b90875" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22566,20 +22566,20 @@ rule REVERSINGLABS_Win32_Ransomware_Juicylemon : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and $find_files_and_encrypt and $remote_connection_1 and $remote_connection_2 + uint16( 0 ) == 0x5A4D and $find_files_and_encrypt and $remote_connection_1 and $remote_connection_2 } rule REVERSINGLABS_Win32_Ransomware_Crypren : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Crypren ransomware." author = "ReversingLabs" - id = "9a6ff190-b26b-5b75-9103-95a3b2e80701" + id = "e19efa6c-afc4-53ea-b72a-9ec01f75290e" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Crypren.yara#L1-L144" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7047d48782762e42544063fde6f2be62eb19f22853ea84abb5bce67c962da172" + logic_hash = "v1_sha256_7047d48782762e42544063fde6f2be62eb19f22853ea84abb5bce67c962da172" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22698,20 +22698,20 @@ rule REVERSINGLABS_Win32_Ransomware_Crypren : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and (( all of ($enum_directories_p*)) and ( all of ($enum_drives_p*)) and ( all of ($encrypt_files_p*))) + uint16( 0 ) == 0x5A4D and ( ( all of ( $enum_directories_p* ) ) and ( all of ( $enum_drives_p* ) ) and ( all of ( $encrypt_files_p* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Mountlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects MountLocker ransomware." author = "ReversingLabs" - id = "8ce7e5c4-9eca-5dd2-ab92-39b915900d72" + id = "463dedc6-95e7-5d3c-aa77-a91e7dbb5f7c" date = "2021-03-25" modified = "2021-03-25" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MountLocker.yara#L1-L86" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d203217c229d54802e96e19dc66d38ecb0443d19e0492efe337df471a99559dc" + logic_hash = "v1_sha256_d203217c229d54802e96e19dc66d38ecb0443d19e0492efe337df471a99559dc" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22780,20 +22780,20 @@ rule REVERSINGLABS_Win32_Ransomware_Mountlocker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Vhdlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects VHDLocker ransomware." author = "ReversingLabs" - id = "696f8145-342b-5da5-b9ec-6f0d16afc465" + id = "33ecee3f-b31f-5b96-bb66-178f11643df4" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.VHDLocker.yara#L1-L152" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "39d1fbfc79d5ea866498bb1e40d2290469df774ce65b1da04a85c0e4e5b4493c" + logic_hash = "v1_sha256_39d1fbfc79d5ea866498bb1e40d2290469df774ce65b1da04a85c0e4e5b4493c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -22922,20 +22922,20 @@ rule REVERSINGLABS_Win32_Ransomware_Vhdlocker : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ( all of ($get_logical_drives_list_p*)) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $get_logical_drives_list_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Wildfire : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects WildFire ransomware." author = "ReversingLabs" - id = "0c44f017-703c-5db7-b777-62fcd181af9a" + id = "1df2a243-2ba1-5198-8da8-0d6dc31d8621" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.WildFire.yara#L1-L77" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d3be2eac7967853aae6e1317d9c22d95a3dc4b3e5bf8acbe97a7bbeabc9eab38" + logic_hash = "v1_sha256_d3be2eac7967853aae6e1317d9c22d95a3dc4b3e5bf8acbe97a7bbeabc9eab38" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23001,20 +23001,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Wildfire : TC_DETECTION MALICIOUS MA } condition: - uint16(0)==0x5A4D and $enum_drives and $file_search and $encrypt_files and $remote_server_communication_1 + uint16( 0 ) == 0x5A4D and $enum_drives and $file_search and $encrypt_files and $remote_server_communication_1 } rule REVERSINGLABS_Win32_Ransomware_Fuxsocy : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects FuxSocy ransomware." author = "ReversingLabs" - id = "f4a45469-9d51-523f-8238-c7044f353cf6" + id = "04f68f21-3158-5248-a160-5b66bd75befc" date = "2021-03-01" modified = "2021-03-01" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FuxSocy.yara#L1-L114" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8b3c04eb5d60fcc82e47cb8e78da0a98642666546d6799baef24b56926e3aceb" + logic_hash = "v1_sha256_8b3c04eb5d60fcc82e47cb8e78da0a98642666546d6799baef24b56926e3aceb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23110,20 +23110,20 @@ rule REVERSINGLABS_Win32_Ransomware_Fuxsocy : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_*)) and ( all of ($encrypt_files_*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_* ) ) and ( all of ( $encrypt_files_* ) ) } rule REVERSINGLABS_Win32_Ransomware_Major : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Major ransomware." author = "ReversingLabs" - id = "0c85aff8-1fb5-5e47-ae49-72445a000eaa" + id = "76b0e4bc-47c2-586f-9bb5-88996b6be84e" date = "2021-01-26" modified = "2021-01-26" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Major.yara#L1-L261" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "16fb7763e3806fca6937fef7e8b3d8bccd61cb39549061d359d630c7d266c270" + logic_hash = "v1_sha256_16fb7763e3806fca6937fef7e8b3d8bccd61cb39549061d359d630c7d266c270" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23357,20 +23357,20 @@ rule REVERSINGLABS_Win32_Ransomware_Major : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and (( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and $remote_connection) + uint16( 0 ) == 0x5A4D and ( ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Blackcat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BlackCat ransomware." author = "ReversingLabs" - id = "e623340d-8df8-5f13-b75f-379bd0038f64" + id = "145b65fa-267e-58be-9e65-0b63f07b686c" date = "2022-02-14" modified = "2022-02-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BlackCat.yara#L1-L109" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "24932baa625aedd14b5776ba3209c9ee330e84538c5267eeb5e09e352f655835" + logic_hash = "v1_sha256_24932baa625aedd14b5776ba3209c9ee330e84538c5267eeb5e09e352f655835" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23454,20 +23454,20 @@ rule REVERSINGLABS_Win32_Ransomware_Blackcat : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($enum_procs) and ($find_files) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_procs ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Matsnu : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Matsnu ransomware." author = "ReversingLabs" - id = "2f0bddd5-bd48-5d38-84f4-2dbccbe04a46" + id = "4f81e07e-2260-521c-a683-29d70e15556e" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Matsnu.yara#L1-L116" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "76ef1b4a292f27ccd904e80f0279a7a327f7399a21f2266ef3ea959e5339ffac" + logic_hash = "v1_sha256_76ef1b4a292f27ccd904e80f0279a7a327f7399a21f2266ef3ea959e5339ffac" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23571,20 +23571,20 @@ rule REVERSINGLABS_Win32_Ransomware_Matsnu : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $enum_files_1 and $enum_files_2 and $crypto_file and $crypt_file and $remote_connection + uint16( 0 ) == 0x5A4D and $enum_files_1 and $enum_files_2 and $crypto_file and $crypt_file and $remote_connection } rule REVERSINGLABS_Win32_Ransomware_Buran : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Buran ransomware." author = "ReversingLabs" - id = "c2a36a8b-5c21-5c31-994d-b424c038dd21" + id = "74865ff1-dcf3-5571-94b1-e9019d1a1fd7" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Buran.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5606e0acecd99ccf2feaa995353211302903a09bb2c4ec65903566215e2d5ca4" + logic_hash = "v1_sha256_5606e0acecd99ccf2feaa995353211302903a09bb2c4ec65903566215e2d5ca4" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23655,20 +23655,20 @@ rule REVERSINGLABS_Win32_Ransomware_Buran : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Spora : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Spora ransomware." author = "ReversingLabs" - id = "f07ee1d4-d99b-5cbf-a1f0-a3802d9e3b47" + id = "2c01082a-d96f-5816-b00c-0cab015a270b" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Spora.yara#L1-L124" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4e18bb42277ce9194bf75fa45d95ea7e2bd51c5d7791d3d6e013fc07626e65b0" + logic_hash = "v1_sha256_4e18bb42277ce9194bf75fa45d95ea7e2bd51c5d7791d3d6e013fc07626e65b0" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23778,20 +23778,20 @@ rule REVERSINGLABS_Win32_Ransomware_Spora : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and (($create_key_file and $create_lst_file and $enumerate_resources and $encrypt_files) or ($create_key and $enumerate_resources and $encrypt_files)) + uint16( 0 ) == 0x5A4D and ( ( $create_key_file and $create_lst_file and $enumerate_resources and $encrypt_files ) or ( $create_key and $enumerate_resources and $encrypt_files ) ) } rule REVERSINGLABS_Win32_Ransomware_IFN643 : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects IFN643 ransomware." author = "ReversingLabs" - id = "a4d211a7-6735-541e-885d-555bbc11e2cf" + id = "713e6789-9353-57c2-ae66-8a9e3dbb5fbc" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.IFN643.yara#L1-L90" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ced234018f1f05601dd3be55eaecd2a1e116ad0b7bb9e0292434f11f19916ebe" + logic_hash = "v1_sha256_ced234018f1f05601dd3be55eaecd2a1e116ad0b7bb9e0292434f11f19916ebe" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23870,20 +23870,20 @@ rule REVERSINGLABS_Win32_Ransomware_IFN643 : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and $search_files_1 and $search_files_2 and $encrypt_files + uint16( 0 ) == 0x5A4D and $search_files_1 and $search_files_2 and $encrypt_files } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Venom : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Venom ransomware." author = "ReversingLabs" - id = "72149ec2-888e-5bed-baf1-0ec44e48328e" + id = "e6d9fcb4-2483-5517-9582-116d435bfc82" date = "2022-06-06" modified = "2022-06-06" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Venom.yara#L1-L68" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5817ece6a1cc304835f7fc243c4cfdc3c7cacd2251a9ac294a6662b58d2552e8" + logic_hash = "v1_sha256_5817ece6a1cc304835f7fc243c4cfdc3c7cacd2251a9ac294a6662b58d2552e8" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -23932,20 +23932,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Venom : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and ($setup_env) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $setup_env ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win64_Ransomware_Ako : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ako ransomware." author = "ReversingLabs" - id = "fce98a6a-f7bd-52ee-a2b8-31b48f6134ca" + id = "6c33e546-a1f6-56bb-8d3e-a7ae355c86e3" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Ako.yara#L1-L173" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8321a4ace66ae48e3a6896daf02c184fa7767fa6bd10cd83b322ad01698008cf" + logic_hash = "v1_sha256_8321a4ace66ae48e3a6896daf02c184fa7767fa6bd10cd83b322ad01698008cf" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -24095,20 +24095,20 @@ rule REVERSINGLABS_Win64_Ransomware_Ako : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files_win64) and ( all of ($encrypt_files_win64_p*)) and ( all of ($encrypt_network_shares_win64_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files_win64 ) and ( all of ( $encrypt_files_win64_p* ) ) and ( all of ( $encrypt_network_shares_win64_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Chupacabra : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects ChupaCabra ransomware." author = "ReversingLabs" - id = "e44a101d-53c3-51f2-84ca-f6a5858c169b" + id = "baf9bd45-3e5b-5dde-8908-6e0c91323154" date = "2021-10-12" modified = "2021-10-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.ChupaCabra.yara#L1-L90" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7f247778e0bd8057670abf42b2d1011ebae891ffcb21ebad50060f9a7986bf93" + logic_hash = "v1_sha256_7f247778e0bd8057670abf42b2d1011ebae891ffcb21ebad50060f9a7986bf93" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -24177,20 +24177,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Chupacabra : TC_DETECTION MALICIOUS } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Win32_Ransomware_Cybervolk : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects CyberVolk ransomware." author = "ReversingLabs" - id = "4d8bf096-d5c9-5a77-99e6-2c66e480da36" + id = "bd76fc9e-c52f-5be3-be3e-db6321f20734" date = "2024-11-27" modified = "2024-11-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CyberVolk.yara#L1-L293" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "59ed7c4f576fa7cd4cceb724d14f258598c140e434ed309fe2e599c3aaa667d9" + logic_hash = "v1_sha256_59ed7c4f576fa7cd4cceb724d14f258598c140e434ed309fe2e599c3aaa667d9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -24443,20 +24443,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cybervolk : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ( all of ($manage_gui_p*)) and ((( all of ($find_files_v1_p*)) and ( all of ($encrypt_files_v1_p*))) or (( all of ($find_files_v2_p*)) and ( all of ($encrypt_files_v2_p*)))) + uint16( 0 ) == 0x5A4D and ( all of ( $manage_gui_p* ) ) and ( ( ( all of ( $find_files_v1_p* ) ) and ( all of ( $encrypt_files_v1_p* ) ) ) or ( ( all of ( $find_files_v2_p* ) ) and ( all of ( $encrypt_files_v2_p* ) ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Mafia : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Mafia ransomware." author = "ReversingLabs" - id = "67f09000-751f-539a-b222-25b1502c2728" + id = "c1408b50-2233-5a66-a081-aed696fb99dd" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Mafia.yara#L1-L142" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5c17b799f0b4f1f8f72a2e4203a6606f7783ceec2034694f8a21ff65e5afdb26" + logic_hash = "v1_sha256_5c17b799f0b4f1f8f72a2e4203a6606f7783ceec2034694f8a21ff65e5afdb26" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -24575,20 +24575,20 @@ rule REVERSINGLABS_Win32_Ransomware_Mafia : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win64_Ransomware_Vovalex : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Vovalex ransomware." author = "ReversingLabs" - id = "dd4d7969-1afc-5e5d-9324-89f432523173" + id = "06cfa4bf-a8d6-5945-a822-71fbba681ce2" date = "2021-03-12" modified = "2021-03-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Vovalex.yara#L1-L81" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0c0f065224988bcba45b5aba2dceb080479b0bab235d544daabc3cae72e48318" + logic_hash = "v1_sha256_0c0f065224988bcba45b5aba2dceb080479b0bab235d544daabc3cae72e48318" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -24653,20 +24653,20 @@ rule REVERSINGLABS_Win64_Ransomware_Vovalex : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Dogecrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects DogeCrypt ransomware." author = "ReversingLabs" - id = "e0ca22a5-70bb-5d2c-bce4-bac49c2a81d2" + id = "02134ccd-416a-5fd0-801d-4edea616554c" date = "2021-04-28" modified = "2021-04-28" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DogeCrypt.yara#L1-L114" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1c19862884cf1e59d12c84f5ff6f799a4087ddc8bd887e0d2ce7da053642b851" + logic_hash = "v1_sha256_1c19862884cf1e59d12c84f5ff6f799a4087ddc8bd887e0d2ce7da053642b851" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -24760,20 +24760,20 @@ rule REVERSINGLABS_Win32_Ransomware_Dogecrypt : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($decrypt_DesucryptKeyContainer_DogeCrypt) and ($find_files_DogeCrypt) and ( all of ($encrypt_files_DogeCrypt_p*)) + uint16( 0 ) == 0x5A4D and ( $decrypt_DesucryptKeyContainer_DogeCrypt ) and ( $find_files_DogeCrypt ) and ( all of ( $encrypt_files_DogeCrypt_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Cryptofortress : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects CryptoFortress ransomware." author = "ReversingLabs" - id = "460289b1-f775-5e0b-8c44-4f6e5c92da60" + id = "34f8c19c-2ce3-53f0-ae30-64d0fcc3660c" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoFortress.yara#L1-L162" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "474893b63523de5ff9eb8a0c91b0677b99ce65056af7f5d02a73e43fa65453c9" + logic_hash = "v1_sha256_474893b63523de5ff9eb8a0c91b0677b99ce65056af7f5d02a73e43fa65453c9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -24908,20 +24908,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptofortress : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and (($read_config_file and $file_type_loop and $encrypt_routine) or ($enum_drives and $enum_shared_resources and $find_files and $encrypt_files)) + uint16( 0 ) == 0x5A4D and ( ( $read_config_file and $file_type_loop and $encrypt_routine ) or ( $enum_drives and $enum_shared_resources and $find_files and $encrypt_files ) ) } rule REVERSINGLABS_Win32_Ransomware_Ferrlock : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ferrlock ransomware." author = "ReversingLabs" - id = "745ce529-46d0-56ed-a8fa-b41b26b068f4" + id = "d2c00d5c-e9b0-57d6-9337-75c05da100b7" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ferrlock.yara#L1-L131" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b94bc77489dbb74573813631009e605bc848e17995a0a512d08b194ee3020b75" + logic_hash = "v1_sha256_b94bc77489dbb74573813631009e605bc848e17995a0a512d08b194ee3020b75" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25026,20 +25026,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ferrlock : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($enum_rsrc) and ( all of ($search_files_p*)) and ( all of ($create_test_file_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_rsrc ) and ( all of ( $search_files_p* ) ) and ( all of ( $create_test_file_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win64_Ransomware_Antiwar : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects AntiWar ransomware." author = "ReversingLabs" - id = "3113ec26-e149-527b-9478-4dd86c7fa464" + id = "695dff11-4454-5247-bdf0-58f2a4ece393" date = "2022-04-21" modified = "2022-04-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.AntiWar.yara#L1-L146" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2d885f35454aaf7cb33f03c30b6681aa16cbe8353003bbae0b1e9fdecb2ff8a7" + logic_hash = "v1_sha256_2d885f35454aaf7cb33f03c30b6681aa16cbe8353003bbae0b1e9fdecb2ff8a7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25160,20 +25160,20 @@ rule REVERSINGLABS_Win64_Ransomware_Antiwar : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and (( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($enum_shares)) + uint16( 0 ) == 0x5A4D and ( ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $enum_shares ) ) } rule REVERSINGLABS_Win64_Ransomware_Redroman : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects RedRoman ransomware." author = "ReversingLabs" - id = "c860586a-fa50-5bb4-a3b4-13506f9d6030" + id = "0cc3a539-d201-58f3-b91d-ad0ebb6cd199" date = "2021-05-10" modified = "2021-05-10" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.RedRoman.yara#L1-L82" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6fb2ac0e7f7ac095766e27c057e5124406dc493c08d01a7e5381403d794c7240" + logic_hash = "v1_sha256_6fb2ac0e7f7ac095766e27c057e5124406dc493c08d01a7e5381403d794c7240" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25239,20 +25239,20 @@ rule REVERSINGLABS_Win64_Ransomware_Redroman : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Kangaroo : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Kangaroo ransomware." author = "ReversingLabs" - id = "ec4342c1-adc9-5ddb-b403-83c2b1ce5899" + id = "6d04fc64-f4de-5d28-8c1c-932c771817c0" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Kangaroo.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1078fb3d47ad737548419e5ee66e686f705c02fea27a58c0097446547325772c" + logic_hash = "v1_sha256_1078fb3d47ad737548419e5ee66e686f705c02fea27a58c0097446547325772c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25323,20 +25323,20 @@ rule REVERSINGLABS_Win32_Ransomware_Kangaroo : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ($enum_resources) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $enum_resources ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Povlsomware : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Povlsomware ransomware." author = "ReversingLabs" - id = "317d7cca-4fe8-55ab-8f5f-e42be727ec26" + id = "013359d7-6904-5ac0-bf46-76b75bee6555" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Povlsomware.yara#L1-L64" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "465dc1b1d7e9eb3091f36efb51029cd3383d05ece054e814b18f379e58c7e457" + logic_hash = "v1_sha256_465dc1b1d7e9eb3091f36efb51029cd3383d05ece054e814b18f379e58c7e457" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25381,20 +25381,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Povlsomware : TC_DETECTION MALICIOUS } condition: - uint16(0)==0x5A4D and ($setup_attack) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $setup_attack ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Blackbasta : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BlackBasta ransomware." author = "ReversingLabs" - id = "7c451fde-b8b1-5a35-855e-7e30f3e75cbb" + id = "eb74273e-c6ac-5094-a012-afe5645ddeff" date = "2022-12-13" modified = "2022-12-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BlackBasta.yara#L1-L531" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c68671e51489af00e9e0cf28373e5ec01bda042653dbcca8843357eede41f27f" + logic_hash = "v1_sha256_c68671e51489af00e9e0cf28373e5ec01bda042653dbcca8843357eede41f27f" score = 75 quality = 88 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25785,20 +25785,20 @@ rule REVERSINGLABS_Win32_Ransomware_Blackbasta : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ((($find_files) and ($encrypt_files_v1) and ($cmd_prompt) and ($exclude_from_encryption_v1)) or (($find_files) and ($cmd_prompt) and ($ldap_connect) and ($encrypt_files_v2) and ($exclude_from_encryption_v1)) or (($find_files) and ($cmd_prompt) and ($ldap_connect) and ($encrypt_files_v3) and ($exclude_from_encryption_v1)) or (($find_files) and ($encrypt_files_v4) and ($drop_ransom_note_v1) and ( all of ($exclude_from_encryption_v2_p*))) or (($find_files) and ($exclude_from_encryption_v1) and ( any of ($encrypt_files_v5)) and ( all of ($find_system_volumes_v2_p*))) or (( all of ($encrypt_files_v5_p*)) and ( all of ($set_default_icon_p*)) and ($find_system_volumes) and ( all of ($drop_ransom_note_v2_p*)) and ($find_files)) or (( all of ($encrypt_files_v6_p*)) and ( all of ($set_default_icon_p*)) and ( all of ($drop_ransom_note_v2_p*)) and ($find_files))) + uint16( 0 ) == 0x5A4D and ( ( ( $find_files ) and ( $encrypt_files_v1 ) and ( $cmd_prompt ) and ( $exclude_from_encryption_v1 ) ) or ( ( $find_files ) and ( $cmd_prompt ) and ( $ldap_connect ) and ( $encrypt_files_v2 ) and ( $exclude_from_encryption_v1 ) ) or ( ( $find_files ) and ( $cmd_prompt ) and ( $ldap_connect ) and ( $encrypt_files_v3 ) and ( $exclude_from_encryption_v1 ) ) or ( ( $find_files ) and ( $encrypt_files_v4 ) and ( $drop_ransom_note_v1 ) and ( all of ( $exclude_from_encryption_v2_p* ) ) ) or ( ( $find_files ) and ( $exclude_from_encryption_v1 ) and ( any of ( $encrypt_files_v5 ) ) and ( all of ( $find_system_volumes_v2_p* ) ) ) or ( ( all of ( $encrypt_files_v5_p* ) ) and ( all of ( $set_default_icon_p* ) ) and ( $find_system_volumes ) and ( all of ( $drop_ransom_note_v2_p* ) ) and ( $find_files ) ) or ( ( all of ( $encrypt_files_v6_p* ) ) and ( all of ( $set_default_icon_p* ) ) and ( all of ( $drop_ransom_note_v2_p* ) ) and ( $find_files ) ) ) } rule 
REVERSINGLABS_Win32_Ransomware_Bananacrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BananaCrypt ransomware." author = "ReversingLabs" - id = "9e47d094-d7fc-57dd-826c-5321d0219273" + id = "d0677fd0-6654-5db4-abe8-d1168dd7e842" date = "2020-09-14" modified = "2020-09-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BananaCrypt.yara#L1-L103" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6bde4430e438947b0d7f10c4de11216929ec03af81b3d74f8b7bb8ed134d08d2" + logic_hash = "v1_sha256_6bde4430e438947b0d7f10c4de11216929ec03af81b3d74f8b7bb8ed134d08d2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25883,20 +25883,20 @@ rule REVERSINGLABS_Win32_Ransomware_Bananacrypt : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win64_Ransomware_Hotcoffee : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HotCoffee ransomware." author = "ReversingLabs" - id = "11b26b91-96ae-58d3-8a8a-02a3e7d0b82e" + id = "3ffb7dc9-c571-51a8-bd51-c08189dfa69f" date = "2021-11-25" modified = "2021-11-25" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.HotCoffee.yara#L1-L111" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "15ae428c37fcc5a09d324fd9be5a8df3a812e6459cb1ce8eec56eabf785b4c05" + logic_hash = "v1_sha256_15ae428c37fcc5a09d324fd9be5a8df3a812e6459cb1ce8eec56eabf785b4c05" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25983,20 +25983,20 @@ rule REVERSINGLABS_Win64_Ransomware_Hotcoffee : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($enum_drives) and ($find_files) and ( all of ($encrypt_files_p*)) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( $enum_drives ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Fantom : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Fantom ransomware." author = "ReversingLabs" - id = "cd32de8b-2c14-5fb4-be79-365d9848f341" + id = "e6a91181-dbbf-5d6d-b20c-add58f1b0098" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Fantom.yara#L1-L97" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f2aaa9776b7ca302052b3303d45df24cc151a4efc7ea9f4bb3c1f53d10ded03a" + logic_hash = "v1_sha256_f2aaa9776b7ca302052b3303d45df24cc151a4efc7ea9f4bb3c1f53d10ded03a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26075,20 +26075,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Fantom : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and (( all of ($encrypt_files_*)) and $lockfile and $lockdir and $sendkey) + uint16( 0 ) == 0x5A4D and ( ( all of ( $encrypt_files_* ) ) and $lockfile and $lockdir and $sendkey ) } rule REVERSINGLABS_Win32_Ransomware_Outsider : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Outsider ransomware." author = "ReversingLabs" - id = "44edccb1-9e2a-5ff9-b4b5-72ceec2f7947" + id = "23f5d65c-d318-5f0d-94b8-fb1254fe67f4" date = "2020-10-23" modified = "2020-10-23" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Outsider.yara#L1-L88" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "80c5a93b5b72b7b66e36f1726486b0c7620588d05bd925510d76f020a40b124c" + logic_hash = "v1_sha256_80c5a93b5b72b7b66e36f1726486b0c7620588d05bd925510d76f020a40b124c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26156,20 +26156,20 @@ rule REVERSINGLABS_Win32_Ransomware_Outsider : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($enum_resources) and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_resources ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_DMR : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects DMR ransomware." author = "ReversingLabs" - id = "45d8f91f-d2d0-5c6e-a29e-b8c9c29dc296" + id = "27cefe87-afb3-53cc-886c-6a55e0e37d0c" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DMR.yara#L1-L214" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "55e19f3017c2cc8355c27f9a516e611b58b108f15bfed41b88d5662b55677a59" + logic_hash = "v1_sha256_55e19f3017c2cc8355c27f9a516e611b58b108f15bfed41b88d5662b55677a59" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26359,20 +26359,20 @@ rule REVERSINGLABS_Win32_Ransomware_DMR : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Chichi : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects ChiChi ransomware." author = "ReversingLabs" - id = "95062789-a55d-5c1c-a359-206b58f311e5" + id = "822cfd19-71f4-5303-a544-dc8ff1093e5b" date = "2022-02-14" modified = "2022-02-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.ChiChi.yara#L1-L66" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "863a30e4c708e13ea0f4c6ad42a919de463926508783d6552c0cec746730baa5" + logic_hash = "v1_sha256_863a30e4c708e13ea0f4c6ad42a919de463926508783d6552c0cec746730baa5" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26419,20 +26419,20 @@ rule REVERSINGLABS_Win32_Ransomware_Chichi : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($generate_key) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $generate_key ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Wormlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects WormLocker ransomware." author = "ReversingLabs" - id = "6d7b55b7-2e1b-56e0-950f-07a2d3fa17ae" + id = "2b49e09a-17ac-5080-b183-efd5a74faa42" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.WormLocker.yara#L1-L69" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "87a4f805de78d7e7dffb176302407453108ca01552c682aeee38f8d0201263c9" + logic_hash = "v1_sha256_87a4f805de78d7e7dffb176302407453108ca01552c682aeee38f8d0201263c9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26481,20 +26481,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Wormlocker : TC_DETECTION MALICIOUS } condition: - uint16(0)==0x5A4D and ($set_environment) and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $set_environment ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Montserrat : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Montserrat ransomware." author = "ReversingLabs" - id = "deeb5f1a-1329-5964-93e1-8ca6a20fcd89" + id = "9204116c-399d-50e9-87e9-fae2ce6da73f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Montserrat.yara#L1-L118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c8782a8cb2b87e76ff1f804ee8affd01405827d0914ea725bb0e9ddace7dde10" + logic_hash = "v1_sha256_c8782a8cb2b87e76ff1f804ee8affd01405827d0914ea725bb0e9ddace7dde10" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26590,20 +26590,20 @@ rule REVERSINGLABS_Win32_Ransomware_Montserrat : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($shutdown_services_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $shutdown_services_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Sage : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Sage ransomware." author = "ReversingLabs" - id = "81f4c666-93f9-51bb-8dda-431ef7a81b74" + id = "f5f41fd2-5c17-58ef-a2f6-99998fd076dd" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sage.yara#L1-L77" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "69079b7176050096cdbaaaff30dd0359366b3a6a74e8bc17db348794388f71ba" + logic_hash = "v1_sha256_69079b7176050096cdbaaaff30dd0359366b3a6a74e8bc17db348794388f71ba" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26661,20 +26661,20 @@ rule REVERSINGLABS_Win32_Ransomware_Sage : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Satana : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Satana ransomware." author = "ReversingLabs" - id = "8dc5bf7c-d4cb-5961-804b-035676dacbc0" + id = "75c4a0cd-dfd0-5b8b-99fb-39f00da5ce7a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Satana.yara#L1-L123" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5deb6ac2e8b64fb6f7af8c41a9b9e695668ca66c96c65f0c7350b11cd4ae0c50" + logic_hash = "v1_sha256_5deb6ac2e8b64fb6f7af8c41a9b9e695668ca66c96c65f0c7350b11cd4ae0c50" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26776,20 +26776,20 @@ rule REVERSINGLABS_Win32_Ransomware_Satana : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($remote_connection and ( all of ($search_files_p*)) and ( all of ($encrypt_files_p*))) + uint16( 0 ) == 0x5A4D and ( $remote_connection and ( all of ( $search_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Globeimposter : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GlobeImposter ransomware." author = "ReversingLabs" - id = "6634a554-b4bb-503d-a4f1-9997b4caa1f0" + id = "7dc040e8-e5f8-5ed1-ac83-13394951a161" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GlobeImposter.yara#L1-L171" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4345a767f270428f3b509fdad5a96bf9b494b190d3a836c4bf53dfd75da5bacb" + logic_hash = "v1_sha256_4345a767f270428f3b509fdad5a96bf9b494b190d3a836c4bf53dfd75da5bacb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26928,21 +26928,21 @@ rule REVERSINGLABS_Win32_Ransomware_Globeimposter : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and (($search_files_1 and $encrypt_files_1 and $kill_specific_processes_1) or ($search_files_1 and $encrypt_files_2 and $kill_specific_processes_2) or ($search_files_2 and $encrypt_files_3 and $kill_specific_processes_3)) + uint16( 0 ) == 0x5A4D and ( ( $search_files_1 and $encrypt_files_1 and $kill_specific_processes_1 ) or ( $search_files_1 and $encrypt_files_2 and $kill_specific_processes_2 ) or ( $search_files_2 and $encrypt_files_3 and $kill_specific_processes_3 ) ) } rule REVERSINGLABS_Win32_Ransomware_ONI : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Oni ransomware." author = "ReversingLabs" - id = "9190aee2-1119-546e-82ca-a7aba44a9d7f" - date = "2024-12-08" - date = "2024-12-08" + id = "dff47f41-92e1-5a62-933e-cada3a698604" + date = "2024-12-15" + date = "2024-12-15" modified = "2020-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Oni.yara#L1-L82" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "685abf5a5edba5bae19faaf6521ce617370cdab1404fe84d846e82a60182dfff" + logic_hash = "v1_sha256_685abf5a5edba5bae19faaf6521ce617370cdab1404fe84d846e82a60182dfff" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27004,20 +27004,20 @@ rule REVERSINGLABS_Win32_Ransomware_ONI : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($search_processes) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $search_processes ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Linux_Ransomware_Killdisk : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects KillDisk ransomware." author = "ReversingLabs" - id = "af6652dd-c668-5ae1-b51b-e272cb440c20" + id = "7c9c113f-2e7d-5b1e-a6e9-3cdae37c9499" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Linux.Ransomware.KillDisk.yara#L1-L144" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3ed1fb2b7b24cd4d5100d93ed53a9ab28e1482bd0998a0538d8710a962ee839f" + logic_hash = "v1_sha256_3ed1fb2b7b24cd4d5100d93ed53a9ab28e1482bd0998a0538d8710a962ee839f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27143,20 +27143,20 @@ rule REVERSINGLABS_Linux_Ransomware_Killdisk : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint32(0)==0x464C457F and ($search_files and ( all of ($encrypt_files_*)) and ( all of ($subvert_grub_*))) + uint32( 0 ) == 0x464C457F and ( $search_files and ( all of ( $encrypt_files_* ) ) and ( all of ( $subvert_grub_* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Ransomplus : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects RansomPlus ransomware." author = "ReversingLabs" - id = "ee96eab6-104d-560f-adae-6d5f0ba5d469" + id = "02e8240a-c6d6-559f-bc7a-d80c802a1373" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.RansomPlus.yara#L1-L95" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8ab18c6bcb939eac0e74f015dea773141b5086c5fcb4783666eeac1f395bc208" + logic_hash = "v1_sha256_8ab18c6bcb939eac0e74f015dea773141b5086c5fcb4783666eeac1f395bc208" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27240,20 +27240,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ransomplus : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and $find_files_1_0 and $find_files_1_1 and $find_files_1_2 and $encrypt_files + uint16( 0 ) == 0x5A4D and $find_files_1_0 and $find_files_1_1 and $find_files_1_2 and $encrypt_files } rule REVERSINGLABS_Win32_Ransomware_Hermes : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Hermes ransomware." author = "ReversingLabs" - id = "1f1f363a-5be0-59e5-b1c1-5e277922790c" + id = "3e1dcb0e-59e6-5dbb-b48c-17a754fc5c5c" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Hermes.yara#L1-L284" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6db95c422ee2f9dd8a1795031ee8d7d5ed84e16cde47512becc006b6a849e890" + logic_hash = "v1_sha256_6db95c422ee2f9dd8a1795031ee8d7d5ed84e16cde47512becc006b6a849e890" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27492,20 +27492,20 @@ rule REVERSINGLABS_Win32_Ransomware_Hermes : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ((( all of ($hermes_find_files_v1_p*)) and ( all of ($hermes_encrypt_files_v1_p*))) or (( all of ($hermes_find_files_v2_p*)) and ( all of ($hermes_encrypt_files_v2_p*)))) and ( any of ($hermes_enum_resources_v*)) + uint16( 0 ) == 0x5A4D and ( ( ( all of ( $hermes_find_files_v1_p* ) ) and ( all of ( $hermes_encrypt_files_v1_p* ) ) ) or ( ( all of ( $hermes_find_files_v2_p* ) ) and ( all of ( $hermes_encrypt_files_v2_p* ) ) ) ) and ( any of ( $hermes_enum_resources_v* ) ) } rule REVERSINGLABS_Win32_Ransomware_Ryuk : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ryuk ransomware." author = "ReversingLabs" - id = "179c9277-0bdc-522a-a822-cf93febff408" + id = "14332f05-2428-5c37-8edb-b165e9d0b582" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ryuk.yara#L1-L199" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bf93892b281be20917656e242cbb0f3b3694439556b7e5e40a424ba1aa909105" + logic_hash = "v1_sha256_bf93892b281be20917656e242cbb0f3b3694439556b7e5e40a424ba1aa909105" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27679,20 +27679,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ryuk : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Antefrigus : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects AnteFrigus ransomware." author = "ReversingLabs" - id = "903ac92c-1a4a-5645-92db-d00b3bfd6ada" + id = "79657c2b-611e-56cd-82b8-a5ea9d78dcc2" date = "2021-03-05" modified = "2021-03-05" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.AnteFrigus.yara#L1-L210" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b84c01da0ee97a4eb8bf099c71094f994feb4c7185ad75b8b2ccda5eee283a92" + logic_hash = "v1_sha256_b84c01da0ee97a4eb8bf099c71094f994feb4c7185ad75b8b2ccda5eee283a92" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27876,20 +27876,20 @@ rule REVERSINGLABS_Win32_Ransomware_Antefrigus : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Cryptobit : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects CryptoBit ransomware." author = "ReversingLabs" - id = "8566e516-9884-5b20-90c4-7ed38fa96999" + id = "89e39f4f-6bcd-577e-be63-6ddeebbb7886" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoBit.yara#L1-L113" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ccc8a0f1c5e11211649992d0f2b309968c97b49f1c7359e62d622f364e117429" + logic_hash = "v1_sha256_ccc8a0f1c5e11211649992d0f2b309968c97b49f1c7359e62d622f364e117429" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27981,20 +27981,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptobit : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($remote_connection and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*))) + uint16( 0 ) == 0x5A4D and ( $remote_connection and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Hddcryptor : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HDDCryptor ransomware." author = "ReversingLabs" - id = "2c6a8ca3-0f7a-52b7-af6d-74fa9407feca" + id = "9d9d7c94-2850-589e-8224-93af2a20a8b7" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HDDCryptor.yara#L1-L157" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "47915f315bb4956507362f56024f5632cb1bcec569ceaf77fe9d7cb9c25d1d8a" + logic_hash = "v1_sha256_47915f315bb4956507362f56024f5632cb1bcec569ceaf77fe9d7cb9c25d1d8a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28109,20 +28109,20 @@ rule REVERSINGLABS_Win32_Ransomware_Hddcryptor : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ((($deploy_components) and ($get_shares_info) and ($encrypt_discs)) or (($extract_diskcryptor_from_resources) and ($create_diskcryptor_service) and ( all of ($encrypt_files_using_diskcryptor_p*)) and ($reboot))) + uint16( 0 ) == 0x5A4D and ( ( ( $deploy_components ) and ( $get_shares_info ) and ( $encrypt_discs ) ) or ( ( $extract_diskcryptor_from_resources ) and ( $create_diskcryptor_service ) and ( all of ( $encrypt_files_using_diskcryptor_p* ) ) and ( $reboot ) ) ) } rule REVERSINGLABS_Win32_Ransomware_Bkransomware : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects BKRansomware ransomware." author = "ReversingLabs" - id = "88dc5c4a-046a-52e2-b108-0a90b91d4fb6" + id = "12f8e9a3-70c6-51ed-bee3-346fa751b0fe" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BKRansomware.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3118098f05a13bd161af0cb1ec322878b371ff70b9f3815a04115a214c0965a2" + logic_hash = "v1_sha256_3118098f05a13bd161af0cb1ec322878b371ff70b9f3815a04115a214c0965a2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28185,20 +28185,20 @@ rule REVERSINGLABS_Win32_Ransomware_Bkransomware : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ($search_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $search_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Armage : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Armage ransomware." author = "ReversingLabs" - id = "94cf639b-7d9e-51ca-b547-e0d591581df2" + id = "f5773231-475a-5775-8848-404b6e017280" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Armage.yara#L1-L128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "aa8ddcbb0fdcad15e603e000db1d4f86eae7d42efce1c1d21dc3dd57ee9f4319" + logic_hash = "v1_sha256_aa8ddcbb0fdcad15e603e000db1d4f86eae7d42efce1c1d21dc3dd57ee9f4319" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28304,20 +28304,20 @@ rule REVERSINGLABS_Win32_Ransomware_Armage : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($enum_resources_p*)) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $enum_resources_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Targetcompany : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects TargetCompany ransomware." author = "ReversingLabs" - id = "7e6983f9-2aca-5cfa-aad6-38aa64fa2062" + id = "534b1b27-933f-55fd-a223-ee6b2343902d" date = "2021-09-27" modified = "2021-09-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TargetCompany.yara#L1-L141" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "05fa81afa8aa1e3b9955ad24a274ddef4fb32d678902af7aae6d6c67ed3bf0fd" + logic_hash = "v1_sha256_05fa81afa8aa1e3b9955ad24a274ddef4fb32d678902af7aae6d6c67ed3bf0fd" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28432,20 +28432,20 @@ rule REVERSINGLABS_Win32_Ransomware_Targetcompany : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($generate_key) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $generate_key ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Howareyou : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HowAreYou ransomware." author = "ReversingLabs" - id = "998fbebe-099d-5779-ad4a-91b7b6c8ad6b" + id = "1224d329-1fd2-5829-9871-0f07ab947ce0" date = "2021-06-14" modified = "2021-06-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HowAreYou.yara#L1-L205" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "90568365aac61d120886f9efa9822ccc23df79a1a55e522c81db6e77477c4f04" + logic_hash = "v1_sha256_90568365aac61d120886f9efa9822ccc23df79a1a55e522c81db6e77477c4f04" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28624,20 +28624,20 @@ rule REVERSINGLABS_Win32_Ransomware_Howareyou : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Retmydata : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects RetMyData ransomware." author = "ReversingLabs" - id = "f7a091d9-7ace-5aad-95b4-d5101fa7fdea" + id = "deedb074-eae8-5330-a994-016aae9dd6d0" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.RetMyData.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "54ce38d75e9ab82a77b9c338f75e180e19ac745f149289c7478a4aa3b44d70fd" + logic_hash = "v1_sha256_54ce38d75e9ab82a77b9c338f75e180e19ac745f149289c7478a4aa3b44d70fd" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28697,20 +28697,20 @@ rule REVERSINGLABS_Win32_Ransomware_Retmydata : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($enum_resources) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $enum_resources ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Monalisa : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Monalisa ransomware." author = "ReversingLabs" - id = "34addb63-2426-59a2-b79b-052a9161d361" + id = "eee02601-2cc3-5a69-a0bd-9e4125f6115c" date = "2022-05-13" modified = "2022-05-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Monalisa.yara#L1-L83" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0bcb79dff111ec05ac93bbe9a777546bd6234dc60d9f6982c03cd0bc3b26b038" + logic_hash = "v1_sha256_0bcb79dff111ec05ac93bbe9a777546bd6234dc60d9f6982c03cd0bc3b26b038" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28770,20 +28770,20 @@ rule REVERSINGLABS_Win32_Ransomware_Monalisa : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($find_files) and ($write_proc_mem) and ($generate_key) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $write_proc_mem ) and ( $generate_key ) and ( $encrypt_files ) } rule REVERSINGLABS_Win64_Ransomware_Wintenzz : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Wintenzz ransomware." author = "ReversingLabs" - id = "6bf569e8-b050-51ef-a948-0eb294248d63" + id = "92035bb8-06bc-5338-b0b9-249636741402" date = "2021-11-02" modified = "2021-11-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Wintenzz.yara#L1-L83" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ff4bdf2f6ee185b98d0014b3066806fe7e25ea94f46837948bc5262440bf8a56" + logic_hash = "v1_sha256_ff4bdf2f6ee185b98d0014b3066806fe7e25ea94f46837948bc5262440bf8a56" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28846,20 +28846,20 @@ rule REVERSINGLABS_Win64_Ransomware_Wintenzz : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_*)) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_* ) ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Win32_Ransomware_Sepsis : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Sepsis ransomware." author = "ReversingLabs" - id = "0c26d6e0-1d64-5f47-8e21-6710a531bc74" + id = "4f36609d-23d5-5aa7-a573-4ebe20cfab44" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sepsis.yara#L1-L126" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "171ad074a780b45195c6e02b111b3883c58a4028e635c4d6b8ce27c5e05e35d7" + logic_hash = "v1_sha256_171ad074a780b45195c6e02b111b3883c58a4028e635c4d6b8ce27c5e05e35d7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28963,20 +28963,20 @@ rule REVERSINGLABS_Win32_Ransomware_Sepsis : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($search_files_*)) and ( all of ($encrypt_files_*)) + uint16( 0 ) == 0x5A4D and ( all of ( $search_files_* ) ) and ( all of ( $encrypt_files_* ) ) } rule REVERSINGLABS_Win32_Ransomware_Ako : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Ako ransomware." author = "ReversingLabs" - id = "00d67696-998c-5bc3-95e7-0320ca558cdb" + id = "abfc6e91-5850-5ef7-934e-c01c612d098a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ako.yara#L1-L152" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "488e9b528f75fcfaa8dd19859801e6e5a73575c33cd70c98ebaa9ae93025018b" + logic_hash = "v1_sha256_488e9b528f75fcfaa8dd19859801e6e5a73575c33cd70c98ebaa9ae93025018b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29104,20 +29104,20 @@ rule REVERSINGLABS_Win32_Ransomware_Ako : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_win32_p*)) and ( all of ($encrypt_files_win32_p*)) and ( all of ($encrypt_network_shares_win32_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_win32_p* ) ) and ( all of ( $encrypt_files_win32_p* ) ) and ( all of ( $encrypt_network_shares_win32_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_FLKR : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects FLKR ransomware." author = "ReversingLabs" - id = "7f3abcd0-8dfa-5914-9ad0-566c16c2e2ab" + id = "05157ff7-f17e-5d29-94a8-0b75bb10026b" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FLKR.yara#L1-L71" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4ab00ba82baceec9899556d3a774ec08c83c10930cec194e18e3b4e16ebacb58" + logic_hash = "v1_sha256_4ab00ba82baceec9899556d3a774ec08c83c10930cec194e18e3b4e16ebacb58" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29178,20 +29178,20 @@ rule REVERSINGLABS_Win32_Ransomware_FLKR : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($search_and_encrypt_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $search_and_encrypt_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Sanwai : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Sanwai ransomware." author = "ReversingLabs" - id = "01912621-4a34-5e34-8542-5b561e8da567" + id = "6cf7b717-e235-5500-8481-c44526159b8a" date = "2021-11-11" modified = "2021-11-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sanwai.yara#L1-L71" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a7a95b2403fe539dce0d856cc1c04d15440677ea39c0a22e818b42333a64e92c" + logic_hash = "v1_sha256_a7a95b2403fe539dce0d856cc1c04d15440677ea39c0a22e818b42333a64e92c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29243,20 +29243,20 @@ rule REVERSINGLABS_Win32_Ransomware_Sanwai : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($import_key) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $import_key ) and ( $encrypt_files ) } rule REVERSINGLABS_Win64_Ransomware_Whiteblackcrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects WhiteBlackCrypt ransomware." author = "ReversingLabs" - id = "9855c10d-563d-54e0-bc79-945daef947de" + id = "a4edb094-8984-5491-9db7-bf8db4994b7c" date = "2021-07-05" modified = "2021-07-05" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.WhiteBlackCrypt.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "37b95cc3412f2f2d02d19c4c15b529c4f67453cb195627b5bab2f353e7602354" + logic_hash = "v1_sha256_37b95cc3412f2f2d02d19c4c15b529c4f67453cb195627b5bab2f353e7602354" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29327,20 +29327,20 @@ rule REVERSINGLABS_Win64_Ransomware_Whiteblackcrypt : TC_DETECTION MALICIOUS MAL } condition: - uint16(0)==0x5A4D and ( all of ($register_service_p*)) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $register_service_p* ) ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Hog : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Hog ransomware." author = "ReversingLabs" - id = "b4f26acf-5ff1-5c49-8cfa-8f619af84efd" + id = "ffd17025-4aa9-57cd-a0c8-d564e61087c8" date = "2021-10-12" modified = "2021-10-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Hog.yara#L1-L70" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c5cbc79fee9083ed3befa6b0d348f2d38064bb9012b8f0ca11afd7137243866d" + logic_hash = "v1_sha256_c5cbc79fee9083ed3befa6b0d348f2d38064bb9012b8f0ca11afd7137243866d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29390,20 +29390,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Hog : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($find_files) and ($generate_key) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $generate_key ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Thanos : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Thanos ransomware." author = "ReversingLabs" - id = "e607255d-45a6-573d-956e-f6faa2aa7e9f" + id = "4c3a7afd-e2a6-5ed5-8830-78dcf6e4e56f" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Thanos.yara#L1-L106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f6bc0c2188a04d2fb2a82a6b6d6cdf7763c32047bec725fe07f01415edf0b4cd" + logic_hash = "v1_sha256_f6bc0c2188a04d2fb2a82a6b6d6cdf7763c32047bec725fe07f01415edf0b4cd" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29488,20 +29488,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Thanos : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_files) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Cincoo : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Cincoo ransomware." author = "ReversingLabs" - id = "c7c2773c-5056-5127-8af7-7f5c5a8ea8a1" + id = "888eb475-1f81-5769-b8a7-e62e739e6ca0" date = "2022-06-21" modified = "2022-06-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Cincoo.yara#L1-L78" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6a7562cae90754ea75a9fb98ce73ebdb9acf1ad7f28f2240abe6cb592d717ca3" + logic_hash = "v1_sha256_6a7562cae90754ea75a9fb98ce73ebdb9acf1ad7f28f2240abe6cb592d717ca3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29560,20 +29560,20 @@ rule REVERSINGLABS_Win32_Ransomware_Cincoo : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Namaste : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Namaste ransomware." author = "ReversingLabs" - id = "e85d7ec3-367b-5bde-a570-8caa1f6cd61b" + id = "0e9afc57-2a0a-54ef-a1c6-eda77c9ce559" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Namaste.yara#L1-L81" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5a952276f41b5524bcb82a9ceb076983d2faf2864b3bbd0a06d49bbd5edc1e0e" + logic_hash = "v1_sha256_5a952276f41b5524bcb82a9ceb076983d2faf2864b3bbd0a06d49bbd5edc1e0e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29636,20 +29636,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Namaste : TC_DETECTION MALICIOUS MAL } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Regretlocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects RegretLocker ransomware." author = "ReversingLabs" - id = "c4e515cc-b0c2-57b2-a230-619ec01ac8d4" + id = "77d0d3e5-816b-596f-accb-1c8e8d994ff4" date = "2021-04-02" modified = "2021-04-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.RegretLocker.yara#L1-L206" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3927dfecacd74f60a169f82b68df5747daa90eaba77f24c5e730ce4c48d426a3" + logic_hash = "v1_sha256_3927dfecacd74f60a169f82b68df5747daa90eaba77f24c5e730ce4c48d426a3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29830,20 +29830,20 @@ rule REVERSINGLABS_Win32_Ransomware_Regretlocker : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Badbeeteam : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Badbeeteam ransomware." author = "ReversingLabs" - id = "39490b21-34b9-51cb-a3ed-672b3186a233" + id = "a32fad99-9ebe-526e-abbd-5e2cde7bb262" date = "2020-11-13" modified = "2020-11-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Badbeeteam.yara#L1-L137" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9b5367655c7c70958332d31524833d96d03027aab693393b19f478a80482abd0" + logic_hash = "v1_sha256_9b5367655c7c70958332d31524833d96d03027aab693393b19f478a80482abd0" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29958,20 +29958,20 @@ rule REVERSINGLABS_Win32_Ransomware_Badbeeteam : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ( all of ($drop_hta_file_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( all of ( $drop_hta_file_p* ) ) } rule REVERSINGLABS_Win64_Ransomware_Hermeticransom : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects HermeticRansom ransomware." author = "ReversingLabs" - id = "6aaf89f4-0cf8-5f0e-b89d-01ac7edd06c0" + id = "780dc0e8-9acc-5a99-80d8-5a897e39866f" date = "2022-05-13" modified = "2022-05-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.HermeticRansom.yara#L1-L105" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "123d569a9d9b9d855b3baafd6194f102d82a594fd7a2bba073843a8654a317cb" + logic_hash = "v1_sha256_123d569a9d9b9d855b3baafd6194f102d82a594fd7a2bba073843a8654a317cb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -30056,20 +30056,20 @@ rule REVERSINGLABS_Win64_Ransomware_Hermeticransom : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ($drop_ransom_note) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $drop_ransom_note ) } rule REVERSINGLABS_Win32_Ransomware_Horsedeal : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Horsedeal ransomware." author = "ReversingLabs" - id = "c722bc5b-756e-5d46-8530-e20ebb73737c" + id = "f720a697-a862-59a2-b7e8-59bdf6ee9269" date = "2020-10-01" modified = "2020-10-01" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Horsedeal.yara#L1-L106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fa8c425b08606399b5dc7673f3898e3dba7efb6a62e56db8f500cf5072bb590b" + logic_hash = "v1_sha256_fa8c425b08606399b5dc7673f3898e3dba7efb6a62e56db8f500cf5072bb590b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -30151,20 +30151,20 @@ rule REVERSINGLABS_Win32_Ransomware_Horsedeal : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($enum_resources) and ($search_processes) and ($find_files) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $enum_resources ) and ( $search_processes ) and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Gandcrab : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GandCrab ransomware." author = "ReversingLabs" - id = "a09ed7e6-f3a6-5f44-9d5b-a9c529cf1190" + id = "1c6a2318-4d84-53ab-8b9a-e15944627277" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GandCrab.yara#L1-L892" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "79381635681482fc90defe4e10e97bf16d534837518fc06ae579822e9d77b461" + logic_hash = "v1_sha256_79381635681482fc90defe4e10e97bf16d534837518fc06ae579822e9d77b461" score = 75 quality = 88 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31001,20 +31001,20 @@ rule REVERSINGLABS_Win32_Ransomware_Gandcrab : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and (($search_antivirus_processes and $find_files and $crypt_files and $remote_connection) or ($find_files_v2 and $crypt_files_v2 and $search_antivirus_processes_v2 and $remote_connection_v2) or ($search_antivirus_processes_v2 and $find_files_v2_1 and $crypt_files_v2_1 and $remote_connection_v2_1) or ($search_antivirus_processes_v4_1_2 and $find_files_v4_1_2 and $crypt_files_v4_1_2 and $remote_connection_v4_1_2 and $url_parameters_setup_v4_1_2) or ($search_antivirus_processes_v4 and $find_files_v4 and $crypt_files_v4 and $url_parameters_setup_v4) or ($search_antivirus_processes_v2 and $find_files_v2_1 and $remote_connection_v2_1 and $crypt_files_v3) or ($search_antivirus_processes_v5 and $find_files_v5 and $crypt_files_v5 and $remote_connection_v5 and $url_parameters_setup_v5) or ($search_antivirus_processes_v5_0_1 and $find_files_v5_0_1 and $crypt_files_v5_0_1 and $url_parameters_setup_v5_0_1 and $remote_connection_v5_0_1) or ($search_antivirus_processes_v5_0_2 and $find_files_v5_0_2 and $crypt_files_v5_0_2 and $set_url_parameters_v5_0_2 and $remote_connection_v5_0_2) or ($search_antivirus_processes_v5_0_2 and $find_files_v5_0_2 and $crypt_files_v5_0_3 and $set_url_parameters_v5_0_3 and $remote_connection_v5_0_3)) + uint16( 0 ) == 0x5A4D and ( ( $search_antivirus_processes and $find_files and $crypt_files and $remote_connection ) or ( $find_files_v2 and $crypt_files_v2 and $search_antivirus_processes_v2 and $remote_connection_v2 ) or ( $search_antivirus_processes_v2 and $find_files_v2_1 and $crypt_files_v2_1 and $remote_connection_v2_1 ) or ( $search_antivirus_processes_v4_1_2 and $find_files_v4_1_2 and $crypt_files_v4_1_2 and $remote_connection_v4_1_2 and $url_parameters_setup_v4_1_2 ) or ( $search_antivirus_processes_v4 and $find_files_v4 and $crypt_files_v4 and $url_parameters_setup_v4 ) or ( $search_antivirus_processes_v2 
and $find_files_v2_1 and $remote_connection_v2_1 and $crypt_files_v3 ) or ( $search_antivirus_processes_v5 and $find_files_v5 and $crypt_files_v5 and $remote_connection_v5 and $url_parameters_setup_v5 ) or ( $search_antivirus_processes_v5_0_1 and $find_files_v5_0_1 and $crypt_files_v5_0_1 and $url_parameters_setup_v5_0_1 and $remote_connection_v5_0_1 ) or ( $search_antivirus_processes_v5_0_2 and $find_files_v5_0_2 and $crypt_files_v5_0_2 and $set_url_parameters_v5_0_2 and $remote_connection_v5_0_2 ) or ( $search_antivirus_processes_v5_0_2 and $find_files_v5_0_2 and $crypt_files_v5_0_3 and $set_url_parameters_v5_0_3 and $remote_connection_v5_0_3 ) ) } rule REVERSINGLABS_Win32_Ransomware_Sifreli : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Sifreli ransomware." author = "ReversingLabs" - id = "974f81e2-6907-54da-97e3-3116c41b5ed4" + id = "ca2b2e89-8703-59c5-8365-fe9d438c0762" date = "2020-10-08" modified = "2020-10-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sifreli.yara#L1-L119" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "48f6cc678bea81afece0ae203fb27b61e2c6e4f7188a3bd260190f568c9a8a06" + logic_hash = "v1_sha256_48f6cc678bea81afece0ae203fb27b61e2c6e4f7188a3bd260190f568c9a8a06" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -31110,7 +31110,7 @@ rule REVERSINGLABS_Win32_Ransomware_Sifreli : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_*)) and ( all of ($remote_connection_p*)) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_* ) ) and ( all of ( $remote_connection_p* ) ) } import "pe" 
@@ -31119,13 +31119,13 @@ rule REVERSINGLABS_Win32_Ransomware_Petya : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Petya ransomware." author = "ReversingLabs" - id = "93d9fb33-88d1-50ec-bf99-1888201c0ec2" + id = "43994b48-374a-5d79-83c8-c3de6444d4ac" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Petya.yara#L3-L58" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d2adafcb21b627d614eab79e64e2b96ad09fae796d0670452a19490d8781ce99" + logic_hash = "v1_sha256_d2adafcb21b627d614eab79e64e2b96ad09fae796d0670452a19490d8781ce99" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31169,20 +31169,20 @@ rule REVERSINGLABS_Win32_Ransomware_Petya : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($entry_point at pe.entry_point) and $shutdown_pattern and $sectionxxxx_pattern and $crypt_gen_pattern + uint16( 0 ) == 0x5A4D and ( $entry_point at pe.entry_point ) and $shutdown_pattern and $sectionxxxx_pattern and $crypt_gen_pattern } rule REVERSINGLABS_Win32_Ransomware_Blitzkrieg : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Blitzkrieg ransomware." author = "ReversingLabs" - id = "078f7f9d-edd4-52b4-a30e-e968542da95c" + id = "80cb1024-622e-5a10-b14b-afbc3634e570" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara#L1-L127" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "22dd16c886a1982186fe927e633be9951da7d7e664e877e11fa976696b2bc86f" + logic_hash = "v1_sha256_22dd16c886a1982186fe927e633be9951da7d7e664e877e11fa976696b2bc86f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31286,20 +31286,20 @@ rule REVERSINGLABS_Win32_Ransomware_Blitzkrieg : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and (( all of ($disable_services_p*)) and ( all of ($search_files_p*)) and ($encrypt_files)) + uint16( 0 ) == 0x5A4D and ( ( all of ( $disable_services_p* ) ) and ( all of ( $search_files_p* ) ) and ( $encrypt_files ) ) } rule REVERSINGLABS_Win32_Ransomware_PXJ : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects PXJ ransomware." author = "ReversingLabs" - id = "c1549905-5b31-55c0-a275-0ab8133b3504" + id = "1a02dc4e-340e-5a77-8bdf-c9adc516d122" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.PXJ.yara#L1-L158" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e88d27dcd7ad3af459bd7e34fcc827822365441446b0e4e7bbec399c9a948cb7" + logic_hash = "v1_sha256_e88d27dcd7ad3af459bd7e34fcc827822365441446b0e4e7bbec399c9a948cb7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31434,20 +31434,20 @@ rule REVERSINGLABS_Win32_Ransomware_PXJ : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($delete_volumes_snapshots_p*)) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $delete_volumes_snapshots_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Gpgqwerty : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GPGQwerty ransomware." author = "ReversingLabs" - id = "8848e00a-a695-575b-a29d-fc9521859e12" + id = "6f9ee028-57a5-591b-8aea-4ac5e59941bc" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GPGQwerty.yara#L1-L83" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e59adadd66b4d242ac7337ce4b3c3ec6c60724f4cf5b86305f1e31b88745928c" + logic_hash = "v1_sha256_e59adadd66b4d242ac7337ce4b3c3ec6c60724f4cf5b86305f1e31b88745928c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31514,20 +31514,20 @@ rule REVERSINGLABS_Win32_Ransomware_Gpgqwerty : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Janelle : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Janelle ransomware." author = "ReversingLabs" - id = "4fef3be5-8332-5ce2-b1e9-3993e6963331" + id = "555fbf4b-0b65-5b54-8020-ab2f4b02e3f7" date = "2021-12-16" modified = "2021-12-16" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Janelle.yara#L1-L96" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "49f1eac82930606183ab9cf1d5c6c42534d58735876134793e9712e78eb5a4c7" + logic_hash = "v1_sha256_49f1eac82930606183ab9cf1d5c6c42534d58735876134793e9712e78eb5a4c7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31603,20 +31603,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Janelle : TC_DETECTION MALICIOUS MAL } condition: - uint16(0)==0x5A4D and ( all of ($setup_env_p*)) and ($find_files) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( all of ( $setup_env_p* ) ) and ( $find_files ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Zerocrypt : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects ZeroCrypt ransomware." author = "ReversingLabs" - id = "89e47d7f-1ac4-570d-8ae1-30f0acc21462" + id = "8a3f47dd-1f5c-54a4-8326-2c2387a357cf" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara#L1-L94" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "947925206ded187eac31c5046d75ab017869ae3f8dc906f2e5536d4db219f108" + logic_hash = "v1_sha256_947925206ded187eac31c5046d75ab017869ae3f8dc906f2e5536d4db219f108" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31700,20 +31700,20 @@ rule REVERSINGLABS_Win32_Ransomware_Zerocrypt : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and $encrypt_file_1 and $encrypt_file_2 and $encrypt_file_3 + uint16( 0 ) == 0x5A4D and $encrypt_file_1 and $encrypt_file_2 and $encrypt_file_3 } rule REVERSINGLABS_Win32_Ransomware_Zoldon : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Zoldon ransomware." author = "ReversingLabs" - id = "5d28e6f0-9d6b-54f4-81ed-aadb58352c80" + id = "50620a61-7c84-5473-b19c-a0afd811ed5b" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Zoldon.yara#L1-L107" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4821b8506e7ba00987978f2744da1c532e03d73f3275cb15e39cdf87f6018223" + logic_hash = "v1_sha256_4821b8506e7ba00987978f2744da1c532e03d73f3275cb15e39cdf87f6018223" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31799,20 +31799,20 @@ rule REVERSINGLABS_Win32_Ransomware_Zoldon : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($write_zoldon_regkey) and ( all of ($find_files_p*)) and ( all of ($main_encrypt_function_p*)) + uint16( 0 ) == 0x5A4D and ( $write_zoldon_regkey ) and ( all of ( $find_files_p* ) ) and ( all of ( $main_encrypt_function_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Loocipher : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects LooCipher ransomware." author = "ReversingLabs" - id = "b5aa2bd0-72b0-5013-a60e-9b4f1ee1de1f" + id = "821433b8-14bb-5ccb-a164-bffa78c1d2d1" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.LooCipher.yara#L1-L87" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "aa0598d63b5fad6aea0945a0aa2030d3d6e2cd9f1fea16f3dd17cdceb68323e3" + logic_hash = "v1_sha256_aa0598d63b5fad6aea0945a0aa2030d3d6e2cd9f1fea16f3dd17cdceb68323e3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31880,20 +31880,20 @@ rule REVERSINGLABS_Win32_Ransomware_Loocipher : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($find_files) and ($encrypt_files) and ($remote_connection) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( $encrypt_files ) and ( $remote_connection ) } rule REVERSINGLABS_Win32_Ransomware_Skystars : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Skystars ransomware." author = "ReversingLabs" - id = "9dc19bda-c5bd-58fb-8c4f-a7d8a6fbbce9" + id = "90529d44-8741-58f7-ac0d-0e54f22fb26d" date = "2020-11-20" modified = "2020-11-20" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Skystars.yara#L1-L97" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "352d22183b0974908ce684725fe85b4714ac5959c3bddf093b54383195881a5a" + logic_hash = "v1_sha256_352d22183b0974908ce684725fe85b4714ac5959c3bddf093b54383195881a5a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31970,20 +31970,20 @@ rule REVERSINGLABS_Win32_Ransomware_Skystars : TC_DETECTION MALICIOUS MALWARE FI } condition: - uint16(0)==0x5A4D and ($main_routine) and ( all of ($search_files_p*)) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $main_routine ) and ( all of ( $search_files_p* ) ) and ( $encrypt_files ) } rule REVERSINGLABS_Win32_Ransomware_Sigrun : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Sigrun ransomware." author = "ReversingLabs" - id = "fa627192-ed80-5115-a028-014f67f4571d" + id = "7d92db58-2e6d-53b1-902c-509d97b5912a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sigrun.yara#L1-L111" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ea29ec64cdfc0c714fe0acdce5878cb1302dd5aa916811121c644948ce275935" + logic_hash = "v1_sha256_ea29ec64cdfc0c714fe0acdce5878cb1302dd5aa916811121c644948ce275935" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32072,20 +32072,20 @@ rule REVERSINGLABS_Win32_Ransomware_Sigrun : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($enum_resources_*)) and ($find_files) and ( all of ($encrypt_files_*)) + uint16( 0 ) == 0x5A4D and ( all of ( $enum_resources_* ) ) and ( $find_files ) and ( all of ( $encrypt_files_* ) ) } rule REVERSINGLABS_Win32_Ransomware_Asn1Encoder : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects ASN1Encoder ransomware." author = "ReversingLabs" - id = "5fa361e5-4ab0-5856-92b2-6f434e33c350" + id = "85d76df8-15d9-5bdb-951a-d8b676b04480" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara#L1-L136" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "000fd846fa5f09af19ead4623bb5a8eb51cdb4c751013569bf070710d3e0d61d" + logic_hash = "v1_sha256_000fd846fa5f09af19ead4623bb5a8eb51cdb4c751013569bf070710d3e0d61d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32200,20 +32200,20 @@ rule REVERSINGLABS_Win32_Ransomware_Asn1Encoder : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($find_files and ( all of ($encrypt_files_p*)) and ( all of ($remote_connection_p*))) + uint16( 0 ) == 0x5A4D and ( $find_files and ( all of ( $encrypt_files_p* ) ) and ( all of ( $remote_connection_p* ) ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Mcburglar : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects McBurglar ransomware." author = "ReversingLabs" - id = "11816401-87c3-5aff-b161-da0fa4eb4bca" + id = "eddcf970-f4d2-5108-9c5a-68c1f2f53dd0" date = "2021-09-27" modified = "2021-09-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.McBurglar.yara#L1-L75" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "57fefcdc1528fc1c8da36a431cd09774e33ea08a394ac4f8d19a27504e72676d" + logic_hash = "v1_sha256_57fefcdc1528fc1c8da36a431cd09774e33ea08a394ac4f8d19a27504e72676d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32264,20 +32264,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Mcburglar : TC_DETECTION MALICIOUS M } condition: - uint16(0)==0x5A4D and ($setup_env) and ($find_files) and ($generate_salt) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $setup_env ) and ( $find_files ) and ( $generate_salt ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Win64_Ransomware_Cactus : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Cactus ransomware." author = "ReversingLabs" - id = "f391919a-b433-5f8d-8051-f0467118fa1b" + id = "232248f9-f977-551f-a622-6a3b2f41ca0f" date = "2023-12-15" modified = "2023-12-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Cactus.yara#L1-L190" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2953b67e926cb653df0de208b098da3d5c16e6690842ab28fbf8c37cd16f54d7" + logic_hash = "v1_sha256_2953b67e926cb653df0de208b098da3d5c16e6690842ab28fbf8c37cd16f54d7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32439,20 +32439,20 @@ rule REVERSINGLABS_Win64_Ransomware_Cactus : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) and ($check_processes) and ( all of ($kill_file_processes_p*)) + uint16( 0 ) == 0x5A4D and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) and ( $check_processes ) and ( all of ( $kill_file_processes_p* ) ) } rule REVERSINGLABS_Win32_Ransomware_Balaclava : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Balaclava ransomware." author = "ReversingLabs" - id = "1a17f2e8-f161-55bc-b44e-f8f47ebd9869" + id = "16ac2306-466b-531f-af08-ca4821a10051" date = "2020-10-01" modified = "2020-10-01" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Balaclava.yara#L1-L113" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "01b43e6ea7ceebdbdda7e1f7c5bd2439a460b8aed4a1837755fa3679e9893ff3" + logic_hash = "v1_sha256_01b43e6ea7ceebdbdda7e1f7c5bd2439a460b8aed4a1837755fa3679e9893ff3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32544,20 +32544,20 @@ rule REVERSINGLABS_Win32_Ransomware_Balaclava : TC_DETECTION MALICIOUS MALWARE F } condition: - uint16(0)==0x5A4D and ($find_volumes) and ( all of ($find_files_p*)) and ( all of ($encrypt_files_p*)) + uint16( 0 ) == 0x5A4D and ( $find_volumes ) and ( all of ( $find_files_p* ) ) and ( all of ( $encrypt_files_p* ) ) } rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Dusk : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Dusk ransomware." author = "ReversingLabs" - id = "cde30f40-f13c-53da-8656-cc293433aa36" + id = "749bbb5f-4702-5696-8bd1-088e15261e90" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Dusk.yara#L1-L73" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b6b0b3be7c17115dc5f225a13228f8a4811d84ae095c3ceba2d89f569f2d40c7" + logic_hash = "v1_sha256_b6b0b3be7c17115dc5f225a13228f8a4811d84ae095c3ceba2d89f569f2d40c7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32610,20 +32610,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Dusk : TC_DETECTION MALICIOUS MALWAR } condition: - uint16(0)==0x5A4D and ($find_files) and ( all of ($encrypt_files_p*)) and ($dusk_delete_itself) + uint16( 0 ) == 0x5A4D and ( $find_files ) and ( all of ( $encrypt_files_p* ) ) and ( $dusk_delete_itself ) } rule REVERSINGLABS_Win32_Ransomware_Avoslocker : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects AvosLocker ransomware." author = "ReversingLabs" - id = "a803283d-6424-5a64-89e6-c73a3322ba1e" + id = "201b3e77-4989-5b00-a5e8-8d5ede6b7f13" date = "2021-10-22" modified = "2021-10-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.AvosLocker.yara#L1-L108" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4d81b801a95a54a35989c4a985d92578971568d1412f625bca911d0fa1eee1fe" + logic_hash = "v1_sha256_4d81b801a95a54a35989c4a985d92578971568d1412f625bca911d0fa1eee1fe" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -32708,7 +32708,7 @@ rule REVERSINGLABS_Win32_Ransomware_Avoslocker : TC_DETECTION MALICIOUS MALWARE } condition: - uint16(0)==0x5A4D and ($enum_resources) and ($find_files) and ($import_key) and ($encrypt_files) + uint16( 0 ) == 0x5A4D and ( $enum_resources ) and ( $find_files ) and ( $import_key ) and ( $encrypt_files ) } import "pe" 
@@ -32717,13 +32717,13 @@ rule REVERSINGLABS_Cert_Blocklist_05E2E6A4Cd09Ea54D665B075Fe22A256 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "824c6b2f-081a-5f38-b949-d802f59e6ced" + id = "74e54dc0-a87e-504b-8b84-b9c5250d5460" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L27-L43" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "43da21d9c7ae9bfcc7fe4ee69f9d46cbce1954785d56c1d424b36deb8afe592e" + logic_hash = "v1_sha256_43da21d9c7ae9bfcc7fe4ee69f9d46cbce1954785d56c1d424b36deb8afe592e" score = 75 quality = 90 tags = "INFO, FILE" @@ -32733,7 +32733,7 @@ rule REVERSINGLABS_Cert_Blocklist_05E2E6A4Cd09Ea54D665B075Fe22A256 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "*.google.com" and pe.signatures[i].serial=="05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "*.google.com" and pe.signatures [ i ] . serial == "05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32742,13 +32742,13 @@ rule REVERSINGLABS_Cert_Blocklist_77019A082385E4B73F569569C9F87Bb8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4046a31b-d7c8-5c63-b5b2-2179b0817b03" + id = "4c18a7c7-23b4-5dcb-8afa-f6005be9510e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L45-L61" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8613986005bdd30d92e633fa2058be5c43f1c530b9dc6d80ec953f12f6d66ce7" + logic_hash = "v1_sha256_8613986005bdd30d92e633fa2058be5c43f1c530b9dc6d80ec953f12f6d66ce7" score = 75 quality = 90 tags = "INFO, FILE" @@ -32758,7 +32758,7 @@ rule REVERSINGLABS_Cert_Blocklist_77019A082385E4B73F569569C9F87Bb8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AND LLC" and pe.signatures[i].serial=="77:01:9a:08:23:85:e4:b7:3f:56:95:69:c9:f8:7b:b8" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AND LLC" and pe.signatures [ i ] . serial == "77:01:9a:08:23:85:e4:b7:3f:56:95:69:c9:f8:7b:b8" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32767,13 +32767,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F2Ef29Ca5F96E5777B82C62F34Fd3A6 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "6cfb6ae0-8eba-503b-8bb7-ac72746d9aa2" + id = "3affd4a4-b6e1-50ee-8412-50d98c4e6a93" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L63-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e8f27c4a72f416a16acabb1de606fdde7dc694256809fdb952a25313dda0d34e" + logic_hash = "v1_sha256_e8f27c4a72f416a16acabb1de606fdde7dc694256809fdb952a25313dda0d34e" score = 75 quality = 90 tags = "INFO, FILE" @@ -32783,7 +32783,7 @@ rule REVERSINGLABS_Cert_Blocklist_4F2Ef29Ca5F96E5777B82C62F34Fd3A6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Bit9, Inc" and pe.signatures[i].serial=="4f:2e:f2:9c:a5:f9:6e:57:77:b8:2c:62:f3:4f:d3:a6" and 1342051200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Bit9, Inc" and pe.signatures [ i ] . serial == "4f:2e:f2:9c:a5:f9:6e:57:77:b8:2c:62:f3:4f:d3:a6" and 1342051200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32792,13 +32792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Cc1Db2Ad0A290A4Bfe7A5F336D6800C : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "89bc7c99-dea2-50ce-a0d2-4292c14d049e" + id = "11e119de-9832-5370-9198-fa9162a490eb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L81-L97" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c9f91edb525a02041bc20dff25ec58323f8fabd4d2a2eca63238ecb10ccef2a6" + logic_hash = "v1_sha256_c9f91edb525a02041bc20dff25ec58323f8fabd4d2a2eca63238ecb10ccef2a6" score = 75 quality = 90 tags = "INFO, FILE" @@ -32808,7 +32808,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Cc1Db2Ad0A290A4Bfe7A5F336D6800C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Bit9, Inc" and pe.signatures[i].serial=="7c:c1:db:2a:d0:a2:90:a4:bf:e7:a5:f3:36:d6:80:0c" and 1342051200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Bit9, Inc" and pe.signatures [ i ] . serial == "7c:c1:db:2a:d0:a2:90:a4:bf:e7:a5:f3:36:d6:80:0c" and 1342051200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32817,13 +32817,13 @@ rule REVERSINGLABS_Cert_Blocklist_13C8351Aece71C731158980F575F4133 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b6a1eb97-f0da-571e-951c-57f49cf62057" + id = "aa38231a-6f8f-5b0c-b903-bd6c9e6e4af5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L99-L115" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f96723845adc8030b72c119311103d5c2cf136e79de226d31141d8b925ce8e75" + logic_hash = "v1_sha256_f96723845adc8030b72c119311103d5c2cf136e79de226d31141d8b925ce8e75" score = 75 quality = 90 tags = "INFO, FILE" @@ -32833,7 +32833,7 @@ rule REVERSINGLABS_Cert_Blocklist_13C8351Aece71C731158980F575F4133 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Opera Software ASA" and pe.signatures[i].serial=="13:c8:35:1a:ec:e7:1c:73:11:58:98:0f:57:5f:41:33" and 1371513600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Opera Software ASA" and pe.signatures [ i ] . serial == "13:c8:35:1a:ec:e7:1c:73:11:58:98:0f:57:5f:41:33" and 1371513600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32842,13 +32842,13 @@ rule REVERSINGLABS_Cert_Blocklist_4531954F6265304055F66Ce4F624F95B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "da1aaa4c-ac71-5c4c-b663-3d1b57d69040" + id = "b4f36de6-9443-5726-a866-80089e115f46" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L117-L133" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "58d3a2a5e3f6730f329bddb171ad6332794fa95848825b892c3b8324f503ae89" + logic_hash = "v1_sha256_58d3a2a5e3f6730f329bddb171ad6332794fa95848825b892c3b8324f503ae89" score = 75 quality = 90 tags = "INFO, FILE" @@ -32858,7 +32858,7 @@ rule REVERSINGLABS_Cert_Blocklist_4531954F6265304055F66Ce4F624F95B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "IDAutomation.com" and pe.signatures[i].serial=="45:31:95:4f:62:65:30:40:55:f6:6c:e4:f6:24:f9:5b" and 1384819199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "IDAutomation.com" and pe.signatures [ i ] . serial == "45:31:95:4f:62:65:30:40:55:f6:6c:e4:f6:24:f9:5b" and 1384819199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32867,13 +32867,13 @@ rule REVERSINGLABS_Cert_Blocklist_0E808F231515Bc519Eea1A73Cdf3266F : INFO FILE meta: description = "Certificate used for digitally signing Careto malware." author = "ReversingLabs" - id = "1f1eb5c2-bfef-58df-b51e-c558d87cd5d2" + id = "374ab19a-66be-5467-ad4a-eb084c1ab343" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L135-L151" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "05e466e304ed7a8f5c1c93aac4a4b7019d6fb1e07aeb45d078b657f838d1f3bd" + logic_hash = "v1_sha256_05e466e304ed7a8f5c1c93aac4a4b7019d6fb1e07aeb45d078b657f838d1f3bd" score = 75 quality = 90 tags = "INFO, FILE" @@ -32883,7 +32883,7 @@ rule REVERSINGLABS_Cert_Blocklist_0E808F231515Bc519Eea1A73Cdf3266F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TecSystem Ltd." and pe.signatures[i].serial=="0e:80:8f:23:15:15:bc:51:9e:ea:1a:73:cd:f3:26:6f" and 1468799999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TecSystem Ltd." and pe.signatures [ i ] . serial == "0e:80:8f:23:15:15:bc:51:9e:ea:1a:73:cd:f3:26:6f" and 1468799999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32892,13 +32892,13 @@ rule REVERSINGLABS_Cert_Blocklist_36Be4Ad457F062Fa77D87595B8Ccc8Cf : INFO FILE meta: description = "Certificate used for digitally signing Careto malware." author = "ReversingLabs" - id = "224ec8ed-e4f0-5d1b-8cdd-a669a7e3e859" + id = "b256c13b-c6ad-50f2-a785-717e3be04b61" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L153-L169" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d19a6f22a1e702a4da69c867195722adf8f1dd84539f2c584af428fe4b1caf79" + logic_hash = "v1_sha256_d19a6f22a1e702a4da69c867195722adf8f1dd84539f2c584af428fe4b1caf79" score = 75 quality = 90 tags = "INFO, FILE" @@ -32908,7 +32908,7 @@ rule REVERSINGLABS_Cert_Blocklist_36Be4Ad457F062Fa77D87595B8Ccc8Cf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TecSystem Ltd." and pe.signatures[i].serial=="36:be:4a:d4:57:f0:62:fa:77:d8:75:95:b8:cc:c8:cf" and 1372377599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TecSystem Ltd." and pe.signatures [ i ] . serial == "36:be:4a:d4:57:f0:62:fa:77:d8:75:95:b8:cc:c8:cf" and 1372377599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32917,13 +32917,13 @@ rule REVERSINGLABS_Cert_Blocklist_75A38507Bf403B152125B8F5Ce1B97Ad : INFO FILE meta: description = "Certificate used for digitally signing Zeus malware." author = "ReversingLabs" - id = "6805abd8-217e-5179-ab5a-297e2a17e65e" + id = "16f81122-d09c-505c-982a-40c994160ab6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L171-L187" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "af21cee3ee92268c3aa0106a245e5a00c5ba892fca3e4fd2dc55e302ed5d470a" + logic_hash = "v1_sha256_af21cee3ee92268c3aa0106a245e5a00c5ba892fca3e4fd2dc55e302ed5d470a" score = 75 quality = 90 tags = "INFO, FILE" @@ -32933,7 +32933,7 @@ rule REVERSINGLABS_Cert_Blocklist_75A38507Bf403B152125B8F5Ce1B97Ad : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "isonet ag" and pe.signatures[i].serial=="75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad" and 1395359999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "isonet ag" and pe.signatures [ i ] . serial == "75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad" and 1395359999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32942,13 +32942,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Effa8B216E24B16202940C1Bc2Fa8A5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "541a169e-a263-5901-9d8e-768306b8b8ba" + id = "294f1385-486e-5485-a706-20cac8669695" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L189-L205" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b5282fc85bbbee50c5307fff923e9e477fed8c011288e2ebd61c4b3ee801bc62" + logic_hash = "v1_sha256_b5282fc85bbbee50c5307fff923e9e477fed8c011288e2ebd61c4b3ee801bc62" score = 75 quality = 90 tags = "INFO, FILE" @@ -32958,7 +32958,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Effa8B216E24B16202940C1Bc2Fa8A5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Henan Maijiamai Technology Co., Ltd." and pe.signatures[i].serial=="4e:ff:a8:b2:16:e2:4b:16:20:29:40:c1:bc:2f:a8:a5" and 1404691199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Henan Maijiamai Technology Co., Ltd." and pe.signatures [ i ] . serial == "4e:ff:a8:b2:16:e2:4b:16:20:29:40:c1:bc:2f:a8:a5" and 1404691199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32967,13 +32967,13 @@ rule REVERSINGLABS_Cert_Blocklist_57D7153A89Bbf4729Be87F3C927043Aa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9b778a20-8a0c-5c9f-8cc3-9e5054713e13" + id = "fabbf43e-6750-57ad-9245-3d69db57235c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L207-L223" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a8de7951bd25c8a9346ef341d8bf9c9147f9fa6913e952be40fb43d3d7a370c1" + logic_hash = "v1_sha256_a8de7951bd25c8a9346ef341d8bf9c9147f9fa6913e952be40fb43d3d7a370c1" score = 75 quality = 90 tags = "INFO, FILE" @@ -32983,7 +32983,7 @@ rule REVERSINGLABS_Cert_Blocklist_57D7153A89Bbf4729Be87F3C927043Aa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, zhenganjun" and pe.signatures[i].serial=="57:d7:15:3a:89:bb:f4:72:9b:e8:7f:3c:92:70:43:aa" and 1469059200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, zhenganjun" and pe.signatures [ i ] . serial == "57:d7:15:3a:89:bb:f4:72:9b:e8:7f:3c:92:70:43:aa" and 1469059200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -32992,13 +32992,13 @@ rule REVERSINGLABS_Cert_Blocklist_028E1Deccf93D38Ecf396118Dfe908B4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6dfb0181-299f-5a28-b647-137d75f747a6" + id = "e43c15c5-be2c-544a-b400-503e4c4122cc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L225-L241" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b07c797652ef19c7e0b23c3eddbbbf2700160d743d71a0005b950160474638d8" + logic_hash = "v1_sha256_b07c797652ef19c7e0b23c3eddbbbf2700160d743d71a0005b950160474638d8" score = 75 quality = 90 tags = "INFO, FILE" @@ -33008,7 +33008,7 @@ rule REVERSINGLABS_Cert_Blocklist_028E1Deccf93D38Ecf396118Dfe908B4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Fortuna Games Co., Ltd." and pe.signatures[i].serial=="02:8e:1d:ec:cf:93:d3:8e:cf:39:61:18:df:e9:08:b4" and 1392163199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Fortuna Games Co., Ltd." and pe.signatures [ i ] . serial == "02:8e:1d:ec:cf:93:d3:8e:cf:39:61:18:df:e9:08:b4" and 1392163199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33017,13 +33017,13 @@ rule REVERSINGLABS_Cert_Blocklist_40575Df73Eaa1B6140C7Ef62C08Bf216 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6a6e6320-8e01-5ec7-8119-3e90f1eacc4e" + id = "bb03fea5-e0c2-523b-9072-119c08b1c836" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L243-L259" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7da8e98f38413e5cbb18e3c7771c530afb766dd9fbeb8fdd2264617aff24f920" + logic_hash = "v1_sha256_7da8e98f38413e5cbb18e3c7771c530afb766dd9fbeb8fdd2264617aff24f920" score = 75 quality = 90 tags = "INFO, FILE" @@ -33033,7 +33033,7 @@ rule REVERSINGLABS_Cert_Blocklist_40575Df73Eaa1B6140C7Ef62C08Bf216 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Dali Feifang Tech Co.,LTD." and pe.signatures[i].serial=="40:57:5d:f7:3e:aa:1b:61:40:c7:ef:62:c0:8b:f2:16" and 1394063999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Dali Feifang Tech Co.,LTD." and pe.signatures [ i ] . serial == "40:57:5d:f7:3e:aa:1b:61:40:c7:ef:62:c0:8b:f2:16" and 1394063999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33042,13 +33042,13 @@ rule REVERSINGLABS_Cert_Blocklist_049Ce8C47F1F0E650Cb086F0Cfa7Ca53 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aebba591-2024-584a-bba6-9a27049cf4b8" + id = "6622f335-30b2-57ad-b141-af3eb2a942a3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L261-L277" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9ae4a236e1252afc1db6fae4e388a53ebde7e724cc07c213d4bfc176cf0a0096" + logic_hash = "v1_sha256_9ae4a236e1252afc1db6fae4e388a53ebde7e724cc07c213d4bfc176cf0a0096" score = 75 quality = 90 tags = "INFO, FILE" @@ -33058,7 +33058,7 @@ rule REVERSINGLABS_Cert_Blocklist_049Ce8C47F1F0E650Cb086F0Cfa7Ca53 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Select'Assistance Pro" and pe.signatures[i].serial=="04:9c:e8:c4:7f:1f:0e:65:0c:b0:86:f0:cf:a7:ca:53" and 1393804799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Select'Assistance Pro" and pe.signatures [ i ] . serial == "04:9c:e8:c4:7f:1f:0e:65:0c:b0:86:f0:cf:a7:ca:53" and 1393804799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33067,13 +33067,13 @@ rule REVERSINGLABS_Cert_Blocklist_29F42680E653Cf8Fafd0E935553F7E86 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f616e92c-ed9f-581c-aa15-970bddfb073a" + id = "dd513a20-68ca-5a36-9e7e-fc15495c47c0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L279-L295" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6c726e4c2933a6472d256a18ea5265660ff035d05036ab9cae3409ab5a7c7598" + logic_hash = "v1_sha256_6c726e4c2933a6472d256a18ea5265660ff035d05036ab9cae3409ab5a7c7598" score = 75 quality = 90 tags = "INFO, FILE" @@ -33083,7 +33083,7 @@ rule REVERSINGLABS_Cert_Blocklist_29F42680E653Cf8Fafd0E935553F7E86 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Wemade Entertainment co.,Ltd" and pe.signatures[i].serial=="29:f4:26:80:e6:53:cf:8f:af:d0:e9:35:55:3f:7e:86" and 1390175999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Wemade Entertainment co.,Ltd" and pe.signatures [ i ] . serial == "29:f4:26:80:e6:53:cf:8f:af:d0:e9:35:55:3f:7e:86" and 1390175999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33092,13 +33092,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C15 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4a7a5404-1a20-53a7-9670-6f5215582c9d" + id = "0ca07a33-8f75-543d-8c28-870e32f67295" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L297-L313" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1ee88813270dddeeedd90edbce9be2ce74303a6799ee64b0e9bfaea7377d3b2d" + logic_hash = "v1_sha256_1ee88813270dddeeedd90edbce9be2ce74303a6799ee64b0e9bfaea7377d3b2d" score = 75 quality = 90 tags = "INFO, FILE" @@ -33108,7 +33108,7 @@ rule REVERSINGLABS_Cert_Blocklist_0C15 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "William Richard John" and pe.signatures[i].serial=="0c:15" and 1387324799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "William Richard John" and pe.signatures [ i ] . serial == "0c:15" and 1387324799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33117,13 +33117,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C0F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "919a62ba-2902-5088-ad92-9f1bae23e68f" + id = "06caf6bc-a9a4-5f11-9d39-3adae6e38d55" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L315-L331" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0f8fda07dc362b7e04892446f1abe1e5f5717ee715824a2c1f6550096c366701" + logic_hash = "v1_sha256_0f8fda07dc362b7e04892446f1abe1e5f5717ee715824a2c1f6550096c366701" score = 75 quality = 90 tags = "INFO, FILE" @@ -33133,7 +33133,7 @@ rule REVERSINGLABS_Cert_Blocklist_0C0F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Dmitry Vasilev" and pe.signatures[i].serial=="0c:0f" and 1386719999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Dmitry Vasilev" and pe.signatures [ i ] . serial == "0c:0f" and 1386719999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33142,13 +33142,13 @@ rule REVERSINGLABS_Cert_Blocklist_06A164Ec5978497741Ee6Cec9966871B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6c73206d-3d5c-5540-a2e1-d00138d7e1b5" + id = "8962c47c-53b4-5050-9e03-6e90d2b0f143" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L333-L349" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8a27015d94a3bd8543a8ca9202831ffc9c9e65f61bf26ed6825c3e746b6af0d4" + logic_hash = "v1_sha256_8a27015d94a3bd8543a8ca9202831ffc9c9e65f61bf26ed6825c3e746b6af0d4" score = 75 quality = 90 tags = "INFO, FILE" @@ -33158,7 +33158,7 @@ rule REVERSINGLABS_Cert_Blocklist_06A164Ec5978497741Ee6Cec9966871B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "JOHN WILLIAM RICHARD" and pe.signatures[i].serial=="06:a1:64:ec:59:78:49:77:41:ee:6c:ec:99:66:87:1b" and 1385596799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "JOHN WILLIAM RICHARD" and pe.signatures [ i ] . serial == "06:a1:64:ec:59:78:49:77:41:ee:6c:ec:99:66:87:1b" and 1385596799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33167,13 +33167,13 @@ rule REVERSINGLABS_Cert_Blocklist_1121Ed568764E75Be35574448Feadefcd3Bc : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "44fa007f-f5f7-5001-8b92-eb4a657ea756" + id = "a6fc788c-bbdc-5c78-8234-0ea986aa3be5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L351-L367" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3316a2536920c5aa9dd627cec7678e6fe33c722b4830dd740009c20dd013c9ab" + logic_hash = "v1_sha256_3316a2536920c5aa9dd627cec7678e6fe33c722b4830dd740009c20dd013c9ab" score = 75 quality = 90 tags = "INFO, FILE" @@ -33183,7 +33183,7 @@ rule REVERSINGLABS_Cert_Blocklist_1121Ed568764E75Be35574448Feadefcd3Bc : INFO FI importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FRINORTE COMERCIO DE PECAS E SERVICOS LTDA - ME" and pe.signatures[i].serial=="11:21:ed:56:87:64:e7:5b:e3:55:74:44:8f:ea:de:fc:d3:bc" and 1385337599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FRINORTE COMERCIO DE PECAS E SERVICOS LTDA - ME" and pe.signatures [ i ] . serial == "11:21:ed:56:87:64:e7:5b:e3:55:74:44:8f:ea:de:fc:d3:bc" and 1385337599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33192,13 +33192,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Ed2450Ceac0F72E73Fda1727E66E654 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c19ddbde-eec0-5ebb-8f11-1e7dcb489bc8" + id = "d7c40af6-ece5-5c1a-8ec0-e34a0dbb31ee" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L369-L385" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0e5af7795c825367d441c8abc2aa835fa83083eb8ee1f723c7d2dacff1ca88ff" + logic_hash = "v1_sha256_0e5af7795c825367d441c8abc2aa835fa83083eb8ee1f723c7d2dacff1ca88ff" score = 75 quality = 90 tags = "INFO, FILE" @@ -33208,7 +33208,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Ed2450Ceac0F72E73Fda1727E66E654 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Hohhot Handing Trade and Business Co., Ltd." and pe.signatures[i].serial=="6e:d2:45:0c:ea:c0:f7:2e:73:fd:a1:72:7e:66:e6:54" and 1376092799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Hohhot Handing Trade and Business Co., Ltd." and pe.signatures [ i ] . serial == "6e:d2:45:0c:ea:c0:f7:2e:73:fd:a1:72:7e:66:e6:54" and 1376092799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33217,13 +33217,13 @@ rule REVERSINGLABS_Cert_Blocklist_32665079C5A5854A6833623Ca77Ff5Ac : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7078e95f-8bbe-5446-b9cb-c079f8448cb1" + id = "3d98324d-4605-5613-995a-ba53c4b4deea" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L387-L403" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6b734ca733c5fbadcb490ffd4c19c951e0fc17dd9b660eca948b126038c42cdb" + logic_hash = "v1_sha256_6b734ca733c5fbadcb490ffd4c19c951e0fc17dd9b660eca948b126038c42cdb" score = 75 quality = 90 tags = "INFO, FILE" @@ -33233,7 +33233,7 @@ rule REVERSINGLABS_Cert_Blocklist_32665079C5A5854A6833623Ca77Ff5Ac : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ohanae" and pe.signatures[i].serial=="32:66:50:79:c5:a5:85:4a:68:33:62:3c:a7:7f:f5:ac" and 1381967999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ohanae" and pe.signatures [ i ] . serial == "32:66:50:79:c5:a5:85:4a:68:33:62:3c:a7:7f:f5:ac" and 1381967999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33242,13 +33242,13 @@ rule REVERSINGLABS_Cert_Blocklist_01A90094C83412C00Cf98Dd2Eb0D7042 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e5059974-9ea2-5497-a728-c21a6cdd30e4" + id = "6d2c33f9-4b0b-5eea-b866-ffce6b67b1aa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L405-L421" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5a3de0e6de5cda39e40988f9e2324cbee3e059aff5ceaf7fd819de8bf7215808" + logic_hash = "v1_sha256_5a3de0e6de5cda39e40988f9e2324cbee3e059aff5ceaf7fd819de8bf7215808" score = 75 quality = 90 tags = "INFO, FILE" @@ -33258,7 +33258,7 @@ rule REVERSINGLABS_Cert_Blocklist_01A90094C83412C00Cf98Dd2Eb0D7042 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FreeVox SA" and pe.signatures[i].serial=="01:a9:00:94:c8:34:12:c0:0c:f9:8d:d2:eb:0d:70:42" and 1376956799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FreeVox SA" and pe.signatures [ i ] . serial == "01:a9:00:94:c8:34:12:c0:0c:f9:8d:d2:eb:0d:70:42" and 1376956799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33267,13 +33267,13 @@ rule REVERSINGLABS_Cert_Blocklist_55Efe24B9674855Baf16E67716479C71 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c1a4102e-ce78-5a4d-95ea-b9e394df0c28" + id = "d1074848-c9a1-5400-a6b2-459b92679b1c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L423-L439" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2cf7a76ae3c3a698564013ff545c74d0319face5aa19416c93bf10f45f84f8c9" + logic_hash = "v1_sha256_2cf7a76ae3c3a698564013ff545c74d0319face5aa19416c93bf10f45f84f8c9" score = 75 quality = 90 tags = "INFO, FILE" @@ -33283,7 +33283,7 @@ rule REVERSINGLABS_Cert_Blocklist_55Efe24B9674855Baf16E67716479C71 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "S2BVISIO BELGIQUE SA" and pe.signatures[i].serial=="55:ef:e2:4b:96:74:85:5b:af:16:e6:77:16:47:9c:71" and 1374451199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "S2BVISIO BELGIQUE SA" and pe.signatures [ i ] . serial == "55:ef:e2:4b:96:74:85:5b:af:16:e6:77:16:47:9c:71" and 1374451199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33292,13 +33292,13 @@ rule REVERSINGLABS_Cert_Blocklist_094Bf19D509D3074913995160B195B6C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8241e2c6-e4e7-581c-b759-6314d2e28a4d" + id = "c306f52d-270c-5ccf-a430-d792f804b7b8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L441-L457" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3c1ed012716f36876d9375838befb9821b87cafc6aca57a0f18392f80f5ba325" + logic_hash = "v1_sha256_3c1ed012716f36876d9375838befb9821b87cafc6aca57a0f18392f80f5ba325" score = 75 quality = 90 tags = "INFO, FILE" @@ -33308,7 +33308,7 @@ rule REVERSINGLABS_Cert_Blocklist_094Bf19D509D3074913995160B195B6C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Porral Twinware S.L.L." and pe.signatures[i].serial=="09:4b:f1:9d:50:9d:30:74:91:39:95:16:0b:19:5b:6c" and 1373241599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Porral Twinware S.L.L." and pe.signatures [ i ] . serial == "09:4b:f1:9d:50:9d:30:74:91:39:95:16:0b:19:5b:6c" and 1373241599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33317,13 +33317,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A77Cf3Ba49B64E6Cbe5Fb4A6A6Aacc6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4fb06917-ccbd-514c-a936-e337c31c6e65" + id = "6bae9d83-fffc-53c1-b61a-4cb97a5216d3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L459-L475" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3bebc4a36b57526505167d8f075d468e4775d66c81ce08644c506d9be94efba0" + logic_hash = "v1_sha256_3bebc4a36b57526505167d8f075d468e4775d66c81ce08644c506d9be94efba0" score = 75 quality = 90 tags = "INFO, FILE" @@ -33333,7 +33333,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A77Cf3Ba49B64E6Cbe5Fb4A6A6Aacc6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "I.ST.SAN. Srl" and pe.signatures[i].serial=="0a:77:cf:3b:a4:9b:64:e6:cb:e5:fb:4a:6a:6a:ac:c6" and 1371081599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "I.ST.SAN. Srl" and pe.signatures [ i ] . serial == "0a:77:cf:3b:a4:9b:64:e6:cb:e5:fb:4a:6a:6a:ac:c6" and 1371081599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33342,13 +33342,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F4C22Da1107D20C1Eda04569D58E573 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4ff75d18-926e-51aa-8e1c-b9699669bbd0" + id = "68bcabbb-8ad3-549c-b4f0-11089f66addf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L477-L493" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fe19c4b21c3b70ec571461ca6d9c370a971c01f2d68e3c3916aa1fa0f13b20f8" + logic_hash = "v1_sha256_fe19c4b21c3b70ec571461ca6d9c370a971c01f2d68e3c3916aa1fa0f13b20f8" score = 75 quality = 90 tags = "INFO, FILE" @@ -33358,7 +33358,7 @@ rule REVERSINGLABS_Cert_Blocklist_1F4C22Da1107D20C1Eda04569D58E573 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PlanView, Inc." and pe.signatures[i].serial=="1f:4c:22:da:11:07:d2:0c:1e:da:04:56:9d:58:e5:73" and 1366156799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PlanView, Inc." and pe.signatures [ i ] . serial == "1f:4c:22:da:11:07:d2:0c:1e:da:04:56:9d:58:e5:73" and 1366156799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33367,13 +33367,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Fe68D48634893D18De040D8F1C289D2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "40aed582-2960-5b42-acde-7350a2595b4b" + id = "49ec12c2-7573-5695-8669-207c77c1893d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L495-L511" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "41feebc8800a084ac369b5c5721b1362d371bd503b67823986bad2839157a4b0" + logic_hash = "v1_sha256_41feebc8800a084ac369b5c5721b1362d371bd503b67823986bad2839157a4b0" score = 75 quality = 90 tags = "INFO, FILE" @@ -33383,7 +33383,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Fe68D48634893D18De040D8F1C289D2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xinghua Yile Network Tech Co.,Ltd." and pe.signatures[i].serial=="4f:e6:8d:48:63:48:93:d1:8d:e0:40:d8:f1:c2:89:d2" and 1371081600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xinghua Yile Network Tech Co.,Ltd." and pe.signatures [ i ] . serial == "4f:e6:8d:48:63:48:93:d1:8d:e0:40:d8:f1:c2:89:d2" and 1371081600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33392,13 +33392,13 @@ rule REVERSINGLABS_Cert_Blocklist_6767Def972D6Ea702D8C8A53Af1832D3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c60497b4-5abe-52b0-aac9-88953ea6cdf1" + id = "df69d46c-a443-5e33-b261-e1389f2eb03c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L513-L529" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "aa7f997449b4b8dcf488cfb7f45ee98ca540d39fb861f5b01ff4bb4aa1875b72" + logic_hash = "v1_sha256_aa7f997449b4b8dcf488cfb7f45ee98ca540d39fb861f5b01ff4bb4aa1875b72" score = 75 quality = 90 tags = "INFO, FILE" @@ -33408,7 +33408,7 @@ rule REVERSINGLABS_Cert_Blocklist_6767Def972D6Ea702D8C8A53Af1832D3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Guangzhou typical corner Network Technology Co., Ltd." and pe.signatures[i].serial=="67:67:de:f9:72:d6:ea:70:2d:8c:8a:53:af:18:32:d3" and 1361750400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Guangzhou typical corner Network Technology Co., Ltd." and pe.signatures [ i ] . serial == "67:67:de:f9:72:d6:ea:70:2d:8c:8a:53:af:18:32:d3" and 1361750400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33417,13 +33417,13 @@ rule REVERSINGLABS_Cert_Blocklist_06477E3425F1448995Ced539789E6842 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "21da6056-bf4e-5fc4-bef5-37010ebe8f05" + id = "55acdab2-95ad-542e-9abb-aeeed6bc1715" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L531-L547" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c0bc7808bb6bcc8273a887203c1b47d1a49fcb7719863e6bc97b5c7404a254f7" + logic_hash = "v1_sha256_c0bc7808bb6bcc8273a887203c1b47d1a49fcb7719863e6bc97b5c7404a254f7" score = 75 quality = 90 tags = "INFO, FILE" @@ -33433,7 +33433,7 @@ rule REVERSINGLABS_Cert_Blocklist_06477E3425F1448995Ced539789E6842 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Karim Lammali" and pe.signatures[i].serial=="06:47:7e:34:25:f1:44:89:95:ce:d5:39:78:9e:68:42" and 1334275199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Karim Lammali" and pe.signatures [ i ] . serial == "06:47:7e:34:25:f1:44:89:95:ce:d5:39:78:9e:68:42" and 1334275199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33442,13 +33442,13 @@ rule REVERSINGLABS_Cert_Blocklist_0450A7C1C36951Da09C8Ad0E7F716Ff2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b4a56bbe-f2ba-52df-832d-35b92ab73683" + id = "b29f9623-4cbb-5900-90d7-a76db41d20a5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L549-L565" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cb594607ceef1b8d79145ad3905fb2c38d2ed3f3e6c8a0a793fc2dc9d0a21855" + logic_hash = "v1_sha256_cb594607ceef1b8d79145ad3905fb2c38d2ed3f3e6c8a0a793fc2dc9d0a21855" score = 75 quality = 90 tags = "INFO, FILE" @@ -33458,7 +33458,7 @@ rule REVERSINGLABS_Cert_Blocklist_0450A7C1C36951Da09C8Ad0E7F716Ff2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PS Partnership" and pe.signatures[i].serial=="04:50:a7:c1:c3:69:51:da:09:c8:ad:0e:7f:71:6f:f2" and 1362182399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PS Partnership" and pe.signatures [ i ] . serial == "04:50:a7:c1:c3:69:51:da:09:c8:ad:0e:7f:71:6f:f2" and 1362182399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33467,13 +33467,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F9Fbdab9B39645Cf3211F87Abb5Ddb7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ad24d2e9-ae3d-5fae-b58d-965bd1de2a99" + id = "9898f0b7-5f4b-51aa-8d4d-0efe3bb91b70" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L567-L583" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ba5885c7769b5ead261815880033b0df50dc4f7684fdb37398ab01bfebda0e37" + logic_hash = "v1_sha256_ba5885c7769b5ead261815880033b0df50dc4f7684fdb37398ab01bfebda0e37" score = 75 quality = 90 tags = "INFO, FILE" @@ -33483,7 +33483,7 @@ rule REVERSINGLABS_Cert_Blocklist_0F9Fbdab9B39645Cf3211F87Abb5Ddb7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "The Motivo Group, Inc." and pe.signatures[i].serial=="0f:9f:bd:ab:9b:39:64:5c:f3:21:1f:87:ab:b5:dd:b7" and 1361318399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "The Motivo Group, Inc." and pe.signatures [ i ] . serial == "0f:9f:bd:ab:9b:39:64:5c:f3:21:1f:87:ab:b5:dd:b7" and 1361318399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33492,13 +33492,13 @@ rule REVERSINGLABS_Cert_Blocklist_4211D2E4F0E87127319302C55B85Bcf2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dbe2a945-cf13-564a-a95a-24534c70a723" + id = "99752033-2532-52ed-8988-10023b7a8606" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L585-L601" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "edf9bbface7fe943dfa4f5a6e8469802ccdbd3de9d3e6b8fabebb024c21bb9a9" + logic_hash = "v1_sha256_edf9bbface7fe943dfa4f5a6e8469802ccdbd3de9d3e6b8fabebb024c21bb9a9" score = 75 quality = 90 tags = "INFO, FILE" @@ -33508,7 +33508,7 @@ rule REVERSINGLABS_Cert_Blocklist_4211D2E4F0E87127319302C55B85Bcf2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "yinsheng xie" and pe.signatures[i].serial=="42:11:d2:e4:f0:e8:71:27:31:93:02:c5:5b:85:bc:f2" and 1360713599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "yinsheng xie" and pe.signatures [ i ] . serial == "42:11:d2:e4:f0:e8:71:27:31:93:02:c5:5b:85:bc:f2" and 1360713599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33517,13 +33517,13 @@ rule REVERSINGLABS_Cert_Blocklist_07B44Cdbfffb78De05F4261672A67312 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "18787692-1233-5ea8-869c-feb530d06237" + id = "616aa3ba-163a-55d0-9918-a707abde1948" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L603-L619" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c88a8543782fc49d8aa68f3fc8052bd3316d10118dfb2ef2eef5006de657b6f1" + logic_hash = "v1_sha256_c88a8543782fc49d8aa68f3fc8052bd3316d10118dfb2ef2eef5006de657b6f1" score = 75 quality = 90 tags = "INFO, FILE" @@ -33533,7 +33533,7 @@ rule REVERSINGLABS_Cert_Blocklist_07B44Cdbfffb78De05F4261672A67312 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Buster Paper Comercial Ltda" and pe.signatures[i].serial=="07:b4:4c:db:ff:fb:78:de:05:f4:26:16:72:a6:73:12" and 1359503999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Buster Paper Comercial Ltda" and pe.signatures [ i ] . serial == "07:b4:4c:db:ff:fb:78:de:05:f4:26:16:72:a6:73:12" and 1359503999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33542,13 +33542,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F8B9A1Ba5E60C754Dbb40Ddee7905E2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9b6ba6bb-a796-59e1-a38b-04d4b60a99a6" + id = "004c2d1c-b1b7-5408-88a9-a16663236135" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L621-L637" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2a0d07d47cd41db5dc170a29607b6c1f2e3b7c0785f83b211f68f9cb9368e350" + logic_hash = "v1_sha256_2a0d07d47cd41db5dc170a29607b6c1f2e3b7c0785f83b211f68f9cb9368e350" score = 75 quality = 90 tags = "INFO, FILE" @@ -33558,7 +33558,7 @@ rule REVERSINGLABS_Cert_Blocklist_4F8B9A1Ba5E60C754Dbb40Ddee7905E2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "NOX Entertainment Co., Ltd" and pe.signatures[i].serial=="4f:8b:9a:1b:a5:e6:0c:75:4d:bb:40:dd:ee:79:05:e2" and 1348617599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "NOX Entertainment Co., Ltd" and pe.signatures [ i ] . serial == "4f:8b:9a:1b:a5:e6:0c:75:4d:bb:40:dd:ee:79:05:e2" and 1348617599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33567,13 +33567,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A389B95Ee736Dd13Bc0Ed743Fd74D2F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "43cce248-2322-5607-8706-aeab046a30b9" + id = "b08f2c25-ac0f-5bfa-8522-26c78e54eca9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L639-L655" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8b83e4aa47cea7cadf4b4a9f4e044478a62f4233e082fb52f9ed906d80a552aa" + logic_hash = "v1_sha256_8b83e4aa47cea7cadf4b4a9f4e044478a62f4233e082fb52f9ed906d80a552aa" score = 75 quality = 90 tags = "INFO, FILE" @@ -33583,7 +33583,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A389B95Ee736Dd13Bc0Ed743Fd74D2F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BUSTER ASSISTENCIA TECNICA ELETRONICA LTDA - ME" and pe.signatures[i].serial=="0a:38:9b:95:ee:73:6d:d1:3b:c0:ed:74:3f:d7:4d:2f" and 1351814399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BUSTER ASSISTENCIA TECNICA ELETRONICA LTDA - ME" and pe.signatures [ i ] . serial == "0a:38:9b:95:ee:73:6d:d1:3b:c0:ed:74:3f:d7:4d:2f" and 1351814399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33592,13 +33592,13 @@ rule REVERSINGLABS_Cert_Blocklist_1A3Faaeb3A8B93B2394Fec36345996E6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "343e4dbe-21a6-5758-be81-e5e7918c54fa" + id = "4c9abece-37fd-52f3-b86a-dfe3fdbc75d5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L657-L673" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a3bd9aaba8dbdb340b5d3013684584524eb08b11339985ba6ca0291b8c8bc692" + logic_hash = "v1_sha256_a3bd9aaba8dbdb340b5d3013684584524eb08b11339985ba6ca0291b8c8bc692" score = 75 quality = 90 tags = "INFO, FILE" @@ -33608,7 +33608,7 @@ rule REVERSINGLABS_Cert_Blocklist_1A3Faaeb3A8B93B2394Fec36345996E6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "salvatore macchiarella" and pe.signatures[i].serial=="1a:3f:aa:eb:3a:8b:93:b2:39:4f:ec:36:34:59:96:e6" and 1468454400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "salvatore macchiarella" and pe.signatures [ i ] . serial == "1a:3f:aa:eb:3a:8b:93:b2:39:4f:ec:36:34:59:96:e6" and 1468454400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33617,13 +33617,13 @@ rule REVERSINGLABS_Cert_Blocklist_1A35Acce5B0C77206B1C3Dc2A6A2417C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0e42ffb8-07f2-55e4-977d-7760e923d76d" + id = "c15c09d8-5a52-5830-8cff-b2292c5641c7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L675-L691" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ce161fdd511e0efa042516ead09c6ab5f8dcf54f2087cdccbfed8e7cdfbd25b2" + logic_hash = "v1_sha256_ce161fdd511e0efa042516ead09c6ab5f8dcf54f2087cdccbfed8e7cdfbd25b2" score = 75 quality = 90 tags = "INFO, FILE" @@ -33633,7 +33633,7 @@ rule REVERSINGLABS_Cert_Blocklist_1A35Acce5B0C77206B1C3Dc2A6A2417C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "cd ingegneri associati srl" and pe.signatures[i].serial=="1a:35:ac:ce:5b:0c:77:20:6b:1c:3d:c2:a6:a2:41:7c" and 1166054399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "cd ingegneri associati srl" and pe.signatures [ i ] . serial == "1a:35:ac:ce:5b:0c:77:20:6b:1c:3d:c2:a6:a2:41:7c" and 1166054399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33642,13 +33642,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Eb40Ea11Eaac847B050De9B59E25Bdc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e9f94ae9-0158-5789-b4d2-88f750442274" + id = "983ebcbf-1ae2-5476-9c1e-351dd1393800" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L693-L709" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d0e7ab78fb42c9a8f19cba8e6a8b15d584651a23f1088e1f311589d46145e963" + logic_hash = "v1_sha256_d0e7ab78fb42c9a8f19cba8e6a8b15d584651a23f1088e1f311589d46145e963" score = 75 quality = 90 tags = "INFO, FILE" @@ -33658,7 +33658,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Eb40Ea11Eaac847B050De9B59E25Bdc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "My Free Internet Update" and pe.signatures[i].serial=="6e:b4:0e:a1:1e:aa:c8:47:b0:50:de:9b:59:e2:5b:dc" and 1062201599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "My Free Internet Update" and pe.signatures [ i ] . serial == "6e:b4:0e:a1:1e:aa:c8:47:b0:50:de:9b:59:e2:5b:dc" and 1062201599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33667,13 +33667,13 @@ rule REVERSINGLABS_Cert_Blocklist_6724340Ddbc7252F7Fb714B812A5C04D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2b61de88-9fea-5c3f-a7ab-db91e90b4965" + id = "c129e911-dd5f-5a03-8706-56db1c553c58" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L711-L727" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bc72c2ca5f81198684233e23260831da5b9ef4e7ac5a25abbdb303eecc38bd53" + logic_hash = "v1_sha256_bc72c2ca5f81198684233e23260831da5b9ef4e7ac5a25abbdb303eecc38bd53" score = 75 quality = 90 tags = "INFO, FILE" @@ -33683,7 +33683,7 @@ rule REVERSINGLABS_Cert_Blocklist_6724340Ddbc7252F7Fb714B812A5C04D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "YNK JAPAN Inc" and pe.signatures[i].serial=="67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d" and 1306195199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "YNK JAPAN Inc" and pe.signatures [ i ] . serial == "67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d" and 1306195199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33692,13 +33692,13 @@ rule REVERSINGLABS_Cert_Blocklist_0813Ee9B7B9D7C46001D6Bc8784Df1Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0915fae0-ac6f-5a92-ab44-80f840fd5061" + id = "9afe28b5-b524-520a-9f8c-7f748fa48f65" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L729-L745" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1a25a2f25fa8d5075113cbafb73e80e741268d6b2f9e629fd54ffca9e82409b0" + logic_hash = "v1_sha256_1a25a2f25fa8d5075113cbafb73e80e741268d6b2f9e629fd54ffca9e82409b0" score = 75 quality = 90 tags = "INFO, FILE" @@ -33708,7 +33708,7 @@ rule REVERSINGLABS_Cert_Blocklist_0813Ee9B7B9D7C46001D6Bc8784Df1Dd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Les Garcons s'habillent" and pe.signatures[i].serial=="08:13:ee:9b:7b:9d:7c:46:00:1d:6b:c8:78:4d:f1:dd" and 1334707199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Les Garcons s'habillent" and pe.signatures [ i ] . serial == "08:13:ee:9b:7b:9d:7c:46:00:1d:6b:c8:78:4d:f1:dd" and 1334707199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33717,13 +33717,13 @@ rule REVERSINGLABS_Cert_Blocklist_530591C61B5E1212F659138B7Cea0A97 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "71cf0653-5aab-5d5c-aa3a-f42f40196412" + id = "3866d6a5-c700-5695-864f-f1229f4e04ec" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L747-L763" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ef01e542d145475713bbd373bdcdae5f25bfd823a60e7d40fe9a6b6039c83e0" + logic_hash = "v1_sha256_0ef01e542d145475713bbd373bdcdae5f25bfd823a60e7d40fe9a6b6039c83e0" score = 75 quality = 90 tags = "INFO, FILE" @@ -33733,7 +33733,7 @@ rule REVERSINGLABS_Cert_Blocklist_530591C61B5E1212F659138B7Cea0A97 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE6\\x97\\xA5\\xE7\\x85\\xA7\\xE5\\xB3\\xB0\\xE5\\xB7\\x9D\\xE5\\x9B\\xBD\\xE9\\x99\\x85\\xE7\\x9F\\xBF\\xE4\\xB8\\x9A\\xE8\\xB4\\xB8\\xE6\\x98\\x93\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="53:05:91:c6:1b:5e:12:12:f6:59:13:8b:7c:ea:0a:97" and 1403654399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE6\\x97\\xA5\\xE7\\x85\\xA7\\xE5\\xB3\\xB0\\xE5\\xB7\\x9D\\xE5\\x9B\\xBD\\xE9\\x99\\x85\\xE7\\x9F\\xBF\\xE4\\xB8\\x9A\\xE8\\xB4\\xB8\\xE6\\x98\\x93\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "53:05:91:c6:1b:5e:12:12:f6:59:13:8b:7c:ea:0a:97" and 1403654399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33742,13 +33742,13 @@ rule REVERSINGLABS_Cert_Blocklist_07270Ff9 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "fcd2d82a-b51d-53ff-bfae-3c83147c1903" + id = "eb2c068b-f175-541b-911e-fe193af2aeb1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L765-L781" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8f0da7c330464184fa1d5bf8d51dd8ad2e8637710a36972dcab03629cb57e910" + logic_hash = "v1_sha256_8f0da7c330464184fa1d5bf8d51dd8ad2e8637710a36972dcab03629cb57e910" score = 75 quality = 90 tags = "INFO, FILE" @@ -33758,7 +33758,7 @@ rule REVERSINGLABS_Cert_Blocklist_07270Ff9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar Cyber CA" and pe.signatures[i].serial=="07:27:0f:f9" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar Cyber CA" and pe.signatures [ i ] . serial == "07:27:0f:f9" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33767,13 +33767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0727100D : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "1ee866ec-a445-5a79-b824-37f28a49f20b" + id = "b5f61bb9-bb58-5064-84ee-963744c6fd31" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L783-L799" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a09f4004ed002b90d67a3baddde74832e6c7b70e8b330347ef169460750aa344" + logic_hash = "v1_sha256_a09f4004ed002b90d67a3baddde74832e6c7b70e8b330347ef169460750aa344" score = 75 quality = 90 tags = "INFO, FILE" @@ -33783,7 +33783,7 @@ rule REVERSINGLABS_Cert_Blocklist_0727100D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar Cyber CA" and pe.signatures[i].serial=="07:27:10:0d" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar Cyber CA" and pe.signatures [ i ] . serial == "07:27:10:0d" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33792,13 +33792,13 @@ rule REVERSINGLABS_Cert_Blocklist_07271003 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "7573c436-5bf9-5522-9952-e30dbbccd092" + id = "457c2218-ad90-5e68-b97a-a54bfbaa7648" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L801-L817" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "14c201b4fdda5b3553732a173a3d6705129c54f2a50d26997d63a77be8504285" + logic_hash = "v1_sha256_14c201b4fdda5b3553732a173a3d6705129c54f2a50d26997d63a77be8504285" score = 75 quality = 90 tags = "INFO, FILE" @@ -33808,7 +33808,7 @@ rule REVERSINGLABS_Cert_Blocklist_07271003 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar Cyber CA" and pe.signatures[i].serial=="07:27:10:03" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar Cyber CA" and pe.signatures [ i ] . serial == "07:27:10:03" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33817,13 +33817,13 @@ rule REVERSINGLABS_Cert_Blocklist_013134Bf : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "a3292707-c481-56a8-abf9-e1a762c76cb6" + id = "4e73717a-91a7-5f63-b6b4-009b582e5d12" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L819-L835" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1ade100c310c22bce25bcc6687855bd4eb6364b64cf31514b2548509a16e4a36" + logic_hash = "v1_sha256_1ade100c310c22bce25bcc6687855bd4eb6364b64cf31514b2548509a16e4a36" score = 75 quality = 90 tags = "INFO, FILE" @@ -33833,7 +33833,7 @@ rule REVERSINGLABS_Cert_Blocklist_013134Bf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Organisatie - G2" and pe.signatures[i].serial=="01:31:34:bf" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar PKIoverheid CA Organisatie - G2" and pe.signatures [ i ] . serial == "01:31:34:bf" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33842,13 +33842,13 @@ rule REVERSINGLABS_Cert_Blocklist_01314476 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "e0a52ad1-cebd-5ffc-953f-e0b09fc6d710" + id = "43aafa3a-ffdd-5a29-8b58-104948bfbd3c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L837-L853" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6f2f3f3ae009fbb9ebe589fc6b640be89c4a7b734eda515f182c7e9c9ffb4779" + logic_hash = "v1_sha256_6f2f3f3ae009fbb9ebe589fc6b640be89c4a7b734eda515f182c7e9c9ffb4779" score = 75 quality = 90 tags = "INFO, FILE" @@ -33858,7 +33858,7 @@ rule REVERSINGLABS_Cert_Blocklist_01314476 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Overheid" and pe.signatures[i].serial=="01:31:44:76" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar PKIoverheid CA Overheid" and pe.signatures [ i ] . serial == "01:31:44:76" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33867,13 +33867,13 @@ rule REVERSINGLABS_Cert_Blocklist_013169B0 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "a5f68c0a-635a-5aa9-94d2-7628999f06c2" + id = "2e16665b-3764-5ff0-b667-e269a7ece222" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L855-L871" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "354421ebad7fd0b73c9ba63630c91d481901ca9ec39be3c6b66843221e4b5aad" + logic_hash = "v1_sha256_354421ebad7fd0b73c9ba63630c91d481901ca9ec39be3c6b66843221e4b5aad" score = 75 quality = 90 tags = "INFO, FILE" @@ -33883,7 +33883,7 @@ rule REVERSINGLABS_Cert_Blocklist_013169B0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Overheid en Bedrijven" and pe.signatures[i].serial=="01:31:69:b0" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar PKIoverheid CA Overheid en Bedrijven" and pe.signatures [ i ] . serial == "01:31:69:b0" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33892,13 +33892,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C76Da9C910C4E2C9Efe15D058933C4C : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "a9b06d49-1ab2-539e-bd1f-16da40b654b2" + id = "008bc831-2634-56f3-82bb-d1cd19b3c263" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L873-L889" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "883e93bff42161ba68f69fb17f7e78377d7f3cb6b6cdf72cffb4166466f8bc7b" + logic_hash = "v1_sha256_883e93bff42161ba68f69fb17f7e78377d7f3cb6b6cdf72cffb4166466f8bc7b" score = 75 quality = 90 tags = "INFO, FILE" @@ -33908,7 +33908,7 @@ rule REVERSINGLABS_Cert_Blocklist_0C76Da9C910C4E2C9Efe15D058933C4C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar Root CA" and pe.signatures[i].serial=="0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar Root CA" and pe.signatures [ i ] . serial == "0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33917,13 +33917,13 @@ rule REVERSINGLABS_Cert_Blocklist_469C2Caf : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "12d7c4a8-0a84-502a-855b-674972a2e2e1" + id = "9d379a33-fe23-5627-8513-1f196869678e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L891-L907" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2490dbd74a5d3eede494d284f96af835c270d2fb0752b887aadbaf92bf34e6d4" + logic_hash = "v1_sha256_2490dbd74a5d3eede494d284f96af835c270d2fb0752b887aadbaf92bf34e6d4" score = 75 quality = 90 tags = "INFO, FILE" @@ -33933,7 +33933,7 @@ rule REVERSINGLABS_Cert_Blocklist_469C2Caf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar Root CA" and pe.signatures[i].serial=="46:9c:2c:af" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar Root CA" and pe.signatures [ i ] . serial == "46:9c:2c:af" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33942,13 +33942,13 @@ rule REVERSINGLABS_Cert_Blocklist_469C3Cc9 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "36d76a9f-d18f-56bf-b00a-f7320f04f39a" + id = "af049b58-3b7d-52ed-b005-5bb37dc39ccf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L909-L925" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7327b7cbeb616bc46c82975aed6b3ea1caafa74fd431e2d98ca55b00851e22c8" + logic_hash = "v1_sha256_7327b7cbeb616bc46c82975aed6b3ea1caafa74fd431e2d98ca55b00851e22c8" score = 75 quality = 90 tags = "INFO, FILE" @@ -33958,7 +33958,7 @@ rule REVERSINGLABS_Cert_Blocklist_469C3Cc9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar Root CA" and pe.signatures[i].serial=="46:9c:3c:c9" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar Root CA" and pe.signatures [ i ] . serial == "46:9c:3c:c9" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33967,13 +33967,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A82Bd1E144E8814D75B1A5527Bebf3E : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "f3d7d714-8085-524a-814c-ab8cc59ceb4f" + id = "ffabaf6b-264e-5961-b70a-3144f9b06d01" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L927-L943" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2534e58ce1e5adbb10dbacb664d40cc32faec341bdb93b926cc85b666cc7b77e" + logic_hash = "v1_sha256_2534e58ce1e5adbb10dbacb664d40cc32faec341bdb93b926cc85b666cc7b77e" score = 75 quality = 90 tags = "INFO, FILE" @@ -33983,7 +33983,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A82Bd1E144E8814D75B1A5527Bebf3E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar Root CA G2" and pe.signatures[i].serial=="0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3e" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar Root CA G2" and pe.signatures [ i ] . serial == "0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3e" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -33992,13 +33992,13 @@ rule REVERSINGLABS_Cert_Blocklist_469C2Cb0 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "dd19b988-747d-55b9-825b-2ada1ca83691" + id = "7c3d2b3c-3ca4-5f78-9171-739e2502da30" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L945-L961" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "67ff84475cbe231f97daa3ce623689e7936db8e56be562778f8a4c1ebf7bf316" + logic_hash = "v1_sha256_67ff84475cbe231f97daa3ce623689e7936db8e56be562778f8a4c1ebf7bf316" score = 75 quality = 90 tags = "INFO, FILE" @@ -34008,7 +34008,7 @@ rule REVERSINGLABS_Cert_Blocklist_469C2Cb0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DigiNotar Services 1024 CA" and pe.signatures[i].serial=="46:9c:2c:b0" and 1308182400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DigiNotar Services 1024 CA" and pe.signatures [ i ] . serial == "46:9c:2c:b0" and 1308182400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34017,13 +34017,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C0E636A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "beb2039c-3b0e-5649-96ca-40175493e62c" + id = "dc06d595-041d-50aa-b430-43308496227b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L963-L979" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "20169cf9ce3f271a22d1376bcf0ff0914f43937738c9ed61fd8e40179405136b" + logic_hash = "v1_sha256_20169cf9ce3f271a22d1376bcf0ff0914f43937738c9ed61fd8e40179405136b" score = 75 quality = 90 tags = "INFO, FILE" @@ -34033,7 +34033,7 @@ rule REVERSINGLABS_Cert_Blocklist_4C0E636A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Digisign Server ID - (Enrich)" and pe.signatures[i].serial=="4c:0e:63:6a" and 1320191999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Digisign Server ID - (Enrich)" and pe.signatures [ i ] . serial == "4c:0e:63:6a" and 1320191999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34042,13 +34042,13 @@ rule REVERSINGLABS_Cert_Blocklist_072714A9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "15ad6936-78a4-58b1-8c68-27ec4ed38649" + id = "ba228fe2-0b8a-5a2d-944d-a4526b547430" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L981-L997" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8bea4cfb60056446043ef90a7d01ecc52d82d9e7005a145a4daa61a522ecd2ae" + logic_hash = "v1_sha256_8bea4cfb60056446043ef90a7d01ecc52d82d9e7005a145a4daa61a522ecd2ae" score = 75 quality = 90 tags = "INFO, FILE" @@ -34058,7 +34058,7 @@ rule REVERSINGLABS_Cert_Blocklist_072714A9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Digisign Server ID (Enrich)" and pe.signatures[i].serial=="07:27:14:a9" and 1320191999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Digisign Server ID (Enrich)" and pe.signatures [ i ] . serial == "07:27:14:a9" and 1320191999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34067,13 +34067,13 @@ rule REVERSINGLABS_Cert_Blocklist_00D8F35F4Eb7872B2Dab0692E315382Fb0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2c051732-76d7-5562-a79e-c5bbdc8373b2" + id = "744f2f0f-44bd-5620-bcc8-16641a58133c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L999-L1017" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "463757c59c32859163ea80e694e1f39239c857124aad3895f22f83b47645910c" + logic_hash = "v1_sha256_463757c59c32859163ea80e694e1f39239c857124aad3895f22f83b47645910c" score = 75 quality = 90 tags = "INFO, FILE" @@ -34083,7 +34083,7 @@ rule REVERSINGLABS_Cert_Blocklist_00D8F35F4Eb7872B2Dab0692E315382Fb0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "global trustee" and (pe.signatures[i].serial=="00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0" or pe.signatures[i].serial=="d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0") and 1300060800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "global trustee" and ( pe.signatures [ i ] . serial == "00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0" or pe.signatures [ i ] . serial == "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0" ) and 1300060800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34092,13 +34092,13 @@ rule REVERSINGLABS_Cert_Blocklist_750E40Ff97F047Edf556C7084Eb1Abfd : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "7ae4ba81-82be-57f9-aa8c-0e5c30e412c6" + id = "4d02b423-cf06-5ec8-9b15-d5bfa989e479" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1019-L1035" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "21c2468905514e1725a206814b0c61c576cf7f97f184bac857bca9283f49a957" + logic_hash = "v1_sha256_21c2468905514e1725a206814b0c61c576cf7f97f184bac857bca9283f49a957" score = 75 quality = 90 tags = "INFO, FILE" @@ -34108,7 +34108,7 @@ rule REVERSINGLABS_Cert_Blocklist_750E40Ff97F047Edf556C7084Eb1Abfd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Microsoft Corporation" and pe.signatures[i].serial=="75:0e:40:ff:97:f0:47:ed:f5:56:c7:08:4e:b1:ab:fd" and 980899199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Microsoft Corporation" and pe.signatures [ i ] . serial == "75:0e:40:ff:97:f0:47:ed:f5:56:c7:08:4e:b1:ab:fd" and 980899199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34117,13 +34117,13 @@ rule REVERSINGLABS_Cert_Blocklist_1B5190F73724399C9254Cd424637996A : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "dfb08450-c35c-5b7b-9d04-2c9a6af9bcf8" + id = "3d4ef9bc-22e7-59fa-b20b-451c2cee7015" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1037-L1053" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "08f287ccda93e03a7e796d5625ab35ef0de782d07e5db4e2264f612fc5ebaa21" + logic_hash = "v1_sha256_08f287ccda93e03a7e796d5625ab35ef0de782d07e5db4e2264f612fc5ebaa21" score = 75 quality = 90 tags = "INFO, FILE" @@ -34133,7 +34133,7 @@ rule REVERSINGLABS_Cert_Blocklist_1B5190F73724399C9254Cd424637996A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Microsoft Corporation" and pe.signatures[i].serial=="1b:51:90:f7:37:24:39:9c:92:54:cd:42:46:37:99:6a" and 980812799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Microsoft Corporation" and pe.signatures [ i ] . serial == "1b:51:90:f7:37:24:39:9c:92:54:cd:42:46:37:99:6a" and 980812799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34142,13 +34142,13 @@ rule REVERSINGLABS_Cert_Blocklist_00Ebaa11D62E2481081820 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "e192d271-b5de-5acc-a04f-02a26d9231ac" + id = "ff10274b-a6d0-5656-8def-f5559770f147" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1055-L1072" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2fafc6775ec88b5a1000afbc7234fbef6b03e9eaf866dae660dd2d749996cb5c" + logic_hash = "v1_sha256_2fafc6775ec88b5a1000afbc7234fbef6b03e9eaf866dae660dd2d749996cb5c" score = 75 quality = 90 tags = "INFO, FILE" @@ -34158,7 +34158,7 @@ rule REVERSINGLABS_Cert_Blocklist_00Ebaa11D62E2481081820 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Microsoft Enforced Licensing Intermediate PCA" and (pe.signatures[i].serial=="00:eb:aa:11:d6:2e:24:81:08:18:20" or pe.signatures[i].serial=="eb:aa:11:d6:2e:24:81:08:18:20")) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Microsoft Enforced Licensing Intermediate PCA" and ( pe.signatures [ i ] . serial == "00:eb:aa:11:d6:2e:24:81:08:18:20" or pe.signatures [ i ] . serial == "eb:aa:11:d6:2e:24:81:08:18:20" ) ) } import "pe" 
@@ -34167,13 +34167,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Aab11Dee52F1B19D056 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "c6334520-7f93-59d0-8a22-721b928c14d1" + id = "1e4cdde4-b43a-55ad-91c6-b9ba3ba845bb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1074-L1089" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1f1215143dc828596e6d7eeff99983755b17eaeb3ab9d7643abdbb48e9957c78" + logic_hash = "v1_sha256_1f1215143dc828596e6d7eeff99983755b17eaeb3ab9d7643abdbb48e9957c78" score = 75 quality = 90 tags = "INFO, FILE" @@ -34183,7 +34183,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Aab11Dee52F1B19D056 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Microsoft Enforced Licensing Intermediate PCA" and pe.signatures[i].serial=="3a:ab:11:de:e5:2f:1b:19:d0:56") + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Microsoft Enforced Licensing Intermediate PCA" and pe.signatures [ i ] . serial == "3a:ab:11:de:e5:2f:1b:19:d0:56" ) } import "pe" 
@@ -34192,13 +34192,13 @@ rule REVERSINGLABS_Cert_Blocklist_6102B01900000000002F : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "b98769c6-805e-5cd0-96f1-67418fec40a6" + id = "ff0a4a7b-333d-55c5-94ca-593d10688a64" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1091-L1106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6c42daa8b8730541bb422ac860ec4b0830e00fdb732e4bb503054dbcae1ff6d4" + logic_hash = "v1_sha256_6c42daa8b8730541bb422ac860ec4b0830e00fdb732e4bb503054dbcae1ff6d4" score = 75 quality = 90 tags = "INFO, FILE" @@ -34208,7 +34208,7 @@ rule REVERSINGLABS_Cert_Blocklist_6102B01900000000002F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Microsoft Enforced Licensing Registration Authority CA (SHA1)" and pe.signatures[i].serial=="61:02:b0:19:00:00:00:00:00:2f") + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Microsoft Enforced Licensing Registration Authority CA (SHA1)" and pe.signatures [ i ] . serial == "61:02:b0:19:00:00:00:00:00:2f" ) } import "pe" 
@@ -34217,13 +34217,13 @@ rule REVERSINGLABS_Cert_Blocklist_01E2B4F759811C64379Fca0Be76D2Dce : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "00effc8a-066c-54ff-891e-c635d161b171" + id = "6b784721-6d07-547c-ac1c-0e38bbacfb33" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1108-L1124" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0dff7a9f2e152c20427ea231449b942a040e964cb7dad90271d2865290535326" + logic_hash = "v1_sha256_0dff7a9f2e152c20427ea231449b942a040e964cb7dad90271d2865290535326" score = 75 quality = 90 tags = "INFO, FILE" @@ -34233,7 +34233,7 @@ rule REVERSINGLABS_Cert_Blocklist_01E2B4F759811C64379Fca0Be76D2Dce : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Sony Pictures Entertainment Inc." and pe.signatures[i].serial=="01:e2:b4:f7:59:81:1c:64:37:9f:ca:0b:e7:6d:2d:ce" and 1417651200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Sony Pictures Entertainment Inc." and pe.signatures [ i ] . serial == "01:e2:b4:f7:59:81:1c:64:37:9f:ca:0b:e7:6d:2d:ce" and 1417651200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34242,13 +34242,13 @@ rule REVERSINGLABS_Cert_Blocklist_03E5A010B05C9287F823C2585F547B80 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "14ad79c7-f669-59a6-94d1-978a13fbb337" + id = "ee32b812-6dac-56ff-93ea-b3d4aae159b8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1126-L1142" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1d57b640ee313ad4d53dc64ce4df3e4ed57976e7750cfd80d62bf9982d964d26" + logic_hash = "v1_sha256_1d57b640ee313ad4d53dc64ce4df3e4ed57976e7750cfd80d62bf9982d964d26" score = 75 quality = 90 tags = "INFO, FILE" @@ -34258,7 +34258,7 @@ rule REVERSINGLABS_Cert_Blocklist_03E5A010B05C9287F823C2585F547B80 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MOCOMSYS INC" and pe.signatures[i].serial=="03:e5:a0:10:b0:5c:92:87:f8:23:c2:58:5f:54:7b:80" and 1385423999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MOCOMSYS INC" and pe.signatures [ i ] . serial == "03:e5:a0:10:b0:5c:92:87:f8:23:c2:58:5f:54:7b:80" and 1385423999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34267,13 +34267,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fe7Df6C4B9A33B83D04E23E98A77Cce : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "47a10658-c5c4-58b6-b154-7babcfbc50a2" + id = "ce9f5342-e720-5ad0-bb91-1f5f5bee0b93" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1144-L1160" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "da5ed07def8d0c04ea58aacd90f9fa5588f868f6d0057b9148587f2f0b381f25" + logic_hash = "v1_sha256_da5ed07def8d0c04ea58aacd90f9fa5588f868f6d0057b9148587f2f0b381f25" score = 75 quality = 90 tags = "INFO, FILE" @@ -34283,7 +34283,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Fe7Df6C4B9A33B83D04E23E98A77Cce : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PIXELPLUS CO., LTD." and pe.signatures[i].serial=="0f:e7:df:6c:4b:9a:33:b8:3d:04:e2:3e:98:a7:7c:ce" and 1396310399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PIXELPLUS CO., LTD." and pe.signatures [ i ] . serial == "0f:e7:df:6c:4b:9a:33:b8:3d:04:e2:3e:98:a7:7c:ce" and 1396310399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34292,13 +34292,13 @@ rule REVERSINGLABS_Cert_Blocklist_065569A3E261409128A40Affa90D6D10 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "924c210b-f72a-51eb-af2a-9897faf8f677" + id = "60acfe13-e39a-52bf-beb9-c377f8489e31" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1162-L1178" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f8d68758704e41325e95ec69334aaf7fabe08a6d5557e0a81bac2f02d3ab5977" + logic_hash = "v1_sha256_f8d68758704e41325e95ec69334aaf7fabe08a6d5557e0a81bac2f02d3ab5977" score = 75 quality = 90 tags = "INFO, FILE" @@ -34308,7 +34308,7 @@ rule REVERSINGLABS_Cert_Blocklist_065569A3E261409128A40Affa90D6D10 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Police Mutual Aid Association" and pe.signatures[i].serial=="06:55:69:a3:e2:61:40:91:28:a4:0a:ff:a9:0d:6d:10" and 1381795199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Police Mutual Aid Association" and pe.signatures [ i ] . serial == "06:55:69:a3:e2:61:40:91:28:a4:0a:ff:a9:0d:6d:10" and 1381795199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34317,13 +34317,13 @@ rule REVERSINGLABS_Cert_Blocklist_0979616733E062C544Df0Abd315E3B92 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "73222a8d-df63-5784-b5a2-0d936db8ddcb" + id = "243c4f32-f5eb-5fbd-9677-2633dd97994e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1180-L1196" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "034b233d6b6dd82ad9fa1ec99db1effa3daaa5bb478d448133c479ac728117ad" + logic_hash = "v1_sha256_034b233d6b6dd82ad9fa1ec99db1effa3daaa5bb478d448133c479ac728117ad" score = 75 quality = 90 tags = "INFO, FILE" @@ -34333,7 +34333,7 @@ rule REVERSINGLABS_Cert_Blocklist_0979616733E062C544Df0Abd315E3B92 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Jessica Karam" and pe.signatures[i].serial=="09:79:61:67:33:e0:62:c5:44:df:0a:bd:31:5e:3b:92" and 1408319999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Jessica Karam" and pe.signatures [ i ] . serial == "09:79:61:67:33:e0:62:c5:44:df:0a:bd:31:5e:3b:92" and 1408319999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34342,13 +34342,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D3250B27E0547C77307030491B42802 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "54073485-e9a5-5a0b-a907-0e8a528da85d" + id = "c31fb253-84cf-5eee-a1e9-abbddd807792" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1198-L1214" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "65f036921dfb9cbce3275aefb7111711e50874440096b2e3c3b55190cfc14ddb" + logic_hash = "v1_sha256_65f036921dfb9cbce3275aefb7111711e50874440096b2e3c3b55190cfc14ddb" score = 75 quality = 90 tags = "INFO, FILE" @@ -34358,7 +34358,7 @@ rule REVERSINGLABS_Cert_Blocklist_7D3250B27E0547C77307030491B42802 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Banco do Brasil S.A." and pe.signatures[i].serial=="7d:32:50:b2:7e:05:47:c7:73:07:03:04:91:b4:28:02" and 1412207999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Banco do Brasil S.A." and pe.signatures [ i ] . serial == "7d:32:50:b2:7e:05:47:c7:73:07:03:04:91:b4:28:02" and 1412207999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34367,13 +34367,13 @@ rule REVERSINGLABS_Cert_Blocklist_00D1836Bd37C331A67 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4d99e2ee-823e-568d-88b1-48aaf6d44286" + id = "41ce0e19-5660-5215-b867-de902db14615" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1216-L1234" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8af1d10085c5be8924eb6e4ea3a9b8e936c7706d8ec43d42f24a9a293c7f9d27" + logic_hash = "v1_sha256_8af1d10085c5be8924eb6e4ea3a9b8e936c7706d8ec43d42f24a9a293c7f9d27" score = 75 quality = 90 tags = "INFO, FILE" @@ -34383,7 +34383,7 @@ rule REVERSINGLABS_Cert_Blocklist_00D1836Bd37C331A67 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MINDSTORM LLC" and (pe.signatures[i].serial=="00:d1:83:6b:d3:7c:33:1a:67" or pe.signatures[i].serial=="d1:83:6b:d3:7c:33:1a:67") and 1422835199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MINDSTORM LLC" and ( pe.signatures [ i ] . serial == "00:d1:83:6b:d3:7c:33:1a:67" or pe.signatures [ i ] . serial == "d1:83:6b:d3:7c:33:1a:67" ) and 1422835199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34392,13 +34392,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Ca028D1A4De0Eb743135Edecf74D7Af : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "19e1bce7-ad37-5223-b934-b20e78dfd071" + id = "4c9908c1-7367-54e3-9833-291d817c98d3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1236-L1252" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "60b6351194e23153d425eaa0c25f840080a29abb5eb1bbcd41bb76a3d4130edd" + logic_hash = "v1_sha256_60b6351194e23153d425eaa0c25f840080a29abb5eb1bbcd41bb76a3d4130edd" score = 75 quality = 90 tags = "INFO, FILE" @@ -34408,7 +34408,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Ca028D1A4De0Eb743135Edecf74D7Af : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="2c:a0:28:d1:a4:de:0e:b7:43:13:5e:de:cf:74:d7:af" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "2c:a0:28:d1:a4:de:0e:b7:43:13:5e:de:cf:74:d7:af" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34417,13 +34417,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dbb14Dcf973Eada14Ece7Ea79C895C11 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "139f2e4f-7997-5cfd-aba2-dcf8d7525f5e" + id = "531f7801-9e3f-56cf-8081-3d978eebd169" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1254-L1270" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c73c83f5cb6d840b887e1aa41e96a29529f975434ac27a5aa57f2e14b342f63d" + logic_hash = "v1_sha256_c73c83f5cb6d840b887e1aa41e96a29529f975434ac27a5aa57f2e14b342f63d" score = 75 quality = 90 tags = "INFO, FILE" @@ -34433,7 +34433,7 @@ rule REVERSINGLABS_Cert_Blocklist_Dbb14Dcf973Eada14Ece7Ea79C895C11 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="db:b1:4d:cf:97:3e:ad:a1:4e:ce:7e:a7:9c:89:5c:11" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "db:b1:4d:cf:97:3e:ad:a1:4e:ce:7e:a7:9c:89:5c:11" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34442,13 +34442,13 @@ rule REVERSINGLABS_Cert_Blocklist_F8C2239De3977B8D4A3Dcbedc9031A51 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "3e102d0a-30e3-5f0a-9b67-a5fd15117e69" + id = "a21a6ab5-b747-5a4a-ae19-a5c0b4c12059" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1272-L1288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "aa4f39790bc58b0a50e05e7670abad654d7f3d73e500bd5f054fece4a979ebfa" + logic_hash = "v1_sha256_aa4f39790bc58b0a50e05e7670abad654d7f3d73e500bd5f054fece4a979ebfa" score = 75 quality = 90 tags = "INFO, FILE" @@ -34458,7 +34458,7 @@ rule REVERSINGLABS_Cert_Blocklist_F8C2239De3977B8D4A3Dcbedc9031A51 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="f8:c2:23:9d:e3:97:7b:8d:4a:3d:cb:ed:c9:03:1a:51" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "f8:c2:23:9d:e3:97:7b:8d:4a:3d:cb:ed:c9:03:1a:51" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34467,13 +34467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Caad8222705D3Fb3430E114A31C8C6A4 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "d95b5e25-679c-57f8-b790-8f5633a23e4b" + id = "d68cb2b0-387d-55fe-a82d-90b36e4c8655" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1290-L1306" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "35c4f46322da4f5b9f938c1098c8e57effc8abfc03db865190c343df7b8990ea" + logic_hash = "v1_sha256_35c4f46322da4f5b9f938c1098c8e57effc8abfc03db865190c343df7b8990ea" score = 75 quality = 90 tags = "INFO, FILE" @@ -34483,7 +34483,7 @@ rule REVERSINGLABS_Cert_Blocklist_Caad8222705D3Fb3430E114A31C8C6A4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="ca:ad:82:22:70:5d:3f:b3:43:0e:11:4a:31:c8:c6:a4" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "ca:ad:82:22:70:5d:3f:b3:43:0e:11:4a:31:c8:c6:a4" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34492,13 +34492,13 @@ rule REVERSINGLABS_Cert_Blocklist_B191812516E6618D49E6Ccf5E63Dc343 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "8f316011-9a29-5366-a26a-1fe20651ef17" + id = "9ad59c1f-392a-5920-ab3d-1021f6cea138" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1308-L1324" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "40c03e683b4b8e8a23ca84da7dfd3bd998d3708b27b7df7a22f25fb364c3a69b" + logic_hash = "v1_sha256_40c03e683b4b8e8a23ca84da7dfd3bd998d3708b27b7df7a22f25fb364c3a69b" score = 75 quality = 90 tags = "INFO, FILE" @@ -34508,7 +34508,7 @@ rule REVERSINGLABS_Cert_Blocklist_B191812516E6618D49E6Ccf5E63Dc343 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="b1:91:81:25:16:e6:61:8d:49:e6:cc:f5:e6:3d:c3:43" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "b1:91:81:25:16:e6:61:8d:49:e6:cc:f5:e6:3d:c3:43" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34517,13 +34517,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Ba7Fb8Ee1Deff8F4A1525E1E0580057 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "af912c64-334d-51f5-8ca4-707fcec512ba" + id = "b6d24664-ba2f-51e1-a82f-c3488b9e650c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1326-L1342" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "324157b9fec2653cb8874c7a1a5b6e39b121992cd52856b8c4a2a8b7cee86a69" + logic_hash = "v1_sha256_324157b9fec2653cb8874c7a1a5b6e39b121992cd52856b8c4a2a8b7cee86a69" score = 75 quality = 90 tags = "INFO, FILE" @@ -34533,7 +34533,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Ba7Fb8Ee1Deff8F4A1525E1E0580057 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="4b:a7:fb:8e:e1:de:ff:8f:4a:15:25:e1:e0:58:00:57" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "4b:a7:fb:8e:e1:de:ff:8f:4a:15:25:e1:e0:58:00:57" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34542,13 +34542,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Df9F7Eb6Cdc5Ca243B33122E3941E25 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "da1895fd-ec29-513d-b8ae-2317f84b8280" + id = "ff708876-f157-5593-a542-1be2599454a8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1344-L1360" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "703eccd5573fe42f03ec82887660d50e942156d840394746c90ba87d82507803" + logic_hash = "v1_sha256_703eccd5573fe42f03ec82887660d50e942156d840394746c90ba87d82507803" score = 75 quality = 90 tags = "INFO, FILE" @@ -34558,7 +34558,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Df9F7Eb6Cdc5Ca243B33122E3941E25 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="2d:f9:f7:eb:6c:dc:5c:a2:43:b3:31:22:e3:94:1e:25" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "2d:f9:f7:eb:6c:dc:5c:a2:43:b3:31:22:e3:94:1e:25" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34567,13 +34567,13 @@ rule REVERSINGLABS_Cert_Blocklist_58A541D50F9E2Fab4380C6A2Ed433B82 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "19a26581-5c94-5c8d-8e3e-b2ef1d770968" + id = "58f91572-9ced-5a82-a71c-a963c482ac8e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1362-L1378" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "69ddc58b6fec159d6eded8c78237a6a0626b1aedb58b0c9867b758fd09db46ad" + logic_hash = "v1_sha256_69ddc58b6fec159d6eded8c78237a6a0626b1aedb58b0c9867b758fd09db46ad" score = 75 quality = 90 tags = "INFO, FILE" @@ -34583,7 +34583,7 @@ rule REVERSINGLABS_Cert_Blocklist_58A541D50F9E2Fab4380C6A2Ed433B82 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="58:a5:41:d5:0f:9e:2f:ab:43:80:c6:a2:ed:43:3b:82" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "58:a5:41:d5:0f:9e:2f:ab:43:80:c6:a2:ed:43:3b:82" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34592,13 +34592,13 @@ rule REVERSINGLABS_Cert_Blocklist_5F273626859Ae4Bc4Becbbeb71E2Ab2D : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "a80dcaba-73f9-51d0-a75a-b6348fd305c6" + id = "57d60f5b-fcc0-512a-9835-522ec65c7305" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1380-L1396" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c8be504f075041508f299b1df03d9cb9e58d9a89f49b7a926676033d18b108ba" + logic_hash = "v1_sha256_c8be504f075041508f299b1df03d9cb9e58d9a89f49b7a926676033d18b108ba" score = 75 quality = 90 tags = "INFO, FILE" @@ -34608,7 +34608,7 @@ rule REVERSINGLABS_Cert_Blocklist_5F273626859Ae4Bc4Becbbeb71E2Ab2D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="5f:27:36:26:85:9a:e4:bc:4b:ec:bb:eb:71:e2:ab:2d" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "5f:27:36:26:85:9a:e4:bc:4b:ec:bb:eb:71:e2:ab:2d" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34617,13 +34617,13 @@ rule REVERSINGLABS_Cert_Blocklist_B1Ad46Ce4Db160B348C24F66C9663178 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "df34eb28-18ec-568b-8257-0b2f7959868c" + id = "1b72ffa5-4977-5cc5-b554-13d8ca51b5b7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1398-L1414" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "59ce2b7a2e881853d07446b3dda74b296f2be09651364d0e131552cf76dab751" + logic_hash = "v1_sha256_59ce2b7a2e881853d07446b3dda74b296f2be09651364d0e131552cf76dab751" score = 75 quality = 90 tags = "INFO, FILE" @@ -34633,7 +34633,7 @@ rule REVERSINGLABS_Cert_Blocklist_B1Ad46Ce4Db160B348C24F66C9663178 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Adobe Systems" and pe.signatures[i].serial=="b1:ad:46:ce:4d:b1:60:b3:48:c2:4f:66:c9:66:31:78" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Adobe Systems" and pe.signatures [ i ] . serial == "b1:ad:46:ce:4d:b1:60:b3:48:c2:4f:66:c9:66:31:78" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34642,13 +34642,13 @@ rule REVERSINGLABS_Cert_Blocklist_256541E204619033F8B09F9Eb7C88Ef8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d4a5eb19-2964-5d3a-b4c5-ee4396e76814" + id = "c6e4f2ef-ab4f-505e-bae3-f128da97eca9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1416-L1432" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e33cedf1dd24ac73f77461de0cef25cad57909be2a69469fec450ead7da85c65" + logic_hash = "v1_sha256_e33cedf1dd24ac73f77461de0cef25cad57909be2a69469fec450ead7da85c65" score = 75 quality = 90 tags = "INFO, FILE" @@ -34658,7 +34658,7 @@ rule REVERSINGLABS_Cert_Blocklist_256541E204619033F8B09F9Eb7C88Ef8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HON HAI PRECISION INDUSTRY CO. LTD." and pe.signatures[i].serial=="25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8" and 1424303999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HON HAI PRECISION INDUSTRY CO. LTD." and pe.signatures [ i ] . serial == "25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8" and 1424303999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34667,13 +34667,13 @@ rule REVERSINGLABS_Cert_Blocklist_00E8Cc18Cf100B6B27443Ef26319398734 : INFO FILE meta: description = "Certificate used for digitally signing GovRAT malware." author = "ReversingLabs" - id = "f7e80c51-9dcf-599a-8164-c07cf4c9c5ff" + id = "fcb5a1d8-0e7d-5aac-bc39-a9d6a845fac9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1434-L1452" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "68e9df056109cae41d981090c7a98ddc192a445647d7475569ddbe4118e570c5" + logic_hash = "v1_sha256_68e9df056109cae41d981090c7a98ddc192a445647d7475569ddbe4118e570c5" score = 75 quality = 90 tags = "INFO, FILE" @@ -34683,7 +34683,7 @@ rule REVERSINGLABS_Cert_Blocklist_00E8Cc18Cf100B6B27443Ef26319398734 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Syngenta" and (pe.signatures[i].serial=="00:e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34" or pe.signatures[i].serial=="e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34") and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Syngenta" and ( pe.signatures [ i ] . serial == "00:e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34" or pe.signatures [ i ] . serial == "e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34" ) and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34692,13 +34692,13 @@ rule REVERSINGLABS_Cert_Blocklist_62Af28A7657Ba8Ab10Fa8E2D47250C69 : INFO FILE meta: description = "Certificate used for digitally signing GovRAT malware." author = "ReversingLabs" - id = "cba20a1b-5d24-5a1f-8f2f-8c47add846d6" + id = "9bea3365-e4fa-5b00-b6c7-9324820be295" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1454-L1470" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c3c034cb4e2c65e2269fbfd9c045eb294badde60389ae62ed694ea4d61c5eb35" + logic_hash = "v1_sha256_c3c034cb4e2c65e2269fbfd9c045eb294badde60389ae62ed694ea4d61c5eb35" score = 75 quality = 90 tags = "INFO, FILE" @@ -34708,7 +34708,7 @@ rule REVERSINGLABS_Cert_Blocklist_62Af28A7657Ba8Ab10Fa8E2D47250C69 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AFINA Fintek" and pe.signatures[i].serial=="62:af:28:a7:65:7b:a8:ab:10:fa:8e:2d:47:25:0c:69" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AFINA Fintek" and pe.signatures [ i ] . serial == "62:af:28:a7:65:7b:a8:ab:10:fa:8e:2d:47:25:0c:69" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34717,13 +34717,13 @@ rule REVERSINGLABS_Cert_Blocklist_04C8Eca7243208A110Dea926C7Ad89Ce : INFO FILE meta: description = "Certificate used for digitally signing GovRAT malware." author = "ReversingLabs" - id = "484d0aa6-0447-5e60-946b-89b01a5e43dd" + id = "ccfee04c-4877-5d99-9702-9bd39fc379b8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1472-L1488" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0012436e83704397026a8b2e500e5d61915e0f4c8ad4100176e200a975562e8f" + logic_hash = "v1_sha256_0012436e83704397026a8b2e500e5d61915e0f4c8ad4100176e200a975562e8f" score = 75 quality = 90 tags = "INFO, FILE" @@ -34733,7 +34733,7 @@ rule REVERSINGLABS_Cert_Blocklist_04C8Eca7243208A110Dea926C7Ad89Ce : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, SINGH ADITYA" and pe.signatures[i].serial=="04:c8:ec:a7:24:32:08:a1:10:de:a9:26:c7:ad:89:ce" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, SINGH ADITYA" and pe.signatures [ i ] . serial == "04:c8:ec:a7:24:32:08:a1:10:de:a9:26:c7:ad:89:ce" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34742,13 +34742,13 @@ rule REVERSINGLABS_Cert_Blocklist_157C3A4A6Bcf35Cf8453E6B6C0072E1D : INFO FILE meta: description = "Certificate used for digitally signing GovRAT malware." author = "ReversingLabs" - id = "4bae3fb2-7e30-598e-8708-b985697bf63a" + id = "fb93889c-6c83-5507-bc86-29b8c1e9bcd5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1490-L1506" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2a68051ab6d0b967f08e44d91b9f13d75587ea0f16e2a5536ccf5898445e1a58" + logic_hash = "v1_sha256_2a68051ab6d0b967f08e44d91b9f13d75587ea0f16e2a5536ccf5898445e1a58" score = 75 quality = 90 tags = "INFO, FILE" @@ -34758,7 +34758,7 @@ rule REVERSINGLABS_Cert_Blocklist_157C3A4A6Bcf35Cf8453E6B6C0072E1D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Favorite-III" and pe.signatures[i].serial=="15:7c:3a:4a:6b:cf:35:cf:84:53:e6:b6:c0:07:2e:1d" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Favorite-III" and pe.signatures [ i ] . serial == "15:7c:3a:4a:6b:cf:35:cf:84:53:e6:b6:c0:07:2e:1d" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34767,13 +34767,13 @@ rule REVERSINGLABS_Cert_Blocklist_04422F12037Bc2032521Dbb6Ae02Ea0E : INFO FILE meta: description = "Certificate used for digitally signing GovRAT malware." author = "ReversingLabs" - id = "0dc659e8-1f3b-5130-a776-dd9e4141f5f3" + id = "83d38930-0699-5eb5-a766-9275641d6d2a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1508-L1524" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "381d749d24121d6634656fd33adcda5c3e500ee77a6333f525f351a2ee589e2c" + logic_hash = "v1_sha256_381d749d24121d6634656fd33adcda5c3e500ee77a6333f525f351a2ee589e2c" score = 75 quality = 90 tags = "INFO, FILE" @@ -34783,7 +34783,7 @@ rule REVERSINGLABS_Cert_Blocklist_04422F12037Bc2032521Dbb6Ae02Ea0E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, Muhammad Lee" and pe.signatures[i].serial=="04:42:2f:12:03:7b:c2:03:25:21:db:b6:ae:02:ea:0e" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, Muhammad Lee" and pe.signatures [ i ] . serial == "04:42:2f:12:03:7b:c2:03:25:21:db:b6:ae:02:ea:0e" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34792,13 +34792,13 @@ rule REVERSINGLABS_Cert_Blocklist_65Eae6C98111Dc40Bf4F962Bf27227F2 : INFO FILE meta: description = "Certificate used for digitally signing GovRAT malware." author = "ReversingLabs" - id = "34275efd-b941-56f5-8e1b-30a43f1936e2" + id = "5a974cb1-238b-5ad9-90c5-90d50a76f8a3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1526-L1542" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "20c0f4e9783586e68ff363fe6a72398f6ea27aef5d25f98872d1203ce1a0c9bd" + logic_hash = "v1_sha256_20c0f4e9783586e68ff363fe6a72398f6ea27aef5d25f98872d1203ce1a0c9bd" score = 75 quality = 90 tags = "INFO, FILE" @@ -34808,7 +34808,7 @@ rule REVERSINGLABS_Cert_Blocklist_65Eae6C98111Dc40Bf4F962Bf27227F2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, BHARATH KUCHANGI" and pe.signatures[i].serial=="65:ea:e6:c9:81:11:dc:40:bf:4f:96:2b:f2:72:27:f2" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, BHARATH KUCHANGI" and pe.signatures [ i ] . serial == "65:ea:e6:c9:81:11:dc:40:bf:4f:96:2b:f2:72:27:f2" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34817,13 +34817,13 @@ rule REVERSINGLABS_Cert_Blocklist_12D5A4B29Fe6156D4195Fba55Ae0D9A9 : INFO FILE meta: description = "Certificate used for digitally signing GovRAT malware." author = "ReversingLabs" - id = "45c37c98-1006-51e4-8832-b8e5c9fba416" + id = "b126cd79-33ba-5ef6-ade0-3b03bff21451" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1544-L1560" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "860550745f6dbcd7dd0925d9b8f04e8e08e8b7c06343a4c070e131a815c42e12" + logic_hash = "v1_sha256_860550745f6dbcd7dd0925d9b8f04e8e08e8b7c06343a4c070e131a815c42e12" score = 75 quality = 90 tags = "INFO, FILE" @@ -34833,7 +34833,7 @@ rule REVERSINGLABS_Cert_Blocklist_12D5A4B29Fe6156D4195Fba55Ae0D9A9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, Marc Chapon" and pe.signatures[i].serial=="12:d5:a4:b2:9f:e6:15:6d:41:95:fb:a5:5a:e0:d9:a9" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, Marc Chapon" and pe.signatures [ i ] . serial == "12:d5:a4:b2:9f:e6:15:6d:41:95:fb:a5:5a:e0:d9:a9" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34842,13 +34842,13 @@ rule REVERSINGLABS_Cert_Blocklist_0087D60D1E2B9374Eb7A735Dce4Bbdae56 : INFO FILE meta: description = "Certificate used for digitally signing GovRAT malware." author = "ReversingLabs" - id = "8759a40a-648e-548e-a519-bedc812aefe4" + id = "714b862e-0b97-5aaa-ae20-841b5351bbdd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1562-L1580" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d6e0d22e926a237f1cc6b71c6f8ce01e497723032c9efba1e6af7327a786b608" + logic_hash = "v1_sha256_d6e0d22e926a237f1cc6b71c6f8ce01e497723032c9efba1e6af7327a786b608" score = 75 quality = 90 tags = "INFO, FILE" @@ -34858,7 +34858,7 @@ rule REVERSINGLABS_Cert_Blocklist_0087D60D1E2B9374Eb7A735Dce4Bbdae56 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AMO-K Limited Liability Company" and (pe.signatures[i].serial=="00:87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56" or pe.signatures[i].serial=="87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56") and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AMO-K Limited Liability Company" and ( pe.signatures [ i ] . serial == "00:87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56" or pe.signatures [ i ] . serial == "87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56" ) and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34867,13 +34867,13 @@ rule REVERSINGLABS_Cert_Blocklist_0860C8A7Ed18C3F030A32722Fd2B220C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "335a1cd3-520a-5f0f-abda-6ec8a122de4b" + id = "d8fe70e7-ee11-5658-8862-d09e5404bee8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1582-L1598" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3c777fb157a6669bfdf3143e77f69265e09458a2b42b75b72680eb043da71e85" + logic_hash = "v1_sha256_3c777fb157a6669bfdf3143e77f69265e09458a2b42b75b72680eb043da71e85" score = 75 quality = 90 tags = "INFO, FILE" @@ -34883,7 +34883,7 @@ rule REVERSINGLABS_Cert_Blocklist_0860C8A7Ed18C3F030A32722Fd2B220C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, Tony Yeh" and pe.signatures[i].serial=="08:60:c8:a7:ed:18:c3:f0:30:a3:27:22:fd:2b:22:0c" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, Tony Yeh" and pe.signatures [ i ] . serial == "08:60:c8:a7:ed:18:c3:f0:30:a3:27:22:fd:2b:22:0c" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34892,13 +34892,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Fdadd0740572270203F8138692C4A83 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0b289c4e-c564-5513-a1a5-42e8551c6218" + id = "2d02db0c-d06e-5a94-840c-21337c36ffbc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1600-L1616" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "18ce7ed721a454c5bb3cd6ab26df703b1e08b94b8c518055feffa38ad42afa50" + logic_hash = "v1_sha256_18ce7ed721a454c5bb3cd6ab26df703b1e08b94b8c518055feffa38ad42afa50" score = 75 quality = 90 tags = "INFO, FILE" @@ -34908,7 +34908,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Fdadd0740572270203F8138692C4A83 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, William Zoltan" and pe.signatures[i].serial=="2f:da:dd:07:40:57:22:70:20:3f:81:38:69:2c:4a:83" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, William Zoltan" and pe.signatures [ i ] . serial == "2f:da:dd:07:40:57:22:70:20:3f:81:38:69:2c:4a:83" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34917,13 +34917,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Fc13D6220C629043A26F81B1Cad72D8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c2573adc-6580-58aa-a58c-c21bf6b79364" + id = "f06763f5-afd3-5ff6-b59a-f1d6c5bb67c4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1618-L1634" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5572c278f6c9be62b2bba09ea610fd170438c6893ee5283ff4a5b3bb2852b07b" + logic_hash = "v1_sha256_5572c278f6c9be62b2bba09ea610fd170438c6893ee5283ff4a5b3bb2852b07b" score = 75 quality = 90 tags = "INFO, FILE" @@ -34933,7 +34933,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Fc13D6220C629043A26F81B1Cad72D8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, meicun ge" and pe.signatures[i].serial=="4f:c1:3d:62:20:c6:29:04:3a:26:f8:1b:1c:ad:72:d8" and 1404172799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, meicun ge" and pe.signatures [ i ] . serial == "4f:c1:3d:62:20:c6:29:04:3a:26:f8:1b:1c:ad:72:d8" and 1404172799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34942,13 +34942,13 @@ rule REVERSINGLABS_Cert_Blocklist_3457A918C6D3701B2Eaca6A92474A7Cc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "12526715-7b54-5c31-aa2a-b77ed067e3ee" + id = "bf526f41-0408-5a7d-941b-2b30fa1bc6f6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1636-L1652" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "70d4bece52a86bfe8958f6d4195b833cea609596e3b68bb90087c262501bd462" + logic_hash = "v1_sha256_70d4bece52a86bfe8958f6d4195b833cea609596e3b68bb90087c262501bd462" score = 75 quality = 90 tags = "INFO, FILE" @@ -34958,7 +34958,7 @@ rule REVERSINGLABS_Cert_Blocklist_3457A918C6D3701B2Eaca6A92474A7Cc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "KONSALTING PLUS OOO" and pe.signatures[i].serial=="34:57:a9:18:c6:d3:70:1b:2e:ac:a6:a9:24:74:a7:cc" and 1432252799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "KONSALTING PLUS OOO" and pe.signatures [ i ] . serial == "34:57:a9:18:c6:d3:70:1b:2e:ac:a6:a9:24:74:a7:cc" and 1432252799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34967,13 +34967,13 @@ rule REVERSINGLABS_Cert_Blocklist_621Ed8265B0Ad872D9F4B4Ed6D560513 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b64e640c-264f-597c-90a5-d0ad57aa5075" + id = "2d4a10e4-caad-55ec-bc65-7b226bd26385" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1654-L1670" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c133d6eea5d27e597d0a656c7c930a5ca84adb46aa2fec66381b6b5c759e22aa" + logic_hash = "v1_sha256_c133d6eea5d27e597d0a656c7c930a5ca84adb46aa2fec66381b6b5c759e22aa" score = 75 quality = 90 tags = "INFO, FILE" @@ -34983,7 +34983,7 @@ rule REVERSINGLABS_Cert_Blocklist_621Ed8265B0Ad872D9F4B4Ed6D560513 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Fan Li" and pe.signatures[i].serial=="62:1e:d8:26:5b:0a:d8:72:d9:f4:b4:ed:6d:56:05:13" and 1413183357<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Fan Li" and pe.signatures [ i ] . serial == "62:1e:d8:26:5b:0a:d8:72:d9:f4:b4:ed:6d:56:05:13" and 1413183357 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -34992,13 +34992,13 @@ rule REVERSINGLABS_Cert_Blocklist_56E22B992B4C7F1Afeac1D63B492Bf54 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "28609e75-47cb-5017-bb92-046a9e8931c6" + id = "1bfd81bf-caad-5825-8b32-b3ff2a55c333" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1672-L1688" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ef058c0ec352260fa3db0fc74331d1da3c9eb8d161cef7635632fd7c569198c6" + logic_hash = "v1_sha256_ef058c0ec352260fa3db0fc74331d1da3c9eb8d161cef7635632fd7c569198c6" score = 75 quality = 90 tags = "INFO, FILE" @@ -35008,7 +35008,7 @@ rule REVERSINGLABS_Cert_Blocklist_56E22B992B4C7F1Afeac1D63B492Bf54 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, Hetem Ramadani" and pe.signatures[i].serial=="56:e2:2b:99:2b:4c:7f:1a:fe:ac:1d:63:b4:92:bf:54" and 1435622399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, Hetem Ramadani" and pe.signatures [ i ] . serial == "56:e2:2b:99:2b:4c:7f:1a:fe:ac:1d:63:b4:92:bf:54" and 1435622399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35017,13 +35017,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Bc3Bae4118D46F3Fdd9Beeeab749Fee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0d2f1f5f-119a-5069-abcb-e4e93d9964c3" + id = "fe41ed11-1a14-5c04-a43c-315c59b9fed2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1690-L1706" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fcbda27f8bf4dca8aa32103bb344380c82f0c701c25766df94c182ef94805a12" + logic_hash = "v1_sha256_fcbda27f8bf4dca8aa32103bb344380c82f0c701c25766df94c182ef94805a12" score = 75 quality = 90 tags = "INFO, FILE" @@ -35033,7 +35033,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Bc3Bae4118D46F3Fdd9Beeeab749Fee : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE6\\x9D\\x8E\\xE9\\x9B\\xAA\\xE6\\xA2\\x85" and pe.signatures[i].serial=="3b:c3:ba:e4:11:8d:46:f3:fd:d9:be:ee:ab:74:9f:ee" and 1442275199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE6\\x9D\\x8E\\xE9\\x9B\\xAA\\xE6\\xA2\\x85" and pe.signatures [ i ] . serial == "3b:c3:ba:e4:11:8d:46:f3:fd:d9:be:ee:ab:74:9f:ee" and 1442275199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35042,13 +35042,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F0449F7691E5B4C8E74E71Cae822179 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "17c99772-f2f9-56bc-be01-d9f62626a9ff" + id = "f5e27b65-c048-5191-a9f6-fc57d92836c2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1708-L1724" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f8d3593b357f27240a4399e877ae9044f783bb944ad47ec9fe8bbecc63be864c" + logic_hash = "v1_sha256_f8d3593b357f27240a4399e877ae9044f783bb944ad47ec9fe8bbecc63be864c" score = 75 quality = 90 tags = "INFO, FILE" @@ -35058,7 +35058,7 @@ rule REVERSINGLABS_Cert_Blocklist_0F0449F7691E5B4C8E74E71Cae822179 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SBO INVEST" and pe.signatures[i].serial=="0f:04:49:f7:69:1e:5b:4c:8e:74:e7:1c:ae:82:21:79" and 1432079999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SBO INVEST" and pe.signatures [ i ] . serial == "0f:04:49:f7:69:1e:5b:4c:8e:74:e7:1c:ae:82:21:79" and 1432079999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35067,13 +35067,13 @@ rule REVERSINGLABS_Cert_Blocklist_43Db4448D870D7Bdc275F36A01Fba36F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "47b3e681-87ae-5e70-8d02-18aa0daab0dc" + id = "f334b4de-c598-5bdf-926a-ce730f287b68" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1726-L1742" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "951e35e2c3f1bd90a33f8b76b6ede5686ee9b9c97a4c71df5b9dff15956209c5" + logic_hash = "v1_sha256_951e35e2c3f1bd90a33f8b76b6ede5686ee9b9c97a4c71df5b9dff15956209c5" score = 75 quality = 90 tags = "INFO, FILE" @@ -35083,7 +35083,7 @@ rule REVERSINGLABS_Cert_Blocklist_43Db4448D870D7Bdc275F36A01Fba36F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "3-T TOV" and pe.signatures[i].serial=="43:db:44:48:d8:70:d7:bd:c2:75:f3:6a:01:fb:a3:6f" and 1436227199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "3-T TOV" and pe.signatures [ i ] . serial == "43:db:44:48:d8:70:d7:bd:c2:75:f3:6a:01:fb:a3:6f" and 1436227199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35092,13 +35092,13 @@ rule REVERSINGLABS_Cert_Blocklist_2880A7F7Ff2D334Aa08744A8754Fab2C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b079b564-9284-59b6-9703-4e33f2b2c44d" + id = "a18bfeee-ba7a-5441-9611-51e68f8a6405" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1744-L1760" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "03c7e1251c44e8824ae3b648a95cf34f4c56db65d76806306a062a343981d87f" + logic_hash = "v1_sha256_03c7e1251c44e8824ae3b648a95cf34f4c56db65d76806306a062a343981d87f" score = 75 quality = 90 tags = "INFO, FILE" @@ -35108,7 +35108,7 @@ rule REVERSINGLABS_Cert_Blocklist_2880A7F7Ff2D334Aa08744A8754Fab2C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Garena Online Pte Ltd" and pe.signatures[i].serial=="28:80:a7:f7:ff:2d:33:4a:a0:87:44:a8:75:4f:ab:2c" and 1393891199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Garena Online Pte Ltd" and pe.signatures [ i ] . serial == "28:80:a7:f7:ff:2d:33:4a:a0:87:44:a8:75:4f:ab:2c" and 1393891199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35117,13 +35117,13 @@ rule REVERSINGLABS_Cert_Blocklist_0492F5C18E26Fa0Cd7E15067674Aff1C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6a176d4a-5d3e-5184-b923-12d561e7034a" + id = "23736437-4673-5dfa-8fc4-cf92d4e7df77" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1762-L1778" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d47d59d7680000d6c35181be2d9b034c2ecb7ca754a39c8e11750ddd7246b47c" + logic_hash = "v1_sha256_d47d59d7680000d6c35181be2d9b034c2ecb7ca754a39c8e11750ddd7246b47c" score = 75 quality = 90 tags = "INFO, FILE" @@ -35133,7 +35133,7 @@ rule REVERSINGLABS_Cert_Blocklist_0492F5C18E26Fa0Cd7E15067674Aff1C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ghada Saffarini" and pe.signatures[i].serial=="04:92:f5:c1:8e:26:fa:0c:d7:e1:50:67:67:4a:ff:1c" and 1445990399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ghada Saffarini" and pe.signatures [ i ] . serial == "04:92:f5:c1:8e:26:fa:0c:d7:e1:50:67:67:4a:ff:1c" and 1445990399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35142,13 +35142,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Aa668Cd6A9De1Fdd476Ea8225326937 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bfff2210-8545-594d-8674-243e57e3dd09" + id = "cb6b18e3-8d93-50a3-9418-1a646eedaa0a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1780-L1796" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "706e16995af40a6c9176dcbca07fb406f2efe4d47dbd9629d1a6b1ab1d09b045" + logic_hash = "v1_sha256_706e16995af40a6c9176dcbca07fb406f2efe4d47dbd9629d1a6b1ab1d09b045" score = 75 quality = 90 tags = "INFO, FILE" @@ -35158,7 +35158,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Aa668Cd6A9De1Fdd476Ea8225326937 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BSCP LIMITED" and pe.signatures[i].serial=="6a:a6:68:cd:6a:9d:e1:fd:d4:76:ea:82:25:32:69:37" and 1441583999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BSCP LIMITED" and pe.signatures [ i ] . serial == "6a:a6:68:cd:6a:9d:e1:fd:d4:76:ea:82:25:32:69:37" and 1441583999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35167,13 +35167,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb06Dccb482255728671Ea12Ac41620 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5a7f61a4-15ba-5f5c-89e1-b8b986e13f19" + id = "623e6bb6-9746-5727-b0d9-491f37afa268" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1798-L1814" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e0867ffe2ddd28282fe78b27b3b12ebac525b33a27dd242bc6f55bcd2e066a18" + logic_hash = "v1_sha256_e0867ffe2ddd28282fe78b27b3b12ebac525b33a27dd242bc6f55bcd2e066a18" score = 75 quality = 90 tags = "INFO, FILE" @@ -35183,7 +35183,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb06Dccb482255728671Ea12Ac41620 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Fangzhen Li" and pe.signatures[i].serial=="1c:b0:6d:cc:b4:82:25:57:28:67:1e:a1:2a:c4:16:20" and 1445126399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Fangzhen Li" and pe.signatures [ i ] . serial == "1c:b0:6d:cc:b4:82:25:57:28:67:1e:a1:2a:c4:16:20" and 1445126399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35192,13 +35192,13 @@ rule REVERSINGLABS_Cert_Blocklist_370C2467C41D6019Bbecd72E00C5D73D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "18c5d1bb-21b8-5157-a03b-8bcbdc74c0cd" + id = "ae5a04c0-6ee1-5841-8924-50b7734c99d4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1816-L1832" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b99522b75ee83d85b30146cb292b5a8a46dc300fb43dd9d39d9ca96c9d32d9b" + logic_hash = "v1_sha256_2b99522b75ee83d85b30146cb292b5a8a46dc300fb43dd9d39d9ca96c9d32d9b" score = 75 quality = 90 tags = "INFO, FILE" @@ -35208,7 +35208,7 @@ rule REVERSINGLABS_Cert_Blocklist_370C2467C41D6019Bbecd72E00C5D73D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "UNINFO SISTEMAS LTDA ME" and pe.signatures[i].serial=="37:0c:24:67:c4:1d:60:19:bb:ec:d7:2e:00:c5:d7:3d" and 1445299199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "UNINFO SISTEMAS LTDA ME" and pe.signatures [ i ] . serial == "37:0c:24:67:c4:1d:60:19:bb:ec:d7:2e:00:c5:d7:3d" and 1445299199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35217,13 +35217,13 @@ rule REVERSINGLABS_Cert_Blocklist_5067339614C5Cc219C489D40420F3Bf9 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "6e0cb6f9-0a92-5eb2-b13f-f9c4eb0ae6b1" + id = "5a889259-0acd-52c1-9b6c-f2f18cb3e299" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1834-L1850" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1716087285a093a3467583f79d7ae9bee641997227e6d4f95047905aedcc97c6" + logic_hash = "v1_sha256_1716087285a093a3467583f79d7ae9bee641997227e6d4f95047905aedcc97c6" score = 75 quality = 90 tags = "INFO, FILE" @@ -35233,7 +35233,7 @@ rule REVERSINGLABS_Cert_Blocklist_5067339614C5Cc219C489D40420F3Bf9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "D-LINK CORPORATION" and pe.signatures[i].serial=="50:67:33:96:14:c5:cc:21:9c:48:9d:40:42:0f:3b:f9" and 1441238400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "D-LINK CORPORATION" and pe.signatures [ i ] . serial == "50:67:33:96:14:c5:cc:21:9c:48:9d:40:42:0f:3b:f9" and 1441238400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35242,13 +35242,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E32531Ae83992F0573120A5E78De271 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "37fc58ea-63d4-569d-968f-f4775403b0bb" + id = "24b36182-58c1-5ade-b23a-8bd848bdd713" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1852-L1868" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b6d54ea8395c3666906b2e60c30b970c2c1b6f55ded874cbcc22dc79391fb34" + logic_hash = "v1_sha256_2b6d54ea8395c3666906b2e60c30b970c2c1b6f55ded874cbcc22dc79391fb34" score = 75 quality = 90 tags = "INFO, FILE" @@ -35258,7 +35258,7 @@ rule REVERSINGLABS_Cert_Blocklist_6E32531Ae83992F0573120A5E78De271 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "3 AM CHP" and pe.signatures[i].serial=="6e:32:53:1a:e8:39:92:f0:57:31:20:a5:e7:8d:e2:71" and 1451606399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "3 AM CHP" and pe.signatures [ i ] . serial == "6e:32:53:1a:e8:39:92:f0:57:31:20:a5:e7:8d:e2:71" and 1451606399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35267,13 +35267,13 @@ rule REVERSINGLABS_Cert_Blocklist_6967A89Bcf6Efef160Aaeebbff376C0A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d6714f50-600b-5437-8be6-097f7dd93dc7" + id = "b6d9fdf7-b919-5bb9-b124-8553547dd059" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1870-L1886" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "deb7465e453aa5838f81e15e270abc958a65e1a6051a88a5910244edbe874451" + logic_hash = "v1_sha256_deb7465e453aa5838f81e15e270abc958a65e1a6051a88a5910244edbe874451" score = 75 quality = 90 tags = "INFO, FILE" @@ -35283,7 +35283,7 @@ rule REVERSINGLABS_Cert_Blocklist_6967A89Bcf6Efef160Aaeebbff376C0A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Chang Yucheng" and pe.signatures[i].serial=="69:67:a8:9b:cf:6e:fe:f1:60:aa:ee:bb:ff:37:6c:0a" and 1451174399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Chang Yucheng" and pe.signatures [ i ] . serial == "69:67:a8:9b:cf:6e:fe:f1:60:aa:ee:bb:ff:37:6c:0a" and 1451174399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35292,13 +35292,13 @@ rule REVERSINGLABS_Cert_Blocklist_7473D95405D2B0B3A8F28785Ce6E74Ca : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7f44b9d8-917b-5fc4-9651-cce89358e415" + id = "83f29658-690a-54ff-81e2-b7dad3797467" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1888-L1904" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e15b990b13617017ca2d1f8caf03d8ff3785ca9b860bf11f81af5dadf17a9be5" + logic_hash = "v1_sha256_e15b990b13617017ca2d1f8caf03d8ff3785ca9b860bf11f81af5dadf17a9be5" score = 75 quality = 90 tags = "INFO, FILE" @@ -35308,7 +35308,7 @@ rule REVERSINGLABS_Cert_Blocklist_7473D95405D2B0B3A8F28785Ce6E74Ca : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Dmitrij Emelyanov" and pe.signatures[i].serial=="74:73:d9:54:05:d2:b0:b3:a8:f2:87:85:ce:6e:74:ca" and 1453939199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Dmitrij Emelyanov" and pe.signatures [ i ] . serial == "74:73:d9:54:05:d2:b0:b3:a8:f2:87:85:ce:6e:74:ca" and 1453939199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35317,13 +35317,13 @@ rule REVERSINGLABS_Cert_Blocklist_04F380F97579F1702A85E0169Bbdfd78 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "860027ff-2df2-5519-afde-60ebee270290" + id = "1c240ac4-fa7e-5cba-a8b8-a7d28ad3681c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1906-L1922" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "73dc6e36fdaf5c80b33f20f2a9157805ce1d0218f3898104de16522ee9cfd51b" + logic_hash = "v1_sha256_73dc6e36fdaf5c80b33f20f2a9157805ce1d0218f3898104de16522ee9cfd51b" score = 75 quality = 90 tags = "INFO, FILE" @@ -35333,7 +35333,7 @@ rule REVERSINGLABS_Cert_Blocklist_04F380F97579F1702A85E0169Bbdfd78 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GRANIFLOR" and pe.signatures[i].serial=="04:f3:80:f9:75:79:f1:70:2a:85:e0:16:9b:bd:fd:78" and 1454889599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GRANIFLOR" and pe.signatures [ i ] . serial == "04:f3:80:f9:75:79:f1:70:2a:85:e0:16:9b:bd:fd:78" and 1454889599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35342,13 +35342,13 @@ rule REVERSINGLABS_Cert_Blocklist_04D6B8Cc6Dce353Fcf3Ae8A532Be7255 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "937dd780-52f7-5f27-ac2e-a0245997d449" + id = "9178b6ac-b2cd-58d2-bce1-ad079d97294a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1924-L1940" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a316ad7f554428d02a850fb3bb04f349d30ecd2ccd4597e7a63461bf5e866e6f" + logic_hash = "v1_sha256_a316ad7f554428d02a850fb3bb04f349d30ecd2ccd4597e7a63461bf5e866e6f" score = 75 quality = 90 tags = "INFO, FILE" @@ -35358,7 +35358,7 @@ rule REVERSINGLABS_Cert_Blocklist_04D6B8Cc6Dce353Fcf3Ae8A532Be7255 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MADERA" and pe.signatures[i].serial=="04:d6:b8:cc:6d:ce:35:3f:cf:3a:e8:a5:32:be:72:55" and 1451692799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MADERA" and pe.signatures [ i ] . serial == "04:d6:b8:cc:6d:ce:35:3f:cf:3a:e8:a5:32:be:72:55" and 1451692799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35367,13 +35367,13 @@ rule REVERSINGLABS_Cert_Blocklist_191322A00200F793 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4011e54c-ca28-536f-8759-077fcce6d45f" + id = "81fe75a6-fd0d-5d4a-aebb-8bfccff1edeb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1942-L1958" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1b816785f86189817c124636e50a0f369ec85cfd898223c4ba43758a877f1cf3" + logic_hash = "v1_sha256_1b816785f86189817c124636e50a0f369ec85cfd898223c4ba43758a877f1cf3" score = 75 quality = 90 tags = "INFO, FILE" @@ -35383,7 +35383,7 @@ rule REVERSINGLABS_Cert_Blocklist_191322A00200F793 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PRABHAKAR NARAYAN" and pe.signatures[i].serial=="19:13:22:a0:02:00:f7:93" and 1442966399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PRABHAKAR NARAYAN" and pe.signatures [ i ] . serial == "19:13:22:a0:02:00:f7:93" and 1442966399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35392,13 +35392,13 @@ rule REVERSINGLABS_Cert_Blocklist_451C9D0B413E6E8Df175 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "adc832c0-166d-52d1-aeec-2fc92ff52d02" + id = "83e818ef-bf03-5469-a47d-54109422196e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1960-L1976" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7c94d87f79c9add4d7bf2a63d0774449319aa56cbc631dd9b0f19ed9bb9837d4" + logic_hash = "v1_sha256_7c94d87f79c9add4d7bf2a63d0774449319aa56cbc631dd9b0f19ed9bb9837d4" score = 75 quality = 90 tags = "INFO, FILE" @@ -35408,7 +35408,7 @@ rule REVERSINGLABS_Cert_Blocklist_451C9D0B413E6E8Df175 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PRASAD UPENDRA" and pe.signatures[i].serial=="45:1c:9d:0b:41:3e:6e:8d:f1:75" and 1442275199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PRASAD UPENDRA" and pe.signatures [ i ] . serial == "45:1c:9d:0b:41:3e:6e:8d:f1:75" and 1442275199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35417,13 +35417,13 @@ rule REVERSINGLABS_Cert_Blocklist_03943858218F35Adb7073A6027555621 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fbaf4c7a-5f20-57f7-b6b7-143fdbf0e5c2" + id = "e8b490f2-7b49-5a32-96de-7f43d4c99bc2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1978-L1994" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "93369d51b73591559494a48fafa5e4f7d46301ecaa379d8de70a70ac4d2d2728" + logic_hash = "v1_sha256_93369d51b73591559494a48fafa5e4f7d46301ecaa379d8de70a70ac4d2d2728" score = 75 quality = 90 tags = "INFO, FILE" @@ -35433,7 +35433,7 @@ rule REVERSINGLABS_Cert_Blocklist_03943858218F35Adb7073A6027555621 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RuN APps FOrEver lld" and pe.signatures[i].serial=="03:94:38:58:21:8f:35:ad:b7:07:3a:60:27:55:56:21" and 1480550399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RuN APps FOrEver lld" and pe.signatures [ i ] . serial == "03:94:38:58:21:8f:35:ad:b7:07:3a:60:27:55:56:21" and 1480550399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35442,13 +35442,13 @@ rule REVERSINGLABS_Cert_Blocklist_09813Ee7318452C28A1F6426D1Cee12D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "db3c1992-b6a1-5aaf-ae3a-c626b531529a" + id = "f0cd893e-80c6-5142-a7a5-97f75e8cc515" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1996-L2012" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "89eb019192f822f9fe070403161d81e425fb8acdbc80e55fa516b5607eb8f8c7" + logic_hash = "v1_sha256_89eb019192f822f9fe070403161d81e425fb8acdbc80e55fa516b5607eb8f8c7" score = 75 quality = 90 tags = "INFO, FILE" @@ -35458,7 +35458,7 @@ rule REVERSINGLABS_Cert_Blocklist_09813Ee7318452C28A1F6426D1Cee12D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Saly Younes" and pe.signatures[i].serial=="09:81:3e:e7:31:84:52:c2:8a:1f:64:26:d1:ce:e1:2d" and 1455667199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Saly Younes" and pe.signatures [ i ] . serial == "09:81:3e:e7:31:84:52:c2:8a:1f:64:26:d1:ce:e1:2d" and 1455667199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35467,13 +35467,13 @@ rule REVERSINGLABS_Cert_Blocklist_476Bf24A4B1E9F4Bc2A61B152115E1Fe : INFO FILE meta: description = "Certificate used for digitally signing Derusbi malware." author = "ReversingLabs" - id = "a41e8196-f5ad-5046-82ac-38c6fe753bdb" + id = "59f6775d-4344-5a5e-b50a-e4c6ae345d79" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2014-L2030" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ec0f44d2a7a53ad5653334378b631abde1834ebfcf72efcdcce353c6b9ae17d" + logic_hash = "v1_sha256_0ec0f44d2a7a53ad5653334378b631abde1834ebfcf72efcdcce353c6b9ae17d" score = 75 quality = 90 tags = "INFO, FILE" @@ -35483,7 +35483,7 @@ rule REVERSINGLABS_Cert_Blocklist_476Bf24A4B1E9F4Bc2A61B152115E1Fe : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Wemade Entertainment co.,Ltd" and pe.signatures[i].serial=="47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" and 1414454399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Wemade Entertainment co.,Ltd" and pe.signatures [ i ] . serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" and 1414454399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35492,13 +35492,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Bd55818C5971B63Dc45Cf57Cbeb950B : INFO FILE meta: description = "Certificate used for digitally signing Derusbi malware." author = "ReversingLabs" - id = "9269cc5c-039e-5d98-ac13-c7b99606e7fa" + id = "4146c8d8-2f8d-5d52-8d34-6e8c4b4579d9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2032-L2048" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5aa41a2d6a86a30559b36818602e1bdf2bfd38b799a4869c26c150052d6d788c" + logic_hash = "v1_sha256_5aa41a2d6a86a30559b36818602e1bdf2bfd38b799a4869c26c150052d6d788c" score = 75 quality = 90 tags = "INFO, FILE" @@ -35508,7 +35508,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Bd55818C5971B63Dc45Cf57Cbeb950B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "XL Games Co.,Ltd." and pe.signatures[i].serial=="7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" and 1371513599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "XL Games Co.,Ltd." and pe.signatures [ i ] . serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" and 1371513599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35517,13 +35517,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C0B2E9D2Ef909D15270D4Dd7Fa5A4A5 : INFO FILE meta: description = "Certificate used for digitally signing Derusbi malware." author = "ReversingLabs" - id = "97005464-1219-56d7-bd5c-f047558be1dc" + id = "7ea27d85-e09b-5cac-ac23-dc8e57f6e172" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2050-L2066" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9c74eb025bb413503b97ffdba6f19eadecf3789ce3a5d5419f84e32e25c9b5b1" + logic_hash = "v1_sha256_9c74eb025bb413503b97ffdba6f19eadecf3789ce3a5d5419f84e32e25c9b5b1" score = 75 quality = 90 tags = "INFO, FILE" @@ -35533,7 +35533,7 @@ rule REVERSINGLABS_Cert_Blocklist_4C0B2E9D2Ef909D15270D4Dd7Fa5A4A5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Fuqing Dawu Technology Co.,Ltd." and pe.signatures[i].serial=="4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" and 1372118399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Fuqing Dawu Technology Co.,Ltd." and pe.signatures [ i ] . serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" and 1372118399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35542,13 +35542,13 @@ rule REVERSINGLABS_Cert_Blocklist_5E3D76Dc7E273E2F313Fc0775847A2A2 : INFO FILE meta: description = "Certificate used for digitally signing Sakula and Derusbi malware." author = "ReversingLabs" - id = "93707307-a250-526d-a3d4-32ed5d2a63a6" + id = "56a5288c-ae62-5bd0-8038-16aa46815469" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2068-L2084" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b943057fc3e97cfccadb4b8f61289a93b659aacf2a40217fcf519d4882e70708" + logic_hash = "v1_sha256_b943057fc3e97cfccadb4b8f61289a93b659aacf2a40217fcf519d4882e70708" score = 75 quality = 90 tags = "INFO, FILE" @@ -35558,7 +35558,7 @@ rule REVERSINGLABS_Cert_Blocklist_5E3D76Dc7E273E2F313Fc0775847A2A2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "NexG" and pe.signatures[i].serial=="5e:3d:76:dc:7e:27:3e:2f:31:3f:c0:77:58:47:a2:a2" and 1372723199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "NexG" and pe.signatures [ i ] . serial == "5e:3d:76:dc:7e:27:3e:2f:31:3f:c0:77:58:47:a2:a2" and 1372723199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35567,13 +35567,13 @@ rule REVERSINGLABS_Cert_Blocklist_47D5D5372Bcb1562B4C9F4C2Bdf13587 : INFO FILE meta: description = "Certificate used for digitally signing Sakula malware." author = "ReversingLabs" - id = "d888478e-3883-5d9d-a2b3-d59b57409b8d" + id = "7cd3951c-9caa-5350-b364-a526a6e28fc9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2086-L2102" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fb4994647a2ed95c73625d90315c9b6deb6fb3b81b4aa6e847b0193f0a76650c" + logic_hash = "v1_sha256_fb4994647a2ed95c73625d90315c9b6deb6fb3b81b4aa6e847b0193f0a76650c" score = 75 quality = 90 tags = "INFO, FILE" @@ -35583,7 +35583,7 @@ rule REVERSINGLABS_Cert_Blocklist_47D5D5372Bcb1562B4C9F4C2Bdf13587 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DTOPTOOLZ Co.,Ltd." and pe.signatures[i].serial=="47:d5:d5:37:2b:cb:15:62:b4:c9:f4:c2:bd:f1:35:87" and 1400803199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DTOPTOOLZ Co.,Ltd." and pe.signatures [ i ] . serial == "47:d5:d5:37:2b:cb:15:62:b4:c9:f4:c2:bd:f1:35:87" and 1400803199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35592,13 +35592,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Ac10E68F1Ce519E84Ddcd28B11Fa542 : INFO FILE meta: description = "Certificate used for digitally signing Sakula malware." author = "ReversingLabs" - id = "9cc0e518-84c8-5b23-b8cb-e0e0fe7849bd" + id = "5d642fc9-a444-53bf-b03f-3306ca56ec90" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2104-L2120" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dac3b6b7609ec1e82afe4f9c6c14e2d32b6f5d8d49c59d6c605f2a94d71bc107" + logic_hash = "v1_sha256_dac3b6b7609ec1e82afe4f9c6c14e2d32b6f5d8d49c59d6c605f2a94d71bc107" score = 75 quality = 90 tags = "INFO, FILE" @@ -35608,7 +35608,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Ac10E68F1Ce519E84Ddcd28B11Fa542 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "U-Tech IT service" and pe.signatures[i].serial=="3a:c1:0e:68:f1:ce:51:9e:84:dd:cd:28:b1:1f:a5:42" and 1420156799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "U-Tech IT service" and pe.signatures [ i ] . serial == "3a:c1:0e:68:f1:ce:51:9e:84:dd:cd:28:b1:1f:a5:42" and 1420156799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35617,13 +35617,13 @@ rule REVERSINGLABS_Cert_Blocklist_31062E483E0106B18C982F0053185C36 : INFO FILE meta: description = "Certificate used for digitally signing Sakula malware." author = "ReversingLabs" - id = "84bce7c1-efba-5a76-8865-dcfcc8e50d41" + id = "bfeaaaac-f8d7-5e76-abbe-4a18ef5f5eb7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2122-L2138" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e45fc5b4d1b9f5cd35c56aad381e26e30675a9d99747cd318f3c77ea2af0e14a" + logic_hash = "v1_sha256_e45fc5b4d1b9f5cd35c56aad381e26e30675a9d99747cd318f3c77ea2af0e14a" score = 75 quality = 90 tags = "INFO, FILE" @@ -35633,7 +35633,7 @@ rule REVERSINGLABS_Cert_Blocklist_31062E483E0106B18C982F0053185C36 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MICRO DIGITAL INC." and pe.signatures[i].serial=="31:06:2e:48:3e:01:06:b1:8c:98:2f:00:53:18:5c:36" and 1332287999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MICRO DIGITAL INC." and pe.signatures [ i ] . serial == "31:06:2e:48:3e:01:06:b1:8c:98:2f:00:53:18:5c:36" and 1332287999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35642,13 +35642,13 @@ rule REVERSINGLABS_Cert_Blocklist_20D0Ee42Fc901E6B3A8Fefe8C1E6087A : INFO FILE meta: description = "Certificate used for digitally signing Sakula malware." author = "ReversingLabs" - id = "ba37919a-584b-5ff7-b4d5-5b711cc87b1f" + id = "8dff7c52-d6aa-5540-a094-252437eb9e1b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2140-L2156" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2225302de1e8fe9f2ad064e19b2b1d9faf90c7cafbebff6ddd0921bf57c5f9e6" + logic_hash = "v1_sha256_2225302de1e8fe9f2ad064e19b2b1d9faf90c7cafbebff6ddd0921bf57c5f9e6" score = 75 quality = 90 tags = "INFO, FILE" @@ -35658,7 +35658,7 @@ rule REVERSINGLABS_Cert_Blocklist_20D0Ee42Fc901E6B3A8Fefe8C1E6087A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SJ SYSTEM" and pe.signatures[i].serial=="20:d0:ee:42:fc:90:1e:6b:3a:8f:ef:e8:c1:e6:08:7a" and 1391299199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SJ SYSTEM" and pe.signatures [ i ] . serial == "20:d0:ee:42:fc:90:1e:6b:3a:8f:ef:e8:c1:e6:08:7a" and 1391299199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35667,13 +35667,13 @@ rule REVERSINGLABS_Cert_Blocklist_127251B32B9A50Bd : INFO FILE meta: description = "Certificate used for digitally signing OSX DokSpy backdoor." author = "ReversingLabs" - id = "3581085c-a6e7-571f-8253-f8d9e90e78fc" + id = "831d550b-c18b-5434-92aa-e749ac26d471" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2158-L2174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8552ce9e9ab8d6b1025ab3c6e7b2485ef855236114c426475fde0b5f2e231ec9" + logic_hash = "v1_sha256_8552ce9e9ab8d6b1025ab3c6e7b2485ef855236114c426475fde0b5f2e231ec9" score = 75 quality = 90 tags = "INFO, FILE" @@ -35683,7 +35683,7 @@ rule REVERSINGLABS_Cert_Blocklist_127251B32B9A50Bd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Developer ID Application: Edouard Roulet (W7J9LRHXTG)" and pe.signatures[i].serial=="12:72:51:b3:2b:9a:50:bd" and 1493769599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Developer ID Application: Edouard Roulet (W7J9LRHXTG)" and pe.signatures [ i ] . serial == "12:72:51:b3:2b:9a:50:bd" and 1493769599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35692,13 +35692,13 @@ rule REVERSINGLABS_Cert_Blocklist_48Cad4E6966E22D6 : INFO FILE meta: description = "Certificate used for digitally signing OSX DokSpy backdoor." author = "ReversingLabs" - id = "22d62d7e-3f76-5f6b-a3f1-a6b087fb63e2" + id = "b276bbaa-0b32-577b-9529-c70fdd7520e8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2176-L2192" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7733b8a97d9f3538db04309a2e3f9df6cb64930b0b6f7f241c3e629be2dd7804" + logic_hash = "v1_sha256_7733b8a97d9f3538db04309a2e3f9df6cb64930b0b6f7f241c3e629be2dd7804" score = 75 quality = 90 tags = "INFO, FILE" @@ -35708,7 +35708,7 @@ rule REVERSINGLABS_Cert_Blocklist_48Cad4E6966E22D6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Developer ID Application: Seven Muller (FUP9692NN6)" and pe.signatures[i].serial=="48:ca:d4:e6:96:6e:22:d6" and 1492732799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Developer ID Application: Seven Muller (FUP9692NN6)" and pe.signatures [ i ] . serial == "48:ca:d4:e6:96:6e:22:d6" and 1492732799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35717,13 +35717,13 @@ rule REVERSINGLABS_Cert_Blocklist_5E15205F180442Cc6C3C0F03E1A33D9F : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "4a0d995a-37df-52a4-a66f-4bc6c290c10a" + id = "bae1b19d-3d31-5e27-9ceb-20f004146bdc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2194-L2210" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1ca238b5da4ff9940425c99f55542c931ccdf0ea3b0a2acbf00ffbbb54171ae0" + logic_hash = "v1_sha256_1ca238b5da4ff9940425c99f55542c931ccdf0ea3b0a2acbf00ffbbb54171ae0" score = 75 quality = 90 tags = "INFO, FILE" @@ -35733,7 +35733,7 @@ rule REVERSINGLABS_Cert_Blocklist_5E15205F180442Cc6C3C0F03E1A33D9F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ziber Ltd" and pe.signatures[i].serial=="5e:15:20:5f:18:04:42:cc:6c:3c:0f:03:e1:a3:3d:9f" and 1498607999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ziber Ltd" and pe.signatures [ i ] . serial == "5e:15:20:5f:18:04:42:cc:6c:3c:0f:03:e1:a3:3d:9f" and 1498607999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35742,13 +35742,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C8E3B1613F73542F7106F272094Eb23 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "06f79efe-134e-5941-80fe-3b6482ac9668" + id = "fb0ad329-cccb-50d4-8312-d01d01447004" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2212-L2228" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "15c21b783409d904a0b4971dbdcbd0740083d13f3c633ee77c87df46d3aca748" + logic_hash = "v1_sha256_15c21b783409d904a0b4971dbdcbd0740083d13f3c633ee77c87df46d3aca748" score = 75 quality = 90 tags = "INFO, FILE" @@ -35758,7 +35758,7 @@ rule REVERSINGLABS_Cert_Blocklist_4C8E3B1613F73542F7106F272094Eb23 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ADD Audit" and pe.signatures[i].serial=="4c:8e:3b:16:13:f7:35:42:f7:10:6f:27:20:94:eb:23" and 1472687999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ADD Audit" and pe.signatures [ i ] . serial == "4c:8e:3b:16:13:f7:35:42:f7:10:6f:27:20:94:eb:23" and 1472687999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35767,13 +35767,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Ce2Bd0Ad3Cfde9Ea73Eec7Ca30400Da : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "b7439b38-c8b7-5dcb-8d10-952862ce3465" + id = "e26cfb12-4584-583b-8657-3b6d8533fe32" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2230-L2246" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a879ecd957acd29e8a5bad6c97cd10453ab857949680b522735bd77eb561d2ee" + logic_hash = "v1_sha256_a879ecd957acd29e8a5bad6c97cd10453ab857949680b522735bd77eb561d2ee" score = 75 quality = 90 tags = "INFO, FILE" @@ -35783,7 +35783,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Ce2Bd0Ad3Cfde9Ea73Eec7Ca30400Da : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Media Lid" and pe.signatures[i].serial=="2c:e2:bd:0a:d3:cf:de:9e:a7:3e:ec:7c:a3:04:00:da" and 1493337599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Media Lid" and pe.signatures [ i ] . serial == "2c:e2:bd:0a:d3:cf:de:9e:a7:3e:ec:7c:a3:04:00:da" and 1493337599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35792,13 +35792,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fbc30Db127A536C34D7A0Fa81B48193 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "c755a6c1-e113-5513-9a61-87bf6d7dcb3e" + id = "cc5c248c-9c05-5353-b6c6-30b4c8d9fe9e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2248-L2264" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6b109b5636aa297a6e07f9d9213f7f07a7767b58442d03dc2f34f8a9b3eaba2b" + logic_hash = "v1_sha256_6b109b5636aa297a6e07f9d9213f7f07a7767b58442d03dc2f34f8a9b3eaba2b" score = 75 quality = 90 tags = "INFO, FILE" @@ -35808,7 +35808,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Fbc30Db127A536C34D7A0Fa81B48193 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Megabit, OOO" and pe.signatures[i].serial=="0f:bc:30:db:12:7a:53:6c:34:d7:a0:fa:81:b4:81:93" and 1466121599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Megabit, OOO" and pe.signatures [ i ] . serial == "0f:bc:30:db:12:7a:53:6c:34:d7:a0:fa:81:b4:81:93" and 1466121599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35817,13 +35817,13 @@ rule REVERSINGLABS_Cert_Blocklist_08448Bd6Ee9105Ae31228Ea5Fe496F63 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "489ffe25-43cf-55b6-b249-17d251b9774e" + id = "3d7713f2-4a5e-53ec-aefa-6d1c8737f83d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2266-L2282" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9bc044b4fdf381274a2c31bc997dcdfd553595d92de7b33dc472353a00011711" + logic_hash = "v1_sha256_9bc044b4fdf381274a2c31bc997dcdfd553595d92de7b33dc472353a00011711" score = 75 quality = 90 tags = "INFO, FILE" @@ -35833,7 +35833,7 @@ rule REVERSINGLABS_Cert_Blocklist_08448Bd6Ee9105Ae31228Ea5Fe496F63 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Raffaele Carnacina" and pe.signatures[i].serial=="08:44:8b:d6:ee:91:05:ae:31:22:8e:a5:fe:49:6f:63" and 1445212799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Raffaele Carnacina" and pe.signatures [ i ] . serial == "08:44:8b:d6:ee:91:05:ae:31:22:8e:a5:fe:49:6f:63" and 1445212799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35842,13 +35842,13 @@ rule REVERSINGLABS_Cert_Blocklist_02F17566Ef568Dc06C9A379Ea2F4Faea : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "a14e16ff-844c-53ff-9297-8760265da747" + id = "f329536b-17a3-57be-a082-0c49edc1d74f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2284-L2300" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e3ec8a6de817354862880301e78a999f45f02c2fa8512bba6d27c9776f1a3417" + logic_hash = "v1_sha256_e3ec8a6de817354862880301e78a999f45f02c2fa8512bba6d27c9776f1a3417" score = 75 quality = 90 tags = "INFO, FILE" @@ -35858,7 +35858,7 @@ rule REVERSINGLABS_Cert_Blocklist_02F17566Ef568Dc06C9A379Ea2F4Faea : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VALERIANO BEDESCHI" and pe.signatures[i].serial=="02:f1:75:66:ef:56:8d:c0:6c:9a:37:9e:a2:f4:fa:ea" and 1441324799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VALERIANO BEDESCHI" and pe.signatures [ i ] . serial == "02:f1:75:66:ef:56:8d:c0:6c:9a:37:9e:a2:f4:fa:ea" and 1441324799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35867,13 +35867,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D824Ba1F7F730319C50D64C9A7Ed507 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4372aea7-a25b-5211-befd-9e0bcfb09199" + id = "23dd5d56-ac05-5324-902d-3305796eff9a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2302-L2318" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "407611603974c910d9a6a0ed71ecdf54ddcc59abb0f48c60846e61d6d4191933" + logic_hash = "v1_sha256_407611603974c910d9a6a0ed71ecdf54ddcc59abb0f48c60846e61d6d4191933" score = 75 quality = 90 tags = "INFO, FILE" @@ -35883,7 +35883,7 @@ rule REVERSINGLABS_Cert_Blocklist_7D824Ba1F7F730319C50D64C9A7Ed507 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "joaweb" and pe.signatures[i].serial=="7d:82:4b:a1:f7:f7:30:31:9c:50:d6:4c:9a:7e:d5:07" and 1238025599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "joaweb" and pe.signatures [ i ] . serial == "7d:82:4b:a1:f7:f7:30:31:9c:50:d6:4c:9a:7e:d5:07" and 1238025599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35892,13 +35892,13 @@ rule REVERSINGLABS_Cert_Blocklist_77A64759F12766E363D779998C71Bdc9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "98acd01b-c452-530d-8814-2591810ecd53" + id = "d90085b5-e6c7-53b3-b34c-f8d1bc8acd5e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2320-L2336" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2bf3d99ddec6b76da1ca60a9285767a5b34b84455db58195fc5d8fd8a22c9f8a" + logic_hash = "v1_sha256_2bf3d99ddec6b76da1ca60a9285767a5b34b84455db58195fc5d8fd8a22c9f8a" score = 75 quality = 90 tags = "INFO, FILE" @@ -35908,7 +35908,7 @@ rule REVERSINGLABS_Cert_Blocklist_77A64759F12766E363D779998C71Bdc9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Gigabit Times Technology Co., Ltd" and pe.signatures[i].serial=="77:a6:47:59:f1:27:66:e3:63:d7:79:99:8c:71:bd:c9" and 1301011199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Gigabit Times Technology Co., Ltd" and pe.signatures [ i ] . serial == "77:a6:47:59:f1:27:66:e3:63:d7:79:99:8c:71:bd:c9" and 1301011199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35917,13 +35917,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B0D17Ec1449B4B2D38Fcb0F20Fbcd3A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4484b00d-8fad-5f8f-9030-67216f2820a3" + id = "c2479c2b-7fdb-5adf-8bb2-5933188ff0f8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2338-L2354" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3121f2c49d0d4c396023924521f2c980045b6f07d082e49447429e9cd640e0ef" + logic_hash = "v1_sha256_3121f2c49d0d4c396023924521f2c980045b6f07d082e49447429e9cd640e0ef" score = 75 quality = 90 tags = "INFO, FILE" @@ -35933,7 +35933,7 @@ rule REVERSINGLABS_Cert_Blocklist_0B0D17Ec1449B4B2D38Fcb0F20Fbcd3A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "WEBPIC DESENVOLVIMENTO DE SOFTWARE LTDA" and pe.signatures[i].serial=="0b:0d:17:ec:14:49:b4:b2:d3:8f:cb:0f:20:fb:cd:3a" and 1394150399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "WEBPIC DESENVOLVIMENTO DE SOFTWARE LTDA" and pe.signatures [ i ] . serial == "0b:0d:17:ec:14:49:b4:b2:d3:8f:cb:0f:20:fb:cd:3a" and 1394150399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35942,13 +35942,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fe9404Dc73Cf1C2Ba1450B8398305557 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "17700719-81ea-58d4-87f5-4d5c1b19bf64" + id = "478b502f-562a-5ca8-bea5-c77c991538b0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2356-L2374" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c0132d71de1384f6e534dd154eba88c4a51c43b7dfe984f3064ba4feffa4dd5a" + logic_hash = "v1_sha256_c0132d71de1384f6e534dd154eba88c4a51c43b7dfe984f3064ba4feffa4dd5a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -35958,7 +35958,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fe9404Dc73Cf1C2Ba1450B8398305557 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\x8E\\xA6\\xE9\\x97\\xA8\\xE7\\xBF\\x94\\xE9\\x80\\x9A\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE5\\x88\\x86\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (pe.signatures[i].serial=="00:fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57" or pe.signatures[i].serial=="fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57") and 1287360000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\x8E\\xA6\\xE9\\x97\\xA8\\xE7\\xBF\\x94\\xE9\\x80\\x9A\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE5\\x88\\x86\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and ( pe.signatures [ i ] . serial == "00:fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57" or pe.signatures [ i ] . serial == "fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57" ) and 1287360000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35967,13 +35967,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb2D523A6Bf7A066642C578De1C9Be4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d2c87c29-cb64-5d43-847b-64c888421c1f" + id = "35b4c6d5-2441-5981-b780-ea7b090ab62a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2376-L2392" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5a786b9ade5a59b8a1e0bbef1eb3dcb65404dcee19d572dc60f9ec9f45e4755b" + logic_hash = "v1_sha256_5a786b9ade5a59b8a1e0bbef1eb3dcb65404dcee19d572dc60f9ec9f45e4755b" score = 75 quality = 90 tags = "INFO, FILE" @@ -35983,7 +35983,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb2D523A6Bf7A066642C578De1C9Be4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Shenzhen Hua\\xE2\\x80\\x99nan Xingfa Electronic Equipment Firm" and pe.signatures[i].serial=="1c:b2:d5:23:a6:bf:7a:06:66:42:c5:78:de:1c:9b:e4" and 1400889599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Shenzhen Hua\\xE2\\x80\\x99nan Xingfa Electronic Equipment Firm" and pe.signatures [ i ] . serial == "1c:b2:d5:23:a6:bf:7a:06:66:42:c5:78:de:1c:9b:e4" and 1400889599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -35992,13 +35992,13 @@ rule REVERSINGLABS_Cert_Blocklist_3A6Ccabb1C62F3Be3Eb03869Fa43Dc4A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b16f7bb7-88fe-5f8f-9592-8d309f556419" + id = "1dae33e9-147c-54bf-b075-11940a4efc00" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2394-L2410" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ccb603c8a5f4fb63876e78d763f80a97098c23aa10673c7b04a48026268f57d3" + logic_hash = "v1_sha256_ccb603c8a5f4fb63876e78d763f80a97098c23aa10673c7b04a48026268f57d3" score = 75 quality = 90 tags = "INFO, FILE" @@ -36008,7 +36008,7 @@ rule REVERSINGLABS_Cert_Blocklist_3A6Ccabb1C62F3Be3Eb03869Fa43Dc4A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\xB8\\xB8\\xE5\\xB7\\x9E\\xE9\\xAA\\x8F\\xE6\\x99\\xAF\\xE9\\x80\\x9A\\xE8\\x81\\x94\\xE6\\x95\\xB0\\xE5\\xAD\\x97\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="3a:6c:ca:bb:1c:62:f3:be:3e:b0:38:69:fa:43:dc:4a" and 1259798399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\xB8\\xB8\\xE5\\xB7\\x9E\\xE9\\xAA\\x8F\\xE6\\x99\\xAF\\xE9\\x80\\x9A\\xE8\\x81\\x94\\xE6\\x95\\xB0\\xE5\\xAD\\x97\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "3a:6c:ca:bb:1c:62:f3:be:3e:b0:38:69:fa:43:dc:4a" and 1259798399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36017,13 +36017,13 @@ rule REVERSINGLABS_Cert_Blocklist_864196F01971Dbec7002B48642A7013A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "80478430-ce01-5fae-bcaf-2b7a445bc20d" + id = "c8763456-02b4-5c88-b2f3-0fc3d5cffb3f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2412-L2430" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a3173bb08e673caaa64ab22854840a135e891044b165bbc67733c951ec6aa991" + logic_hash = "v1_sha256_a3173bb08e673caaa64ab22854840a135e891044b165bbc67733c951ec6aa991" score = 75 quality = 90 tags = "INFO, FILE" @@ -36033,7 +36033,7 @@ rule REVERSINGLABS_Cert_Blocklist_864196F01971Dbec7002B48642A7013A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "WLE DESENVOLVIMENTO DE SOFTWARE E ASSESSORIA LTDA EPP" and (pe.signatures[i].serial=="00:86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a" or pe.signatures[i].serial=="86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a") and 1384300799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "WLE DESENVOLVIMENTO DE SOFTWARE E ASSESSORIA LTDA EPP" and ( pe.signatures [ i ] . serial == "00:86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a" or pe.signatures [ i ] . serial == "86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a" ) and 1384300799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36042,13 +36042,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Fda1E121B61Adeca936A6Aebe079303 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fba98d6b-dc09-5294-ad86-2f4e0d8ad320" + id = "3b3f1366-16ad-522e-a490-35c42ac0209f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2432-L2448" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "70a04c83e79c98024bacf1688bb46d80c9b8491e25dd32d6d92bf3cf61c62e48" + logic_hash = "v1_sha256_70a04c83e79c98024bacf1688bb46d80c9b8491e25dd32d6d92bf3cf61c62e48" score = 75 quality = 90 tags = "INFO, FILE" @@ -36058,7 +36058,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Fda1E121B61Adeca936A6Aebe079303 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Laizhou wanlei stone Co., LTD" and pe.signatures[i].serial=="4f:da:1e:12:1b:61:ad:ec:a9:36:a6:ae:be:07:93:03" and 1310687999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Laizhou wanlei stone Co., LTD" and pe.signatures [ i ] . serial == "4f:da:1e:12:1b:61:ad:ec:a9:36:a6:ae:be:07:93:03" and 1310687999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36067,13 +36067,13 @@ rule REVERSINGLABS_Cert_Blocklist_03866Deb183Abfbf4Ff458D4De7Bd73A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2641eb86-94f0-537c-a82a-6a5e1596ee84" + id = "48f082bc-c58d-579d-a19d-41b1861ab660" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2450-L2466" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "90d09d0d2d01500e0670277d0e8de574feecf7443cf4d077912b1166a9c14c43" + logic_hash = "v1_sha256_90d09d0d2d01500e0670277d0e8de574feecf7443cf4d077912b1166a9c14c43" score = 75 quality = 90 tags = "INFO, FILE" @@ -36083,7 +36083,7 @@ rule REVERSINGLABS_Cert_Blocklist_03866Deb183Abfbf4Ff458D4De7Bd73A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE9\\x87\\x8D\\xE5\\xBA\\x86\\xE8\\xAF\\x9D\\xE8\\xAF\\xAD\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="03:86:6d:eb:18:3a:bf:bf:4f:f4:58:d4:de:7b:d7:3a" and 1371772799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE9\\x87\\x8D\\xE5\\xBA\\x86\\xE8\\xAF\\x9D\\xE8\\xAF\\xAD\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "03:86:6d:eb:18:3a:bf:bf:4f:f4:58:d4:de:7b:d7:3a" and 1371772799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36092,13 +36092,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Be41B34127Ca9E6270830D2070Db426 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bee69e9d-db8e-5d4e-8e97-b3791b4f717d" + id = "e44afe7f-3a7c-50ff-bd18-1ff1b0b5f4a3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2468-L2484" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b66c4b9264be70d53838442a3112c4bacbdf2dda90840d71c3eb949e630b3f17" + logic_hash = "v1_sha256_b66c4b9264be70d53838442a3112c4bacbdf2dda90840d71c3eb949e630b3f17" score = 75 quality = 90 tags = "INFO, FILE" @@ -36108,7 +36108,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Be41B34127Ca9E6270830D2070Db426 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE8\\x80\\x98\\xE5\\x8D\\x87\\xE5\\xA4\\xA9\\xE4\\xB8\\x8B\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="1b:e4:1b:34:12:7c:a9:e6:27:08:30:d2:07:0d:b4:26" and 1352764799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE8\\x80\\x98\\xE5\\x8D\\x87\\xE5\\xA4\\xA9\\xE4\\xB8\\x8B\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "1b:e4:1b:34:12:7c:a9:e6:27:08:30:d2:07:0d:b4:26" and 1352764799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36117,13 +36117,13 @@ rule REVERSINGLABS_Cert_Blocklist_9B108B8A1Daa0D5581F59Fcee0447901 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cacb2af8-dbc6-5d61-a2d5-641c5c09bc79" + id = "3dac7711-674e-5d9c-8099-e15f5fa33a51" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2486-L2504" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "696e3da511f74f9cfb10b96130a36ae9f48c22f1e0deb76092db1262980ab3ac" + logic_hash = "v1_sha256_696e3da511f74f9cfb10b96130a36ae9f48c22f1e0deb76092db1262980ab3ac" score = 75 quality = 90 tags = "INFO, FILE" @@ -36133,7 +36133,7 @@ rule REVERSINGLABS_Cert_Blocklist_9B108B8A1Daa0D5581F59Fcee0447901 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CharacTell Ltd" and (pe.signatures[i].serial=="00:9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01" or pe.signatures[i].serial=="9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01") and 1380671999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CharacTell Ltd" and ( pe.signatures [ i ] . serial == "00:9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01" or pe.signatures [ i ] . serial == "9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01" ) and 1380671999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36142,13 +36142,13 @@ rule REVERSINGLABS_Cert_Blocklist_5F8203C430Fc7Db4E61F6684F6829Ffc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "975cd500-2f08-55c9-a821-4dde3a54ae0c" + id = "11194d47-3c2a-552f-ae67-e00497f9b656" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2506-L2522" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cd22d1beea12d1f6c50f69e76074c2582ce5567887056c43d4d6c87d33fce1bf" + logic_hash = "v1_sha256_cd22d1beea12d1f6c50f69e76074c2582ce5567887056c43d4d6c87d33fce1bf" score = 75 quality = 90 tags = "INFO, FILE" @@ -36158,7 +36158,7 @@ rule REVERSINGLABS_Cert_Blocklist_5F8203C430Fc7Db4E61F6684F6829Ffc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Haivision Network Video" and pe.signatures[i].serial=="5f:82:03:c4:30:fc:7d:b4:e6:1f:66:84:f6:82:9f:fc" and 1382572799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Haivision Network Video" and pe.signatures [ i ] . serial == "5f:82:03:c4:30:fc:7d:b4:e6:1f:66:84:f6:82:9f:fc" and 1382572799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36167,13 +36167,13 @@ rule REVERSINGLABS_Cert_Blocklist_6B6Daef5Be29F20Ddce4B0F5E9Fa6Ea5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "55611c9a-d45d-55fa-8e5e-a5621223cc9d" + id = "005428ab-00bf-5d2f-8cc1-1cfcf047f4b1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2524-L2540" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "edd2f302d2fac65f6a93372a24c3f80757f2b175af661032917366e9629c5491" + logic_hash = "v1_sha256_edd2f302d2fac65f6a93372a24c3f80757f2b175af661032917366e9629c5491" score = 75 quality = 90 tags = "INFO, FILE" @@ -36183,7 +36183,7 @@ rule REVERSINGLABS_Cert_Blocklist_6B6Daef5Be29F20Ddce4B0F5E9Fa6Ea5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Calibration Consultants" and pe.signatures[i].serial=="6b:6d:ae:f5:be:29:f2:0d:dc:e4:b0:f5:e9:fa:6e:a5" and 1280447999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Calibration Consultants" and pe.signatures [ i ] . serial == "6b:6d:ae:f5:be:29:f2:0d:dc:e4:b0:f5:e9:fa:6e:a5" and 1280447999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36192,13 +36192,13 @@ rule REVERSINGLABS_Cert_Blocklist_57D6Dff1Ef96F01B9430666B2733Cc87 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c20b81a1-7331-57a9-9daf-007ec516a473" + id = "6fc6e7dd-85d9-54eb-9f88-b86d44875ad7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2542-L2558" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "40d22137e9c5345859c5f000166da2a3117bcfcc19b4c5e81083cad80dfa6ee4" + logic_hash = "v1_sha256_40d22137e9c5345859c5f000166da2a3117bcfcc19b4c5e81083cad80dfa6ee4" score = 75 quality = 90 tags = "INFO, FILE" @@ -36208,7 +36208,7 @@ rule REVERSINGLABS_Cert_Blocklist_57D6Dff1Ef96F01B9430666B2733Cc87 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Smart Plugin Ltda" and pe.signatures[i].serial=="57:d6:df:f1:ef:96:f0:1b:94:30:66:6b:27:33:cc:87" and 1314575999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Smart Plugin Ltda" and pe.signatures [ i ] . serial == "57:d6:df:f1:ef:96:f0:1b:94:30:66:6b:27:33:cc:87" and 1314575999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36217,13 +36217,13 @@ rule REVERSINGLABS_Cert_Blocklist_0166B65038D61E5435B48204Cae4795A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "04bdefc5-ee4e-5a46-94d6-e3a5d8b56ce0" + id = "10ee6bc5-947a-589e-b83a-7fef1e204a13" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2560-L2576" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4e289eda4d5381250bcd6e36daade6f1e1803b6d16578d7eaee4454cef6981d0" + logic_hash = "v1_sha256_4e289eda4d5381250bcd6e36daade6f1e1803b6d16578d7eaee4454cef6981d0" score = 75 quality = 90 tags = "INFO, FILE" @@ -36233,7 +36233,7 @@ rule REVERSINGLABS_Cert_Blocklist_0166B65038D61E5435B48204Cae4795A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TOLGA KAPLAN" and pe.signatures[i].serial=="01:66:b6:50:38:d6:1e:54:35:b4:82:04:ca:e4:79:5a" and 1403999999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TOLGA KAPLAN" and pe.signatures [ i ] . serial == "01:66:b6:50:38:d6:1e:54:35:b4:82:04:ca:e4:79:5a" and 1403999999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36242,13 +36242,13 @@ rule REVERSINGLABS_Cert_Blocklist_784F226B45C3Bd8E4089243D747D1F59 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f2a979e0-2027-5143-8cb4-ffcfd19faf45" + id = "2eb740f6-c2e1-51e4-8006-3814067890ff" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2578-L2594" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "df8ca35a07ec6815d1efb68fa6fbf8f80c57032ecb99d0b038da0604ceffe8cf" + logic_hash = "v1_sha256_df8ca35a07ec6815d1efb68fa6fbf8f80c57032ecb99d0b038da0604ceffe8cf" score = 75 quality = 90 tags = "INFO, FILE" @@ -36258,7 +36258,7 @@ rule REVERSINGLABS_Cert_Blocklist_784F226B45C3Bd8E4089243D747D1F59 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FSPro Labs" and pe.signatures[i].serial=="78:4f:22:6b:45:c3:bd:8e:40:89:24:3d:74:7d:1f:59" and 1242777599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FSPro Labs" and pe.signatures [ i ] . serial == "78:4f:22:6b:45:c3:bd:8e:40:89:24:3d:74:7d:1f:59" and 1242777599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36267,13 +36267,13 @@ rule REVERSINGLABS_Cert_Blocklist_11690F05604445Fae0De539Eeeeec584 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e6513bd1-2524-5baa-8484-b7e0f2f0c02a" + id = "3d816e2d-2a75-5be6-a250-3af16851109a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2596-L2612" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b66257f562f698559910eb9576f8fdf0ce3a750cc0a96a27e2ec1a18872ad13f" + logic_hash = "v1_sha256_b66257f562f698559910eb9576f8fdf0ce3a750cc0a96a27e2ec1a18872ad13f" score = 75 quality = 90 tags = "INFO, FILE" @@ -36283,7 +36283,7 @@ rule REVERSINGLABS_Cert_Blocklist_11690F05604445Fae0De539Eeeeec584 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Tera information Technology co.Ltd" and pe.signatures[i].serial=="11:69:0f:05:60:44:45:fa:e0:de:53:9e:ee:ee:c5:84" and 1294703999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Tera information Technology co.Ltd" and pe.signatures [ i ] . serial == "11:69:0f:05:60:44:45:fa:e0:de:53:9e:ee:ee:c5:84" and 1294703999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36292,13 +36292,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aa146Bff4B832Bdbfe30B84580356763 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "90fab567-f39f-5d0b-b0d9-a93693a05a01" + id = "94b31fa1-925a-52c9-b36b-f47e5c7ec4a5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2614-L2632" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "37abe7a4fd773fd34f5d7dbe725ba4edcfb8ebb501dc41f386b8b0629161051f" + logic_hash = "v1_sha256_37abe7a4fd773fd34f5d7dbe725ba4edcfb8ebb501dc41f386b8b0629161051f" score = 75 quality = 90 tags = "INFO, FILE" @@ -36308,7 +36308,7 @@ rule REVERSINGLABS_Cert_Blocklist_Aa146Bff4B832Bdbfe30B84580356763 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yancheng Peoples Information Technology Service Co., Ltd" and (pe.signatures[i].serial=="00:aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63" or pe.signatures[i].serial=="aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63") and 1295481599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yancheng Peoples Information Technology Service Co., Ltd" and ( pe.signatures [ i ] . serial == "00:aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63" or pe.signatures [ i ] . serial == "aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63" ) and 1295481599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36317,13 +36317,13 @@ rule REVERSINGLABS_Cert_Blocklist_E86F46B60142092Aae81B8F6Fa3D9C7C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fde17cc1-a968-5134-b12b-d65cb34c086f" + id = "6b146164-3cb1-51ce-a08d-e75afb3f4e3d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2634-L2652" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6de16a44bc84fbf8f1d3d82526e1d7f8fd4ae3da6deaa471c77d2c8df47a14b0" + logic_hash = "v1_sha256_6de16a44bc84fbf8f1d3d82526e1d7f8fd4ae3da6deaa471c77d2c8df47a14b0" score = 75 quality = 90 tags = "INFO, FILE" @@ -36333,7 +36333,7 @@ rule REVERSINGLABS_Cert_Blocklist_E86F46B60142092Aae81B8F6Fa3D9C7C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Syncode Sistemas e Tecnologia Ltda" and (pe.signatures[i].serial=="00:e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c" or pe.signatures[i].serial=="e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c") and 1373932799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Syncode Sistemas e Tecnologia Ltda" and ( pe.signatures [ i ] . serial == "00:e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c" or pe.signatures [ i ] . serial == "e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c" ) and 1373932799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36342,13 +36342,13 @@ rule REVERSINGLABS_Cert_Blocklist_1A0Fd2A4Ef4C2A36Ab9C5E8F792A35E2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7148a21a-97d6-59a2-a1cf-442c271bc0b5" + id = "067b1ce8-a011-5ca6-8cff-e9192b02adbe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2654-L2670" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8e768415998a6a92961986cb0a9d310514d928be93b3e5a9aaa9ec71bf5886ad" + logic_hash = "v1_sha256_8e768415998a6a92961986cb0a9d310514d928be93b3e5a9aaa9ec71bf5886ad" score = 75 quality = 90 tags = "INFO, FILE" @@ -36358,7 +36358,7 @@ rule REVERSINGLABS_Cert_Blocklist_1A0Fd2A4Ef4C2A36Ab9C5E8F792A35E2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE9\\x87\\x91\\xE5\\x88\\xA9\\xE5\\xAE\\x8F\\xE6\\x98\\x8C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="1a:0f:d2:a4:ef:4c:2a:36:ab:9c:5e:8f:79:2a:35:e2" and 1389311999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE9\\x87\\x91\\xE5\\x88\\xA9\\xE5\\xAE\\x8F\\xE6\\x98\\x8C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "1a:0f:d2:a4:ef:4c:2a:36:ab:9c:5e:8f:79:2a:35:e2" and 1389311999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36367,13 +36367,13 @@ rule REVERSINGLABS_Cert_Blocklist_53Bb753B79A99E61A6E822Ac52460C70 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6339d548-775b-52b9-84c5-a79de23a16b2" + id = "017d6bcb-9f94-52ad-8de7-83976d9ce58b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2672-L2688" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "24ff4f46fa6e85c25e130459f9b8d6907cf6cd51098e0cf45ec11d54d7de509b" + logic_hash = "v1_sha256_24ff4f46fa6e85c25e130459f9b8d6907cf6cd51098e0cf45ec11d54d7de509b" score = 75 quality = 90 tags = "INFO, FILE" @@ -36383,7 +36383,7 @@ rule REVERSINGLABS_Cert_Blocklist_53Bb753B79A99E61A6E822Ac52460C70 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xEB\\x8D\\xB0\\xEC\\x8A\\xA4\\xED\\x81\\xAC\\xED\\x83\\x91\\xEC\\x95\\x84\\xEC\\x9D\\xB4\\xEC\\xBD\\x98" and pe.signatures[i].serial=="53:bb:75:3b:79:a9:9e:61:a6:e8:22:ac:52:46:0c:70" and 1400543999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xEB\\x8D\\xB0\\xEC\\x8A\\xA4\\xED\\x81\\xAC\\xED\\x83\\x91\\xEC\\x95\\x84\\xEC\\x9D\\xB4\\xEC\\xBD\\x98" and pe.signatures [ i ] . serial == "53:bb:75:3b:79:a9:9e:61:a6:e8:22:ac:52:46:0c:70" and 1400543999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36392,13 +36392,13 @@ rule REVERSINGLABS_Cert_Blocklist_83F68Fc6834Bf8Bd2C801A2D1F1Acc76 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "763d4faf-19af-5349-a643-4773055df47a" + id = "b539502e-a25a-57af-a4e3-d657db6f581b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2690-L2708" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "35552242f9f0a56b45e30e6f376877446f33e24690ff5d7b03dc776fab178afd" + logic_hash = "v1_sha256_35552242f9f0a56b45e30e6f376877446f33e24690ff5d7b03dc776fab178afd" score = 75 quality = 90 tags = "INFO, FILE" @@ -36408,7 +36408,7 @@ rule REVERSINGLABS_Cert_Blocklist_83F68Fc6834Bf8Bd2C801A2D1F1Acc76 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Helpful Technologies, Inc" and (pe.signatures[i].serial=="00:83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76" or pe.signatures[i].serial=="83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76") and 1407715199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Helpful Technologies, Inc" and ( pe.signatures [ i ] . serial == "00:83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76" or pe.signatures [ i ] . serial == "83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76" ) and 1407715199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36417,13 +36417,13 @@ rule REVERSINGLABS_Cert_Blocklist_F385E765Acfb95605C9B35Ca4C32F80E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "865f8daf-35c4-5437-9c97-9b9fc48d7d70" + id = "0af9dec6-2a34-53dc-b7fa-9b8ced50d772" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2710-L2728" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c73c8f1913d3423a52f5e77751813460ae9200eb3cb1cc6e2ec30f37f0da8152" + logic_hash = "v1_sha256_c73c8f1913d3423a52f5e77751813460ae9200eb3cb1cc6e2ec30f37f0da8152" score = 75 quality = 90 tags = "INFO, FILE" @@ -36433,7 +36433,7 @@ rule REVERSINGLABS_Cert_Blocklist_F385E765Acfb95605C9B35Ca4C32F80E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CWI SOFTWARE LTDA" and (pe.signatures[i].serial=="00:f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e" or pe.signatures[i].serial=="f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e") and 1382313599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CWI SOFTWARE LTDA" and ( pe.signatures [ i ] . serial == "00:f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e" or pe.signatures [ i ] . serial == "f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e" ) and 1382313599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36442,13 +36442,13 @@ rule REVERSINGLABS_Cert_Blocklist_F62C9C4Efc81Caf0D5A2608009D48018 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "176434ae-7162-5b35-91f7-888536250884" + id = "d4f1d184-2083-54c5-a2fd-c8338cafcd1b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2730-L2748" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "08fcff795297c0608b1a1d71465279cbf76d4dff06de2a2262a58debbb2f9e0d" + logic_hash = "v1_sha256_08fcff795297c0608b1a1d71465279cbf76d4dff06de2a2262a58debbb2f9e0d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -36458,7 +36458,7 @@ rule REVERSINGLABS_Cert_Blocklist_F62C9C4Efc81Caf0D5A2608009D48018 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\x94\\x90\\xE5\\xB1\\xB1\\xE4\\xB8\\x87\\xE4\\xB8\\x9C\\xE6\\xB6\\xA6\\xE6\\x92\\xAD\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (pe.signatures[i].serial=="00:f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18" or pe.signatures[i].serial=="f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18") and 1292889599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\x94\\x90\\xE5\\xB1\\xB1\\xE4\\xB8\\x87\\xE4\\xB8\\x9C\\xE6\\xB6\\xA6\\xE6\\x92\\xAD\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and ( pe.signatures [ i ] . serial == "00:f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18" or pe.signatures [ i ] . serial == "f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18" ) and 1292889599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36467,13 +36467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cc8D902Da36587C9B2113Cd76C3C3F8D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f9e542aa-eaa5-50a5-95dc-fb55f8575c89" + id = "12e62503-d8b6-5cd1-b798-2ef500a8f338" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2750-L2768" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "25e524d23ccc1c06f602a086369ffd44b8c97b76c29f068764081339556b3465" + logic_hash = "v1_sha256_25e524d23ccc1c06f602a086369ffd44b8c97b76c29f068764081339556b3465" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -36483,7 +36483,7 @@ rule REVERSINGLABS_Cert_Blocklist_Cc8D902Da36587C9B2113Cd76C3C3F8D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE9\\x87\\x91\\xE4\\xBF\\x8A\\xE5\\x9D\\xA4\\xE8\\xAE\\xA1\\xE7\\xAE\\x97\\xE6\\x9C\\xBA\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x8D\\xE5\\x8A\\xA1\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (pe.signatures[i].serial=="00:cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d" or pe.signatures[i].serial=="cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d") and 1292544000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE9\\x87\\x91\\xE4\\xBF\\x8A\\xE5\\x9D\\xA4\\xE8\\xAE\\xA1\\xE7\\xAE\\x97\\xE6\\x9C\\xBA\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x8D\\xE5\\x8A\\xA1\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and ( pe.signatures [ i ] . serial == "00:cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d" or pe.signatures [ i ] . serial == "cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d" ) and 1292544000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36492,13 +36492,13 @@ rule REVERSINGLABS_Cert_Blocklist_328Bdcc0F679C4649147Fbb3Eb0E9Bc6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8e2c2204-8905-5e05-9ec8-e1577ae4c2cb" + id = "1645c47d-5cee-5f64-9157-ee834fdad420" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2770-L2786" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6d9e1f25ca252ca9dda7714c52a2e57fd3b5dca08cd2a45c9dec18a31d3bb342" + logic_hash = "v1_sha256_6d9e1f25ca252ca9dda7714c52a2e57fd3b5dca08cd2a45c9dec18a31d3bb342" score = 75 quality = 90 tags = "INFO, FILE" @@ -36508,7 +36508,7 @@ rule REVERSINGLABS_Cert_Blocklist_328Bdcc0F679C4649147Fbb3Eb0E9Bc6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Nooly Systems LTD" and pe.signatures[i].serial=="32:8b:dc:c0:f6:79:c4:64:91:47:fb:b3:eb:0e:9b:c6" and 1204847999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Nooly Systems LTD" and pe.signatures [ i ] . serial == "32:8b:dc:c0:f6:79:c4:64:91:47:fb:b3:eb:0e:9b:c6" and 1204847999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36517,13 +36517,13 @@ rule REVERSINGLABS_Cert_Blocklist_5F78149Eb4F75Eb17404A8143Aaeaed7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4c9d3bba-4e7f-5bf5-ab90-f2b900ec0b2a" + id = "84bc0de2-7527-53ca-900f-a981ce4cf763" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2788-L2804" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0c7c9e8d2a9304e0407b8a1a29977312a9ba766a4052c6b874855fa187c85585" + logic_hash = "v1_sha256_0c7c9e8d2a9304e0407b8a1a29977312a9ba766a4052c6b874855fa187c85585" score = 75 quality = 90 tags = "INFO, FILE" @@ -36533,7 +36533,7 @@ rule REVERSINGLABS_Cert_Blocklist_5F78149Eb4F75Eb17404A8143Aaeaed7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE5\\x9F\\x9F\\xE8\\x81\\x94\\xE8\\xBD\\xAF\\xE4\\xBB\\xB6\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7" and 1303116124<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE5\\x9F\\x9F\\xE8\\x81\\x94\\xE8\\xBD\\xAF\\xE4\\xBB\\xB6\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7" and 1303116124 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36542,13 +36542,13 @@ rule REVERSINGLABS_Cert_Blocklist_629D120Dd84F9C1688D4Da40366Fab7A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7e6249ba-3a4f-5096-be32-779e73c88221" + id = "f73eb563-ac88-5f3e-b2e8-75bd296e2fcf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2806-L2822" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "187f6ef0de869500526d1b0d5c6f6762b0a939e06781e633a602834687c64023" + logic_hash = "v1_sha256_187f6ef0de869500526d1b0d5c6f6762b0a939e06781e633a602834687c64023" score = 75 quality = 90 tags = "INFO, FILE" @@ -36558,7 +36558,7 @@ rule REVERSINGLABS_Cert_Blocklist_629D120Dd84F9C1688D4Da40366Fab7A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Delta Controls" and pe.signatures[i].serial=="62:9d:12:0d:d8:4f:9c:16:88:d4:da:40:36:6f:ab:7a" and 1306799999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Delta Controls" and pe.signatures [ i ] . serial == "62:9d:12:0d:d8:4f:9c:16:88:d4:da:40:36:6f:ab:7a" and 1306799999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36567,13 +36567,13 @@ rule REVERSINGLABS_Cert_Blocklist_039E5D0E3297F574Db99E1D9503853D9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "969ffa17-de06-58d5-a74e-c115b49a9a6c" + id = "6a459a5e-86f8-5789-aac9-f4fa8872a0b3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2824-L2840" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2f150f60b7dce583fc68705f0b29a7c8684f1b69020275b2ec1ac6beeaa63952" + logic_hash = "v1_sha256_2f150f60b7dce583fc68705f0b29a7c8684f1b69020275b2ec1ac6beeaa63952" score = 75 quality = 90 tags = "INFO, FILE" @@ -36583,7 +36583,7 @@ rule REVERSINGLABS_Cert_Blocklist_039E5D0E3297F574Db99E1D9503853D9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Cigam Software Corporativo LTDA" and pe.signatures[i].serial=="03:9e:5d:0e:32:97:f5:74:db:99:e1:d9:50:38:53:d9" and 1378079999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Cigam Software Corporativo LTDA" and pe.signatures [ i ] . serial == "03:9e:5d:0e:32:97:f5:74:db:99:e1:d9:50:38:53:d9" and 1378079999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36592,13 +36592,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bc32Bbe5Bbb4F06F490C50651Cd5Da50 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eb6ccc6d-2a66-5113-8b78-c32012431123" + id = "2b7c548c-06e6-5ba2-a970-0cee3e4df71e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2842-L2860" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "104be481b7d4b1cb3c43c72314afc3641983838b5177c34a88d6da0d0e7b89c9" + logic_hash = "v1_sha256_104be481b7d4b1cb3c43c72314afc3641983838b5177c34a88d6da0d0e7b89c9" score = 75 quality = 90 tags = "INFO, FILE" @@ -36608,7 +36608,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bc32Bbe5Bbb4F06F490C50651Cd5Da50 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Remedica Medical Education and Publishing Ltd" and (pe.signatures[i].serial=="00:bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50" or pe.signatures[i].serial=="bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50") and 1387151999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Remedica Medical Education and Publishing Ltd" and ( pe.signatures [ i ] . serial == "00:bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50" or pe.signatures [ i ] . serial == "bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50" ) and 1387151999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36617,13 +36617,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E1656Dfcaacfed7C2D2564355698Aa3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "57b75eaa-2cb2-5713-8eb3-065f90a1fdd5" + id = "39a5f43e-930b-5d48-a5ba-c3a0984eb592" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2862-L2878" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ba7cca8d71f571644cabd3d491cddefffd05ca7a838f262a343a01e4a09bb72a" + logic_hash = "v1_sha256_ba7cca8d71f571644cabd3d491cddefffd05ca7a838f262a343a01e4a09bb72a" score = 75 quality = 90 tags = "INFO, FILE" @@ -36633,7 +36633,7 @@ rule REVERSINGLABS_Cert_Blocklist_3E1656Dfcaacfed7C2D2564355698Aa3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "John W.Richard" and pe.signatures[i].serial=="3e:16:56:df:ca:ac:fe:d7:c2:d2:56:43:55:69:8a:a3" and 1385251199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "John W.Richard" and pe.signatures [ i ] . serial == "3e:16:56:df:ca:ac:fe:d7:c2:d2:56:43:55:69:8a:a3" and 1385251199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36642,13 +36642,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Bf1D68E926E2Dd8966008C44F95Ea1C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c82170a4-911c-5206-bae8-6503a5449df9" + id = "00726514-4782-54a2-b0f6-832e0f92e468" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2880-L2896" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "44b5aae8380e3590ebb6e2365e89b3827432e8330e5290dc8f8603a00bcf62f6" + logic_hash = "v1_sha256_44b5aae8380e3590ebb6e2365e89b3827432e8330e5290dc8f8603a00bcf62f6" score = 75 quality = 90 tags = "INFO, FILE" @@ -36658,7 +36658,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Bf1D68E926E2Dd8966008C44F95Ea1C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Technical and Commercial Consulting Pvt. Ltd." and pe.signatures[i].serial=="4b:f1:d6:8e:92:6e:2d:d8:96:60:08:c4:4f:95:ea:1c" and 1322092799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Technical and Commercial Consulting Pvt. Ltd." and pe.signatures [ i ] . serial == "4b:f1:d6:8e:92:6e:2d:d8:96:60:08:c4:4f:95:ea:1c" and 1322092799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36667,13 +36667,13 @@ rule REVERSINGLABS_Cert_Blocklist_149C12083C145E28155510Cfc19Db0Fe : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8d9b0b1c-df7c-560a-8d51-bc8738952457" + id = "e7eb69ce-63fd-5396-9057-8baf9db87c4e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2898-L2914" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f616fc470e223d65ac4c984394a38d566265ab37829ff566012de0a1527396c2" + logic_hash = "v1_sha256_f616fc470e223d65ac4c984394a38d566265ab37829ff566012de0a1527396c2" score = 75 quality = 90 tags = "INFO, FILE" @@ -36683,7 +36683,7 @@ rule REVERSINGLABS_Cert_Blocklist_149C12083C145E28155510Cfc19Db0Fe : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "3rd Eye Solutions Ltd" and pe.signatures[i].serial=="14:9c:12:08:3c:14:5e:28:15:55:10:cf:c1:9d:b0:fe" and 1209340799<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "3rd Eye Solutions Ltd" and pe.signatures [ i ] . serial == "14:9c:12:08:3c:14:5e:28:15:55:10:cf:c1:9d:b0:fe" and 1209340799 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36692,13 +36692,13 @@ rule REVERSINGLABS_Cert_Blocklist_77E0117E8B2B8Faa84Bed961019D5Ef8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2733cc5b-bc1f-5ba9-a2f4-50f472fc288e" + id = "a23972fb-9c83-5282-b77f-820c2dab2f74" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2916-L2932" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bea94b9da8c176f22a66fe7a4545dcc3a38f727a75a0bc7920d9aece8e24b9b7" + logic_hash = "v1_sha256_bea94b9da8c176f22a66fe7a4545dcc3a38f727a75a0bc7920d9aece8e24b9b7" score = 75 quality = 90 tags = "INFO, FILE" @@ -36708,7 +36708,7 @@ rule REVERSINGLABS_Cert_Blocklist_77E0117E8B2B8Faa84Bed961019D5Ef8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Reiner Wodey Informationssysteme" and pe.signatures[i].serial=="77:e0:11:7e:8b:2b:8f:aa:84:be:d9:61:01:9d:5e:f8" and 1383695999<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Reiner Wodey Informationssysteme" and pe.signatures [ i ] . serial == "77:e0:11:7e:8b:2b:8f:aa:84:be:d9:61:01:9d:5e:f8" and 1383695999 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36717,13 +36717,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F3Feb4Baf377Aea90A463C5Dee63884 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8de9bcf3-d705-590f-8898-52218f937571" + id = "510e999b-73d5-5303-a9d1-adab22b9254e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2934-L2950" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "56c37e758db33aa40e9a2c1c5a4eb14c2c370f614e838d86bf20c64f79e2a746" + logic_hash = "v1_sha256_56c37e758db33aa40e9a2c1c5a4eb14c2c370f614e838d86bf20c64f79e2a746" score = 75 quality = 90 tags = "INFO, FILE" @@ -36733,7 +36733,7 @@ rule REVERSINGLABS_Cert_Blocklist_4F3Feb4Baf377Aea90A463C5Dee63884 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "F3D LIMITED" and pe.signatures[i].serial=="4f:3f:eb:4b:af:37:7a:ea:90:a4:63:c5:de:e6:38:84" and 1526601599<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "F3D LIMITED" and pe.signatures [ i ] . serial == "4f:3f:eb:4b:af:37:7a:ea:90:a4:63:c5:de:e6:38:84" and 1526601599 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36742,13 +36742,13 @@ rule REVERSINGLABS_Cert_Blocklist_3D2580E89526F7852B570654Efd9A8Bf : INFO FILE meta: description = "Certificate used for digitally signing LockerGoga ransomware." author = "ReversingLabs" - id = "0514759c-2d10-5b29-aa2f-d16eb45b2816" + id = "3cdd0cfa-a4f3-5083-9fd0-957759004e50" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2952-L2968" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0f46fcfc8ee06756646899450daa254d3e5261bdc5c2339f20d01971608fff7b" + logic_hash = "v1_sha256_0f46fcfc8ee06756646899450daa254d3e5261bdc5c2339f20d01971608fff7b" score = 75 quality = 90 tags = "INFO, FILE" @@ -36758,7 +36758,7 @@ rule REVERSINGLABS_Cert_Blocklist_3D2580E89526F7852B570654Efd9A8Bf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MIKL LIMITED" and pe.signatures[i].serial=="3d:25:80:e8:95:26:f7:85:2b:57:06:54:ef:d9:a8:bf" and 1529888400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MIKL LIMITED" and pe.signatures [ i ] . serial == "3d:25:80:e8:95:26:f7:85:2b:57:06:54:ef:d9:a8:bf" and 1529888400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36767,13 +36767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fffe432A53Ff03B9223F88Be1B83D9D : INFO FILE meta: description = "Certificate used for digitally signing BabyShark malware." author = "ReversingLabs" - id = "25a4c68b-5774-51a2-9aba-1326c85a5251" + id = "86e4473e-82ef-5692-bed1-e109f74ed660" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2970-L2986" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e7dbe6b95877f9473661ccf26fa6e5142147609adfe0a9bb8b493875325710af" + logic_hash = "v1_sha256_e7dbe6b95877f9473661ccf26fa6e5142147609adfe0a9bb8b493875325710af" score = 75 quality = 90 tags = "INFO, FILE" @@ -36783,7 +36783,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Fffe432A53Ff03B9223F88Be1B83D9D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "EGIS Co., Ltd." and pe.signatures[i].serial=="0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d" and 1498524050<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "EGIS Co., Ltd." and pe.signatures [ i ] . serial == "0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d" and 1498524050 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36792,13 +36792,13 @@ rule REVERSINGLABS_Cert_Blocklist_832E161Aea5206D815F973E5A1Feb3E7 : INFO FILE meta: description = "Certificate used for digitally signing SeedLocker ransomware." author = "ReversingLabs" - id = "ecaa250b-d4ac-5cc9-9e5e-5d6f45db18ad" + id = "eaec6895-edf7-57f9-b656-4daa3ec78f7d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2988-L3006" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "da908de031c78aa012809988e44dea564d32b88b65a2010925c1af85d578a68a" + logic_hash = "v1_sha256_da908de031c78aa012809988e44dea564d32b88b65a2010925c1af85d578a68a" score = 75 quality = 90 tags = "INFO, FILE" @@ -36808,7 +36808,7 @@ rule REVERSINGLABS_Cert_Blocklist_832E161Aea5206D815F973E5A1Feb3E7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Project NSRM Ltd" and (pe.signatures[i].serial=="00:83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7" or pe.signatures[i].serial=="83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7") and 1549830060<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Project NSRM Ltd" and ( pe.signatures [ i ] . serial == "00:83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7" or pe.signatures [ i ] . serial == "83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7" ) and 1549830060 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36817,13 +36817,13 @@ rule REVERSINGLABS_Cert_Blocklist_09Aecea45Bfd40Ce7D62D7D711916D7D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "421425b1-13ad-5d80-b044-8bd43c60b3ff" + id = "da012503-3863-526e-9ab3-112314dec526" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3008-L3024" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d1c6bfb10a244ba866c8aabdff6055388afa8096fd4bd77bb21f781794333e9b" + logic_hash = "v1_sha256_d1c6bfb10a244ba866c8aabdff6055388afa8096fd4bd77bb21f781794333e9b" score = 75 quality = 90 tags = "INFO, FILE" @@ -36833,7 +36833,7 @@ rule REVERSINGLABS_Cert_Blocklist_09Aecea45Bfd40Ce7D62D7D711916D7D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ALINA LTD" and pe.signatures[i].serial=="09:ae:ce:a4:5b:fd:40:ce:7d:62:d7:d7:11:91:6d:7d" and 1551052800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ALINA LTD" and pe.signatures [ i ] . serial == "09:ae:ce:a4:5b:fd:40:ce:7d:62:d7:d7:11:91:6d:7d" and 1551052800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36842,13 +36842,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Ff4Eda5Fa641E70162713426401F438 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3e34aa1b-a4b1-593d-bd93-0f5913ab96b9" + id = "833dd5cb-1b1a-5c15-a2f1-56f60f011d62" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3026-L3042" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "58f5e163d9807520497ba55e42c048020f6b7653ed71f3954e7ffb490f4de0e4" + logic_hash = "v1_sha256_58f5e163d9807520497ba55e42c048020f6b7653ed71f3954e7ffb490f4de0e4" score = 75 quality = 90 tags = "INFO, FILE" @@ -36858,7 +36858,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Ff4Eda5Fa641E70162713426401F438 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DUHANEY LIMITED" and pe.signatures[i].serial=="4f:f4:ed:a5:fa:64:1e:70:16:27:13:42:64:01:f4:38" and 1555349604<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DUHANEY LIMITED" and pe.signatures [ i ] . serial == "4f:f4:ed:a5:fa:64:1e:70:16:27:13:42:64:01:f4:38" and 1555349604 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36867,13 +36867,13 @@ rule REVERSINGLABS_Cert_Blocklist_067Dffc5E3026Eb4C62971C98Ac8A900 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9b9771bb-c2a4-5a6e-8fdb-b3e98f62f9b1" + id = "43e9f762-5589-5d3a-abab-ef281c9feb6b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3044-L3060" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b7c4cded14afd8ba3feabb6debaa1317917b811b44e22aa8a0b3ea00d689141" + logic_hash = "v1_sha256_2b7c4cded14afd8ba3feabb6debaa1317917b811b44e22aa8a0b3ea00d689141" score = 75 quality = 90 tags = "INFO, FILE" @@ -36883,7 +36883,7 @@ rule REVERSINGLABS_Cert_Blocklist_067Dffc5E3026Eb4C62971C98Ac8A900 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DVERI FADO, TOV" and pe.signatures[i].serial=="06:7d:ff:c5:e3:02:6e:b4:c6:29:71:c9:8a:c8:a9:00" and 1552176000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DVERI FADO, TOV" and pe.signatures [ i ] . serial == "06:7d:ff:c5:e3:02:6e:b4:c6:29:71:c9:8a:c8:a9:00" and 1552176000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36892,13 +36892,13 @@ rule REVERSINGLABS_Cert_Blocklist_B1Da219688E51Fd0Bfac2C891D56Cbb8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "245c582a-b168-53ce-9a3c-b291ae5bc2a0" + id = "6ec59dff-13fc-5d56-8411-cae3b4e5b807" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3062-L3080" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "03549214940a8689213bd2eb891da1c1991627c81c8b7f26860141c397409d46" + logic_hash = "v1_sha256_03549214940a8689213bd2eb891da1c1991627c81c8b7f26860141c397409d46" score = 75 quality = 90 tags = "INFO, FILE" @@ -36908,7 +36908,7 @@ rule REVERSINGLABS_Cert_Blocklist_B1Da219688E51Fd0Bfac2C891D56Cbb8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FIRNEEZ EUROPE LIMITED" and (pe.signatures[i].serial=="00:b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8" or pe.signatures[i].serial=="b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8") and 1542931200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FIRNEEZ EUROPE LIMITED" and ( pe.signatures [ i ] . serial == "00:b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8" or pe.signatures [ i ] . serial == "b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8" ) and 1542931200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36917,13 +36917,13 @@ rule REVERSINGLABS_Cert_Blocklist_7289B0F9Bd641E3E352Dc3183F8De6Be : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dc8a745f-7150-57b7-9ddc-e5a1721d8c02" + id = "6e0ea548-67a2-58f6-8e43-ec98c7e71af1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3082-L3098" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "42b068e85b3aff5e6dd5ec4979f546dc5338ebf8719d86c0641ffb8353959af9" + logic_hash = "v1_sha256_42b068e85b3aff5e6dd5ec4979f546dc5338ebf8719d86c0641ffb8353959af9" score = 75 quality = 90 tags = "INFO, FILE" @@ -36933,7 +36933,7 @@ rule REVERSINGLABS_Cert_Blocklist_7289B0F9Bd641E3E352Dc3183F8De6Be : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ICE ACTIVATION LIMITED" and pe.signatures[i].serial=="72:89:b0:f9:bd:64:1e:3e:35:2d:c3:18:3f:8d:e6:be" and 1557933274<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ICE ACTIVATION LIMITED" and pe.signatures [ i ] . serial == "72:89:b0:f9:bd:64:1e:3e:35:2d:c3:18:3f:8d:e6:be" and 1557933274 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36942,13 +36942,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fd7B7A8678A67181A54Bc7499Eba44Da : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d6456cb6-e950-54be-a7f4-5c1d622c6aab" + id = "b74f6f5f-dc93-5d86-b5b8-43f39e374385" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3100-L3118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f1e26ea26890043be2c8b9c35ba2e6758b60fe173f00bf4c77cc5289ce0d5600" + logic_hash = "v1_sha256_f1e26ea26890043be2c8b9c35ba2e6758b60fe173f00bf4c77cc5289ce0d5600" score = 75 quality = 90 tags = "INFO, FILE" @@ -36958,7 +36958,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fd7B7A8678A67181A54Bc7499Eba44Da : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "IMRAN IT SERVICES LTD" and (pe.signatures[i].serial=="00:fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da" or pe.signatures[i].serial=="fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da") and 1548028800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "IMRAN IT SERVICES LTD" and ( pe.signatures [ i ] . serial == "00:fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da" or pe.signatures [ i ] . serial == "fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da" ) and 1548028800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36967,13 +36967,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ebbdd6Cdeda40Ca64513280Ecd625C54 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2cf769dc-5108-5f18-a51e-e152180a2b66" + id = "7229d413-ec61-57ae-a8a7-9f8ae7e84fdf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3120-L3138" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1d419f2fe2a9bf744bdde48adc50e0bc48746f1576f96570385a2a1c9ba92d21" + logic_hash = "v1_sha256_1d419f2fe2a9bf744bdde48adc50e0bc48746f1576f96570385a2a1c9ba92d21" score = 75 quality = 90 tags = "INFO, FILE" @@ -36983,7 +36983,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ebbdd6Cdeda40Ca64513280Ecd625C54 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "IT PUT LIMITED" and (pe.signatures[i].serial=="00:eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54" or pe.signatures[i].serial=="eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54") and 1549238400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "IT PUT LIMITED" and ( pe.signatures [ i ] . serial == "00:eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54" or pe.signatures [ i ] . serial == "eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54" ) and 1549238400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -36992,13 +36992,13 @@ rule REVERSINGLABS_Cert_Blocklist_61Da676C1Dcfcf188276E2C70D68082E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d974b740-38fa-564d-b4c6-8955568a4e77" + id = "301c714e-5628-5353-af01-fcbf3195bafc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3140-L3156" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4f8af4a5c9812e6559218e387e32bc02cb0adcd40d9d4963fefc929f6101ae9a" + logic_hash = "v1_sha256_4f8af4a5c9812e6559218e387e32bc02cb0adcd40d9d4963fefc929f6101ae9a" score = 75 quality = 90 tags = "INFO, FILE" @@ -37008,7 +37008,7 @@ rule REVERSINGLABS_Cert_Blocklist_61Da676C1Dcfcf188276E2C70D68082E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "P2N ONLINE LTD" and pe.signatures[i].serial=="61:da:67:6c:1d:cf:cf:18:82:76:e2:c7:0d:68:08:2e" and 1552723954<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "P2N ONLINE LTD" and pe.signatures [ i ] . serial == "61:da:67:6c:1d:cf:cf:18:82:76:e2:c7:0d:68:08:2e" and 1552723954 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37017,13 +37017,13 @@ rule REVERSINGLABS_Cert_Blocklist_767436921B2698Bd18400A24B01341B6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3e3b2b75-9416-5c4f-ad47-88f92039f532" + id = "3b388db4-7903-598b-9168-5cb45804ea94" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3158-L3174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "759bbbc5929463ad68d5dcd28b30401b9ff680f522172ed8d5d7dd3772e07587" + logic_hash = "v1_sha256_759bbbc5929463ad68d5dcd28b30401b9ff680f522172ed8d5d7dd3772e07587" score = 75 quality = 90 tags = "INFO, FILE" @@ -37033,7 +37033,7 @@ rule REVERSINGLABS_Cert_Blocklist_767436921B2698Bd18400A24B01341B6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "REBROSE LEISURE LIMITED" and pe.signatures[i].serial=="76:74:36:92:1b:26:98:bd:18:40:0a:24:b0:13:41:b6" and 1556284480<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "REBROSE LEISURE LIMITED" and pe.signatures [ i ] . serial == "76:74:36:92:1b:26:98:bd:18:40:0a:24:b0:13:41:b6" and 1556284480 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37042,13 +37042,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E795531B3265510F935187Eca59920A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "953434f4-cc19-5a0a-923b-4deaadacef00" + id = "cd8cc713-44a9-55b9-95b9-2eea20336687" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3176-L3192" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d597e88314f9f20283b40058dd74167d0d72f7518277a57f26c15e44b670b386" + logic_hash = "v1_sha256_d597e88314f9f20283b40058dd74167d0d72f7518277a57f26c15e44b670b386" score = 75 quality = 90 tags = "INFO, FILE" @@ -37058,7 +37058,7 @@ rule REVERSINGLABS_Cert_Blocklist_3E795531B3265510F935187Eca59920A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "sasha catering ltd" and pe.signatures[i].serial=="3e:79:55:31:b3:26:55:10:f9:35:18:7e:ca:59:92:0a" and 1557243644<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "sasha catering ltd" and pe.signatures [ i ] . serial == "3e:79:55:31:b3:26:55:10:f9:35:18:7e:ca:59:92:0a" and 1557243644 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37067,13 +37067,13 @@ rule REVERSINGLABS_Cert_Blocklist_8F40B1485309A064A28B96Bfa3F55F36 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bad5b57e-185a-5872-9817-a7d688e24fe7" + id = "dc978d9d-136f-53ef-8af0-62964dc74502" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3194-L3212" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "58dd47bfd2acd698bc27fb03eb51e4b8598ef6c71f7193e3cc4eea63982855f0" + logic_hash = "v1_sha256_58dd47bfd2acd698bc27fb03eb51e4b8598ef6c71f7193e3cc4eea63982855f0" score = 75 quality = 90 tags = "INFO, FILE" @@ -37083,7 +37083,7 @@ rule REVERSINGLABS_Cert_Blocklist_8F40B1485309A064A28B96Bfa3F55F36 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Singh Agile Content Design Limited" and (pe.signatures[i].serial=="00:8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36" or pe.signatures[i].serial=="8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36") and 1542585600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Singh Agile Content Design Limited" and ( pe.signatures [ i ] . serial == "00:8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36" or pe.signatures [ i ] . serial == "8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36" ) and 1542585600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37092,13 +37092,13 @@ rule REVERSINGLABS_Cert_Blocklist_B2120Facadbb92Cc0A176759604C6A0F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8a90cc61-4d39-58eb-a102-c22d096d99ae" + id = "1ae77175-2d5d-58ee-8cc7-eed2f773b257" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3214-L3232" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "08462b1bd3d45824aeea901a4db19365c28d8b8b0f594657df7a59250111729b" + logic_hash = "v1_sha256_08462b1bd3d45824aeea901a4db19365c28d8b8b0f594657df7a59250111729b" score = 75 quality = 90 tags = "INFO, FILE" @@ -37108,7 +37108,7 @@ rule REVERSINGLABS_Cert_Blocklist_B2120Facadbb92Cc0A176759604C6A0F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SLON LTD" and (pe.signatures[i].serial=="00:b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f" or pe.signatures[i].serial=="b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f") and 1554249600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SLON LTD" and ( pe.signatures [ i ] . serial == "00:b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f" or pe.signatures [ i ] . serial == "b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f" ) and 1554249600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37117,13 +37117,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F407Eb50803845Cc43937823E1344C0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6989cda1-f28e-58b7-8572-a7dc2e84d9e3" + id = "492ee284-80da-58a0-8dbd-53f3883461d3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3234-L3250" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4d5a2b0619be902d8a437f204ae1b87222c73d3186930809b1f694bad429aea8" + logic_hash = "v1_sha256_4d5a2b0619be902d8a437f204ae1b87222c73d3186930809b1f694bad429aea8" score = 75 quality = 90 tags = "INFO, FILE" @@ -37133,7 +37133,7 @@ rule REVERSINGLABS_Cert_Blocklist_4F407Eb50803845Cc43937823E1344C0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SLOW COOKED VENTURES LTD" and pe.signatures[i].serial=="4f:40:7e:b5:08:03:84:5c:c4:39:37:82:3e:13:44:c0" and 1556555362<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SLOW COOKED VENTURES LTD" and pe.signatures [ i ] . serial == "4f:40:7e:b5:08:03:84:5c:c4:39:37:82:3e:13:44:c0" and 1556555362 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37142,13 +37142,13 @@ rule REVERSINGLABS_Cert_Blocklist_6922Bb5De88E4127E1Ac6969E6A199F5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "86e16068-8b0b-5f0f-af5e-5ee9f518a915" + id = "cc5bcb85-418b-53cf-8cd9-72ec5014c935" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3252-L3268" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "39dbaa232ea9125934b3682d780e3821d12e771f2b844d027d99a432fe249d9f" + logic_hash = "v1_sha256_39dbaa232ea9125934b3682d780e3821d12e771f2b844d027d99a432fe249d9f" score = 75 quality = 90 tags = "INFO, FILE" @@ -37158,7 +37158,7 @@ rule REVERSINGLABS_Cert_Blocklist_6922Bb5De88E4127E1Ac6969E6A199F5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SMACHNA PLITKA, TOV" and pe.signatures[i].serial=="69:22:bb:5d:e8:8e:41:27:e1:ac:69:69:e6:a1:99:f5" and 1552692162<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SMACHNA PLITKA, TOV" and pe.signatures [ i ] . serial == "69:22:bb:5d:e8:8e:41:27:e1:ac:69:69:e6:a1:99:f5" and 1552692162 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37167,13 +37167,13 @@ rule REVERSINGLABS_Cert_Blocklist_73065Efa163B7901Fa1Ccb0A54E80540 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "949f55a9-7aa0-50de-bb81-fed5d27c3d24" + id = "00f13686-9393-5529-8243-10e40a63201c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3270-L3286" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e420c37c04aa676c266a4c2c228063239815c173a83c39d426c5a674648f1934" + logic_hash = "v1_sha256_e420c37c04aa676c266a4c2c228063239815c173a83c39d426c5a674648f1934" score = 75 quality = 90 tags = "INFO, FILE" @@ -37183,7 +37183,7 @@ rule REVERSINGLABS_Cert_Blocklist_73065Efa163B7901Fa1Ccb0A54E80540 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SOVA CONSULTANCY LTD" and pe.signatures[i].serial=="73:06:5e:fa:16:3b:79:01:fa:1c:cb:0a:54:e8:05:40" and 1548115200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SOVA CONSULTANCY LTD" and pe.signatures [ i ] . serial == "73:06:5e:fa:16:3b:79:01:fa:1c:cb:0a:54:e8:05:40" and 1548115200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37192,13 +37192,13 @@ rule REVERSINGLABS_Cert_Blocklist_4842Afad00904Ed8C98811E652Ccb3B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f09723aa-85a6-5d96-a71e-94f0e0a0f23c" + id = "d39aa4dc-dfc6-52d2-b7c6-ba612bfabda0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3288-L3304" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b5c7c13369c7b89f1ea5474de3644a12bf6412cb3fa8ade5b66de280fb10cbf" + logic_hash = "v1_sha256_2b5c7c13369c7b89f1ea5474de3644a12bf6412cb3fa8ade5b66de280fb10cbf" score = 75 quality = 90 tags = "INFO, FILE" @@ -37208,7 +37208,7 @@ rule REVERSINGLABS_Cert_Blocklist_4842Afad00904Ed8C98811E652Ccb3B7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\"VERY EXCLUSIVE LTD\"" and pe.signatures[i].serial=="48:42:af:ad:00:90:4e:d8:c9:88:11:e6:52:cc:b3:b7" and 1545177600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\"VERY EXCLUSIVE LTD\"" and pe.signatures [ i ] . serial == "48:42:af:ad:00:90:4e:d8:c9:88:11:e6:52:cc:b3:b7" and 1545177600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37217,13 +37217,13 @@ rule REVERSINGLABS_Cert_Blocklist_5A59A686B4A904D0Fca07153Ea6Db6Cc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "018e511f-191d-5fd4-8ab0-0e5bbff44d58" + id = "8bbe8d3e-87ed-5e4c-b116-c8aeac58f1f5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3306-L3322" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7597b2ba870ec58ac0786a97fb92956406fe019c81f6176cc1a581988d3a9632" + logic_hash = "v1_sha256_7597b2ba870ec58ac0786a97fb92956406fe019c81f6176cc1a581988d3a9632" score = 75 quality = 90 tags = "INFO, FILE" @@ -37233,7 +37233,7 @@ rule REVERSINGLABS_Cert_Blocklist_5A59A686B4A904D0Fca07153Ea6Db6Cc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ABADAN PIZZA LTD" and pe.signatures[i].serial=="5a:59:a6:86:b4:a9:04:d0:fc:a0:71:53:ea:6d:b6:cc" and 1563403380<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ABADAN PIZZA LTD" and pe.signatures [ i ] . serial == "5a:59:a6:86:b4:a9:04:d0:fc:a0:71:53:ea:6d:b6:cc" and 1563403380 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37242,13 +37242,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B6D8152F4A06Ba781C6677Eea5Ab74B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dacac5fe-00dc-5080-a725-9ef69473c45e" + id = "b548f16e-fcf1-563c-a1df-2406a2eae0b3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3324-L3340" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bd20cf8e4cab2117361dbe05ae2efe813e7f55667b1f3825cd893313d98dcb5f" + logic_hash = "v1_sha256_bd20cf8e4cab2117361dbe05ae2efe813e7f55667b1f3825cd893313d98dcb5f" score = 75 quality = 90 tags = "INFO, FILE" @@ -37258,7 +37258,7 @@ rule REVERSINGLABS_Cert_Blocklist_0B6D8152F4A06Ba781C6677Eea5Ab74B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GLARYSOFT LTD" and pe.signatures[i].serial=="0b:6d:81:52:f4:a0:6b:a7:81:c6:67:7e:ea:5a:b7:4b" and 1568246400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GLARYSOFT LTD" and pe.signatures [ i ] . serial == "0b:6d:81:52:f4:a0:6b:a7:81:c6:67:7e:ea:5a:b7:4b" and 1568246400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37267,13 +37267,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Ad60Cea73E1Dd1A3E6C02D9B339C380 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "80b39632-29a7-5932-a47b-736a9e8ed686" + id = "999a4198-027f-5246-91c3-fd25b5155bdc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3342-L3358" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fb83cf25be19e7cccd2c8369c3a37a90af72cb2f76db3619b8311d2a851335a8" + logic_hash = "v1_sha256_fb83cf25be19e7cccd2c8369c3a37a90af72cb2f76db3619b8311d2a851335a8" score = 75 quality = 90 tags = "INFO, FILE" @@ -37283,7 +37283,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Ad60Cea73E1Dd1A3E6C02D9B339C380 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CUS Software GmbH" and pe.signatures[i].serial=="3a:d6:0c:ea:73:e1:dd:1a:3e:6c:02:d9:b3:39:c3:80" and 1567036800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CUS Software GmbH" and pe.signatures [ i ] . serial == "3a:d6:0c:ea:73:e1:dd:1a:3e:6c:02:d9:b3:39:c3:80" and 1567036800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37292,13 +37292,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Df2Dfed47C6Fd6542131847Cffbc102 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "306444d8-7573-58c6-b6fe-14d701942275" + id = "1ce1cf4c-a9b6-504d-ad47-a41eea02fd0c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3360-L3376" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fc6adbfd45ff6ac465aecb3db862421f02170e977fc044017f3ddc306a9f7a37" + logic_hash = "v1_sha256_fc6adbfd45ff6ac465aecb3db862421f02170e977fc044017f3ddc306a9f7a37" score = 75 quality = 90 tags = "INFO, FILE" @@ -37308,7 +37308,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Df2Dfed47C6Fd6542131847Cffbc102 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AFVIMPEX SRL" and pe.signatures[i].serial=="7d:f2:df:ed:47:c6:fd:65:42:13:18:47:cf:fb:c1:02" and 1567036800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AFVIMPEX SRL" and pe.signatures [ i ] . serial == "7d:f2:df:ed:47:c6:fd:65:42:13:18:47:cf:fb:c1:02" and 1567036800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37317,13 +37317,13 @@ rule REVERSINGLABS_Cert_Blocklist_74Fedf0F8398060Fa8378C6D174465C8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eea46214-d0f5-5e92-b678-4a1df09025ce" + id = "b49bf14f-bf2f-580a-8ba0-fa7e2ccb97b5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3378-L3394" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "406821c7990f05fdad91704f6418304f53dd4800bc4b41912177a1695858fade" + logic_hash = "v1_sha256_406821c7990f05fdad91704f6418304f53dd4800bc4b41912177a1695858fade" score = 75 quality = 90 tags = "INFO, FILE" @@ -37333,7 +37333,7 @@ rule REVERSINGLABS_Cert_Blocklist_74Fedf0F8398060Fa8378C6D174465C8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DOCS PTY LTD" and pe.signatures[i].serial=="74:fe:df:0f:83:98:06:0f:a8:37:8c:6d:17:44:65:c8" and 1566172800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DOCS PTY LTD" and pe.signatures [ i ] . serial == "74:fe:df:0f:83:98:06:0f:a8:37:8c:6d:17:44:65:c8" and 1566172800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37342,13 +37342,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Bd6A5Bba28E7C1Ca44880159Dace237 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c80245bd-908a-5b89-92e3-af0dd7bed63a" + id = "38b29b2e-eaff-520d-a6d1-e48f7510fe36" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3396-L3412" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f885c782148947d09133a3cc65319e02204c21d6c6d911b360840f25f37601dc" + logic_hash = "v1_sha256_f885c782148947d09133a3cc65319e02204c21d6c6d911b360840f25f37601dc" score = 75 quality = 90 tags = "INFO, FILE" @@ -37358,7 +37358,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Bd6A5Bba28E7C1Ca44880159Dace237 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TECHNO BEAVERS LIMITED" and pe.signatures[i].serial=="3b:d6:a5:bb:a2:8e:7c:1c:a4:48:80:15:9d:ac:e2:37" and 1563408000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TECHNO BEAVERS LIMITED" and pe.signatures [ i ] . serial == "3b:d6:a5:bb:a2:8e:7c:1c:a4:48:80:15:9d:ac:e2:37" and 1563408000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37367,13 +37367,13 @@ rule REVERSINGLABS_Cert_Blocklist_C04F8F1E00C69E96A51Bf14Aab1C6Ae0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6513160e-ece5-500b-8b0b-4b8a6e04c0af" + id = "b19746b5-a4bd-5581-9c3a-35cee7153387" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3414-L3432" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c2b5ffa305b761b57dd91c0acea0d8f82bec6b7d3608be10a20ea63621f3f3e8" + logic_hash = "v1_sha256_c2b5ffa305b761b57dd91c0acea0d8f82bec6b7d3608be10a20ea63621f3f3e8" score = 75 quality = 90 tags = "INFO, FILE" @@ -37383,7 +37383,7 @@ rule REVERSINGLABS_Cert_Blocklist_C04F8F1E00C69E96A51Bf14Aab1C6Ae0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CHAIKA, TOV" and (pe.signatures[i].serial=="00:c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0" or pe.signatures[i].serial=="c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0") and 1551398400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CHAIKA, TOV" and ( pe.signatures [ i ] . serial == "00:c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0" or pe.signatures [ i ] . serial == "c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0" ) and 1551398400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37392,13 +37392,13 @@ rule REVERSINGLABS_Cert_Blocklist_23F537Ce13C6Cccdfd3F8Ce81Fb981Cb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f48b7818-5b34-5609-822a-39a2e7fb44c5" + id = "4141d035-98ce-5ea7-963c-040799b808eb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3434-L3450" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d347bce3eddd0cac276a7504955f0342ae44fd93d238e514af5b1fdc208b68fc" + logic_hash = "v1_sha256_d347bce3eddd0cac276a7504955f0342ae44fd93d238e514af5b1fdc208b68fc" score = 75 quality = 90 tags = "INFO, FILE" @@ -37408,7 +37408,7 @@ rule REVERSINGLABS_Cert_Blocklist_23F537Ce13C6Cccdfd3F8Ce81Fb981Cb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ISECURE GROUP PTY LTD" and pe.signatures[i].serial=="23:f5:37:ce:13:c6:cc:cd:fd:3f:8c:e8:1f:b9:81:cb" and 1566086400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ISECURE GROUP PTY LTD" and pe.signatures [ i ] . serial == "23:f5:37:ce:13:c6:cc:cd:fd:3f:8c:e8:1f:b9:81:cb" and 1566086400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37417,13 +37417,13 @@ rule REVERSINGLABS_Cert_Blocklist_73Ecfdbb99Aec176Ddfcf7958D120E1A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "84e20878-e4ea-53a5-9c1b-04f3c66276de" + id = "73865e3c-6827-5002-899c-e13e8d73e6d9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3452-L3468" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d911156707cef97acf79c096b5d4a4db166ddf05237168f1ecffb0c0a2ebd8fa" + logic_hash = "v1_sha256_d911156707cef97acf79c096b5d4a4db166ddf05237168f1ecffb0c0a2ebd8fa" score = 75 quality = 90 tags = "INFO, FILE" @@ -37433,7 +37433,7 @@ rule REVERSINGLABS_Cert_Blocklist_73Ecfdbb99Aec176Ddfcf7958D120E1A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MHOW PTY LTD" and pe.signatures[i].serial=="73:ec:fd:bb:99:ae:c1:76:dd:fc:f7:95:8d:12:0e:1a" and 1566864000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MHOW PTY LTD" and pe.signatures [ i ] . serial == "73:ec:fd:bb:99:ae:c1:76:dd:fc:f7:95:8d:12:0e:1a" and 1566864000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37442,13 +37442,13 @@ rule REVERSINGLABS_Cert_Blocklist_675129Bb174A5B05E330Cc09F8Bbd70A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "97046206-efc4-58dd-a9df-4966bad3902d" + id = "c20b2560-7210-5469-a417-0e671bb1d814" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3470-L3486" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d989ea5233e8a64bffa0e29645c3458ef1f5173158ced7814c3b473b92ef49f4" + logic_hash = "v1_sha256_d989ea5233e8a64bffa0e29645c3458ef1f5173158ced7814c3b473b92ef49f4" score = 75 quality = 90 tags = "INFO, FILE" @@ -37458,7 +37458,7 @@ rule REVERSINGLABS_Cert_Blocklist_675129Bb174A5B05E330Cc09F8Bbd70A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ALEX & CO PTY LIMITED" and pe.signatures[i].serial=="67:51:29:bb:17:4a:5b:05:e3:30:cc:09:f8:bb:d7:0a" and 1565568000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ALEX & CO PTY LIMITED" and pe.signatures [ i ] . serial == "67:51:29:bb:17:4a:5b:05:e3:30:cc:09:f8:bb:d7:0a" and 1565568000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37467,13 +37467,13 @@ rule REVERSINGLABS_Cert_Blocklist_De13Fe2Dbb8F890287E1780Aff6Ffd22 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d2b15920-76ae-54e4-988c-278a3622ec52" + id = "b7a7dfcd-3663-56cf-81ce-71de38a030c9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3488-L3504" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ebd983bcfa1e5d54af9d9e07d80d05f4752040eab92e63cd986db789fa07026f" + logic_hash = "v1_sha256_ebd983bcfa1e5d54af9d9e07d80d05f4752040eab92e63cd986db789fa07026f" score = 75 quality = 90 tags = "INFO, FILE" @@ -37483,7 +37483,7 @@ rule REVERSINGLABS_Cert_Blocklist_De13Fe2Dbb8F890287E1780Aff6Ffd22 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LAST TIME PTY LTD" and pe.signatures[i].serial=="de:13:fe:2d:bb:8f:89:02:87:e1:78:0a:ff:6f:fd:22" and 1566259200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LAST TIME PTY LTD" and pe.signatures [ i ] . serial == "de:13:fe:2d:bb:8f:89:02:87:e1:78:0a:ff:6f:fd:22" and 1566259200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37492,13 +37492,13 @@ rule REVERSINGLABS_Cert_Blocklist_Da000D18949C247D4Ddfc2585Cc8Bd0F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3e939b73-abe4-5941-93ab-18bcde854aaf" + id = "0f73c82e-6a30-5650-b293-b8e4d08081d3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3506-L3524" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3453f13e633a2c233f78d0389c655bb5304e567407b3e0c5c47e5e7127c345ca" + logic_hash = "v1_sha256_3453f13e633a2c233f78d0389c655bb5304e567407b3e0c5c47e5e7127c345ca" score = 75 quality = 90 tags = "INFO, FILE" @@ -37508,7 +37508,7 @@ rule REVERSINGLABS_Cert_Blocklist_Da000D18949C247D4Ddfc2585Cc8Bd0F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PORT-SERVIS LTD" and (pe.signatures[i].serial=="00:da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f" or pe.signatures[i].serial=="da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f") and 1564444800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PORT-SERVIS LTD" and ( pe.signatures [ i ] . serial == "00:da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f" or pe.signatures [ i ] . serial == "da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f" ) and 1564444800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37517,13 +37517,13 @@ rule REVERSINGLABS_Cert_Blocklist_06E842D3Ea6249D783D6B55E29C060C7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "37829f07-c569-5e46-8b7a-2137c4c801e8" + id = "e78168d4-cb46-57cd-a68c-f251d93791b7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3526-L3542" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9f71de0119527c8580f9e47e3fba07242814c5a537d727d4541fd7a802b0cb86" + logic_hash = "v1_sha256_9f71de0119527c8580f9e47e3fba07242814c5a537d727d4541fd7a802b0cb86" score = 75 quality = 90 tags = "INFO, FILE" @@ -37533,7 +37533,7 @@ rule REVERSINGLABS_Cert_Blocklist_06E842D3Ea6249D783D6B55E29C060C7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PORT-SERVIS LTD, TOV" and pe.signatures[i].serial=="06:e8:42:d3:ea:62:49:d7:83:d6:b5:5e:29:c0:60:c7" and 1565568000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PORT-SERVIS LTD, TOV" and pe.signatures [ i ] . serial == "06:e8:42:d3:ea:62:49:d7:83:d6:b5:5e:29:c0:60:c7" and 1565568000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37542,13 +37542,13 @@ rule REVERSINGLABS_Cert_Blocklist_06473C3C19D9E1A9429B58B6Faec2967 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "01eba681-8c98-5553-b369-941b6dba11e2" + id = "f21f11d8-aa91-5766-af64-dd54e7b185fb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3544-L3560" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f9ca49ce65d213dce803806956c0ce1da0c4068bea173daae9cb06dab0a86268" + logic_hash = "v1_sha256_f9ca49ce65d213dce803806956c0ce1da0c4068bea173daae9cb06dab0a86268" score = 75 quality = 90 tags = "INFO, FILE" @@ -37558,7 +37558,7 @@ rule REVERSINGLABS_Cert_Blocklist_06473C3C19D9E1A9429B58B6Faec2967 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Digital Leadership Solutions Limited" and pe.signatures[i].serial=="06:47:3c:3c:19:d9:e1:a9:42:9b:58:b6:fa:ec:29:67" and 1581984001<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Digital Leadership Solutions Limited" and pe.signatures [ i ] . serial == "06:47:3c:3c:19:d9:e1:a9:42:9b:58:b6:fa:ec:29:67" and 1581984001 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37567,13 +37567,13 @@ rule REVERSINGLABS_Cert_Blocklist_39F56251Df2088223Cc03494084E6081 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0c475e89-9729-53b9-a301-7a9faa0fef91" + id = "297c6614-6d5d-5231-932e-794dfb5cf5a2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3562-L3578" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c87850f91758a5bb3bdf6f6d7de9a3f53077d64cebdde541ac0742d3cea4f4e0" + logic_hash = "v1_sha256_c87850f91758a5bb3bdf6f6d7de9a3f53077d64cebdde541ac0742d3cea4f4e0" score = 75 quality = 90 tags = "INFO, FILE" @@ -37583,7 +37583,7 @@ rule REVERSINGLABS_Cert_Blocklist_39F56251Df2088223Cc03494084E6081 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Inter Med Pty. Ltd." and pe.signatures[i].serial=="39:f5:62:51:df:20:88:22:3c:c0:34:94:08:4e:60:81" and 1583539200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Inter Med Pty. Ltd." and pe.signatures [ i ] . serial == "39:f5:62:51:df:20:88:22:3c:c0:34:94:08:4e:60:81" and 1583539200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37592,13 +37592,13 @@ rule REVERSINGLABS_Cert_Blocklist_1362E56D34Dc7B501E17Fa1Ac3C3E3D9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9dccd009-eca1-5f21-b5ef-1a75f9d93c7d" + id = "3ac3d879-1b81-58d9-89c5-17c52e4da99c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3580-L3596" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0415c5a49076bab23dfc29ef2d6168b93d6bfde07a89ccb0368d2c967422407a" + logic_hash = "v1_sha256_0415c5a49076bab23dfc29ef2d6168b93d6bfde07a89ccb0368d2c967422407a" score = 75 quality = 90 tags = "INFO, FILE" @@ -37608,7 +37608,7 @@ rule REVERSINGLABS_Cert_Blocklist_1362E56D34Dc7B501E17Fa1Ac3C3E3D9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO \"Amaranth\"" and pe.signatures[i].serial=="13:62:e5:6d:34:dc:7b:50:1e:17:fa:1a:c3:c3:e3:d9" and 1575936000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO \"Amaranth\"" and pe.signatures [ i ] . serial == "13:62:e5:6d:34:dc:7b:50:1e:17:fa:1a:c3:c3:e3:d9" and 1575936000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37617,13 +37617,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B83593Fc78D92Cfaa9Bdf3F97383964 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8b5a8a8e-16f5-5098-83e5-72820f4f548a" + id = "8f8cdd7c-a21e-533f-a366-180d7c52ac03" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3598-L3614" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "775e41fc102cbaeb9374984380b0e073de2a0075b9a200f8ab644bd1369ba015" + logic_hash = "v1_sha256_775e41fc102cbaeb9374984380b0e073de2a0075b9a200f8ab644bd1369ba015" score = 75 quality = 90 tags = "INFO, FILE" @@ -37633,7 +37633,7 @@ rule REVERSINGLABS_Cert_Blocklist_4B83593Fc78D92Cfaa9Bdf3F97383964 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Kometa" and pe.signatures[i].serial=="4b:83:59:3f:c7:8d:92:cf:aa:9b:df:3f:97:38:39:64" and 1579996800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Kometa" and pe.signatures [ i ] . serial == "4b:83:59:3f:c7:8d:92:cf:aa:9b:df:3f:97:38:39:64" and 1579996800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37642,13 +37642,13 @@ rule REVERSINGLABS_Cert_Blocklist_C7505E7464E00Ec1Dccd8D1B466D15Ff : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a75cc09f-de73-5db4-9ace-189e8da99053" + id = "5534af7d-71c8-5c30-9b4c-b45d4207531a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3616-L3634" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7c5c84cb9071eff6a1bd7062506b807466bb4a432d1ed073961898c6c08cc4bd" + logic_hash = "v1_sha256_7c5c84cb9071eff6a1bd7062506b807466bb4a432d1ed073961898c6c08cc4bd" score = 75 quality = 90 tags = "INFO, FILE" @@ -37658,7 +37658,7 @@ rule REVERSINGLABS_Cert_Blocklist_C7505E7464E00Ec1Dccd8D1B466D15Ff : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ltd. \"Eve Beauty\"" and (pe.signatures[i].serial=="00:c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff" or pe.signatures[i].serial=="c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff") and 1583824676<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ltd. \"Eve Beauty\"" and ( pe.signatures [ i ] . serial == "00:c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff" or pe.signatures [ i ] . serial == "c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff" ) and 1583824676 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37667,13 +37667,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cbf91988Fb83511De1B3A7A520712E9C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d2d71058-f7b9-594f-b099-75aa4774306f" + id = "9713b4eb-9489-5757-967c-db95f54f4d7c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3636-L3654" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5862a8ec43d2e545f36b815ada2bb31c4384a8161c6956a31f3bd517532923fd" + logic_hash = "v1_sha256_5862a8ec43d2e545f36b815ada2bb31c4384a8161c6956a31f3bd517532923fd" score = 75 quality = 90 tags = "INFO, FILE" @@ -37683,7 +37683,7 @@ rule REVERSINGLABS_Cert_Blocklist_Cbf91988Fb83511De1B3A7A520712E9C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ltd. \"Eve Beauty\"" and (pe.signatures[i].serial=="00:cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c" or pe.signatures[i].serial=="cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c") and 1578786662<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ltd. \"Eve Beauty\"" and ( pe.signatures [ i ] . serial == "00:cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c" or pe.signatures [ i ] . serial == "cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c" ) and 1578786662 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37692,13 +37692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ce3675Ae4Abfe688870Bcacb63060F4F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "586c9de9-e1b0-5d17-9783-c9e18dfdf463" + id = "84702e36-0b27-5ed8-a891-54f983a0b526" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3656-L3674" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0c6f2ef55bef283a3f915fd8c1ced27c3c665f7f490caeea0f180c2d7fa2b2b5" + logic_hash = "v1_sha256_0c6f2ef55bef283a3f915fd8c1ced27c3c665f7f490caeea0f180c2d7fa2b2b5" score = 75 quality = 90 tags = "INFO, FILE" @@ -37708,7 +37708,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ce3675Ae4Abfe688870Bcacb63060F4F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO \"MPS\"" and (pe.signatures[i].serial=="00:ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f" or pe.signatures[i].serial=="ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f") and 1582675200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO \"MPS\"" and ( pe.signatures [ i ] . serial == "00:ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f" or pe.signatures [ i ] . serial == "ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f" ) and 1582675200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37717,13 +37717,13 @@ rule REVERSINGLABS_Cert_Blocklist_9813229Efe0046D23542Cc7569D5A403 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0cf7573f-290d-58ac-989f-f82e9313d54e" + id = "36aebce1-04f7-5d10-8adc-163ff92294a0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3676-L3694" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0d8f0df83572b8d31f29cb76f44d524fd1ae0467d2d99af959e45694524d18e8" + logic_hash = "v1_sha256_0d8f0df83572b8d31f29cb76f44d524fd1ae0467d2d99af959e45694524d18e8" score = 75 quality = 90 tags = "INFO, FILE" @@ -37733,7 +37733,7 @@ rule REVERSINGLABS_Cert_Blocklist_9813229Efe0046D23542Cc7569D5A403 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO \"MPS\"" and (pe.signatures[i].serial=="00:98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03" or pe.signatures[i].serial=="98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03") and 1575849600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO \"MPS\"" and ( pe.signatures [ i ] . serial == "00:98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03" or pe.signatures [ i ] . serial == "98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03" ) and 1575849600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37742,13 +37742,13 @@ rule REVERSINGLABS_Cert_Blocklist_86E5A9B9E89E5075C475006D0Ca03832 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f3058f56-dcbb-532a-b914-5ac0e6d70e6e" + id = "800de760-3157-5b1c-8a37-fcefc26bfb9c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3696-L3714" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5ba0b0f1b104eb11023590b8ef2b9cc747372bc9310a754694d45d3b3ce293e9" + logic_hash = "v1_sha256_5ba0b0f1b104eb11023590b8ef2b9cc747372bc9310a754694d45d3b3ce293e9" score = 75 quality = 90 tags = "INFO, FILE" @@ -37758,7 +37758,7 @@ rule REVERSINGLABS_Cert_Blocklist_86E5A9B9E89E5075C475006D0Ca03832 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BlueMarble GmbH" and (pe.signatures[i].serial=="00:86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32" or pe.signatures[i].serial=="86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32") and 1574791194<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BlueMarble GmbH" and ( pe.signatures [ i ] . serial == "00:86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32" or pe.signatures [ i ] . serial == "86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32" ) and 1574791194 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37767,13 +37767,13 @@ rule REVERSINGLABS_Cert_Blocklist_075Dca9Ca84B93E8A89B775128F90302 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2fa6b400-7c6c-5bc4-9cac-78d52003a24e" + id = "ae702caf-abbe-5bc1-8730-50a515d652ae" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3716-L3732" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "32af21e71fb3475c50de4cd8a24fa0aec1ee67bc01c1a3720c12f9ce822833c3" + logic_hash = "v1_sha256_32af21e71fb3475c50de4cd8a24fa0aec1ee67bc01c1a3720c12f9ce822833c3" score = 75 quality = 90 tags = "INFO, FILE" @@ -37783,7 +37783,7 @@ rule REVERSINGLABS_Cert_Blocklist_075Dca9Ca84B93E8A89B775128F90302 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "UAB GT-servis" and pe.signatures[i].serial=="07:5d:ca:9c:a8:4b:93:e8:a8:9b:77:51:28:f9:03:02" and 1579305601<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "UAB GT-servis" and pe.signatures [ i ] . serial == "07:5d:ca:9c:a8:4b:93:e8:a8:9b:77:51:28:f9:03:02" and 1579305601 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37792,13 +37792,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ddce8Cdc91B5B649Bb4B45Ffbba6C6C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9de11ec8-f408-593c-895f-08dff703ff10" + id = "e86eaa00-a5fe-561d-b6ad-227a27c9ab70" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3734-L3750" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "622e6ed08ca26908539519f37cf493f8030100bd5e88cb05e851b7d56b0f4c0d" + logic_hash = "v1_sha256_622e6ed08ca26908539519f37cf493f8030100bd5e88cb05e851b7d56b0f4c0d" score = 75 quality = 90 tags = "INFO, FILE" @@ -37808,7 +37808,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Ddce8Cdc91B5B649Bb4B45Ffbba6C6C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SLIM DOG GROUP SP Z O O" and pe.signatures[i].serial=="0d:dc:e8:cd:c9:1b:5b:64:9b:b4:b4:5f:fb:ba:6c:6c" and 1580722435<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SLIM DOG GROUP SP Z O O" and pe.signatures [ i ] . serial == "0d:dc:e8:cd:c9:1b:5b:64:9b:b4:b4:5f:fb:ba:6c:6c" and 1580722435 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37817,13 +37817,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Bd614D5869Bb66C96B67E154D517384 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eb42b516-aac6-5bee-af1d-70e0e66700f5" + id = "b0bf3e33-70b7-50c0-8f14-afed558fc172" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3752-L3770" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d9eea38a1340797cef129b12cf2bb46c444e6f312db7356260f0ac0d9e63183d" + logic_hash = "v1_sha256_d9eea38a1340797cef129b12cf2bb46c444e6f312db7356260f0ac0d9e63183d" score = 75 quality = 90 tags = "INFO, FILE" @@ -37833,7 +37833,7 @@ rule REVERSINGLABS_Cert_Blocklist_9Bd614D5869Bb66C96B67E154D517384 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\"CENTR MBP\"" and (pe.signatures[i].serial=="00:9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84" or pe.signatures[i].serial=="9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84") and 1581618180<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\"CENTR MBP\"" and ( pe.signatures [ i ] . serial == "00:9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84" or pe.signatures [ i ] . serial == "9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84" ) and 1581618180 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37842,13 +37842,13 @@ rule REVERSINGLABS_Cert_Blocklist_540Cea639D5D48669B7F2F64 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bfc514b6-43ef-5343-b5f2-d39168ba3e8d" + id = "b0c0ddc6-91c9-5ee3-bc36-c9c51385f138" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3772-L3788" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3d3774f10ff9949ea13a7892662438b84b3eb895fc986092649fa9b192170d48" + logic_hash = "v1_sha256_3d3774f10ff9949ea13a7892662438b84b3eb895fc986092649fa9b192170d48" score = 75 quality = 90 tags = "INFO, FILE" @@ -37858,7 +37858,7 @@ rule REVERSINGLABS_Cert_Blocklist_540Cea639D5D48669B7F2F64 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CENTR MBP LLC" and pe.signatures[i].serial=="54:0c:ea:63:9d:5d:48:66:9b:7f:2f:64" and 1570871755<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CENTR MBP LLC" and pe.signatures [ i ] . serial == "54:0c:ea:63:9d:5d:48:66:9b:7f:2f:64" and 1570871755 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37867,13 +37867,13 @@ rule REVERSINGLABS_Cert_Blocklist_03A7748A4355020A652466B5E02E07De : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "10134543-04fa-5a2f-8f77-98444ad1d7f0" + id = "e8a92f1c-79a4-5873-b666-e1f7260e3a6d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3790-L3806" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6dc6d0fd2b702939847981ff31c2d8103227ccd0c19f999849ff89c64a90f92f" + logic_hash = "v1_sha256_6dc6d0fd2b702939847981ff31c2d8103227ccd0c19f999849ff89c64a90f92f" score = 75 quality = 90 tags = "INFO, FILE" @@ -37883,7 +37883,7 @@ rule REVERSINGLABS_Cert_Blocklist_03A7748A4355020A652466B5E02E07De : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Teleneras MB" and pe.signatures[i].serial=="03:a7:74:8a:43:55:02:0a:65:24:66:b5:e0:2e:07:de" and 1575244801<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Teleneras MB" and pe.signatures [ i ] . serial == "03:a7:74:8a:43:55:02:0a:65:24:66:b5:e0:2e:07:de" and 1575244801 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37892,13 +37892,13 @@ rule REVERSINGLABS_Cert_Blocklist_B881A72D4117Bbc38B81D3C65C792C1A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "593c1799-a5df-5b3e-8a8b-826d808a14f0" + id = "1d6b118d-4d7f-5629-91f3-0289e578924e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3808-L3826" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bad2a06090f077ebc635d21446b47c9f115fe477567afb3d5994043f5a7883b1" + logic_hash = "v1_sha256_bad2a06090f077ebc635d21446b47c9f115fe477567afb3d5994043f5a7883b1" score = 75 quality = 90 tags = "INFO, FILE" @@ -37908,7 +37908,7 @@ rule REVERSINGLABS_Cert_Blocklist_B881A72D4117Bbc38B81D3C65C792C1A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Red GmbH" and (pe.signatures[i].serial=="00:b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a" or pe.signatures[i].serial=="b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a") and 1581936420<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Red GmbH" and ( pe.signatures [ i ] . serial == "00:b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a" or pe.signatures [ i ] . serial == "b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a" ) and 1581936420 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37917,13 +37917,13 @@ rule REVERSINGLABS_Cert_Blocklist_08653Ef2Ed9E6Ebb56Ffa7E93F963235 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9ac976c0-260f-5207-ae39-bbb722c38a92" + id = "f0b58bac-69b4-51d4-80d5-3cb01ce29ecd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3828-L3844" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5ae8d2fb03cd0f945c2f5eb86de4e5da4fbb1cdf233d8a808157304538ced872" + logic_hash = "v1_sha256_5ae8d2fb03cd0f945c2f5eb86de4e5da4fbb1cdf233d8a808157304538ced872" score = 75 quality = 90 tags = "INFO, FILE" @@ -37933,7 +37933,7 @@ rule REVERSINGLABS_Cert_Blocklist_08653Ef2Ed9E6Ebb56Ffa7E93F963235 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Haw Farm LIMITED" and pe.signatures[i].serial=="08:65:3e:f2:ed:9e:6e:bb:56:ff:a7:e9:3f:96:32:35" and 1581465601<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Haw Farm LIMITED" and pe.signatures [ i ] . serial == "08:65:3e:f2:ed:9e:6e:bb:56:ff:a7:e9:3f:96:32:35" and 1581465601 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37942,13 +37942,13 @@ rule REVERSINGLABS_Cert_Blocklist_9C4816D900A6Ecdbe54Adf72B19Ebcf5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bd22372d-774b-5e25-b4e5-47d34fe1c40b" + id = "489d1dbd-64fc-5a71-9a81-a74a5307b6af" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3846-L3864" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "92e8130f444417d5bc3788721280338bbed33e3362104de0cf27bc7c1fc30d0e" + logic_hash = "v1_sha256_92e8130f444417d5bc3788721280338bbed33e3362104de0cf27bc7c1fc30d0e" score = 75 quality = 90 tags = "INFO, FILE" @@ -37958,7 +37958,7 @@ rule REVERSINGLABS_Cert_Blocklist_9C4816D900A6Ecdbe54Adf72B19Ebcf5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Datamingo Limited" and (pe.signatures[i].serial=="00:9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5" or pe.signatures[i].serial=="9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5") and 1557187200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Datamingo Limited" and ( pe.signatures [ i ] . serial == "00:9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5" or pe.signatures [ i ] . serial == "9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5" ) and 1557187200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37967,13 +37967,13 @@ rule REVERSINGLABS_Cert_Blocklist_269174F9Fe7C6Ed4E1D19B26C3F5B35F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fbcf1f18-f612-5516-9a67-2564de76c456" + id = "542a6f40-afbf-5f00-91a6-f8a63833a517" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3866-L3882" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "95c9720d6311c2fe7026b6cac092d59967479e6c9382eac1d26f7745efa92860" + logic_hash = "v1_sha256_95c9720d6311c2fe7026b6cac092d59967479e6c9382eac1d26f7745efa92860" score = 75 quality = 90 tags = "INFO, FILE" @@ -37983,7 +37983,7 @@ rule REVERSINGLABS_Cert_Blocklist_269174F9Fe7C6Ed4E1D19B26C3F5B35F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GO ONLINE d.o.o." and pe.signatures[i].serial=="26:91:74:f9:fe:7c:6e:d4:e1:d1:9b:26:c3:f5:b3:5f" and 1586386919<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GO ONLINE d.o.o." and pe.signatures [ i ] . serial == "26:91:74:f9:fe:7c:6e:d4:e1:d1:9b:26:c3:f5:b3:5f" and 1586386919 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -37992,13 +37992,13 @@ rule REVERSINGLABS_Cert_Blocklist_523Fb4036368Dc26192D68827F2D889B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bfce2ea9-cbe0-5b58-b7f8-39d2dad28db6" + id = "6f36517e-1177-52fb-be01-0778dc4f226d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3884-L3900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f1886a046305637d335c493972560de56d8186bf99183aed5e2040b2e530fc22" + logic_hash = "v1_sha256_f1886a046305637d335c493972560de56d8186bf99183aed5e2040b2e530fc22" score = 75 quality = 90 tags = "INFO, FILE" @@ -38008,7 +38008,7 @@ rule REVERSINGLABS_Cert_Blocklist_523Fb4036368Dc26192D68827F2D889B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO MEDUZA SERVICE GROUP" and pe.signatures[i].serial=="52:3f:b4:03:63:68:dc:26:19:2d:68:82:7f:2d:88:9b" and 1586847880<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO MEDUZA SERVICE GROUP" and pe.signatures [ i ] . serial == "52:3f:b4:03:63:68:dc:26:19:2d:68:82:7f:2d:88:9b" and 1586847880 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38017,13 +38017,13 @@ rule REVERSINGLABS_Cert_Blocklist_84F842F6D33Cd2F25B88Dd1710E21137 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "202593d3-d63a-5852-b680-516504d92031" + id = "5bf7d159-35af-517b-ab52-737213324f9c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3902-L3920" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5aad8e95d1306626b63d767fce4706104330dd776b75c09cc404227863564307" + logic_hash = "v1_sha256_5aad8e95d1306626b63d767fce4706104330dd776b75c09cc404227863564307" score = 75 quality = 90 tags = "INFO, FILE" @@ -38033,7 +38033,7 @@ rule REVERSINGLABS_Cert_Blocklist_84F842F6D33Cd2F25B88Dd1710E21137 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DataNext s.r.o." and (pe.signatures[i].serial=="00:84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37" or pe.signatures[i].serial=="84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37") and 1586775720<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DataNext s.r.o." and ( pe.signatures [ i ] . serial == "00:84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37" or pe.signatures [ i ] . serial == "84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37" ) and 1586775720 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38042,13 +38042,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Fbcaa289Ba925B4E247809B6B028202 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d0c4c6c0-d8e3-5efc-a87b-01d1f98a2c18" + id = "4b372679-4789-5587-8d86-36b39cb1b38c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3922-L3938" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c41a4f9ccda54b9735313edf9042b831e6eaca149c089f74a823cee6719e1064" + logic_hash = "v1_sha256_c41a4f9ccda54b9735313edf9042b831e6eaca149c089f74a823cee6719e1064" score = 75 quality = 90 tags = "INFO, FILE" @@ -38058,7 +38058,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Fbcaa289Ba925B4E247809B6B028202 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kimjac ApS" and pe.signatures[i].serial=="4f:bc:aa:28:9b:a9:25:b4:e2:47:80:9b:6b:02:82:02" and 1588227220<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kimjac ApS" and pe.signatures [ i ] . serial == "4f:bc:aa:28:9b:a9:25:b4:e2:47:80:9b:6b:02:82:02" and 1588227220 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38067,13 +38067,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F2E8Effbb08C7Dbcc7A7F2D835457B5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cf032593-e742-56d5-a579-3f38a31e2c0c" + id = "a6ab629a-a720-5cca-8d10-e18b593fd74f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3940-L3956" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0b446641617d435c3d312592957e19c3d391b0149eafcf9ac2da51e8d9080eb4" + logic_hash = "v1_sha256_0b446641617d435c3d312592957e19c3d391b0149eafcf9ac2da51e8d9080eb4" score = 75 quality = 90 tags = "INFO, FILE" @@ -38083,7 +38083,7 @@ rule REVERSINGLABS_Cert_Blocklist_1F2E8Effbb08C7Dbcc7A7F2D835457B5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RTI, OOO" and pe.signatures[i].serial=="1f:2e:8e:ff:bb:08:c7:db:cc:7a:7f:2d:83:54:57:b5" and 1581382360<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RTI, OOO" and pe.signatures [ i ] . serial == "1f:2e:8e:ff:bb:08:c7:db:cc:7a:7f:2d:83:54:57:b5" and 1581382360 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38092,13 +38092,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aeba4C39306Fdd022849867801645814 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f8cb78cf-541c-5038-b7af-83679c978ec8" + id = "256a339d-9540-518e-b7bf-fec5c903bd5f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3958-L3976" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "82c149f1d8ef93a0df2035690c5cdca935236687bc36a35a84c3d6610eb6902c" + logic_hash = "v1_sha256_82c149f1d8ef93a0df2035690c5cdca935236687bc36a35a84c3d6610eb6902c" score = 75 quality = 90 tags = "INFO, FILE" @@ -38108,7 +38108,7 @@ rule REVERSINGLABS_Cert_Blocklist_Aeba4C39306Fdd022849867801645814 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SK AI MAS GmbH" and (pe.signatures[i].serial=="00:ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14" or pe.signatures[i].serial=="ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14") and 1579478400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SK AI MAS GmbH" and ( pe.signatures [ i ] . serial == "00:ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14" or pe.signatures [ i ] . serial == "ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14" ) and 1579478400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38117,13 +38117,13 @@ rule REVERSINGLABS_Cert_Blocklist_028D50Ae0C554B49148E82Db5B1C2699 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "76ccda8a-bdea-5db2-a3a4-11292bfb3c95" + id = "12d55d8a-d086-5ee9-9bbd-a318841e38dc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3978-L3994" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e3cc0066cad56d78a3f42e092befa3b0855b2ed33c8465c5ecbb19fec082d35e" + logic_hash = "v1_sha256_e3cc0066cad56d78a3f42e092befa3b0855b2ed33c8465c5ecbb19fec082d35e" score = 75 quality = 90 tags = "INFO, FILE" @@ -38133,7 +38133,7 @@ rule REVERSINGLABS_Cert_Blocklist_028D50Ae0C554B49148E82Db5B1C2699 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VAS CO PTY LTD" and pe.signatures[i].serial=="02:8d:50:ae:0c:55:4b:49:14:8e:82:db:5b:1c:26:99" and 1579478400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VAS CO PTY LTD" and pe.signatures [ i ] . serial == "02:8d:50:ae:0c:55:4b:49:14:8e:82:db:5b:1c:26:99" and 1579478400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38142,13 +38142,13 @@ rule REVERSINGLABS_Cert_Blocklist_684F478C7259Dde0Cfe2260112Ca9846 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "840af428-47e0-529e-9db9-8ab9c968f2e3" + id = "4a23a94a-ef9f-5a47-bbe6-56247a926206" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3996-L4012" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "59654ba1df27029a04ef3b1a1bb54f6c15b727f2013923a11a729752b8829743" + logic_hash = "v1_sha256_59654ba1df27029a04ef3b1a1bb54f6c15b727f2013923a11a729752b8829743" score = 75 quality = 90 tags = "INFO, FILE" @@ -38158,7 +38158,7 @@ rule REVERSINGLABS_Cert_Blocklist_684F478C7259Dde0Cfe2260112Ca9846 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LLC \"IP EM\"" and pe.signatures[i].serial=="68:4f:47:8c:72:59:dd:e0:cf:e2:26:01:12:ca:98:46" and 1584981648<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LLC \"IP EM\"" and pe.signatures [ i ] . serial == "68:4f:47:8c:72:59:dd:e0:cf:e2:26:01:12:ca:98:46" and 1584981648 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38167,13 +38167,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B7C32208A954A483Dd102E1Be094867 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d16e74d8-2c46-508b-b518-a542603ca726" + id = "41984ca7-7514-5cfb-aa55-db2b8fd6e6ff" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4014-L4030" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "49e2208a7d2b5684283c1dfc9856f864d16b50f951f58e0252c97419819a46ec" + logic_hash = "v1_sha256_49e2208a7d2b5684283c1dfc9856f864d16b50f951f58e0252c97419819a46ec" score = 75 quality = 90 tags = "INFO, FILE" @@ -38183,7 +38183,7 @@ rule REVERSINGLABS_Cert_Blocklist_0B7C32208A954A483Dd102E1Be094867 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Win Sp Z O O" and pe.signatures[i].serial=="0b:7c:32:20:8a:95:4a:48:3d:d1:02:e1:be:09:48:67" and 1583884800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Win Sp Z O O" and pe.signatures [ i ] . serial == "0b:7c:32:20:8a:95:4a:48:3d:d1:02:e1:be:09:48:67" and 1583884800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38192,13 +38192,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E72Daf2B9A4449E946009E5084A8E76 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aa7c6cbe-0794-59e3-a675-93beeccc9784" + id = "40757a7e-f776-5151-ad11-3364533d5988" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4032-L4048" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f1a7bf6c18e0ebf8aef53feb7d7789ce87c96e00962c64e07a37d968702d2fa5" + logic_hash = "v1_sha256_f1a7bf6c18e0ebf8aef53feb7d7789ce87c96e00962c64e07a37d968702d2fa5" score = 75 quality = 90 tags = "INFO, FILE" @@ -38208,7 +38208,7 @@ rule REVERSINGLABS_Cert_Blocklist_3E72Daf2B9A4449E946009E5084A8E76 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Infoteh63" and pe.signatures[i].serial=="3e:72:da:f2:b9:a4:44:9e:94:60:09:e5:08:4a:8e:76" and 1591787570<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Infoteh63" and pe.signatures [ i ] . serial == "3e:72:da:f2:b9:a4:44:9e:94:60:09:e5:08:4a:8e:76" and 1591787570 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38217,13 +38217,13 @@ rule REVERSINGLABS_Cert_Blocklist_11Edd343E21C36Ac985555D85C16135F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "219f709f-4e05-5d0e-97a4-eca1e65153a3" + id = "0da68966-6e67-5098-ac1b-fc88fdc5eee7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4050-L4066" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "17feeed4be074a30572eb12fc81dc15d1b06f2d3f7b4b4fb4443391c62ac4d9b" + logic_hash = "v1_sha256_17feeed4be074a30572eb12fc81dc15d1b06f2d3f7b4b4fb4443391c62ac4d9b" score = 75 quality = 90 tags = "INFO, FILE" @@ -38233,7 +38233,7 @@ rule REVERSINGLABS_Cert_Blocklist_11Edd343E21C36Ac985555D85C16135F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Pribyl Handels GmbH" and pe.signatures[i].serial=="11:ed:d3:43:e2:1c:36:ac:98:55:55:d8:5c:16:13:5f" and 1589925600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Pribyl Handels GmbH" and pe.signatures [ i ] . serial == "11:ed:d3:43:e2:1c:36:ac:98:55:55:d8:5c:16:13:5f" and 1589925600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38242,13 +38242,13 @@ rule REVERSINGLABS_Cert_Blocklist_093Fe63D1A5F68F14Ecaac871A03F7A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ce0b23fd-5f79-5b90-8d5c-2ff59ac39df6" + id = "5e39a81b-20a1-5ef6-b3c2-d1b6514a6a9a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4068-L4084" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "333c58a9af2d94604b637ab0a7280b6688a89ff73e30a93a8daed040fab7f620" + logic_hash = "v1_sha256_333c58a9af2d94604b637ab0a7280b6688a89ff73e30a93a8daed040fab7f620" score = 75 quality = 90 tags = "INFO, FILE" @@ -38258,7 +38258,7 @@ rule REVERSINGLABS_Cert_Blocklist_093Fe63D1A5F68F14Ecaac871A03F7A3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SPECTACLE IMAGE LTD" and pe.signatures[i].serial=="09:3f:e6:3d:1a:5f:68:f1:4e:ca:ac:87:1a:03:f7:a3" and 1562716800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SPECTACLE IMAGE LTD" and pe.signatures [ i ] . serial == "09:3f:e6:3d:1a:5f:68:f1:4e:ca:ac:87:1a:03:f7:a3" and 1562716800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38267,13 +38267,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bb26B7B6634D5Db548C437B5085B01C1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "443a876a-dfd7-5a9e-bb15-a44a53363494" + id = "6912d4e9-c0e8-54af-a391-75d9fa3d1663" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4086-L4104" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "58d574b196f84416eb04000205cd8f4817618003f2948bb0eb7d951c282ef6ff" + logic_hash = "v1_sha256_58d574b196f84416eb04000205cd8f4817618003f2948bb0eb7d951c282ef6ff" score = 75 quality = 90 tags = "INFO, FILE" @@ -38283,7 +38283,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bb26B7B6634D5Db548C437B5085B01C1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO \"IT Mott\"" and (pe.signatures[i].serial=="00:bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1" or pe.signatures[i].serial=="bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1") and 1591919307<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO \"IT Mott\"" and ( pe.signatures [ i ] . serial == "00:bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1" or pe.signatures [ i ] . serial == "bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1" ) and 1591919307 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38292,13 +38292,13 @@ rule REVERSINGLABS_Cert_Blocklist_29128A56E7B3Bfb230742591Ac8B4718 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b868d2f2-3852-57a3-be01-32cc16eb2ff7" + id = "0012272c-b784-5dd0-85a4-e3e27331de7c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4106-L4122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5a89fec015e56ddddaed75be91a87288dcd27841937d26e3416187913c4f0b85" + logic_hash = "v1_sha256_5a89fec015e56ddddaed75be91a87288dcd27841937d26e3416187913c4f0b85" score = 75 quality = 90 tags = "INFO, FILE" @@ -38308,7 +38308,7 @@ rule REVERSINGLABS_Cert_Blocklist_29128A56E7B3Bfb230742591Ac8B4718 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Programavimo paslaugos, MB" and pe.signatures[i].serial=="29:12:8a:56:e7:b3:bf:b2:30:74:25:91:ac:8b:47:18" and 1590900909<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Programavimo paslaugos, MB" and pe.signatures [ i ] . serial == "29:12:8a:56:e7:b3:bf:b2:30:74:25:91:ac:8b:47:18" and 1590900909 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38317,13 +38317,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Bfbfdfef43608730Ee14779Ee3Ee2Cb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fdc2f6a0-8fae-537e-812f-b0c292f76b1e" + id = "a5e8ad86-5720-5c1c-90f0-dc4f8d7c4efa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4124-L4140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f8f233b78e9d3558b0cd7978e3c5fa32645a3bb706c6fdec7f1e4195cf513f10" + logic_hash = "v1_sha256_f8f233b78e9d3558b0cd7978e3c5fa32645a3bb706c6fdec7f1e4195cf513f10" score = 75 quality = 90 tags = "INFO, FILE" @@ -38333,7 +38333,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Bfbfdfef43608730Ee14779Ee3Ee2Cb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CSTech Software Inc." and pe.signatures[i].serial=="7b:fb:fd:fe:f4:36:08:73:0e:e1:47:79:ee:3e:e2:cb" and 1590537600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CSTech Software Inc." and pe.signatures [ i ] . serial == "7b:fb:fd:fe:f4:36:08:73:0e:e1:47:79:ee:3e:e2:cb" and 1590537600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38342,13 +38342,13 @@ rule REVERSINGLABS_Cert_Blocklist_62205361A758B00572D417Cba014F007 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "85da8e0e-d791-5fed-b9ea-c681462651a6" + id = "f8f94762-be3b-5b36-8fd4-3df51025c0b1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4142-L4158" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ebf28921c81191bcf6130baf6532122bb320cc916e38ab225f0acdcb57ea00f3" + logic_hash = "v1_sha256_ebf28921c81191bcf6130baf6532122bb320cc916e38ab225f0acdcb57ea00f3" score = 75 quality = 90 tags = "INFO, FILE" @@ -38358,7 +38358,7 @@ rule REVERSINGLABS_Cert_Blocklist_62205361A758B00572D417Cba014F007 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "UNITEKH-S, OOO" and pe.signatures[i].serial=="62:20:53:61:a7:58:b0:05:72:d4:17:cb:a0:14:f0:07" and 1590470683<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "UNITEKH-S, OOO" and pe.signatures [ i ] . serial == "62:20:53:61:a7:58:b0:05:72:d4:17:cb:a0:14:f0:07" and 1590470683 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38367,13 +38367,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B47D18Dbea57Abd1563Ddf89F87A6C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "689c1f80-3b3c-5bd7-9129-4f508cad7fb4" + id = "e5409489-1391-5abb-b325-6388cf6f2dc5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4160-L4176" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2e464f4e9bfe0c9510a78552acffb241d2435ea9bf3f5f2501353d7f8f280d78" + logic_hash = "v1_sha256_2e464f4e9bfe0c9510a78552acffb241d2435ea9bf3f5f2501353d7f8f280d78" score = 75 quality = 90 tags = "INFO, FILE" @@ -38383,7 +38383,7 @@ rule REVERSINGLABS_Cert_Blocklist_4B47D18Dbea57Abd1563Ddf89F87A6C2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "KBK, OOO" and pe.signatures[i].serial=="4b:47:d1:8d:be:a5:7a:bd:15:63:dd:f8:9f:87:a6:c2" and 1590485607<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "KBK, OOO" and pe.signatures [ i ] . serial == "4b:47:d1:8d:be:a5:7a:bd:15:63:dd:f8:9f:87:a6:c2" and 1590485607 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38392,13 +38392,13 @@ rule REVERSINGLABS_Cert_Blocklist_Be41E2C7Bb2493044B9241Abb732599D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "81e5a8f3-0893-534a-ab4f-5c2c47078b40" + id = "98a353c0-7b68-5ce7-aa32-492c835577e5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4178-L4196" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "eb5d94b80fd030d14dc26878895c61761825f3c77209ca0280e88dcd1800f9c2" + logic_hash = "v1_sha256_eb5d94b80fd030d14dc26878895c61761825f3c77209ca0280e88dcd1800f9c2" score = 75 quality = 90 tags = "INFO, FILE" @@ -38408,7 +38408,7 @@ rule REVERSINGLABS_Cert_Blocklist_Be41E2C7Bb2493044B9241Abb732599D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Company Babylon" and (pe.signatures[i].serial=="00:be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d" or pe.signatures[i].serial=="be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d") and 1589146251<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Company Babylon" and ( pe.signatures [ i ] . serial == "00:be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d" or pe.signatures [ i ] . serial == "be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d" ) and 1589146251 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38417,13 +38417,13 @@ rule REVERSINGLABS_Cert_Blocklist_15C5Af15Afecf1C900Cbab0Ca9165629 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "de734943-e735-5895-b76e-5f8588a77540" + id = "8dbaaf3b-8ff2-5b47-b82b-4cb8d0657f03" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4198-L4214" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5c54f32dbac271b2b60ec40bd052b5566a512cd2bcb4255057b21262806882d2" + logic_hash = "v1_sha256_5c54f32dbac271b2b60ec40bd052b5566a512cd2bcb4255057b21262806882d2" score = 75 quality = 90 tags = "INFO, FILE" @@ -38433,7 +38433,7 @@ rule REVERSINGLABS_Cert_Blocklist_15C5Af15Afecf1C900Cbab0Ca9165629 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kompaniya Auttek" and pe.signatures[i].serial=="15:c5:af:15:af:ec:f1:c9:00:cb:ab:0c:a9:16:56:29" and 1586091840<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kompaniya Auttek" and pe.signatures [ i ] . serial == "15:c5:af:15:af:ec:f1:c9:00:cb:ab:0c:a9:16:56:29" and 1586091840 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38442,13 +38442,13 @@ rule REVERSINGLABS_Cert_Blocklist_476De2F108D20B43Ba3Bae6F331Af8F1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5a741e6d-9b58-5536-8987-b3c36cdfcd5f" + id = "55d2d0d6-b485-5379-af98-552acf0be063" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4216-L4232" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e5edf3e15b2139ba6cd85f2cfea63b53f7fa36a3fd7224a4a9ccbe5de6eb6f1d" + logic_hash = "v1_sha256_e5edf3e15b2139ba6cd85f2cfea63b53f7fa36a3fd7224a4a9ccbe5de6eb6f1d" score = 75 quality = 90 tags = "INFO, FILE" @@ -38458,7 +38458,7 @@ rule REVERSINGLABS_Cert_Blocklist_476De2F108D20B43Ba3Bae6F331Af8F1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Digiwill Limited" and pe.signatures[i].serial=="47:6d:e2:f1:08:d2:0b:43:ba:3b:ae:6f:33:1a:f8:f1" and 1588135722<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Digiwill Limited" and pe.signatures [ i ] . serial == "47:6d:e2:f1:08:d2:0b:43:ba:3b:ae:6f:33:1a:f8:f1" and 1588135722 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38467,13 +38467,13 @@ rule REVERSINGLABS_Cert_Blocklist_08Ddcc67F8Cad6929607E4Cda29B3503 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3563547f-556b-56e3-ad25-cfec0294fe93" + id = "a8e97bdd-2493-5847-9014-5fb2b950cd6b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4234-L4250" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4cd975312ca825b51f34f5c89184a56526877436224c1e7407d715b28ebfd9d5" + logic_hash = "v1_sha256_4cd975312ca825b51f34f5c89184a56526877436224c1e7407d715b28ebfd9d5" score = 75 quality = 90 tags = "INFO, FILE" @@ -38483,7 +38483,7 @@ rule REVERSINGLABS_Cert_Blocklist_08Ddcc67F8Cad6929607E4Cda29B3503 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FAN-CHAI, TOV" and pe.signatures[i].serial=="08:dd:cc:67:f8:ca:d6:92:96:07:e4:cd:a2:9b:35:03" and 1564310268<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FAN-CHAI, TOV" and pe.signatures [ i ] . serial == "08:dd:cc:67:f8:ca:d6:92:96:07:e4:cd:a2:9b:35:03" and 1564310268 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38492,13 +38492,13 @@ rule REVERSINGLABS_Cert_Blocklist_052242Ace583Adf2A3B96Adcb04D0812 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "22104929-e2c5-565c-975c-826f666e78e2" + id = "69994d14-e9eb-5973-af2d-5c88e7b84ca3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4252-L4268" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e1593a2bf375912e411d5f19d9e232c6b87f0897bb6f1c0b0539380b34b05af5" + logic_hash = "v1_sha256_e1593a2bf375912e411d5f19d9e232c6b87f0897bb6f1c0b0539380b34b05af5" score = 75 quality = 90 tags = "INFO, FILE" @@ -38508,7 +38508,7 @@ rule REVERSINGLABS_Cert_Blocklist_052242Ace583Adf2A3B96Adcb04D0812 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FAN-CHAI, TOV" and pe.signatures[i].serial=="05:22:42:ac:e5:83:ad:f2:a3:b9:6a:dc:b0:4d:08:12" and 1573603200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FAN-CHAI, TOV" and pe.signatures [ i ] . serial == "05:22:42:ac:e5:83:ad:f2:a3:b9:6a:dc:b0:4d:08:12" and 1573603200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38517,13 +38517,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bebef5C533Ce92Efc402Fab8605C43Ec : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "59d3dd01-47bc-59ee-8fe7-fd5b1af8f9f4" + id = "5622523b-f857-5b50-95ac-98f6b2fb67bf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4270-L4288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "daa57ad622799467c60693060e6c9eea18bdf0bb26f178e8b03453aab486ccf4" + logic_hash = "v1_sha256_daa57ad622799467c60693060e6c9eea18bdf0bb26f178e8b03453aab486ccf4" score = 75 quality = 90 tags = "INFO, FILE" @@ -38533,7 +38533,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bebef5C533Ce92Efc402Fab8605C43Ec : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO VEKTOR" and (pe.signatures[i].serial=="00:be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec" or pe.signatures[i].serial=="be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec") and 1587513600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO VEKTOR" and ( pe.signatures [ i ] . serial == "00:be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec" or pe.signatures [ i ] . serial == "be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec" ) and 1587513600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38542,13 +38542,13 @@ rule REVERSINGLABS_Cert_Blocklist_1D3F39F481Fe067F8A9289Bb49E05A04 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0c4b6efb-c793-5505-bcd6-f62266c984c6" + id = "7b414d16-5a8d-5261-830d-b7f960a62f36" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4290-L4306" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2fdf8b59d302d2ce81a1e9a5715138adc1ec45bd86871c4c2e46412407e329f9" + logic_hash = "v1_sha256_2fdf8b59d302d2ce81a1e9a5715138adc1ec45bd86871c4c2e46412407e329f9" score = 75 quality = 90 tags = "INFO, FILE" @@ -38558,7 +38558,7 @@ rule REVERSINGLABS_Cert_Blocklist_1D3F39F481Fe067F8A9289Bb49E05A04 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LOGIKA, OOO" and pe.signatures[i].serial=="1d:3f:39:f4:81:fe:06:7f:8a:92:89:bb:49:e0:5a:04" and 1592553220<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LOGIKA, OOO" and pe.signatures [ i ] . serial == "1d:3f:39:f4:81:fe:06:7f:8a:92:89:bb:49:e0:5a:04" and 1592553220 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38567,13 +38567,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Be35D025E65Cc7A4Ee01F72 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "533bcad1-b589-5a05-8f35-32fcb79c7f68" + id = "607807ef-57b2-5d52-81d3-17a599f93d07" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4308-L4324" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dad7ab834a67d36c0b63e45922aea566dc0aaf922be2b74161616b3caea83fdc" + logic_hash = "v1_sha256_dad7ab834a67d36c0b63e45922aea566dc0aaf922be2b74161616b3caea83fdc" score = 75 quality = 90 tags = "INFO, FILE" @@ -38583,7 +38583,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Be35D025E65Cc7A4Ee01F72 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Logika OOO" and pe.signatures[i].serial=="7b:e3:5d:02:5e:65:cc:7a:4e:e0:1f:72" and 1594976445<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Logika OOO" and pe.signatures [ i ] . serial == "7b:e3:5d:02:5e:65:cc:7a:4e:e0:1f:72" and 1594976445 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38592,13 +38592,13 @@ rule REVERSINGLABS_Cert_Blocklist_351Fe2Efdc0Ac56A0C822Cf8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ac6b7c6d-781b-5c91-80fe-b822ee00ea7f" + id = "db24fc4a-3524-5d62-a78b-f2bf377dd185" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4326-L4342" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "46b87c3531e01ba150f056ec3270564426363ef8c58256eeedbcab247c7625e4" + logic_hash = "v1_sha256_46b87c3531e01ba150f056ec3270564426363ef8c58256eeedbcab247c7625e4" score = 75 quality = 90 tags = "INFO, FILE" @@ -38608,7 +38608,7 @@ rule REVERSINGLABS_Cert_Blocklist_351Fe2Efdc0Ac56A0C822Cf8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Logika OOO" and pe.signatures[i].serial=="35:1f:e2:ef:dc:0a:c5:6a:0c:82:2c:f8" and 1594976475<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Logika OOO" and pe.signatures [ i ] . serial == "35:1f:e2:ef:dc:0a:c5:6a:0c:82:2c:f8" and 1594976475 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38617,13 +38617,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Cfbb4C69008821Aaacecde97Ee149Ab : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a8ba633b-fbbe-51ca-9f67-fb91ce9ac2f7" + id = "961033b2-afeb-5fe1-8885-070e08a72d2d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4344-L4362" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d74b13eeb5d0a57c5dd3257480230c504a68a8422e77a46bb2e101abb2c7f282" + logic_hash = "v1_sha256_d74b13eeb5d0a57c5dd3257480230c504a68a8422e77a46bb2e101abb2c7f282" score = 75 quality = 90 tags = "INFO, FILE" @@ -38633,7 +38633,7 @@ rule REVERSINGLABS_Cert_Blocklist_9Cfbb4C69008821Aaacecde97Ee149Ab : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kivaliz Prest s.r.l." and (pe.signatures[i].serial=="00:9c:fb:b4:c6:90:08:82:1a:aa:ce:cd:e9:7e:e1:49:ab" or pe.signatures[i].serial=="9c:fb:b4:c6:90:08:82:1a:aa:ce:cd:e9:7e:e1:49:ab") and 1592363914<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kivaliz Prest s.r.l." and ( pe.signatures [ i ] . serial == "00:9c:fb:b4:c6:90:08:82:1a:aa:ce:cd:e9:7e:e1:49:ab" or pe.signatures [ i ] . serial == "9c:fb:b4:c6:90:08:82:1a:aa:ce:cd:e9:7e:e1:49:ab" ) and 1592363914 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38642,13 +38642,13 @@ rule REVERSINGLABS_Cert_Blocklist_C04F5D17Af872Cb2C37E3367Fe761D0D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d7ef2bdf-afba-5254-bef2-78f4b6d5ecea" + id = "7486c321-fbcd-597e-a4dd-69db39976dce" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4364-L4382" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4a4d60aa3722a710fe23d5e11c55a28bfe721bb4e797b041d58f62a994487799" + logic_hash = "v1_sha256_4a4d60aa3722a710fe23d5e11c55a28bfe721bb4e797b041d58f62a994487799" score = 75 quality = 90 tags = "INFO, FILE" @@ -38658,7 +38658,7 @@ rule REVERSINGLABS_Cert_Blocklist_C04F5D17Af872Cb2C37E3367Fe761D0D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DES SP Z O O" and (pe.signatures[i].serial=="00:c0:4f:5d:17:af:87:2c:b2:c3:7e:33:67:fe:76:1d:0d" or pe.signatures[i].serial=="c0:4f:5d:17:af:87:2c:b2:c3:7e:33:67:fe:76:1d:0d") and 1594590024<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DES SP Z O O" and ( pe.signatures [ i ] . serial == "00:c0:4f:5d:17:af:87:2c:b2:c3:7e:33:67:fe:76:1d:0d" or pe.signatures [ i ] . serial == "c0:4f:5d:17:af:87:2c:b2:c3:7e:33:67:fe:76:1d:0d" ) and 1594590024 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38667,13 +38667,13 @@ rule REVERSINGLABS_Cert_Blocklist_02C5351936Abe405Ac760228A40387E8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6a1e5115-ac72-57a3-8418-7c81f38f76af" + id = "ddc0932b-e324-5c3e-bd07-f159f8c207cf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4384-L4400" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5a990f8d1a3f467cdafa0f625bc162745d9201e15ce43fdc93cd6b1730572e89" + logic_hash = "v1_sha256_5a990f8d1a3f467cdafa0f625bc162745d9201e15ce43fdc93cd6b1730572e89" score = 75 quality = 90 tags = "INFO, FILE" @@ -38683,7 +38683,7 @@ rule REVERSINGLABS_Cert_Blocklist_02C5351936Abe405Ac760228A40387E8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RESURS-RM OOO" and pe.signatures[i].serial=="02:c5:35:19:36:ab:e4:05:ac:76:02:28:a4:03:87:e8" and 1589932801<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RESURS-RM OOO" and pe.signatures [ i ] . serial == "02:c5:35:19:36:ab:e4:05:ac:76:02:28:a4:03:87:e8" and 1589932801 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38692,13 +38692,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Ecd829Adcc55D9D6Afe30Dc371Ebda6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "db9f022b-f650-5d40-ae84-4df92b0f3a96" + id = "8dde377c-5237-5f3d-b195-df746fbf6e8b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4402-L4420" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "02955f4df7deccab52cdd82fd04d5012db7440f85c87d750fa9f81ff85e2dab0" + logic_hash = "v1_sha256_02955f4df7deccab52cdd82fd04d5012db7440f85c87d750fa9f81ff85e2dab0" score = 75 quality = 90 tags = "INFO, FILE" @@ -38708,7 +38708,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Ecd829Adcc55D9D6Afe30Dc371Ebda6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Komp.IT" and (pe.signatures[i].serial=="00:1e:cd:82:9a:dc:c5:5d:9d:6a:fe:30:dc:37:1e:bd:a6" or pe.signatures[i].serial=="1e:cd:82:9a:dc:c5:5d:9d:6a:fe:30:dc:37:1e:bd:a6") and 1588723200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Komp.IT" and ( pe.signatures [ i ] . serial == "00:1e:cd:82:9a:dc:c5:5d:9d:6a:fe:30:dc:37:1e:bd:a6" or pe.signatures [ i ] . serial == "1e:cd:82:9a:dc:c5:5d:9d:6a:fe:30:dc:37:1e:bd:a6" ) and 1588723200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38717,13 +38717,13 @@ rule REVERSINGLABS_Cert_Blocklist_B0167124Ca59149E64D292Eb4B142014 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "384ce73e-3ad5-54d9-a140-cb242f9a91e6" + id = "76a1bbba-740c-5109-98ae-a10136f0e88f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4422-L4440" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "10d980d4a71dab4679376f5a6d6a6999e0b59af4f25587a7b8d1ef52a7808cc9" + logic_hash = "v1_sha256_10d980d4a71dab4679376f5a6d6a6999e0b59af4f25587a7b8d1ef52a7808cc9" score = 75 quality = 90 tags = "INFO, FILE" @@ -38733,7 +38733,7 @@ rule REVERSINGLABS_Cert_Blocklist_B0167124Ca59149E64D292Eb4B142014 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Euro May SP Z O O" and (pe.signatures[i].serial=="00:b0:16:71:24:ca:59:14:9e:64:d2:92:eb:4b:14:20:14" or pe.signatures[i].serial=="b0:16:71:24:ca:59:14:9e:64:d2:92:eb:4b:14:20:14") and 1585267200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Euro May SP Z O O" and ( pe.signatures [ i ] . serial == "00:b0:16:71:24:ca:59:14:9e:64:d2:92:eb:4b:14:20:14" or pe.signatures [ i ] . serial == "b0:16:71:24:ca:59:14:9e:64:d2:92:eb:4b:14:20:14" ) and 1585267200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38742,13 +38742,13 @@ rule REVERSINGLABS_Cert_Blocklist_112613B7B5F696Cf377680F6463Fcc8C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c0015521-b163-51ab-8c27-da3b1a8df084" + id = "af4bd5aa-75f5-5549-bcc8-af494c62fa7d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4442-L4458" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "50fd35617e059a5fe9d9e0fdb4b880c20e406357bbb2d037f9e6e9db47b8e49f" + logic_hash = "v1_sha256_50fd35617e059a5fe9d9e0fdb4b880c20e406357bbb2d037f9e6e9db47b8e49f" score = 75 quality = 90 tags = "INFO, FILE" @@ -38758,7 +38758,7 @@ rule REVERSINGLABS_Cert_Blocklist_112613B7B5F696Cf377680F6463Fcc8C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Infoware Cloud Limited" and pe.signatures[i].serial=="11:26:13:b7:b5:f6:96:cf:37:76:80:f6:46:3f:cc:8c" and 1566518400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Infoware Cloud Limited" and pe.signatures [ i ] . serial == "11:26:13:b7:b5:f6:96:cf:37:76:80:f6:46:3f:cc:8c" and 1566518400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38767,13 +38767,13 @@ rule REVERSINGLABS_Cert_Blocklist_B3F906E5E6B2Cf61C5E51Be79B4E8777 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dc826355-bd15-58b3-adcb-55b704f03c0d" + id = "4e585a68-e9fa-5d5f-a7d5-2b2740917940" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4460-L4478" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "037e154854c1128fb73d2221c2b7d7211d977492378614fcf4fde959207e34b3" + logic_hash = "v1_sha256_037e154854c1128fb73d2221c2b7d7211d977492378614fcf4fde959207e34b3" score = 75 quality = 90 tags = "INFO, FILE" @@ -38783,7 +38783,7 @@ rule REVERSINGLABS_Cert_Blocklist_B3F906E5E6B2Cf61C5E51Be79B4E8777 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Accelerate Technologies Ltd" and (pe.signatures[i].serial=="00:b3:f9:06:e5:e6:b2:cf:61:c5:e5:1b:e7:9b:4e:87:77" or pe.signatures[i].serial=="b3:f9:06:e5:e6:b2:cf:61:c5:e5:1b:e7:9b:4e:87:77") and 1594900020<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Accelerate Technologies Ltd" and ( pe.signatures [ i ] . serial == "00:b3:f9:06:e5:e6:b2:cf:61:c5:e5:1b:e7:9b:4e:87:77" or pe.signatures [ i ] . serial == "b3:f9:06:e5:e6:b2:cf:61:c5:e5:1b:e7:9b:4e:87:77" ) and 1594900020 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38792,13 +38792,13 @@ rule REVERSINGLABS_Cert_Blocklist_566Ac16A57B132D3F64Dced14De790Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cb2ebbd5-5036-52f6-a064-11609f02309f" + id = "c82cb6c1-0e5a-51c4-8d62-5743bfca578e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4480-L4496" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "48f4d334614f6c413907d51f4d6312554b13c4f5a3c03070ceba48baa13a8247" + logic_hash = "v1_sha256_48f4d334614f6c413907d51f4d6312554b13c4f5a3c03070ceba48baa13a8247" score = 75 quality = 90 tags = "INFO, FILE" @@ -38808,7 +38808,7 @@ rule REVERSINGLABS_Cert_Blocklist_566Ac16A57B132D3F64Dced14De790Ee : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Unirad LLC" and pe.signatures[i].serial=="56:6a:c1:6a:57:b1:32:d3:f6:4d:ce:d1:4d:e7:90:ee" and 1562889600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Unirad LLC" and pe.signatures [ i ] . serial == "56:6a:c1:6a:57:b1:32:d3:f6:4d:ce:d1:4d:e7:90:ee" and 1562889600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38817,13 +38817,13 @@ rule REVERSINGLABS_Cert_Blocklist_D2Caf7908Aaebfa1A8F3E2136Fece024 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6c2c4fc6-5359-55fa-bf79-9202caa5f326" + id = "fb132f40-2061-5856-97ad-e0745d0c48ff" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4498-L4516" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cf4d17274ef36d61e78578d34634bf6e5fb0fb857a9a92184916b0f3b8484568" + logic_hash = "v1_sha256_cf4d17274ef36d61e78578d34634bf6e5fb0fb857a9a92184916b0f3b8484568" score = 75 quality = 90 tags = "INFO, FILE" @@ -38833,7 +38833,7 @@ rule REVERSINGLABS_Cert_Blocklist_D2Caf7908Aaebfa1A8F3E2136Fece024 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FANATOR, OOO" and (pe.signatures[i].serial=="00:d2:ca:f7:90:8a:ae:bf:a1:a8:f3:e2:13:6f:ec:e0:24" or pe.signatures[i].serial=="d2:ca:f7:90:8a:ae:bf:a1:a8:f3:e2:13:6f:ec:e0:24") and 1599041760<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FANATOR, OOO" and ( pe.signatures [ i ] . serial == "00:d2:ca:f7:90:8a:ae:bf:a1:a8:f3:e2:13:6f:ec:e0:24" or pe.signatures [ i ] . serial == "d2:ca:f7:90:8a:ae:bf:a1:a8:f3:e2:13:6f:ec:e0:24" ) and 1599041760 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38842,13 +38842,13 @@ rule REVERSINGLABS_Cert_Blocklist_E04A344B397F752A45B128A594A3D6B5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b396e08c-b7dc-5498-9c68-2d8cdc5dd3d3" + id = "7303068a-202f-522e-8d79-8204455d171b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4518-L4536" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0489577c6050f0c5d1dad5bda8c4f3c895902b932cd0324087712ccb83f14680" + logic_hash = "v1_sha256_0489577c6050f0c5d1dad5bda8c4f3c895902b932cd0324087712ccb83f14680" score = 75 quality = 90 tags = "INFO, FILE" @@ -38858,7 +38858,7 @@ rule REVERSINGLABS_Cert_Blocklist_E04A344B397F752A45B128A594A3D6B5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Highweb Ireland Operations Limited" and (pe.signatures[i].serial=="00:e0:4a:34:4b:39:7f:75:2a:45:b1:28:a5:94:a3:d6:b5" or pe.signatures[i].serial=="e0:4a:34:4b:39:7f:75:2a:45:b1:28:a5:94:a3:d6:b5") and 1597708800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Highweb Ireland Operations Limited" and ( pe.signatures [ i ] . serial == "00:e0:4a:34:4b:39:7f:75:2a:45:b1:28:a5:94:a3:d6:b5" or pe.signatures [ i ] . serial == "e0:4a:34:4b:39:7f:75:2a:45:b1:28:a5:94:a3:d6:b5" ) and 1597708800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38867,13 +38867,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Bcaed3Ef678F2F9Bf38D09E149B8D70 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0aea5110-569b-5d9c-a2ce-a6a9fe75b58e" + id = "d7873219-f50e-55be-a5b1-87fd9c1d8cc1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4538-L4554" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dbf85cbd1d92823287749dac312f95576900753f60a694347b31b1e3aaa288a8" + logic_hash = "v1_sha256_dbf85cbd1d92823287749dac312f95576900753f60a694347b31b1e3aaa288a8" score = 75 quality = 90 tags = "INFO, FILE" @@ -38883,7 +38883,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Bcaed3Ef678F2F9Bf38D09E149B8D70 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "StarY Media Inc." and pe.signatures[i].serial=="3b:ca:ed:3e:f6:78:f2:f9:bf:38:d0:9e:14:9b:8d:70" and 1599091200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "StarY Media Inc." and pe.signatures [ i ] . serial == "3b:ca:ed:3e:f6:78:f2:f9:bf:38:d0:9e:14:9b:8d:70" and 1599091200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38892,13 +38892,13 @@ rule REVERSINGLABS_Cert_Blocklist_56D576A062491Ea0A5877Ced418203A1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3db67353-6310-54ad-b46a-97daf63fee42" + id = "5d2a7120-f1c5-5700-981e-d6ad672f7385" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4556-L4572" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "19bd6834b432f3dc8786b449241082b359275559a112a8ef4a51efe185b256dc" + logic_hash = "v1_sha256_19bd6834b432f3dc8786b449241082b359275559a112a8ef4a51efe185b256dc" score = 75 quality = 90 tags = "INFO, FILE" @@ -38908,7 +38908,7 @@ rule REVERSINGLABS_Cert_Blocklist_56D576A062491Ea0A5877Ced418203A1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Silvo LLC" and pe.signatures[i].serial=="56:d5:76:a0:62:49:1e:a0:a5:87:7c:ed:41:82:03:a1" and 1596249885<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Silvo LLC" and pe.signatures [ i ] . serial == "56:d5:76:a0:62:49:1e:a0:a5:87:7c:ed:41:82:03:a1" and 1596249885 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38917,13 +38917,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fcba260Df7Da602Ecf4D4D6Fc89D5Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ce248602-1f28-5707-b921-640271176e7f" + id = "d9aeca7a-9834-5553-91d6-c0e63e2a9b9e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4574-L4590" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4e9a3e516342820248ebf9b3605b8ce2dbf1d9b4255a5b74f7369dd2f1cdd9d8" + logic_hash = "v1_sha256_4e9a3e516342820248ebf9b3605b8ce2dbf1d9b4255a5b74f7369dd2f1cdd9d8" score = 75 quality = 90 tags = "INFO, FILE" @@ -38933,7 +38933,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Fcba260Df7Da602Ecf4D4D6Fc89D5Dd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Gold Stroy SP Z O O" and pe.signatures[i].serial=="0f:cb:a2:60:df:7d:a6:02:ec:f4:d4:d6:fc:89:d5:dd" and 1593388801<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Gold Stroy SP Z O O" and pe.signatures [ i ] . serial == "0f:cb:a2:60:df:7d:a6:02:ec:f4:d4:d6:fc:89:d5:dd" and 1593388801 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38942,13 +38942,13 @@ rule REVERSINGLABS_Cert_Blocklist_4152169F22454Ed604D03555B7Afb175 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e8975a1a-ac7c-5016-a206-de9ca7eea37f" + id = "772ba395-c5b3-5744-97a9-baf73d46c1df" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4592-L4608" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fbb2124b934c270739f564317526d5b23b996364372426485d7c994a83293866" + logic_hash = "v1_sha256_fbb2124b934c270739f564317526d5b23b996364372426485d7c994a83293866" score = 75 quality = 90 tags = "INFO, FILE" @@ -38958,7 +38958,7 @@ rule REVERSINGLABS_Cert_Blocklist_4152169F22454Ed604D03555B7Afb175 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SMACKTECH SOFTWARE LIMITED" and pe.signatures[i].serial=="41:52:16:9f:22:45:4e:d6:04:d0:35:55:b7:af:b1:75" and 1595808000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SMACKTECH SOFTWARE LIMITED" and pe.signatures [ i ] . serial == "41:52:16:9f:22:45:4e:d6:04:d0:35:55:b7:af:b1:75" and 1595808000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38967,13 +38967,13 @@ rule REVERSINGLABS_Cert_Blocklist_01C88Ccbd219500139D1Af138A9E898E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e3bd6be6-461c-56fd-8dfd-8205845f731e" + id = "cfb21b7f-c6cf-5db2-8f38-1d25349fd282" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4610-L4626" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d1acb0a7d6e20158797e77c066be42548cee9293fa94f24f936a95977ac16d91" + logic_hash = "v1_sha256_d1acb0a7d6e20158797e77c066be42548cee9293fa94f24f936a95977ac16d91" score = 75 quality = 90 tags = "INFO, FILE" @@ -38983,7 +38983,7 @@ rule REVERSINGLABS_Cert_Blocklist_01C88Ccbd219500139D1Af138A9E898E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Raymond Yanagita" and pe.signatures[i].serial=="01:c8:8c:cb:d2:19:50:01:39:d1:af:13:8a:9e:89:8e" and 1593041280<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Raymond Yanagita" and pe.signatures [ i ] . serial == "01:c8:8c:cb:d2:19:50:01:39:d1:af:13:8a:9e:89:8e" and 1593041280 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -38992,13 +38992,13 @@ rule REVERSINGLABS_Cert_Blocklist_41D05676E0D31908Be4Dead3486Aeae3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bca4533d-e721-5f23-984a-3b741ca8b53f" + id = "2118e870-a77c-5fc7-9acb-d1a76379f16d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4628-L4644" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c4905f02c74df6d05b3f9a6fe2c4f5f32a02bb10da4db929314be043be76d703" + logic_hash = "v1_sha256_c4905f02c74df6d05b3f9a6fe2c4f5f32a02bb10da4db929314be043be76d703" score = 75 quality = 90 tags = "INFO, FILE" @@ -39008,7 +39008,7 @@ rule REVERSINGLABS_Cert_Blocklist_41D05676E0D31908Be4Dead3486Aeae3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rov SP Z O O" and pe.signatures[i].serial=="41:d0:56:76:e0:d3:19:08:be:4d:ea:d3:48:6a:ea:e3" and 1594857600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rov SP Z O O" and pe.signatures [ i ] . serial == "41:d0:56:76:e0:d3:19:08:be:4d:ea:d3:48:6a:ea:e3" and 1594857600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39017,13 +39017,13 @@ rule REVERSINGLABS_Cert_Blocklist_8Cff807Edaf368A60E4106906D8Df319 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c964a540-6124-52f0-b17f-692cd4b9b3af" + id = "58612562-39c3-5e83-9d77-10622049eb6c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4646-L4664" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6fc98519faf218d90bb4e01821e6014e009c0b525cfd3c906a64ef82bc20beda" + logic_hash = "v1_sha256_6fc98519faf218d90bb4e01821e6014e009c0b525cfd3c906a64ef82bc20beda" score = 75 quality = 90 tags = "INFO, FILE" @@ -39033,7 +39033,7 @@ rule REVERSINGLABS_Cert_Blocklist_8Cff807Edaf368A60E4106906D8Df319 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "KRAFT BOKS OOO" and (pe.signatures[i].serial=="00:8c:ff:80:7e:da:f3:68:a6:0e:41:06:90:6d:8d:f3:19" or pe.signatures[i].serial=="8c:ff:80:7e:da:f3:68:a6:0e:41:06:90:6d:8d:f3:19") and 1598334455<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "KRAFT BOKS OOO" and ( pe.signatures [ i ] . serial == "00:8c:ff:80:7e:da:f3:68:a6:0e:41:06:90:6d:8d:f3:19" or pe.signatures [ i ] . serial == "8c:ff:80:7e:da:f3:68:a6:0e:41:06:90:6d:8d:f3:19" ) and 1598334455 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39042,13 +39042,13 @@ rule REVERSINGLABS_Cert_Blocklist_A3E62Be1572293Ad618F58A8Aa32857F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2f67abf3-390a-5c67-afed-e586e20692af" + id = "52f393d6-2980-5b99-b788-10c185e6e135" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4666-L4684" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f849898465bc651f19f6f1b54315c061466d8c5860ecf1a07f54c8c8292f6a95" + logic_hash = "v1_sha256_f849898465bc651f19f6f1b54315c061466d8c5860ecf1a07f54c8c8292f6a95" score = 75 quality = 90 tags = "INFO, FILE" @@ -39058,7 +39058,7 @@ rule REVERSINGLABS_Cert_Blocklist_A3E62Be1572293Ad618F58A8Aa32857F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ISIDA, TOV" and (pe.signatures[i].serial=="00:a3:e6:2b:e1:57:22:93:ad:61:8f:58:a8:aa:32:85:7f" or pe.signatures[i].serial=="a3:e6:2b:e1:57:22:93:ad:61:8f:58:a8:aa:32:85:7f") and 1596585600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ISIDA, TOV" and ( pe.signatures [ i ] . serial == "00:a3:e6:2b:e1:57:22:93:ad:61:8f:58:a8:aa:32:85:7f" or pe.signatures [ i ] . serial == "a3:e6:2b:e1:57:22:93:ad:61:8f:58:a8:aa:32:85:7f" ) and 1596585600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39067,13 +39067,13 @@ rule REVERSINGLABS_Cert_Blocklist_672D4428450Afcc24Fc60969A5063A3E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fcd8e808-dbd6-5903-868a-0aa4541e6321" + id = "ac0efb69-27cb-5857-b114-9abf2343b1a8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4686-L4702" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8f5927e96109184bad7de4513994fd1021fe1cc5977e60fa72d808df95cb4516" + logic_hash = "v1_sha256_8f5927e96109184bad7de4513994fd1021fe1cc5977e60fa72d808df95cb4516" score = 75 quality = 90 tags = "INFO, FILE" @@ -39083,7 +39083,7 @@ rule REVERSINGLABS_Cert_Blocklist_672D4428450Afcc24Fc60969A5063A3E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MEP, OOO" and pe.signatures[i].serial=="67:2d:44:28:45:0a:fc:c2:4f:c6:09:69:a5:06:3a:3e" and 1597381260<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MEP, OOO" and pe.signatures [ i ] . serial == "67:2d:44:28:45:0a:fc:c2:4f:c6:09:69:a5:06:3a:3e" and 1597381260 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39092,13 +39092,13 @@ rule REVERSINGLABS_Cert_Blocklist_Df479E14A70C7970A4De3Dd3E4Bb0318 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "465fc41c-920d-55e6-8616-a51d1f77b158" + id = "19f54736-9c4b-5ef0-bbdd-90f6091460b8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4704-L4722" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "35b1f04cf5d5d1d89db537bf75737e3af5945e594f4d4231e9ae3e7fba52fc0d" + logic_hash = "v1_sha256_35b1f04cf5d5d1d89db537bf75737e3af5945e594f4d4231e9ae3e7fba52fc0d" score = 75 quality = 90 tags = "INFO, FILE" @@ -39108,7 +39108,7 @@ rule REVERSINGLABS_Cert_Blocklist_Df479E14A70C7970A4De3Dd3E4Bb0318 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SOFTWARE HUB IT LTD" and (pe.signatures[i].serial=="00:df:47:9e:14:a7:0c:79:70:a4:de:3d:d3:e4:bb:03:18" or pe.signatures[i].serial=="df:47:9e:14:a7:0c:79:70:a4:de:3d:d3:e4:bb:03:18") and 1591660800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SOFTWARE HUB IT LTD" and ( pe.signatures [ i ] . serial == "00:df:47:9e:14:a7:0c:79:70:a4:de:3d:d3:e4:bb:03:18" or pe.signatures [ i ] . serial == "df:47:9e:14:a7:0c:79:70:a4:de:3d:d3:e4:bb:03:18" ) and 1591660800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39117,13 +39117,13 @@ rule REVERSINGLABS_Cert_Blocklist_2924785Fd7990B2D510675176Dae2Bed : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6898e95c-ee31-57a3-b764-99bf9008d0fe" + id = "f29bd774-edd2-5ab5-a158-3a3e7894530a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4724-L4740" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e308ca5f24ed5811e947289caf9aa820a16b08ea183c7aa9826f8a726fb5c3cf" + logic_hash = "v1_sha256_e308ca5f24ed5811e947289caf9aa820a16b08ea183c7aa9826f8a726fb5c3cf" score = 75 quality = 90 tags = "INFO, FILE" @@ -39133,7 +39133,7 @@ rule REVERSINGLABS_Cert_Blocklist_2924785Fd7990B2D510675176Dae2Bed : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Neoopt LLC" and pe.signatures[i].serial=="29:24:78:5f:d7:99:0b:2d:51:06:75:17:6d:ae:2b:ed" and 1595000258<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Neoopt LLC" and pe.signatures [ i ] . serial == "29:24:78:5f:d7:99:0b:2d:51:06:75:17:6d:ae:2b:ed" and 1595000258 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39142,13 +39142,13 @@ rule REVERSINGLABS_Cert_Blocklist_F4D2Def53Bccb0Dd2B7D54E4853A2Fc5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3c1bec34-9eac-5c7c-bb36-2e24b6ee52dc" + id = "6f45e4d0-d986-5f01-b2ff-21ba6dbcc3d2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4742-L4760" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9991f44b8e984bd79269c44999481258d94bec9c21b154b63c6c30ae52344b3c" + logic_hash = "v1_sha256_9991f44b8e984bd79269c44999481258d94bec9c21b154b63c6c30ae52344b3c" score = 75 quality = 90 tags = "INFO, FILE" @@ -39158,7 +39158,7 @@ rule REVERSINGLABS_Cert_Blocklist_F4D2Def53Bccb0Dd2B7D54E4853A2Fc5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PETROYL GROUP, TOV" and (pe.signatures[i].serial=="00:f4:d2:de:f5:3b:cc:b0:dd:2b:7d:54:e4:85:3a:2f:c5" or pe.signatures[i].serial=="f4:d2:de:f5:3b:cc:b0:dd:2b:7d:54:e4:85:3a:2f:c5") and 1598347687<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PETROYL GROUP, TOV" and ( pe.signatures [ i ] . serial == "00:f4:d2:de:f5:3b:cc:b0:dd:2b:7d:54:e4:85:3a:2f:c5" or pe.signatures [ i ] . serial == "f4:d2:de:f5:3b:cc:b0:dd:2b:7d:54:e4:85:3a:2f:c5" ) and 1598347687 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39167,13 +39167,13 @@ rule REVERSINGLABS_Cert_Blocklist_03Bf9Ef4Cf037A2385649026C3Da9D3E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d7396af1-2eae-594a-9933-3d148503c0ea" + id = "dcb7b9cb-c66d-5a83-aa37-857601ca0f10" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4762-L4778" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "14196bad586b1349e6e8a1eb5621ce0d8d346ff8021c8ef80804de1533fd40d9" + logic_hash = "v1_sha256_14196bad586b1349e6e8a1eb5621ce0d8d346ff8021c8ef80804de1533fd40d9" score = 75 quality = 90 tags = "INFO, FILE" @@ -39183,7 +39183,7 @@ rule REVERSINGLABS_Cert_Blocklist_03Bf9Ef4Cf037A2385649026C3Da9D3E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "COLLECTIVE SOFTWARE INC." and pe.signatures[i].serial=="03:bf:9e:f4:cf:03:7a:23:85:64:90:26:c3:da:9d:3e" and 1595371955<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "COLLECTIVE SOFTWARE INC." and pe.signatures [ i ] . serial == "03:bf:9e:f4:cf:03:7a:23:85:64:90:26:c3:da:9d:3e" and 1595371955 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39192,13 +39192,13 @@ rule REVERSINGLABS_Cert_Blocklist_790177A54209D55560A55Db97C5900D6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cc49f477-269a-55af-8344-39d2f24c1e7f" + id = "ed9d5c65-db03-55a6-bebd-1b00eafa42c8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4780-L4796" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "07c8e21fe604b481beebae784eb49e32bebee70e749581a55313bfbc757752e2" + logic_hash = "v1_sha256_07c8e21fe604b481beebae784eb49e32bebee70e749581a55313bfbc757752e2" score = 75 quality = 90 tags = "INFO, FILE" @@ -39208,7 +39208,7 @@ rule REVERSINGLABS_Cert_Blocklist_790177A54209D55560A55Db97C5900D6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MAK GmbH" and pe.signatures[i].serial=="79:01:77:a5:42:09:d5:55:60:a5:5d:b9:7c:59:00:d6" and 1594080000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MAK GmbH" and pe.signatures [ i ] . serial == "79:01:77:a5:42:09:d5:55:60:a5:5d:b9:7c:59:00:d6" and 1594080000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39217,13 +39217,13 @@ rule REVERSINGLABS_Cert_Blocklist_048F7B5F67D8E2B3030F75Eb7Be2713D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e746516a-c51f-5cb8-8157-a5fe1f2c7abe" + id = "ea29c2b9-8c88-588b-8105-446031c9389d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4798-L4814" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6d1b47f3c9d7b90a5470f83a848adeebff2cf9341a1eb41ca8b45d08b469b17f" + logic_hash = "v1_sha256_6d1b47f3c9d7b90a5470f83a848adeebff2cf9341a1eb41ca8b45d08b469b17f" score = 75 quality = 90 tags = "INFO, FILE" @@ -39233,7 +39233,7 @@ rule REVERSINGLABS_Cert_Blocklist_048F7B5F67D8E2B3030F75Eb7Be2713D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RITEIL SERVIS, OOO" and pe.signatures[i].serial=="04:8f:7b:5f:67:d8:e2:b3:03:0f:75:eb:7b:e2:71:3d" and 1591142400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RITEIL SERVIS, OOO" and pe.signatures [ i ] . serial == "04:8f:7b:5f:67:d8:e2:b3:03:0f:75:eb:7b:e2:71:3d" and 1591142400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39242,13 +39242,13 @@ rule REVERSINGLABS_Cert_Blocklist_082023879112289Bf351D297Cc8Efcfc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "94a4e3d6-2d0a-5e5d-9ae8-574ef9be017e" + id = "01554ff6-0f1c-5e97-b707-8a7124f698b8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4816-L4832" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "58bec160445765ce45a26bf9d96ba6cfe61eee31e0953009d40a7ec64920c677" + logic_hash = "v1_sha256_58bec160445765ce45a26bf9d96ba6cfe61eee31e0953009d40a7ec64920c677" score = 75 quality = 90 tags = "INFO, FILE" @@ -39258,7 +39258,7 @@ rule REVERSINGLABS_Cert_Blocklist_082023879112289Bf351D297Cc8Efcfc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "STA-R TOV" and pe.signatures[i].serial=="08:20:23:87:91:12:28:9b:f3:51:d2:97:cc:8e:fc:fc" and 1573430400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "STA-R TOV" and pe.signatures [ i ] . serial == "08:20:23:87:91:12:28:9b:f3:51:d2:97:cc:8e:fc:fc" and 1573430400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39267,13 +39267,13 @@ rule REVERSINGLABS_Cert_Blocklist_0D53690631Dd186C56Be9026Eb931Ae2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4f60613c-4162-5b3d-989f-f79a06450f4d" + id = "6c909943-5384-5782-baa1-76affce18202" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4834-L4850" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3d0a80c062800f935fa3837755e8a91245e01a4e2450a05fecab5564cb62c15c" + logic_hash = "v1_sha256_3d0a80c062800f935fa3837755e8a91245e01a4e2450a05fecab5564cb62c15c" score = 75 quality = 90 tags = "INFO, FILE" @@ -39283,7 +39283,7 @@ rule REVERSINGLABS_Cert_Blocklist_0D53690631Dd186C56Be9026Eb931Ae2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "STA-R TOV" and pe.signatures[i].serial=="0d:53:69:06:31:dd:18:6c:56:be:90:26:eb:93:1a:e2" and 1592190240<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "STA-R TOV" and pe.signatures [ i ] . serial == "0d:53:69:06:31:dd:18:6c:56:be:90:26:eb:93:1a:e2" and 1592190240 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39292,13 +39292,13 @@ rule REVERSINGLABS_Cert_Blocklist_32119925A6Ce4710Aecc4006C28E749F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cfd51cb8-bd04-5ede-a73e-e924815a01f0" + id = "72c416c8-99f9-51a0-aa6c-2b8e51c478e0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4852-L4868" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ca812cdfbb7ca984fae1e16159eb0eeb1e65767fcc6aa07eeb84966853146f9d" + logic_hash = "v1_sha256_ca812cdfbb7ca984fae1e16159eb0eeb1e65767fcc6aa07eeb84966853146f9d" score = 75 quality = 90 tags = "INFO, FILE" @@ -39308,7 +39308,7 @@ rule REVERSINGLABS_Cert_Blocklist_32119925A6Ce4710Aecc4006C28E749F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Maxiol" and pe.signatures[i].serial=="32:11:99:25:a6:ce:47:10:ae:cc:40:06:c2:8e:74:9f" and 1592438400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Maxiol" and pe.signatures [ i ] . serial == "32:11:99:25:a6:ce:47:10:ae:cc:40:06:c2:8e:74:9f" and 1592438400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39317,13 +39317,13 @@ rule REVERSINGLABS_Cert_Blocklist_2C90Eaf4De3Afc03Ba924C719435C2A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "06edc1a3-65b1-5a69-ab6b-4ffc3963513c" + id = "a9972b24-0e02-5a5a-a729-2d285bdf6ed9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4870-L4888" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5bb78a5e39f9d023cf63edabdc83d4965fc79f6f04f9fea9bcf2a53223fbd4ca" + logic_hash = "v1_sha256_5bb78a5e39f9d023cf63edabdc83d4965fc79f6f04f9fea9bcf2a53223fbd4ca" score = 75 quality = 90 tags = "INFO, FILE" @@ -39333,7 +39333,7 @@ rule REVERSINGLABS_Cert_Blocklist_2C90Eaf4De3Afc03Ba924C719435C2A3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AntiFIX s.r.o." and (pe.signatures[i].serial=="00:2c:90:ea:f4:de:3a:fc:03:ba:92:4c:71:94:35:c2:a3" or pe.signatures[i].serial=="2c:90:ea:f4:de:3a:fc:03:ba:92:4c:71:94:35:c2:a3") and 1586293430<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AntiFIX s.r.o." and ( pe.signatures [ i ] . serial == "00:2c:90:ea:f4:de:3a:fc:03:ba:92:4c:71:94:35:c2:a3" or pe.signatures [ i ] . serial == "2c:90:ea:f4:de:3a:fc:03:ba:92:4c:71:94:35:c2:a3" ) and 1586293430 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39342,13 +39342,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aff762E907F0644E76Ed8A7485Fb12A1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3b3bbbdd-9c2d-5c80-a121-3e3ad13e9ac6" + id = "e1d0cb25-f7d4-5995-b11f-3c397ddb9589" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4890-L4908" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ad05389e0eb30cb894b03842d213b8c956f66357a913c73d8d8b79f8336bf980" + logic_hash = "v1_sha256_ad05389e0eb30cb894b03842d213b8c956f66357a913c73d8d8b79f8336bf980" score = 75 quality = 90 tags = "INFO, FILE" @@ -39358,7 +39358,7 @@ rule REVERSINGLABS_Cert_Blocklist_Aff762E907F0644E76Ed8A7485Fb12A1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Lets Start SP Z O O" and (pe.signatures[i].serial=="00:af:f7:62:e9:07:f0:64:4e:76:ed:8a:74:85:fb:12:a1" or pe.signatures[i].serial=="af:f7:62:e9:07:f0:64:4e:76:ed:8a:74:85:fb:12:a1") and 1594882330<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Lets Start SP Z O O" and ( pe.signatures [ i ] . serial == "00:af:f7:62:e9:07:f0:64:4e:76:ed:8a:74:85:fb:12:a1" or pe.signatures [ i ] . serial == "af:f7:62:e9:07:f0:64:4e:76:ed:8a:74:85:fb:12:a1" ) and 1594882330 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39367,13 +39367,13 @@ rule REVERSINGLABS_Cert_Blocklist_D8530214Ca0F512946496B5164C61201 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0125a67a-d5e7-5c93-a58c-cacb6d8fa60b" + id = "082a3ba4-8e82-5463-8322-4809854047f2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4910-L4928" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "377962915586c9f5a5737c24b698c96efc2e819e52ee16109c405f9af2d57e7f" + logic_hash = "v1_sha256_377962915586c9f5a5737c24b698c96efc2e819e52ee16109c405f9af2d57e7f" score = 75 quality = 90 tags = "INFO, FILE" @@ -39383,7 +39383,7 @@ rule REVERSINGLABS_Cert_Blocklist_D8530214Ca0F512946496B5164C61201 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DJ ONLINE MARKETING LIMITED" and (pe.signatures[i].serial=="00:d8:53:02:14:ca:0f:51:29:46:49:6b:51:64:c6:12:01" or pe.signatures[i].serial=="d8:53:02:14:ca:0f:51:29:46:49:6b:51:64:c6:12:01") and 1595485920<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DJ ONLINE MARKETING LIMITED" and ( pe.signatures [ i ] . serial == "00:d8:53:02:14:ca:0f:51:29:46:49:6b:51:64:c6:12:01" or pe.signatures [ i ] . serial == "d8:53:02:14:ca:0f:51:29:46:49:6b:51:64:c6:12:01" ) and 1595485920 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39392,13 +39392,13 @@ rule REVERSINGLABS_Cert_Blocklist_661Ba8F3C9D1B348413484E9A49502F7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a0c501c9-a856-55b6-b845-aeab4db5ab51" + id = "260d2578-6792-5d10-ae4b-2cea417ab65d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4930-L4948" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4840b311c1e2c0ae14bb2cf6fa8d96ab1a434ceac861db540697f3aed1a6833f" + logic_hash = "v1_sha256_4840b311c1e2c0ae14bb2cf6fa8d96ab1a434ceac861db540697f3aed1a6833f" score = 75 quality = 90 tags = "INFO, FILE" @@ -39408,7 +39408,7 @@ rule REVERSINGLABS_Cert_Blocklist_661Ba8F3C9D1B348413484E9A49502F7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Unique Digital Services Ltd." and (pe.signatures[i].serial=="00:66:1b:a8:f3:c9:d1:b3:48:41:34:84:e9:a4:95:02:f7" or pe.signatures[i].serial=="66:1b:a8:f3:c9:d1:b3:48:41:34:84:e9:a4:95:02:f7") and 1594942800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Unique Digital Services Ltd." and ( pe.signatures [ i ] . serial == "00:66:1b:a8:f3:c9:d1:b3:48:41:34:84:e9:a4:95:02:f7" or pe.signatures [ i ] . serial == "66:1b:a8:f3:c9:d1:b3:48:41:34:84:e9:a4:95:02:f7" ) and 1594942800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39417,13 +39417,13 @@ rule REVERSINGLABS_Cert_Blocklist_51Aead5A9Ab2D841B449Fa82De3A8A00 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c4909945-f2f1-53b2-b438-edf411fda7ed" + id = "394a7fee-ff73-5c8b-be4e-12e857376fe3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4950-L4966" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e53095aab9d6c2745125e8cd933334ebc2e51a9725714d31a46baa74b8e42ed9" + logic_hash = "v1_sha256_e53095aab9d6c2745125e8cd933334ebc2e51a9725714d31a46baa74b8e42ed9" score = 75 quality = 90 tags = "INFO, FILE" @@ -39433,7 +39433,7 @@ rule REVERSINGLABS_Cert_Blocklist_51Aead5A9Ab2D841B449Fa82De3A8A00 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Corsair Software Solution Inc." and pe.signatures[i].serial=="51:ae:ad:5a:9a:b2:d8:41:b4:49:fa:82:de:3a:8a:00" and 1501577475<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Corsair Software Solution Inc." and pe.signatures [ i ] . serial == "51:ae:ad:5a:9a:b2:d8:41:b4:49:fa:82:de:3a:8a:00" and 1501577475 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39442,13 +39442,13 @@ rule REVERSINGLABS_Cert_Blocklist_03B630F9645531F8868Dae8Ac0F8Cfe6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "be945687-9b8c-5d84-9992-fd317eddae54" + id = "bc1540b2-9af0-57fa-b148-8f1d0813ad52" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4968-L4984" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6d2f4346760bf52a438c4c996e92a2641bebfd536248776383d7c8394e094e6a" + logic_hash = "v1_sha256_6d2f4346760bf52a438c4c996e92a2641bebfd536248776383d7c8394e094e6a" score = 75 quality = 90 tags = "INFO, FILE" @@ -39458,7 +39458,7 @@ rule REVERSINGLABS_Cert_Blocklist_03B630F9645531F8868Dae8Ac0F8Cfe6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Geksan LLC" and pe.signatures[i].serial=="03:b6:30:f9:64:55:31:f8:86:8d:ae:8a:c0:f8:cf:e6" and 1594252801<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Geksan LLC" and pe.signatures [ i ] . serial == "03:b6:30:f9:64:55:31:f8:86:8d:ae:8a:c0:f8:cf:e6" and 1594252801 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39467,13 +39467,13 @@ rule REVERSINGLABS_Cert_Blocklist_6F8373Cf89F1B49138F4328118487F9E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "80c5d205-7f5e-5e06-b490-f33205154974" + id = "af7f1735-37f8-5780-9593-0380744a40b9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4986-L5002" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f926c2f73d47d463721a0cad48d9866192df55d71867941a40cba7e0b7725102" + logic_hash = "v1_sha256_f926c2f73d47d463721a0cad48d9866192df55d71867941a40cba7e0b7725102" score = 75 quality = 90 tags = "INFO, FILE" @@ -39483,7 +39483,7 @@ rule REVERSINGLABS_Cert_Blocklist_6F8373Cf89F1B49138F4328118487F9E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "30 PTY LTD" and pe.signatures[i].serial=="6f:83:73:cf:89:f1:b4:91:38:f4:32:81:18:48:7f:9e" and 1572566400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "30 PTY LTD" and pe.signatures [ i ] . serial == "6f:83:73:cf:89:f1:b4:91:38:f4:32:81:18:48:7f:9e" and 1572566400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39492,13 +39492,13 @@ rule REVERSINGLABS_Cert_Blocklist_E38259Cf24Cc702Ce441B683Ad578911 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fc5df86f-b8c9-58b1-bd41-e03ed50829dd" + id = "81e206c2-db07-55aa-8d39-546d2115636e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5004-L5022" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2428df14a18f4aed1a3db85c1fb43a847fae8a922c6dc948f3bc514dc4cae09c" + logic_hash = "v1_sha256_2428df14a18f4aed1a3db85c1fb43a847fae8a922c6dc948f3bc514dc4cae09c" score = 75 quality = 90 tags = "INFO, FILE" @@ -39508,7 +39508,7 @@ rule REVERSINGLABS_Cert_Blocklist_E38259Cf24Cc702Ce441B683Ad578911 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Akhirah Technologies Inc." and (pe.signatures[i].serial=="00:e3:82:59:cf:24:cc:70:2c:e4:41:b6:83:ad:57:89:11" or pe.signatures[i].serial=="e3:82:59:cf:24:cc:70:2c:e4:41:b6:83:ad:57:89:11") and 1597276800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Akhirah Technologies Inc." and ( pe.signatures [ i ] . serial == "00:e3:82:59:cf:24:cc:70:2c:e4:41:b6:83:ad:57:89:11" or pe.signatures [ i ] . serial == "e3:82:59:cf:24:cc:70:2c:e4:41:b6:83:ad:57:89:11" ) and 1597276800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39517,13 +39517,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bdc81Bc76090Dae0Eee2E1Eb744A4F9A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "66feefd2-9cec-56fc-a1c1-11004363462d" + id = "aee6afc4-0984-5c5c-b62f-9ad6c7b34cb4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5024-L5042" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4fc3e57bedb6fb7c96e6a1ee2ad2aec3860716ac714d52ea58b86be4bbda4660" + logic_hash = "v1_sha256_4fc3e57bedb6fb7c96e6a1ee2ad2aec3860716ac714d52ea58b86be4bbda4660" score = 75 quality = 90 tags = "INFO, FILE" @@ -39533,7 +39533,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bdc81Bc76090Dae0Eee2E1Eb744A4F9A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ALM4U GmbH" and (pe.signatures[i].serial=="00:bd:c8:1b:c7:60:90:da:e0:ee:e2:e1:eb:74:4a:4f:9a" or pe.signatures[i].serial=="bd:c8:1b:c7:60:90:da:e0:ee:e2:e1:eb:74:4a:4f:9a") and 1579824000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ALM4U GmbH" and ( pe.signatures [ i ] . serial == "00:bd:c8:1b:c7:60:90:da:e0:ee:e2:e1:eb:74:4a:4f:9a" or pe.signatures [ i ] . serial == "bd:c8:1b:c7:60:90:da:e0:ee:e2:e1:eb:74:4a:4f:9a" ) and 1579824000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39542,13 +39542,13 @@ rule REVERSINGLABS_Cert_Blocklist_B2E730B0526F36Faf7D093D48D6D9997 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eb82e05b-9aee-5ea7-88a5-8d186b8aafb8" + id = "48c46ca2-d884-53e4-a1d8-2befa2402d28" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5044-L5062" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f74cc94428d7739abf6ee76f6cbd53aa47cea815a014de0d786fe53b15f66201" + logic_hash = "v1_sha256_f74cc94428d7739abf6ee76f6cbd53aa47cea815a014de0d786fe53b15f66201" score = 75 quality = 90 tags = "INFO, FILE" @@ -39558,7 +39558,7 @@ rule REVERSINGLABS_Cert_Blocklist_B2E730B0526F36Faf7D093D48D6D9997 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Bamboo Connect s.r.o." and (pe.signatures[i].serial=="00:b2:e7:30:b0:52:6f:36:fa:f7:d0:93:d4:8d:6d:99:97" or pe.signatures[i].serial=="b2:e7:30:b0:52:6f:36:fa:f7:d0:93:d4:8d:6d:99:97") and 1597276800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Bamboo Connect s.r.o." and ( pe.signatures [ i ] . serial == "00:b2:e7:30:b0:52:6f:36:fa:f7:d0:93:d4:8d:6d:99:97" or pe.signatures [ i ] . serial == "b2:e7:30:b0:52:6f:36:fa:f7:d0:93:d4:8d:6d:99:97" ) and 1597276800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39567,13 +39567,13 @@ rule REVERSINGLABS_Cert_Blocklist_7156Ec47Ef01Ab8359Ef4304E5Af1A05 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b285a407-7f71-5c7e-baae-bfa111a50101" + id = "e6f0b220-5a00-5687-8c8e-fa92ad1aa4c2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5064-L5080" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7bb093287dd309ce12859eca9a9fc98095b3d52ec860626fe6e743bace262fde" + logic_hash = "v1_sha256_7bb093287dd309ce12859eca9a9fc98095b3d52ec860626fe6e743bace262fde" score = 75 quality = 90 tags = "INFO, FILE" @@ -39583,7 +39583,7 @@ rule REVERSINGLABS_Cert_Blocklist_7156Ec47Ef01Ab8359Ef4304E5Af1A05 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BOREC, OOO" and pe.signatures[i].serial=="71:56:ec:47:ef:01:ab:83:59:ef:43:04:e5:af:1a:05" and 1597363200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BOREC, OOO" and pe.signatures [ i ] . serial == "71:56:ec:47:ef:01:ab:83:59:ef:43:04:e5:af:1a:05" and 1597363200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39592,13 +39592,13 @@ rule REVERSINGLABS_Cert_Blocklist_13794371C052Ec0559E9B492Abb25C26 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "31f119a3-e0da-5875-826f-68c40c6f8b88" + id = "da20a58f-046f-5489-b19c-db68755337ad" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5082-L5098" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7383d1fb1fa6e49f8fa9e1eecfe3fcedb8a11702fbd3700630a11b12da29fedf" + logic_hash = "v1_sha256_7383d1fb1fa6e49f8fa9e1eecfe3fcedb8a11702fbd3700630a11b12da29fedf" score = 75 quality = 90 tags = "INFO, FILE" @@ -39608,7 +39608,7 @@ rule REVERSINGLABS_Cert_Blocklist_13794371C052Ec0559E9B492Abb25C26 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Carmel group LLC" and pe.signatures[i].serial=="13:79:43:71:c0:52:ec:05:59:e9:b4:92:ab:b2:5c:26" and 1599177600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Carmel group LLC" and pe.signatures [ i ] . serial == "13:79:43:71:c0:52:ec:05:59:e9:b4:92:ab:b2:5c:26" and 1599177600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39617,13 +39617,13 @@ rule REVERSINGLABS_Cert_Blocklist_5C7E78F53C31D6Aa5B45De14B47Eb5C4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5906107a-03ce-5ca4-b0a7-12b0b45359dd" + id = "26a806f4-656e-53e2-83fc-30d3e2fc89d0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5100-L5116" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7521abc5c93f0336af4fab95268962aa3d3fb48fed6a8ba7fdb98e373158b327" + logic_hash = "v1_sha256_7521abc5c93f0336af4fab95268962aa3d3fb48fed6a8ba7fdb98e373158b327" score = 75 quality = 90 tags = "INFO, FILE" @@ -39633,7 +39633,7 @@ rule REVERSINGLABS_Cert_Blocklist_5C7E78F53C31D6Aa5B45De14B47Eb5C4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Cubic Information Systems, UAB" and pe.signatures[i].serial=="5c:7e:78:f5:3c:31:d6:aa:5b:45:de:14:b4:7e:b5:c4" and 1579824000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Cubic Information Systems, UAB" and pe.signatures [ i ] . serial == "5c:7e:78:f5:3c:31:d6:aa:5b:45:de:14:b4:7e:b5:c4" and 1579824000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39642,13 +39642,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dadf44E4046372313Ee97B8E394C4079 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bebfbbd7-8d42-50a3-8efa-85b641eb069a" + id = "a227de3a-1860-5261-a930-bf227b58ab63" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5118-L5136" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "170533935b91776ec2413106c55ed4a01c33f32a469a855824cac796f2e132a0" + logic_hash = "v1_sha256_170533935b91776ec2413106c55ed4a01c33f32a469a855824cac796f2e132a0" score = 75 quality = 90 tags = "INFO, FILE" @@ -39658,7 +39658,7 @@ rule REVERSINGLABS_Cert_Blocklist_Dadf44E4046372313Ee97B8E394C4079 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Digital Capital Management Ireland Limited" and (pe.signatures[i].serial=="00:da:df:44:e4:04:63:72:31:3e:e9:7b:8e:39:4c:40:79" or pe.signatures[i].serial=="da:df:44:e4:04:63:72:31:3e:e9:7b:8e:39:4c:40:79") and 1600244736<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Digital Capital Management Ireland Limited" and ( pe.signatures [ i ] . serial == "00:da:df:44:e4:04:63:72:31:3e:e9:7b:8e:39:4c:40:79" or pe.signatures [ i ] . serial == "da:df:44:e4:04:63:72:31:3e:e9:7b:8e:39:4c:40:79" ) and 1600244736 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39667,13 +39667,13 @@ rule REVERSINGLABS_Cert_Blocklist_F8C2E08438Bb0E9Adc955E4B493E5821 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "65297530-2482-5773-8914-461fb56cb41d" + id = "448840e4-a3e5-5d56-886d-61a0d81881d0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5138-L5156" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5dbe554032c945c46ffd61ef1e0deb59d396a70dd63994bf44c65d849ec8220a" + logic_hash = "v1_sha256_5dbe554032c945c46ffd61ef1e0deb59d396a70dd63994bf44c65d849ec8220a" score = 75 quality = 90 tags = "INFO, FILE" @@ -39683,7 +39683,7 @@ rule REVERSINGLABS_Cert_Blocklist_F8C2E08438Bb0E9Adc955E4B493E5821 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DocsGen Software Solutions Inc." and (pe.signatures[i].serial=="00:f8:c2:e0:84:38:bb:0e:9a:dc:95:5e:4b:49:3e:58:21" or pe.signatures[i].serial=="f8:c2:e0:84:38:bb:0e:9a:dc:95:5e:4b:49:3e:58:21") and 1599523200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DocsGen Software Solutions Inc." and ( pe.signatures [ i ] . serial == "00:f8:c2:e0:84:38:bb:0e:9a:dc:95:5e:4b:49:3e:58:21" or pe.signatures [ i ] . serial == "f8:c2:e0:84:38:bb:0e:9a:dc:95:5e:4b:49:3e:58:21" ) and 1599523200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39692,13 +39692,13 @@ rule REVERSINGLABS_Cert_Blocklist_70E1Ebd170Db8102D8C28E58392E5632 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e3b0f68c-8cc9-5275-988a-8d955ea25a47" + id = "918eb26d-3409-54cc-aa07-0da48b17a599" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5158-L5174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e1738eddc1da0876a373ee7f35bff155d56c1b98a23cb117c0e7a966f8fa3c92" + logic_hash = "v1_sha256_e1738eddc1da0876a373ee7f35bff155d56c1b98a23cb117c0e7a966f8fa3c92" score = 75 quality = 90 tags = "INFO, FILE" @@ -39708,7 +39708,7 @@ rule REVERSINGLABS_Cert_Blocklist_70E1Ebd170Db8102D8C28E58392E5632 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Equal Cash Technologies Limited" and pe.signatures[i].serial=="70:e1:eb:d1:70:db:81:02:d8:c2:8e:58:39:2e:56:32" and 1599264000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Equal Cash Technologies Limited" and pe.signatures [ i ] . serial == "70:e1:eb:d1:70:db:81:02:d8:c2:8e:58:39:2e:56:32" and 1599264000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39717,13 +39717,13 @@ rule REVERSINGLABS_Cert_Blocklist_09C89De6F64A7Fdf657E69353C5Fdd44 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f86eafb5-ec59-58c5-b5f9-01a6704fb555" + id = "106589b2-3cda-519e-a7a4-504df7869845" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5176-L5192" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1cb57cd68cda91754307d2e4d94ea011975bbfff0f15134081a5aa11870b0db1" + logic_hash = "v1_sha256_1cb57cd68cda91754307d2e4d94ea011975bbfff0f15134081a5aa11870b0db1" score = 75 quality = 90 tags = "INFO, FILE" @@ -39733,7 +39733,7 @@ rule REVERSINGLABS_Cert_Blocklist_09C89De6F64A7Fdf657E69353C5Fdd44 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "EXON RENTAL SP Z O O" and pe.signatures[i].serial=="09:c8:9d:e6:f6:4a:7f:df:65:7e:69:35:3c:5f:dd:44" and 1601337601<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "EXON RENTAL SP Z O O" and pe.signatures [ i ] . serial == "09:c8:9d:e6:f6:4a:7f:df:65:7e:69:35:3c:5f:dd:44" and 1601337601 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39742,13 +39742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ffff2Ce862378B26440Df49Ca9175B70 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d5d1e84d-328f-53ac-adb6-3824fa77a47d" + id = "4f1c541b-eee3-5281-bb00-a3b86936b3f9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5194-L5212" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8ed7b0643b07ce4954f570157e1534ee1ed647717cce00fe7f2b572c9b5d0042" + logic_hash = "v1_sha256_8ed7b0643b07ce4954f570157e1534ee1ed647717cce00fe7f2b572c9b5d0042" score = 75 quality = 90 tags = "INFO, FILE" @@ -39758,7 +39758,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ffff2Ce862378B26440Df49Ca9175B70 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "F & A.TIM d.o.o." and (pe.signatures[i].serial=="00:ff:ff:2c:e8:62:37:8b:26:44:0d:f4:9c:a9:17:5b:70" or pe.signatures[i].serial=="ff:ff:2c:e8:62:37:8b:26:44:0d:f4:9c:a9:17:5b:70") and 1576195200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "F & A.TIM d.o.o." and ( pe.signatures [ i ] . serial == "00:ff:ff:2c:e8:62:37:8b:26:44:0d:f4:9c:a9:17:5b:70" or pe.signatures [ i ] . serial == "ff:ff:2c:e8:62:37:8b:26:44:0d:f4:9c:a9:17:5b:70" ) and 1576195200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39767,13 +39767,13 @@ rule REVERSINGLABS_Cert_Blocklist_3223B4616C2687C04865Bee8321726A8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "089aae56-4f46-563c-800a-dbf57db2bde6" + id = "69605fb5-7f3d-5e5f-b3df-6e0305480853" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5214-L5230" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fcb0a14866b3612c5ec5a7db7a3333e20a4605695b3d019eef84de85d7b3ea4d" + logic_hash = "v1_sha256_fcb0a14866b3612c5ec5a7db7a3333e20a4605695b3d019eef84de85d7b3ea4d" score = 75 quality = 90 tags = "INFO, FILE" @@ -39783,7 +39783,7 @@ rule REVERSINGLABS_Cert_Blocklist_3223B4616C2687C04865Bee8321726A8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FORTUNE STAR TRADING, INC." and pe.signatures[i].serial=="32:23:b4:61:6c:26:87:c0:48:65:be:e8:32:17:26:a8" and 1601337600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FORTUNE STAR TRADING, INC." and pe.signatures [ i ] . serial == "32:23:b4:61:6c:26:87:c0:48:65:be:e8:32:17:26:a8" and 1601337600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39792,13 +39792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7709D2Df39E9A4F7Db2F3Cbc29B49743 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7227daa3-453d-5bb8-804c-8a97cd0d81c6" + id = "d18eb0bd-beef-52b2-b7b2-4bb546208096" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5232-L5248" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c9ade45e0f9fb737a08ffa94d1fff89471a1cbcbacc139730fab88e382226d0b" + logic_hash = "v1_sha256_c9ade45e0f9fb737a08ffa94d1fff89471a1cbcbacc139730fab88e382226d0b" score = 75 quality = 90 tags = "INFO, FILE" @@ -39808,7 +39808,7 @@ rule REVERSINGLABS_Cert_Blocklist_7709D2Df39E9A4F7Db2F3Cbc29B49743 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Grina LLC" and pe.signatures[i].serial=="77:09:d2:df:39:e9:a4:f7:db:2f:3c:bc:29:b4:97:43" and 1556353331<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Grina LLC" and pe.signatures [ i ] . serial == "77:09:d2:df:39:e9:a4:f7:db:2f:3c:bc:29:b4:97:43" and 1556353331 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39817,13 +39817,13 @@ rule REVERSINGLABS_Cert_Blocklist_E29690E14518874D2Dcf00234Ae94F1F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6b4f26d3-b943-5a2e-bfb9-0e290031926a" + id = "59c7ef55-cf69-5912-93d0-e0304d7de478" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5250-L5268" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ef84815798b213dc49a142e3076cc6dd680dccabe72643fc86234024a46468f9" + logic_hash = "v1_sha256_ef84815798b213dc49a142e3076cc6dd680dccabe72643fc86234024a46468f9" score = 75 quality = 90 tags = "INFO, FILE" @@ -39833,7 +39833,7 @@ rule REVERSINGLABS_Cert_Blocklist_E29690E14518874D2Dcf00234Ae94F1F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GRIND & TAMP ENTERPRISES PTY LTD" and (pe.signatures[i].serial=="00:e2:96:90:e1:45:18:87:4d:2d:cf:00:23:4a:e9:4f:1f" or pe.signatures[i].serial=="e2:96:90:e1:45:18:87:4d:2d:cf:00:23:4a:e9:4f:1f") and 1570838400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GRIND & TAMP ENTERPRISES PTY LTD" and ( pe.signatures [ i ] . serial == "00:e2:96:90:e1:45:18:87:4d:2d:cf:00:23:4a:e9:4f:1f" or pe.signatures [ i ] . serial == "e2:96:90:e1:45:18:87:4d:2d:cf:00:23:4a:e9:4f:1f" ) and 1570838400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39842,13 +39842,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cfac705C7E6845904F99995324F7562C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "42aa3105-a077-5962-8d5d-50429254582b" + id = "4815ecf9-b51c-5f5c-9a26-20a3a7e6ce87" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5270-L5288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "68bcfe60c2e7154f427c20d0471ede99e55c8200149a4438d5a2a75982fcd419" + logic_hash = "v1_sha256_68bcfe60c2e7154f427c20d0471ede99e55c8200149a4438d5a2a75982fcd419" score = 75 quality = 90 tags = "INFO, FILE" @@ -39858,7 +39858,7 @@ rule REVERSINGLABS_Cert_Blocklist_Cfac705C7E6845904F99995324F7562C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HMWOCFPSDLAFMFZIVD" and (pe.signatures[i].serial=="cf:ac:70:5c:7e:68:45:90:4f:99:99:53:24:f7:56:2c" or pe.signatures[i].serial=="30:53:8f:a3:81:97:ba:6f:b0:66:66:ac:db:08:a9:d4") and 1601918720<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HMWOCFPSDLAFMFZIVD" and ( pe.signatures [ i ] . serial == "cf:ac:70:5c:7e:68:45:90:4f:99:99:53:24:f7:56:2c" or pe.signatures [ i ] . serial == "30:53:8f:a3:81:97:ba:6f:b0:66:66:ac:db:08:a9:d4" ) and 1601918720 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39867,13 +39867,13 @@ rule REVERSINGLABS_Cert_Blocklist_A7989F8Be0C82D35A19E7B3Dd4Be30E5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "21d54d40-442e-50f5-a561-41b3d6239bac" + id = "48b9b712-a872-52e2-816a-70c498e36bdc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5290-L5308" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a50129908a471e6692bcf663abd5ef52861d4a46fdf528f39efe816ee6150edf" + logic_hash = "v1_sha256_a50129908a471e6692bcf663abd5ef52861d4a46fdf528f39efe816ee6150edf" score = 75 quality = 90 tags = "INFO, FILE" @@ -39883,7 +39883,7 @@ rule REVERSINGLABS_Cert_Blocklist_A7989F8Be0C82D35A19E7B3Dd4Be30E5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Instamix Limited" and (pe.signatures[i].serial=="00:a7:98:9f:8b:e0:c8:2d:35:a1:9e:7b:3d:d4:be:30:e5" or pe.signatures[i].serial=="a7:98:9f:8b:e0:c8:2d:35:a1:9e:7b:3d:d4:be:30:e5") and 1598054400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Instamix Limited" and ( pe.signatures [ i ] . serial == "00:a7:98:9f:8b:e0:c8:2d:35:a1:9e:7b:3d:d4:be:30:e5" or pe.signatures [ i ] . serial == "a7:98:9f:8b:e0:c8:2d:35:a1:9e:7b:3d:d4:be:30:e5" ) and 1598054400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39892,13 +39892,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fa13Ae98E17Ae23Fcfe7Ae873D0C120 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "87a47456-4d90-5a7d-af9d-7a6d5fb8efac" + id = "6185be58-f0df-57e5-9317-331743162e15" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5310-L5326" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "415f39f82b6a45acd196ccf246ec660806a8d66c61df8c7d2850e5b244118d04" + logic_hash = "v1_sha256_415f39f82b6a45acd196ccf246ec660806a8d66c61df8c7d2850e5b244118d04" score = 75 quality = 90 tags = "INFO, FILE" @@ -39908,7 +39908,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Fa13Ae98E17Ae23Fcfe7Ae873D0C120 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "KLAKSON, LLC" and pe.signatures[i].serial=="0f:a1:3a:e9:8e:17:ae:23:fc:fe:7a:e8:73:d0:c1:20" and 1597276801<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "KLAKSON, LLC" and pe.signatures [ i ] . serial == "0f:a1:3a:e9:8e:17:ae:23:fc:fe:7a:e8:73:d0:c1:20" and 1597276801 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39917,13 +39917,13 @@ rule REVERSINGLABS_Cert_Blocklist_3696883055975D571199C6B5D48F3Cd5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f68338f9-8614-5793-981d-70547dbc65ce" + id = "5f943a91-a036-5be7-8e35-65a104dd5c70" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5328-L5344" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d6f77b9ca928167341a35b83e353886d4db8dfcecf45cde0f0f93d65059b5200" + logic_hash = "v1_sha256_d6f77b9ca928167341a35b83e353886d4db8dfcecf45cde0f0f93d65059b5200" score = 75 quality = 90 tags = "INFO, FILE" @@ -39933,7 +39933,7 @@ rule REVERSINGLABS_Cert_Blocklist_3696883055975D571199C6B5D48F3Cd5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Korist Networks Incorporated" and pe.signatures[i].serial=="36:96:88:30:55:97:5d:57:11:99:c6:b5:d4:8f:3c:d5" and 1600069289<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Korist Networks Incorporated" and pe.signatures [ i ] . serial == "36:96:88:30:55:97:5d:57:11:99:c6:b5:d4:8f:3c:d5" and 1600069289 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39942,13 +39942,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ee678930D5Bdfaa2Ab0172Fa4C10Ae07 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e2c2c34a-6177-5457-9ed9-fa34f82ee4cd" + id = "0335af6e-6318-54c2-824b-89656e70bd82" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5346-L5364" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f1e254450fdbe94172a4fa2d2727c3ade5ae436cf4c0c1153a15e9a2f64f2452" + logic_hash = "v1_sha256_f1e254450fdbe94172a4fa2d2727c3ade5ae436cf4c0c1153a15e9a2f64f2452" score = 75 quality = 90 tags = "INFO, FILE" @@ -39958,7 +39958,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ee678930D5Bdfaa2Ab0172Fa4C10Ae07 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LEX CORPORATION PTY LTD" and (pe.signatures[i].serial=="00:ee:67:89:30:d5:bd:fa:a2:ab:01:72:fa:4c:10:ae:07" or pe.signatures[i].serial=="ee:67:89:30:d5:bd:fa:a2:ab:01:72:fa:4c:10:ae:07") and 1571011200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LEX CORPORATION PTY LTD" and ( pe.signatures [ i ] . serial == "00:ee:67:89:30:d5:bd:fa:a2:ab:01:72:fa:4c:10:ae:07" or pe.signatures [ i ] . serial == "ee:67:89:30:d5:bd:fa:a2:ab:01:72:fa:4c:10:ae:07" ) and 1571011200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39967,13 +39967,13 @@ rule REVERSINGLABS_Cert_Blocklist_D7C432E8D4Edef515Bfb9D1C214Ff0F5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5aed508e-2da1-52a0-98f3-52e903e95b7d" + id = "cfc7779c-da9c-50dd-b781-5a36701f0678" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5366-L5384" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "63741513f3ab2f51ecd66dc973239c9dc194b86504fe26b2dd4a7f31299e5497" + logic_hash = "v1_sha256_63741513f3ab2f51ecd66dc973239c9dc194b86504fe26b2dd4a7f31299e5497" score = 75 quality = 90 tags = "INFO, FILE" @@ -39983,7 +39983,7 @@ rule REVERSINGLABS_Cert_Blocklist_D7C432E8D4Edef515Bfb9D1C214Ff0F5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LLC \"MILKY PUT\"" and (pe.signatures[i].serial=="00:d7:c4:32:e8:d4:ed:ef:51:5b:fb:9d:1c:21:4f:f0:f5" or pe.signatures[i].serial=="d7:c4:32:e8:d4:ed:ef:51:5b:fb:9d:1c:21:4f:f0:f5") and 1601596800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LLC \"MILKY PUT\"" and ( pe.signatures [ i ] . serial == "00:d7:c4:32:e8:d4:ed:ef:51:5b:fb:9d:1c:21:4f:f0:f5" or pe.signatures [ i ] . serial == "d7:c4:32:e8:d4:ed:ef:51:5b:fb:9d:1c:21:4f:f0:f5" ) and 1601596800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -39992,13 +39992,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B440A47E8Ce3Dd202271E5C7A666C78 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6f9852cb-277d-5942-b3f7-525593a41027" + id = "e551053a-c705-5752-bb9b-e0d336126492" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5386-L5402" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "eb4387d58e391c356ed774d8c13bb4bbb2befed585bb44674459d3ef519aec58" + logic_hash = "v1_sha256_eb4387d58e391c356ed774d8c13bb4bbb2befed585bb44674459d3ef519aec58" score = 75 quality = 90 tags = "INFO, FILE" @@ -40008,7 +40008,7 @@ rule REVERSINGLABS_Cert_Blocklist_5B440A47E8Ce3Dd202271E5C7A666C78 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Master Networking s.r.o." and pe.signatures[i].serial=="5b:44:0a:47:e8:ce:3d:d2:02:27:1e:5c:7a:66:6c:78" and 1601895571<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Master Networking s.r.o." and pe.signatures [ i ] . serial == "5b:44:0a:47:e8:ce:3d:d2:02:27:1e:5c:7a:66:6c:78" and 1601895571 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40017,13 +40017,13 @@ rule REVERSINGLABS_Cert_Blocklist_B82C6553B2186C219797621Aaa233Edb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e1dd9783-078f-582e-8493-7c493cda9c62" + id = "83f2f813-f4a6-5a22-8d82-1ced318dfe03" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5404-L5422" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "72e3e1740a4adc4315d2dd9c9f7b8cee2d89c3006014dec663b70d3419f43ca3" + logic_hash = "v1_sha256_72e3e1740a4adc4315d2dd9c9f7b8cee2d89c3006014dec663b70d3419f43ca3" score = 75 quality = 90 tags = "INFO, FILE" @@ -40033,7 +40033,7 @@ rule REVERSINGLABS_Cert_Blocklist_B82C6553B2186C219797621Aaa233Edb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MC Commerce SP Z o o" and (pe.signatures[i].serial=="00:b8:2c:65:53:b2:18:6c:21:97:97:62:1a:aa:23:3e:db" or pe.signatures[i].serial=="b8:2c:65:53:b2:18:6c:21:97:97:62:1a:aa:23:3e:db") and 1585785600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MC Commerce SP Z o o" and ( pe.signatures [ i ] . serial == "00:b8:2c:65:53:b2:18:6c:21:97:97:62:1a:aa:23:3e:db" or pe.signatures [ i ] . serial == "b8:2c:65:53:b2:18:6c:21:97:97:62:1a:aa:23:3e:db" ) and 1585785600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40042,13 +40042,13 @@ rule REVERSINGLABS_Cert_Blocklist_F360F7Ad0Ed065Fec0B44F98E04481A0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "96219c86-f463-5f11-950d-ca2af75d5559" + id = "3b575e56-f1c0-5f65-9466-6b1b6a13b562" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5424-L5442" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2a25f1121f492dec461e570ff56acb0e3957cdf9100002f2ff0b6c3d3b35fee5" + logic_hash = "v1_sha256_2a25f1121f492dec461e570ff56acb0e3957cdf9100002f2ff0b6c3d3b35fee5" score = 75 quality = 90 tags = "INFO, FILE" @@ -40058,7 +40058,7 @@ rule REVERSINGLABS_Cert_Blocklist_F360F7Ad0Ed065Fec0B44F98E04481A0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MEHANIKUM OOO" and (pe.signatures[i].serial=="00:f3:60:f7:ad:0e:d0:65:fe:c0:b4:4f:98:e0:44:81:a0" or pe.signatures[i].serial=="f3:60:f7:ad:0e:d0:65:fe:c0:b4:4f:98:e0:44:81:a0") and 1599031121<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MEHANIKUM OOO" and ( pe.signatures [ i ] . serial == "00:f3:60:f7:ad:0e:d0:65:fe:c0:b4:4f:98:e0:44:81:a0" or pe.signatures [ i ] . serial == "f3:60:f7:ad:0e:d0:65:fe:c0:b4:4f:98:e0:44:81:a0" ) and 1599031121 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40067,13 +40067,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fe41941464B9992A69B7317418Ae8Eb7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dd84a6b2-e616-5f93-af50-1a4fc15f3c45" + id = "a74708bc-69a8-589b-b7ae-0ae63b8fd31b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5444-L5462" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bd5131f2b44deec6a7a68577b80ef4d066c331da2976539ce52ac6cff8d5560e" + logic_hash = "v1_sha256_bd5131f2b44deec6a7a68577b80ef4d066c331da2976539ce52ac6cff8d5560e" score = 75 quality = 90 tags = "INFO, FILE" @@ -40083,7 +40083,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fe41941464B9992A69B7317418Ae8Eb7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Milsean Software Limited" and (pe.signatures[i].serial=="00:fe:41:94:14:64:b9:99:2a:69:b7:31:74:18:ae:8e:b7" or pe.signatures[i].serial=="fe:41:94:14:64:b9:99:2a:69:b7:31:74:18:ae:8e:b7") and 1599523200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Milsean Software Limited" and ( pe.signatures [ i ] . serial == "00:fe:41:94:14:64:b9:99:2a:69:b7:31:74:18:ae:8e:b7" or pe.signatures [ i ] . serial == "fe:41:94:14:64:b9:99:2a:69:b7:31:74:18:ae:8e:b7" ) and 1599523200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40092,13 +40092,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C14B611A44A1Bae0E8C7581651845B6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "116beeac-49c6-56b0-a1c0-855623f604d9" + id = "c3ab1646-ccbb-5856-a562-a1dca8ee8d36" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5464-L5480" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7f6028181e33e4ba8264ee367169e7259e19ff49dcae9a337a4ba78c06b459e6" + logic_hash = "v1_sha256_7f6028181e33e4ba8264ee367169e7259e19ff49dcae9a337a4ba78c06b459e6" score = 75 quality = 90 tags = "INFO, FILE" @@ -40108,7 +40108,7 @@ rule REVERSINGLABS_Cert_Blocklist_0C14B611A44A1Bae0E8C7581651845B6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "NEEDCODE SP Z O O" and pe.signatures[i].serial=="0c:14:b6:11:a4:4a:1b:ae:0e:8c:75:81:65:18:45:b6" and 1600300801<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "NEEDCODE SP Z O O" and pe.signatures [ i ] . serial == "0c:14:b6:11:a4:4a:1b:ae:0e:8c:75:81:65:18:45:b6" and 1600300801 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40117,13 +40117,13 @@ rule REVERSINGLABS_Cert_Blocklist_690910Dc89D7857C3500Fb74Bed2B08D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7c427b1a-fbe9-5e97-9810-87863c70988d" + id = "35111140-4028-588c-bf7a-22e2c03109ec" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5482-L5498" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3c5da6238279296854eb95ecaed802f453e80c6bceb71c3fa587df0f7d40cf96" + logic_hash = "v1_sha256_3c5da6238279296854eb95ecaed802f453e80c6bceb71c3fa587df0f7d40cf96" score = 75 quality = 90 tags = "INFO, FILE" @@ -40133,7 +40133,7 @@ rule REVERSINGLABS_Cert_Blocklist_690910Dc89D7857C3500Fb74Bed2B08D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OLIMP STROI, OOO" and pe.signatures[i].serial=="69:09:10:dc:89:d7:85:7c:35:00:fb:74:be:d2:b0:8d" and 1597276800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OLIMP STROI, OOO" and pe.signatures [ i ] . serial == "69:09:10:dc:89:d7:85:7c:35:00:fb:74:be:d2:b0:8d" and 1597276800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40142,13 +40142,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fd41E6Bd7428D3008C8A05F68C9Ac6F2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ef59a76a-3b59-55a2-9da5-c3ba844bbe77" + id = "2414f272-96ca-52a6-9488-86a71d9dfedb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5500-L5518" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e387664dc9aa746e127b4efb2ef43675f8fb6df66e99d33ef765e8fa306a4f18" + logic_hash = "v1_sha256_e387664dc9aa746e127b4efb2ef43675f8fb6df66e99d33ef765e8fa306a4f18" score = 75 quality = 90 tags = "INFO, FILE" @@ -40158,7 +40158,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fd41E6Bd7428D3008C8A05F68C9Ac6F2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OM-FAS d.o.o." and (pe.signatures[i].serial=="00:fd:41:e6:bd:74:28:d3:00:8c:8a:05:f6:8c:9a:c6:f2" or pe.signatures[i].serial=="fd:41:e6:bd:74:28:d3:00:8c:8a:05:f6:8c:9a:c6:f2") and 1575590400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OM-FAS d.o.o." and ( pe.signatures [ i ] . serial == "00:fd:41:e6:bd:74:28:d3:00:8c:8a:05:f6:8c:9a:c6:f2" or pe.signatures [ i ] . serial == "fd:41:e6:bd:74:28:d3:00:8c:8a:05:f6:8c:9a:c6:f2" ) and 1575590400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40167,13 +40167,13 @@ rule REVERSINGLABS_Cert_Blocklist_C7079866C0E48B01246Ba0C148E70D4D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2c985bd9-cb2a-553a-af63-a2a0a80cc641" + id = "4dc4393b-7cdc-5dcd-b70b-5d17d535b14c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5520-L5538" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cc144760e0ca21fd98b55ac222db540900def61f54e9644f8cab5f711ec7bf24" + logic_hash = "v1_sha256_cc144760e0ca21fd98b55ac222db540900def61f54e9644f8cab5f711ec7bf24" score = 75 quality = 90 tags = "INFO, FILE" @@ -40183,7 +40183,7 @@ rule REVERSINGLABS_Cert_Blocklist_C7079866C0E48B01246Ba0C148E70D4D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO GARANT" and (pe.signatures[i].serial=="00:c7:07:98:66:c0:e4:8b:01:24:6b:a0:c1:48:e7:0d:4d" or pe.signatures[i].serial=="c7:07:98:66:c0:e4:8b:01:24:6b:a0:c1:48:e7:0d:4d") and 1588679105<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO GARANT" and ( pe.signatures [ i ] . serial == "00:c7:07:98:66:c0:e4:8b:01:24:6b:a0:c1:48:e7:0d:4d" or pe.signatures [ i ] . serial == "c7:07:98:66:c0:e4:8b:01:24:6b:a0:c1:48:e7:0d:4d" ) and 1588679105 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40192,13 +40192,13 @@ rule REVERSINGLABS_Cert_Blocklist_D591Da22F33C800A7024Aecff2Cd6C6D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "294cbf90-cd1f-5743-a51a-46e1d04ef34e" + id = "10b5234f-79c6-5528-ae98-50b7c5b08527" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5540-L5558" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "30e421d5ea3c5693c5c9bd0e3dd997ceda9755d17e3fb16d2a8e6c4a327ae32f" + logic_hash = "v1_sha256_30e421d5ea3c5693c5c9bd0e3dd997ceda9755d17e3fb16d2a8e6c4a327ae32f" score = 75 quality = 90 tags = "INFO, FILE" @@ -40208,7 +40208,7 @@ rule REVERSINGLABS_Cert_Blocklist_D591Da22F33C800A7024Aecff2Cd6C6D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO T2 Soft" and (pe.signatures[i].serial=="00:d5:91:da:22:f3:3c:80:0a:70:24:ae:cf:f2:cd:6c:6d" or pe.signatures[i].serial=="d5:91:da:22:f3:3c:80:0a:70:24:ae:cf:f2:cd:6c:6d") and 1588679107<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO T2 Soft" and ( pe.signatures [ i ] . serial == "00:d5:91:da:22:f3:3c:80:0a:70:24:ae:cf:f2:cd:6c:6d" or pe.signatures [ i ] . serial == "d5:91:da:22:f3:3c:80:0a:70:24:ae:cf:f2:cd:6c:6d" ) and 1588679107 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40217,13 +40217,13 @@ rule REVERSINGLABS_Cert_Blocklist_B36E0F2053Caee9C3B966F7Be0B40Fc3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8ed732ae-1c25-59fc-8ebe-50a1eb81e4a9" + id = "46fac83d-9624-5da9-b892-d61e7cb6b42e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5560-L5578" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2444c78aefdb9e8c8004598a318db016d7e781ede6da2ba3ee85316456c3e77b" + logic_hash = "v1_sha256_2444c78aefdb9e8c8004598a318db016d7e781ede6da2ba3ee85316456c3e77b" score = 75 quality = 90 tags = "INFO, FILE" @@ -40233,7 +40233,7 @@ rule REVERSINGLABS_Cert_Blocklist_B36E0F2053Caee9C3B966F7Be0B40Fc3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PARTS-JEST d.o.o." and (pe.signatures[i].serial=="00:b3:6e:0f:20:53:ca:ee:9c:3b:96:6f:7b:e0:b4:0f:c3" or pe.signatures[i].serial=="b3:6e:0f:20:53:ca:ee:9c:3b:96:6f:7b:e0:b4:0f:c3") and 1600172855<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PARTS-JEST d.o.o." and ( pe.signatures [ i ] . serial == "00:b3:6e:0f:20:53:ca:ee:9c:3b:96:6f:7b:e0:b4:0f:c3" or pe.signatures [ i ] . serial == "b3:6e:0f:20:53:ca:ee:9c:3b:96:6f:7b:e0:b4:0f:c3" ) and 1600172855 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40242,13 +40242,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B320A2F46C99C1Ba1357Bee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3912fdfc-7a84-51ce-abd2-977ad183af26" + id = "cf2fc150-b922-573b-877c-0fab4d7a2f6c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5580-L5596" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "12797f80bce9d64c6c07e185aa309a0c4f910835745a7f2cc1874fb1211624d8" + logic_hash = "v1_sha256_12797f80bce9d64c6c07e185aa309a0c4f910835745a7f2cc1874fb1211624d8" score = 75 quality = 90 tags = "INFO, FILE" @@ -40258,7 +40258,7 @@ rule REVERSINGLABS_Cert_Blocklist_5B320A2F46C99C1Ba1357Bee : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "REGION TOURISM LLC" and pe.signatures[i].serial=="5b:32:0a:2f:46:c9:9c:1b:a1:35:7b:ee" and 1602513116<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "REGION TOURISM LLC" and pe.signatures [ i ] . serial == "5b:32:0a:2f:46:c9:9c:1b:a1:35:7b:ee" and 1602513116 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40267,13 +40267,13 @@ rule REVERSINGLABS_Cert_Blocklist_08D4352185317271C1Cec9D05C279Af7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0165920f-5f4d-5b35-990d-120786b4c5ba" + id = "1b80cb3a-0253-53e6-b702-1fe45555481d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5598-L5614" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b240962ab23729b241413ed1e53ac6541bf6b8a673c57522efd0cfe0c7eb9dd4" + logic_hash = "v1_sha256_b240962ab23729b241413ed1e53ac6541bf6b8a673c57522efd0cfe0c7eb9dd4" score = 75 quality = 90 tags = "INFO, FILE" @@ -40283,7 +40283,7 @@ rule REVERSINGLABS_Cert_Blocklist_08D4352185317271C1Cec9D05C279Af7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Retalit LLC" and pe.signatures[i].serial=="08:d4:35:21:85:31:72:71:c1:ce:c9:d0:5c:27:9a:f7" and 1596585601<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Retalit LLC" and pe.signatures [ i ] . serial == "08:d4:35:21:85:31:72:71:c1:ce:c9:d0:5c:27:9a:f7" and 1596585601 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40292,13 +40292,13 @@ rule REVERSINGLABS_Cert_Blocklist_B514E4C5309Ef9F27Add05Bedd4339A0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4b5abcfe-259e-5029-822b-c191b8d2c607" + id = "c44f6ae2-cd2a-592f-b36f-3d7e375e9e77" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5616-L5634" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "665b280218528bbe3d5c65d043266469e5288587ed9d85d01797bef7ce132a6f" + logic_hash = "v1_sha256_665b280218528bbe3d5c65d043266469e5288587ed9d85d01797bef7ce132a6f" score = 75 quality = 90 tags = "INFO, FILE" @@ -40308,7 +40308,7 @@ rule REVERSINGLABS_Cert_Blocklist_B514E4C5309Ef9F27Add05Bedd4339A0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SCABONE PTY LTD" and (pe.signatures[i].serial=="00:b5:14:e4:c5:30:9e:f9:f2:7a:dd:05:be:dd:43:39:a0" or pe.signatures[i].serial=="b5:14:e4:c5:30:9e:f9:f2:7a:dd:05:be:dd:43:39:a0") and 1572566400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SCABONE PTY LTD" and ( pe.signatures [ i ] . serial == "00:b5:14:e4:c5:30:9e:f9:f2:7a:dd:05:be:dd:43:39:a0" or pe.signatures [ i ] . serial == "b5:14:e4:c5:30:9e:f9:f2:7a:dd:05:be:dd:43:39:a0" ) and 1572566400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40317,13 +40317,13 @@ rule REVERSINGLABS_Cert_Blocklist_13C7B92282Aae782Bfb00Baf879935F4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cc147c06-e0cf-5536-be3c-17e838b346a9" + id = "5bd724e9-23e6-55bc-a596-747f22f45526" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5636-L5652" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d4edbb446a51e5153ba88d6757d5fb610303eac3fd4bdd3b987b508dc618d2dc" + logic_hash = "v1_sha256_d4edbb446a51e5153ba88d6757d5fb610303eac3fd4bdd3b987b508dc618d2dc" score = 75 quality = 90 tags = "INFO, FILE" @@ -40333,7 +40333,7 @@ rule REVERSINGLABS_Cert_Blocklist_13C7B92282Aae782Bfb00Baf879935F4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "THE WIZARD GIFT CORPORATION" and pe.signatures[i].serial=="13:c7:b9:22:82:aa:e7:82:bf:b0:0b:af:87:99:35:f4" and 1603130510<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "THE WIZARD GIFT CORPORATION" and pe.signatures [ i ] . serial == "13:c7:b9:22:82:aa:e7:82:bf:b0:0b:af:87:99:35:f4" and 1603130510 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40342,13 +40342,13 @@ rule REVERSINGLABS_Cert_Blocklist_D627F1000D12485995514Bfbdefc55D9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4696fc12-16b7-575f-b90f-aa0a5cc12852" + id = "51581274-6fa7-5ab4-a7f6-b65a879a8518" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5654-L5672" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7ca590d71997879d17054a936238dd5273a52f3438d1b231a75927abfb118ffd" + logic_hash = "v1_sha256_7ca590d71997879d17054a936238dd5273a52f3438d1b231a75927abfb118ffd" score = 75 quality = 90 tags = "INFO, FILE" @@ -40358,7 +40358,7 @@ rule REVERSINGLABS_Cert_Blocklist_D627F1000D12485995514Bfbdefc55D9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "THREE D CORPORATION PTY LTD" and (pe.signatures[i].serial=="00:d6:27:f1:00:0d:12:48:59:95:51:4b:fb:de:fc:55:d9" or pe.signatures[i].serial=="d6:27:f1:00:0d:12:48:59:95:51:4b:fb:de:fc:55:d9") and 1597622400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "THREE D CORPORATION PTY LTD" and ( pe.signatures [ i ] . serial == "00:d6:27:f1:00:0d:12:48:59:95:51:4b:fb:de:fc:55:d9" or pe.signatures [ i ] . serial == "d6:27:f1:00:0d:12:48:59:95:51:4b:fb:de:fc:55:d9" ) and 1597622400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40367,13 +40367,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Fb6Bae8834Edd8D3D58818Edc86D7D7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "52b11933-f22c-53ea-88b7-75b3242907dd" + id = "684fb349-5bc7-5d21-8908-75493f906561" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5674-L5690" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a8cec0479bfd53f34e291d56538187c05375e80d20af7f0af08f0db8e1d6ed22" + logic_hash = "v1_sha256_a8cec0479bfd53f34e291d56538187c05375e80d20af7f0af08f0db8e1d6ed22" score = 75 quality = 90 tags = "INFO, FILE" @@ -40383,7 +40383,7 @@ rule REVERSINGLABS_Cert_Blocklist_5Fb6Bae8834Edd8D3D58818Edc86D7D7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Tramplink LLC" and pe.signatures[i].serial=="5f:b6:ba:e8:83:4e:dd:8d:3d:58:81:8e:dc:86:d7:d7" and 1600781989<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Tramplink LLC" and pe.signatures [ i ] . serial == "5f:b6:ba:e8:83:4e:dd:8d:3d:58:81:8e:dc:86:d7:d7" and 1600781989 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40392,13 +40392,13 @@ rule REVERSINGLABS_Cert_Blocklist_E5Ad42C509A7C24605530D35832C091E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "29b1803e-90ee-5390-9548-20b24a3de218" + id = "79dc96a7-8487-5fa0-bd72-78de55318816" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5692-L5710" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2d57d1c171734d0da167ce7eba47aecd88cd15063488d79659804c6c2fae00a2" + logic_hash = "v1_sha256_2d57d1c171734d0da167ce7eba47aecd88cd15063488d79659804c6c2fae00a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -40408,7 +40408,7 @@ rule REVERSINGLABS_Cert_Blocklist_E5Ad42C509A7C24605530D35832C091E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VESNA, OOO" and (pe.signatures[i].serial=="00:e5:ad:42:c5:09:a7:c2:46:05:53:0d:35:83:2c:09:1e" or pe.signatures[i].serial=="e5:ad:42:c5:09:a7:c2:46:05:53:0d:35:83:2c:09:1e") and 1600786458<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VESNA, OOO" and ( pe.signatures [ i ] . serial == "00:e5:ad:42:c5:09:a7:c2:46:05:53:0d:35:83:2c:09:1e" or pe.signatures [ i ] . serial == "e5:ad:42:c5:09:a7:c2:46:05:53:0d:35:83:2c:09:1e" ) and 1600786458 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40417,13 +40417,13 @@ rule REVERSINGLABS_Cert_Blocklist_8E3D89C682F7C0Dad70110Cb7B7C8263 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1adc776c-1549-5149-bd2f-81920a8d7255" + id = "b52e4c48-7914-550c-ab64-be9024f490bf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5712-L5730" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a0f42c5492469e7f132b000aead2d674fed4ea9c0e168579fd55a6c89b45ae4d" + logic_hash = "v1_sha256_a0f42c5492469e7f132b000aead2d674fed4ea9c0e168579fd55a6c89b45ae4d" score = 75 quality = 90 tags = "INFO, FILE" @@ -40433,7 +40433,7 @@ rule REVERSINGLABS_Cert_Blocklist_8E3D89C682F7C0Dad70110Cb7B7C8263 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "WORK PLACEMENTS INTERNATIONAL LIMITED" and (pe.signatures[i].serial=="00:8e:3d:89:c6:82:f7:c0:da:d7:01:10:cb:7b:7c:82:63" or pe.signatures[i].serial=="8e:3d:89:c6:82:f7:c0:da:d7:01:10:cb:7b:7c:82:63") and 1570626662<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "WORK PLACEMENTS INTERNATIONAL LIMITED" and ( pe.signatures [ i ] . serial == "00:8e:3d:89:c6:82:f7:c0:da:d7:01:10:cb:7b:7c:82:63" or pe.signatures [ i ] . serial == "8e:3d:89:c6:82:f7:c0:da:d7:01:10:cb:7b:7c:82:63" ) and 1570626662 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40442,13 +40442,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ef2D35F2Ae82A767A16Be582Ab0D1Ba0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dc8f49b8-fda2-510c-8374-3261e75d11a9" + id = "fe8a01ed-8aa4-5007-bf7c-00824b6ad418" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5732-L5750" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0709290aeb18bcb855518e150c2768c24ab311f5c727cdc4c40145b879ff88b6" + logic_hash = "v1_sha256_0709290aeb18bcb855518e150c2768c24ab311f5c727cdc4c40145b879ff88b6" score = 75 quality = 90 tags = "INFO, FILE" @@ -40458,7 +40458,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ef2D35F2Ae82A767A16Be582Ab0D1Ba0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Workstage Limited" and (pe.signatures[i].serial=="00:ef:2d:35:f2:ae:82:a7:67:a1:6b:e5:82:ab:0d:1b:a0" or pe.signatures[i].serial=="ef:2d:35:f2:ae:82:a7:67:a1:6b:e5:82:ab:0d:1b:a0") and 1567123200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Workstage Limited" and ( pe.signatures [ i ] . serial == "00:ef:2d:35:f2:ae:82:a7:67:a1:6b:e5:82:ab:0d:1b:a0" or pe.signatures [ i ] . serial == "ef:2d:35:f2:ae:82:a7:67:a1:6b:e5:82:ab:0d:1b:a0" ) and 1567123200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40467,13 +40467,13 @@ rule REVERSINGLABS_Cert_Blocklist_039668034826Df47E6207Ec9Daed57C3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c2a3477a-a4cf-586e-ba70-555cc577ab2c" + id = "ec11ced8-d3c2-52c2-9f8e-c3867df7edcd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5752-L5768" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "792860feec6e599ba22ae3869ef132cf5b7be2e0572e23503e293444fd7c382d" + logic_hash = "v1_sha256_792860feec6e599ba22ae3869ef132cf5b7be2e0572e23503e293444fd7c382d" score = 75 quality = 90 tags = "INFO, FILE" @@ -40483,7 +40483,7 @@ rule REVERSINGLABS_Cert_Blocklist_039668034826Df47E6207Ec9Daed57C3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CHOO FSP, LLC" and pe.signatures[i].serial=="03:96:68:03:48:26:df:47:e6:20:7e:c9:da:ed:57:c3" and 1601424001<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CHOO FSP, LLC" and pe.signatures [ i ] . serial == "03:96:68:03:48:26:df:47:e6:20:7e:c9:da:ed:57:c3" and 1601424001 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40492,13 +40492,13 @@ rule REVERSINGLABS_Cert_Blocklist_07Bb6A9D1C642C5973C16D5353B17Ca4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "094a02ee-394b-5989-9f73-6b942aca5500" + id = "0fc2d7f4-30ae-5186-b86b-b4fed5f50deb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5770-L5786" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b98dcd4f0ebe870a9dad55cac5b0db81be6062216337b75a74a0aff8436df57f" + logic_hash = "v1_sha256_b98dcd4f0ebe870a9dad55cac5b0db81be6062216337b75a74a0aff8436df57f" score = 75 quality = 90 tags = "INFO, FILE" @@ -40508,7 +40508,7 @@ rule REVERSINGLABS_Cert_Blocklist_07Bb6A9D1C642C5973C16D5353B17Ca4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MADAS d.o.o." and pe.signatures[i].serial=="07:bb:6a:9d:1c:64:2c:59:73:c1:6d:53:53:b1:7c:a4" and 1601856001<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MADAS d.o.o." and pe.signatures [ i ] . serial == "07:bb:6a:9d:1c:64:2c:59:73:c1:6d:53:53:b1:7c:a4" and 1601856001 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40517,13 +40517,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A1Dc99E4D5264C45A5090F93242A30A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9b85ed8d-ddda-51d0-bfac-5cdc6e4fd94f" + id = "62e4dbb6-2219-5cc4-81b7-b01b4329e595" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5788-L5804" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1985c9c4f4a93c3088eaec3031df93cf87a9d7ee36b94322330caf3c21982f3c" + logic_hash = "v1_sha256_1985c9c4f4a93c3088eaec3031df93cf87a9d7ee36b94322330caf3c21982f3c" score = 75 quality = 90 tags = "INFO, FILE" @@ -40533,7 +40533,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A1Dc99E4D5264C45A5090F93242A30A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "K & D KOMPANI d.o.o." and pe.signatures[i].serial=="0a:1d:c9:9e:4d:52:64:c4:5a:50:90:f9:32:42:a3:0a" and 1600905601<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "K & D KOMPANI d.o.o." and pe.signatures [ i ] . serial == "0a:1d:c9:9e:4d:52:64:c4:5a:50:90:f9:32:42:a3:0a" and 1600905601 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40542,13 +40542,13 @@ rule REVERSINGLABS_Cert_Blocklist_018093Cfad72Cdf402Eecbe18B33Ec71 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d9ab2e5c-a107-53c1-9b8d-b4625eed03b0" + id = "7f7ff64b-121b-55fc-965b-edf459426f9e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5806-L5822" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ac398ef89e691158742598777c320832a750a7410904448778afc7ef3c63c255" + logic_hash = "v1_sha256_ac398ef89e691158742598777c320832a750a7410904448778afc7ef3c63c255" score = 75 quality = 90 tags = "INFO, FILE" @@ -40558,7 +40558,7 @@ rule REVERSINGLABS_Cert_Blocklist_018093Cfad72Cdf402Eecbe18B33Ec71 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FAT11 d.o.o." and pe.signatures[i].serial=="01:80:93:cf:ad:72:cd:f4:02:ee:cb:e1:8b:33:ec:71" and 1602000390<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FAT11 d.o.o." and pe.signatures [ i ] . serial == "01:80:93:cf:ad:72:cd:f4:02:ee:cb:e1:8b:33:ec:71" and 1602000390 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40567,13 +40567,13 @@ rule REVERSINGLABS_Cert_Blocklist_569E03988Af60D80Ce60728940850D9B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a4432990-8c2f-523c-8a9d-cba578aaefc5" + id = "1aa7e141-490c-5a78-923e-8446ac855d8f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5824-L5842" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3ea894d9e088c2123f9ec87cbf097e2275fae18cad26e926641fe64921808b1e" + logic_hash = "v1_sha256_3ea894d9e088c2123f9ec87cbf097e2275fae18cad26e926641fe64921808b1e" score = 75 quality = 90 tags = "INFO, FILE" @@ -40583,7 +40583,7 @@ rule REVERSINGLABS_Cert_Blocklist_569E03988Af60D80Ce60728940850D9B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OORT inc." and (pe.signatures[i].serial=="00:56:9e:03:98:8a:f6:0d:80:ce:60:72:89:40:85:0d:9b" or pe.signatures[i].serial=="56:9e:03:98:8a:f6:0d:80:ce:60:72:89:40:85:0d:9b") and 1601006510<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OORT inc." and ( pe.signatures [ i ] . serial == "00:56:9e:03:98:8a:f6:0d:80:ce:60:72:89:40:85:0d:9b" or pe.signatures [ i ] . serial == "56:9e:03:98:8a:f6:0d:80:ce:60:72:89:40:85:0d:9b" ) and 1601006510 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40592,13 +40592,13 @@ rule REVERSINGLABS_Cert_Blocklist_418F6D959A8A0F82Bef07Ceba3603E52 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ecfb72ef-04c4-55b6-b9e0-e95053e03425" + id = "ee093467-9c08-588a-af31-0511680357c1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5844-L5862" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6c13c5e85d6e053319193d1d94f216eeec64405c86d15971419078a1ce6c8ac9" + logic_hash = "v1_sha256_6c13c5e85d6e053319193d1d94f216eeec64405c86d15971419078a1ce6c8ac9" score = 75 quality = 90 tags = "INFO, FILE" @@ -40608,7 +40608,7 @@ rule REVERSINGLABS_Cert_Blocklist_418F6D959A8A0F82Bef07Ceba3603E52 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OORT inc." and (pe.signatures[i].serial=="00:41:8f:6d:95:9a:8a:0f:82:be:f0:7c:eb:a3:60:3e:52" or pe.signatures[i].serial=="41:8f:6d:95:9a:8a:0f:82:be:f0:7c:eb:a3:60:3e:52") and 1601928240<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OORT inc." and ( pe.signatures [ i ] . serial == "00:41:8f:6d:95:9a:8a:0f:82:be:f0:7c:eb:a3:60:3e:52" or pe.signatures [ i ] . serial == "41:8f:6d:95:9a:8a:0f:82:be:f0:7c:eb:a3:60:3e:52" ) and 1601928240 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40617,13 +40617,13 @@ rule REVERSINGLABS_Cert_Blocklist_5378C5Bbeba0D3309A35Bb47F63037F7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7f367505-d7c1-5b8c-83bd-df3fec789d12" + id = "22d08e9d-8daf-5893-bb58-7c37fa7b5e92" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5864-L5882" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a96acf93ca6da4d3bf5177b51996825cd3ea70443577622deccdd11fde579c31" + logic_hash = "v1_sha256_a96acf93ca6da4d3bf5177b51996825cd3ea70443577622deccdd11fde579c31" score = 75 quality = 90 tags = "INFO, FILE" @@ -40633,7 +40633,7 @@ rule REVERSINGLABS_Cert_Blocklist_5378C5Bbeba0D3309A35Bb47F63037F7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OORT inc." and (pe.signatures[i].serial=="00:53:78:c5:bb:eb:a0:d3:30:9a:35:bb:47:f6:30:37:f7" or pe.signatures[i].serial=="53:78:c5:bb:eb:a0:d3:30:9a:35:bb:47:f6:30:37:f7") and 1601427420<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OORT inc." and ( pe.signatures [ i ] . serial == "00:53:78:c5:bb:eb:a0:d3:30:9a:35:bb:47:f6:30:37:f7" or pe.signatures [ i ] . serial == "53:78:c5:bb:eb:a0:d3:30:9a:35:bb:47:f6:30:37:f7" ) and 1601427420 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40642,13 +40642,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Bab6A2Aa84B495D9E554A4C42C0126D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7b6d364c-3e27-5314-b604-d44bb408fc4e" + id = "5ceb1dd7-79c8-57b9-a62c-2983a7d8c5d5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5884-L5900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "79b6df421c78fd3e2f05a60f7d875e02519297a0278614c9f63dff8b1b2a2d18" + logic_hash = "v1_sha256_79b6df421c78fd3e2f05a60f7d875e02519297a0278614c9f63dff8b1b2a2d18" score = 75 quality = 90 tags = "INFO, FILE" @@ -40658,7 +40658,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Bab6A2Aa84B495D9E554A4C42C0126D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "NOSOV SP Z O O" and pe.signatures[i].serial=="0b:ab:6a:2a:a8:4b:49:5d:9e:55:4a:4c:42:c0:12:6d" and 1597971600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "NOSOV SP Z O O" and pe.signatures [ i ] . serial == "0b:ab:6a:2a:a8:4b:49:5d:9e:55:4a:4c:42:c0:12:6d" and 1597971600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40667,13 +40667,13 @@ rule REVERSINGLABS_Cert_Blocklist_6314001C3235Cd59Bcc3F5278C518804 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aff0fb76-587b-5493-810c-ac32a6ba9576" + id = "62f6454f-80cd-531e-8bdc-65ccd7f7a3b2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5902-L5918" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4320f3884c0f7e4939e8988a4e83b8028a5e01fb425ae4faa2273134db835813" + logic_hash = "v1_sha256_4320f3884c0f7e4939e8988a4e83b8028a5e01fb425ae4faa2273134db835813" score = 75 quality = 90 tags = "INFO, FILE" @@ -40683,7 +40683,7 @@ rule REVERSINGLABS_Cert_Blocklist_6314001C3235Cd59Bcc3F5278C518804 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GIE-MUTUALISTE" and pe.signatures[i].serial=="63:14:00:1c:32:35:cd:59:bc:c3:f5:27:8c:51:88:04" and 1600304400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GIE-MUTUALISTE" and pe.signatures [ i ] . serial == "63:14:00:1c:32:35:cd:59:bc:c3:f5:27:8c:51:88:04" and 1600304400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40692,13 +40692,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ed8Ade5D73B73Dade6943D557Ff87E5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dbfae40c-2f81-5daf-8655-d06ae38ffa8f" + id = "c5e5a2e5-acc0-5bde-9ebf-2fa7b74a399e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5920-L5936" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7796b6e7da900be8634e7f1e51cda1275ab1e7c2709af7ecaa8777ab0b518494" + logic_hash = "v1_sha256_7796b6e7da900be8634e7f1e51cda1275ab1e7c2709af7ecaa8777ab0b518494" score = 75 quality = 90 tags = "INFO, FILE" @@ -40708,7 +40708,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Ed8Ade5D73B73Dade6943D557Ff87E5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rumikon LLC" and pe.signatures[i].serial=="0e:d8:ad:e5:d7:3b:73:da:de:69:43:d5:57:ff:87:e5" and 1597885200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rumikon LLC" and pe.signatures [ i ] . serial == "0e:d8:ad:e5:d7:3b:73:da:de:69:43:d5:57:ff:87:e5" and 1597885200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40717,13 +40717,13 @@ rule REVERSINGLABS_Cert_Blocklist_0292C7D574132Ba5C0441D1C7Ffcb805 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ef58cf01-9c54-5dbb-99a7-d3ca42663133" + id = "93fa72d6-2863-5e2d-bc37-bcb4054294b7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5938-L5954" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d2bcf72f4c5829d161bc40e820eb0b1a85deaa49b749422d5429e27b7fb2b1fe" + logic_hash = "v1_sha256_d2bcf72f4c5829d161bc40e820eb0b1a85deaa49b749422d5429e27b7fb2b1fe" score = 75 quality = 90 tags = "INFO, FILE" @@ -40733,7 +40733,7 @@ rule REVERSINGLABS_Cert_Blocklist_0292C7D574132Ba5C0441D1C7Ffcb805 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TES LOGISTIKA d.o.o." and pe.signatures[i].serial=="02:92:c7:d5:74:13:2b:a5:c0:44:1d:1c:7f:fc:b8:05" and 1602183720<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TES LOGISTIKA d.o.o." and pe.signatures [ i ] . serial == "02:92:c7:d5:74:13:2b:a5:c0:44:1d:1c:7f:fc:b8:05" and 1602183720 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40742,13 +40742,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F23F001458716D435Cca1A55D660Ec5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "16614e20-1cf1-55c0-a04c-d99c06fb29a2" + id = "de5eeaeb-2a15-5d68-8e61-0c460a447bef" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5956-L5972" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bacfb4b7900ab57d23474e0422bd74fff113296b8db37e8eae3bd456443d28d6" + logic_hash = "v1_sha256_bacfb4b7900ab57d23474e0422bd74fff113296b8db37e8eae3bd456443d28d6" score = 75 quality = 90 tags = "INFO, FILE" @@ -40758,7 +40758,7 @@ rule REVERSINGLABS_Cert_Blocklist_1F23F001458716D435Cca1A55D660Ec5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Ringen" and pe.signatures[i].serial=="1f:23:f0:01:45:87:16:d4:35:cc:a1:a5:5d:66:0e:c5" and 1603176940<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Ringen" and pe.signatures [ i ] . serial == "1f:23:f0:01:45:87:16:d4:35:cc:a1:a5:5d:66:0e:c5" and 1603176940 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40767,13 +40767,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E0Ccbdfb4777E10Ea6221B90Dc350C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "64007bd7-b273-5579-8224-68337f1bc54d" + id = "8ae9183f-4c6e-523c-8126-40cb52c978a8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5974-L5990" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "08a1ff7cc3a7680fdbb3235a7b46709cd4ba530a9afeab4344671db9fe893cc4" + logic_hash = "v1_sha256_08a1ff7cc3a7680fdbb3235a7b46709cd4ba530a9afeab4344671db9fe893cc4" score = 75 quality = 90 tags = "INFO, FILE" @@ -40783,7 +40783,7 @@ rule REVERSINGLABS_Cert_Blocklist_6E0Ccbdfb4777E10Ea6221B90Dc350C2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TRAUMALAB INTERNATIONAL APS" and pe.signatures[i].serial=="6e:0c:cb:df:b4:77:7e:10:ea:62:21:b9:0d:c3:50:c2" and 1603046620<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TRAUMALAB INTERNATIONAL APS" and pe.signatures [ i ] . serial == "6e:0c:cb:df:b4:77:7e:10:ea:62:21:b9:0d:c3:50:c2" and 1603046620 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40792,13 +40792,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ed1847A2Ae5D71Def1E833Fddd33D38 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "11fd3bbe-5d15-57b7-a461-fc9c90046dbc" + id = "0d8664e3-42e1-5362-be0d-4bfb367d74fc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5992-L6008" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ec5eb8ff1f630284fabfba5c58dd563d471343ace718f79dad08cfe75c3070d" + logic_hash = "v1_sha256_0ec5eb8ff1f630284fabfba5c58dd563d471343ace718f79dad08cfe75c3070d" score = 75 quality = 90 tags = "INFO, FILE" @@ -40808,7 +40808,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Ed1847A2Ae5D71Def1E833Fddd33D38 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SNAB-RESURS, OOO" and pe.signatures[i].serial=="0e:d1:84:7a:2a:e5:d7:1d:ef:1e:83:3f:dd:d3:3d:38" and 1598662800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SNAB-RESURS, OOO" and pe.signatures [ i ] . serial == "0e:d1:84:7a:2a:e5:d7:1d:ef:1e:83:3f:dd:d3:3d:38" and 1598662800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40817,13 +40817,13 @@ rule REVERSINGLABS_Cert_Blocklist_97Df46Acb26B7C81A13Cc467B47688C8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "68e2fdc7-61cd-5e0a-8bc7-5e0ca96271c5" + id = "22d4bd7a-016c-5cf9-ad0f-d332eb51e508" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6010-L6028" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6f6e0e175caee83eaec2dacedaf564b642195a8815cfd0d4564f581070b0c545" + logic_hash = "v1_sha256_6f6e0e175caee83eaec2dacedaf564b642195a8815cfd0d4564f581070b0c545" score = 75 quality = 90 tags = "INFO, FILE" @@ -40833,7 +40833,7 @@ rule REVERSINGLABS_Cert_Blocklist_97Df46Acb26B7C81A13Cc467B47688C8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Information Civilized System Oy" and (pe.signatures[i].serial=="00:97:df:46:ac:b2:6b:7c:81:a1:3c:c4:67:b4:76:88:c8" or pe.signatures[i].serial=="97:df:46:ac:b2:6b:7c:81:a1:3c:c4:67:b4:76:88:c8") and 1602636910<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Information Civilized System Oy" and ( pe.signatures [ i ] . serial == "00:97:df:46:ac:b2:6b:7c:81:a1:3c:c4:67:b4:76:88:c8" or pe.signatures [ i ] . serial == "97:df:46:ac:b2:6b:7c:81:a1:3c:c4:67:b4:76:88:c8" ) and 1602636910 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40842,13 +40842,13 @@ rule REVERSINGLABS_Cert_Blocklist_186D49Fac34Ce99775B8E7Ffbf50679D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9279d4ee-3f53-5d68-aaa1-af6ed579310f" + id = "c5fa77aa-cd3a-561c-a325-3d3d74b5c425" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6030-L6046" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0444a5052ee384451ebd85918bbc6bf6d6a75334899a63a8b5828ef06cb9c7ca" + logic_hash = "v1_sha256_0444a5052ee384451ebd85918bbc6bf6d6a75334899a63a8b5828ef06cb9c7ca" score = 75 quality = 90 tags = "INFO, FILE" @@ -40858,7 +40858,7 @@ rule REVERSINGLABS_Cert_Blocklist_186D49Fac34Ce99775B8E7Ffbf50679D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Hairis LLC" and pe.signatures[i].serial=="18:6d:49:fa:c3:4c:e9:97:75:b8:e7:ff:bf:50:67:9d" and 1602234590<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Hairis LLC" and pe.signatures [ i ] . serial == "18:6d:49:fa:c3:4c:e9:97:75:b8:e7:ff:bf:50:67:9d" and 1602234590 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40867,13 +40867,13 @@ rule REVERSINGLABS_Cert_Blocklist_B1Aea98Bf0Ce789B6C952310F14Edde0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f039f379-e3d5-56bd-83b7-016881538017" + id = "2a85ccf9-18fc-5296-87e9-d9b9f5b1c6aa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6048-L6066" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6e78750d6aca91e9e6d8f2651a5682ccdab5cd20ee3a74e1f8582eb7bc45d614" + logic_hash = "v1_sha256_6e78750d6aca91e9e6d8f2651a5682ccdab5cd20ee3a74e1f8582eb7bc45d614" score = 75 quality = 90 tags = "INFO, FILE" @@ -40883,7 +40883,7 @@ rule REVERSINGLABS_Cert_Blocklist_B1Aea98Bf0Ce789B6C952310F14Edde0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Absolut LLC" and (pe.signatures[i].serial=="00:b1:ae:a9:8b:f0:ce:78:9b:6c:95:23:10:f1:4e:dd:e0" or pe.signatures[i].serial=="b1:ae:a9:8b:f0:ce:78:9b:6c:95:23:10:f1:4e:dd:e0") and 1602612570<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Absolut LLC" and ( pe.signatures [ i ] . serial == "00:b1:ae:a9:8b:f0:ce:78:9b:6c:95:23:10:f1:4e:dd:e0" or pe.signatures [ i ] . serial == "b1:ae:a9:8b:f0:ce:78:9b:6c:95:23:10:f1:4e:dd:e0" ) and 1602612570 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40892,13 +40892,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Dcd0699Da08915Dde6D044Cb474157C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e1f56719-e726-5f81-99d4-937e343cbcc9" + id = "5190ab6a-bf05-5a95-aa94-b19d57df462a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6068-L6084" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e1a3f27b8b9b642fe1ca73ec54d225f4470b53d0d06f2eea55ad1ad43ec67b39" + logic_hash = "v1_sha256_e1a3f27b8b9b642fe1ca73ec54d225f4470b53d0d06f2eea55ad1ad43ec67b39" score = 75 quality = 90 tags = "INFO, FILE" @@ -40908,7 +40908,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Dcd0699Da08915Dde6D044Cb474157C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VENTE DE TOUT" and pe.signatures[i].serial=="2d:cd:06:99:da:08:91:5d:de:6d:04:4c:b4:74:15:7c" and 1601830010<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VENTE DE TOUT" and pe.signatures [ i ] . serial == "2d:cd:06:99:da:08:91:5d:de:6d:04:4c:b4:74:15:7c" and 1601830010 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40917,13 +40917,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B03Cabe6A0481F17A2Dbeb9Aefad425 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "30108ce3-b133-5e1d-924f-7caaf390e836" + id = "1942f9f9-4428-5a99-b310-6a22f8ed04fa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6086-L6102" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6986e7bd90842647ec6a168c30dca2d5ae8ae5b1c1014f966dd596a78859ac6e" + logic_hash = "v1_sha256_6986e7bd90842647ec6a168c30dca2d5ae8ae5b1c1014f966dd596a78859ac6e" score = 75 quality = 90 tags = "INFO, FILE" @@ -40933,7 +40933,7 @@ rule REVERSINGLABS_Cert_Blocklist_4B03Cabe6A0481F17A2Dbeb9Aefad425 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RASSVET, OOO" and pe.signatures[i].serial=="4b:03:ca:be:6a:04:81:f1:7a:2d:be:b9:ae:fa:d4:25" and 1603230930<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RASSVET, OOO" and pe.signatures [ i ] . serial == "4b:03:ca:be:6a:04:81:f1:7a:2d:be:b9:ae:fa:d4:25" and 1603230930 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40942,13 +40942,13 @@ rule REVERSINGLABS_Cert_Blocklist_64Cd303Fa289790Afa03C403E9240002 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "86644ef8-4218-5a04-9655-c7d51729872d" + id = "74c285a3-b700-5c43-9b06-802e04887ec7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6104-L6120" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f51556a8a12affbd7f7633bf8daa50e6332fa3d3448ea08853cf8ed28e593680" + logic_hash = "v1_sha256_f51556a8a12affbd7f7633bf8daa50e6332fa3d3448ea08853cf8ed28e593680" score = 75 quality = 90 tags = "INFO, FILE" @@ -40958,7 +40958,7 @@ rule REVERSINGLABS_Cert_Blocklist_64Cd303Fa289790Afa03C403E9240002 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MAITLAND TRIFECTA, INC." and pe.signatures[i].serial=="64:cd:30:3f:a2:89:79:0a:fa:03:c4:03:e9:24:00:02" and 1602723600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MAITLAND TRIFECTA, INC." and pe.signatures [ i ] . serial == "64:cd:30:3f:a2:89:79:0a:fa:03:c4:03:e9:24:00:02" and 1602723600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40967,13 +40967,13 @@ rule REVERSINGLABS_Cert_Blocklist_07Cef66A71C35Bc3Aed6D100C6493863 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9c16c370-a382-54f7-ba2e-3b738740966f" + id = "0aaf99d0-ad47-59c8-9d82-9ed62318f4e2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6122-L6138" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e741fc13fe4d03b145ed1d86e738b415a7260eae5b0908c6991c9ea9896f14cf" + logic_hash = "v1_sha256_e741fc13fe4d03b145ed1d86e738b415a7260eae5b0908c6991c9ea9896f14cf" score = 75 quality = 90 tags = "INFO, FILE" @@ -40983,7 +40983,7 @@ rule REVERSINGLABS_Cert_Blocklist_07Cef66A71C35Bc3Aed6D100C6493863 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Fubon Technologies Ltd" and pe.signatures[i].serial=="07:ce:f6:6a:71:c3:5b:c3:ae:d6:d1:00:c6:49:38:63" and 1602740890<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Fubon Technologies Ltd" and pe.signatures [ i ] . serial == "07:ce:f6:6a:71:c3:5b:c3:ae:d6:d1:00:c6:49:38:63" and 1602740890 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -40992,13 +40992,13 @@ rule REVERSINGLABS_Cert_Blocklist_Be77Fe5C58B7A360Add6A3Fced4E8334 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1bbaebe9-b3ca-5ee2-91ac-b2343ca8bb86" + id = "feeb21fc-4c02-58dd-b17a-93a6a3992967" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6140-L6158" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cea0d217206562c0045843405802d3b2fad01bdb2a4cfb52057625b43f5f8eee" + logic_hash = "v1_sha256_cea0d217206562c0045843405802d3b2fad01bdb2a4cfb52057625b43f5f8eee" score = 75 quality = 90 tags = "INFO, FILE" @@ -41008,7 +41008,7 @@ rule REVERSINGLABS_Cert_Blocklist_Be77Fe5C58B7A360Add6A3Fced4E8334 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Incar LLC" and (pe.signatures[i].serial=="00:be:77:fe:5c:58:b7:a3:60:ad:d6:a3:fc:ed:4e:83:34" or pe.signatures[i].serial=="be:77:fe:5c:58:b7:a3:60:ad:d6:a3:fc:ed:4e:83:34") and 1602530730<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Incar LLC" and ( pe.signatures [ i ] . serial == "00:be:77:fe:5c:58:b7:a3:60:ad:d6:a3:fc:ed:4e:83:34" or pe.signatures [ i ] . serial == "be:77:fe:5c:58:b7:a3:60:ad:d6:a3:fc:ed:4e:83:34" ) and 1602530730 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41017,13 +41017,13 @@ rule REVERSINGLABS_Cert_Blocklist_F097E59809Ae2E771B7B9Ae5Fc3408D7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1eed6f30-0648-5b8e-81ff-9f3af0f1c91d" + id = "d8857d67-34e0-5362-917c-f4defa214f3d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6160-L6178" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9e23ff26d3e1ea181e48fc23383e3717804858bc517a31ec508fa0753730c78e" + logic_hash = "v1_sha256_9e23ff26d3e1ea181e48fc23383e3717804858bc517a31ec508fa0753730c78e" score = 75 quality = 90 tags = "INFO, FILE" @@ -41033,7 +41033,7 @@ rule REVERSINGLABS_Cert_Blocklist_F097E59809Ae2E771B7B9Ae5Fc3408D7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ABEL RENOVATIONS, INC." and (pe.signatures[i].serial=="00:f0:97:e5:98:09:ae:2e:77:1b:7b:9a:e5:fc:34:08:d7" or pe.signatures[i].serial=="f0:97:e5:98:09:ae:2e:77:1b:7b:9a:e5:fc:34:08:d7") and 1602542033<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ABEL RENOVATIONS, INC." and ( pe.signatures [ i ] . serial == "00:f0:97:e5:98:09:ae:2e:77:1b:7b:9a:e5:fc:34:08:d7" or pe.signatures [ i ] . serial == "f0:97:e5:98:09:ae:2e:77:1b:7b:9a:e5:fc:34:08:d7" ) and 1602542033 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41042,13 +41042,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Cf1Ed2A6Ff4Bee621Efdf725Ea174B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7f7ecbcd-7a92-526d-99a8-d849fffa19cb" + id = "5273b2bc-85f6-52ba-824f-c2f84e22afbe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6180-L6196" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7030c122905105c72833cfcb41692bd9a67cf456e3309afce0b8f9e65c6aa5c1" + logic_hash = "v1_sha256_7030c122905105c72833cfcb41692bd9a67cf456e3309afce0b8f9e65c6aa5c1" score = 75 quality = 90 tags = "INFO, FILE" @@ -41058,7 +41058,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Cf1Ed2A6Ff4Bee621Efdf725Ea174B7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LEVEL LIST SP Z O O" and pe.signatures[i].serial=="0c:f1:ed:2a:6f:f4:be:e6:21:ef:df:72:5e:a1:74:b7" and 1603036100<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LEVEL LIST SP Z O O" and pe.signatures [ i ] . serial == "0c:f1:ed:2a:6f:f4:be:e6:21:ef:df:72:5e:a1:74:b7" and 1603036100 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41067,13 +41067,13 @@ rule REVERSINGLABS_Cert_Blocklist_1249Aa2Ada4967969B71Ce63Bf187C38 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5b2876a2-8dfa-5456-a615-4ea69df53422" + id = "9dc5db74-7ec6-519f-8a17-29f9ca337702" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6198-L6214" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f84568cfe6304af0307a34bfed6dd346a74e714005b5e6f22a354b14f853ec65" + logic_hash = "v1_sha256_f84568cfe6304af0307a34bfed6dd346a74e714005b5e6f22a354b14f853ec65" score = 75 quality = 90 tags = "INFO, FILE" @@ -41083,7 +41083,7 @@ rule REVERSINGLABS_Cert_Blocklist_1249Aa2Ada4967969B71Ce63Bf187C38 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Umbrella LLC" and pe.signatures[i].serial=="12:49:aa:2a:da:49:67:96:9b:71:ce:63:bf:18:7c:38" and 1599181200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Umbrella LLC" and pe.signatures [ i ] . serial == "12:49:aa:2a:da:49:67:96:9b:71:ce:63:bf:18:7c:38" and 1599181200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41092,13 +41092,13 @@ rule REVERSINGLABS_Cert_Blocklist_D59A05955A4A421500F9561Ce983Aac4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "088f0f98-328b-50fa-b1e4-1d80023b3c09" + id = "73bdc59f-cea6-5046-a950-92e017752d55" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6216-L6234" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b7ed87a03f20872669369cc3cad4eae40ba597f06222194bd67262c094083ec1" + logic_hash = "v1_sha256_b7ed87a03f20872669369cc3cad4eae40ba597f06222194bd67262c094083ec1" score = 75 quality = 90 tags = "INFO, FILE" @@ -41108,7 +41108,7 @@ rule REVERSINGLABS_Cert_Blocklist_D59A05955A4A421500F9561Ce983Aac4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Olymp LLC" and (pe.signatures[i].serial=="00:d5:9a:05:95:5a:4a:42:15:00:f9:56:1c:e9:83:aa:c4" or pe.signatures[i].serial=="d5:9a:05:95:5a:4a:42:15:00:f9:56:1c:e9:83:aa:c4") and 1601895290<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Olymp LLC" and ( pe.signatures [ i ] . serial == "00:d5:9a:05:95:5a:4a:42:15:00:f9:56:1c:e9:83:aa:c4" or pe.signatures [ i ] . serial == "d5:9a:05:95:5a:4a:42:15:00:f9:56:1c:e9:83:aa:c4" ) and 1601895290 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41117,13 +41117,13 @@ rule REVERSINGLABS_Cert_Blocklist_539015999E304A5952985A994F9C3A53 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ccb4da10-3178-5d8f-be17-9c689e794418" + id = "1104a05f-9503-5630-b8df-c5d2752cf171" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6236-L6252" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "feeb1710bd5b048c689a2e45575529624cd1622dcc73db8fe7de6c133fdc5698" + logic_hash = "v1_sha256_feeb1710bd5b048c689a2e45575529624cd1622dcc73db8fe7de6c133fdc5698" score = 75 quality = 90 tags = "INFO, FILE" @@ -41133,7 +41133,7 @@ rule REVERSINGLABS_Cert_Blocklist_539015999E304A5952985A994F9C3A53 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Service lab LLC" and pe.signatures[i].serial=="53:90:15:99:9e:30:4a:59:52:98:5a:99:4f:9c:3a:53" and 1599181200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Service lab LLC" and pe.signatures [ i ] . serial == "53:90:15:99:9e:30:4a:59:52:98:5a:99:4f:9c:3a:53" and 1599181200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41142,13 +41142,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B1926A5E8Ae50A0Efa504F005F93869 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ce437144-0f99-5c41-8d15-edeceb34de4d" + id = "b3a67595-5683-5dcf-a516-dd5c909002c8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6254-L6270" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1cbdf39a873c83d2b55723215fb4930a3ce23b6cab2d71a6cd5f16b2721e30f9" + logic_hash = "v1_sha256_1cbdf39a873c83d2b55723215fb4930a3ce23b6cab2d71a6cd5f16b2721e30f9" score = 75 quality = 90 tags = "INFO, FILE" @@ -41158,7 +41158,7 @@ rule REVERSINGLABS_Cert_Blocklist_0B1926A5E8Ae50A0Efa504F005F93869 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Nordkod LLC" and pe.signatures[i].serial=="0b:19:26:a5:e8:ae:50:a0:ef:a5:04:f0:05:f9:38:69" and 1600650000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Nordkod LLC" and pe.signatures [ i ] . serial == "0b:19:26:a5:e8:ae:50:a0:ef:a5:04:f0:05:f9:38:69" and 1600650000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41167,13 +41167,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A23B660E7322E54D7Bd0E5Acc890966 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "daae5f42-59ff-5838-9444-93357eaa9d60" + id = "e2aa285b-7943-59eb-a438-f597914587c8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6272-L6288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "17996dd0ec81623dbd4eeea98f9bbe37c11c911ca840833ecb9301bb0a9ddb52" + logic_hash = "v1_sha256_17996dd0ec81623dbd4eeea98f9bbe37c11c911ca840833ecb9301bb0a9ddb52" score = 75 quality = 90 tags = "INFO, FILE" @@ -41183,7 +41183,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A23B660E7322E54D7Bd0E5Acc890966 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ARTBUD RADOM SP Z O O" and pe.signatures[i].serial=="0a:23:b6:60:e7:32:2e:54:d7:bd:0e:5a:cc:89:09:66" and 1601254800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ARTBUD RADOM SP Z O O" and pe.signatures [ i ] . serial == "0a:23:b6:60:e7:32:2e:54:d7:bd:0e:5a:cc:89:09:66" and 1601254800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41192,13 +41192,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Cfa5050C819C4Acbb8Fa75979688Dff : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f91ecc17-7406-552a-8864-c9e1657a5ca9" + id = "b26e366d-dffd-5dd4-8987-f591633c0237" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6290-L6308" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cffc234be78446191dd5f5990db9f17c7e28eeaa3e16f1eb8ad4ed1e58fdc25e" + logic_hash = "v1_sha256_cffc234be78446191dd5f5990db9f17c7e28eeaa3e16f1eb8ad4ed1e58fdc25e" score = 75 quality = 90 tags = "INFO, FILE" @@ -41208,7 +41208,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Cfa5050C819C4Acbb8Fa75979688Dff : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Elite Web Development Ltd." and (pe.signatures[i].serial=="00:6c:fa:50:50:c8:19:c4:ac:bb:8f:a7:59:79:68:8d:ff" or pe.signatures[i].serial=="6c:fa:50:50:c8:19:c4:ac:bb:8f:a7:59:79:68:8d:ff") and 1600176940<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Elite Web Development Ltd." and ( pe.signatures [ i ] . serial == "00:6c:fa:50:50:c8:19:c4:ac:bb:8f:a7:59:79:68:8d:ff" or pe.signatures [ i ] . serial == "6c:fa:50:50:c8:19:c4:ac:bb:8f:a7:59:79:68:8d:ff" ) and 1600176940 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41217,13 +41217,13 @@ rule REVERSINGLABS_Cert_Blocklist_044E05Bb1A01A1Cbb50Cfb6Cd24E5D6B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c0796bc3-96cd-5d12-a0ee-97d8ed4a3076" + id = "7a0d5e9f-0c4e-5ab5-aef3-422334696734" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6310-L6326" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "40c80d3b6bedb0b3454e14501745a6e82b6ea9ac202748867a2e937fb79c6f6c" + logic_hash = "v1_sha256_40c80d3b6bedb0b3454e14501745a6e82b6ea9ac202748867a2e937fb79c6f6c" score = 75 quality = 90 tags = "INFO, FILE" @@ -41233,7 +41233,7 @@ rule REVERSINGLABS_Cert_Blocklist_044E05Bb1A01A1Cbb50Cfb6Cd24E5D6B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MUSTER PLUS SP Z O O" and pe.signatures[i].serial=="04:4e:05:bb:1a:01:a1:cb:b5:0c:fb:6c:d2:4e:5d:6b" and 1601427600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MUSTER PLUS SP Z O O" and pe.signatures [ i ] . serial == "04:4e:05:bb:1a:01:a1:cb:b5:0c:fb:6c:d2:4e:5d:6b" and 1601427600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41242,13 +41242,13 @@ rule REVERSINGLABS_Cert_Blocklist_B7F19B13De9Bee8A52Ff365Ced6F67Fa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0e7e235e-3f0b-5396-9c19-9336d9cbb95a" + id = "5a8069a3-0730-5a3f-a69b-d147fca8efbf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6328-L6346" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a8d2a92b44cdd7b123907a6a77ba0fc9fde4961f9ac846b36f1e87730a1efae6" + logic_hash = "v1_sha256_a8d2a92b44cdd7b123907a6a77ba0fc9fde4961f9ac846b36f1e87730a1efae6" score = 75 quality = 90 tags = "INFO, FILE" @@ -41258,7 +41258,7 @@ rule REVERSINGLABS_Cert_Blocklist_B7F19B13De9Bee8A52Ff365Ced6F67Fa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ALEXIS SECURITY GROUP, LLC" and (pe.signatures[i].serial=="00:b7:f1:9b:13:de:9b:ee:8a:52:ff:36:5c:ed:6f:67:fa" or pe.signatures[i].serial=="b7:f1:9b:13:de:9b:ee:8a:52:ff:36:5c:ed:6f:67:fa") and 1574914319<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ALEXIS SECURITY GROUP, LLC" and ( pe.signatures [ i ] . serial == "00:b7:f1:9b:13:de:9b:ee:8a:52:ff:36:5c:ed:6f:67:fa" or pe.signatures [ i ] . serial == "b7:f1:9b:13:de:9b:ee:8a:52:ff:36:5c:ed:6f:67:fa" ) and 1574914319 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41267,13 +41267,13 @@ rule REVERSINGLABS_Cert_Blocklist_B61B8E71514059Adc604Da05C283E514 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2587d30d-e9c8-599c-9cc4-4d4a7aa83c34" + id = "517683e3-bcfb-50b8-86eb-2f3b7e3de30f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6348-L6366" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1255cef74082c9cad41ac8e7d62e740f69e6ba44171bb45655a68ee5db204e57" + logic_hash = "v1_sha256_1255cef74082c9cad41ac8e7d62e740f69e6ba44171bb45655a68ee5db204e57" score = 75 quality = 90 tags = "INFO, FILE" @@ -41283,7 +41283,7 @@ rule REVERSINGLABS_Cert_Blocklist_B61B8E71514059Adc604Da05C283E514 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "APP DIVISION ApS" and (pe.signatures[i].serial=="00:b6:1b:8e:71:51:40:59:ad:c6:04:da:05:c2:83:e5:14" or pe.signatures[i].serial=="b6:1b:8e:71:51:40:59:ad:c6:04:da:05:c2:83:e5:14") and 1603328400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "APP DIVISION ApS" and ( pe.signatures [ i ] . serial == "00:b6:1b:8e:71:51:40:59:ad:c6:04:da:05:c2:83:e5:14" or pe.signatures [ i ] . serial == "b6:1b:8e:71:51:40:59:ad:c6:04:da:05:c2:83:e5:14" ) and 1603328400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41292,13 +41292,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ece6Cbf67Dc41635A5E5D075F286Af23 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3e451a5a-835b-572d-ab17-ff52d3614a86" + id = "68d0e8ba-d4f2-5702-9393-c999e66a1a77" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6368-L6386" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f560e6f4a65eaac8db1d8accb0748de17048e66ccf989468e6350a3ec1d70dc8" + logic_hash = "v1_sha256_f560e6f4a65eaac8db1d8accb0748de17048e66ccf989468e6350a3ec1d70dc8" score = 75 quality = 90 tags = "INFO, FILE" @@ -41308,7 +41308,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ece6Cbf67Dc41635A5E5D075F286Af23 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "THRANE AGENTUR ApS" and (pe.signatures[i].serial=="00:ec:e6:cb:f6:7d:c4:16:35:a5:e5:d0:75:f2:86:af:23" or pe.signatures[i].serial=="ec:e6:cb:f6:7d:c4:16:35:a5:e5:d0:75:f2:86:af:23") and 1603369254<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "THRANE AGENTUR ApS" and ( pe.signatures [ i ] . serial == "00:ec:e6:cb:f6:7d:c4:16:35:a5:e5:d0:75:f2:86:af:23" or pe.signatures [ i ] . serial == "ec:e6:cb:f6:7d:c4:16:35:a5:e5:d0:75:f2:86:af:23" ) and 1603369254 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41317,13 +41317,13 @@ rule REVERSINGLABS_Cert_Blocklist_014A98D697B44F43Ded21F18Eb6Ad0Ba : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4fcd4e89-658c-593b-8f94-edd5df19da6e" + id = "08ee4154-90be-5f9b-95b9-98e85cf1e398" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6388-L6404" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9f1cc61b944974696113912bc1d1a0b45b9911fa4d6de382a48c0d22d2d20953" + logic_hash = "v1_sha256_9f1cc61b944974696113912bc1d1a0b45b9911fa4d6de382a48c0d22d2d20953" score = 75 quality = 90 tags = "INFO, FILE" @@ -41333,7 +41333,7 @@ rule REVERSINGLABS_Cert_Blocklist_014A98D697B44F43Ded21F18Eb6Ad0Ba : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Hillcoe Software Inc." and pe.signatures[i].serial=="01:4a:98:d6:97:b4:4f:43:de:d2:1f:18:eb:6a:d0:ba" and 1605364760<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Hillcoe Software Inc." and pe.signatures [ i ] . serial == "01:4a:98:d6:97:b4:4f:43:de:d2:1f:18:eb:6a:d0:ba" and 1605364760 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41342,13 +41342,13 @@ rule REVERSINGLABS_Cert_Blocklist_063A7D09107Eddd8Aa1F733634C6591B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0169cf47-72b0-53ec-bc8f-c2a80febad3a" + id = "73472fa3-59d5-5822-a861-7434e981f5ce" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6406-L6422" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "19f11e1d9ce95eb4bc75387a0118c230388a13cd07b02e00ea1d65cdcc0b2bd7" + logic_hash = "v1_sha256_19f11e1d9ce95eb4bc75387a0118c230388a13cd07b02e00ea1d65cdcc0b2bd7" score = 75 quality = 90 tags = "INFO, FILE" @@ -41358,7 +41358,7 @@ rule REVERSINGLABS_Cert_Blocklist_063A7D09107Eddd8Aa1F733634C6591B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Smart Line Logistics" and pe.signatures[i].serial=="06:3a:7d:09:10:7e:dd:d8:aa:1f:73:36:34:c6:59:1b" and 1605712706<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Smart Line Logistics" and pe.signatures [ i ] . serial == "06:3a:7d:09:10:7e:dd:d8:aa:1f:73:36:34:c6:59:1b" and 1605712706 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41367,13 +41367,13 @@ rule REVERSINGLABS_Cert_Blocklist_1E74Cfe7De8C5F57840A61034414Ca9F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d7fd0c3f-0292-5d27-b8e6-559b829440b4" + id = "0c266fed-d400-57c0-aaee-95ba0470af38" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6424-L6442" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d82220d908283f1707ec15882503b02cb8dc80095279a9e7d6cbdd113c25d8ae" + logic_hash = "v1_sha256_d82220d908283f1707ec15882503b02cb8dc80095279a9e7d6cbdd113c25d8ae" score = 75 quality = 90 tags = "INFO, FILE" @@ -41383,7 +41383,7 @@ rule REVERSINGLABS_Cert_Blocklist_1E74Cfe7De8C5F57840A61034414Ca9F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Insta Software Solution Inc." and (pe.signatures[i].serial=="00:1e:74:cf:e7:de:8c:5f:57:84:0a:61:03:44:14:ca:9f" or pe.signatures[i].serial=="1e:74:cf:e7:de:8c:5f:57:84:0a:61:03:44:14:ca:9f") and 1601733106<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Insta Software Solution Inc." and ( pe.signatures [ i ] . serial == "00:1e:74:cf:e7:de:8c:5f:57:84:0a:61:03:44:14:ca:9f" or pe.signatures [ i ] . serial == "1e:74:cf:e7:de:8c:5f:57:84:0a:61:03:44:14:ca:9f" ) and 1601733106 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41392,13 +41392,13 @@ rule REVERSINGLABS_Cert_Blocklist_75Cf729F8A740Bbdef183A1C4D86A02F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e96fdf57-3884-526e-a704-93e783c95241" + id = "f3bdebaa-8cb2-534a-b7f9-055bafd40d51" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6444-L6460" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "691fadaa653ecd29e60f2db39b7c5154d7c85f388f72eccd0a4b5fe42eaee0dd" + logic_hash = "v1_sha256_691fadaa653ecd29e60f2db39b7c5154d7c85f388f72eccd0a4b5fe42eaee0dd" score = 75 quality = 90 tags = "INFO, FILE" @@ -41408,7 +41408,7 @@ rule REVERSINGLABS_Cert_Blocklist_75Cf729F8A740Bbdef183A1C4D86A02F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Umbor LLC" and pe.signatures[i].serial=="75:cf:72:9f:8a:74:0b:bd:ef:18:3a:1c:4d:86:a0:2f" and 1604223894<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Umbor LLC" and pe.signatures [ i ] . serial == "75:cf:72:9f:8a:74:0b:bd:ef:18:3a:1c:4d:86:a0:2f" and 1604223894 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41417,13 +41417,13 @@ rule REVERSINGLABS_Cert_Blocklist_2F64677254D3844Efdac2922123D05D1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "de9ef02d-a723-5013-9f91-e394edc23855" + id = "00110f99-1e0e-5321-b93a-e13633036387" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6462-L6478" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f9f1f629e03563ece0fe5186b199e2f030dce7f58fb259de1aeb7387c76fa902" + logic_hash = "v1_sha256_f9f1f629e03563ece0fe5186b199e2f030dce7f58fb259de1aeb7387c76fa902" score = 75 quality = 90 tags = "INFO, FILE" @@ -41433,7 +41433,7 @@ rule REVERSINGLABS_Cert_Blocklist_2F64677254D3844Efdac2922123D05D1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ORGANICUP ApS" and pe.signatures[i].serial=="2f:64:67:72:54:d3:84:4e:fd:ac:29:22:12:3d:05:d1" and 1605640092<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ORGANICUP ApS" and pe.signatures [ i ] . serial == "2f:64:67:72:54:d3:84:4e:fd:ac:29:22:12:3d:05:d1" and 1605640092 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41442,13 +41442,13 @@ rule REVERSINGLABS_Cert_Blocklist_32Fbf8Cfa43Dca3F85Efabe96Dfefa49 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "22bd8590-7a95-564c-ad77-fb20569de51d" + id = "b2b8d763-5834-547f-ad84-a068f9e30f1b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6480-L6496" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "73d80e6a0dc2316524a55a9627792b9b4488d238ef529f1767de182956b0865e" + logic_hash = "v1_sha256_73d80e6a0dc2316524a55a9627792b9b4488d238ef529f1767de182956b0865e" score = 75 quality = 90 tags = "INFO, FILE" @@ -41458,7 +41458,7 @@ rule REVERSINGLABS_Cert_Blocklist_32Fbf8Cfa43Dca3F85Efabe96Dfefa49 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Foxstyle LLC" and pe.signatures[i].serial=="32:fb:f8:cf:a4:3d:ca:3f:85:ef:ab:e9:6d:fe:fa:49" and 1598255906<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Foxstyle LLC" and pe.signatures [ i ] . serial == "32:fb:f8:cf:a4:3d:ca:3f:85:ef:ab:e9:6d:fe:fa:49" and 1598255906 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41467,13 +41467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ef9D0Cf071D463Cd63D13083046A7B8D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8751f71b-0ebb-5820-927c-684a5ae5ee7b" + id = "450aa178-3e80-58ee-9680-2b7915092e4f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6498-L6516" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2923979811504f78a79a2480600285a2697845e51870a44ed231a81e79807121" + logic_hash = "v1_sha256_2923979811504f78a79a2480600285a2697845e51870a44ed231a81e79807121" score = 75 quality = 90 tags = "INFO, FILE" @@ -41483,7 +41483,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ef9D0Cf071D463Cd63D13083046A7B8D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rubin LLC" and (pe.signatures[i].serial=="00:ef:9d:0c:f0:71:d4:63:cd:63:d1:30:83:04:6a:7b:8d" or pe.signatures[i].serial=="ef:9d:0c:f0:71:d4:63:cd:63:d1:30:83:04:6a:7b:8d") and 1605358307<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rubin LLC" and ( pe.signatures [ i ] . serial == "00:ef:9d:0c:f0:71:d4:63:cd:63:d1:30:83:04:6a:7b:8d" or pe.signatures [ i ] . serial == "ef:9d:0c:f0:71:d4:63:cd:63:d1:30:83:04:6a:7b:8d" ) and 1605358307 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41492,13 +41492,13 @@ rule REVERSINGLABS_Cert_Blocklist_115Cf1353A0E33E19099A4867A4C750A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c2564461-6731-5d7b-8dbb-560929b568d0" + id = "3dab0eed-8672-5a8a-8ee3-4da89572b508" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6518-L6536" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2a3353c655531b113dc019a86288310881e3bbcb6c03670a805f22b185e09e6c" + logic_hash = "v1_sha256_2a3353c655531b113dc019a86288310881e3bbcb6c03670a805f22b185e09e6c" score = 75 quality = 90 tags = "INFO, FILE" @@ -41508,7 +41508,7 @@ rule REVERSINGLABS_Cert_Blocklist_115Cf1353A0E33E19099A4867A4C750A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "212 NY Gifts, Inc." and (pe.signatures[i].serial=="00:11:5c:f1:35:3a:0e:33:e1:90:99:a4:86:7a:4c:75:0a" or pe.signatures[i].serial=="11:5c:f1:35:3a:0e:33:e1:90:99:a4:86:7a:4c:75:0a") and 1605515909<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "212 NY Gifts, Inc." and ( pe.signatures [ i ] . serial == "00:11:5c:f1:35:3a:0e:33:e1:90:99:a4:86:7a:4c:75:0a" or pe.signatures [ i ] . serial == "11:5c:f1:35:3a:0e:33:e1:90:99:a4:86:7a:4c:75:0a" ) and 1605515909 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41517,13 +41517,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Cf3778Bb11115A884E192A7Cb807599 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cd643ad5-254a-5c53-a6f2-b263ff539cd3" + id = "df43930a-ff33-59ba-a912-691f26637be9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6538-L6556" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4242ef4a30bb09463ec5a6df9367915788a2aa782df6c463bcf966d2aad63c1d" + logic_hash = "v1_sha256_4242ef4a30bb09463ec5a6df9367915788a2aa782df6c463bcf966d2aad63c1d" score = 75 quality = 90 tags = "INFO, FILE" @@ -41533,7 +41533,7 @@ rule REVERSINGLABS_Cert_Blocklist_5Cf3778Bb11115A884E192A7Cb807599 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SLOMATIC d.o.o." and (pe.signatures[i].serial=="00:5c:f3:77:8b:b1:11:15:a8:84:e1:92:a7:cb:80:75:99" or pe.signatures[i].serial=="5c:f3:77:8b:b1:11:15:a8:84:e1:92:a7:cb:80:75:99") and 1605006199<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SLOMATIC d.o.o." and ( pe.signatures [ i ] . serial == "00:5c:f3:77:8b:b1:11:15:a8:84:e1:92:a7:cb:80:75:99" or pe.signatures [ i ] . serial == "5c:f3:77:8b:b1:11:15:a8:84:e1:92:a7:cb:80:75:99" ) and 1605006199 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41542,13 +41542,13 @@ rule REVERSINGLABS_Cert_Blocklist_82Cb93593B658100Cdd7A00C874287F2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "85df653a-a4a3-5d0e-86f4-cad0249cd3d3" + id = "1999de58-2fe1-5c7e-a126-09aa5dac4285" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6558-L6576" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c77881e0365c9fc398097d0b6e077330a5f0fcbb53279bfde96b3c01df914c55" + logic_hash = "v1_sha256_c77881e0365c9fc398097d0b6e077330a5f0fcbb53279bfde96b3c01df914c55" score = 75 quality = 90 tags = "INFO, FILE" @@ -41558,7 +41558,7 @@ rule REVERSINGLABS_Cert_Blocklist_82Cb93593B658100Cdd7A00C874287F2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Sportsonline24 B.V." and (pe.signatures[i].serial=="00:82:cb:93:59:3b:65:81:00:cd:d7:a0:0c:87:42:87:f2" or pe.signatures[i].serial=="82:cb:93:59:3b:65:81:00:cd:d7:a0:0c:87:42:87:f2") and 1605117874<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Sportsonline24 B.V." and ( pe.signatures [ i ] . serial == "00:82:cb:93:59:3b:65:81:00:cd:d7:a0:0c:87:42:87:f2" or pe.signatures [ i ] . serial == "82:cb:93:59:3b:65:81:00:cd:d7:a0:0c:87:42:87:f2" ) and 1605117874 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41567,13 +41567,13 @@ rule REVERSINGLABS_Cert_Blocklist_9A8Bcfd05F86B15D0C99F50Cf414Bd00 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4446aead-9505-545a-8d3a-6ad844d348d3" + id = "b3722fe3-978b-58ca-b339-4714f8c95eb2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6578-L6596" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "803d70dddeff51b753b577ea196b12570847c6875ae676a2d12cf1ca9323be34" + logic_hash = "v1_sha256_803d70dddeff51b753b577ea196b12570847c6875ae676a2d12cf1ca9323be34" score = 75 quality = 90 tags = "INFO, FILE" @@ -41583,7 +41583,7 @@ rule REVERSINGLABS_Cert_Blocklist_9A8Bcfd05F86B15D0C99F50Cf414Bd00 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AI Software a.s." and (pe.signatures[i].serial=="00:9a:8b:cf:d0:5f:86:b1:5d:0c:99:f5:0c:f4:14:bd:00" or pe.signatures[i].serial=="9a:8b:cf:d0:5f:86:b1:5d:0c:99:f5:0c:f4:14:bd:00") and 1592442000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AI Software a.s." and ( pe.signatures [ i ] . serial == "00:9a:8b:cf:d0:5f:86:b1:5d:0c:99:f5:0c:f4:14:bd:00" or pe.signatures [ i ] . serial == "9a:8b:cf:d0:5f:86:b1:5d:0c:99:f5:0c:f4:14:bd:00" ) and 1592442000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41592,13 +41592,13 @@ rule REVERSINGLABS_Cert_Blocklist_95E5793F2Abe0B4Ec9Be54Fd24F76Ae5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6b992971-6a1f-53e3-8651-f25a6b761c41" + id = "9359d701-b0c2-5595-ab91-76e0b5611619" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6598-L6616" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bd198665ae952e11c91adc329908e3cd55a55365875200cd81d2f71fd092f1fe" + logic_hash = "v1_sha256_bd198665ae952e11c91adc329908e3cd55a55365875200cd81d2f71fd092f1fe" score = 75 quality = 90 tags = "INFO, FILE" @@ -41608,7 +41608,7 @@ rule REVERSINGLABS_Cert_Blocklist_95E5793F2Abe0B4Ec9Be54Fd24F76Ae5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kommservice LLC" and (pe.signatures[i].serial=="00:95:e5:79:3f:2a:be:0b:4e:c9:be:54:fd:24:f7:6a:e5" or pe.signatures[i].serial=="95:e5:79:3f:2a:be:0b:4e:c9:be:54:fd:24:f7:6a:e5") and 1604933746<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kommservice LLC" and ( pe.signatures [ i ] . serial == "00:95:e5:79:3f:2a:be:0b:4e:c9:be:54:fd:24:f7:6a:e5" or pe.signatures [ i ] . serial == "95:e5:79:3f:2a:be:0b:4e:c9:be:54:fd:24:f7:6a:e5" ) and 1604933746 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41617,13 +41617,13 @@ rule REVERSINGLABS_Cert_Blocklist_133565779808C3B79D8E3F70A9C3Ffac : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bc3f54a6-723d-5de5-9a59-2be8a005cedc" + id = "d46ef07a-26fd-563c-8fb8-b8e0af962358" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6618-L6634" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b9fb2e3cc150b0278e67c673f7c01174c30b2cc4458c9c5e573661071795b793" + logic_hash = "v1_sha256_b9fb2e3cc150b0278e67c673f7c01174c30b2cc4458c9c5e573661071795b793" score = 75 quality = 90 tags = "INFO, FILE" @@ -41633,7 +41633,7 @@ rule REVERSINGLABS_Cert_Blocklist_133565779808C3B79D8E3F70A9C3Ffac : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Istok" and pe.signatures[i].serial=="13:35:65:77:98:08:c3:b7:9d:8e:3f:70:a9:c3:ff:ac" and 1605019819<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Istok" and pe.signatures [ i ] . serial == "13:35:65:77:98:08:c3:b7:9d:8e:3f:70:a9:c3:ff:ac" and 1605019819 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41642,13 +41642,13 @@ rule REVERSINGLABS_Cert_Blocklist_7E0Ccda0Ef37Acef6C2Ebe4538627E5C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4668ceb3-8bf2-5be4-9a1a-d0d902c35cf0" + id = "332c96a9-61e2-5659-9800-279181ac7d29" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6636-L6654" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f13f9b70a2a3187522e4fff45a8a425863ad6242f82592aa9319c8d5fddeeefa" + logic_hash = "v1_sha256_f13f9b70a2a3187522e4fff45a8a425863ad6242f82592aa9319c8d5fddeeefa" score = 75 quality = 90 tags = "INFO, FILE" @@ -41658,7 +41658,7 @@ rule REVERSINGLABS_Cert_Blocklist_7E0Ccda0Ef37Acef6C2Ebe4538627E5C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Orangetree B.V." and (pe.signatures[i].serial=="00:7e:0c:cd:a0:ef:37:ac:ef:6c:2e:be:45:38:62:7e:5c" or pe.signatures[i].serial=="7e:0c:cd:a0:ef:37:ac:ef:6c:2e:be:45:38:62:7e:5c") and 1606159604<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Orangetree B.V." and ( pe.signatures [ i ] . serial == "00:7e:0c:cd:a0:ef:37:ac:ef:6c:2e:be:45:38:62:7e:5c" or pe.signatures [ i ] . serial == "7e:0c:cd:a0:ef:37:ac:ef:6c:2e:be:45:38:62:7e:5c" ) and 1606159604 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41667,13 +41667,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bad35Fd70025D46C56B89E32B1A3954C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "871e399f-8498-5d66-ab5e-24e48491124f" + id = "2b24603c-89a1-551f-b2b8-d739d3479fc1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6656-L6674" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1020250fc5030e50bc1e7d0f0c5a77e462a53f47bfcc4383c682b34fed567492" + logic_hash = "v1_sha256_1020250fc5030e50bc1e7d0f0c5a77e462a53f47bfcc4383c682b34fed567492" score = 75 quality = 90 tags = "INFO, FILE" @@ -41683,7 +41683,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bad35Fd70025D46C56B89E32B1A3954C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Fort LLC" and (pe.signatures[i].serial=="00:ba:d3:5f:d7:00:25:d4:6c:56:b8:9e:32:b1:a3:95:4c" or pe.signatures[i].serial=="ba:d3:5f:d7:00:25:d4:6c:56:b8:9e:32:b1:a3:95:4c") and 1604937337<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Fort LLC" and ( pe.signatures [ i ] . serial == "00:ba:d3:5f:d7:00:25:d4:6c:56:b8:9e:32:b1:a3:95:4c" or pe.signatures [ i ] . serial == "ba:d3:5f:d7:00:25:d4:6c:56:b8:9e:32:b1:a3:95:4c" ) and 1604937337 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41692,13 +41692,13 @@ rule REVERSINGLABS_Cert_Blocklist_7B91468122273Aa32B7Cfc80C331Ea13 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2a949015-3b7b-5123-8df1-f2199ef636c9" + id = "7e57e4f4-8fe8-5504-8603-e2937c7407f5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6676-L6692" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "49d6fd8b325df4bc688275a09cee35e1040172eb6f3680aa2b6f0f3640c0782e" + logic_hash = "v1_sha256_49d6fd8b325df4bc688275a09cee35e1040172eb6f3680aa2b6f0f3640c0782e" score = 75 quality = 90 tags = "INFO, FILE" @@ -41708,7 +41708,7 @@ rule REVERSINGLABS_Cert_Blocklist_7B91468122273Aa32B7Cfc80C331Ea13 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO KBI" and pe.signatures[i].serial=="7b:91:46:81:22:27:3a:a3:2b:7c:fc:80:c3:31:ea:13" and 1586942863<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO KBI" and pe.signatures [ i ] . serial == "7b:91:46:81:22:27:3a:a3:2b:7c:fc:80:c3:31:ea:13" and 1586942863 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41717,13 +41717,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E267B5D14Cdf1F645C1Ec545Cec3Aee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "adff6ae2-076c-5c97-9fea-f95d770a3821" + id = "e3f62fc2-6097-5583-9812-e8f6b2199685" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6694-L6710" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e36ae57d715a71aa7d26dd003d647dfa7ab16d64e5411b6c49831544fc482645" + logic_hash = "v1_sha256_e36ae57d715a71aa7d26dd003d647dfa7ab16d64e5411b6c49831544fc482645" score = 75 quality = 90 tags = "INFO, FILE" @@ -41733,7 +41733,7 @@ rule REVERSINGLABS_Cert_Blocklist_3E267B5D14Cdf1F645C1Ec545Cec3Aee : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO KBI" and pe.signatures[i].serial=="3e:26:7b:5d:14:cd:f1:f6:45:c1:ec:54:5c:ec:3a:ee" and 1579825892<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO KBI" and pe.signatures [ i ] . serial == "3e:26:7b:5d:14:cd:f1:f6:45:c1:ec:54:5c:ec:3a:ee" and 1579825892 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41742,13 +41742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ae6D3C0269Ef6497E14379C51A8507Ba : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5b8e7730-cb8b-5c51-9784-d944453bc898" + id = "da66796a-51d0-50d8-bcb3-a9933004ea3c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6712-L6730" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "23570962c80bddce28a3dee9d4d864cf3cf64018eec6fbcbdd3ca2658c9f660f" + logic_hash = "v1_sha256_23570962c80bddce28a3dee9d4d864cf3cf64018eec6fbcbdd3ca2658c9f660f" score = 75 quality = 90 tags = "INFO, FILE" @@ -41758,7 +41758,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ae6D3C0269Ef6497E14379C51A8507Ba : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VELES PROPERTIES LIMITED" and (pe.signatures[i].serial=="00:ae:6d:3c:02:69:ef:64:97:e1:43:79:c5:1a:85:07:ba" or pe.signatures[i].serial=="ae:6d:3c:02:69:ef:64:97:e1:43:79:c5:1a:85:07:ba") and 1578566034<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VELES PROPERTIES LIMITED" and ( pe.signatures [ i ] . serial == "00:ae:6d:3c:02:69:ef:64:97:e1:43:79:c5:1a:85:07:ba" or pe.signatures [ i ] . serial == "ae:6d:3c:02:69:ef:64:97:e1:43:79:c5:1a:85:07:ba" ) and 1578566034 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41767,13 +41767,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fd8C468Cc1B45C9Cfb41Cbd8C835Cc9E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f0050a52-65d5-54b2-b06d-08812af98948" + id = "caf6d703-96b7-5a2f-ae8e-f2383b25d893" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6732-L6750" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "230d33f0d1d31d4cb76bf3b13f109d3cc9ace846daef145e1dc7666b33c8a42a" + logic_hash = "v1_sha256_230d33f0d1d31d4cb76bf3b13f109d3cc9ace846daef145e1dc7666b33c8a42a" score = 75 quality = 90 tags = "INFO, FILE" @@ -41783,7 +41783,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fd8C468Cc1B45C9Cfb41Cbd8C835Cc9E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Pivo ZLoun s.r.o." and (pe.signatures[i].serial=="00:fd:8c:46:8c:c1:b4:5c:9c:fb:41:cb:d8:c8:35:cc:9e" or pe.signatures[i].serial=="fd:8c:46:8c:c1:b4:5c:9c:fb:41:cb:d8:c8:35:cc:9e") and 1604019600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Pivo ZLoun s.r.o." and ( pe.signatures [ i ] . serial == "00:fd:8c:46:8c:c1:b4:5c:9c:fb:41:cb:d8:c8:35:cc:9e" or pe.signatures [ i ] . serial == "fd:8c:46:8c:c1:b4:5c:9c:fb:41:cb:d8:c8:35:cc:9e" ) and 1604019600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41792,13 +41792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7C061Baa3118327255161F6A7Fa4E21D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f597956a-d11b-54e4-91b6-0572c0b10279" + id = "5d276cfb-42b6-5b29-b34c-8f1069e1ba40" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6752-L6770" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4193fce69af03b3521a3cc442b762c52f8585b44fa6b0bd78b9ace171b807ed4" + logic_hash = "v1_sha256_4193fce69af03b3521a3cc442b762c52f8585b44fa6b0bd78b9ace171b807ed4" score = 75 quality = 90 tags = "INFO, FILE" @@ -41808,7 +41808,7 @@ rule REVERSINGLABS_Cert_Blocklist_7C061Baa3118327255161F6A7Fa4E21D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "YUTAKS, OOO" and (pe.signatures[i].serial=="00:7c:06:1b:aa:31:18:32:72:55:16:1f:6a:7f:a4:e2:1d" or pe.signatures[i].serial=="7c:06:1b:aa:31:18:32:72:55:16:1f:6a:7f:a4:e2:1d") and 1599611338<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "YUTAKS, OOO" and ( pe.signatures [ i ] . serial == "00:7c:06:1b:aa:31:18:32:72:55:16:1f:6a:7f:a4:e2:1d" or pe.signatures [ i ] . serial == "7c:06:1b:aa:31:18:32:72:55:16:1f:6a:7f:a4:e2:1d" ) and 1599611338 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41817,13 +41817,13 @@ rule REVERSINGLABS_Cert_Blocklist_04332C16724Ffeda5868D22Af56Aea43 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1e5a2708-2875-50ab-af6b-3be91f38e13f" + id = "ec2f13ef-a438-5190-9bd8-b194f42a9107" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6772-L6788" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6b62d5c7a3c6e3096797cd2f515d86045fa77682638bda44175d05c5b6c5bbc0" + logic_hash = "v1_sha256_6b62d5c7a3c6e3096797cd2f515d86045fa77682638bda44175d05c5b6c5bbc0" score = 75 quality = 90 tags = "INFO, FILE" @@ -41833,7 +41833,7 @@ rule REVERSINGLABS_Cert_Blocklist_04332C16724Ffeda5868D22Af56Aea43 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Bespoke Software Solutions Limited" and pe.signatures[i].serial=="04:33:2c:16:72:4f:fe:da:58:68:d2:2a:f5:6a:ea:43" and 1597971601<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Bespoke Software Solutions Limited" and pe.signatures [ i ] . serial == "04:33:2c:16:72:4f:fe:da:58:68:d2:2a:f5:6a:ea:43" and 1597971601 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41842,13 +41842,13 @@ rule REVERSINGLABS_Cert_Blocklist_030012F134E64347669F3256C7D050C5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1e61a781-d5fb-5f05-81c4-3cc697ece13c" + id = "6d973548-cab8-5c36-b2a0-5323663a2826" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6790-L6806" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1a55856bfa4c632b2b0404686dc7ba5e7238b619dd4d2eb68c3d291bc86e52c4" + logic_hash = "v1_sha256_1a55856bfa4c632b2b0404686dc7ba5e7238b619dd4d2eb68c3d291bc86e52c4" score = 75 quality = 90 tags = "INFO, FILE" @@ -41858,7 +41858,7 @@ rule REVERSINGLABS_Cert_Blocklist_030012F134E64347669F3256C7D050C5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Futumarket LLC" and pe.signatures[i].serial=="03:00:12:f1:34:e6:43:47:66:9f:32:56:c7:d0:50:c5" and 1604036657<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Futumarket LLC" and pe.signatures [ i ] . serial == "03:00:12:f1:34:e6:43:47:66:9f:32:56:c7:d0:50:c5" and 1604036657 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41867,13 +41867,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fa3Dcac19B884B44Ef4F81541184D6B0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "574ee0d4-ba7c-5c74-b711-222f92196f4a" + id = "b5efea26-c8b2-5273-b9c2-59451c9153e9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6808-L6826" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "324de84cb8c2f5402c9326749e3456e11312828df2523954fd84f7fb3298fdf3" + logic_hash = "v1_sha256_324de84cb8c2f5402c9326749e3456e11312828df2523954fd84f7fb3298fdf3" score = 75 quality = 90 tags = "INFO, FILE" @@ -41883,7 +41883,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fa3Dcac19B884B44Ef4F81541184D6B0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Unicom Ltd" and (pe.signatures[i].serial=="00:fa:3d:ca:c1:9b:88:4b:44:ef:4f:81:54:11:84:d6:b0" or pe.signatures[i].serial=="fa:3d:ca:c1:9b:88:4b:44:ef:4f:81:54:11:84:d6:b0") and 1603958571<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Unicom Ltd" and ( pe.signatures [ i ] . serial == "00:fa:3d:ca:c1:9b:88:4b:44:ef:4f:81:54:11:84:d6:b0" or pe.signatures [ i ] . serial == "fa:3d:ca:c1:9b:88:4b:44:ef:4f:81:54:11:84:d6:b0" ) and 1603958571 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41892,13 +41892,13 @@ rule REVERSINGLABS_Cert_Blocklist_0E6F4Cb8B06E01C3Bd296Ace3A95F814 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7a829a63-eeb4-50ef-829d-fc13572c1148" + id = "df6abd9b-ca8b-54bc-8749-5979618dd991" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6828-L6844" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f3184a9d1fe2a1cf2dcc04d26c284aa9a651d2f00aa28642d7f951550a050138" + logic_hash = "v1_sha256_f3184a9d1fe2a1cf2dcc04d26c284aa9a651d2f00aa28642d7f951550a050138" score = 75 quality = 90 tags = "INFO, FILE" @@ -41908,7 +41908,7 @@ rule REVERSINGLABS_Cert_Blocklist_0E6F4Cb8B06E01C3Bd296Ace3A95F814 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "EVATON, s.r.o." and pe.signatures[i].serial=="0e:6f:4c:b8:b0:6e:01:c3:bd:29:6a:ce:3a:95:f8:14" and 1603957781<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "EVATON, s.r.o." and pe.signatures [ i ] . serial == "0e:6f:4c:b8:b0:6e:01:c3:bd:29:6a:ce:3a:95:f8:14" and 1603957781 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41917,13 +41917,13 @@ rule REVERSINGLABS_Cert_Blocklist_085B70224253486624Fc36Fa658A1E32 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7d27604e-4ecd-559c-9180-4914e7f1f6c9" + id = "0a6afccd-bfaa-554b-9eaa-78da192fb6ee" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6846-L6862" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "50ff48a421a109f8c6bf92032691d9b673945bc591005004ff17dc18c97d4aea" + logic_hash = "v1_sha256_50ff48a421a109f8c6bf92032691d9b673945bc591005004ff17dc18c97d4aea" score = 75 quality = 90 tags = "INFO, FILE" @@ -41933,7 +41933,7 @@ rule REVERSINGLABS_Cert_Blocklist_085B70224253486624Fc36Fa658A1E32 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Best Fud, OOO" and pe.signatures[i].serial=="08:5b:70:22:42:53:48:66:24:fc:36:fa:65:8a:1e:32" and 1597971601<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Best Fud, OOO" and pe.signatures [ i ] . serial == "08:5b:70:22:42:53:48:66:24:fc:36:fa:65:8a:1e:32" and 1597971601 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41942,13 +41942,13 @@ rule REVERSINGLABS_Cert_Blocklist_51Cd5393514F7Ace2B407C3Dbfb09D8D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ac86893f-2edd-5f1c-96eb-4cb140e8e001" + id = "0c0f003d-cd67-5de7-961b-a9be194cf9a1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6864-L6880" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4cd08b9113a7c1f4f2d438ac59ad0be503daded3a08b8c8e8ce3e0dfdddf259e" + logic_hash = "v1_sha256_4cd08b9113a7c1f4f2d438ac59ad0be503daded3a08b8c8e8ce3e0dfdddf259e" score = 75 quality = 90 tags = "INFO, FILE" @@ -41958,7 +41958,7 @@ rule REVERSINGLABS_Cert_Blocklist_51Cd5393514F7Ace2B407C3Dbfb09D8D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "APPI CZ a.s" and pe.signatures[i].serial=="51:cd:53:93:51:4f:7a:ce:2b:40:7c:3d:bf:b0:9d:8d" and 1605299467<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "APPI CZ a.s" and pe.signatures [ i ] . serial == "51:cd:53:93:51:4f:7a:ce:2b:40:7c:3d:bf:b0:9d:8d" and 1605299467 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41967,13 +41967,13 @@ rule REVERSINGLABS_Cert_Blocklist_B72179C027B9037Ee220E81Ab18Fe56D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "85639e74-80b0-59c6-b31b-5b3d9587b37a" + id = "2af1644b-568a-5107-97e7-c3c3d025766a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6882-L6900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1416768011ff824307d112bdeecce1ad50d1f673e92bef8fddbbeb58ff98b1b1" + logic_hash = "v1_sha256_1416768011ff824307d112bdeecce1ad50d1f673e92bef8fddbbeb58ff98b1b1" score = 75 quality = 90 tags = "INFO, FILE" @@ -41983,7 +41983,7 @@ rule REVERSINGLABS_Cert_Blocklist_B72179C027B9037Ee220E81Ab18Fe56D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Planeta, TOV" and (pe.signatures[i].serial=="00:b7:21:79:c0:27:b9:03:7e:e2:20:e8:1a:b1:8f:e5:6d" or pe.signatures[i].serial=="b7:21:79:c0:27:b9:03:7e:e2:20:e8:1a:b1:8f:e5:6d") and 1603381300<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Planeta, TOV" and ( pe.signatures [ i ] . serial == "00:b7:21:79:c0:27:b9:03:7e:e2:20:e8:1a:b1:8f:e5:6d" or pe.signatures [ i ] . serial == "b7:21:79:c0:27:b9:03:7e:e2:20:e8:1a:b1:8f:e5:6d" ) and 1603381300 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -41992,13 +41992,13 @@ rule REVERSINGLABS_Cert_Blocklist_07B74C70C4Aa092648B7F0D1A8A3A28F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f941b7d6-f168-57aa-881a-54679a2b948c" + id = "2601f8bb-e6bf-5671-93c5-231e84031109" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6902-L6918" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "97759fa2e519936115f0493e251f9abc0cce3ada437776a5a370388512235491" + logic_hash = "v1_sha256_97759fa2e519936115f0493e251f9abc0cce3ada437776a5a370388512235491" score = 75 quality = 90 tags = "INFO, FILE" @@ -42008,7 +42008,7 @@ rule REVERSINGLABS_Cert_Blocklist_07B74C70C4Aa092648B7F0D1A8A3A28F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rad-Grad D.O.O." and pe.signatures[i].serial=="07:b7:4c:70:c4:aa:09:26:48:b7:f0:d1:a8:a3:a2:8f" and 1603240965<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rad-Grad D.O.O." and pe.signatures [ i ] . serial == "07:b7:4c:70:c4:aa:09:26:48:b7:f0:d1:a8:a3:a2:8f" and 1603240965 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42017,13 +42017,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C8Def294478B7D59Ee95C61Fae3D965 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "549249df-690c-5b75-ac1a-77b509c9e163" + id = "8efb6f0e-2465-5ec6-b76e-6ce2d8e17477" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6920-L6936" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3b7b10afa5f0212bd494ba8fe32bef18f2bbd77c8ab2ad498b9557a0575cc177" + logic_hash = "v1_sha256_3b7b10afa5f0212bd494ba8fe32bef18f2bbd77c8ab2ad498b9557a0575cc177" score = 75 quality = 90 tags = "INFO, FILE" @@ -42033,7 +42033,7 @@ rule REVERSINGLABS_Cert_Blocklist_4C8Def294478B7D59Ee95C61Fae3D965 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DREAM SECURITY USA INC" and pe.signatures[i].serial=="4c:8d:ef:29:44:78:b7:d5:9e:e9:5c:61:fa:e3:d9:65" and 1592961292<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DREAM SECURITY USA INC" and pe.signatures [ i ] . serial == "4c:8d:ef:29:44:78:b7:d5:9e:e9:5c:61:fa:e3:d9:65" and 1592961292 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42042,13 +42042,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D36Cbb64Bc9Add17Ba71737D3Ecceca : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ce10840c-150d-5ecd-ab9a-7bc96092ebfd" + id = "8f00c4b7-856d-562f-9729-75006a919a18" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6938-L6954" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5874860582ed5be6908dca38e6ecae831eeeb0c2b768e8065ada9fd5ac2bda89" + logic_hash = "v1_sha256_5874860582ed5be6908dca38e6ecae831eeeb0c2b768e8065ada9fd5ac2bda89" score = 75 quality = 90 tags = "INFO, FILE" @@ -42058,7 +42058,7 @@ rule REVERSINGLABS_Cert_Blocklist_7D36Cbb64Bc9Add17Ba71737D3Ecceca : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LTD SERVICES LIMITED" and pe.signatures[i].serial=="7d:36:cb:b6:4b:c9:ad:d1:7b:a7:17:37:d3:ec:ce:ca" and 1616025600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LTD SERVICES LIMITED" and pe.signatures [ i ] . serial == "7d:36:cb:b6:4b:c9:ad:d1:7b:a7:17:37:d3:ec:ce:ca" and 1616025600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42067,13 +42067,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ad255D4Ebefa751F3782587396C08629 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e42d2881-efda-5aa0-b455-dabbd3a77e97" + id = "e5d743e6-c7a3-5c5b-a6cf-33bf6f0ce105" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6956-L6974" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "43f44cbedf37094416628c9df23767be3b036519f93222812597777a146ecb24" + logic_hash = "v1_sha256_43f44cbedf37094416628c9df23767be3b036519f93222812597777a146ecb24" score = 75 quality = 90 tags = "INFO, FILE" @@ -42083,7 +42083,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ad255D4Ebefa751F3782587396C08629 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Ornitek" and (pe.signatures[i].serial=="00:ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29" or pe.signatures[i].serial=="ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29") and 1614643200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Ornitek" and ( pe.signatures [ i ] . serial == "00:ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29" or pe.signatures [ i ] . serial == "ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29" ) and 1614643200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42092,13 +42092,13 @@ rule REVERSINGLABS_Cert_Blocklist_262Ca7Ae19D688138E75932832B18F9D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7151fd62-7f6c-59d7-800b-65e5b4db279b" + id = "6de10413-2adc-5eb8-a5fe-acb05a26e25b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6976-L6992" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a5bb946c6199cd47a087ac26f0a996261318d1830191ea7c0e7797ff03984558" + logic_hash = "v1_sha256_a5bb946c6199cd47a087ac26f0a996261318d1830191ea7c0e7797ff03984558" score = 75 quality = 90 tags = "INFO, FILE" @@ -42108,7 +42108,7 @@ rule REVERSINGLABS_Cert_Blocklist_262Ca7Ae19D688138E75932832B18F9D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Bisoyetutu Ltd Ltd" and pe.signatures[i].serial=="26:2c:a7:ae:19:d6:88:13:8e:75:93:28:32:b1:8f:9d" and 1616025600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Bisoyetutu Ltd Ltd" and pe.signatures [ i ] . serial == "26:2c:a7:ae:19:d6:88:13:8e:75:93:28:32:b1:8f:9d" and 1616025600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42117,13 +42117,13 @@ rule REVERSINGLABS_Cert_Blocklist_59A57E8Ba3Dcf2B6F59981Fda14B03 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "12c80895-57fd-5341-b3ef-d59c25d4c234" + id = "0fc1fb74-a611-507a-a17a-c01e7c84fd83" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6994-L7010" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6e77c7d0bd7e5e9bc8880cc6ffc3f5f4f738e3dde22c270ad7a6f6672a99de53" + logic_hash = "v1_sha256_6e77c7d0bd7e5e9bc8880cc6ffc3f5f4f738e3dde22c270ad7a6f6672a99de53" score = 75 quality = 90 tags = "INFO, FILE" @@ -42133,7 +42133,7 @@ rule REVERSINGLABS_Cert_Blocklist_59A57E8Ba3Dcf2B6F59981Fda14B03 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Medium LLC" and pe.signatures[i].serial=="59:a5:7e:8b:a3:dc:f2:b6:f5:99:81:fd:a1:4b:03" and 1609113600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Medium LLC" and pe.signatures [ i ] . serial == "59:a5:7e:8b:a3:dc:f2:b6:f5:99:81:fd:a1:4b:03" and 1609113600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42142,13 +42142,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aebe117A13B8Bca21685Df48C74F584D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ec525737-9770-585e-922a-43f14e0a4a37" + id = "23642318-b818-541d-ac1c-14ec4f2cbaf5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7012-L7030" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e7fbc1f32adec39c94dc046933e152cd6d3946da4a168306484b7b6bc7f26fb6" + logic_hash = "v1_sha256_e7fbc1f32adec39c94dc046933e152cd6d3946da4a168306484b7b6bc7f26fb6" score = 75 quality = 90 tags = "INFO, FILE" @@ -42158,7 +42158,7 @@ rule REVERSINGLABS_Cert_Blocklist_Aebe117A13B8Bca21685Df48C74F584D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "NANAX d.o.o." and (pe.signatures[i].serial=="00:ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d" or pe.signatures[i].serial=="ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d") and 1613520000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "NANAX d.o.o." and ( pe.signatures [ i ] . serial == "00:ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d" or pe.signatures [ i ] . serial == "ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d" ) and 1613520000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42167,13 +42167,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Dcd19A94535F034Ee36Af4676740633 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c09778b6-17c9-5b24-8977-1bd998083c23" + id = "071c2510-f192-5641-996e-ad37b46b1e05" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7032-L7048" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7079d4f1973ad4de21e1f88282c94b11c4d63f8bad12b35ef76a481e154d9da3" + logic_hash = "v1_sha256_7079d4f1973ad4de21e1f88282c94b11c4d63f8bad12b35ef76a481e154d9da3" score = 75 quality = 90 tags = "INFO, FILE" @@ -42183,7 +42183,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Dcd19A94535F034Ee36Af4676740633 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Toko Saya ApS" and pe.signatures[i].serial=="7d:cd:19:a9:45:35:f0:34:ee:36:af:46:76:74:06:33" and 1609200000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Toko Saya ApS" and pe.signatures [ i ] . serial == "7d:cd:19:a9:45:35:f0:34:ee:36:af:46:76:74:06:33" and 1609200000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42192,13 +42192,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ca4822E6905Aa4Fca9E28523F04F14A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "004454a0-20f9-58f5-8c24-8097f7586c5b" + id = "ec232099-a3ae-51e0-8f89-05b89abfc76f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7050-L7068" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9633f3494e9ece3a698d47c5ba2b7ee7f82cee4be36ac418c969c36285c4963c" + logic_hash = "v1_sha256_9633f3494e9ece3a698d47c5ba2b7ee7f82cee4be36ac418c969c36285c4963c" score = 75 quality = 90 tags = "INFO, FILE" @@ -42208,7 +42208,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ca4822E6905Aa4Fca9E28523F04F14A3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ELISTREID, OOO" and (pe.signatures[i].serial=="00:ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3" or pe.signatures[i].serial=="ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3") and 1614643200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ELISTREID, OOO" and ( pe.signatures [ i ] . serial == "00:ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3" or pe.signatures [ i ] . serial == "ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3" ) and 1614643200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42217,13 +42217,13 @@ rule REVERSINGLABS_Cert_Blocklist_24C1Ef800F275Ab2780280C595De3464 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "251212a5-95ce-5d9f-aec0-e6d3dd099349" + id = "a2cdb857-e4ea-516f-b7a3-68d910b6eff5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7070-L7086" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7536ec92f388234bea3b33bee4af52e0e0ce9cd86b1c8321a503f70bfe5faa76" + logic_hash = "v1_sha256_7536ec92f388234bea3b33bee4af52e0e0ce9cd86b1c8321a503f70bfe5faa76" score = 75 quality = 90 tags = "INFO, FILE" @@ -42233,7 +42233,7 @@ rule REVERSINGLABS_Cert_Blocklist_24C1Ef800F275Ab2780280C595De3464 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HOLGAN LIMITED" and pe.signatures[i].serial=="24:c1:ef:80:0f:27:5a:b2:78:02:80:c5:95:de:34:64" and 1614729600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HOLGAN LIMITED" and pe.signatures [ i ] . serial == "24:c1:ef:80:0f:27:5a:b2:78:02:80:c5:95:de:34:64" and 1614729600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42242,13 +42242,13 @@ rule REVERSINGLABS_Cert_Blocklist_6401831B46588B9D872B02076C3A7B00 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "61b67e68-9e15-5848-b12a-437a0ad8399e" + id = "4cc51dd8-afb9-562e-8fd2-4bc3ecf5eae6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7088-L7104" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cb84b27391fa0260061bc5444039967e83f2134f7b56f9cccf6a421d4a65a577" + logic_hash = "v1_sha256_cb84b27391fa0260061bc5444039967e83f2134f7b56f9cccf6a421d4a65a577" score = 75 quality = 90 tags = "INFO, FILE" @@ -42258,7 +42258,7 @@ rule REVERSINGLABS_Cert_Blocklist_6401831B46588B9D872B02076C3A7B00 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ACTIV GROUP ApS" and pe.signatures[i].serial=="64:01:83:1b:46:58:8b:9d:87:2b:02:07:6c:3a:7b:00" and 1615507200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ACTIV GROUP ApS" and pe.signatures [ i ] . serial == "64:01:83:1b:46:58:8b:9d:87:2b:02:07:6c:3a:7b:00" and 1615507200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42267,13 +42267,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A01A91Cce63Ede5Eaa3Dac4883Aea05 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a1efbce8-3cca-5e07-a652-d67007c72a18" + id = "119ceb6b-e993-5996-a81b-9ef445880bd8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7106-L7122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "58a26b44e485814fa645bfa490f3442745884026bb7a70327d4f51645ad3f69c" + logic_hash = "v1_sha256_58a26b44e485814fa645bfa490f3442745884026bb7a70327d4f51645ad3f69c" score = 75 quality = 90 tags = "INFO, FILE" @@ -42283,7 +42283,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A01A91Cce63Ede5Eaa3Dac4883Aea05 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Seacloud Technologies Pte. Ltd." and pe.signatures[i].serial=="0a:01:a9:1c:ce:63:ed:e5:ea:a3:da:c4:88:3a:ea:05" and 1618876800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Seacloud Technologies Pte. Ltd." and pe.signatures [ i ] . serial == "0a:01:a9:1c:ce:63:ed:e5:ea:a3:da:c4:88:3a:ea:05" and 1618876800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42292,13 +42292,13 @@ rule REVERSINGLABS_Cert_Blocklist_54Cd7Ae1C27F1421136Ed25088F4979A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "76999ae0-966e-5c52-8e00-a3af8afd8fae" + id = "d59e680a-c103-50b1-aae6-29fd19b36d29" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7124-L7140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c7cd84a225216ff1464a147c2572de2b0a2f69f7a315cdebef5ad2bab843b72a" + logic_hash = "v1_sha256_c7cd84a225216ff1464a147c2572de2b0a2f69f7a315cdebef5ad2bab843b72a" score = 75 quality = 90 tags = "INFO, FILE" @@ -42308,7 +42308,7 @@ rule REVERSINGLABS_Cert_Blocklist_54Cd7Ae1C27F1421136Ed25088F4979A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ABBYMAJUTA LTD LIMITED" and pe.signatures[i].serial=="54:cd:7a:e1:c2:7f:14:21:13:6e:d2:50:88:f4:97:9a" and 1616371200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ABBYMAJUTA LTD LIMITED" and pe.signatures [ i ] . serial == "54:cd:7a:e1:c2:7f:14:21:13:6e:d2:50:88:f4:97:9a" and 1616371200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42317,13 +42317,13 @@ rule REVERSINGLABS_Cert_Blocklist_F2D693Aad63E6920782A0027Dfc97D91 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c4876bdd-35bc-5a3f-9f55-9a730e7ff5c8" + id = "f23c393d-66df-5995-beef-2c35b0e005d4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7142-L7160" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8f29e65b39608518d16f708faef68db37b6e179c567819dccb6681adcec262e3" + logic_hash = "v1_sha256_8f29e65b39608518d16f708faef68db37b6e179c567819dccb6681adcec262e3" score = 75 quality = 90 tags = "INFO, FILE" @@ -42333,7 +42333,7 @@ rule REVERSINGLABS_Cert_Blocklist_F2D693Aad63E6920782A0027Dfc97D91 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "EKO-KHIM TOV" and (pe.signatures[i].serial=="00:f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91" or pe.signatures[i].serial=="f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91") and 1598989763<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "EKO-KHIM TOV" and ( pe.signatures [ i ] . serial == "00:f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91" or pe.signatures [ i ] . serial == "f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91" ) and 1598989763 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42342,13 +42342,13 @@ rule REVERSINGLABS_Cert_Blocklist_F8E8F6C92Ba666B0688A8Cacce9Acccf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "909d0ce9-406c-539f-9d0e-d7ab1b277ee3" + id = "d67c6d53-18b2-5bd5-827e-5c01e4bf551b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7162-L7180" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "aa419bc044be55d4c94481998be4e9c0310416740084eb8376842cf5416d78bf" + logic_hash = "v1_sha256_aa419bc044be55d4c94481998be4e9c0310416740084eb8376842cf5416d78bf" score = 75 quality = 90 tags = "INFO, FILE" @@ -42358,7 +42358,7 @@ rule REVERSINGLABS_Cert_Blocklist_F8E8F6C92Ba666B0688A8Cacce9Acccf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "5 th Dimension LTD Oy" and (pe.signatures[i].serial=="00:f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf" or pe.signatures[i].serial=="f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf") and 1618531200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "5 th Dimension LTD Oy" and ( pe.signatures [ i ] . serial == "00:f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf" or pe.signatures [ i ] . serial == "f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf" ) and 1618531200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42367,13 +42367,13 @@ rule REVERSINGLABS_Cert_Blocklist_E3D5089D4B8F01Aadce2731062Fb0Cce : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "25df791f-1128-51f9-90da-9977262d00c7" + id = "0086651c-e772-502f-bff3-2ded048cd26a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7182-L7200" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7f10b86f156ccac695f480661dfea8bcc455477afd9575230c2f8510327d1996" + logic_hash = "v1_sha256_7f10b86f156ccac695f480661dfea8bcc455477afd9575230c2f8510327d1996" score = 75 quality = 90 tags = "INFO, FILE" @@ -42383,7 +42383,7 @@ rule REVERSINGLABS_Cert_Blocklist_E3D5089D4B8F01Aadce2731062Fb0Cce : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DEVELOP - Residence s. r. o." and (pe.signatures[i].serial=="00:e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce" or pe.signatures[i].serial=="e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce") and 1618358400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DEVELOP - Residence s. r. o." and ( pe.signatures [ i ] . serial == "00:e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce" or pe.signatures [ i ] . serial == "e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce" ) and 1618358400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42392,13 +42392,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Ed801843Fa001B8Add52D3A97B25931 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7c685bb7-3201-5ffc-856b-657d824595ab" + id = "24e20d47-6820-54f2-b87e-51cc3dee342d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7202-L7218" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b7c9424520afe16bd4769e1be84163ac37b8fb37433931f2e362d90cacc01093" + logic_hash = "v1_sha256_b7c9424520afe16bd4769e1be84163ac37b8fb37433931f2e362d90cacc01093" score = 75 quality = 90 tags = "INFO, FILE" @@ -42408,7 +42408,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Ed801843Fa001B8Add52D3A97B25931 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AM El-Teknik ApS" and pe.signatures[i].serial=="7e:d8:01:84:3f:a0:01:b8:ad:d5:2d:3a:97:b2:59:31" and 1614297600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AM El-Teknik ApS" and pe.signatures [ i ] . serial == "7e:d8:01:84:3f:a0:01:b8:ad:d5:2d:3a:97:b2:59:31" and 1614297600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42417,13 +42417,13 @@ rule REVERSINGLABS_Cert_Blocklist_D9E834182Dec62C654E775E809Ac1D1B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "30831e91-c2aa-50bc-a0e9-ee7574fc58f4" + id = "55d4d3b4-161f-5ba4-aff0-977e0f6d6e2d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7220-L7238" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3d8075e34fa3dc221bc2abc2630a93f32efbdde6df270a77b1d6b64d8ce56133" + logic_hash = "v1_sha256_3d8075e34fa3dc221bc2abc2630a93f32efbdde6df270a77b1d6b64d8ce56133" score = 75 quality = 90 tags = "INFO, FILE" @@ -42433,7 +42433,7 @@ rule REVERSINGLABS_Cert_Blocklist_D9E834182Dec62C654E775E809Ac1D1B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FoodLehto Oy" and (pe.signatures[i].serial=="00:d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b" or pe.signatures[i].serial=="d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b") and 1614297600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FoodLehto Oy" and ( pe.signatures [ i ] . serial == "00:d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b" or pe.signatures [ i ] . serial == "d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b" ) and 1614297600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42442,13 +42442,13 @@ rule REVERSINGLABS_Cert_Blocklist_801689896Ed339237464A41A2900A969 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0ef4ce5c-b2a1-59e8-8d39-3cf7ab9fd0e1" + id = "a27d8232-38e3-55d2-9f84-88e037a06339" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7240-L7258" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a371092cbf5a1a0c8051ba2b4c9dd758d829a2f0c21c86d1920164a0ae7751e6" + logic_hash = "v1_sha256_a371092cbf5a1a0c8051ba2b4c9dd758d829a2f0c21c86d1920164a0ae7751e6" score = 75 quality = 90 tags = "INFO, FILE" @@ -42458,7 +42458,7 @@ rule REVERSINGLABS_Cert_Blocklist_801689896Ed339237464A41A2900A969 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GLG Rental ApS" and (pe.signatures[i].serial=="00:80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69" or pe.signatures[i].serial=="80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69") and 1615507200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GLG Rental ApS" and ( pe.signatures [ i ] . serial == "00:80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69" or pe.signatures [ i ] . serial == "80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69" ) and 1615507200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42467,13 +42467,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Fd3661533Eef209153C9Afec3Ba4D8A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e45d66b0-58ae-5054-b0a7-47a001daac7a" + id = "2b0380b4-af5a-5287-9538-d3692e26a194" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7260-L7276" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ce6c07b8ae54db03e4fa2739856a8d3dc2051c051a10c3c73501dad4296dde97" + logic_hash = "v1_sha256_ce6c07b8ae54db03e4fa2739856a8d3dc2051c051a10c3c73501dad4296dde97" score = 75 quality = 90 tags = "INFO, FILE" @@ -42483,7 +42483,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Fd3661533Eef209153C9Afec3Ba4D8A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SFB Regnskabsservice ApS" and pe.signatures[i].serial=="3f:d3:66:15:33:ee:f2:09:15:3c:9a:fe:c3:ba:4d:8a" and 1614816000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SFB Regnskabsservice ApS" and pe.signatures [ i ] . serial == "3f:d3:66:15:33:ee:f2:09:15:3c:9a:fe:c3:ba:4d:8a" and 1614816000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42492,13 +42492,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ced87Bd70B092Cb93B182Fac32655F6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b9e6a35f-08c2-5f29-9bcf-07a3cddf0fbe" + id = "483fa837-20b3-5dbc-8c45-9861bea04d6e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7278-L7294" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4e2c967b9502d9009c61831f019ba19367b866e898ca1246a1099d75ad0eb4d5" + logic_hash = "v1_sha256_4e2c967b9502d9009c61831f019ba19367b866e898ca1246a1099d75ad0eb4d5" score = 75 quality = 90 tags = "INFO, FILE" @@ -42508,7 +42508,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Ced87Bd70B092Cb93B182Fac32655F6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Creator Soft Limited" and pe.signatures[i].serial=="0c:ed:87:bd:70:b0:92:cb:93:b1:82:fa:c3:26:55:f6" and 1614816000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Creator Soft Limited" and pe.signatures [ i ] . serial == "0c:ed:87:bd:70:b0:92:cb:93:b1:82:fa:c3:26:55:f6" and 1614816000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42517,13 +42517,13 @@ rule REVERSINGLABS_Cert_Blocklist_047801D5B55C800B48411Fd8C320Ca5B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "602b8c18-3dad-55b9-bb47-3f9835a049ac" + id = "761cb2c1-6d64-5412-886c-7f0fe00a1edb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7296-L7312" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ef26b4e3c658f53f3048d10bd1b7a2a198cd402e1b7c60e84adadb4f236ccb5d" + logic_hash = "v1_sha256_ef26b4e3c658f53f3048d10bd1b7a2a198cd402e1b7c60e84adadb4f236ccb5d" score = 75 quality = 90 tags = "INFO, FILE" @@ -42533,7 +42533,7 @@ rule REVERSINGLABS_Cert_Blocklist_047801D5B55C800B48411Fd8C320Ca5B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LICHFIELD STUDIO GLASS LIMITED" and pe.signatures[i].serial=="04:78:01:d5:b5:5c:80:0b:48:41:1f:d8:c3:20:ca:5b" and 1614297600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LICHFIELD STUDIO GLASS LIMITED" and pe.signatures [ i ] . serial == "04:78:01:d5:b5:5c:80:0b:48:41:1f:d8:c3:20:ca:5b" and 1614297600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42542,13 +42542,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F0Ed5318848703405D40F7C62D0F39A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "30e3a977-caa3-5ae0-9cd0-6b2ce62ccebd" + id = "b4fce387-661c-54c1-b35a-b89f901bf0e1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7314-L7330" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "484932ddfe614fd5ab22361ab281cda62803c98279f938aa5237237fae6a95d6" + logic_hash = "v1_sha256_484932ddfe614fd5ab22361ab281cda62803c98279f938aa5237237fae6a95d6" score = 75 quality = 90 tags = "INFO, FILE" @@ -42558,7 +42558,7 @@ rule REVERSINGLABS_Cert_Blocklist_0F0Ed5318848703405D40F7C62D0F39A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SIES UPRAVLENIE PROTSESSAMI, OOO" and pe.signatures[i].serial=="0f:0e:d5:31:88:48:70:34:05:d4:0f:7c:62:d0:f3:9a" and 1614729600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SIES UPRAVLENIE PROTSESSAMI, OOO" and pe.signatures [ i ] . serial == "0f:0e:d5:31:88:48:70:34:05:d4:0f:7c:62:d0:f3:9a" and 1614729600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42567,13 +42567,13 @@ rule REVERSINGLABS_Cert_Blocklist_4E7545C9Fc5938F5198Ab9F1749Ca31C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d5f810ee-127a-5df0-9299-ffeaddf369ee" + id = "46428d7a-661d-58bf-97fb-497a94bb98f2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7332-L7348" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f6be57eb6744ad6d239a0a2cc1ec8c39c9dfd4e4eeb3be9e699516c259f617f0" + logic_hash = "v1_sha256_f6be57eb6744ad6d239a0a2cc1ec8c39c9dfd4e4eeb3be9e699516c259f617f0" score = 75 quality = 90 tags = "INFO, FILE" @@ -42583,7 +42583,7 @@ rule REVERSINGLABS_Cert_Blocklist_4E7545C9Fc5938F5198Ab9F1749Ca31C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "For M d.o.o." and pe.signatures[i].serial=="4e:75:45:c9:fc:59:38:f5:19:8a:b9:f1:74:9c:a3:1c" and 1614297600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "For M d.o.o." and pe.signatures [ i ] . serial == "4e:75:45:c9:fc:59:38:f5:19:8a:b9:f1:74:9c:a3:1c" and 1614297600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42592,13 +42592,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Ddd3796A427B42F2E52D7C7Af0Ca54F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5c2e1f5b-5ff7-51d7-9642-0a527856814c" + id = "3753b9e7-a428-52a5-81cc-5152d7b5b864" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7350-L7366" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "804ab8c44e5d97d8e14f852d61094e90d1e3ace66316781e9e79ab46fc7db8e7" + logic_hash = "v1_sha256_804ab8c44e5d97d8e14f852d61094e90d1e3ace66316781e9e79ab46fc7db8e7" score = 75 quality = 90 tags = "INFO, FILE" @@ -42608,7 +42608,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Ddd3796A427B42F2E52D7C7Af0Ca54F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Fobos" and pe.signatures[i].serial=="7d:dd:37:96:a4:27:b4:2f:2e:52:d7:c7:af:0c:a5:4f" and 1612915200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Fobos" and pe.signatures [ i ] . serial == "7d:dd:37:96:a4:27:b4:2f:2e:52:d7:c7:af:0c:a5:4f" and 1612915200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42617,13 +42617,13 @@ rule REVERSINGLABS_Cert_Blocklist_03B27D7F4Ee21A462A064A17Eef70D6C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9d32947c-778f-5e2d-b0b1-4a17a108035e" + id = "bc251583-4a5d-5325-aa8c-94acd1be5be2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7368-L7384" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b303751e354c346f73368de94b66a960dd12efa0730d2ab14af743810669ac81" + logic_hash = "v1_sha256_b303751e354c346f73368de94b66a960dd12efa0730d2ab14af743810669ac81" score = 75 quality = 90 tags = "INFO, FILE" @@ -42633,7 +42633,7 @@ rule REVERSINGLABS_Cert_Blocklist_03B27D7F4Ee21A462A064A17Eef70D6C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CCL TRADING LIMITED" and pe.signatures[i].serial=="03:b2:7d:7f:4e:e2:1a:46:2a:06:4a:17:ee:f7:0d:6c" and 1613952000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CCL TRADING LIMITED" and pe.signatures [ i ] . serial == "03:b2:7d:7f:4e:e2:1a:46:2a:06:4a:17:ee:f7:0d:6c" and 1613952000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42642,13 +42642,13 @@ rule REVERSINGLABS_Cert_Blocklist_B0A308Fc2E71Ac4Ac40677B9C27Ccbad : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7e13e257-a264-5a40-b670-889045504acf" + id = "5ee289f4-eb64-5887-8d15-767bf47fd2bd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7386-L7404" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "21fd7625399c939b6d03100b731709616d206a3811197af2b86991be9d89b4eb" + logic_hash = "v1_sha256_21fd7625399c939b6d03100b731709616d206a3811197af2b86991be9d89b4eb" score = 75 quality = 90 tags = "INFO, FILE" @@ -42658,7 +42658,7 @@ rule REVERSINGLABS_Cert_Blocklist_B0A308Fc2E71Ac4Ac40677B9C27Ccbad : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Volpayk LLC" and (pe.signatures[i].serial=="00:b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad" or pe.signatures[i].serial=="b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad") and 1611705600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Volpayk LLC" and ( pe.signatures [ i ] . serial == "00:b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad" or pe.signatures [ i ] . serial == "b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad" ) and 1611705600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42667,13 +42667,13 @@ rule REVERSINGLABS_Cert_Blocklist_61B11Ef9726Ab2E78132E01Bd791B336 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "573a024e-11f0-5cf9-8f0d-a946cdca34c5" + id = "bfbbbbae-9cf9-536b-a9ce-a91bad4b4f52" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7406-L7422" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1a8e72f31039a5a5602d0314f017a2596a23e4a796dc66167dfefc0c9790e3e3" + logic_hash = "v1_sha256_1a8e72f31039a5a5602d0314f017a2596a23e4a796dc66167dfefc0c9790e3e3" score = 75 quality = 90 tags = "INFO, FILE" @@ -42683,7 +42683,7 @@ rule REVERSINGLABS_Cert_Blocklist_61B11Ef9726Ab2E78132E01Bd791B336 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Skalari" and pe.signatures[i].serial=="61:b1:1e:f9:72:6a:b2:e7:81:32:e0:1b:d7:91:b3:36" and 1609372800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Skalari" and pe.signatures [ i ] . serial == "61:b1:1e:f9:72:6a:b2:e7:81:32:e0:1b:d7:91:b3:36" and 1609372800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42692,13 +42692,13 @@ rule REVERSINGLABS_Cert_Blocklist_8Fe807310D98357A59382090634B93F0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "690e7919-0344-5bd1-849f-e7bfe2f19276" + id = "51470200-7dca-5c81-8174-83d8dfe5fad6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7424-L7442" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ec56bd4783c854efef863050ff729fd99efa98b7b19e04e56a080ee3e75cd90" + logic_hash = "v1_sha256_0ec56bd4783c854efef863050ff729fd99efa98b7b19e04e56a080ee3e75cd90" score = 75 quality = 90 tags = "INFO, FILE" @@ -42708,7 +42708,7 @@ rule REVERSINGLABS_Cert_Blocklist_8Fe807310D98357A59382090634B93F0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MAVE MEDIA" and (pe.signatures[i].serial=="00:8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0" or pe.signatures[i].serial=="8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0") and 1613433600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MAVE MEDIA" and ( pe.signatures [ i ] . serial == "00:8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0" or pe.signatures [ i ] . serial == "8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0" ) and 1613433600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42717,13 +42717,13 @@ rule REVERSINGLABS_Cert_Blocklist_B97F66Bb221772Dc07Ef1D4Bed8F6085 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c83918d8-fe90-59dc-8f4e-0e7b10238780" + id = "912d2a87-6b24-5565-906c-dfc8183e69da" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7444-L7462" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "794dc27ff9b2588d3f2c31cdb83e53616c604aa41da7d8c895034e1cf9da5dd8" + logic_hash = "v1_sha256_794dc27ff9b2588d3f2c31cdb83e53616c604aa41da7d8c895034e1cf9da5dd8" score = 75 quality = 90 tags = "INFO, FILE" @@ -42733,7 +42733,7 @@ rule REVERSINGLABS_Cert_Blocklist_B97F66Bb221772Dc07Ef1D4Bed8F6085 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "S-PRO d.o.o." and (pe.signatures[i].serial=="00:b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85" or pe.signatures[i].serial=="b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85") and 1614556800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "S-PRO d.o.o." and ( pe.signatures [ i ] . serial == "00:b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85" or pe.signatures [ i ] . serial == "b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85" ) and 1614556800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42742,13 +42742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fed006Fbf85Cd1C6Ba6B4345B198E1E6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ab84282d-9c35-5e52-a117-1d85c03cc6f4" + id = "e33e1257-5f4c-57bb-81ae-ef95c80c87d4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7464-L7482" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0360c6760f1018f9388ef5639ab2306879134f33da12677f954fa31b8a71aa16" + logic_hash = "v1_sha256_0360c6760f1018f9388ef5639ab2306879134f33da12677f954fa31b8a71aa16" score = 75 quality = 90 tags = "INFO, FILE" @@ -42758,7 +42758,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fed006Fbf85Cd1C6Ba6B4345B198E1E6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LoL d.o.o." and (pe.signatures[i].serial=="00:fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6" or pe.signatures[i].serial=="fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6") and 1614297600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LoL d.o.o." and ( pe.signatures [ i ] . serial == "00:fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6" or pe.signatures [ i ] . serial == "fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6" ) and 1614297600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42767,13 +42767,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aa28C9Bd16D9D304F18Af223B27Bfa1E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "facb8bba-a8cc-5b2a-9ef6-ba290cbf9b24" + id = "6b467480-7e8a-58c3-9f29-762013c630f2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7484-L7502" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "feaa8d645eea46c7cbbba4ba86c92184df7515a50f1f905ab818c59079a0c96a" + logic_hash = "v1_sha256_feaa8d645eea46c7cbbba4ba86c92184df7515a50f1f905ab818c59079a0c96a" score = 75 quality = 90 tags = "INFO, FILE" @@ -42783,7 +42783,7 @@ rule REVERSINGLABS_Cert_Blocklist_Aa28C9Bd16D9D304F18Af223B27Bfa1E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Tecno trade d.o.o." and (pe.signatures[i].serial=="00:aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e" or pe.signatures[i].serial=="aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e") and 1611705600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Tecno trade d.o.o." and ( pe.signatures [ i ] . serial == "00:aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e" or pe.signatures [ i ] . serial == "aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e" ) and 1611705600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42792,13 +42792,13 @@ rule REVERSINGLABS_Cert_Blocklist_19Beff8A6C129663E5E8C18953Dc1F67 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "300d9e11-9283-500e-9716-5b628ef41853" + id = "ace301b4-39ca-56d9-b308-734dc724c9ca" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7504-L7520" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ec031c781ebad7447cfc53ce791aacc8f24e38f039c84e2ee547de64729ae76" + logic_hash = "v1_sha256_0ec031c781ebad7447cfc53ce791aacc8f24e38f039c84e2ee547de64729ae76" score = 75 quality = 90 tags = "INFO, FILE" @@ -42808,7 +42808,7 @@ rule REVERSINGLABS_Cert_Blocklist_19Beff8A6C129663E5E8C18953Dc1F67 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CULNADY LTD LTD" and pe.signatures[i].serial=="19:be:ff:8a:6c:12:96:63:e5:e8:c1:89:53:dc:1f:67" and 1608163200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CULNADY LTD LTD" and pe.signatures [ i ] . serial == "19:be:ff:8a:6c:12:96:63:e5:e8:c1:89:53:dc:1f:67" and 1608163200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42817,13 +42817,13 @@ rule REVERSINGLABS_Cert_Blocklist_029685Cda1C8233D2409A31206F78F9F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f7894a48-459b-574f-9df3-8505578de42b" + id = "f3c15b8b-1cc8-55e4-b244-f41ae10598fe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7522-L7538" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d541ce73e5039541ea221f27cc4d033f0c477e41a148206c26cc39ae07c4caaa" + logic_hash = "v1_sha256_d541ce73e5039541ea221f27cc4d033f0c477e41a148206c26cc39ae07c4caaa" score = 75 quality = 90 tags = "INFO, FILE" @@ -42833,7 +42833,7 @@ rule REVERSINGLABS_Cert_Blocklist_029685Cda1C8233D2409A31206F78F9F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "KOTO TRADE, dru\\xC5\\xBEba za posredovanje, d.o.o." and pe.signatures[i].serial=="02:96:85:cd:a1:c8:23:3d:24:09:a3:12:06:f7:8f:9f" and 1612396800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "KOTO TRADE, dru\\xC5\\xBEba za posredovanje, d.o.o." and pe.signatures [ i ] . serial == "02:96:85:cd:a1:c8:23:3d:24:09:a3:12:06:f7:8f:9f" and 1612396800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42842,13 +42842,13 @@ rule REVERSINGLABS_Cert_Blocklist_D609B6C95428954A999A8A99D4F198Af : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4ce9b2ce-5dda-5741-bd29-cadae44c3b28" + id = "5d607298-89f6-5d2a-998b-9fbddb3de942" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7540-L7558" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a124f80d599051ecd7c17e6818d181ea018db14c9f0514bbcc5b677ba3656d65" + logic_hash = "v1_sha256_a124f80d599051ecd7c17e6818d181ea018db14c9f0514bbcc5b677ba3656d65" score = 75 quality = 90 tags = "INFO, FILE" @@ -42858,7 +42858,7 @@ rule REVERSINGLABS_Cert_Blocklist_D609B6C95428954A999A8A99D4F198Af : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Fudl" and (pe.signatures[i].serial=="00:d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af" or pe.signatures[i].serial=="d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af") and 1612828800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Fudl" and ( pe.signatures [ i ] . serial == "00:d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af" or pe.signatures [ i ] . serial == "d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af" ) and 1612828800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42867,13 +42867,13 @@ rule REVERSINGLABS_Cert_Blocklist_D3356318924C8C42959Bf1D1574E6482 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "36b12300-6535-5644-9145-9f532b49a421" + id = "18728003-5574-55f3-815d-0db5a9f4fee0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7560-L7578" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a672054a776d0715fc888578bcb559d24ef54b4c523f7d49a39ded2586c3140a" + logic_hash = "v1_sha256_a672054a776d0715fc888578bcb559d24ef54b4c523f7d49a39ded2586c3140a" score = 75 quality = 90 tags = "INFO, FILE" @@ -42883,7 +42883,7 @@ rule REVERSINGLABS_Cert_Blocklist_D3356318924C8C42959Bf1D1574E6482 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ADV TOURS d.o.o." and (pe.signatures[i].serial=="00:d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82" or pe.signatures[i].serial=="d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82") and 1613001600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ADV TOURS d.o.o." and ( pe.signatures [ i ] . serial == "00:d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82" or pe.signatures [ i ] . serial == "d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82" ) and 1613001600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42892,13 +42892,13 @@ rule REVERSINGLABS_Cert_Blocklist_31D852F5Fca1A5966B5Ed08A14825C54 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "362a6eb7-f49e-502b-9870-522aea13e04b" + id = "f4a33ae2-d2d7-5018-9a0a-6c77c831b1f4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7580-L7596" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8c98b856d53e6862e94042bb133f5739bddcec2e208e43961b23e244584c6ee4" + logic_hash = "v1_sha256_8c98b856d53e6862e94042bb133f5739bddcec2e208e43961b23e244584c6ee4" score = 75 quality = 90 tags = "INFO, FILE" @@ -42908,7 +42908,7 @@ rule REVERSINGLABS_Cert_Blocklist_31D852F5Fca1A5966B5Ed08A14825C54 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BBT KLA d.o.o." and pe.signatures[i].serial=="31:d8:52:f5:fc:a1:a5:96:6b:5e:d0:8a:14:82:5c:54" and 1612396800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BBT KLA d.o.o." and pe.signatures [ i ] . serial == "31:d8:52:f5:fc:a1:a5:96:6b:5e:d0:8a:14:82:5c:54" and 1612396800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42917,13 +42917,13 @@ rule REVERSINGLABS_Cert_Blocklist_17D99Cc2F5B29522D422332E681F3E18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0d0a58a4-353d-51f9-a739-a135d77357c9" + id = "54e13971-67ad-5c8a-8e5a-99266e2e95fe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7598-L7614" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "55cc1634cdc5209d68b98fdb0d9e97e0a34346cdcb10f243d13217cda01195f1" + logic_hash = "v1_sha256_55cc1634cdc5209d68b98fdb0d9e97e0a34346cdcb10f243d13217cda01195f1" score = 75 quality = 90 tags = "INFO, FILE" @@ -42933,7 +42933,7 @@ rule REVERSINGLABS_Cert_Blocklist_17D99Cc2F5B29522D422332E681F3E18 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PKV Trading ApS" and pe.signatures[i].serial=="17:d9:9c:c2:f5:b2:95:22:d4:22:33:2e:68:1f:3e:18" and 1613088000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PKV Trading ApS" and pe.signatures [ i ] . serial == "17:d9:9c:c2:f5:b2:95:22:d4:22:33:2e:68:1f:3e:18" and 1613088000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42942,13 +42942,13 @@ rule REVERSINGLABS_Cert_Blocklist_6A568F85De2061F67Ded98707D4988Df : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "962c3096-2c3d-5137-9637-b45d00b2ee9b" + id = "44810935-f0a4-5962-a1de-55553621d466" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7616-L7632" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "793be308a4df55c3b325e1ee3185159c4155f6dfabc311216d3763bd43680bd4" + logic_hash = "v1_sha256_793be308a4df55c3b325e1ee3185159c4155f6dfabc311216d3763bd43680bd4" score = 75 quality = 90 tags = "INFO, FILE" @@ -42958,7 +42958,7 @@ rule REVERSINGLABS_Cert_Blocklist_6A568F85De2061F67Ded98707D4988Df : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Apladis" and pe.signatures[i].serial=="6a:56:8f:85:de:20:61:f6:7d:ed:98:70:7d:49:88:df" and 1613001600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Apladis" and pe.signatures [ i ] . serial == "6a:56:8f:85:de:20:61:f6:7d:ed:98:70:7d:49:88:df" and 1613001600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42967,13 +42967,13 @@ rule REVERSINGLABS_Cert_Blocklist_038Fc745523B41B40D653B83Aa381B80 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3f7f9d58-3a7a-5f84-bf6e-795a9c8bcd38" + id = "3954b7a9-b19f-513f-b7f4-9f1a0eeb8bb8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7634-L7650" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "016ca6dcb5c7c56c80e4486b84d97fb3869a959ef3e8392e4376a0a0de06092f" + logic_hash = "v1_sha256_016ca6dcb5c7c56c80e4486b84d97fb3869a959ef3e8392e4376a0a0de06092f" score = 75 quality = 90 tags = "INFO, FILE" @@ -42983,7 +42983,7 @@ rule REVERSINGLABS_Cert_Blocklist_038Fc745523B41B40D653B83Aa381B80 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Optima" and pe.signatures[i].serial=="03:8f:c7:45:52:3b:41:b4:0d:65:3b:83:aa:38:1b:80" and 1606143708<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Optima" and pe.signatures [ i ] . serial == "03:8f:c7:45:52:3b:41:b4:0d:65:3b:83:aa:38:1b:80" and 1606143708 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -42992,13 +42992,13 @@ rule REVERSINGLABS_Cert_Blocklist_30Af0D0E6D8201A5369664C5Ebbb010F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aaa31642-a0f4-5652-b3cd-c81cfb1ab127" + id = "cdb7da47-0e0b-58b6-9abe-c355bb8ae9f8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7652-L7668" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "018e5a0fbeeaded2569b83e2f91230e0055a5ffa2059b7a064a5c2eda55ed2de" + logic_hash = "v1_sha256_018e5a0fbeeaded2569b83e2f91230e0055a5ffa2059b7a064a5c2eda55ed2de" score = 75 quality = 90 tags = "INFO, FILE" @@ -43008,7 +43008,7 @@ rule REVERSINGLABS_Cert_Blocklist_30Af0D0E6D8201A5369664C5Ebbb010F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "3N-\\xC5\\xA0PORT podjetje za in\\xC5\\xBEeniring, storitve in trgovino d.o.o." and pe.signatures[i].serial=="30:af:0d:0e:6d:82:01:a5:36:96:64:c5:eb:bb:01:0f" and 1613433600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "3N-\\xC5\\xA0PORT podjetje za in\\xC5\\xBEeniring, storitve in trgovino d.o.o." and pe.signatures [ i ] . serial == "30:af:0d:0e:6d:82:01:a5:36:96:64:c5:eb:bb:01:0f" and 1613433600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43017,13 +43017,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ac0A7B9420B369Af3Ddb748385B981 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "82d6c0f5-80d1-5003-a5c9-9eadd9654460" + id = "e400c27f-bf0d-535c-839f-11eff4c05d0f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7670-L7688" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2bc31eaa64be487cb85873a64b7462d90d1c28839def070ce5db7ae555383421" + logic_hash = "v1_sha256_2bc31eaa64be487cb85873a64b7462d90d1c28839def070ce5db7ae555383421" score = 75 quality = 90 tags = "INFO, FILE" @@ -43033,7 +43033,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ac0A7B9420B369Af3Ddb748385B981 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Tochka" and (pe.signatures[i].serial=="00:ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81" or pe.signatures[i].serial=="ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81") and 1604620800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Tochka" and ( pe.signatures [ i ] . serial == "00:ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81" or pe.signatures [ i ] . serial == "ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81" ) and 1604620800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43042,13 +43042,13 @@ rule REVERSINGLABS_Cert_Blocklist_C167F04B338B1E8747B92C2197403C43 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0bf561ac-0283-557f-a685-4603e2b58273" + id = "b7d933c6-7472-5235-82d4-7420523b95ae" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7690-L7708" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8e0a11efc739baefe23a3d77e4eefc9dc23c74821c91fc219822dbc5dbb468b1" + logic_hash = "v1_sha256_8e0a11efc739baefe23a3d77e4eefc9dc23c74821c91fc219822dbc5dbb468b1" score = 75 quality = 90 tags = "INFO, FILE" @@ -43058,7 +43058,7 @@ rule REVERSINGLABS_Cert_Blocklist_C167F04B338B1E8747B92C2197403C43 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FORTUNE STAR TRADING, INC." and (pe.signatures[i].serial=="00:c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43" or pe.signatures[i].serial=="c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43") and 1604361600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FORTUNE STAR TRADING, INC." and ( pe.signatures [ i ] . serial == "00:c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43" or pe.signatures [ i ] . serial == "c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43" ) and 1604361600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43067,13 +43067,13 @@ rule REVERSINGLABS_Cert_Blocklist_9272607Cfc982B782A5D36C4B78F5E7B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e3ad8f20-d12f-54e9-a6da-7aad28a10287" + id = "57378d08-6fcb-5174-a133-61ed5f8f9bd4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7710-L7728" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b1d6f27fb513542589a5c9011e501a9d298282bba6882eac0fc7bf3e6ebb291" + logic_hash = "v1_sha256_2b1d6f27fb513542589a5c9011e501a9d298282bba6882eac0fc7bf3e6ebb291" score = 75 quality = 90 tags = "INFO, FILE" @@ -43083,7 +43083,7 @@ rule REVERSINGLABS_Cert_Blocklist_9272607Cfc982B782A5D36C4B78F5E7B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rada SP Z o o" and (pe.signatures[i].serial=="00:92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b" or pe.signatures[i].serial=="92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b") and 1605139200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rada SP Z o o" and ( pe.signatures [ i ] . serial == "00:92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b" or pe.signatures [ i ] . serial == "92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b" ) and 1605139200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43092,13 +43092,13 @@ rule REVERSINGLABS_Cert_Blocklist_45Eb9187A2505D8E6C842E6D366Ad0C8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1b8390aa-16b9-558b-aee8-e30fc7100af4" + id = "9b2481d7-736e-59be-b998-43d02c38c65c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7730-L7746" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4ae755e814ae2488d4bd6b8136ab6d78e4809a2ddacb7f88cf1d2b64c1488898" + logic_hash = "v1_sha256_4ae755e814ae2488d4bd6b8136ab6d78e4809a2ddacb7f88cf1d2b64c1488898" score = 75 quality = 90 tags = "INFO, FILE" @@ -43108,7 +43108,7 @@ rule REVERSINGLABS_Cert_Blocklist_45Eb9187A2505D8E6C842E6D366Ad0C8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BAKERA s.r.o." and pe.signatures[i].serial=="45:eb:91:87:a2:50:5d:8e:6c:84:2e:6d:36:6a:d0:c8" and 1607040000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BAKERA s.r.o." and pe.signatures [ i ] . serial == "45:eb:91:87:a2:50:5d:8e:6c:84:2e:6d:36:6a:d0:c8" and 1607040000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43117,13 +43117,13 @@ rule REVERSINGLABS_Cert_Blocklist_56Fff139Df5Ae7E788E5D72196Dd563A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4f34fd37-908c-573c-ba53-5ab622589e88" + id = "a20aba17-47b3-55cf-ae9b-a7e3018d53e6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7748-L7764" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4b58c83901605d8b43519f1bc2d4ac8dc10c794f027681378b2bee2a8ff81604" + logic_hash = "v1_sha256_4b58c83901605d8b43519f1bc2d4ac8dc10c794f027681378b2bee2a8ff81604" score = 75 quality = 90 tags = "INFO, FILE" @@ -43133,7 +43133,7 @@ rule REVERSINGLABS_Cert_Blocklist_56Fff139Df5Ae7E788E5D72196Dd563A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Cifromatika LLC" and pe.signatures[i].serial=="56:ff:f1:39:df:5a:e7:e7:88:e5:d7:21:96:dd:56:3a" and 1606435200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Cifromatika LLC" and pe.signatures [ i ] . serial == "56:ff:f1:39:df:5a:e7:e7:88:e5:d7:21:96:dd:56:3a" and 1606435200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43142,13 +43142,13 @@ rule REVERSINGLABS_Cert_Blocklist_E161F76Da3B5E4623892C8E6Fda1Ea3D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "386c81ef-87aa-514e-81d7-dddfb90e0dc2" + id = "9dea3f43-78f2-5463-bcbf-df2fe8444b66" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7766-L7784" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "883545593b48aa11c11f7fa1a1f77c62321ea86067f1ed108dcd00c8c6cd3495" + logic_hash = "v1_sha256_883545593b48aa11c11f7fa1a1f77c62321ea86067f1ed108dcd00c8c6cd3495" score = 75 quality = 90 tags = "INFO, FILE" @@ -43158,7 +43158,7 @@ rule REVERSINGLABS_Cert_Blocklist_E161F76Da3B5E4623892C8E6Fda1Ea3D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TGN Nedelica d.o.o." and (pe.signatures[i].serial=="00:e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d" or pe.signatures[i].serial=="e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d") and 1604966400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TGN Nedelica d.o.o." and ( pe.signatures [ i ] . serial == "00:e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d" or pe.signatures [ i ] . serial == "e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d" ) and 1604966400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43167,13 +43167,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Ae5B177Ac3A7Ce2Aadf1C891B574924 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c72b8b2a-3e49-5ac3-ab4d-55b86ce7f061" + id = "09f43ef4-6a6d-5fd1-bdf5-068c88fad28e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7786-L7804" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "03ac299459a1aaf2e4a2e62884cd321e16100fee78b4b0e271acdd8a4e32525c" + logic_hash = "v1_sha256_03ac299459a1aaf2e4a2e62884cd321e16100fee78b4b0e271acdd8a4e32525c" score = 75 quality = 90 tags = "INFO, FILE" @@ -43183,7 +43183,7 @@ rule REVERSINGLABS_Cert_Blocklist_9Ae5B177Ac3A7Ce2Aadf1C891B574924 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Kolorit" and (pe.signatures[i].serial=="00:9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24" or pe.signatures[i].serial=="9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24") and 1608076800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Kolorit" and ( pe.signatures [ i ] . serial == "00:9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24" or pe.signatures [ i ] . serial == "9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24" ) and 1608076800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43192,13 +43192,13 @@ rule REVERSINGLABS_Cert_Blocklist_A03Ea3A4Fa772B17037A0B80F1F968Aa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cbc0c6ca-fab2-531e-b368-4d3fdc72509f" + id = "9952dd19-b161-5c61-a7e9-7447e67a8919" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7806-L7824" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e2044c6ddb80f3add13dfc3b623d0460ce8e9a66c5a98582f80d906edbbbd829" + logic_hash = "v1_sha256_e2044c6ddb80f3add13dfc3b623d0460ce8e9a66c5a98582f80d906edbbbd829" score = 75 quality = 90 tags = "INFO, FILE" @@ -43208,7 +43208,7 @@ rule REVERSINGLABS_Cert_Blocklist_A03Ea3A4Fa772B17037A0B80F1F968Aa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DREVOKAPITAL, s.r.o." and (pe.signatures[i].serial=="00:a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa" or pe.signatures[i].serial=="a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa") and 1608076800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DREVOKAPITAL, s.r.o." and ( pe.signatures [ i ] . serial == "00:a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa" or pe.signatures [ i ] . serial == "a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa" ) and 1608076800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43217,13 +43217,13 @@ rule REVERSINGLABS_Cert_Blocklist_333Ca7D100B139B0D9C1A97Cb458E226 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c2c32499-4b0d-51ad-a10e-1ddd7218df84" + id = "497527ff-24bc-5f47-8732-78d675ca438a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7826-L7842" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b3a31a54132fd8ca2c11b7806503207a4197f16af78693387bac56879b5e1448" + logic_hash = "v1_sha256_b3a31a54132fd8ca2c11b7806503207a4197f16af78693387bac56879b5e1448" score = 75 quality = 90 tags = "INFO, FILE" @@ -43233,7 +43233,7 @@ rule REVERSINGLABS_Cert_Blocklist_333Ca7D100B139B0D9C1A97Cb458E226 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FSE, d.o.o." and pe.signatures[i].serial=="33:3c:a7:d1:00:b1:39:b0:d9:c1:a9:7c:b4:58:e2:26" and 1608076800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FSE, d.o.o." and pe.signatures [ i ] . serial == "33:3c:a7:d1:00:b1:39:b0:d9:c1:a9:7c:b4:58:e2:26" and 1608076800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43242,13 +43242,13 @@ rule REVERSINGLABS_Cert_Blocklist_9245D1511923F541844Faa3C6Bfebcbe : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7d4033b8-da1d-55f5-aa80-f96636650633" + id = "9202c913-a805-56bf-9965-80feb9c8e420" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7844-L7862" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b965e897b42c39841e663cc144cf6e4a81fc9bcb64ce3a15a7ca021e95866b08" + logic_hash = "v1_sha256_b965e897b42c39841e663cc144cf6e4a81fc9bcb64ce3a15a7ca021e95866b08" score = 75 quality = 90 tags = "INFO, FILE" @@ -43258,7 +43258,7 @@ rule REVERSINGLABS_Cert_Blocklist_9245D1511923F541844Faa3C6Bfebcbe : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LEHTEH d.o.o., Ljubljana" and (pe.signatures[i].serial=="00:92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be" or pe.signatures[i].serial=="92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be") and 1607040000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LEHTEH d.o.o., Ljubljana" and ( pe.signatures [ i ] . serial == "00:92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be" or pe.signatures [ i ] . serial == "92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be" ) and 1607040000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43267,13 +43267,13 @@ rule REVERSINGLABS_Cert_Blocklist_2888Cf0F953A4A3640Ee4Cfc6304D9D4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "75ec52c5-4c59-51d8-bd9b-928c75d3521a" + id = "407aac59-d305-59a7-8e92-59e7f34adf09" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7864-L7880" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a9ee8534d89b8ac8705bb1777718513a28e4531ed398f482f46a72f2760af161" + logic_hash = "v1_sha256_a9ee8534d89b8ac8705bb1777718513a28e4531ed398f482f46a72f2760af161" score = 75 quality = 90 tags = "INFO, FILE" @@ -43283,7 +43283,7 @@ rule REVERSINGLABS_Cert_Blocklist_2888Cf0F953A4A3640Ee4Cfc6304D9D4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Lotte Schmidt" and pe.signatures[i].serial=="28:88:cf:0f:95:3a:4a:36:40:ee:4c:fc:63:04:d9:d4" and 1608024974<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Lotte Schmidt" and pe.signatures [ i ] . serial == "28:88:cf:0f:95:3a:4a:36:40:ee:4c:fc:63:04:d9:d4" and 1608024974 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43292,13 +43292,13 @@ rule REVERSINGLABS_Cert_Blocklist_C8Edcfe8Be174C2F204D858C5B91Dea5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "92baa26f-1352-53ed-bb9f-0a632e471dd5" + id = "702f3959-4902-53ba-a614-ac6b9b6a7bbf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7882-L7900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b3e6927abfce69548374bfd430a3ae3a1c5a8d05f0f40e43091b4d12025c5b1a" + logic_hash = "v1_sha256_b3e6927abfce69548374bfd430a3ae3a1c5a8d05f0f40e43091b4d12025c5b1a" score = 75 quality = 90 tags = "INFO, FILE" @@ -43308,7 +43308,7 @@ rule REVERSINGLABS_Cert_Blocklist_C8Edcfe8Be174C2F204D858C5B91Dea5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Paarcopy Oy" and (pe.signatures[i].serial=="00:c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5" or pe.signatures[i].serial=="c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5") and 1608076800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Paarcopy Oy" and ( pe.signatures [ i ] . serial == "00:c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5" or pe.signatures [ i ] . serial == "c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5" ) and 1608076800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43317,13 +43317,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Faf8705A3Eaef9340800Cc4Fd38597C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d2988928-4ef3-56bf-a407-f735756c7f81" + id = "f888f349-cc02-513b-b4f8-6b3d84ec0c9d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7902-L7920" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "66a340f169e401705ba229d2d4548cef1a57bf1d2d320b108d12b2049b063b92" + logic_hash = "v1_sha256_66a340f169e401705ba229d2d4548cef1a57bf1d2d320b108d12b2049b063b92" score = 75 quality = 90 tags = "INFO, FILE" @@ -43333,7 +43333,7 @@ rule REVERSINGLABS_Cert_Blocklist_9Faf8705A3Eaef9340800Cc4Fd38597C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Tekhnokod LLC" and (pe.signatures[i].serial=="00:9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c" or pe.signatures[i].serial=="9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c") and 1605744000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Tekhnokod LLC" and ( pe.signatures [ i ] . serial == "00:9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c" or pe.signatures [ i ] . serial == "9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c" ) and 1605744000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43342,13 +43342,13 @@ rule REVERSINGLABS_Cert_Blocklist_0940Fa9A4080F35052B2077333769C2F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "358391b7-649b-5792-b4bd-d97b388c5d12" + id = "88f81b92-a692-51d1-aa24-678d4d737149" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7922-L7938" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "45636ea33751fea61572539fe6f28bccd05df9b6b9e7f2d77bb738f7c69c53a2" + logic_hash = "v1_sha256_45636ea33751fea61572539fe6f28bccd05df9b6b9e7f2d77bb738f7c69c53a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -43358,7 +43358,7 @@ rule REVERSINGLABS_Cert_Blocklist_0940Fa9A4080F35052B2077333769C2F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PROFF LAIN, OOO" and pe.signatures[i].serial=="09:40:fa:9a:40:80:f3:50:52:b2:07:73:33:76:9c:2f" and 1603497600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PROFF LAIN, OOO" and pe.signatures [ i ] . serial == "09:40:fa:9a:40:80:f3:50:52:b2:07:73:33:76:9c:2f" and 1603497600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43367,13 +43367,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ea720222D92Dc8D48E3B3C3B0Fc360A6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8415406b-ede8-5404-8208-34eb649f7325" + id = "d318623b-67f0-5e89-b241-e2330f4433fb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7940-L7958" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c60e1ccf178f03f930a3bc41e9a92be20df0362f067ed1fcfc7c93627a056d75" + logic_hash = "v1_sha256_c60e1ccf178f03f930a3bc41e9a92be20df0362f067ed1fcfc7c93627a056d75" score = 75 quality = 90 tags = "INFO, FILE" @@ -43383,7 +43383,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ea720222D92Dc8D48E3B3C3B0Fc360A6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CAVANAGH NETS LIMITED" and (pe.signatures[i].serial=="00:ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6" or pe.signatures[i].serial=="ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6") and 1608640280<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CAVANAGH NETS LIMITED" and ( pe.signatures [ i ] . serial == "00:ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6" or pe.signatures [ i ] . serial == "ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6" ) and 1608640280 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43392,13 +43392,13 @@ rule REVERSINGLABS_Cert_Blocklist_4743E140C05B33F0449023946Bd05Acb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f783bad3-f350-5a74-8e3f-5b7220e4de8f" + id = "72753fbf-e9b7-525c-894f-e960080736cd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7960-L7976" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "69ce1512d7df4926ee2b470b18fbe51a2aa81e07b37b2536617d6353045e0d19" + logic_hash = "v1_sha256_69ce1512d7df4926ee2b470b18fbe51a2aa81e07b37b2536617d6353045e0d19" score = 75 quality = 90 tags = "INFO, FILE" @@ -43408,7 +43408,7 @@ rule REVERSINGLABS_Cert_Blocklist_4743E140C05B33F0449023946Bd05Acb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "STROI RENOV SARL" and pe.signatures[i].serial=="47:43:e1:40:c0:5b:33:f0:44:90:23:94:6b:d0:5a:cb" and 1607644800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "STROI RENOV SARL" and pe.signatures [ i ] . serial == "47:43:e1:40:c0:5b:33:f0:44:90:23:94:6b:d0:5a:cb" and 1607644800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43417,13 +43417,13 @@ rule REVERSINGLABS_Cert_Blocklist_A496Bc774575C31Abec861B68C36Dcb6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "51941c0d-a7a1-5c17-bef8-290e5db66fb7" + id = "272be425-6aec-5075-b3a8-739922e8597d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7978-L7996" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f82214f982c9972e547f77966c44e935e9de701cc9108ceca34a4fede850d243" + logic_hash = "v1_sha256_f82214f982c9972e547f77966c44e935e9de701cc9108ceca34a4fede850d243" score = 75 quality = 90 tags = "INFO, FILE" @@ -43433,7 +43433,7 @@ rule REVERSINGLABS_Cert_Blocklist_A496Bc774575C31Abec861B68C36Dcb6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ORGLE DVORSAK, d.o.o" and (pe.signatures[i].serial=="00:a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6" or pe.signatures[i].serial=="a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6") and 1606867200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ORGLE DVORSAK, d.o.o" and ( pe.signatures [ i ] . serial == "00:a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6" or pe.signatures [ i ] . serial == "a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6" ) and 1606867200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43442,13 +43442,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A55C15F733Bf1633E9Ffae8A6E3B37D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "32cefe84-b305-5542-a5d3-1832dcbf6d61" + id = "849d3fa9-4cb9-5445-9b2a-d6ce5e231416" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7998-L8014" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "89ca9f1c5cf0b029748528d8c5bb65f89ee05877bfdc13b4ce3d2d3e7feafb5d" + logic_hash = "v1_sha256_89ca9f1c5cf0b029748528d8c5bb65f89ee05877bfdc13b4ce3d2d3e7feafb5d" score = 75 quality = 90 tags = "INFO, FILE" @@ -43458,7 +43458,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A55C15F733Bf1633E9Ffae8A6E3B37D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Osnova OOO" and pe.signatures[i].serial=="0a:55:c1:5f:73:3b:f1:63:3e:9f:fa:e8:a6:e3:b3:7d" and 1604016000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Osnova OOO" and pe.signatures [ i ] . serial == "0a:55:c1:5f:73:3b:f1:63:3e:9f:fa:e8:a6:e3:b3:7d" and 1604016000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43467,13 +43467,13 @@ rule REVERSINGLABS_Cert_Blocklist_C650Ae531100A91389A7F030228B3095 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5d506480-96ca-5e71-9fb2-185b2f8ddc6c" + id = "e5eef96b-65d1-55b6-80ed-c3dc1ced8d0a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8016-L8034" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "186b66283491cfebcaade57b1010ce4304c08ddb131153984210c2c7025961aa" + logic_hash = "v1_sha256_186b66283491cfebcaade57b1010ce4304c08ddb131153984210c2c7025961aa" score = 75 quality = 90 tags = "INFO, FILE" @@ -43483,7 +43483,7 @@ rule REVERSINGLABS_Cert_Blocklist_C650Ae531100A91389A7F030228B3095 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "POKEROWA STRUNA SP Z O O" and (pe.signatures[i].serial=="00:c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95" or pe.signatures[i].serial=="c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95") and 1606089600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "POKEROWA STRUNA SP Z O O" and ( pe.signatures [ i ] . serial == "00:c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95" or pe.signatures [ i ] . serial == "c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95" ) and 1606089600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43492,13 +43492,13 @@ rule REVERSINGLABS_Cert_Blocklist_3990362C34015Ce4C23Ecc3377Fd3C06 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "453b5da2-ae26-5005-8a56-1105a960fde6" + id = "6371f3d4-7afb-55d9-94f0-6afcb7260214" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8036-L8052" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0625800fcb166b56cab2e16d0d757983a6f880b68627ed8c3c38419dd9a32999" + logic_hash = "v1_sha256_0625800fcb166b56cab2e16d0d757983a6f880b68627ed8c3c38419dd9a32999" score = 75 quality = 90 tags = "INFO, FILE" @@ -43508,7 +43508,7 @@ rule REVERSINGLABS_Cert_Blocklist_3990362C34015Ce4C23Ecc3377Fd3C06 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RZOH ApS" and pe.signatures[i].serial=="39:90:36:2c:34:01:5c:e4:c2:3e:cc:33:77:fd:3c:06" and 1606780800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RZOH ApS" and pe.signatures [ i ] . serial == "39:90:36:2c:34:01:5c:e4:c2:3e:cc:33:77:fd:3c:06" and 1606780800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43517,13 +43517,13 @@ rule REVERSINGLABS_Cert_Blocklist_121Fca3Cfa4Bd011669F5Cc4E053Aa3F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ebc47e1e-e6fe-581c-86b3-22e2e67a0b81" + id = "2e4ba9f0-2a1f-5c0a-a59e-73eeaa98b4c1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8054-L8070" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1edd5be3f970202be15080cd7ef19c0cce7fcba73cb6120d7cb7d518e877cf85" + logic_hash = "v1_sha256_1edd5be3f970202be15080cd7ef19c0cce7fcba73cb6120d7cb7d518e877cf85" score = 75 quality = 90 tags = "INFO, FILE" @@ -43533,7 +43533,7 @@ rule REVERSINGLABS_Cert_Blocklist_121Fca3Cfa4Bd011669F5Cc4E053Aa3F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kymijoen Projektipalvelut Oy" and pe.signatures[i].serial=="12:1f:ca:3c:fa:4b:d0:11:66:9f:5c:c4:e0:53:aa:3f" and 1606953600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kymijoen Projektipalvelut Oy" and pe.signatures [ i ] . serial == "12:1f:ca:3c:fa:4b:d0:11:66:9f:5c:c4:e0:53:aa:3f" and 1606953600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43542,13 +43542,13 @@ rule REVERSINGLABS_Cert_Blocklist_D338F8A490E37E6C2Be80A0E349929Fa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "93ca450e-7278-5c6c-aba8-e90728570e0c" + id = "05925b7d-d54c-5e2e-b86c-0466d3d56b0e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8072-L8090" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "39d9695803e96508b5ad12a7d9f8b65d13288dbe94b21a4952e096dd576e11ce" + logic_hash = "v1_sha256_39d9695803e96508b5ad12a7d9f8b65d13288dbe94b21a4952e096dd576e11ce" score = 75 quality = 90 tags = "INFO, FILE" @@ -43558,7 +43558,7 @@ rule REVERSINGLABS_Cert_Blocklist_D338F8A490E37E6C2Be80A0E349929Fa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SAGUARO ApS" and (pe.signatures[i].serial=="00:d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa" or pe.signatures[i].serial=="d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa") and 1607558400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SAGUARO ApS" and ( pe.signatures [ i ] . serial == "00:d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa" or pe.signatures [ i ] . serial == "d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa" ) and 1607558400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43567,13 +43567,13 @@ rule REVERSINGLABS_Cert_Blocklist_2C1Ee9B583310B5E34A1Ee6945A34B26 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "70fc063e-f032-5e63-ae53-65a25d5a29c3" + id = "1ccc0dfe-5436-5bde-9243-5a70cc748946" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8092-L8108" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7752e49e8848863d78c5de03c3d194498765d80da00a84c5164c7a9010d13474" + logic_hash = "v1_sha256_7752e49e8848863d78c5de03c3d194498765d80da00a84c5164c7a9010d13474" score = 75 quality = 90 tags = "INFO, FILE" @@ -43583,7 +43583,7 @@ rule REVERSINGLABS_Cert_Blocklist_2C1Ee9B583310B5E34A1Ee6945A34B26 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Artmarket" and pe.signatures[i].serial=="2c:1e:e9:b5:83:31:0b:5e:34:a1:ee:69:45:a3:4b:26" and 1607558400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Artmarket" and pe.signatures [ i ] . serial == "2c:1e:e9:b5:83:31:0b:5e:34:a1:ee:69:45:a3:4b:26" and 1607558400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43592,13 +43592,13 @@ rule REVERSINGLABS_Cert_Blocklist_D875B3E3F2Db6C3Eb426E24946066111 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4aedeb77-181b-5422-bec4-93c84412bae4" + id = "0157634c-26ee-5caf-a9bd-b741c293040c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8110-L8128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9e181271d46c828b9ec266331e077b3b4891a193c71173447da383fad91ae878" + logic_hash = "v1_sha256_9e181271d46c828b9ec266331e077b3b4891a193c71173447da383fad91ae878" score = 75 quality = 90 tags = "INFO, FILE" @@ -43608,7 +43608,7 @@ rule REVERSINGLABS_Cert_Blocklist_D875B3E3F2Db6C3Eb426E24946066111 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kubit LLC" and (pe.signatures[i].serial=="00:d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11" or pe.signatures[i].serial=="d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11") and 1606953600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kubit LLC" and ( pe.signatures [ i ] . serial == "00:d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11" or pe.signatures [ i ] . serial == "d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11" ) and 1606953600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43617,13 +43617,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ad0A958Cdf188Bed43154A54Bf23Afba : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "183d9d02-885b-5f2f-b455-dd72af7bc5a6" + id = "24e8cf1c-d69b-5200-aeab-ee99cd82c349" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8130-L8148" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "07e53e59f90aa3cd3a98dbca2627672606f6c6f8f3bda8456e32122463729c4b" + logic_hash = "v1_sha256_07e53e59f90aa3cd3a98dbca2627672606f6c6f8f3bda8456e32122463729c4b" score = 75 quality = 90 tags = "INFO, FILE" @@ -43633,7 +43633,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ad0A958Cdf188Bed43154A54Bf23Afba : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RHM Ltd" and (pe.signatures[i].serial=="00:ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba" or pe.signatures[i].serial=="ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba") and 1612915200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RHM Ltd" and ( pe.signatures [ i ] . serial == "00:ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba" or pe.signatures [ i ] . serial == "ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba" ) and 1612915200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43642,13 +43642,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Cee26C125B8C188F316C3Fa78D9C2F1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "79989b9b-60e4-577d-97e2-cb447c38baf3" + id = "8d6f8d4e-b7ff-508c-aa36-8a0b296d5bb0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8150-L8166" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5c64f8e40c31822ce8d2e34f96ccc977085e429f0c068a5f6b44099117837de1" + logic_hash = "v1_sha256_5c64f8e40c31822ce8d2e34f96ccc977085e429f0c068a5f6b44099117837de1" score = 75 quality = 90 tags = "INFO, FILE" @@ -43658,7 +43658,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Cee26C125B8C188F316C3Fa78D9C2F1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Bitubit LLC" and pe.signatures[i].serial=="3c:ee:26:c1:25:b8:c1:88:f3:16:c3:fa:78:d9:c2:f1" and 1606435200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Bitubit LLC" and pe.signatures [ i ] . serial == "3c:ee:26:c1:25:b8:c1:88:f3:16:c3:fa:78:d9:c2:f1" and 1606435200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43667,13 +43667,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C687A0022C36F89E253F91D1F6954E2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c45a2125-dd7c-5ff1-89a8-35cbe1d924d7" + id = "b8b8af69-a7f3-5fb0-9233-c78a432ac795" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8168-L8184" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "287c0c7a25e33e0e7def6efa23dbd2efba7c4ac3aa8f5deb8568a60a95e08bbe" + logic_hash = "v1_sha256_287c0c7a25e33e0e7def6efa23dbd2efba7c4ac3aa8f5deb8568a60a95e08bbe" score = 75 quality = 90 tags = "INFO, FILE" @@ -43683,7 +43683,7 @@ rule REVERSINGLABS_Cert_Blocklist_4C687A0022C36F89E253F91D1F6954E2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HETCO ApS" and pe.signatures[i].serial=="4c:68:7a:00:22:c3:6f:89:e2:53:f9:1d:1f:69:54:e2" and 1606780800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HETCO ApS" and pe.signatures [ i ] . serial == "4c:68:7a:00:22:c3:6f:89:e2:53:f9:1d:1f:69:54:e2" and 1606780800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43692,13 +43692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ca646B4275406Df639Cf603756F63D77 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b176b7f8-e3d1-593c-91c3-03e781f6ef7b" + id = "251b669d-e2fe-565d-90b0-28890842e81a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8186-L8204" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a690e3f6a656835984e47d999271fe441a5fbf424208da8d5b3c9ddcef47b70e" + logic_hash = "v1_sha256_a690e3f6a656835984e47d999271fe441a5fbf424208da8d5b3c9ddcef47b70e" score = 75 quality = 90 tags = "INFO, FILE" @@ -43708,7 +43708,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ca646B4275406Df639Cf603756F63D77 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SHOECORP LIMITED" and (pe.signatures[i].serial=="00:ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77" or pe.signatures[i].serial=="ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77") and 1605830400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SHOECORP LIMITED" and ( pe.signatures [ i ] . serial == "00:ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77" or pe.signatures [ i ] . serial == "ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77" ) and 1605830400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43717,13 +43717,13 @@ rule REVERSINGLABS_Cert_Blocklist_Addbec454B5479Cabd940A72Df4500Af : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f2488d44-5a9a-5ab6-be6f-f3444f72444a" + id = "b2f37561-38bd-59c3-9b19-13ad83a706d1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8206-L8224" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "799629791646c524d170b900339b87474aed73b7156a8c4dd20f7c13cbe97929" + logic_hash = "v1_sha256_799629791646c524d170b900339b87474aed73b7156a8c4dd20f7c13cbe97929" score = 75 quality = 90 tags = "INFO, FILE" @@ -43733,7 +43733,7 @@ rule REVERSINGLABS_Cert_Blocklist_Addbec454B5479Cabd940A72Df4500Af : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SHAT LIMITED" and (pe.signatures[i].serial=="00:ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af" or pe.signatures[i].serial=="ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af") and 1612828800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SHAT LIMITED" and ( pe.signatures [ i ] . serial == "00:ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af" or pe.signatures [ i ] . serial == "ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af" ) and 1612828800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43742,13 +43742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ac307E5257Bb814B818D3633B630326F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c33d798a-854c-5fab-afbe-e94d142befa7" + id = "863241ce-ecaa-5aff-bfb3-bd0b5ac8ea5e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8226-L8244" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "10819bd2194fface6db812f8c6770c306c183386d2d9ba97467a5b55fd997194" + logic_hash = "v1_sha256_10819bd2194fface6db812f8c6770c306c183386d2d9ba97467a5b55fd997194" score = 75 quality = 90 tags = "INFO, FILE" @@ -43758,7 +43758,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ac307E5257Bb814B818D3633B630326F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Aqua Direct s.r.o." and (pe.signatures[i].serial=="00:ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f" or pe.signatures[i].serial=="ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f") and 1606089600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Aqua Direct s.r.o." and ( pe.signatures [ i ] . serial == "00:ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f" or pe.signatures [ i ] . serial == "ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f" ) and 1606089600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43767,13 +43767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0D83E7F47189Cdbfc7Fa3E5F58882329 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d6bda332-06fc-5b1a-99fb-fc9578dc5326" + id = "5a075334-2608-5dce-86dd-3f4cecf148ec" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8246-L8262" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b344f9fd6d8378b7d77a34b14c5f37eea253f3d13a8eb0777925f195fb3cf502" + logic_hash = "v1_sha256_b344f9fd6d8378b7d77a34b14c5f37eea253f3d13a8eb0777925f195fb3cf502" score = 75 quality = 90 tags = "INFO, FILE" @@ -43783,7 +43783,7 @@ rule REVERSINGLABS_Cert_Blocklist_0D83E7F47189Cdbfc7Fa3E5F58882329 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "THE WIZARD GIFT CORPORATION" and pe.signatures[i].serial=="0d:83:e7:f4:71:89:cd:bf:c7:fa:3e:5f:58:88:23:29" and 1605830400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "THE WIZARD GIFT CORPORATION" and pe.signatures [ i ] . serial == "0d:83:e7:f4:71:89:cd:bf:c7:fa:3e:5f:58:88:23:29" and 1605830400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43792,13 +43792,13 @@ rule REVERSINGLABS_Cert_Blocklist_58Aa64564A50E8B2D6E31D5Cd6250Fde : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "00e096f6-2955-5936-9a75-f537c2da3621" + id = "d6085b1b-ed30-508a-b4f1-88e165230881" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8264-L8280" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f6b50ebf707b67650fe832d81c6fe8d2411cd83432ef94432d181db0c29aa48b" + logic_hash = "v1_sha256_f6b50ebf707b67650fe832d81c6fe8d2411cd83432ef94432d181db0c29aa48b" score = 75 quality = 90 tags = "INFO, FILE" @@ -43808,7 +43808,7 @@ rule REVERSINGLABS_Cert_Blocklist_58Aa64564A50E8B2D6E31D5Cd6250Fde : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Foreground" and pe.signatures[i].serial=="58:aa:64:56:4a:50:e8:b2:d6:e3:1d:5c:d6:25:0f:de" and 1609002028<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Foreground" and pe.signatures [ i ] . serial == "58:aa:64:56:4a:50:e8:b2:d6:e3:1d:5c:d6:25:0f:de" and 1609002028 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43817,13 +43817,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Aa0Ae245B487C8926C88Ee6D736D1Ca : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d2d61fd7-2392-5d75-9c5b-4e4fddfc7a83" + id = "302f4685-6b40-54b5-9e8c-27f07f10a385" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8282-L8298" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5a362175600552983ae838ca18aa378dc748b8b68bd8b67a9387794d983ed1a2" + logic_hash = "v1_sha256_5a362175600552983ae838ca18aa378dc748b8b68bd8b67a9387794d983ed1a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -43833,7 +43833,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Aa0Ae245B487C8926C88Ee6D736D1Ca : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PILOTE SPRL" and pe.signatures[i].serial=="2a:a0:ae:24:5b:48:7c:89:26:c8:8e:e6:d7:36:d1:ca" and 1612262280<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PILOTE SPRL" and pe.signatures [ i ] . serial == "2a:a0:ae:24:5b:48:7c:89:26:c8:8e:e6:d7:36:d1:ca" and 1612262280 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43842,13 +43842,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Aec3D3F752A38617C1D7A677D0B5591 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "02f2bf36-e573-502c-8ecc-843a6e627c2b" + id = "fea0592d-c3f2-561f-9e18-c08ea85e991a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8300-L8316" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b299833a19944ca6943ba9c974ec95369c57cd61acc8b2e1b5310edd077762c2" + logic_hash = "v1_sha256_b299833a19944ca6943ba9c974ec95369c57cd61acc8b2e1b5310edd077762c2" score = 75 quality = 90 tags = "INFO, FILE" @@ -43858,7 +43858,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Aec3D3F752A38617C1D7A677D0B5591 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SILVER d.o.o." and pe.signatures[i].serial=="1a:ec:3d:3f:75:2a:38:61:7c:1d:7a:67:7d:0b:55:91" and 1611705600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SILVER d.o.o." and pe.signatures [ i ] . serial == "1a:ec:3d:3f:75:2a:38:61:7c:1d:7a:67:7d:0b:55:91" and 1611705600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43867,13 +43867,13 @@ rule REVERSINGLABS_Cert_Blocklist_A7E1Dc5352C3852C5523030F57F2425C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a2795796-2897-55ad-936c-456c3b93bf14" + id = "58488ca8-d1a5-54c0-bd78-57e6025cc819" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8318-L8336" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "79c42c9a4eeeb69a62a16590e2b0b63818785509a40d543c7efe27ec6baaa19e" + logic_hash = "v1_sha256_79c42c9a4eeeb69a62a16590e2b0b63818785509a40d543c7efe27ec6baaa19e" score = 75 quality = 90 tags = "INFO, FILE" @@ -43883,7 +43883,7 @@ rule REVERSINGLABS_Cert_Blocklist_A7E1Dc5352C3852C5523030F57F2425C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Pushka LLC" and (pe.signatures[i].serial=="00:a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c" or pe.signatures[i].serial=="a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c") and 1611792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Pushka LLC" and ( pe.signatures [ i ] . serial == "00:a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c" or pe.signatures [ i ] . serial == "a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c" ) and 1611792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43892,13 +43892,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bbd4Dc3768A51Aa2B3059C1Bad569276 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ee861c79-fea2-5931-873d-b76e5bdef593" + id = "28e4f24a-7973-5ffb-8223-c89ccf73351d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8338-L8356" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f336570834e0663c6e589fa22b3541f4f79c40ff945dd91f1fd1258a96adeceb" + logic_hash = "v1_sha256_f336570834e0663c6e589fa22b3541f4f79c40ff945dd91f1fd1258a96adeceb" score = 75 quality = 90 tags = "INFO, FILE" @@ -43908,7 +43908,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bbd4Dc3768A51Aa2B3059C1Bad569276 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "JJ ELECTRICAL SERVICES LIMITED" and (pe.signatures[i].serial=="00:bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76" or pe.signatures[i].serial=="bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76") and 1607472000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "JJ ELECTRICAL SERVICES LIMITED" and ( pe.signatures [ i ] . serial == "00:bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76" or pe.signatures [ i ] . serial == "bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76" ) and 1607472000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43917,13 +43917,13 @@ rule REVERSINGLABS_Cert_Blocklist_08622B9Dd9D78E67678Ecc21E026522E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "66d942c7-ceb9-54e5-bccc-1adf641fd70e" + id = "f186d873-7485-5d73-ac59-b91d986f66b3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8358-L8374" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "09507b09b035195b74434f56041588f67245fa097183228dffc612bb4901825b" + logic_hash = "v1_sha256_09507b09b035195b74434f56041588f67245fa097183228dffc612bb4901825b" score = 75 quality = 90 tags = "INFO, FILE" @@ -43933,7 +43933,7 @@ rule REVERSINGLABS_Cert_Blocklist_08622B9Dd9D78E67678Ecc21E026522E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kayak Republic af 2015 APS" and pe.signatures[i].serial=="08:62:2b:9d:d9:d7:8e:67:67:8e:cc:21:e0:26:52:2e" and 1611619200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kayak Republic af 2015 APS" and pe.signatures [ i ] . serial == "08:62:2b:9d:d9:d7:8e:67:67:8e:cc:21:e0:26:52:2e" and 1611619200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43942,13 +43942,13 @@ rule REVERSINGLABS_Cert_Blocklist_E69A6De0074Ece38C2F30F0D4A808456 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "17571f1e-1dce-5216-8f45-467e5d77ccf1" + id = "d2387e7e-d2af-5678-9b64-6c596ecda458" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8376-L8394" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "21d8641d2394120847044f0e6f4d868095a1e30c0b594a3d045877ab9b3808a1" + logic_hash = "v1_sha256_21d8641d2394120847044f0e6f4d868095a1e30c0b594a3d045877ab9b3808a1" score = 75 quality = 90 tags = "INFO, FILE" @@ -43958,7 +43958,7 @@ rule REVERSINGLABS_Cert_Blocklist_E69A6De0074Ece38C2F30F0D4A808456 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Semantic" and (pe.signatures[i].serial=="00:e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56" or pe.signatures[i].serial=="e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56") and 1611532800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Semantic" and ( pe.signatures [ i ] . serial == "00:e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56" or pe.signatures [ i ] . serial == "e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56" ) and 1611532800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43967,13 +43967,13 @@ rule REVERSINGLABS_Cert_Blocklist_8385684419Ab26A3F2640B1496E1Fe94 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "03e861a0-156e-5366-a312-dc2aa73b0393" + id = "341e483e-73ae-52a4-a6ca-9337addea867" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8396-L8414" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "24f75badc335160a8053a4c7e8bbd8ddbd3266c3a18059a937d5989df97ae9d9" + logic_hash = "v1_sha256_24f75badc335160a8053a4c7e8bbd8ddbd3266c3a18059a937d5989df97ae9d9" score = 75 quality = 90 tags = "INFO, FILE" @@ -43983,7 +43983,7 @@ rule REVERSINGLABS_Cert_Blocklist_8385684419Ab26A3F2640B1496E1Fe94 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CAUSE FOR CHANGE LTD" and (pe.signatures[i].serial=="00:83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94" or pe.signatures[i].serial=="83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94") and 1612137600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CAUSE FOR CHANGE LTD" and ( pe.signatures [ i ] . serial == "00:83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94" or pe.signatures [ i ] . serial == "83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94" ) and 1612137600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -43992,13 +43992,13 @@ rule REVERSINGLABS_Cert_Blocklist_21E3Cae5B77C41528658Ada08509C392 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fdb1903b-15c1-5cb7-892f-58957303d3b4" + id = "730833d4-db48-5890-b44a-ae80c9e3ad71" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8416-L8432" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2e24ed0bd0bf3c36cae4bf106a2c17386bfb58b76372068be9745c2d501f30fc" + logic_hash = "v1_sha256_2e24ed0bd0bf3c36cae4bf106a2c17386bfb58b76372068be9745c2d501f30fc" score = 75 quality = 90 tags = "INFO, FILE" @@ -44008,7 +44008,7 @@ rule REVERSINGLABS_Cert_Blocklist_21E3Cae5B77C41528658Ada08509C392 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Network Design International Holdings Limited" and pe.signatures[i].serial=="21:e3:ca:e5:b7:7c:41:52:86:58:ad:a0:85:09:c3:92" and 1609233559<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Network Design International Holdings Limited" and pe.signatures [ i ] . serial == "21:e3:ca:e5:b7:7c:41:52:86:58:ad:a0:85:09:c3:92" and 1609233559 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44017,13 +44017,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Abd2Eef14D480Dfea9Ca9Fdd823Cf03 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d6cb1371-113d-5155-aed2-c575321f0973" + id = "e8d0936e-8189-5f6f-a6ea-b4c034780854" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8434-L8450" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2dfc220c44d3dda28a253e5115ae9a087b6ddbf1a7ca1e9bcae5bd9ac5b2e1a0" + logic_hash = "v1_sha256_2dfc220c44d3dda28a253e5115ae9a087b6ddbf1a7ca1e9bcae5bd9ac5b2e1a0" score = 75 quality = 90 tags = "INFO, FILE" @@ -44033,7 +44033,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Abd2Eef14D480Dfea9Ca9Fdd823Cf03 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BE SOL d.o.o." and pe.signatures[i].serial=="2a:bd:2e:ef:14:d4:80:df:ea:9c:a9:fd:d8:23:cf:03" and 1611100800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BE SOL d.o.o." and pe.signatures [ i ] . serial == "2a:bd:2e:ef:14:d4:80:df:ea:9c:a9:fd:d8:23:cf:03" and 1611100800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44042,13 +44042,13 @@ rule REVERSINGLABS_Cert_Blocklist_86909B91F07F9316984D888D1E28Ab76 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3cde0016-14d8-5b3a-860e-f5128f899542" + id = "f2518af1-f3e2-5097-87aa-ba404b12ba83" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8452-L8470" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "abd84492ed008125688a53e20d51780fa0b8c2309dcf751ff76a03d6f337beaa" + logic_hash = "v1_sha256_abd84492ed008125688a53e20d51780fa0b8c2309dcf751ff76a03d6f337beaa" score = 75 quality = 90 tags = "INFO, FILE" @@ -44058,7 +44058,7 @@ rule REVERSINGLABS_Cert_Blocklist_86909B91F07F9316984D888D1E28Ab76 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Dantherm Intelligent Monitoring A/S" and (pe.signatures[i].serial=="00:86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76" or pe.signatures[i].serial=="86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76") and 1611273600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Dantherm Intelligent Monitoring A/S" and ( pe.signatures [ i ] . serial == "00:86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76" or pe.signatures [ i ] . serial == "86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76" ) and 1611273600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44067,13 +44067,13 @@ rule REVERSINGLABS_Cert_Blocklist_D1B8F1Fe56381Befdb2E73Ffef2A4B28 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "226371ea-670f-52f2-8dfc-78b30a29a5cc" + id = "a1bc09ab-3a56-576d-9b2b-cb30ba0cae57" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8472-L8490" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c118cb46914e7a6df8dd33dd14d5f9cf2692d98311503ec850cc66f02c20839e" + logic_hash = "v1_sha256_c118cb46914e7a6df8dd33dd14d5f9cf2692d98311503ec850cc66f02c20839e" score = 75 quality = 90 tags = "INFO, FILE" @@ -44083,7 +44083,7 @@ rule REVERSINGLABS_Cert_Blocklist_D1B8F1Fe56381Befdb2E73Ffef2A4B28 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Sein\\xC3\\xA4joen Squash ja Bowling Oy" and (pe.signatures[i].serial=="00:d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28" or pe.signatures[i].serial=="d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28") and 1617667200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Sein\\xC3\\xA4joen Squash ja Bowling Oy" and ( pe.signatures [ i ] . serial == "00:d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28" or pe.signatures [ i ] . serial == "d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28" ) and 1617667200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44092,13 +44092,13 @@ rule REVERSINGLABS_Cert_Blocklist_D4Ef1Ab6Ab5D3Cb35E4Efb7984Def7A2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "41b2e05f-1dcd-5ebc-97da-275512deaf72" + id = "f2dbfdb3-6dd9-5b25-8ae5-81099d3edf90" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8492-L8510" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ecc2f6bfda1a0afd016f0a5183c0d1cdfe5d5e06c893a7d9a3d7cb7f9bc4bf16" + logic_hash = "v1_sha256_ecc2f6bfda1a0afd016f0a5183c0d1cdfe5d5e06c893a7d9a3d7cb7f9bc4bf16" score = 75 quality = 90 tags = "INFO, FILE" @@ -44108,7 +44108,7 @@ rule REVERSINGLABS_Cert_Blocklist_D4Ef1Ab6Ab5D3Cb35E4Efb7984Def7A2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "REIGN BROS ApS" and (pe.signatures[i].serial=="00:d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2" or pe.signatures[i].serial=="d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2") and 1611187200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "REIGN BROS ApS" and ( pe.signatures [ i ] . serial == "00:d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2" or pe.signatures [ i ] . serial == "d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2" ) and 1611187200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44117,13 +44117,13 @@ rule REVERSINGLABS_Cert_Blocklist_066276Af2F2C7E246D3B1Cab1B4Aa42E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "97f791d5-7a73-5da7-984e-32bb94d0e83f" + id = "a8423f22-a442-5500-b963-e511116dd148" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8512-L8528" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "30d4fa2cbc75d3a6258cdf0374159f25ea152c39784f8b7e9c461978df865dc0" + logic_hash = "v1_sha256_30d4fa2cbc75d3a6258cdf0374159f25ea152c39784f8b7e9c461978df865dc0" score = 75 quality = 90 tags = "INFO, FILE" @@ -44133,7 +44133,7 @@ rule REVERSINGLABS_Cert_Blocklist_066276Af2F2C7E246D3B1Cab1B4Aa42E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "IQ Trade ApS" and pe.signatures[i].serial=="06:62:76:af:2f:2c:7e:24:6d:3b:1c:ab:1b:4a:a4:2e" and 1616630400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "IQ Trade ApS" and pe.signatures [ i ] . serial == "06:62:76:af:2f:2c:7e:24:6d:3b:1c:ab:1b:4a:a4:2e" and 1616630400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44142,13 +44142,13 @@ rule REVERSINGLABS_Cert_Blocklist_65Cd323C2483668B90A44A711D2A6B98 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e2ed910d-2264-58c1-a1a0-3c131020a2cf" + id = "6a1059af-af43-5558-aaf9-2eaea84a4283" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8530-L8546" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "653aff6f3913f1bf51e90e7a835dbb5441457175797cefdddd234a6c2c0f11ad" + logic_hash = "v1_sha256_653aff6f3913f1bf51e90e7a835dbb5441457175797cefdddd234a6c2c0f11ad" score = 75 quality = 90 tags = "INFO, FILE" @@ -44158,7 +44158,7 @@ rule REVERSINGLABS_Cert_Blocklist_65Cd323C2483668B90A44A711D2A6B98 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Giperion" and pe.signatures[i].serial=="65:cd:32:3c:24:83:66:8b:90:a4:4a:71:1d:2a:6b:98" and 1602547200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Giperion" and pe.signatures [ i ] . serial == "65:cd:32:3c:24:83:66:8b:90:a4:4a:71:1d:2a:6b:98" and 1602547200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44167,13 +44167,13 @@ rule REVERSINGLABS_Cert_Blocklist_5A17D5De74Fd8F09Df596Df3123139Bb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4a3ffa4a-c080-5d76-9655-010cde091ae2" + id = "678a3c0c-64ab-5f00-86aa-ff1485e1d505" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8548-L8564" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7ed62740fe191d961ad32b2a79463cc9cbce557ea757e413860f7b4974904c03" + logic_hash = "v1_sha256_7ed62740fe191d961ad32b2a79463cc9cbce557ea757e413860f7b4974904c03" score = 75 quality = 90 tags = "INFO, FILE" @@ -44183,7 +44183,7 @@ rule REVERSINGLABS_Cert_Blocklist_5A17D5De74Fd8F09Df596Df3123139Bb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ACTA FIS d.o.o." and pe.signatures[i].serial=="5a:17:d5:de:74:fd:8f:09:df:59:6d:f3:12:31:39:bb" and 1611273600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ACTA FIS d.o.o." and pe.signatures [ i ] . serial == "5a:17:d5:de:74:fd:8f:09:df:59:6d:f3:12:31:39:bb" and 1611273600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44192,13 +44192,13 @@ rule REVERSINGLABS_Cert_Blocklist_15Da61D7E1A631803431561674Fb9B90 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "07518dc2-bd6c-5a4c-b537-68f5a462cdc2" + id = "1ef26a79-29f9-519b-abbf-ea8618b184ef" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8566-L8582" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "75d2c3b47fe9c863812f2c98fc565af9050b909a03528e2ea4a96542a3ec0c0d" + logic_hash = "v1_sha256_75d2c3b47fe9c863812f2c98fc565af9050b909a03528e2ea4a96542a3ec0c0d" score = 75 quality = 90 tags = "INFO, FILE" @@ -44208,7 +44208,7 @@ rule REVERSINGLABS_Cert_Blocklist_15Da61D7E1A631803431561674Fb9B90 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "JAY DANCE STUDIO d.o.o." and pe.signatures[i].serial=="15:da:61:d7:e1:a6:31:80:34:31:56:16:74:fb:9b:90" and 1610668800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "JAY DANCE STUDIO d.o.o." and pe.signatures [ i ] . serial == "15:da:61:d7:e1:a6:31:80:34:31:56:16:74:fb:9b:90" and 1610668800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44217,13 +44217,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Ab21306B11Ff280A93Fc445876988Ab : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "656bb2a6-bb41-5190-af10-280351e64c66" + id = "1a3b5130-8d6d-51d0-bb3b-69d97e65d28d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8584-L8600" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0cda954aa807336a6737716d0fa43d696376c240ab7be9d8477baf8800604bf1" + logic_hash = "v1_sha256_0cda954aa807336a6737716d0fa43d696376c240ab7be9d8477baf8800604bf1" score = 75 quality = 90 tags = "INFO, FILE" @@ -44233,7 +44233,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Ab21306B11Ff280A93Fc445876988Ab : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ABC BIOS d.o.o." and pe.signatures[i].serial=="7a:b2:13:06:b1:1f:f2:80:a9:3f:c4:45:87:69:88:ab" and 1611014400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ABC BIOS d.o.o." and pe.signatures [ i ] . serial == "7a:b2:13:06:b1:1f:f2:80:a9:3f:c4:45:87:69:88:ab" and 1611014400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44242,13 +44242,13 @@ rule REVERSINGLABS_Cert_Blocklist_634E16E38F12E9A71Aca08E4C6B2Dbb9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4aa7bea7-06fb-5d90-bac4-c8ca1ca5c02f" + id = "be400dee-54c0-54c1-a20a-9c4376c7cc2c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8602-L8618" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "08950f276e5cf3fe4b5f7421ba671dfd72585aac3bbed7868fdb0e5aa90ec10e" + logic_hash = "v1_sha256_08950f276e5cf3fe4b5f7421ba671dfd72585aac3bbed7868fdb0e5aa90ec10e" score = 75 quality = 90 tags = "INFO, FILE" @@ -44258,7 +44258,7 @@ rule REVERSINGLABS_Cert_Blocklist_634E16E38F12E9A71Aca08E4C6B2Dbb9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AUTO RESPONSE LTD CYF" and pe.signatures[i].serial=="63:4e:16:e3:8f:12:e9:a7:1a:ca:08:e4:c6:b2:db:b9" and 1616112000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AUTO RESPONSE LTD CYF" and pe.signatures [ i ] . serial == "63:4e:16:e3:8f:12:e9:a7:1a:ca:08:e4:c6:b2:db:b9" and 1616112000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44267,13 +44267,13 @@ rule REVERSINGLABS_Cert_Blocklist_289051A83F350A2C600187C99B6C0A73 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "55497d57-7d4f-50e1-85a6-e60786084e3f" + id = "6b1b5584-d564-5e91-b131-d0f3a9ece262" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8620-L8636" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cd5d6f95f0cfdbf8d37ea78d061ce00512b6cb7c899152b1640673494d539dd1" + logic_hash = "v1_sha256_cd5d6f95f0cfdbf8d37ea78d061ce00512b6cb7c899152b1640673494d539dd1" score = 75 quality = 90 tags = "INFO, FILE" @@ -44283,7 +44283,7 @@ rule REVERSINGLABS_Cert_Blocklist_289051A83F350A2C600187C99B6C0A73 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HALL HAULAGE LTD LTD" and pe.signatures[i].serial=="28:90:51:a8:3f:35:0a:2c:60:01:87:c9:9b:6c:0a:73" and 1616716800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HALL HAULAGE LTD LTD" and pe.signatures [ i ] . serial == "28:90:51:a8:3f:35:0a:2c:60:01:87:c9:9b:6c:0a:73" and 1616716800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44292,13 +44292,13 @@ rule REVERSINGLABS_Cert_Blocklist_818631110B5D14331Dac7E6Ad998B902 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6a8f3abd-199c-5e2f-a60e-46e869831445" + id = "b0a0e69a-2644-5526-890d-4c5982e94ed8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8638-L8656" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5e0de3848adf933632c2eb8cf5ead61d6470237386ba8b48d57a278d99dba324" + logic_hash = "v1_sha256_5e0de3848adf933632c2eb8cf5ead61d6470237386ba8b48d57a278d99dba324" score = 75 quality = 90 tags = "INFO, FILE" @@ -44308,7 +44308,7 @@ rule REVERSINGLABS_Cert_Blocklist_818631110B5D14331Dac7E6Ad998B902 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "2 TOY GUYS LLC" and (pe.signatures[i].serial=="00:81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02" or pe.signatures[i].serial=="81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02") and 1571616000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "2 TOY GUYS LLC" and ( pe.signatures [ i ] . serial == "00:81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02" or pe.signatures [ i ] . serial == "81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02" ) and 1571616000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44317,13 +44317,13 @@ rule REVERSINGLABS_Cert_Blocklist_277Cd16De5D61B9398B645Afe41C09C7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d863faac-7b6e-5e1d-960f-8379347c6838" + id = "27967cb8-6026-5f8f-8090-2aeca34d0004" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8658-L8674" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "696467d699dec060b205f36f53dbe157b241823757d72798b35235d6530fd193" + logic_hash = "v1_sha256_696467d699dec060b205f36f53dbe157b241823757d72798b35235d6530fd193" score = 75 quality = 90 tags = "INFO, FILE" @@ -44333,7 +44333,7 @@ rule REVERSINGLABS_Cert_Blocklist_277Cd16De5D61B9398B645Afe41C09C7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "THE SIGN COMPANY LIMITED" and pe.signatures[i].serial=="27:7c:d1:6d:e5:d6:1b:93:98:b6:45:af:e4:1c:09:c7" and 1619049600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "THE SIGN COMPANY LIMITED" and pe.signatures [ i ] . serial == "27:7c:d1:6d:e5:d6:1b:93:98:b6:45:af:e4:1c:09:c7" and 1619049600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44342,13 +44342,13 @@ rule REVERSINGLABS_Cert_Blocklist_D0Eda76C13D30C97015708790Bb94214 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aa323bac-a9f5-560f-b44a-3cf2b26351bb" + id = "faa2e47c-3370-5de9-af17-a3f239ad1ba5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8676-L8694" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2112ebfb7c9ebbbccb20cefcd23bb49142da770feb16ee8eef5eb27646226785" + logic_hash = "v1_sha256_2112ebfb7c9ebbbccb20cefcd23bb49142da770feb16ee8eef5eb27646226785" score = 75 quality = 90 tags = "INFO, FILE" @@ -44358,7 +44358,7 @@ rule REVERSINGLABS_Cert_Blocklist_D0Eda76C13D30C97015708790Bb94214 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LAEN ApS" and (pe.signatures[i].serial=="00:d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14" or pe.signatures[i].serial=="d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14") and 1619136000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LAEN ApS" and ( pe.signatures [ i ] . serial == "00:d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14" or pe.signatures [ i ] . serial == "d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14" ) and 1619136000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44367,13 +44367,13 @@ rule REVERSINGLABS_Cert_Blocklist_6333Ed618F88A05B4D82Ad7Bf66Cb0Fa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c4d3603e-57e2-57df-a055-c43d449242c7" + id = "e696c6fa-2cc4-5ac9-9119-09db0063cac4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8696-L8712" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b088ac4b74a8cf3dddb67c8de2b7c3c5f537287a0454c0030c0eb4069c465c7d" + logic_hash = "v1_sha256_b088ac4b74a8cf3dddb67c8de2b7c3c5f537287a0454c0030c0eb4069c465c7d" score = 75 quality = 90 tags = "INFO, FILE" @@ -44383,7 +44383,7 @@ rule REVERSINGLABS_Cert_Blocklist_6333Ed618F88A05B4D82Ad7Bf66Cb0Fa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RHM LIMITED" and pe.signatures[i].serial=="63:33:ed:61:8f:88:a0:5b:4d:82:ad:7b:f6:6c:b0:fa" and 1616457600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RHM LIMITED" and pe.signatures [ i ] . serial == "63:33:ed:61:8f:88:a0:5b:4d:82:ad:7b:f6:6c:b0:fa" and 1616457600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44392,13 +44392,13 @@ rule REVERSINGLABS_Cert_Blocklist_3B777165B125Bccc181D0Bac3F5B55B3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f065e99f-9cce-55cb-a592-60b89c26028a" + id = "ed7f7ee9-78ec-5336-b438-f30e6201789d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8714-L8730" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "80aff3d6f45f5847d5d39b170b9d0e70168d02569ca6d86a2c39150399d290fc" + logic_hash = "v1_sha256_80aff3d6f45f5847d5d39b170b9d0e70168d02569ca6d86a2c39150399d290fc" score = 75 quality = 90 tags = "INFO, FILE" @@ -44408,7 +44408,7 @@ rule REVERSINGLABS_Cert_Blocklist_3B777165B125Bccc181D0Bac3F5B55B3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "STAND ALONE MUSIC LTD" and pe.signatures[i].serial=="3b:77:71:65:b1:25:bc:cc:18:1d:0b:ac:3f:5b:55:b3" and 1607299200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "STAND ALONE MUSIC LTD" and pe.signatures [ i ] . serial == "3b:77:71:65:b1:25:bc:cc:18:1d:0b:ac:3f:5b:55:b3" and 1607299200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44417,13 +44417,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B37Ac3479283B6F9D75Ddf0F8742D06 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cc124d3f-2446-57a2-a206-0a5e569fc703" + id = "c440013d-942a-5056-911b-67b7c0389a82" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8732-L8748" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b7abd389ac31cd970e6611c7c303714fdd658f45d4857ad524f5e8368edbb875" + logic_hash = "v1_sha256_b7abd389ac31cd970e6611c7c303714fdd658f45d4857ad524f5e8368edbb875" score = 75 quality = 90 tags = "INFO, FILE" @@ -44433,7 +44433,7 @@ rule REVERSINGLABS_Cert_Blocklist_5B37Ac3479283B6F9D75Ddf0F8742D06 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ART BOOK PHOTO s.r.o." and pe.signatures[i].serial=="5b:37:ac:34:79:28:3b:6f:9d:75:dd:f0:f8:74:2d:06" and 1619740800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ART BOOK PHOTO s.r.o." and pe.signatures [ i ] . serial == "5b:37:ac:34:79:28:3b:6f:9d:75:dd:f0:f8:74:2d:06" and 1619740800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44442,13 +44442,13 @@ rule REVERSINGLABS_Cert_Blocklist_3112C69D460C781Fd649C71E61Bfec82 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f4d2f240-49a7-51f3-8db1-1c569aa63177" + id = "b6b1a06c-a014-55cf-9201-ea672531a63f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8750-L8766" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ed31b0a24d18a451163867f0f49df12af3ca0768f250ac8ce66d41405393130d" + logic_hash = "v1_sha256_ed31b0a24d18a451163867f0f49df12af3ca0768f250ac8ce66d41405393130d" score = 75 quality = 90 tags = "INFO, FILE" @@ -44458,7 +44458,7 @@ rule REVERSINGLABS_Cert_Blocklist_3112C69D460C781Fd649C71E61Bfec82 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "KREATURHANDLER BJARNE ANDERSEN ApS" and pe.signatures[i].serial=="31:12:c6:9d:46:0c:78:1f:d6:49:c7:1e:61:bf:ec:82" and 1614902400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "KREATURHANDLER BJARNE ANDERSEN ApS" and pe.signatures [ i ] . serial == "31:12:c6:9d:46:0c:78:1f:d6:49:c7:1e:61:bf:ec:82" and 1614902400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44467,13 +44467,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A5B4F67Ad8B22Afc2Debe6Ce5F8F679 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7dd5ba42-2d04-52d7-b15a-2bdba2e742fb" + id = "14b2c6d6-7a44-5316-9653-c5bad26483b7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8768-L8784" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "938efb7ee19970484aded5cd46b2ff730f8882706bec3f062bdebde3cc9a4799" + logic_hash = "v1_sha256_938efb7ee19970484aded5cd46b2ff730f8882706bec3f062bdebde3cc9a4799" score = 75 quality = 90 tags = "INFO, FILE" @@ -44483,7 +44483,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A5B4F67Ad8B22Afc2Debe6Ce5F8F679 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Farad LLC" and pe.signatures[i].serial=="0a:5b:4f:67:ad:8b:22:af:c2:de:be:6c:e5:f8:f6:79" and 1607472000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Farad LLC" and pe.signatures [ i ] . serial == "0a:5b:4f:67:ad:8b:22:af:c2:de:be:6c:e5:f8:f6:79" and 1607472000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44492,13 +44492,13 @@ rule REVERSINGLABS_Cert_Blocklist_Df45B36C9D0Bd248C3F9494E7Ca822 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d7d0d1c4-b341-5651-8179-4035f537ba98" + id = "831ec8a5-9b0e-5409-a700-4db2eba0453e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8786-L8804" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9c03522376b0d807cd36a0641e474d770bc3b4f8221f26d232878d2d320d072b" + logic_hash = "v1_sha256_9c03522376b0d807cd36a0641e474d770bc3b4f8221f26d232878d2d320d072b" score = 75 quality = 90 tags = "INFO, FILE" @@ -44508,7 +44508,7 @@ rule REVERSINGLABS_Cert_Blocklist_Df45B36C9D0Bd248C3F9494E7Ca822 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MPO STORITVE d.o.o." and (pe.signatures[i].serial=="00:df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22" or pe.signatures[i].serial=="df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22") and 1619740800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MPO STORITVE d.o.o." and ( pe.signatures [ i ] . serial == "00:df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22" or pe.signatures [ i ] . serial == "df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22" ) and 1619740800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44517,13 +44517,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Ae3C4Eccecda2127D43Be390A850Dda : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a9d8906b-64f6-5c5d-80e0-ab916e83b613" + id = "cecfde0c-3737-5f70-a119-23d76c41f5d3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8806-L8822" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8a2ff4f7a5ac996127778b1670e79291bddcb5dee6e7da2b540fd254537ee27e" + logic_hash = "v1_sha256_8a2ff4f7a5ac996127778b1670e79291bddcb5dee6e7da2b540fd254537ee27e" score = 75 quality = 90 tags = "INFO, FILE" @@ -44533,7 +44533,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Ae3C4Eccecda2127D43Be390A850Dda : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PARTYNET LIMITED" and pe.signatures[i].serial=="1a:e3:c4:ec:ce:cd:a2:12:7d:43:be:39:0a:85:0d:da" and 1614902400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PARTYNET LIMITED" and pe.signatures [ i ] . serial == "1a:e3:c4:ec:ce:cd:a2:12:7d:43:be:39:0a:85:0d:da" and 1614902400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44542,13 +44542,13 @@ rule REVERSINGLABS_Cert_Blocklist_2E36360538624C9B1Afd78A2Fb756028 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "549a566b-0c94-516c-9231-a5e54136785f" + id = "f30dbe31-50bc-5d0c-9adb-75b6e5f8e3d0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8824-L8840" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9cbb50c7d383048fd506506fa9ee8bf7c6d82feaf21bcde4008ab99b82e234a7" + logic_hash = "v1_sha256_9cbb50c7d383048fd506506fa9ee8bf7c6d82feaf21bcde4008ab99b82e234a7" score = 75 quality = 90 tags = "INFO, FILE" @@ -44558,7 +44558,7 @@ rule REVERSINGLABS_Cert_Blocklist_2E36360538624C9B1Afd78A2Fb756028 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ts Trade ApS" and pe.signatures[i].serial=="2e:36:36:05:38:62:4c:9b:1a:fd:78:a2:fb:75:60:28" and 1615766400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ts Trade ApS" and pe.signatures [ i ] . serial == "2e:36:36:05:38:62:4c:9b:1a:fd:78:a2:fb:75:60:28" and 1615766400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44567,13 +44567,13 @@ rule REVERSINGLABS_Cert_Blocklist_Addb899F8229Fd53E6435E08Bbd3A733 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1e5f0577-ba05-5e43-a817-c75f65547c3d" + id = "302fbb48-ed03-5b04-b466-5165302af1a8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8842-L8860" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ecb8e31b8c56b92cef601618e0adc2f6d88999318805b92389693aa9e8050d18" + logic_hash = "v1_sha256_ecb8e31b8c56b92cef601618e0adc2f6d88999318805b92389693aa9e8050d18" score = 75 quality = 90 tags = "INFO, FILE" @@ -44583,7 +44583,7 @@ rule REVERSINGLABS_Cert_Blocklist_Addb899F8229Fd53E6435E08Bbd3A733 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "U.K. STEEL EXPORTS LIMITED" and (pe.signatures[i].serial=="00:ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33" or pe.signatures[i].serial=="ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33") and 1616630400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "U.K. STEEL EXPORTS LIMITED" and ( pe.signatures [ i ] . serial == "00:ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33" or pe.signatures [ i ] . serial == "ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33" ) and 1616630400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44592,13 +44592,13 @@ rule REVERSINGLABS_Cert_Blocklist_C1A1Db95D7Bf80290Aa6E82D8F8F996A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c04a2731-5eb8-5db4-9e88-cab9b61952e4" + id = "d470433f-0996-58a3-8d27-84e083231c3f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8862-L8880" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "84c7c0e53facadcdfd752e9cf3811fbfd6aac4bef4109acf430a67b6dcd37bfc" + logic_hash = "v1_sha256_84c7c0e53facadcdfd752e9cf3811fbfd6aac4bef4109acf430a67b6dcd37bfc" score = 75 quality = 90 tags = "INFO, FILE" @@ -44608,7 +44608,7 @@ rule REVERSINGLABS_Cert_Blocklist_C1A1Db95D7Bf80290Aa6E82D8F8F996A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Software Two Pty Ltd" and (pe.signatures[i].serial=="00:c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a" or pe.signatures[i].serial=="c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a") and 1615334400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Software Two Pty Ltd" and ( pe.signatures [ i ] . serial == "00:c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a" or pe.signatures [ i ] . serial == "c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a" ) and 1615334400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44617,13 +44617,13 @@ rule REVERSINGLABS_Cert_Blocklist_C667Ffe3A5B0A5Ae7Cf3A9E41682E91B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "83a5e5c2-0932-526b-80aa-800b37088bbd" + id = "df9450a7-a3a1-5dd4-8877-1c75ba8f420a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8882-L8900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "be2cd688f2d7c458ee764bd7a7250e0116328702db5585b444d631f05cdc701b" + logic_hash = "v1_sha256_be2cd688f2d7c458ee764bd7a7250e0116328702db5585b444d631f05cdc701b" score = 75 quality = 90 tags = "INFO, FILE" @@ -44633,7 +44633,7 @@ rule REVERSINGLABS_Cert_Blocklist_C667Ffe3A5B0A5Ae7Cf3A9E41682E91B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "NAILS UNLIMITED LIMITED" and (pe.signatures[i].serial=="00:c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b" or pe.signatures[i].serial=="c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b") and 1616976000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "NAILS UNLIMITED LIMITED" and ( pe.signatures [ i ] . serial == "00:c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b" or pe.signatures [ i ] . serial == "c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b" ) and 1616976000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44642,13 +44642,13 @@ rule REVERSINGLABS_Cert_Blocklist_E0A83917660D05Cf476374659D3C7B85 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3387f396-01f7-58b1-a5bd-b308105c66d6" + id = "7271b540-9fd0-58e9-9d5b-0a898cfb52a6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8902-L8920" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f60753ecb775d664e07e78611568799eaf06fb4742bcef3bf0c28202daf98c50" + logic_hash = "v1_sha256_f60753ecb775d664e07e78611568799eaf06fb4742bcef3bf0c28202daf98c50" score = 75 quality = 90 tags = "INFO, FILE" @@ -44658,7 +44658,7 @@ rule REVERSINGLABS_Cert_Blocklist_E0A83917660D05Cf476374659D3C7B85 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PIK MOTEL S.R.L." and (pe.signatures[i].serial=="00:e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85" or pe.signatures[i].serial=="e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85") and 1621468800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PIK MOTEL S.R.L." and ( pe.signatures [ i ] . serial == "00:e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85" or pe.signatures [ i ] . serial == "e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85" ) and 1621468800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44667,13 +44667,13 @@ rule REVERSINGLABS_Cert_Blocklist_Afc5522898143Aafaab7Fd52304Cf00C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "016ad027-bd6a-58e0-9099-341b81dd6f70" + id = "9213d2e1-dd3c-59e9-8c6a-f361b98f4ca5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8922-L8940" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bfcf2fbbd9be97202eeb44c0f81f0a0713d4d30c466f2b170231c7f9df0e9e6d" + logic_hash = "v1_sha256_bfcf2fbbd9be97202eeb44c0f81f0a0713d4d30c466f2b170231c7f9df0e9e6d" score = 75 quality = 90 tags = "INFO, FILE" @@ -44683,7 +44683,7 @@ rule REVERSINGLABS_Cert_Blocklist_Afc5522898143Aafaab7Fd52304Cf00C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "YAN CHING LIMITED" and (pe.signatures[i].serial=="00:af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c" or pe.signatures[i].serial=="af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c") and 1622419200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "YAN CHING LIMITED" and ( pe.signatures [ i ] . serial == "00:af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c" or pe.signatures [ i ] . serial == "af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c" ) and 1622419200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44692,13 +44692,13 @@ rule REVERSINGLABS_Cert_Blocklist_8B3333D32B2C2A1D33B41Ba5Db9D4D2D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f7f72cd2-0bf4-5aa7-804e-4ae354eda055" + id = "06a8c9dd-8e8d-5bb6-ab02-736515352d87" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8942-L8960" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cdb3f1983ed17df22d17c6321bc2ead2c391d70fdca4a9f6f4784f62196b85d0" + logic_hash = "v1_sha256_cdb3f1983ed17df22d17c6321bc2ead2c391d70fdca4a9f6f4784f62196b85d0" score = 75 quality = 90 tags = "INFO, FILE" @@ -44708,7 +44708,7 @@ rule REVERSINGLABS_Cert_Blocklist_8B3333D32B2C2A1D33B41Ba5Db9D4D2D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BOOK CAF\\xC3\\x89, s.r.o." and (pe.signatures[i].serial=="00:8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d" or pe.signatures[i].serial=="8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d") and 1620000000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BOOK CAF\\xC3\\x89, s.r.o." and ( pe.signatures [ i ] . serial == "00:8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d" or pe.signatures [ i ] . serial == "8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d" ) and 1620000000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44717,13 +44717,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fbb1198Bd8Bddb0D693Eb72A8613Fe3F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f9983426-9f05-56e2-8ad0-1c5a48ab04be" + id = "28db12e1-979d-5ce3-97c3-98ef7e0e4cf2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8962-L8980" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2e004116d0f8df5a625b190127655926336fc74b4cce4ae40cd516a135e5d719" + logic_hash = "v1_sha256_2e004116d0f8df5a625b190127655926336fc74b4cce4ae40cd516a135e5d719" score = 75 quality = 90 tags = "INFO, FILE" @@ -44733,7 +44733,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fbb1198Bd8Bddb0D693Eb72A8613Fe3F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Trade Hunters, s. r. o." and (pe.signatures[i].serial=="00:fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f" or pe.signatures[i].serial=="fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f") and 1620000000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Trade Hunters, s. r. o." and ( pe.signatures [ i ] . serial == "00:fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f" or pe.signatures [ i ] . serial == "fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f" ) and 1620000000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44742,13 +44742,13 @@ rule REVERSINGLABS_Cert_Blocklist_846F77D9919Fc4405Aefe1701309Bd67 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c326fbf0-2d95-5aa1-9ae4-6cb04b9c2212" + id = "7ac97a9f-926f-5c02-887c-e52af634b072" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8982-L9000" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6739049a61183d506daf9aaf44a3b15cbf2234c6af307ec95bc07fa3d8501105" + logic_hash = "v1_sha256_6739049a61183d506daf9aaf44a3b15cbf2234c6af307ec95bc07fa3d8501105" score = 75 quality = 90 tags = "INFO, FILE" @@ -44758,7 +44758,7 @@ rule REVERSINGLABS_Cert_Blocklist_846F77D9919Fc4405Aefe1701309Bd67 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "IPM Skupina d.o.o." and (pe.signatures[i].serial=="00:84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67" or pe.signatures[i].serial=="84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67") and 1621382400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "IPM Skupina d.o.o." and ( pe.signatures [ i ] . serial == "00:84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67" or pe.signatures [ i ] . serial == "84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67" ) and 1621382400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44767,13 +44767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0939C2Bad859C0432E8E98A6C0162C02 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5dba4570-51d8-5c23-85a5-5de9a048793f" + id = "aa1e7585-ad21-51db-8dd2-474fe0eae075" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9002-L9018" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3c48241e52e58600bfa0385742831dba59d9cbd959cd6853fe8e030f5df79c23" + logic_hash = "v1_sha256_3c48241e52e58600bfa0385742831dba59d9cbd959cd6853fe8e030f5df79c23" score = 75 quality = 90 tags = "INFO, FILE" @@ -44783,7 +44783,7 @@ rule REVERSINGLABS_Cert_Blocklist_0939C2Bad859C0432E8E98A6C0162C02 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Activ Expeditions ApS" and pe.signatures[i].serial=="09:39:c2:ba:d8:59:c0:43:2e:8e:98:a6:c0:16:2c:02" and 1615939200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Activ Expeditions ApS" and pe.signatures [ i ] . serial == "09:39:c2:ba:d8:59:c0:43:2e:8e:98:a6:c0:16:2c:02" and 1615939200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44792,13 +44792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Fba0E19919Ac50D700Ba60250D02C8B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8828c863-2800-5f66-968e-96a41a071218" + id = "4bf10cfc-d821-5019-8bab-0dac957182c4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9020-L9036" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8c803111df930056bdc3ef7560f07bf4d255b93286d01ecc55f790e72565ba5d" + logic_hash = "v1_sha256_8c803111df930056bdc3ef7560f07bf4d255b93286d01ecc55f790e72565ba5d" score = 75 quality = 90 tags = "INFO, FILE" @@ -44808,7 +44808,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Fba0E19919Ac50D700Ba60250D02C8B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Diamartis" and pe.signatures[i].serial=="7f:ba:0e:19:91:9a:c5:0d:70:0b:a6:02:50:d0:2c:8b" and 1623196800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Diamartis" and pe.signatures [ i ] . serial == "7f:ba:0e:19:91:9a:c5:0d:70:0b:a6:02:50:d0:2c:8b" and 1623196800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44817,13 +44817,13 @@ rule REVERSINGLABS_Cert_Blocklist_A758504E7971869D0Aec2775Fffa03D5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cc8c0cca-1848-5a5e-a421-c5ecdea6ba53" + id = "65aa9412-2ace-53f8-9a45-ea96755902c5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9038-L9056" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dcb1ac4c7dcbebd0a432515da82e4a97be6c6c2a54f9d642aa8c1a2bcbdce5de" + logic_hash = "v1_sha256_dcb1ac4c7dcbebd0a432515da82e4a97be6c6c2a54f9d642aa8c1a2bcbdce5de" score = 75 quality = 90 tags = "INFO, FILE" @@ -44833,7 +44833,7 @@ rule REVERSINGLABS_Cert_Blocklist_A758504E7971869D0Aec2775Fffa03D5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Amcert LLC" and (pe.signatures[i].serial=="00:a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5" or pe.signatures[i].serial=="a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5") and 1623628800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Amcert LLC" and ( pe.signatures [ i ] . serial == "00:a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5" or pe.signatures [ i ] . serial == "a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5" ) and 1623628800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44842,13 +44842,13 @@ rule REVERSINGLABS_Cert_Blocklist_37A67Cf754Ee5Ae284B4Cf8B9D651604 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e85434e1-1ef5-5660-8ba6-b35cbbe7510d" + id = "248b06e8-f98e-5b47-bd24-268fe141fffe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9058-L9074" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "22cb71eebbb212a4436847c11c7ca9cefaf118086b024014c12498a6a5953af5" + logic_hash = "v1_sha256_22cb71eebbb212a4436847c11c7ca9cefaf118086b024014c12498a6a5953af5" score = 75 quality = 90 tags = "INFO, FILE" @@ -44858,7 +44858,7 @@ rule REVERSINGLABS_Cert_Blocklist_37A67Cf754Ee5Ae284B4Cf8B9D651604 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FORTH PROPERTY LTD" and pe.signatures[i].serial=="37:a6:7c:f7:54:ee:5a:e2:84:b4:cf:8b:9d:65:16:04" and 1617321600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FORTH PROPERTY LTD" and pe.signatures [ i ] . serial == "37:a6:7c:f7:54:ee:5a:e2:84:b4:cf:8b:9d:65:16:04" and 1617321600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44867,13 +44867,13 @@ rule REVERSINGLABS_Cert_Blocklist_119Acead668Bad57A48B4F42F294F8F0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7ec33498-b299-58e0-be42-9e4fb9549e28" + id = "8af769e1-adbb-5795-8b7e-f5ec901220e7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9076-L9092" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "61c49c60fc4fd5d654a6376fcee43e986a5351f085a5652a3c8888774557e053" + logic_hash = "v1_sha256_61c49c60fc4fd5d654a6376fcee43e986a5351f085a5652a3c8888774557e053" score = 75 quality = 90 tags = "INFO, FILE" @@ -44883,7 +44883,7 @@ rule REVERSINGLABS_Cert_Blocklist_119Acead668Bad57A48B4F42F294F8F0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PB03 TRANSPORT LTD." and pe.signatures[i].serial=="11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0" and 1619654400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PB03 TRANSPORT LTD." and pe.signatures [ i ] . serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0" and 1619654400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44892,13 +44892,13 @@ rule REVERSINGLABS_Cert_Blocklist_7A6D30A6Eb2Fa0C3369283725704Ac4C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b7830a3a-ddcc-54ef-84dd-5d4b13863f90" + id = "f1598928-45c7-5d0e-9450-cb9228692304" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9094-L9110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "788abb53ed7974d87c1b1bdbe31dcd3e852ea64745d94780d78d1217ee0206fe" + logic_hash = "v1_sha256_788abb53ed7974d87c1b1bdbe31dcd3e852ea64745d94780d78d1217ee0206fe" score = 75 quality = 90 tags = "INFO, FILE" @@ -44908,7 +44908,7 @@ rule REVERSINGLABS_Cert_Blocklist_7A6D30A6Eb2Fa0C3369283725704Ac4C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Trade By International ApS" and pe.signatures[i].serial=="7a:6d:30:a6:eb:2f:a0:c3:36:92:83:72:57:04:ac:4c" and 1619568000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Trade By International ApS" and pe.signatures [ i ] . serial == "7a:6d:30:a6:eb:2f:a0:c3:36:92:83:72:57:04:ac:4c" and 1619568000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44917,13 +44917,13 @@ rule REVERSINGLABS_Cert_Blocklist_670C3494206B9F0C18714Fdcffaaa42F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "210a0c72-7eb7-5c78-bf5b-1ac292e7fa11" + id = "8b1fc707-d8d4-5f20-bdb4-384839df9696" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9112-L9128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3b1e244b5f543a05beb2475020aa20dfc723f4dce3a5a0a963db1672d3295721" + logic_hash = "v1_sha256_3b1e244b5f543a05beb2475020aa20dfc723f4dce3a5a0a963db1672d3295721" score = 75 quality = 90 tags = "INFO, FILE" @@ -44933,7 +44933,7 @@ rule REVERSINGLABS_Cert_Blocklist_670C3494206B9F0C18714Fdcffaaa42F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ADRIATIK PORT SERVIS, d.o.o." and pe.signatures[i].serial=="67:0c:34:94:20:6b:9f:0c:18:71:4f:dc:ff:aa:a4:2f" and 1622160000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ADRIATIK PORT SERVIS, d.o.o." and pe.signatures [ i ] . serial == "67:0c:34:94:20:6b:9f:0c:18:71:4f:dc:ff:aa:a4:2f" and 1622160000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44942,13 +44942,13 @@ rule REVERSINGLABS_Cert_Blocklist_0E8Aa328Af207Ce8Bcae1Dc15C626188 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9718f290-6ecd-5d67-9013-af99f98fffef" + id = "c57f8e6c-b111-5afb-983e-5d5d116b6a46" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9130-L9146" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4022abb8efbda944e35ff529c5b3b3c9f6370127a945f3eec1310149bb5d06e4" + logic_hash = "v1_sha256_4022abb8efbda944e35ff529c5b3b3c9f6370127a945f3eec1310149bb5d06e4" score = 75 quality = 90 tags = "INFO, FILE" @@ -44958,7 +44958,7 @@ rule REVERSINGLABS_Cert_Blocklist_0E8Aa328Af207Ce8Bcae1Dc15C626188 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PRO SAT SRL" and pe.signatures[i].serial=="0e:8a:a3:28:af:20:7c:e8:bc:ae:1d:c1:5c:62:61:88" and 1627344000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PRO SAT SRL" and pe.signatures [ i ] . serial == "0e:8a:a3:28:af:20:7c:e8:bc:ae:1d:c1:5c:62:61:88" and 1627344000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44967,13 +44967,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cfad6Be1D823B4Eacb803B720F525A7D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "844e295f-b22f-5eb0-9f98-0d6e574d2954" + id = "3c8fc16c-b1ee-5ce6-85d2-40c212555fbe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9148-L9166" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d8005774e6011d8198039a6588834cd0b13dd728103b63c3ea8b6e0dc3878f05" + logic_hash = "v1_sha256_d8005774e6011d8198039a6588834cd0b13dd728103b63c3ea8b6e0dc3878f05" score = 75 quality = 90 tags = "INFO, FILE" @@ -44983,7 +44983,7 @@ rule REVERSINGLABS_Cert_Blocklist_Cfad6Be1D823B4Eacb803B720F525A7D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Sistema LLC" and (pe.signatures[i].serial=="00:cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d" or pe.signatures[i].serial=="cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d") and 1627430400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Sistema LLC" and ( pe.signatures [ i ] . serial == "00:cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d" or pe.signatures [ i ] . serial == "cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d" ) and 1627430400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -44992,13 +44992,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Ebcb54B7E0E6410B28610De0743D4Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "84140bbd-23a0-5355-9d1a-918cc93c3352" + id = "74eb9b2b-fb4c-5842-83b5-55ca31f4b768" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9168-L9184" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c9444ff9e13192bf300afac12554bc4cc2defb37bb5b57906b6163db378c515a" + logic_hash = "v1_sha256_c9444ff9e13192bf300afac12554bc4cc2defb37bb5b57906b6163db378c515a" score = 75 quality = 90 tags = "INFO, FILE" @@ -45008,7 +45008,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Ebcb54B7E0E6410B28610De0743D4Dd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SIA \"MWorx\"" and pe.signatures[i].serial=="7e:bc:b5:4b:7e:0e:64:10:b2:86:10:de:07:43:d4:dd" and 1625616000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SIA \"MWorx\"" and pe.signatures [ i ] . serial == "7e:bc:b5:4b:7e:0e:64:10:b2:86:10:de:07:43:d4:dd" and 1625616000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45017,13 +45017,13 @@ rule REVERSINGLABS_Cert_Blocklist_01106Cc293772Ca905A2B6Eff02Bf0F5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1ec81090-91a1-5019-be91-14f60d6722fc" + id = "191ee551-e54a-5872-b46e-5443696ae90d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9186-L9202" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "81e19c06de4546a2cee974230ef7aa15291f20f2e6b6f89c9b12107c26836b5e" + logic_hash = "v1_sha256_81e19c06de4546a2cee974230ef7aa15291f20f2e6b6f89c9b12107c26836b5e" score = 75 quality = 90 tags = "INFO, FILE" @@ -45033,7 +45033,7 @@ rule REVERSINGLABS_Cert_Blocklist_01106Cc293772Ca905A2B6Eff02Bf0F5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DMR Consulting Ltd." and pe.signatures[i].serial=="01:10:6c:c2:93:77:2c:a9:05:a2:b6:ef:f0:2b:f0:f5" and 1627084800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DMR Consulting Ltd." and pe.signatures [ i ] . serial == "01:10:6c:c2:93:77:2c:a9:05:a2:b6:ef:f0:2b:f0:f5" and 1627084800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45042,13 +45042,13 @@ rule REVERSINGLABS_Cert_Blocklist_05Bb162F6Efe852B7Bd4712Fd737A61E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "82b2198e-140a-54d0-afa8-ad89980c7899" + id = "0692b7f4-6281-5bef-8c97-014564b200c5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9204-L9220" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d2fcbce0826c1478338827376d2c7869e5b38dc6d5e737a2f986600c6f71b1e6" + logic_hash = "v1_sha256_d2fcbce0826c1478338827376d2c7869e5b38dc6d5e737a2f986600c6f71b1e6" score = 75 quality = 90 tags = "INFO, FILE" @@ -45058,7 +45058,7 @@ rule REVERSINGLABS_Cert_Blocklist_05Bb162F6Efe852B7Bd4712Fd737A61E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Wellpro Impact Solutions Oy" and pe.signatures[i].serial=="05:bb:16:2f:6e:fe:85:2b:7b:d4:71:2f:d7:37:a6:1e" and 1628726400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Wellpro Impact Solutions Oy" and pe.signatures [ i ] . serial == "05:bb:16:2f:6e:fe:85:2b:7b:d4:71:2f:d7:37:a6:1e" and 1628726400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45067,13 +45067,13 @@ rule REVERSINGLABS_Cert_Blocklist_6171990Ba1C8E71049Ebb296A35Bd160 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f81697ca-e49a-5a3d-9e0f-6192159e098b" + id = "f023524a-768c-54e7-803d-3d93616f443d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9222-L9238" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e922bb850b7c5c70db80e6a2b99310eac48d3b10b94a7259899facd681916bfa" + logic_hash = "v1_sha256_e922bb850b7c5c70db80e6a2b99310eac48d3b10b94a7259899facd681916bfa" score = 75 quality = 90 tags = "INFO, FILE" @@ -45083,7 +45083,7 @@ rule REVERSINGLABS_Cert_Blocklist_6171990Ba1C8E71049Ebb296A35Bd160 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OWLNET LIMITED" and pe.signatures[i].serial=="61:71:99:0b:a1:c8:e7:10:49:eb:b2:96:a3:5b:d1:60" and 1620000000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OWLNET LIMITED" and pe.signatures [ i ] . serial == "61:71:99:0b:a1:c8:e7:10:49:eb:b2:96:a3:5b:d1:60" and 1620000000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45092,13 +45092,13 @@ rule REVERSINGLABS_Cert_Blocklist_2114Ca3Bd2Afd63D7Fa29D744992B043 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7d112cb8-a29f-5560-9c3c-cd8891623d96" + id = "2a86dea8-52e9-56f8-b5c4-ea8b8435c0ad" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9240-L9256" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "241fe5a9f233fa36a665d22b38fd360bee21bc9832c15ac9c9d9b17adc3bb306" + logic_hash = "v1_sha256_241fe5a9f233fa36a665d22b38fd360bee21bc9832c15ac9c9d9b17adc3bb306" score = 75 quality = 90 tags = "INFO, FILE" @@ -45108,7 +45108,7 @@ rule REVERSINGLABS_Cert_Blocklist_2114Ca3Bd2Afd63D7Fa29D744992B043 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MATCH CONSULTANTS LTD" and pe.signatures[i].serial=="21:14:ca:3b:d2:af:d6:3d:7f:a2:9d:74:49:92:b0:43" and 1625097600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MATCH CONSULTANTS LTD" and pe.signatures [ i ] . serial == "21:14:ca:3b:d2:af:d6:3d:7f:a2:9d:74:49:92:b0:43" and 1625097600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45117,13 +45117,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Aaa62208A3A78Bfac1443007D031E61 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dd6dca76-ff5b-51a8-9318-20a88eb44ffb" + id = "49d98081-3018-5c24-9eec-b531c5442a2c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9258-L9274" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7ba7f69514230fe636efc0a12fb9ac489a5a80ca1f5bcdb050dd30ee8f69659c" + logic_hash = "v1_sha256_7ba7f69514230fe636efc0a12fb9ac489a5a80ca1f5bcdb050dd30ee8f69659c" score = 75 quality = 90 tags = "INFO, FILE" @@ -45133,7 +45133,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Aaa62208A3A78Bfac1443007D031E61 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Solar LLC" and pe.signatures[i].serial=="6a:aa:62:20:8a:3a:78:bf:ac:14:43:00:7d:03:1e:61" and 1608163200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Solar LLC" and pe.signatures [ i ] . serial == "6a:aa:62:20:8a:3a:78:bf:ac:14:43:00:7d:03:1e:61" and 1608163200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45142,13 +45142,13 @@ rule REVERSINGLABS_Cert_Blocklist_09450B8F73Ea43E39D2Cdd56049Dbe40 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e6914a29-f6f7-56fc-8606-95666d31cf33" + id = "95f035e3-1b06-5a4b-b024-8709d69f4aab" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9276-L9292" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "22b344b8befc00b0154d225603c81c6058399770f54cb6a09d0f7908c5c8188c" + logic_hash = "v1_sha256_22b344b8befc00b0154d225603c81c6058399770f54cb6a09d0f7908c5c8188c" score = 75 quality = 90 tags = "INFO, FILE" @@ -45158,7 +45158,7 @@ rule REVERSINGLABS_Cert_Blocklist_09450B8F73Ea43E39D2Cdd56049Dbe40 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE4\\xB9\\x9D\\xE6\\xB1\\x9F\\xE5\\xAE\\x8F\\xE5\\x9B\\xBE\\xE6\\x97\\xA0\\xE5\\xBF\\xA7\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="09:45:0b:8f:73:ea:43:e3:9d:2c:dd:56:04:9d:be:40" and 1561602110<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE4\\xB9\\x9D\\xE6\\xB1\\x9F\\xE5\\xAE\\x8F\\xE5\\x9B\\xBE\\xE6\\x97\\xA0\\xE5\\xBF\\xA7\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "09:45:0b:8f:73:ea:43:e3:9d:2c:dd:56:04:9d:be:40" and 1561602110 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45167,13 +45167,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Efd9Bd4B4281C6522D96011Df46C9C4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7bd6616b-fef7-56aa-a78a-606601afa4f3" + id = "08379b10-f8d2-5432-b730-9aaf98f5f02a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9294-L9310" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8f8a5e3457c05c5e70e33041c5b0b971cf8f19313d47055fd760ed17d94c8794" + logic_hash = "v1_sha256_8f8a5e3457c05c5e70e33041c5b0b971cf8f19313d47055fd760ed17d94c8794" score = 75 quality = 90 tags = "INFO, FILE" @@ -45183,7 +45183,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Efd9Bd4B4281C6522D96011Df46C9C4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="0e:fd:9b:d4:b4:28:1c:65:22:d9:60:11:df:46:c9:c4" and 1586249095<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "0e:fd:9b:d4:b4:28:1c:65:22:d9:60:11:df:46:c9:c4" and 1586249095 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45192,13 +45192,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Dd7D4A785990584D8C0837659173272 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d5e3d85b-cc4e-5522-8558-f2703c38c4e6" + id = "e2c57c59-465a-5d2c-bddd-9d933d36350e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9312-L9328" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d18a479f07f2bdb890437e2bcb0213abdfb0eb684cdaf17c5eb0583039f2edb4" + logic_hash = "v1_sha256_d18a479f07f2bdb890437e2bcb0213abdfb0eb684cdaf17c5eb0583039f2edb4" score = 75 quality = 90 tags = "INFO, FILE" @@ -45208,7 +45208,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Dd7D4A785990584D8C0837659173272 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="0d:d7:d4:a7:85:99:05:84:d8:c0:83:76:59:17:32:72" and 1586249095<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "0d:d7:d4:a7:85:99:05:84:d8:c0:83:76:59:17:32:72" and 1586249095 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45217,13 +45217,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C59D46580F039Af2C4Ab6Ba0Ffed197 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "969e05a1-8ae1-5ea6-9607-5bf164f34e7b" + id = "8c1e8d24-4f14-5999-bd68-a367e5897a4a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9330-L9346" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "32eea2a436f386ef44a00ef72be8be7d4070b02f84ba71c7ee1ca407fddce8ec" + logic_hash = "v1_sha256_32eea2a436f386ef44a00ef72be8be7d4070b02f84ba71c7ee1ca407fddce8ec" score = 75 quality = 90 tags = "INFO, FILE" @@ -45233,7 +45233,7 @@ rule REVERSINGLABS_Cert_Blocklist_0C59D46580F039Af2C4Ab6Ba0Ffed197 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="0c:59:d4:65:80:f0:39:af:2c:4a:b6:ba:0f:fe:d1:97" and 1585108595<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "0c:59:d4:65:80:f0:39:af:2c:4a:b6:ba:0f:fe:d1:97" and 1585108595 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45242,13 +45242,13 @@ rule REVERSINGLABS_Cert_Blocklist_0448Ec8D26597F99912138500Cc41C1B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0c306a1f-e810-5988-a44c-964b6a67c918" + id = "906c899a-dd49-5dfb-af3f-ade4103c957b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9348-L9364" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "001556c31cfb0d94978adc48dc0d24c83666512348c65508975cc9e1a119aeae" + logic_hash = "v1_sha256_001556c31cfb0d94978adc48dc0d24c83666512348c65508975cc9e1a119aeae" score = 75 quality = 90 tags = "INFO, FILE" @@ -45258,7 +45258,7 @@ rule REVERSINGLABS_Cert_Blocklist_0448Ec8D26597F99912138500Cc41C1B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="04:48:ec:8d:26:59:7f:99:91:21:38:50:0c:c4:1c:1b" and 1585108595<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "04:48:ec:8d:26:59:7f:99:91:21:38:50:0c:c4:1c:1b" and 1585108595 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45267,13 +45267,13 @@ rule REVERSINGLABS_Cert_Blocklist_0108Cbaee60728F5Bf06E45A56D6F170 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2be3a0d2-2c6a-5c66-856a-d3a70a490ba3" + id = "3dbc0172-eb09-590c-b162-b27d84231f1c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9366-L9382" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "52027548e20c819e73ea5e9afd87faaca4498bc39e54dd30ad99a24e3ace57fd" + logic_hash = "v1_sha256_52027548e20c819e73ea5e9afd87faaca4498bc39e54dd30ad99a24e3ace57fd" score = 75 quality = 90 tags = "INFO, FILE" @@ -45283,7 +45283,7 @@ rule REVERSINGLABS_Cert_Blocklist_0108Cbaee60728F5Bf06E45A56D6F170 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE4\\xB8\\x9C\\xE6\\xB9\\x96\\xE6\\x96\\xB0\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE5\\xBC\\x80\\xE5\\x8F\\x91\\xE5\\x8C\\xBA" and pe.signatures[i].serial=="01:08:cb:ae:e6:07:28:f5:bf:06:e4:5a:56:d6:f1:70" and 1605680260<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE4\\xB8\\x9C\\xE6\\xB9\\x96\\xE6\\x96\\xB0\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE5\\xBC\\x80\\xE5\\x8F\\x91\\xE5\\x8C\\xBA" and pe.signatures [ i ] . serial == "01:08:cb:ae:e6:07:28:f5:bf:06:e4:5a:56:d6:f1:70" and 1605680260 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45292,13 +45292,13 @@ rule REVERSINGLABS_Cert_Blocklist_038D56A12153E8B5C74C69Bff65Cbe3F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "48162554-a95b-5cd3-9bbb-bcf6a1d96592" + id = "3ecee8d7-f540-532d-89d5-0c5fd8979aeb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9384-L9400" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ed3a81231f93f9d2ae462481503ba37072c3800dd1379baae11737f093a27af1" + logic_hash = "v1_sha256_ed3a81231f93f9d2ae462481503ba37072c3800dd1379baae11737f093a27af1" score = 75 quality = 90 tags = "INFO, FILE" @@ -45308,7 +45308,7 @@ rule REVERSINGLABS_Cert_Blocklist_038D56A12153E8B5C74C69Bff65Cbe3F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE5\\x86\\x85\\xE7\\x91\\x9F\\xE6\\x96\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="03:8d:56:a1:21:53:e8:b5:c7:4c:69:bf:f6:5c:be:3f" and 1605680260<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE5\\x86\\x85\\xE7\\x91\\x9F\\xE6\\x96\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "03:8d:56:a1:21:53:e8:b5:c7:4c:69:bf:f6:5c:be:3f" and 1605680260 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45317,13 +45317,13 @@ rule REVERSINGLABS_Cert_Blocklist_060D94E2Ccae84536654D9Daf39Fef1E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ac5d29ef-fd52-536b-bcbc-44433dda8a21" + id = "a375e694-3feb-5e9c-a04c-43c8227263f8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9402-L9418" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "49000f3a3ce1ad9aef87162d7527b8f062e0aa12276b82c7335f0ccc14b7d38a" + logic_hash = "v1_sha256_49000f3a3ce1ad9aef87162d7527b8f062e0aa12276b82c7335f0ccc14b7d38a" score = 75 quality = 90 tags = "INFO, FILE" @@ -45333,7 +45333,7 @@ rule REVERSINGLABS_Cert_Blocklist_060D94E2Ccae84536654D9Daf39Fef1E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HasCred ApS" and pe.signatures[i].serial=="06:0d:94:e2:cc:ae:84:53:66:54:d9:da:f3:9f:ef:1e" and 1627948800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HasCred ApS" and pe.signatures [ i ] . serial == "06:0d:94:e2:cc:ae:84:53:66:54:d9:da:f3:9f:ef:1e" and 1627948800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45342,13 +45342,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Bc9B800F480691Bd6B60963466B0C75 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "614f88ca-183a-548b-99f1-30cf4c4027ce" + id = "3cbcc1a0-695e-5dc9-9e64-f02fca12324d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9420-L9436" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6a498fd30c611976e9aad2f9b85b13c3c29246582cdfefc800615db88e40dac2" + logic_hash = "v1_sha256_6a498fd30c611976e9aad2f9b85b13c3c29246582cdfefc800615db88e40dac2" score = 75 quality = 90 tags = "INFO, FILE" @@ -45358,7 +45358,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Bc9B800F480691Bd6B60963466B0C75 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HasCred ApS" and pe.signatures[i].serial=="0b:c9:b8:00:f4:80:69:1b:d6:b6:09:63:46:6b:0c:75" and 1629158400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HasCred ApS" and pe.signatures [ i ] . serial == "0b:c9:b8:00:f4:80:69:1b:d6:b6:09:63:46:6b:0c:75" and 1629158400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45367,13 +45367,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C4324Ff41F0A7B16Ffcc93Dffa8Fa99 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "34594a57-f9fd-5b9d-afb6-691be33da9b5" + id = "0721b19a-7ec9-55ec-bc0e-b1509d377513" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9438-L9454" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d3ce83fb0497c533a5474d46300c341677ec243686723783798bfbaec4f6e369" + logic_hash = "v1_sha256_d3ce83fb0497c533a5474d46300c341677ec243686723783798bfbaec4f6e369" score = 75 quality = 90 tags = "INFO, FILE" @@ -45383,7 +45383,7 @@ rule REVERSINGLABS_Cert_Blocklist_0C4324Ff41F0A7B16Ffcc93Dffa8Fa99 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE7\\xA6\\x8F\\xE5\\xBB\\xBA\\xE7\\x9C\\x81\\xE4\\xBA\\x94\\xE6\\x98\\x9F\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="0c:43:24:ff:41:f0:a7:b1:6f:fc:c9:3d:ff:a8:fa:99" and 1600300800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE7\\xA6\\x8F\\xE5\\xBB\\xBA\\xE7\\x9C\\x81\\xE4\\xBA\\x94\\xE6\\x98\\x9F\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "0c:43:24:ff:41:f0:a7:b1:6f:fc:c9:3d:ff:a8:fa:99" and 1600300800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45392,13 +45392,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B980Fc8783E4F158E41829Ab21Bab81 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f7358f71-421f-57fa-abdf-ab479f4b7007" + id = "58bfa9eb-3470-57d2-b7f3-76acab259dd7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9456-L9472" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b0f43caec1cfc5b2d1512d7fcf0bcf1e02fc81764b4376b081f38c4de328eab2" + logic_hash = "v1_sha256_b0f43caec1cfc5b2d1512d7fcf0bcf1e02fc81764b4376b081f38c4de328eab2" score = 75 quality = 90 tags = "INFO, FILE" @@ -45408,7 +45408,7 @@ rule REVERSINGLABS_Cert_Blocklist_0B980Fc8783E4F158E41829Ab21Bab81 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Idris Kanchwala Holding Corp." and pe.signatures[i].serial=="0b:98:0f:c8:78:3e:4f:15:8e:41:82:9a:b2:1b:ab:81" and 1631750400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Idris Kanchwala Holding Corp." and pe.signatures [ i ] . serial == "0b:98:0f:c8:78:3e:4f:15:8e:41:82:9a:b2:1b:ab:81" and 1631750400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45417,13 +45417,13 @@ rule REVERSINGLABS_Cert_Blocklist_D8F515715Aeffef0A0E4E37F16C254Fa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "50ffd0a0-d861-53d7-a7dc-f74ccc49eff8" + id = "08c4940b-614e-5b56-aef4-86283bcbf161" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9474-L9492" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3c7d57a655f76a6e5ef6b0e770db7c91d0830b6b0b37caef5ef9e3e78ad1fd75" + logic_hash = "v1_sha256_3c7d57a655f76a6e5ef6b0e770db7c91d0830b6b0b37caef5ef9e3e78ad1fd75" score = 75 quality = 90 tags = "INFO, FILE" @@ -45433,7 +45433,7 @@ rule REVERSINGLABS_Cert_Blocklist_D8F515715Aeffef0A0E4E37F16C254Fa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HOLDING LA LTD" and (pe.signatures[i].serial=="00:d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa" or pe.signatures[i].serial=="d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa") and 1619136000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HOLDING LA LTD" and ( pe.signatures [ i ] . serial == "00:d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa" or pe.signatures [ i ] . serial == "d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa" ) and 1619136000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45442,13 +45442,13 @@ rule REVERSINGLABS_Cert_Blocklist_D79739187C585E453C00Afc11D77B523 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ed427336-6833-5e09-8ebe-039c8cd50846" + id = "65c25440-c800-5b7e-89fe-01565d807d7a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9494-L9512" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6d6db87227d7be559afa67c4f2b65b01f26741fdf337d920241a633bb036426f" + logic_hash = "v1_sha256_6d6db87227d7be559afa67c4f2b65b01f26741fdf337d920241a633bb036426f" score = 75 quality = 90 tags = "INFO, FILE" @@ -45458,7 +45458,7 @@ rule REVERSINGLABS_Cert_Blocklist_D79739187C585E453C00Afc11D77B523 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SAN MARINO INVESTMENTS PTY LTD" and (pe.signatures[i].serial=="00:d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23" or pe.signatures[i].serial=="d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23") and 1631059200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SAN MARINO INVESTMENTS PTY LTD" and ( pe.signatures [ i ] . serial == "00:d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23" or pe.signatures [ i ] . serial == "d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23" ) and 1631059200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45467,13 +45467,13 @@ rule REVERSINGLABS_Cert_Blocklist_961Cecb0227845317549E9343A980E91 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f319592a-5f08-5f2c-b840-5f897695e054" + id = "8d75a136-bcb9-575f-be49-80ac55e376fc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9514-L9532" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c74512e95e2d6aedecb1dbd30fac6fde40d1e9520c89b785519694d9bc9ba854" + logic_hash = "v1_sha256_c74512e95e2d6aedecb1dbd30fac6fde40d1e9520c89b785519694d9bc9ba854" score = 75 quality = 90 tags = "INFO, FILE" @@ -45483,7 +45483,7 @@ rule REVERSINGLABS_Cert_Blocklist_961Cecb0227845317549E9343A980E91 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AmiraCo Oy" and (pe.signatures[i].serial=="00:96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91" or pe.signatures[i].serial=="96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91") and 1615248000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AmiraCo Oy" and ( pe.signatures [ i ] . serial == "00:96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91" or pe.signatures [ i ] . serial == "96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91" ) and 1615248000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45492,13 +45492,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Ef6392B2993A6F67578299659467Ea8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "123e5aed-0ef4-5146-81bb-5d455a9cf92e" + id = "bb6cf84e-48c7-551e-a3fe-8e5b63a7a67d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9534-L9550" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f6b454a575ea7635d5edebffe3c9c83e95312ee33245e733987532348258733e" + logic_hash = "v1_sha256_f6b454a575ea7635d5edebffe3c9c83e95312ee33245e733987532348258733e" score = 75 quality = 90 tags = "INFO, FILE" @@ -45508,7 +45508,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Ef6392B2993A6F67578299659467Ea8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ALUSEN d. o. o." and pe.signatures[i].serial=="1e:f6:39:2b:29:93:a6:f6:75:78:29:96:59:46:7e:a8" and 1618531200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ALUSEN d. o. o." and pe.signatures [ i ] . serial == "1e:f6:39:2b:29:93:a6:f6:75:78:29:96:59:46:7e:a8" and 1618531200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45517,13 +45517,13 @@ rule REVERSINGLABS_Cert_Blocklist_A918455C0D4Da7Ca474F41F11A7Cf38C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "959b10fe-fbd0-5642-a5d9-4ac2e0474666" + id = "f1eca1c5-a687-575e-8dd5-760ffe7bad59" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9552-L9570" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ea30d85c057f9363ce29d4c024097c50a8752dd2095481181322fe5d5c92bb4b" + logic_hash = "v1_sha256_ea30d85c057f9363ce29d4c024097c50a8752dd2095481181322fe5d5c92bb4b" score = 75 quality = 90 tags = "INFO, FILE" @@ -45533,7 +45533,7 @@ rule REVERSINGLABS_Cert_Blocklist_A918455C0D4Da7Ca474F41F11A7Cf38C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MIDDRA INTERNATIONAL CORP." and (pe.signatures[i].serial=="00:a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c" or pe.signatures[i].serial=="a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c") and 1618963200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MIDDRA INTERNATIONAL CORP." and ( pe.signatures [ i ] . serial == "00:a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c" or pe.signatures [ i ] . serial == "a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c" ) and 1618963200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45542,13 +45542,13 @@ rule REVERSINGLABS_Cert_Blocklist_936Bc256D2057Ca9B9Ec3034C3Ed0Ee6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4dbe7db7-2f61-558c-a6dc-875ba87322c7" + id = "e9ef9ac3-2d79-58c5-b3fa-b19cde79a8d8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9572-L9590" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7e90c29bcfe4632e70b61a0cf2ab48a3de986bd5c6c730f64a363f4f3d79a3f4" + logic_hash = "v1_sha256_7e90c29bcfe4632e70b61a0cf2ab48a3de986bd5c6c730f64a363f4f3d79a3f4" score = 75 quality = 90 tags = "INFO, FILE" @@ -45558,7 +45558,7 @@ rule REVERSINGLABS_Cert_Blocklist_936Bc256D2057Ca9B9Ec3034C3Ed0Ee6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SALES & MAINTENANCE LIMITED" and (pe.signatures[i].serial=="00:93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6" or pe.signatures[i].serial=="93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6") and 1616889600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SALES & MAINTENANCE LIMITED" and ( pe.signatures [ i ] . serial == "00:93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6" or pe.signatures [ i ] . serial == "93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6" ) and 1616889600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45567,13 +45567,13 @@ rule REVERSINGLABS_Cert_Blocklist_Afe8Fee94B41422E01E4897Bcd52D0A4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "83d08ca6-2a0b-5da3-8d53-7bf8bcc361cf" + id = "637f35cb-a3e8-52e4-9e7a-45cb5b4e7b48" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9592-L9610" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "02c55b182bc9843334baed9c0a7cca2c88cd1de00ca9b47b10ec79b7a5acf9bb" + logic_hash = "v1_sha256_02c55b182bc9843334baed9c0a7cca2c88cd1de00ca9b47b10ec79b7a5acf9bb" score = 75 quality = 90 tags = "INFO, FILE" @@ -45583,7 +45583,7 @@ rule REVERSINGLABS_Cert_Blocklist_Afe8Fee94B41422E01E4897Bcd52D0A4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TLGM ApS" and (pe.signatures[i].serial=="00:af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4" or pe.signatures[i].serial=="af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4") and 1617062400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TLGM ApS" and ( pe.signatures [ i ] . serial == "00:af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4" or pe.signatures [ i ] . serial == "af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4" ) and 1617062400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45592,13 +45592,13 @@ rule REVERSINGLABS_Cert_Blocklist_718E89Ddb33257Ea77Ba74Be7F2Baf1D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d173c2b2-2b76-521a-aac1-ae69fdf5b16b" + id = "dd6c1ffd-9446-552e-b6ad-88ddcb68bee7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9612-L9628" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2f0defa1e1d905d937677e96f2a0955d9737f6976596932cc093fdecfea3fdb0" + logic_hash = "v1_sha256_2f0defa1e1d905d937677e96f2a0955d9737f6976596932cc093fdecfea3fdb0" score = 75 quality = 90 tags = "INFO, FILE" @@ -45608,7 +45608,7 @@ rule REVERSINGLABS_Cert_Blocklist_718E89Ddb33257Ea77Ba74Be7F2Baf1D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Trap Capital ApS" and pe.signatures[i].serial=="71:8e:89:dd:b3:32:57:ea:77:ba:74:be:7f:2b:af:1d" and 1635462927<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Trap Capital ApS" and pe.signatures [ i ] . serial == "71:8e:89:dd:b3:32:57:ea:77:ba:74:be:7f:2b:af:1d" and 1635462927 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45617,13 +45617,13 @@ rule REVERSINGLABS_Cert_Blocklist_4D3E38F4Aebbc32257450726B29Be117 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "173f89ca-e7b3-507b-96c1-325dd06210f8" + id = "15fbb08b-8913-5a89-b3c9-37f5ef089d50" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9630-L9646" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f618547942fcd9b3d1104cb5bedeecec8596fa7cc34bca838b6120085b305d73" + logic_hash = "v1_sha256_f618547942fcd9b3d1104cb5bedeecec8596fa7cc34bca838b6120085b305d73" score = 75 quality = 90 tags = "INFO, FILE" @@ -45633,7 +45633,7 @@ rule REVERSINGLABS_Cert_Blocklist_4D3E38F4Aebbc32257450726B29Be117 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "POLE & AERIAL FITNESS LIMITED" and pe.signatures[i].serial=="4d:3e:38:f4:ae:bb:c3:22:57:45:07:26:b2:9b:e1:17" and 1636123882<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "POLE & AERIAL FITNESS LIMITED" and pe.signatures [ i ] . serial == "4d:3e:38:f4:ae:bb:c3:22:57:45:07:26:b2:9b:e1:17" and 1636123882 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45642,13 +45642,13 @@ rule REVERSINGLABS_Cert_Blocklist_8F4C49Dae1F1Ff0Ebe9104C6F73242Bd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b7731056-1674-5375-a3cb-69632670d6d9" + id = "d4dd5229-77ee-50a0-9843-c164d743502e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9648-L9666" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a8c99cc30b791a76fe3cd48184bf95ee47abb30bd200128efd2f5295ee18f7b1" + logic_hash = "v1_sha256_a8c99cc30b791a76fe3cd48184bf95ee47abb30bd200128efd2f5295ee18f7b1" score = 75 quality = 90 tags = "INFO, FILE" @@ -45658,7 +45658,7 @@ rule REVERSINGLABS_Cert_Blocklist_8F4C49Dae1F1Ff0Ebe9104C6F73242Bd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Contact Merger Holding ApS" and (pe.signatures[i].serial=="00:8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd" or pe.signatures[i].serial=="8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd") and 1636039748<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Contact Merger Holding ApS" and ( pe.signatures [ i ] . serial == "00:8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd" or pe.signatures [ i ] . serial == "8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd" ) and 1636039748 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45667,13 +45667,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ac3C05F1Cb9453De8E7110F589Fb32C0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2578655e-6420-5a67-9116-cab5cf5bc195" + id = "51f2c464-6986-5ecd-95ec-20479dec5fcc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9668-L9686" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6328fd5dbb497c69ddc9151f85754669760b709ecbff3e8f320a40a62ca0dd2c" + logic_hash = "v1_sha256_6328fd5dbb497c69ddc9151f85754669760b709ecbff3e8f320a40a62ca0dd2c" score = 75 quality = 90 tags = "INFO, FILE" @@ -45683,7 +45683,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ac3C05F1Cb9453De8E7110F589Fb32C0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TRAIN BUILDING TEAM s.r.o." and (pe.signatures[i].serial=="00:ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0" or pe.signatures[i].serial=="ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0") and 1635854205<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TRAIN BUILDING TEAM s.r.o." and ( pe.signatures [ i ] . serial == "00:ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0" or pe.signatures [ i ] . serial == "ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0" ) and 1635854205 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45692,13 +45692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fbb96A90B6718810311767Ca25Ab1E48 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "77319b9c-6075-5ac7-958c-d76916873e85" + id = "28fb7fa8-1c00-515e-8341-8bde5eb0f113" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9688-L9706" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "431e3364a42b272d9b71b92dee44cc185ef034a45a0b72bbda82cf7e9b29c355" + logic_hash = "v1_sha256_431e3364a42b272d9b71b92dee44cc185ef034a45a0b72bbda82cf7e9b29c355" score = 75 quality = 90 tags = "INFO, FILE" @@ -45708,7 +45708,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fbb96A90B6718810311767Ca25Ab1E48 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rakurs LLC" and (pe.signatures[i].serial=="00:fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48" or pe.signatures[i].serial=="fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48") and 1636046757<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rakurs LLC" and ( pe.signatures [ i ] . serial == "00:fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48" or pe.signatures [ i ] . serial == "fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48" ) and 1636046757 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45717,13 +45717,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cfd38423Aef875A10B16644D058297E2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f53e4f44-dde2-5f7a-8cab-71e91ff75d28" + id = "b82c88c5-810d-5ea1-8e36-b0c566509199" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9708-L9726" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a2f67cbf31c9db2891892c31a7ed4ce7eccd834bfb10ae70f58e46f8e68e7c17" + logic_hash = "v1_sha256_a2f67cbf31c9db2891892c31a7ed4ce7eccd834bfb10ae70f58e46f8e68e7c17" score = 75 quality = 90 tags = "INFO, FILE" @@ -45733,7 +45733,7 @@ rule REVERSINGLABS_Cert_Blocklist_Cfd38423Aef875A10B16644D058297E2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TRUST DANMARK ApS" and (pe.signatures[i].serial=="00:cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2" or pe.signatures[i].serial=="cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2") and 1632884040<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TRUST DANMARK ApS" and ( pe.signatures [ i ] . serial == "00:cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2" or pe.signatures [ i ] . serial == "cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2" ) and 1632884040 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45742,13 +45742,13 @@ rule REVERSINGLABS_Cert_Blocklist_E6C05C5A2222Bf92818324A3A7374Ad3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2b5b79d8-e8fa-5593-b4c4-89af1f711152" + id = "f3484e62-c689-5ea2-8c56-655dfe572689" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9728-L9746" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bea8fea49144abc109e33a5964bb8e113aa61b4cd70c72a43183cb0840429571" + logic_hash = "v1_sha256_bea8fea49144abc109e33a5964bb8e113aa61b4cd70c72a43183cb0840429571" score = 75 quality = 90 tags = "INFO, FILE" @@ -45758,7 +45758,7 @@ rule REVERSINGLABS_Cert_Blocklist_E6C05C5A2222Bf92818324A3A7374Ad3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ANAQA EVENTS LTD" and (pe.signatures[i].serial=="00:e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3" or pe.signatures[i].serial=="e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3") and 1634720407<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ANAQA EVENTS LTD" and ( pe.signatures [ i ] . serial == "00:e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3" or pe.signatures [ i ] . serial == "e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3" ) and 1634720407 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45767,13 +45767,13 @@ rule REVERSINGLABS_Cert_Blocklist_75Ce08Bdbad44123299Dbe9D7C1D20De : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e8e2d3b6-077f-56ba-9f2a-1941bf2ebdeb" + id = "42b8d51b-f00d-50ec-90fd-6c3bb3e0436d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9748-L9764" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8ba66ab55f9a6755e11a7f39152aa26917271c7f6bc5ffdb42d07ad791fb47d7" + logic_hash = "v1_sha256_8ba66ab55f9a6755e11a7f39152aa26917271c7f6bc5ffdb42d07ad791fb47d7" score = 75 quality = 90 tags = "INFO, FILE" @@ -45783,7 +45783,7 @@ rule REVERSINGLABS_Cert_Blocklist_75Ce08Bdbad44123299Dbe9D7C1D20De : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rose Holm International ApS" and pe.signatures[i].serial=="75:ce:08:bd:ba:d4:41:23:29:9d:be:9d:7c:1d:20:de" and 1631007095<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rose Holm International ApS" and pe.signatures [ i ] . serial == "75:ce:08:bd:ba:d4:41:23:29:9d:be:9d:7c:1d:20:de" and 1631007095 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45792,13 +45792,13 @@ rule REVERSINGLABS_Cert_Blocklist_333705C20B56E57F60B5Eb191Eef0D90 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7f98e550-fca6-564f-bbad-40e153f17adc" + id = "698935da-4df5-558d-98b1-5bffc4501633" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9766-L9782" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "30eeec467b837f6b1759cd0fd6a8bc2e8942f2400df170c671287f4159652479" + logic_hash = "v1_sha256_30eeec467b837f6b1759cd0fd6a8bc2e8942f2400df170c671287f4159652479" score = 75 quality = 90 tags = "INFO, FILE" @@ -45808,7 +45808,7 @@ rule REVERSINGLABS_Cert_Blocklist_333705C20B56E57F60B5Eb191Eef0D90 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TASK Holding ApS" and pe.signatures[i].serial=="33:37:05:c2:0b:56:e5:7f:60:b5:eb:19:1e:ef:0d:90" and 1634233052<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TASK Holding ApS" and pe.signatures [ i ] . serial == "33:37:05:c2:0b:56:e5:7f:60:b5:eb:19:1e:ef:0d:90" and 1634233052 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45817,13 +45817,13 @@ rule REVERSINGLABS_Cert_Blocklist_A2A0Ba281262Acce7A00119E25564386 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ab0c7b78-5e7e-5cb9-ae61-d88f3f8d9684" + id = "d05d0457-bdd3-538e-b659-115949ef6dbd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9784-L9802" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f5e3c16f6caaf5f3152d90dc48895d0bbcdb296c368beeebb96157f03a8ded40" + logic_hash = "v1_sha256_f5e3c16f6caaf5f3152d90dc48895d0bbcdb296c368beeebb96157f03a8ded40" score = 75 quality = 90 tags = "INFO, FILE" @@ -45833,7 +45833,7 @@ rule REVERSINGLABS_Cert_Blocklist_A2A0Ba281262Acce7A00119E25564386 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Sopiteks LLC" and (pe.signatures[i].serial=="00:a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86" or pe.signatures[i].serial=="a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86") and 1631908320<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Sopiteks LLC" and ( pe.signatures [ i ] . serial == "00:a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86" or pe.signatures [ i ] . serial == "a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86" ) and 1631908320 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45842,13 +45842,13 @@ rule REVERSINGLABS_Cert_Blocklist_338483Cc174C16Ebc454A3803Ffd4217 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ce30ace6-c2c2-5f3e-a2f7-1f08825d44eb" + id = "fb23d49d-d0de-51bd-bd62-157cfdc6cb38" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9804-L9820" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7d7dd55eaab15cf458e5e57f0e5fbebdcc9313aee05394310a5cf9d9b4def153" + logic_hash = "v1_sha256_7d7dd55eaab15cf458e5e57f0e5fbebdcc9313aee05394310a5cf9d9b4def153" score = 75 quality = 90 tags = "INFO, FILE" @@ -45858,7 +45858,7 @@ rule REVERSINGLABS_Cert_Blocklist_338483Cc174C16Ebc454A3803Ffd4217 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Lpr:n Laatu-Ravintolat Oy" and pe.signatures[i].serial=="33:84:83:cc:17:4c:16:eb:c4:54:a3:80:3f:fd:42:17" and 1635208206<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Lpr:n Laatu-Ravintolat Oy" and pe.signatures [ i ] . serial == "33:84:83:cc:17:4c:16:eb:c4:54:a3:80:3f:fd:42:17" and 1635208206 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45867,13 +45867,13 @@ rule REVERSINGLABS_Cert_Blocklist_Be89936C26Cd0D845074F6B7B47F480C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3ff8149b-4a90-5593-b12a-d815b04fce7e" + id = "91cb0b68-e8cb-5949-82e3-71d749e6fdeb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9822-L9840" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "348df24620bfe6322c410cb593f5caad67492b0b5af234ee89b0411beb4b48f9" + logic_hash = "v1_sha256_348df24620bfe6322c410cb593f5caad67492b0b5af234ee89b0411beb4b48f9" score = 75 quality = 90 tags = "INFO, FILE" @@ -45883,7 +45883,7 @@ rule REVERSINGLABS_Cert_Blocklist_Be89936C26Cd0D845074F6B7B47F480C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Argus Security Maintenance Systems Inc." and (pe.signatures[i].serial=="00:be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c" or pe.signatures[i].serial=="be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c") and 1634235015<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Argus Security Maintenance Systems Inc." and ( pe.signatures [ i ] . serial == "00:be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c" or pe.signatures [ i ] . serial == "be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c" ) and 1634235015 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45892,13 +45892,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F20A5155E53Ce20Bb644F646Ed6A2Fd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d52066d5-9bc1-5f72-8e97-7efda88c14b2" + id = "4699ca3c-cb63-55a5-9ab0-fb31541c6126" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9842-L9858" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "70d57f2c24d4ae6f17339bfb998589a3b10f5dd4b19ac8a5bc99e082145c4ed0" + logic_hash = "v1_sha256_70d57f2c24d4ae6f17339bfb998589a3b10f5dd4b19ac8a5bc99e082145c4ed0" score = 75 quality = 90 tags = "INFO, FILE" @@ -45908,7 +45908,7 @@ rule REVERSINGLABS_Cert_Blocklist_0F20A5155E53Ce20Bb644F646Ed6A2Fd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CB CAM SP Z O O" and pe.signatures[i].serial=="0f:20:a5:15:5e:53:ce:20:bb:64:4f:64:6e:d6:a2:fd" and 1635196200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CB CAM SP Z O O" and pe.signatures [ i ] . serial == "0f:20:a5:15:5e:53:ce:20:bb:64:4f:64:6e:d6:a2:fd" and 1635196200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45917,13 +45917,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ea734E1Dfb6E69Ed2Bc55E513Bf95B5E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8e059a2a-c436-5247-b395-a2f594c1c9a9" + id = "4305355e-43e1-5a90-8536-b9c159475957" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9860-L9878" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a18d1c1e5e22c1aa041a4b2d23d2aefcbedbd3517a079d578e1a143ecadb4533" + logic_hash = "v1_sha256_a18d1c1e5e22c1aa041a4b2d23d2aefcbedbd3517a079d578e1a143ecadb4533" score = 75 quality = 90 tags = "INFO, FILE" @@ -45933,7 +45933,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ea734E1Dfb6E69Ed2Bc55E513Bf95B5E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Postmarket LLC" and (pe.signatures[i].serial=="00:ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e" or pe.signatures[i].serial=="ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e") and 1635153791<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Postmarket LLC" and ( pe.signatures [ i ] . serial == "00:ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e" or pe.signatures [ i ] . serial == "ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e" ) and 1635153791 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45942,13 +45942,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ba67B0De51Ebb9B1179804E75357Ab26 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "63938a97-2cb3-52b0-9717-c8949e3fae46" + id = "5c23cb5f-e702-5550-ab0f-0c9bf109a098" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9880-L9898" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "69b9012fc4ab9636d159de49ff452f054030c1157cf70a95512b2a0748dad7c0" + logic_hash = "v1_sha256_69b9012fc4ab9636d159de49ff452f054030c1157cf70a95512b2a0748dad7c0" score = 75 quality = 90 tags = "INFO, FILE" @@ -45958,7 +45958,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ba67B0De51Ebb9B1179804E75357Ab26 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Fjordland Bike Wear ApS" and (pe.signatures[i].serial=="00:ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26" or pe.signatures[i].serial=="ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26") and 1636145940<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Fjordland Bike Wear ApS" and ( pe.signatures [ i ] . serial == "00:ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26" or pe.signatures [ i ] . serial == "ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26" ) and 1636145940 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45967,13 +45967,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cff2B275Ba8A1Dde83Ac7Ff858399A62 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "50cc539a-1f00-566d-a83f-b4d8459506d8" + id = "7147d5e4-ce86-54bd-be45-b76070b82f49" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9900-L9918" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d37e1d94048339a86b8fa173d3ab753fc5e79329b73df9fda5815cd622c57745" + logic_hash = "v1_sha256_d37e1d94048339a86b8fa173d3ab753fc5e79329b73df9fda5815cd622c57745" score = 75 quality = 90 tags = "INFO, FILE" @@ -45983,7 +45983,7 @@ rule REVERSINGLABS_Cert_Blocklist_Cff2B275Ba8A1Dde83Ac7Ff858399A62 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "XL-FORCE ApS" and (pe.signatures[i].serial=="00:cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62" or pe.signatures[i].serial=="cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62") and 1636111842<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "XL-FORCE ApS" and ( pe.signatures [ i ] . serial == "00:cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62" or pe.signatures [ i ] . serial == "cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62" ) and 1636111842 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -45992,13 +45992,13 @@ rule REVERSINGLABS_Cert_Blocklist_D22E026C5B5966F1Cf6Ef00A7C06682E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a72a0001-a272-506d-b610-c028ed8ac6da" + id = "57401f7a-7e4c-528f-a708-284384f40b53" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9920-L9938" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "33a05d46b40ffdf49bfa5facca41ebdf6bedcabc1cb1f5b9bf2d043ad1c869b0" + logic_hash = "v1_sha256_33a05d46b40ffdf49bfa5facca41ebdf6bedcabc1cb1f5b9bf2d043ad1c869b0" score = 75 quality = 90 tags = "INFO, FILE" @@ -46008,7 +46008,7 @@ rule REVERSINGLABS_Cert_Blocklist_D22E026C5B5966F1Cf6Ef00A7C06682E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AMCERT, LLC" and (pe.signatures[i].serial=="00:d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e" or pe.signatures[i].serial=="d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e") and 1636456620<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AMCERT, LLC" and ( pe.signatures [ i ] . serial == "00:d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e" or pe.signatures [ i ] . serial == "d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e" ) and 1636456620 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46017,13 +46017,13 @@ rule REVERSINGLABS_Cert_Blocklist_3054F940C931Bad7B238A24376C6A5Cc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e5643d08-5957-58b0-8b46-d5e339dfba9c" + id = "58541366-547c-5e0c-9838-573686e8f4cc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9940-L9956" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "21c8e8f10d1e4b9eb917c86ac868de2afcd5776a9c1d59149df1d07d8c3e14b9" + logic_hash = "v1_sha256_21c8e8f10d1e4b9eb917c86ac868de2afcd5776a9c1d59149df1d07d8c3e14b9" score = 75 quality = 90 tags = "INFO, FILE" @@ -46033,7 +46033,7 @@ rule REVERSINGLABS_Cert_Blocklist_3054F940C931Bad7B238A24376C6A5Cc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "POLE CLEAN LTD" and pe.signatures[i].serial=="30:54:f9:40:c9:31:ba:d7:b2:38:a2:43:76:c6:a5:cc" and 1637030220<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "POLE CLEAN LTD" and pe.signatures [ i ] . serial == "30:54:f9:40:c9:31:ba:d7:b2:38:a2:43:76:c6:a5:cc" and 1637030220 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46042,13 +46042,13 @@ rule REVERSINGLABS_Cert_Blocklist_A617E23D6Ca8F34E2F7413Cd299Fc72B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3ffb592c-eec5-51b1-9840-b6b72269fc31" + id = "18e4d04b-ef20-5119-beab-023532f8329a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9958-L9976" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f307a0b598f0876c003aa43db50e024698b6f93931e626c085f98553c14ec2ae" + logic_hash = "v1_sha256_f307a0b598f0876c003aa43db50e024698b6f93931e626c085f98553c14ec2ae" score = 75 quality = 90 tags = "INFO, FILE" @@ -46058,7 +46058,7 @@ rule REVERSINGLABS_Cert_Blocklist_A617E23D6Ca8F34E2F7413Cd299Fc72B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "EXPRESS BOOKS LTD" and (pe.signatures[i].serial=="00:a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b" or pe.signatures[i].serial=="a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b") and 1636971821<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "EXPRESS BOOKS LTD" and ( pe.signatures [ i ] . serial == "00:a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b" or pe.signatures [ i ] . serial == "a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b" ) and 1636971821 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46067,13 +46067,13 @@ rule REVERSINGLABS_Cert_Blocklist_387Eeb89B8Bf626Bbf4C7C9F5B998B40 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2f4a26f2-689a-57bd-8028-d3554e339e60" + id = "7897e88e-2e46-5aed-99a9-9c193d48de42" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9978-L9994" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2377eeb5316d25752443735e78d0ad7de398a2677f5a0fd45fd6e6c87720d49b" + logic_hash = "v1_sha256_2377eeb5316d25752443735e78d0ad7de398a2677f5a0fd45fd6e6c87720d49b" score = 75 quality = 90 tags = "INFO, FILE" @@ -46083,7 +46083,7 @@ rule REVERSINGLABS_Cert_Blocklist_387Eeb89B8Bf626Bbf4C7C9F5B998B40 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ULTRA ACADEMY LTD" and pe.signatures[i].serial=="38:7e:eb:89:b8:bf:62:6b:bf:4c:7c:9f:5b:99:8b:40" and 1637141034<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ULTRA ACADEMY LTD" and pe.signatures [ i ] . serial == "38:7e:eb:89:b8:bf:62:6b:bf:4c:7c:9f:5b:99:8b:40" and 1637141034 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46092,13 +46092,13 @@ rule REVERSINGLABS_Cert_Blocklist_292Eb1133507F42E6F36C5549C189D5E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b557864d-c573-5789-9959-8df3036d5ac5" + id = "d575f9c6-b681-532a-9292-27ba900ebb05" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9996-L10012" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bc3ef217455b74900cae114d25b02325d2bef25c11873342df1dd2369cbce76a" + logic_hash = "v1_sha256_bc3ef217455b74900cae114d25b02325d2bef25c11873342df1dd2369cbce76a" score = 75 quality = 90 tags = "INFO, FILE" @@ -46108,7 +46108,7 @@ rule REVERSINGLABS_Cert_Blocklist_292Eb1133507F42E6F36C5549C189D5E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Affairs-case s.r.o." and pe.signatures[i].serial=="29:2e:b1:13:35:07:f4:2e:6f:36:c5:54:9c:18:9d:5e" and 1638832273<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Affairs-case s.r.o." and pe.signatures [ i ] . serial == "29:2e:b1:13:35:07:f4:2e:6f:36:c5:54:9c:18:9d:5e" and 1638832273 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46117,13 +46117,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Fbf16A33D26390A15F046C310030Cf0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "620c04df-e613-5319-aa00-646c7e0c8031" + id = "95d4810c-e3af-5a7a-8afa-abd412da7820" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10014-L10030" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "24bee3563e0867ef6702e7f57bbce7075f766410650ae5ce1e2e8c7b14a3eaca" + logic_hash = "v1_sha256_24bee3563e0867ef6702e7f57bbce7075f766410650ae5ce1e2e8c7b14a3eaca" score = 75 quality = 90 tags = "INFO, FILE" @@ -46133,7 +46133,7 @@ rule REVERSINGLABS_Cert_Blocklist_5Fbf16A33D26390A15F046C310030Cf0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MACHINES SATU MARE SRL" and pe.signatures[i].serial=="5f:bf:16:a3:3d:26:39:0a:15:f0:46:c3:10:03:0c:f0" and 1638390070<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MACHINES SATU MARE SRL" and pe.signatures [ i ] . serial == "5f:bf:16:a3:3d:26:39:0a:15:f0:46:c3:10:03:0c:f0" and 1638390070 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46142,13 +46142,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F007898Afcba5F8Af8Ae65D01803617 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6678bd73-bf4d-5576-8bf2-b721ee288da7" + id = "d9a85882-ffea-50c7-a86c-dc897b63cf46" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10032-L10048" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "27610bb3bf069991803611474abf44a3bf82fc9283d0412a1c24ae46a3f5352e" + logic_hash = "v1_sha256_27610bb3bf069991803611474abf44a3bf82fc9283d0412a1c24ae46a3f5352e" score = 75 quality = 90 tags = "INFO, FILE" @@ -46158,7 +46158,7 @@ rule REVERSINGLABS_Cert_Blocklist_0F007898Afcba5F8Af8Ae65D01803617 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TechnoElek s.r.o." and pe.signatures[i].serial=="0f:00:78:98:af:cb:a5:f8:af:8a:e6:5d:01:80:36:17" and 1638372946<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TechnoElek s.r.o." and pe.signatures [ i ] . serial == "0f:00:78:98:af:cb:a5:f8:af:8a:e6:5d:01:80:36:17" and 1638372946 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46167,13 +46167,13 @@ rule REVERSINGLABS_Cert_Blocklist_E55Be88Ddbd93C423220468D430905Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "37e60515-0395-51a5-8bfa-35e3e336d60c" + id = "b7d539b9-ab81-5286-b993-f4042163c7b2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10050-L10068" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "05b2f297454e7080591b85991b224193eb89fc5074eb3c2e484ceadad2de4cb7" + logic_hash = "v1_sha256_05b2f297454e7080591b85991b224193eb89fc5074eb3c2e484ceadad2de4cb7" score = 75 quality = 90 tags = "INFO, FILE" @@ -46183,7 +46183,7 @@ rule REVERSINGLABS_Cert_Blocklist_E55Be88Ddbd93C423220468D430905Dd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VALVE ACTUATION LTD" and (pe.signatures[i].serial=="00:e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd" or pe.signatures[i].serial=="e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd") and 1637712000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VALVE ACTUATION LTD" and ( pe.signatures [ i ] . serial == "00:e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd" or pe.signatures [ i ] . serial == "e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd" ) and 1637712000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46192,13 +46192,13 @@ rule REVERSINGLABS_Cert_Blocklist_06Bcb74291D96096577Bdb1E165Dce85 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "da483b60-d400-54ef-84e0-ea00b299b466" + id = "e43ddd3d-d507-5ac1-9537-e6ba4e869ba0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10070-L10086" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "00b7ff8f3cbc04c48c71433c384d7a7884b856f261850e33ea4413a12cf5a1b5" + logic_hash = "v1_sha256_00b7ff8f3cbc04c48c71433c384d7a7884b856f261850e33ea4413a12cf5a1b5" score = 75 quality = 90 tags = "INFO, FILE" @@ -46208,7 +46208,7 @@ rule REVERSINGLABS_Cert_Blocklist_06Bcb74291D96096577Bdb1E165Dce85 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Revo Security SRL" and pe.signatures[i].serial=="06:bc:b7:42:91:d9:60:96:57:7b:db:1e:16:5d:ce:85" and 1637971201<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Revo Security SRL" and pe.signatures [ i ] . serial == "06:bc:b7:42:91:d9:60:96:57:7b:db:1e:16:5d:ce:85" and 1637971201 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46217,13 +46217,13 @@ rule REVERSINGLABS_Cert_Blocklist_C8442A8185082Ef1Ed7Dc3Fff2176Aa7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2a56ff80-584b-5b8b-80ae-e763339cd17a" + id = "1f4aecf7-2be1-505f-8e97-4c4a7395128d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10088-L10106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "74b1b48f0179187ea7bb8ef4663bf13da47f5c6405ecc5589706184564c05727" + logic_hash = "v1_sha256_74b1b48f0179187ea7bb8ef4663bf13da47f5c6405ecc5589706184564c05727" score = 75 quality = 90 tags = "INFO, FILE" @@ -46233,7 +46233,7 @@ rule REVERSINGLABS_Cert_Blocklist_C8442A8185082Ef1Ed7Dc3Fff2176Aa7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ambidekstr LLC" and (pe.signatures[i].serial=="00:c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7" or pe.signatures[i].serial=="c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7") and 1616976000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ambidekstr LLC" and ( pe.signatures [ i ] . serial == "00:c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7" or pe.signatures [ i ] . serial == "c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7" ) and 1616976000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46242,13 +46242,13 @@ rule REVERSINGLABS_Cert_Blocklist_0406C4A1521A38C8D0C4Aa214388E4Dc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9019330e-5ab5-5d37-85a1-0e882dbd68ce" + id = "b33acd6e-5bcf-5d3f-bcf6-1c7de4b4e23e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10108-L10124" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f6780751ae553771eb57201a8672847a24512e6279b6a4fd843d8ee2f326860a" + logic_hash = "v1_sha256_f6780751ae553771eb57201a8672847a24512e6279b6a4fd843d8ee2f326860a" score = 75 quality = 90 tags = "INFO, FILE" @@ -46258,7 +46258,7 @@ rule REVERSINGLABS_Cert_Blocklist_0406C4A1521A38C8D0C4Aa214388E4Dc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Venezia Design SRL" and pe.signatures[i].serial=="04:06:c4:a1:52:1a:38:c8:d0:c4:aa:21:43:88:e4:dc" and 1641859201<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Venezia Design SRL" and pe.signatures [ i ] . serial == "04:06:c4:a1:52:1a:38:c8:d0:c4:aa:21:43:88:e4:dc" and 1641859201 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46267,13 +46267,13 @@ rule REVERSINGLABS_Cert_Blocklist_12705Fb66Bc22C68372A1C4E5Fa662E2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "78f9fdf0-d8c6-5316-8053-42f77adf95d1" + id = "e567de47-c085-5798-8903-0af2a870fc78" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10126-L10142" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f10316a26e2d34400b7c2e403eab18ab6c1cc94b35f0ac8a3f490d101d29dc8d" + logic_hash = "v1_sha256_f10316a26e2d34400b7c2e403eab18ab6c1cc94b35f0ac8a3f490d101d29dc8d" score = 75 quality = 90 tags = "INFO, FILE" @@ -46283,7 +46283,7 @@ rule REVERSINGLABS_Cert_Blocklist_12705Fb66Bc22C68372A1C4E5Fa662E2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "APRIL BROTHERS LTD" and pe.signatures[i].serial=="12:70:5f:b6:6b:c2:2c:68:37:2a:1c:4e:5f:a6:62:e2" and 1642464000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "APRIL BROTHERS LTD" and pe.signatures [ i ] . serial == "12:70:5f:b6:6b:c2:2c:68:37:2a:1c:4e:5f:a6:62:e2" and 1642464000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46292,13 +46292,13 @@ rule REVERSINGLABS_Cert_Blocklist_3B0914E2982Be8980Aa23F49848555E5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "88ca65c4-ba0d-5676-979b-4fac737d4f21" + id = "b28819ae-6c3d-5502-b9b8-9ea65249e0c0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10144-L10160" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ea7d9fa7817751fef775765b54be5dd4d00c15ca50ac10fb40fb46cc3634c7b0" + logic_hash = "v1_sha256_ea7d9fa7817751fef775765b54be5dd4d00c15ca50ac10fb40fb46cc3634c7b0" score = 75 quality = 90 tags = "INFO, FILE" @@ -46308,7 +46308,7 @@ rule REVERSINGLABS_Cert_Blocklist_3B0914E2982Be8980Aa23F49848555E5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Office Rat s.r.o." and pe.signatures[i].serial=="3b:09:14:e2:98:2b:e8:98:0a:a2:3f:49:84:85:55:e5" and 1643155200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Office Rat s.r.o." and pe.signatures [ i ] . serial == "3b:09:14:e2:98:2b:e8:98:0a:a2:3f:49:84:85:55:e5" and 1643155200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46317,13 +46317,13 @@ rule REVERSINGLABS_Cert_Blocklist_029Bf7E1Cb09Fe277564Bd27C267De5A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1e66d13c-3345-592c-9bf8-b8a566c8b9e6" + id = "6d59b221-d608-5c17-b23b-f43aeb6d1866" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10162-L10178" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3f64372d11d61c669580d90cdf2201e7f2904fb3d73d27be2ff1559c9c37614a" + logic_hash = "v1_sha256_3f64372d11d61c669580d90cdf2201e7f2904fb3d73d27be2ff1559c9c37614a" score = 75 quality = 90 tags = "INFO, FILE" @@ -46333,7 +46333,7 @@ rule REVERSINGLABS_Cert_Blocklist_029Bf7E1Cb09Fe277564Bd27C267De5A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SAMOYAJ LIMITED" and pe.signatures[i].serial=="02:9b:f7:e1:cb:09:fe:27:75:64:bd:27:c2:67:de:5a" and 1637712001<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SAMOYAJ LIMITED" and pe.signatures [ i ] . serial == "02:9b:f7:e1:cb:09:fe:27:75:64:bd:27:c2:67:de:5a" and 1637712001 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46342,13 +46342,13 @@ rule REVERSINGLABS_Cert_Blocklist_D3Aee8Abb9948844A3Ac1C04Cc7E6Bdf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6da50886-7f15-5565-9a1a-f6fb25a729ac" + id = "d1a109c0-a904-52f6-906c-b4e1e76b8d02" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10180-L10198" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3f3f1d5c871d2b73627d4281ac5bcd08799fb47f94155e82795d97c87de35e40" + logic_hash = "v1_sha256_3f3f1d5c871d2b73627d4281ac5bcd08799fb47f94155e82795d97c87de35e40" score = 75 quality = 90 tags = "INFO, FILE" @@ -46358,7 +46358,7 @@ rule REVERSINGLABS_Cert_Blocklist_D3Aee8Abb9948844A3Ac1C04Cc7E6Bdf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HOUSE 9A s.r.o" and (pe.signatures[i].serial=="00:d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df" or pe.signatures[i].serial=="d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df") and 1640822400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HOUSE 9A s.r.o" and ( pe.signatures [ i ] . serial == "00:d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df" or pe.signatures [ i ] . serial == "d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df" ) and 1640822400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46367,13 +46367,13 @@ rule REVERSINGLABS_Cert_Blocklist_734819463C1195Bd6E135Ce4D5Bf49Bc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f7dd21fa-1501-50b2-bd9c-c33cfd932a6b" + id = "207ac3ef-4fb6-5c0f-974a-b2481001650f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10200-L10216" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a63c05cca23b61ba6eabda2b60c617b966a2669fd3a0da30354792e5c1ae2140" + logic_hash = "v1_sha256_a63c05cca23b61ba6eabda2b60c617b966a2669fd3a0da30354792e5c1ae2140" score = 75 quality = 90 tags = "INFO, FILE" @@ -46383,7 +46383,7 @@ rule REVERSINGLABS_Cert_Blocklist_734819463C1195Bd6E135Ce4D5Bf49Bc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "videoalarm s. r. o." and pe.signatures[i].serial=="73:48:19:46:3c:11:95:bd:6e:13:5c:e4:d5:bf:49:bc" and 1637884800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "videoalarm s. r. o." and pe.signatures [ i ] . serial == "73:48:19:46:3c:11:95:bd:6e:13:5c:e4:d5:bf:49:bc" and 1637884800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46392,13 +46392,13 @@ rule REVERSINGLABS_Cert_Blocklist_Db95B22362D46A73C39E0Ac924883C5B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "527b7963-340e-5d8f-b7e1-1269c0073ec9" + id = "3e0e19be-bfab-5598-8bf3-cb5033ad0b5a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10218-L10236" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "895983bcb7f3a0c5ce54504f4a2ff8d652137434b8951380d756de6556d0844e" + logic_hash = "v1_sha256_895983bcb7f3a0c5ce54504f4a2ff8d652137434b8951380d756de6556d0844e" score = 75 quality = 90 tags = "INFO, FILE" @@ -46408,7 +46408,7 @@ rule REVERSINGLABS_Cert_Blocklist_Db95B22362D46A73C39E0Ac924883C5B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SPSLTD PLYMOUTH LTD" and (pe.signatures[i].serial=="00:db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b" or pe.signatures[i].serial=="db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b") and 1621296000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SPSLTD PLYMOUTH LTD" and ( pe.signatures [ i ] . serial == "00:db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b" or pe.signatures [ i ] . serial == "db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b" ) and 1621296000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46417,13 +46417,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C48732873Ac8Ccebaf8F0E1E8329Cec : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b531341a-e8ac-5b56-a202-3c072f5d2ce0" + id = "74c0953c-e661-59f1-b9d9-6d05ce318dc8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10238-L10254" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7c9476a4119e013c8bb3c14b607090d592feaa5f2fc0f78d810555681d4a3733" + logic_hash = "v1_sha256_7c9476a4119e013c8bb3c14b607090d592feaa5f2fc0f78d810555681d4a3733" score = 75 quality = 90 tags = "INFO, FILE" @@ -46433,7 +46433,7 @@ rule REVERSINGLABS_Cert_Blocklist_0C48732873Ac8Ccebaf8F0E1E8329Cec : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Hermetica Digital Ltd" and pe.signatures[i].serial=="0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec" and 1618272000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Hermetica Digital Ltd" and pe.signatures [ i ] . serial == "0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec" and 1618272000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46442,13 +46442,13 @@ rule REVERSINGLABS_Cert_Blocklist_C51F4Cf4D82Bc920421E1Ad93E39D490 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "727aba82-c908-51a6-9f1f-7fd8df424d8c" + id = "a8eba8f4-e96d-5480-92ac-b14ac82a7bf7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10256-L10274" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cef717e7fe3eb0fb958d405caaf98fa51b22b150ccbf1286d3b4634e9df81ade" + logic_hash = "v1_sha256_cef717e7fe3eb0fb958d405caaf98fa51b22b150ccbf1286d3b4634e9df81ade" score = 75 quality = 90 tags = "INFO, FILE" @@ -46458,7 +46458,7 @@ rule REVERSINGLABS_Cert_Blocklist_C51F4Cf4D82Bc920421E1Ad93E39D490 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CUT AHEAD LTD" and (pe.signatures[i].serial=="00:c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90" or pe.signatures[i].serial=="c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90") and 1644624000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CUT AHEAD LTD" and ( pe.signatures [ i ] . serial == "00:c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90" or pe.signatures [ i ] . serial == "c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90" ) and 1644624000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46467,13 +46467,13 @@ rule REVERSINGLABS_Cert_Blocklist_C96086F1894E6420D2B4Bdeea834C4D7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1268461b-676c-59b8-80c1-c54dbe1a265f" + id = "b9975050-82fa-5606-93e0-4950d495fb3f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10276-L10294" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "949bbd41ad4c83a05c1f004786cd296e2af80a3a559955ec90a4675cdfa04258" + logic_hash = "v1_sha256_949bbd41ad4c83a05c1f004786cd296e2af80a3a559955ec90a4675cdfa04258" score = 75 quality = 90 tags = "INFO, FILE" @@ -46483,7 +46483,7 @@ rule REVERSINGLABS_Cert_Blocklist_C96086F1894E6420D2B4Bdeea834C4D7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "THE FAITH SP Z O O" and (pe.signatures[i].serial=="00:c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7" or pe.signatures[i].serial=="c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7") and 1644969600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "THE FAITH SP Z O O" and ( pe.signatures [ i ] . serial == "00:c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7" or pe.signatures [ i ] . serial == "c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7" ) and 1644969600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46492,13 +46492,13 @@ rule REVERSINGLABS_Cert_Blocklist_06Fa27A121Cc82230C3013Ee634B6C62 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4520e544-7a41-5dde-b90b-46cf3349297c" + id = "ca88f7ec-57ff-5e4e-9ccb-1d97dc2aff26" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10296-L10312" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "23ac7a97e7632536ed27cf9078b6bc1a734f1e991a20a228734b45117582f367" + logic_hash = "v1_sha256_23ac7a97e7632536ed27cf9078b6bc1a734f1e991a20a228734b45117582f367" score = 75 quality = 90 tags = "INFO, FILE" @@ -46508,7 +46508,7 @@ rule REVERSINGLABS_Cert_Blocklist_06Fa27A121Cc82230C3013Ee634B6C62 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Zimmi Consulting Inc" and pe.signatures[i].serial=="06:fa:27:a1:21:cc:82:23:0c:30:13:ee:63:4b:6c:62" and 1645142401<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Zimmi Consulting Inc" and pe.signatures [ i ] . serial == "06:fa:27:a1:21:cc:82:23:0c:30:13:ee:63:4b:6c:62" and 1645142401 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46517,13 +46517,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Dd3B2F7957Ba99F4B04Fcdbe03B7Aac : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "25229478-e891-5e0a-b738-6ca1fdd0012c" + id = "96da816e-c564-51f6-89c0-1b8fa54250c5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10314-L10332" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d4f1b75dddd47fe8a19bd8e794b4930bdcaf54d63db57422db0a9b631d4f488d" + logic_hash = "v1_sha256_d4f1b75dddd47fe8a19bd8e794b4930bdcaf54d63db57422db0a9b631d4f488d" score = 75 quality = 90 tags = "INFO, FILE" @@ -46533,7 +46533,7 @@ rule REVERSINGLABS_Cert_Blocklist_9Dd3B2F7957Ba99F4B04Fcdbe03B7Aac : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DOD MEDIA LIMITED" and (pe.signatures[i].serial=="00:9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac" or pe.signatures[i].serial=="9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac") and 1646438400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DOD MEDIA LIMITED" and ( pe.signatures [ i ] . serial == "00:9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac" or pe.signatures [ i ] . serial == "9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac" ) and 1646438400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46542,13 +46542,13 @@ rule REVERSINGLABS_Cert_Blocklist_061051Ff2A8Afab10347A6F1Ff08Ecb6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4e23648f-9770-53ad-9c62-6e6239a02aa7" + id = "1670f233-0aa8-5076-8314-345c2b2b3610" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10334-L10350" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "db3ac3ee326c60e9abc94a2fb53d801637f044e7ab72d69e53958799e48747b7" + logic_hash = "v1_sha256_db3ac3ee326c60e9abc94a2fb53d801637f044e7ab72d69e53958799e48747b7" score = 75 quality = 90 tags = "INFO, FILE" @@ -46558,7 +46558,7 @@ rule REVERSINGLABS_Cert_Blocklist_061051Ff2A8Afab10347A6F1Ff08Ecb6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TACHOPARTS SP Z O O" and pe.signatures[i].serial=="06:10:51:ff:2a:8a:fa:b1:03:47:a6:f1:ff:08:ec:b6" and 1606435200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TACHOPARTS SP Z O O" and pe.signatures [ i ] . serial == "06:10:51:ff:2a:8a:fa:b1:03:47:a6:f1:ff:08:ec:b6" and 1606435200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46567,13 +46567,13 @@ rule REVERSINGLABS_Cert_Blocklist_Eda2429083Bfafb04E6E7Bdda1B08834 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0f5852c4-7866-5e12-97e9-c73972def6c5" + id = "ce1ecadb-7f9d-506f-b82a-ac5967108595" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10352-L10370" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4f7d5c6929fe364c8868fddb28dd7bbf7cdcf3896d57836466af1a538190d11c" + logic_hash = "v1_sha256_4f7d5c6929fe364c8868fddb28dd7bbf7cdcf3896d57836466af1a538190d11c" score = 75 quality = 90 tags = "INFO, FILE" @@ -46583,7 +46583,7 @@ rule REVERSINGLABS_Cert_Blocklist_Eda2429083Bfafb04E6E7Bdda1B08834 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OWLNET LIMITED" and (pe.signatures[i].serial=="00:ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34" or pe.signatures[i].serial=="ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34") and 1625011200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OWLNET LIMITED" and ( pe.signatures [ i ] . serial == "00:ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34" or pe.signatures [ i ] . serial == "ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34" ) and 1625011200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46592,13 +46592,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A590154B5980E566314122987Dea548 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fd2a2165-494b-5655-a322-73f033643c74" + id = "c559c6e7-25e4-5aa1-95b1-d5d69666378c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10372-L10388" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d5fdf2bc61fadf3e73bcf1695c48ebc465e614cdd2310f9e5f40648d9615afc4" + logic_hash = "v1_sha256_d5fdf2bc61fadf3e73bcf1695c48ebc465e614cdd2310f9e5f40648d9615afc4" score = 75 quality = 90 tags = "INFO, FILE" @@ -46608,7 +46608,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A590154B5980E566314122987Dea548 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Maya logistika d.o.o." and pe.signatures[i].serial=="0a:59:01:54:b5:98:0e:56:63:14:12:29:87:de:a5:48" and 1636416000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Maya logistika d.o.o." and pe.signatures [ i ] . serial == "0a:59:01:54:b5:98:0e:56:63:14:12:29:87:de:a5:48" and 1636416000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46617,13 +46617,13 @@ rule REVERSINGLABS_Cert_Blocklist_69A72F5591Ad78A0825Fbb9402Ab9543 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "938cdd31-433d-5df7-b00e-54a7e440810b" + id = "47c47734-b299-50bf-8f47-db30eb25acdf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10390-L10406" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "72ca07b7722f9506c5c42b5e58c5ce9b3a7d607164a5f265015769f2831cd588" + logic_hash = "v1_sha256_72ca07b7722f9506c5c42b5e58c5ce9b3a7d607164a5f265015769f2831cd588" score = 75 quality = 90 tags = "INFO, FILE" @@ -46633,7 +46633,7 @@ rule REVERSINGLABS_Cert_Blocklist_69A72F5591Ad78A0825Fbb9402Ab9543 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PUSH BANK LIMITED" and pe.signatures[i].serial=="69:a7:2f:55:91:ad:78:a0:82:5f:bb:94:02:ab:95:43" and 1581811200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PUSH BANK LIMITED" and pe.signatures [ i ] . serial == "69:a7:2f:55:91:ad:78:a0:82:5f:bb:94:02:ab:95:43" and 1581811200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46642,13 +46642,13 @@ rule REVERSINGLABS_Cert_Blocklist_0883Db137021B51F3A2A08A76A4Bc066 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "792111be-7c8a-53f5-9ec3-e1f25f083666" + id = "13158822-8817-5f37-b7eb-0565fb4f0f30" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10408-L10424" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5e3c8654169830790665992f5d7669d0ca6c1c8048580b3ae70331ad2a763a6c" + logic_hash = "v1_sha256_5e3c8654169830790665992f5d7669d0ca6c1c8048580b3ae70331ad2a763a6c" score = 75 quality = 90 tags = "INFO, FILE" @@ -46658,7 +46658,7 @@ rule REVERSINGLABS_Cert_Blocklist_0883Db137021B51F3A2A08A76A4Bc066 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Divertida Creative Limited" and pe.signatures[i].serial=="08:83:db:13:70:21:b5:1f:3a:2a:08:a7:6a:4b:c0:66" and 1627430400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Divertida Creative Limited" and pe.signatures [ i ] . serial == "08:83:db:13:70:21:b5:1f:3a:2a:08:a7:6a:4b:c0:66" and 1627430400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46667,13 +46667,13 @@ rule REVERSINGLABS_Cert_Blocklist_2B921Aaaba777B5A99507196C6F1C46C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0cb5be9e-a0b7-5785-87f3-ad097d4ab479" + id = "26dbc0cd-c6a5-5f05-8e94-6e75ca475882" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10426-L10442" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a00eb9837f7700d83862dff2077d85c68c24621d7aacf857b42587dc37976465" + logic_hash = "v1_sha256_a00eb9837f7700d83862dff2077d85c68c24621d7aacf857b42587dc37976465" score = 75 quality = 90 tags = "INFO, FILE" @@ -46683,7 +46683,7 @@ rule REVERSINGLABS_Cert_Blocklist_2B921Aaaba777B5A99507196C6F1C46C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Python Software Foundation" and pe.signatures[i].serial=="2b:92:1a:aa:ba:77:7b:5a:99:50:71:96:c6:f1:c4:6c" and 1648425600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Python Software Foundation" and pe.signatures [ i ] . serial == "2b:92:1a:aa:ba:77:7b:5a:99:50:71:96:c6:f1:c4:6c" and 1648425600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46692,13 +46692,13 @@ rule REVERSINGLABS_Cert_Blocklist_0332D5C942869Bdcabf5A8266197Cd14 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b1c650bb-b53f-5cca-8cc2-4d3498285d31" + id = "f3ab27d5-3661-52dd-838d-5effe5315deb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10444-L10460" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "726ac44dd8109fcd0a9120f6c0673b8ecf7d5b3a4bb81976f48402e21502201a" + logic_hash = "v1_sha256_726ac44dd8109fcd0a9120f6c0673b8ecf7d5b3a4bb81976f48402e21502201a" score = 75 quality = 90 tags = "INFO, FILE" @@ -46708,7 +46708,7 @@ rule REVERSINGLABS_Cert_Blocklist_0332D5C942869Bdcabf5A8266197Cd14 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "JAWRO SP Z O O" and pe.signatures[i].serial=="03:32:d5:c9:42:86:9b:dc:ab:f5:a8:26:61:97:cd:14" and 1622160000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "JAWRO SP Z O O" and pe.signatures [ i ] . serial == "03:32:d5:c9:42:86:9b:dc:ab:f5:a8:26:61:97:cd:14" and 1622160000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46717,13 +46717,13 @@ rule REVERSINGLABS_Cert_Blocklist_4679C5398A279318365Fd77A84445699 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8d1810e7-9b64-52b3-91c6-f03832d61d3a" + id = "791a842f-af74-5500-b3c3-a93a19c1efd7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10462-L10478" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bdb68be92b3ba6b5eaa6e8e963529c0b9213942ba2552c687496ad5d12d5b472" + logic_hash = "v1_sha256_bdb68be92b3ba6b5eaa6e8e963529c0b9213942ba2552c687496ad5d12d5b472" score = 75 quality = 90 tags = "INFO, FILE" @@ -46733,7 +46733,7 @@ rule REVERSINGLABS_Cert_Blocklist_4679C5398A279318365Fd77A84445699 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HURT GROUP HOLDINGS LIMITED" and pe.signatures[i].serial=="46:79:c5:39:8a:27:93:18:36:5f:d7:7a:84:44:56:99" and 1643846400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HURT GROUP HOLDINGS LIMITED" and pe.signatures [ i ] . serial == "46:79:c5:39:8a:27:93:18:36:5f:d7:7a:84:44:56:99" and 1643846400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46742,13 +46742,13 @@ rule REVERSINGLABS_Cert_Blocklist_101D6A5A29D9A77807553Ceac669D853 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "918fa696-5c92-551b-a87b-6410a6dc718a" + id = "ce9b507c-03cf-5965-bc76-f6cc2df1bab1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10480-L10496" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bce92750f71477ecfa7b8213724344708066c0e6133a47cd6758bbd9f8f9da5f" + logic_hash = "v1_sha256_bce92750f71477ecfa7b8213724344708066c0e6133a47cd6758bbd9f8f9da5f" score = 75 quality = 90 tags = "INFO, FILE" @@ -46758,7 +46758,7 @@ rule REVERSINGLABS_Cert_Blocklist_101D6A5A29D9A77807553Ceac669D853 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIC GROUP LIMITED" and pe.signatures[i].serial=="10:1d:6a:5a:29:d9:a7:78:07:55:3c:ea:c6:69:d8:53" and 1646352000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIC GROUP LIMITED" and pe.signatures [ i ] . serial == "10:1d:6a:5a:29:d9:a7:78:07:55:3c:ea:c6:69:d8:53" and 1646352000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46767,13 +46767,13 @@ rule REVERSINGLABS_Cert_Blocklist_6000F8C02B0A15B1E53B8399845Faddf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b025fe73-89fa-55f2-8b3a-cb46251669e6" + id = "f14ad762-0a8e-524c-93d2-438d38250311" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10498-L10514" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "00ceb241555154cab97ef616042dbd966f3a8fae257e142dfe6bad9559bd1724" + logic_hash = "v1_sha256_00ceb241555154cab97ef616042dbd966f3a8fae257e142dfe6bad9559bd1724" score = 75 quality = 90 tags = "INFO, FILE" @@ -46783,7 +46783,7 @@ rule REVERSINGLABS_Cert_Blocklist_6000F8C02B0A15B1E53B8399845Faddf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SAY LIMITED" and pe.signatures[i].serial=="60:00:f8:c0:2b:0a:15:b1:e5:3b:83:99:84:5f:ad:df" and 1644278400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SAY LIMITED" and pe.signatures [ i ] . serial == "60:00:f8:c0:2b:0a:15:b1:e5:3b:83:99:84:5f:ad:df" and 1644278400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46792,13 +46792,13 @@ rule REVERSINGLABS_Cert_Blocklist_121070Be1E782F206985543Bc7Bc58B6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3f5eee11-4106-5923-9563-84f81199bea0" + id = "6ac0c735-d903-5cb7-9a4b-0002a7356381" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10516-L10532" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a5d603cf64c8a16fa12daf9c6b5d0850e6145fb39b38442ed724ec0f849b8be9" + logic_hash = "v1_sha256_a5d603cf64c8a16fa12daf9c6b5d0850e6145fb39b38442ed724ec0f849b8be9" score = 75 quality = 90 tags = "INFO, FILE" @@ -46808,7 +46808,7 @@ rule REVERSINGLABS_Cert_Blocklist_121070Be1E782F206985543Bc7Bc58B6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Prod Can Holdings Inc." and pe.signatures[i].serial=="12:10:70:be:1e:78:2f:20:69:85:54:3b:c7:bc:58:b6" and 1647820800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Prod Can Holdings Inc." and pe.signatures [ i ] . serial == "12:10:70:be:1e:78:2f:20:69:85:54:3b:c7:bc:58:b6" and 1647820800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46817,13 +46817,13 @@ rule REVERSINGLABS_Cert_Blocklist_5226A724Cfa0B4Bc0164Ecda3F02A3Dc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5a4abffb-ac0d-5e70-8193-0cd1a83377ac" + id = "4de027e4-fce6-54d6-af6c-eb3f38b29e4b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10534-L10550" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ba1155b30761f48674aaa82a70a06fea30cced6518f089f3f9f173a4eb06a09" + logic_hash = "v1_sha256_0ba1155b30761f48674aaa82a70a06fea30cced6518f089f3f9f173a4eb06a09" score = 75 quality = 90 tags = "INFO, FILE" @@ -46833,7 +46833,7 @@ rule REVERSINGLABS_Cert_Blocklist_5226A724Cfa0B4Bc0164Ecda3F02A3Dc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VALENTE SP Z O O" and pe.signatures[i].serial=="52:26:a7:24:cf:a0:b4:bc:01:64:ec:da:3f:02:a3:dc" and 1647302400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VALENTE SP Z O O" and pe.signatures [ i ] . serial == "52:26:a7:24:cf:a0:b4:bc:01:64:ec:da:3f:02:a3:dc" and 1647302400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46842,13 +46842,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A7Be7722B65A866Ebcd3Bd7F8F10825 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2b177573-8b9f-538f-8d07-b7baede1148d" + id = "4bcefc41-f1a6-578e-8b59-305b1e007bd5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10552-L10568" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c4aa22241ef72d454db4ec0fb0933abfa7b1d8d1029b45410475832cda4a2af4" + logic_hash = "v1_sha256_c4aa22241ef72d454db4ec0fb0933abfa7b1d8d1029b45410475832cda4a2af4" score = 75 quality = 90 tags = "INFO, FILE" @@ -46858,7 +46858,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A7Be7722B65A866Ebcd3Bd7F8F10825 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rebound Infotech Limited" and pe.signatures[i].serial=="0a:7b:e7:72:2b:65:a8:66:eb:cd:3b:d7:f8:f1:08:25" and 1637971200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rebound Infotech Limited" and pe.signatures [ i ] . serial == "0a:7b:e7:72:2b:65:a8:66:eb:cd:3b:d7:f8:f1:08:25" and 1637971200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46867,13 +46867,13 @@ rule REVERSINGLABS_Cert_Blocklist_05634456Dbedb3556Ca8415E64815C5D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c9a05c35-2aed-5944-aad7-65ae2c290c6c" + id = "4382f846-0ce0-5b1f-a69f-b52e9f3dfab3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10570-L10586" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f5941c74821c0cd76633393d0346a9de2c7bccc666dc20b34c5b4d733faefc8f" + logic_hash = "v1_sha256_f5941c74821c0cd76633393d0346a9de2c7bccc666dc20b34c5b4d733faefc8f" score = 75 quality = 90 tags = "INFO, FILE" @@ -46883,7 +46883,7 @@ rule REVERSINGLABS_Cert_Blocklist_05634456Dbedb3556Ca8415E64815C5D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Walden Intertech Inc." and pe.signatures[i].serial=="05:63:44:56:db:ed:b3:55:6c:a8:41:5e:64:81:5c:5d" and 1648425600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Walden Intertech Inc." and pe.signatures [ i ] . serial == "05:63:44:56:db:ed:b3:55:6c:a8:41:5e:64:81:5c:5d" and 1648425600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46892,13 +46892,13 @@ rule REVERSINGLABS_Cert_Blocklist_2E07A8D6E3B25Ae010C8Ed2C4Ab0Fb37 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "39d23cbf-862f-5a3d-9e30-b3f0929963d5" + id = "e297b902-b471-5c8c-9733-f7058b5c83fe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10588-L10604" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bad2144c9cde02a75fa968e3c24178f3ba73b0addb2b4967f24733b933e0eeb6" + logic_hash = "v1_sha256_bad2144c9cde02a75fa968e3c24178f3ba73b0addb2b4967f24733b933e0eeb6" score = 75 quality = 90 tags = "INFO, FILE" @@ -46908,7 +46908,7 @@ rule REVERSINGLABS_Cert_Blocklist_2E07A8D6E3B25Ae010C8Ed2C4Ab0Fb37 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Emurasoft, Inc." and pe.signatures[i].serial=="2e:07:a8:d6:e3:b2:5a:e0:10:c8:ed:2c:4a:b0:fb:37" and 1650499200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Emurasoft, Inc." and pe.signatures [ i ] . serial == "2e:07:a8:d6:e3:b2:5a:e0:10:c8:ed:2c:4a:b0:fb:37" and 1650499200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46917,13 +46917,13 @@ rule REVERSINGLABS_Cert_Blocklist_30B4Eeebd88Fd205Acc8577Bbaed8655 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "27c60ade-41e1-5ba4-be8d-275edc01b5ba" + id = "d443322d-3193-518a-aabd-fb087867e02d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10606-L10622" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "673ec5a1cacb9a7be101a4a533baf5a1eab4e6dd8721c69e56636701c5303c72" + logic_hash = "v1_sha256_673ec5a1cacb9a7be101a4a533baf5a1eab4e6dd8721c69e56636701c5303c72" score = 75 quality = 90 tags = "INFO, FILE" @@ -46933,7 +46933,7 @@ rule REVERSINGLABS_Cert_Blocklist_30B4Eeebd88Fd205Acc8577Bbaed8655 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Enforcer Srl" and pe.signatures[i].serial=="30:b4:ee:eb:d8:8f:d2:05:ac:c8:57:7b:ba:ed:86:55" and 1646179200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Enforcer Srl" and pe.signatures [ i ] . serial == "30:b4:ee:eb:d8:8f:d2:05:ac:c8:57:7b:ba:ed:86:55" and 1646179200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46942,13 +46942,13 @@ rule REVERSINGLABS_Cert_Blocklist_B3391A6C1B3C6836533959E2384Ab4Ca : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ab274ae3-0884-517a-a221-2c952fc9d74c" + id = "59d20f81-c017-50cf-b36c-6b7f3be01ff2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10624-L10642" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "38e38acfbfbf63b7179d2f8656f70224afa9269a7bdecd10ccbbbd92a6a216d3" + logic_hash = "v1_sha256_38e38acfbfbf63b7179d2f8656f70224afa9269a7bdecd10ccbbbd92a6a216d3" score = 75 quality = 90 tags = "INFO, FILE" @@ -46958,7 +46958,7 @@ rule REVERSINGLABS_Cert_Blocklist_B3391A6C1B3C6836533959E2384Ab4Ca : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VERIFIED SOFTWARE LLC" and (pe.signatures[i].serial=="00:b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca" or pe.signatures[i].serial=="b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca") and 1595462400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VERIFIED SOFTWARE LLC" and ( pe.signatures [ i ] . serial == "00:b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca" or pe.signatures [ i ] . serial == "b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca" ) and 1595462400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46967,13 +46967,13 @@ rule REVERSINGLABS_Cert_Blocklist_05D50A0E09Bb9A836Ffb90A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f2e0959f-3bc6-5552-8f7a-f84672fb597d" + id = "0f5e412a-bafc-5518-bca6-0d72ba076778" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10644-L10660" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1bd1960cd6dd8bf83472dc2b1809b84ceb3db68a5e6c3ba68f28ad922230b2ed" + logic_hash = "v1_sha256_1bd1960cd6dd8bf83472dc2b1809b84ceb3db68a5e6c3ba68f28ad922230b2ed" score = 75 quality = 90 tags = "INFO, FILE" @@ -46983,7 +46983,7 @@ rule REVERSINGLABS_Cert_Blocklist_05D50A0E09Bb9A836Ffb90A3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Toliz Info Tech Solutions INC." and pe.signatures[i].serial=="05:d5:0a:0e:09:bb:9a:83:6f:fb:90:a3" and 1643892810<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Toliz Info Tech Solutions INC." and pe.signatures [ i ] . serial == "05:d5:0a:0e:09:bb:9a:83:6f:fb:90:a3" and 1643892810 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -46992,13 +46992,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A2787Fbb4627C91611573E323584113 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "64848927-6a60-5ea9-bae5-7d15c3f35ca6" + id = "4ce05212-6d22-558f-8eb9-e1a405f7493c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10662-L10678" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "efa352beafb56b95a89554bc8929f8e01a4da46eef1f6cf8a1487a2a06bc1b3e" + logic_hash = "v1_sha256_efa352beafb56b95a89554bc8929f8e01a4da46eef1f6cf8a1487a2a06bc1b3e" score = 75 quality = 90 tags = "INFO, FILE" @@ -47008,7 +47008,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A2787Fbb4627C91611573E323584113 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "exxon.com" and pe.signatures[i].serial=="0a:27:87:fb:b4:62:7c:91:61:15:73:e3:23:58:41:13" and 1640822400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "exxon.com" and pe.signatures [ i ] . serial == "0a:27:87:fb:b4:62:7c:91:61:15:73:e3:23:58:41:13" and 1640822400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47017,13 +47017,13 @@ rule REVERSINGLABS_Cert_Blocklist_1D36C4F439D651503589318F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f72b8e2c-b799-5aec-a69a-e42cdb3e2ae1" + id = "e6fb66f9-acf1-5fe0-bda2-e408a68f6fc6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10680-L10696" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "73dc3c01041d50100a8d5519afe1a80f470c30175f9ad1bf76ac287ac199a959" + logic_hash = "v1_sha256_73dc3c01041d50100a8d5519afe1a80f470c30175f9ad1bf76ac287ac199a959" score = 75 quality = 90 tags = "INFO, FILE" @@ -47033,7 +47033,7 @@ rule REVERSINGLABS_Cert_Blocklist_1D36C4F439D651503589318F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "REDWOOD MARKETING SOLUTIONS INC." and pe.signatures[i].serial=="1d:36:c4:f4:39:d6:51:50:35:89:31:8f" and 1651518469<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "REDWOOD MARKETING SOLUTIONS INC." and pe.signatures [ i ] . serial == "1d:36:c4:f4:39:d6:51:50:35:89:31:8f" and 1651518469 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47042,13 +47042,13 @@ rule REVERSINGLABS_Cert_Blocklist_26F855A25890B749578F13E4B9459768 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d873b0d4-dff5-5ee2-a70f-b067602b217e" + id = "cce72c4a-e100-5dc2-ad42-963afb837443" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10698-L10714" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "35bfa39ef8f03d10af884f288278ea6ad3aff31cbae111057c2b619c6dc0a752" + logic_hash = "v1_sha256_35bfa39ef8f03d10af884f288278ea6ad3aff31cbae111057c2b619c6dc0a752" score = 75 quality = 90 tags = "INFO, FILE" @@ -47058,7 +47058,7 @@ rule REVERSINGLABS_Cert_Blocklist_26F855A25890B749578F13E4B9459768 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Boo\\xE2\\x80\\x99s Q & Sweets Corporation" and pe.signatures[i].serial=="26:f8:55:a2:58:90:b7:49:57:8f:13:e4:b9:45:97:68" and 1645401600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Boo\\xE2\\x80\\x99s Q & Sweets Corporation" and pe.signatures [ i ] . serial == "26:f8:55:a2:58:90:b7:49:57:8f:13:e4:b9:45:97:68" and 1645401600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47067,13 +47067,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F1Ae2239Bb96C5Aef49D0Ae50266912 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "44c878ab-75b2-5cd3-a019-94982a508e0f" + id = "b0664ef1-2178-5e89-82aa-eebc9ef2d2bb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10716-L10732" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4f88df4fc2f4cd89aa177ce09caab3e2660267ae883f7ab54c22a9ba1657bad0" + logic_hash = "v1_sha256_4f88df4fc2f4cd89aa177ce09caab3e2660267ae883f7ab54c22a9ba1657bad0" score = 75 quality = 90 tags = "INFO, FILE" @@ -47083,7 +47083,7 @@ rule REVERSINGLABS_Cert_Blocklist_0F1Ae2239Bb96C5Aef49D0Ae50266912 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Aarav Consulting Inc." and pe.signatures[i].serial=="0f:1a:e2:23:9b:b9:6c:5a:ef:49:d0:ae:50:26:69:12" and 1653004800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Aarav Consulting Inc." and pe.signatures [ i ] . serial == "0f:1a:e2:23:9b:b9:6c:5a:ef:49:d0:ae:50:26:69:12" and 1653004800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47092,13 +47092,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Deea179F5757Fe529043577762419Df : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ef29c813-e914-5766-990f-76c14d18ec79" + id = "0f606b37-21db-5153-875b-00599fc32fdb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10734-L10750" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "67c3d3496caf54ca0b1afc4d1dcc902e2f3632ac6708f85e163d427b567d098f" + logic_hash = "v1_sha256_67c3d3496caf54ca0b1afc4d1dcc902e2f3632ac6708f85e163d427b567d098f" score = 75 quality = 90 tags = "INFO, FILE" @@ -47108,7 +47108,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Deea179F5757Fe529043577762419Df : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SPIRIT CONSULTING s. r. o." and pe.signatures[i].serial=="1d:ee:a1:79:f5:75:7f:e5:29:04:35:77:76:24:19:df" and 1645401600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SPIRIT CONSULTING s. r. o." and pe.signatures [ i ] . serial == "1d:ee:a1:79:f5:75:7f:e5:29:04:35:77:76:24:19:df" and 1645401600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47117,13 +47117,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B1F9Ec88D185631Ab032Dbfd5166C0D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "51c596cd-3033-51ef-914f-310d2bbfbd5f" + id = "eade6cd2-4b87-5a82-a666-d1c48645e6e8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10752-L10768" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dec9d43c6911deb5f35c45692bfd6ef47f85d955f5e59041e58a1f0d2fc306e3" + logic_hash = "v1_sha256_dec9d43c6911deb5f35c45692bfd6ef47f85d955f5e59041e58a1f0d2fc306e3" score = 75 quality = 90 tags = "INFO, FILE" @@ -47133,7 +47133,7 @@ rule REVERSINGLABS_Cert_Blocklist_5B1F9Ec88D185631Ab032Dbfd5166C0D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TOPFLIGHT GROUP LIMITED" and pe.signatures[i].serial=="5b:1f:9e:c8:8d:18:56:31:ab:03:2d:bf:d5:16:6c:0d" and 1656028800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TOPFLIGHT GROUP LIMITED" and pe.signatures [ i ] . serial == "5b:1f:9e:c8:8d:18:56:31:ab:03:2d:bf:d5:16:6c:0d" and 1656028800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47142,13 +47142,13 @@ rule REVERSINGLABS_Cert_Blocklist_58Af00Ce542760Fc116B41Fa92E18589 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bb58ae8d-ef28-5644-abe8-2d4d8c892e95" + id = "acd28f30-2705-5456-85ac-cdfeed62b18d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10770-L10786" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ff773d252e5e0402171ae15d7ab43bcfd313eb8c326ed5f128a89ec43386a52" + logic_hash = "v1_sha256_0ff773d252e5e0402171ae15d7ab43bcfd313eb8c326ed5f128a89ec43386a52" score = 75 quality = 90 tags = "INFO, FILE" @@ -47158,7 +47158,7 @@ rule REVERSINGLABS_Cert_Blocklist_58Af00Ce542760Fc116B41Fa92E18589 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DICKIE MUSDALE WINDFARM LIMITED" and pe.signatures[i].serial=="58:af:00:ce:54:27:60:fc:11:6b:41:fa:92:e1:85:89" and 1654819200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DICKIE MUSDALE WINDFARM LIMITED" and pe.signatures [ i ] . serial == "58:af:00:ce:54:27:60:fc:11:6b:41:fa:92:e1:85:89" and 1654819200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47167,13 +47167,13 @@ rule REVERSINGLABS_Cert_Blocklist_25Ba18A267D6D8E08Ebc6E2457D58D1E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eb06576e-11ea-58ba-aa19-68c161f6aa68" + id = "02a02f47-26a5-5947-b6e8-4cfa74caf29f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10788-L10804" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "174fe170c26a8197486e7b390d9fce4da61fb68ee5dc9486d43dbeb3cf659c3a" + logic_hash = "v1_sha256_174fe170c26a8197486e7b390d9fce4da61fb68ee5dc9486d43dbeb3cf659c3a" score = 75 quality = 90 tags = "INFO, FILE" @@ -47183,7 +47183,7 @@ rule REVERSINGLABS_Cert_Blocklist_25Ba18A267D6D8E08Ebc6E2457D58D1E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "5Y TECHNOLOGY LIMITED" and pe.signatures[i].serial=="25:ba:18:a2:67:d6:d8:e0:8e:bc:6e:24:57:d5:8d:1e" and 1648684800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "5Y TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "25:ba:18:a2:67:d6:d8:e0:8e:bc:6e:24:57:d5:8d:1e" and 1648684800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47192,13 +47192,13 @@ rule REVERSINGLABS_Cert_Blocklist_12Df5Ff3460979Cec1288D874A9Fbf83 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9158c9a5-37fc-54bc-9601-3aa347a421ab" + id = "fedd2fd6-1a04-5110-a9ed-eea4a52fee73" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10806-L10822" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3d4b5e56962d04bc35451eeab4c1870c8653c9afcbb28dc6bad7cfb1711e9df1" + logic_hash = "v1_sha256_3d4b5e56962d04bc35451eeab4c1870c8653c9afcbb28dc6bad7cfb1711e9df1" score = 75 quality = 90 tags = "INFO, FILE" @@ -47208,7 +47208,7 @@ rule REVERSINGLABS_Cert_Blocklist_12Df5Ff3460979Cec1288D874A9Fbf83 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FORWARD MUSIC AGENCY SRL" and pe.signatures[i].serial=="12:df:5f:f3:46:09:79:ce:c1:28:8d:87:4a:9f:bf:83" and 1599091200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FORWARD MUSIC AGENCY SRL" and pe.signatures [ i ] . serial == "12:df:5f:f3:46:09:79:ce:c1:28:8d:87:4a:9f:bf:83" and 1599091200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47217,13 +47217,13 @@ rule REVERSINGLABS_Cert_Blocklist_Df2547B2Cab5689A81D61De80Eaaa3A2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1e76a088-b0f2-54d6-b730-77552c74d7bd" + id = "a23a764d-09e1-5fe5-b28a-392ff98ea1a9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10824-L10842" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cde89ae5b77ff6833fe642bdd74e81763ef068e31c07e7881906e4e4a5939942" + logic_hash = "v1_sha256_cde89ae5b77ff6833fe642bdd74e81763ef068e31c07e7881906e4e4a5939942" score = 75 quality = 90 tags = "INFO, FILE" @@ -47233,7 +47233,7 @@ rule REVERSINGLABS_Cert_Blocklist_Df2547B2Cab5689A81D61De80Eaaa3A2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FORWARD MUSIC AGENCY SRL" and (pe.signatures[i].serial=="00:df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2" or pe.signatures[i].serial=="df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2") and 1657756800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FORWARD MUSIC AGENCY SRL" and ( pe.signatures [ i ] . serial == "00:df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2" or pe.signatures [ i ] . serial == "df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2" ) and 1657756800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47242,13 +47242,13 @@ rule REVERSINGLABS_Cert_Blocklist_28B691272719B1Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8f1d125a-de0f-525b-8dac-702bc123cc53" + id = "9bc8c99e-6b00-597f-a7b3-58064657235e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10844-L10860" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0bd973f415b7cfa0858c705c4486da9f181c7259af01d1cff486fb6b8e8e775b" + logic_hash = "v1_sha256_0bd973f415b7cfa0858c705c4486da9f181c7259af01d1cff486fb6b8e8e775b" score = 75 quality = 90 tags = "INFO, FILE" @@ -47258,7 +47258,7 @@ rule REVERSINGLABS_Cert_Blocklist_28B691272719B1Ee : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "2021945 Ontario Inc." and pe.signatures[i].serial=="28:b6:91:27:27:19:b1:ee" and 1616410532<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "2021945 Ontario Inc." and pe.signatures [ i ] . serial == "28:b6:91:27:27:19:b1:ee" and 1616410532 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47267,13 +47267,13 @@ rule REVERSINGLABS_Cert_Blocklist_1C897216E58E83Cbe74Ad03284E1Fb82 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8805805d-312d-5bd4-94da-c18270ac26bf" + id = "4616de7a-eb1c-5ba4-aad0-e69320438333" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10862-L10878" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6b3b2708d3a442fa6425e60ae900c94fc22fbfdb47f290ff56e9d349d99fd85f" + logic_hash = "v1_sha256_6b3b2708d3a442fa6425e60ae900c94fc22fbfdb47f290ff56e9d349d99fd85f" score = 75 quality = 90 tags = "INFO, FILE" @@ -47283,7 +47283,7 @@ rule REVERSINGLABS_Cert_Blocklist_1C897216E58E83Cbe74Ad03284E1Fb82 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "M-Trans Maciej Caban" and pe.signatures[i].serial=="1c:89:72:16:e5:8e:83:cb:e7:4a:d0:32:84:e1:fb:82" and 1639119705<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "M-Trans Maciej Caban" and pe.signatures [ i ] . serial == "1c:89:72:16:e5:8e:83:cb:e7:4a:d0:32:84:e1:fb:82" and 1639119705 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47292,13 +47292,13 @@ rule REVERSINGLABS_Cert_Blocklist_5A364C4957D93406F76321C2316F42F0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "49e36ae5-25f0-5e1d-82f0-c7ada2b4d914" + id = "98154f77-c7f8-5982-9dd6-9bdec66eadf6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10880-L10896" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fe3a2b906debb3f03e6a403829fca02c751754e9a02442a962c66defb84aed83" + logic_hash = "v1_sha256_fe3a2b906debb3f03e6a403829fca02c751754e9a02442a962c66defb84aed83" score = 75 quality = 90 tags = "INFO, FILE" @@ -47308,7 +47308,7 @@ rule REVERSINGLABS_Cert_Blocklist_5A364C4957D93406F76321C2316F42F0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Board Game Bucket Ltd" and pe.signatures[i].serial=="5a:36:4c:49:57:d9:34:06:f7:63:21:c2:31:6f:42:f0" and 1661337307<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Board Game Bucket Ltd" and pe.signatures [ i ] . serial == "5a:36:4c:49:57:d9:34:06:f7:63:21:c2:31:6f:42:f0" and 1661337307 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47317,13 +47317,13 @@ rule REVERSINGLABS_Cert_Blocklist_E7E7F7180666546Ce7A8Da32119F5Ce1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8984ac03-2646-54a1-a6d3-4c2cc72806e7" + id = "0d461f01-a0bf-53b5-bbde-329b1b6f692c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10898-L10916" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "940f6508208998593f309ffeeeda20ab475d427c952a14871b6e58e17d2a4c85" + logic_hash = "v1_sha256_940f6508208998593f309ffeeeda20ab475d427c952a14871b6e58e17d2a4c85" score = 75 quality = 90 tags = "INFO, FILE" @@ -47333,7 +47333,7 @@ rule REVERSINGLABS_Cert_Blocklist_E7E7F7180666546Ce7A8Da32119F5Ce1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "C\\xC3\\x94NG TY TNHH PDF SOFTWARE" and (pe.signatures[i].serial=="00:e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1" or pe.signatures[i].serial=="e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1") and 1661558399<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "C\\xC3\\x94NG TY TNHH PDF SOFTWARE" and ( pe.signatures [ i ] . serial == "00:e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1" or pe.signatures [ i ] . serial == "e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1" ) and 1661558399 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47342,13 +47342,13 @@ rule REVERSINGLABS_Cert_Blocklist_062B2827500C5Df35A83F661B3Af5Dd3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "784c58d9-9a13-5402-867e-c1b144512957" + id = "ea1caf0b-8f2f-5ba3-941f-0412e8b054e8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10918-L10934" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4edc263b08b21428b5f2f4f14f9582c0f96f79cb49fbba563c103bf8bb2037a6" + logic_hash = "v1_sha256_4edc263b08b21428b5f2f4f14f9582c0f96f79cb49fbba563c103bf8bb2037a6" score = 75 quality = 90 tags = "INFO, FILE" @@ -47358,7 +47358,7 @@ rule REVERSINGLABS_Cert_Blocklist_062B2827500C5Df35A83F661B3Af5Dd3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "*.eos.com" and pe.signatures[i].serial=="06:2b:28:27:50:0c:5d:f3:5a:83:f6:61:b3:af:5d:d3" and 1651449600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "*.eos.com" and pe.signatures [ i ] . serial == "06:2b:28:27:50:0c:5d:f3:5a:83:f6:61:b3:af:5d:d3" and 1651449600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47367,13 +47367,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Bf27695Fd20B588F2B2F173B6Caf2Ba : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a3e6923a-f2c4-5d7c-aeab-bdb7fe03c597" + id = "7730635c-c41d-56f4-a1c2-e38d4a6232f7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10936-L10952" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "94d8739761b6a8ee91550be47432b046609b076aab6e57996de123a0fcaba73e" + logic_hash = "v1_sha256_94d8739761b6a8ee91550be47432b046609b076aab6e57996de123a0fcaba73e" score = 75 quality = 90 tags = "INFO, FILE" @@ -47383,7 +47383,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Bf27695Fd20B588F2B2F173B6Caf2Ba : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Game Warriors Limited" and pe.signatures[i].serial=="7b:f2:76:95:fd:20:b5:88:f2:b2:f1:73:b6:ca:f2:ba" and 1662112800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Game Warriors Limited" and pe.signatures [ i ] . serial == "7b:f2:76:95:fd:20:b5:88:f2:b2:f1:73:b6:ca:f2:ba" and 1662112800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47392,13 +47392,13 @@ rule REVERSINGLABS_Cert_Blocklist_1B248C8508042D36Bbd5D92D189C61D8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4ad05207-10d1-53c5-8383-a3c71a447ed6" + id = "9698b60c-11a8-5dbe-ab8b-0ce827ca2fd8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10954-L10970" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2c063d0878a8bf6cd637e1dac2cb9164beb52c951e01858a7c3c9c4c1a853f54" + logic_hash = "v1_sha256_2c063d0878a8bf6cd637e1dac2cb9164beb52c951e01858a7c3c9c4c1a853f54" score = 75 quality = 90 tags = "INFO, FILE" @@ -47408,7 +47408,7 @@ rule REVERSINGLABS_Cert_Blocklist_1B248C8508042D36Bbd5D92D189C61D8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Digital Robin Limited" and pe.signatures[i].serial=="1b:24:8c:85:08:04:2d:36:bb:d5:d9:2d:18:9c:61:d8" and 1663171218<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Digital Robin Limited" and pe.signatures [ i ] . serial == "1b:24:8c:85:08:04:2d:36:bb:d5:d9:2d:18:9c:61:d8" and 1663171218 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47417,13 +47417,13 @@ rule REVERSINGLABS_Cert_Blocklist_032660Ee1D49Ad35086027473E2614E5E724 : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "29cb9255-0a34-58e8-88b2-fad988c7d229" + id = "b7b2a0ae-aeea-553d-b195-de6ba4f46047" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10972-L10988" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8d1435d2fa70db12cde2f9098e35ca1737f5aac36bac91329b28f03aad090e90" + logic_hash = "v1_sha256_8d1435d2fa70db12cde2f9098e35ca1737f5aac36bac91329b28f03aad090e90" score = 75 quality = 90 tags = "INFO, FILE" @@ -47433,7 +47433,7 @@ rule REVERSINGLABS_Cert_Blocklist_032660Ee1D49Ad35086027473E2614E5E724 : INFO FI importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "sunshine.com" and pe.signatures[i].serial=="03:26:60:ee:1d:49:ad:35:08:60:27:47:3e:26:14:e5:e7:24" and 1660238245<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "sunshine.com" and pe.signatures [ i ] . serial == "03:26:60:ee:1d:49:ad:35:08:60:27:47:3e:26:14:e5:e7:24" and 1660238245 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47442,13 +47442,13 @@ rule REVERSINGLABS_Cert_Blocklist_043052956E1E6Dbd5F6Ae3D8B82Cad2A2Ed8 : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ac09f8ac-fbdd-5989-a7e7-07373a69213b" + id = "1f0d8573-6497-573c-95f5-e6c3bcf7997e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10990-L11006" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c29fb109c741437a3739f1c42aadace8f612ef1e3ea90e3e2bdd8a92c85e766a" + logic_hash = "v1_sha256_c29fb109c741437a3739f1c42aadace8f612ef1e3ea90e3e2bdd8a92c85e766a" score = 75 quality = 90 tags = "INFO, FILE" @@ -47458,7 +47458,7 @@ rule REVERSINGLABS_Cert_Blocklist_043052956E1E6Dbd5F6Ae3D8B82Cad2A2Ed8 : INFO FI importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ok.com" and pe.signatures[i].serial=="04:30:52:95:6e:1e:6d:bd:5f:6a:e3:d8:b8:2c:ad:2a:2e:d8" and 1662149613<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ok.com" and pe.signatures [ i ] . serial == "04:30:52:95:6e:1e:6d:bd:5f:6a:e3:d8:b8:2c:ad:2a:2e:d8" and 1662149613 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47467,13 +47467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dbc03Ca7E6Ae6Db6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a5ac5da6-0bb0-5327-ac3a-b53d2f103fe6" + id = "0873c226-3eb9-5734-8288-bba401b5ee23" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11008-L11026" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0077b9c46ddd98a4929878ba4ba9476ed7fb1d7bf6e30c3ae0f950445d01e8f3" + logic_hash = "v1_sha256_0077b9c46ddd98a4929878ba4ba9476ed7fb1d7bf6e30c3ae0f950445d01e8f3" score = 75 quality = 90 tags = "INFO, FILE" @@ -47483,7 +47483,7 @@ rule REVERSINGLABS_Cert_Blocklist_Dbc03Ca7E6Ae6Db6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SPIDER DEVELOPMENTS PTY LTD" and (pe.signatures[i].serial=="00:db:c0:3c:a7:e6:ae:6d:b6" or pe.signatures[i].serial=="db:c0:3c:a7:e6:ae:6d:b6") and 1600826873<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SPIDER DEVELOPMENTS PTY LTD" and ( pe.signatures [ i ] . serial == "00:db:c0:3c:a7:e6:ae:6d:b6" or pe.signatures [ i ] . serial == "db:c0:3c:a7:e6:ae:6d:b6" ) and 1600826873 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47492,13 +47492,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D27332C3Cb3A382A4Fd232C5C66A2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d8390528-ff27-514d-ab89-fd563a19ce3c" + id = "66d89af3-9849-5604-a230-c06b62f8748d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11028-L11044" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c1c50015db7f97b530819b40e2578463a6021bfff8e2582858a4c3fbd1a9b9bc" + logic_hash = "v1_sha256_c1c50015db7f97b530819b40e2578463a6021bfff8e2582858a4c3fbd1a9b9bc" score = 75 quality = 90 tags = "INFO, FILE" @@ -47508,7 +47508,7 @@ rule REVERSINGLABS_Cert_Blocklist_7D27332C3Cb3A382A4Fd232C5C66A2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MALVINA RECRUITMENT LIMITED" and pe.signatures[i].serial=="7d:27:33:2c:3c:b3:a3:82:a4:fd:23:2c:5c:66:a2" and 1655424000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MALVINA RECRUITMENT LIMITED" and pe.signatures [ i ] . serial == "7d:27:33:2c:3c:b3:a3:82:a4:fd:23:2c:5c:66:a2" and 1655424000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47517,13 +47517,13 @@ rule REVERSINGLABS_Cert_Blocklist_82D224323Efa65060B641F51Fadfef02 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "166949cf-dbff-5713-950e-46d1f3edc61f" + id = "a84518d6-7f16-58c4-8cea-8e437991316f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11046-L11064" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9d361c91ed24b6c20a7b35957e26f208ce8e0a3d79c5a6fed6278acd826ccf49" + logic_hash = "v1_sha256_9d361c91ed24b6c20a7b35957e26f208ce8e0a3d79c5a6fed6278acd826ccf49" score = 75 quality = 90 tags = "INFO, FILE" @@ -47533,7 +47533,7 @@ rule REVERSINGLABS_Cert_Blocklist_82D224323Efa65060B641F51Fadfef02 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SAVAS INVESTMENTS PTY LTD" and (pe.signatures[i].serial=="00:82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02" or pe.signatures[i].serial=="82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02") and 1665100800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SAVAS INVESTMENTS PTY LTD" and ( pe.signatures [ i ] . serial == "00:82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02" or pe.signatures [ i ] . serial == "82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02" ) and 1665100800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47542,13 +47542,13 @@ rule REVERSINGLABS_Cert_Blocklist_890570B6B0E2868A53Be3F8F904A88Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "681d233c-d5a2-5f25-bdb9-125149a291c4" + id = "e066c464-2128-557a-b663-7d8fdd5a3f30" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11066-L11084" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fb7af8ec09da2fecaaaed8c7770966f11ef8a44a131553a9d1412387db2fb7ea" + logic_hash = "v1_sha256_fb7af8ec09da2fecaaaed8c7770966f11ef8a44a131553a9d1412387db2fb7ea" score = 75 quality = 90 tags = "INFO, FILE" @@ -47558,7 +47558,7 @@ rule REVERSINGLABS_Cert_Blocklist_890570B6B0E2868A53Be3F8F904A88Ee : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "JESEN LESS d.o.o." and (pe.signatures[i].serial=="00:89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee" or pe.signatures[i].serial=="89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee") and 1636588800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "JESEN LESS d.o.o." and ( pe.signatures [ i ] . serial == "00:89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee" or pe.signatures [ i ] . serial == "89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee" ) and 1636588800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47567,13 +47567,13 @@ rule REVERSINGLABS_Cert_Blocklist_2642Fe865F7566Ce3123A5142C207094 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "508d9c00-c209-55b2-9a40-b62ff4d866c9" + id = "15111c86-572b-54fd-a67b-b28d53ab3465" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11086-L11102" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1ad4adf8b05a6cc065d289e6963480d37a92712a318744a30a16aad22380f238" + logic_hash = "v1_sha256_1ad4adf8b05a6cc065d289e6963480d37a92712a318744a30a16aad22380f238" score = 75 quality = 90 tags = "INFO, FILE" @@ -47583,7 +47583,7 @@ rule REVERSINGLABS_Cert_Blocklist_2642Fe865F7566Ce3123A5142C207094 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "C.W.D. INSTAL LTD" and pe.signatures[i].serial=="26:42:fe:86:5f:75:66:ce:31:23:a5:14:2c:20:70:94" and 1666310400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "C.W.D. INSTAL LTD" and pe.signatures [ i ] . serial == "26:42:fe:86:5f:75:66:ce:31:23:a5:14:2c:20:70:94" and 1666310400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47592,13 +47592,13 @@ rule REVERSINGLABS_Cert_Blocklist_4A2E337Fff23E5B2A1321Ffde56D1759 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e5cae614-eff1-5c3d-a7f6-c41b0a2c412e" + id = "c05ce577-3aeb-54a3-aea0-294fd001bd69" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11104-L11120" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bc2df95ddf1ef3d5f83d14852e1cf6cbf4b71bfbe88fc97c2a4553e8581ddf47" + logic_hash = "v1_sha256_bc2df95ddf1ef3d5f83d14852e1cf6cbf4b71bfbe88fc97c2a4553e8581ddf47" score = 75 quality = 90 tags = "INFO, FILE" @@ -47608,7 +47608,7 @@ rule REVERSINGLABS_Cert_Blocklist_4A2E337Fff23E5B2A1321Ffde56D1759 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Karolina Klimowska" and pe.signatures[i].serial=="4a:2e:33:7f:ff:23:e5:b2:a1:32:1f:fd:e5:6d:17:59" and 1660314070<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Karolina Klimowska" and pe.signatures [ i ] . serial == "4a:2e:33:7f:ff:23:e5:b2:a1:32:1f:fd:e5:6d:17:59" and 1660314070 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47617,13 +47617,13 @@ rule REVERSINGLABS_Cert_Blocklist_92D9B92F8Cf7A1Ba8B2C025Be730C300 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bc37efaa-9ceb-5079-999f-b3d17c585b1c" + id = "c37d9ae5-047c-5c28-993e-9c5b36b49a6f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11122-L11140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2a0be6157e589705ad19756971bd865edad2d54760d03c2e6f47a461b402ad68" + logic_hash = "v1_sha256_2a0be6157e589705ad19756971bd865edad2d54760d03c2e6f47a461b402ad68" score = 75 quality = 90 tags = "INFO, FILE" @@ -47633,7 +47633,7 @@ rule REVERSINGLABS_Cert_Blocklist_92D9B92F8Cf7A1Ba8B2C025Be730C300 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "UPLagga Systems s.r.o." and (pe.signatures[i].serial=="00:92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00" or pe.signatures[i].serial=="92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00") and 1598054400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "UPLagga Systems s.r.o." and ( pe.signatures [ i ] . serial == "00:92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00" or pe.signatures [ i ] . serial == "92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00" ) and 1598054400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47642,13 +47642,13 @@ rule REVERSINGLABS_Cert_Blocklist_B8164F7143E1A313003Ab0C834562F1F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "50d50330-4098-59dd-b2da-0714eefdfc66" + id = "cb0d2973-96e7-5168-b3ae-787210db1e6a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11142-L11160" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a42fec2e0e8d37948420f16907f39c3d502c535be98024d04a777dfbc633004d" + logic_hash = "v1_sha256_a42fec2e0e8d37948420f16907f39c3d502c535be98024d04a777dfbc633004d" score = 75 quality = 90 tags = "INFO, FILE" @@ -47658,7 +47658,7 @@ rule REVERSINGLABS_Cert_Blocklist_B8164F7143E1A313003Ab0C834562F1F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ekitai Data Inc." and (pe.signatures[i].serial=="00:b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f" or pe.signatures[i].serial=="b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f") and 1598313600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ekitai Data Inc." and ( pe.signatures [ i ] . serial == "00:b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f" or pe.signatures [ i ] . serial == "b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f" ) and 1598313600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47667,13 +47667,13 @@ rule REVERSINGLABS_Cert_Blocklist_24E4A2B3Db6Be1007B9Ddc91995Bc0C8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8e533ebf-a124-53a9-8647-6f4b40aaa066" + id = "61a16cf2-4d9e-55c2-ac52-b65f1f840051" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11162-L11178" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "861691ce7bae4366f3b35d01c84bb0031b54653869f52eaccf20808b1b55d2af" + logic_hash = "v1_sha256_861691ce7bae4366f3b35d01c84bb0031b54653869f52eaccf20808b1b55d2af" score = 75 quality = 90 tags = "INFO, FILE" @@ -47683,7 +47683,7 @@ rule REVERSINGLABS_Cert_Blocklist_24E4A2B3Db6Be1007B9Ddc91995Bc0C8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FLY BETTER s.r.o." and pe.signatures[i].serial=="24:e4:a2:b3:db:6b:e1:00:7b:9d:dc:91:99:5b:c0:c8" and 1645142400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FLY BETTER s.r.o." and pe.signatures [ i ] . serial == "24:e4:a2:b3:db:6b:e1:00:7b:9d:dc:91:99:5b:c0:c8" and 1645142400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47692,13 +47692,13 @@ rule REVERSINGLABS_Cert_Blocklist_881573Fc67Ff7395Dde5Bccfbce5B088 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d188c65c-ee7b-586f-95f0-8de5b506c325" + id = "ef82de35-ba21-5c31-8f66-a6253e50b719" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11180-L11198" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ce489a4a2f07181d6fbf295f426deeaf51310e061bac2e56d65b37eeb397ff9a" + logic_hash = "v1_sha256_ce489a4a2f07181d6fbf295f426deeaf51310e061bac2e56d65b37eeb397ff9a" score = 75 quality = 90 tags = "INFO, FILE" @@ -47708,7 +47708,7 @@ rule REVERSINGLABS_Cert_Blocklist_881573Fc67Ff7395Dde5Bccfbce5B088 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Trade in Brasil s.r.o." and (pe.signatures[i].serial=="00:88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88" or pe.signatures[i].serial=="88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88") and 1620000000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Trade in Brasil s.r.o." and ( pe.signatures [ i ] . serial == "00:88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88" or pe.signatures [ i ] . serial == "88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88" ) and 1620000000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47717,13 +47717,13 @@ rule REVERSINGLABS_Cert_Blocklist_53E1F226Cb77574F8Fbeb5682Da091Bb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fe3abe27-c8c8-54b8-b031-0546c9bfda90" + id = "42e639e5-ea97-55a6-b8f5-87b48e5c5868" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11200-L11216" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "591846225d5faf3ee8f3102acaad066f0187219044077bbdaf32345613b00965" + logic_hash = "v1_sha256_591846225d5faf3ee8f3102acaad066f0187219044077bbdaf32345613b00965" score = 75 quality = 90 tags = "INFO, FILE" @@ -47733,7 +47733,7 @@ rule REVERSINGLABS_Cert_Blocklist_53E1F226Cb77574F8Fbeb5682Da091Bb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OdyLab Inc" and pe.signatures[i].serial=="53:e1:f2:26:cb:77:57:4f:8f:be:b5:68:2d:a0:91:bb" and 1654020559<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OdyLab Inc" and pe.signatures [ i ] . serial == "53:e1:f2:26:cb:77:57:4f:8f:be:b5:68:2d:a0:91:bb" and 1654020559 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47742,13 +47742,13 @@ rule REVERSINGLABS_Cert_Blocklist_0772B4D1D63233D2B8771997Bc8Da5C4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fe602ac3-fa34-5056-a2cc-5ae9de728559" + id = "5b905af3-6089-5038-84b2-21cd410cfbf7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11218-L11234" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "30586a643b29f3c943b3f35bb1639c5b9fa48ecbd776775086e35af502aa4a7a" + logic_hash = "v1_sha256_30586a643b29f3c943b3f35bb1639c5b9fa48ecbd776775086e35af502aa4a7a" score = 75 quality = 90 tags = "INFO, FILE" @@ -47758,7 +47758,7 @@ rule REVERSINGLABS_Cert_Blocklist_0772B4D1D63233D2B8771997Bc8Da5C4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Maya logistika d.o.o." and pe.signatures[i].serial=="07:72:b4:d1:d6:32:33:d2:b8:77:19:97:bc:8d:a5:c4" and 1637971201<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Maya logistika d.o.o." and pe.signatures [ i ] . serial == "07:72:b4:d1:d6:32:33:d2:b8:77:19:97:bc:8d:a5:c4" and 1637971201 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47767,13 +47767,13 @@ rule REVERSINGLABS_Cert_Blocklist_02B6656292310B84022Db5541Bc48Faf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d679238f-a697-5322-815c-9986c9d24032" + id = "aec042ca-6aea-527b-948c-fc3ed29066e6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11236-L11252" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "40b570b28e10ebd2a1ba515dc3fa45bdb5c0b76044e4dda7a6819976072a67a2" + logic_hash = "v1_sha256_40b570b28e10ebd2a1ba515dc3fa45bdb5c0b76044e4dda7a6819976072a67a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -47783,7 +47783,7 @@ rule REVERSINGLABS_Cert_Blocklist_02B6656292310B84022Db5541Bc48Faf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DILA d.o.o." and pe.signatures[i].serial=="02:b6:65:62:92:31:0b:84:02:2d:b5:54:1b:c4:8f:af" and 1613865600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DILA d.o.o." and pe.signatures [ i ] . serial == "02:b6:65:62:92:31:0b:84:02:2d:b5:54:1b:c4:8f:af" and 1613865600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47792,13 +47792,13 @@ rule REVERSINGLABS_Cert_Blocklist_64C2505C7306639Fc8Eae544B0305338 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b0e4057f-a0e7-5e2e-a47f-dc8188b6b506" + id = "6fb26699-60f0-513b-b417-54d3a21e8dcb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11254-L11270" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9b6fb002d603135391958668be0ef805e441928a035c9c4da4bb9915aa3086e8" + logic_hash = "v1_sha256_9b6fb002d603135391958668be0ef805e441928a035c9c4da4bb9915aa3086e8" score = 75 quality = 90 tags = "INFO, FILE" @@ -47808,7 +47808,7 @@ rule REVERSINGLABS_Cert_Blocklist_64C2505C7306639Fc8Eae544B0305338 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MANILA Solution as" and pe.signatures[i].serial=="64:c2:50:5c:73:06:63:9f:c8:ea:e5:44:b0:30:53:38" and 1609418043<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MANILA Solution as" and pe.signatures [ i ] . serial == "64:c2:50:5c:73:06:63:9f:c8:ea:e5:44:b0:30:53:38" and 1609418043 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47817,13 +47817,13 @@ rule REVERSINGLABS_Cert_Blocklist_2F96A89Bfec6E44Dd224E8Fd7E72D9Bb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bdca8435-c1fd-598d-bd82-20a3a3b2a959" + id = "9668c591-b961-5921-a2e7-f61d3f403f09" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11272-L11288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c0c8e5c0e2e120ee6b055e9a6b2af3d424bed0832c2619beab658fe01757f69f" + logic_hash = "v1_sha256_c0c8e5c0e2e120ee6b055e9a6b2af3d424bed0832c2619beab658fe01757f69f" score = 75 quality = 90 tags = "INFO, FILE" @@ -47833,7 +47833,7 @@ rule REVERSINGLABS_Cert_Blocklist_2F96A89Bfec6E44Dd224E8Fd7E72D9Bb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "NAILS UNLIMITED LIMITED" and pe.signatures[i].serial=="2f:96:a8:9b:fe:c6:e4:4d:d2:24:e8:fd:7e:72:d9:bb" and 1625529600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "NAILS UNLIMITED LIMITED" and pe.signatures [ i ] . serial == "2f:96:a8:9b:fe:c6:e4:4d:d2:24:e8:fd:7e:72:d9:bb" and 1625529600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47842,13 +47842,13 @@ rule REVERSINGLABS_Cert_Blocklist_B649A966410F62999C939384Af553919 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "03533c22-eb16-546c-af55-675af9c833ce" + id = "1ff1c322-c041-55c0-80c2-a06e4a5b736d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11290-L11308" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "623a2f931198eacf44fd233065e96a4dcadb5b3bbc7ca56df2b6ae9eafc4faa5" + logic_hash = "v1_sha256_623a2f931198eacf44fd233065e96a4dcadb5b3bbc7ca56df2b6ae9eafc4faa5" score = 75 quality = 90 tags = "INFO, FILE" @@ -47858,7 +47858,7 @@ rule REVERSINGLABS_Cert_Blocklist_B649A966410F62999C939384Af553919 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "F.A.T. SARL" and (pe.signatures[i].serial=="00:b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19" or pe.signatures[i].serial=="b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19") and 1590537600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "F.A.T. SARL" and ( pe.signatures [ i ] . serial == "00:b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19" or pe.signatures [ i ] . serial == "b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19" ) and 1590537600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47867,13 +47867,13 @@ rule REVERSINGLABS_Cert_Blocklist_45245Eef53Fcf38169C715Cf68F44452 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "514eac5a-9264-58ef-b4ee-65ec24b43e5a" + id = "1f7a8ecb-4d3d-51ba-8d0f-121da70d4114" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11310-L11326" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7e0c3147e657802e457f6df271b7f5a64c81fd13f936a8935aa991022e4ab238" + logic_hash = "v1_sha256_7e0c3147e657802e457f6df271b7f5a64c81fd13f936a8935aa991022e4ab238" score = 75 quality = 90 tags = "INFO, FILE" @@ -47883,7 +47883,7 @@ rule REVERSINGLABS_Cert_Blocklist_45245Eef53Fcf38169C715Cf68F44452 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PAPER AND CORE SUPPLIES LTD" and pe.signatures[i].serial=="45:24:5e:ef:53:fc:f3:81:69:c7:15:cf:68:f4:44:52" and 1639958400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PAPER AND CORE SUPPLIES LTD" and pe.signatures [ i ] . serial == "45:24:5e:ef:53:fc:f3:81:69:c7:15:cf:68:f4:44:52" and 1639958400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47892,13 +47892,13 @@ rule REVERSINGLABS_Cert_Blocklist_1895433Ee9E2Bd48619D75132262616F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d7bf59df-708c-5260-bc98-1a86b2c9c988" + id = "a96f1811-2456-5197-b87f-884a6f661b82" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11328-L11344" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f00a29ff5dddae40225ab62cb2d4b9dec1539ad58c8cd27d686480eecdb3e31d" + logic_hash = "v1_sha256_f00a29ff5dddae40225ab62cb2d4b9dec1539ad58c8cd27d686480eecdb3e31d" score = 75 quality = 90 tags = "INFO, FILE" @@ -47908,7 +47908,7 @@ rule REVERSINGLABS_Cert_Blocklist_1895433Ee9E2Bd48619D75132262616F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Evetrans Ltd" and pe.signatures[i].serial=="18:95:43:3e:e9:e2:bd:48:61:9d:75:13:22:62:61:6f" and 1619789516<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Evetrans Ltd" and pe.signatures [ i ] . serial == "18:95:43:3e:e9:e2:bd:48:61:9d:75:13:22:62:61:6f" and 1619789516 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47917,13 +47917,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Ffc9825644Caf5B1F521780C5C7F42C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3d806d90-e029-5521-b191-6967e2691c0f" + id = "db9bd835-6aa4-5799-95df-15f7fee0e20a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11346-L11362" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1a9263c809f5633d01d4d4d0091c8dc214bad73af0eff3c9a94b33bca513f26d" + logic_hash = "v1_sha256_1a9263c809f5633d01d4d4d0091c8dc214bad73af0eff3c9a94b33bca513f26d" score = 75 quality = 90 tags = "INFO, FILE" @@ -47933,7 +47933,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Ffc9825644Caf5B1F521780C5C7F42C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ACTIVUS LIMITED" and pe.signatures[i].serial=="1f:fc:98:25:64:4c:af:5b:1f:52:17:80:c5:c7:f4:2c" and 1615507200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ACTIVUS LIMITED" and pe.signatures [ i ] . serial == "1f:fc:98:25:64:4c:af:5b:1f:52:17:80:c5:c7:f4:2c" and 1615507200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47942,13 +47942,13 @@ rule REVERSINGLABS_Cert_Blocklist_8D52Fb12A2511E86Bbb0Ba75C517Eab0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1bc9d36c-381e-5359-bba4-8dd870ed9267" + id = "2e7965a0-5739-5a3a-afd0-1ac7a851cbe5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11364-L11382" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "023830ab3d71ed8ecf8f0e271c56dc267dcd000f5ff156c70d31089cd7010da8" + logic_hash = "v1_sha256_023830ab3d71ed8ecf8f0e271c56dc267dcd000f5ff156c70d31089cd7010da8" score = 75 quality = 90 tags = "INFO, FILE" @@ -47958,7 +47958,7 @@ rule REVERSINGLABS_Cert_Blocklist_8D52Fb12A2511E86Bbb0Ba75C517Eab0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VThink Software Consulting Inc." and (pe.signatures[i].serial=="00:8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0" or pe.signatures[i].serial=="8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0") and 1599177600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VThink Software Consulting Inc." and ( pe.signatures [ i ] . serial == "00:8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0" or pe.signatures [ i ] . serial == "8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0" ) and 1599177600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47967,13 +47967,13 @@ rule REVERSINGLABS_Cert_Blocklist_332Bd5801E8415585E72C87E0E2Ec71D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d251afda-7582-5a00-a100-fd3acff2f995" + id = "13af634e-c483-50d2-ad81-61c9956705cd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11384-L11400" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3648c3a8dbcdbd24746b9fa8cb3071d5f5019e5917848d88437158c6cb165445" + logic_hash = "v1_sha256_3648c3a8dbcdbd24746b9fa8cb3071d5f5019e5917848d88437158c6cb165445" score = 75 quality = 90 tags = "INFO, FILE" @@ -47983,7 +47983,7 @@ rule REVERSINGLABS_Cert_Blocklist_332Bd5801E8415585E72C87E0E2Ec71D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Elite Marketing Strategies, Inc." and pe.signatures[i].serial=="33:2b:d5:80:1e:84:15:58:5e:72:c8:7e:0e:2e:c7:1d" and 1662616824<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Elite Marketing Strategies, Inc." and pe.signatures [ i ] . serial == "33:2b:d5:80:1e:84:15:58:5e:72:c8:7e:0e:2e:c7:1d" and 1662616824 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -47992,13 +47992,13 @@ rule REVERSINGLABS_Cert_Blocklist_E3B80C0932B52A708477939B0D32186F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e7cdf040-3fe2-55ed-8f66-702fb4455653" + id = "0d0af87c-0d2f-593e-b64b-c5e63b5c83a4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11402-L11420" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "acdfce4dc25cbc9e9817453d5cf56c7d319bebdf7a039ea47412ec3b2f68cb02" + logic_hash = "v1_sha256_acdfce4dc25cbc9e9817453d5cf56c7d319bebdf7a039ea47412ec3b2f68cb02" score = 75 quality = 90 tags = "INFO, FILE" @@ -48008,7 +48008,7 @@ rule REVERSINGLABS_Cert_Blocklist_E3B80C0932B52A708477939B0D32186F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BISOYETUTU LTD LIMITED" and (pe.signatures[i].serial=="00:e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f" or pe.signatures[i].serial=="e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f") and 1617062400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BISOYETUTU LTD LIMITED" and ( pe.signatures [ i ] . serial == "00:e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f" or pe.signatures [ i ] . serial == "e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f" ) and 1617062400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48017,13 +48017,13 @@ rule REVERSINGLABS_Cert_Blocklist_C79F817F082986Bef3209F6723C8Da97 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b3978831-57d6-5f25-a271-fa4f449d37b3" + id = "a33e037e-771a-57d8-8f13-8110ea6d4e98" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11422-L11440" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a5960f4c2ed768ccc5779d3754f51463c7b14a3a887c690944add23fba464f1a" + logic_hash = "v1_sha256_a5960f4c2ed768ccc5779d3754f51463c7b14a3a887c690944add23fba464f1a" score = 75 quality = 90 tags = "INFO, FILE" @@ -48033,7 +48033,7 @@ rule REVERSINGLABS_Cert_Blocklist_C79F817F082986Bef3209F6723C8Da97 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Al-Faris group d.o.o." and (pe.signatures[i].serial=="00:c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97" or pe.signatures[i].serial=="c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97") and 1616371200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Al-Faris group d.o.o." and ( pe.signatures [ i ] . serial == "00:c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97" or pe.signatures [ i ] . serial == "c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97" ) and 1616371200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48042,13 +48042,13 @@ rule REVERSINGLABS_Cert_Blocklist_1E5Efa53A14599Cc82F56F0790E20B17 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f87dac0c-4b46-5b30-a715-f21e7c3a98e0" + id = "be062650-19f7-54f9-85ff-ed0a4719b570" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11442-L11458" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "78cbfeb5d7b58029a5b4107f2a59e892ff9d71788cf74e88ac823cb85ba35a94" + logic_hash = "v1_sha256_78cbfeb5d7b58029a5b4107f2a59e892ff9d71788cf74e88ac823cb85ba35a94" score = 75 quality = 90 tags = "INFO, FILE" @@ -48058,7 +48058,7 @@ rule REVERSINGLABS_Cert_Blocklist_1E5Efa53A14599Cc82F56F0790E20B17 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Storeks LLC" and pe.signatures[i].serial=="1e:5e:fa:53:a1:45:99:cc:82:f5:6f:07:90:e2:0b:17" and 1623196800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Storeks LLC" and pe.signatures [ i ] . serial == "1e:5e:fa:53:a1:45:99:cc:82:f5:6f:07:90:e2:0b:17" and 1623196800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48067,13 +48067,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Cf2D0B5Bfdd68Cf777A0C12F806A569 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2900c6ae-9e61-5bad-a7b4-b8eca925a1ea" + id = "cdb94df6-21f7-5032-bb76-2cda0df1fafd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11460-L11476" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4d8fd52cd12f9512c0b148f9915860152f108884d29617a5fbfd62500d3a14c4" + logic_hash = "v1_sha256_4d8fd52cd12f9512c0b148f9915860152f108884d29617a5fbfd62500d3a14c4" score = 75 quality = 90 tags = "INFO, FILE" @@ -48083,7 +48083,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Cf2D0B5Bfdd68Cf777A0C12F806A569 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PROTIP d.o.o. - v ste\\xC4\\x8Daju" and pe.signatures[i].serial=="0c:f2:d0:b5:bf:dd:68:cf:77:7a:0c:12:f8:06:a5:69" and 1611705600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PROTIP d.o.o. - v ste\\xC4\\x8Daju" and pe.signatures [ i ] . serial == "0c:f2:d0:b5:bf:dd:68:cf:77:7a:0c:12:f8:06:a5:69" and 1611705600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48092,13 +48092,13 @@ rule REVERSINGLABS_Cert_Blocklist_F675139Ea68B897A865A98F8E4611F00 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3bac20a3-1415-53af-9d04-a30aa7488dd7" + id = "d972345a-5f3c-59c7-b8c0-3a34fe98e4f4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11478-L11496" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2306e90d376f5de8a4eb6d4a696bc1781686d7094cb0a2db48019ee93c1bf60a" + logic_hash = "v1_sha256_2306e90d376f5de8a4eb6d4a696bc1781686d7094cb0a2db48019ee93c1bf60a" score = 75 quality = 90 tags = "INFO, FILE" @@ -48108,7 +48108,7 @@ rule REVERSINGLABS_Cert_Blocklist_F675139Ea68B897A865A98F8E4611F00 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BS TEHNIK d.o.o." and (pe.signatures[i].serial=="00:f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00" or pe.signatures[i].serial=="f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00") and 1606953600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BS TEHNIK d.o.o." and ( pe.signatures [ i ] . serial == "00:f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00" or pe.signatures [ i ] . serial == "f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00" ) and 1606953600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48117,13 +48117,13 @@ rule REVERSINGLABS_Cert_Blocklist_4728189Fa0F57793484Cdf764F5E283D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fd1b83aa-bfcc-590c-8f97-875badf09698" + id = "52ee03fb-d843-5946-b313-9bbeff513ba0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11498-L11514" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9ec7e84c77583bd52ccfb8d6d5831f3634ed0a401d8103376c4775b7f2c43d81" + logic_hash = "v1_sha256_9ec7e84c77583bd52ccfb8d6d5831f3634ed0a401d8103376c4775b7f2c43d81" score = 75 quality = 90 tags = "INFO, FILE" @@ -48133,7 +48133,7 @@ rule REVERSINGLABS_Cert_Blocklist_4728189Fa0F57793484Cdf764F5E283D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Power Save Systems s.r.o." and pe.signatures[i].serial=="47:28:18:9f:a0:f5:77:93:48:4c:df:76:4f:5e:28:3d" and 1647302400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Power Save Systems s.r.o." and pe.signatures [ i ] . serial == "47:28:18:9f:a0:f5:77:93:48:4c:df:76:4f:5e:28:3d" and 1647302400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48142,13 +48142,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Bd81A9Adaf71F1Ff081C1F4A05D7Fd7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "727167de-5678-558d-b948-8a40839d0500" + id = "4f23229b-d59e-50b8-bd6f-00a04e3f5e23" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11516-L11534" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e275a1fd2eb931030fa8b5fc11cd1b335835aaa553a42455053cb93fef5e6e72" + logic_hash = "v1_sha256_e275a1fd2eb931030fa8b5fc11cd1b335835aaa553a42455053cb93fef5e6e72" score = 75 quality = 90 tags = "INFO, FILE" @@ -48158,7 +48158,7 @@ rule REVERSINGLABS_Cert_Blocklist_9Bd81A9Adaf71F1Ff081C1F4A05D7Fd7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SMART TOYS AND GAMES, INC" and (pe.signatures[i].serial=="00:9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7" or pe.signatures[i].serial=="9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7") and 1601683200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SMART TOYS AND GAMES, INC" and ( pe.signatures [ i ] . serial == "00:9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7" or pe.signatures [ i ] . serial == "9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7" ) and 1601683200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48167,13 +48167,13 @@ rule REVERSINGLABS_Cert_Blocklist_C81319D20C6F1F1Aec3398522189D90C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0a196a18-002e-58e4-bff2-83d1a67a82ce" + id = "ff0ab7f9-c8fd-5012-960a-d1d8106a4c52" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11536-L11554" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2a9f13f5e79a12f7e9d9d4a0dcaac065e1fc5167c67bc9f3fd7ba1c374b26d96" + logic_hash = "v1_sha256_2a9f13f5e79a12f7e9d9d4a0dcaac065e1fc5167c67bc9f3fd7ba1c374b26d96" score = 75 quality = 90 tags = "INFO, FILE" @@ -48183,7 +48183,7 @@ rule REVERSINGLABS_Cert_Blocklist_C81319D20C6F1F1Aec3398522189D90C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AMCERT,LLC" and (pe.signatures[i].serial=="00:c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c" or pe.signatures[i].serial=="c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c") and 1643500800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AMCERT,LLC" and ( pe.signatures [ i ] . serial == "00:c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c" or pe.signatures [ i ] . serial == "c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c" ) and 1643500800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48192,13 +48192,13 @@ rule REVERSINGLABS_Cert_Blocklist_C318D876768258A696Ab9Dd825E27Acd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c6e93547-5be0-5303-b537-655db3d78ad4" + id = "b5ae8c40-659c-52ca-a1b0-258722255725" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11556-L11574" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "691b57929c93d14f8700e0e61170b9248499fd36b80aec90f2054c32d6a3a9eb" + logic_hash = "v1_sha256_691b57929c93d14f8700e0e61170b9248499fd36b80aec90f2054c32d6a3a9eb" score = 75 quality = 90 tags = "INFO, FILE" @@ -48208,7 +48208,7 @@ rule REVERSINGLABS_Cert_Blocklist_C318D876768258A696Ab9Dd825E27Acd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Genezis" and (pe.signatures[i].serial=="00:c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd" or pe.signatures[i].serial=="c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd") and 1615161600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Genezis" and ( pe.signatures [ i ] . serial == "00:c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd" or pe.signatures [ i ] . serial == "c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd" ) and 1615161600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48217,13 +48217,13 @@ rule REVERSINGLABS_Cert_Blocklist_06Df5C318759D6Ea9D090Bfb2Faf1D94 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a61e61c1-9fa0-5fd9-b197-bb9d1b68c8f4" + id = "d44d8da2-8b08-5830-bf55-4231a6164e7b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11576-L11592" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5f151ee5781a15cca4394fdd8200162eae47e9d088a0b1551c9ed22ce11473a2" + logic_hash = "v1_sha256_5f151ee5781a15cca4394fdd8200162eae47e9d088a0b1551c9ed22ce11473a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -48233,7 +48233,7 @@ rule REVERSINGLABS_Cert_Blocklist_06Df5C318759D6Ea9D090Bfb2Faf1D94 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SpiffyTech Inc." and pe.signatures[i].serial=="06:df:5c:31:87:59:d6:ea:9d:09:0b:fb:2f:af:1d:94" and 1634515201<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SpiffyTech Inc." and pe.signatures [ i ] . serial == "06:df:5c:31:87:59:d6:ea:9d:09:0b:fb:2f:af:1d:94" and 1634515201 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48242,13 +48242,13 @@ rule REVERSINGLABS_Cert_Blocklist_02De1Cc6C487954592F1Bf574Ca2B000 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2a15d527-7f42-5c56-9740-9c2503a66f4f" + id = "ed675082-efc7-5af7-a92f-3d5aed9c3627" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11594-L11610" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "40b78005d343684d08bb93e92c51eee10e674e8deb9eec290bc9ffe3b23061b1" + logic_hash = "v1_sha256_40b78005d343684d08bb93e92c51eee10e674e8deb9eec290bc9ffe3b23061b1" score = 75 quality = 90 tags = "INFO, FILE" @@ -48258,7 +48258,7 @@ rule REVERSINGLABS_Cert_Blocklist_02De1Cc6C487954592F1Bf574Ca2B000 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Orca System" and pe.signatures[i].serial=="02:de:1c:c6:c4:87:95:45:92:f1:bf:57:4c:a2:b0:00" and 1613735394<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Orca System" and pe.signatures [ i ] . serial == "02:de:1c:c6:c4:87:95:45:92:f1:bf:57:4c:a2:b0:00" and 1613735394 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48267,13 +48267,13 @@ rule REVERSINGLABS_Cert_Blocklist_A32B8B4F1Be43C23Eb2848Ab4Ef06Bb2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2ced71bb-622c-5597-91c3-210b9b5f3a4e" + id = "e1f3cd90-6e0d-5dfd-a58d-a43987d41163" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11612-L11630" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dd7d44349baaf4a2e2f61b38cef31f288110bb03944fd4593f52a0ab03b9d172" + logic_hash = "v1_sha256_dd7d44349baaf4a2e2f61b38cef31f288110bb03944fd4593f52a0ab03b9d172" score = 75 quality = 90 tags = "INFO, FILE" @@ -48283,7 +48283,7 @@ rule REVERSINGLABS_Cert_Blocklist_A32B8B4F1Be43C23Eb2848Ab4Ef06Bb2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Pak El AB" and (pe.signatures[i].serial=="00:a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2" or pe.signatures[i].serial=="a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2") and 1673395200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Pak El AB" and ( pe.signatures [ i ] . serial == "00:a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2" or pe.signatures [ i ] . serial == "a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2" ) and 1673395200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48292,13 +48292,13 @@ rule REVERSINGLABS_Cert_Blocklist_626735Ed30E50E3E0553986D806Bfc54 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e0cfc0e6-b36e-5d4e-bfe6-21f13499dc0c" + id = "67900877-237c-5132-92d0-7281d809c465" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11632-L11648" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0a2acf8528a12fd05cf58c2ed5224f7472d14251b342ce4df6d9c10c6a6decfc" + logic_hash = "v1_sha256_0a2acf8528a12fd05cf58c2ed5224f7472d14251b342ce4df6d9c10c6a6decfc" score = 75 quality = 90 tags = "INFO, FILE" @@ -48308,7 +48308,7 @@ rule REVERSINGLABS_Cert_Blocklist_626735Ed30E50E3E0553986D806Bfc54 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FISH ACCOUNTING & TRANSLATING LIMITED" and pe.signatures[i].serial=="62:67:35:ed:30:e5:0e:3e:05:53:98:6d:80:6b:fc:54" and 1666742400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FISH ACCOUNTING & TRANSLATING LIMITED" and pe.signatures [ i ] . serial == "62:67:35:ed:30:e5:0e:3e:05:53:98:6d:80:6b:fc:54" and 1666742400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48317,13 +48317,13 @@ rule REVERSINGLABS_Cert_Blocklist_34D42E871Ddb1C92Fa20B55B384E1259 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "98a8f4b0-08d0-5e09-b46e-74b46f4df223" + id = "57fabc29-a599-598d-b898-07cab35c0595" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11650-L11666" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8af5f4abe6425713b7c1fd17deaa78b2cfd6ef73ad960bce883e95661c2dbb56" + logic_hash = "v1_sha256_8af5f4abe6425713b7c1fd17deaa78b2cfd6ef73ad960bce883e95661c2dbb56" score = 75 quality = 90 tags = "INFO, FILE" @@ -48333,7 +48333,7 @@ rule REVERSINGLABS_Cert_Blocklist_34D42E871Ddb1C92Fa20B55B384E1259 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VENS CORP" and pe.signatures[i].serial=="34:d4:2e:87:1d:db:1c:92:fa:20:b5:5b:38:4e:12:59" and 1630368000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VENS CORP" and pe.signatures [ i ] . serial == "34:d4:2e:87:1d:db:1c:92:fa:20:b5:5b:38:4e:12:59" and 1630368000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48342,13 +48342,13 @@ rule REVERSINGLABS_Cert_Blocklist_08D4Dc90047B8470Ccaf3924Dfbd8B5F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2abe218a-1d93-5efe-9878-4314cf9ecdf7" + id = "62cd657f-836e-5569-b960-8f61efee5eea" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11668-L11684" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "569db2f6d6f4da9985c57812a03f91bce88f2150b17659249e0f746a0d15150b" + logic_hash = "v1_sha256_569db2f6d6f4da9985c57812a03f91bce88f2150b17659249e0f746a0d15150b" score = 75 quality = 90 tags = "INFO, FILE" @@ -48358,7 +48358,7 @@ rule REVERSINGLABS_Cert_Blocklist_08D4Dc90047B8470Ccaf3924Dfbd8B5F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Dibies" and pe.signatures[i].serial=="08:d4:dc:90:04:7b:84:70:cc:af:39:24:df:bd:8b:5f" and 1619136000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Dibies" and pe.signatures [ i ] . serial == "08:d4:dc:90:04:7b:84:70:cc:af:39:24:df:bd:8b:5f" and 1619136000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48367,13 +48367,13 @@ rule REVERSINGLABS_Cert_Blocklist_C2Fc83D458E653837Fcfc132C9B03062 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "135d638c-9ee5-52cf-a6e7-c12e4feef594" + id = "897fe729-78d0-570d-bc6c-91bf6adb0ce0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11686-L11704" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "836cec8d8396680dd64f95d4dd41f7f5876cb4268d983238a01d2e0990cce74a" + logic_hash = "v1_sha256_836cec8d8396680dd64f95d4dd41f7f5876cb4268d983238a01d2e0990cce74a" score = 75 quality = 90 tags = "INFO, FILE" @@ -48383,7 +48383,7 @@ rule REVERSINGLABS_Cert_Blocklist_C2Fc83D458E653837Fcfc132C9B03062 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Vertical" and (pe.signatures[i].serial=="00:c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62" or pe.signatures[i].serial=="c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62") and 1602201600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Vertical" and ( pe.signatures [ i ] . serial == "00:c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62" or pe.signatures [ i ] . serial == "c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62" ) and 1602201600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48392,13 +48392,13 @@ rule REVERSINGLABS_Cert_Blocklist_54C793D2224Bdd6Ca527Bb2B7B9Dfe9D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "80e92980-f4eb-5ac2-9f68-14c352758791" + id = "ab6f81d5-d8b0-591b-ae39-e539bb769c11" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11706-L11722" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "81c9c1d841d4aae3de229cc499ee84920d89928590a3eb157f7a7a7fbc46b4a8" + logic_hash = "v1_sha256_81c9c1d841d4aae3de229cc499ee84920d89928590a3eb157f7a7a7fbc46b4a8" score = 75 quality = 90 tags = "INFO, FILE" @@ -48408,7 +48408,7 @@ rule REVERSINGLABS_Cert_Blocklist_54C793D2224Bdd6Ca527Bb2B7B9Dfe9D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CODE - HANDLE, s. r. o." and pe.signatures[i].serial=="54:c7:93:d2:22:4b:dd:6c:a5:27:bb:2b:7b:9d:fe:9d" and 1629676800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CODE - HANDLE, s. r. o." and pe.signatures [ i ] . serial == "54:c7:93:d2:22:4b:dd:6c:a5:27:bb:2b:7b:9d:fe:9d" and 1629676800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48417,13 +48417,13 @@ rule REVERSINGLABS_Cert_Blocklist_8Cece6Df54Cf6Ad63596546D77Ba3581 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bde12eeb-c4f8-5da3-8493-0f94cb1bf1f7" + id = "55d885c1-2f77-5910-b67e-5f391cbcc788" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11724-L11742" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d6b5bca36ef492ce9b79be905c86c66d43ef38701dafeed977229034119bd00d" + logic_hash = "v1_sha256_d6b5bca36ef492ce9b79be905c86c66d43ef38701dafeed977229034119bd00d" score = 75 quality = 90 tags = "INFO, FILE" @@ -48433,7 +48433,7 @@ rule REVERSINGLABS_Cert_Blocklist_8Cece6Df54Cf6Ad63596546D77Ba3581 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Mikael LLC" and (pe.signatures[i].serial=="00:8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81" or pe.signatures[i].serial=="8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81") and 1613088000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Mikael LLC" and ( pe.signatures [ i ] . serial == "00:8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81" or pe.signatures [ i ] . serial == "8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81" ) and 1613088000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48442,13 +48442,13 @@ rule REVERSINGLABS_Cert_Blocklist_984E84Cfe362E278F558E2C70Aaafac2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "180f1209-7031-50fb-b1fc-3d357f2b73a1" + id = "ec27ad99-875c-57a7-a7d5-2dbbedcda07c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11744-L11762" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e7a8f3dff77121df53d5f932f861e15208b0607ba77712f40927bc14b17a53cd" + logic_hash = "v1_sha256_e7a8f3dff77121df53d5f932f861e15208b0607ba77712f40927bc14b17a53cd" score = 75 quality = 90 tags = "INFO, FILE" @@ -48458,7 +48458,7 @@ rule REVERSINGLABS_Cert_Blocklist_984E84Cfe362E278F558E2C70Aaafac2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Arctic Nights \\xC3\\x84k\\xC3\\xA4slompolo Oy" and (pe.signatures[i].serial=="00:98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2" or pe.signatures[i].serial=="98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2") and 1640304000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Arctic Nights \\xC3\\x84k\\xC3\\xA4slompolo Oy" and ( pe.signatures [ i ] . serial == "00:98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2" or pe.signatures [ i ] . serial == "98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2" ) and 1640304000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48467,13 +48467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ff52Eb011Bb748Fee75153Cbe1E50Dd6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "acd29c6d-27ed-587a-b17c-989e69082434" + id = "b91076c1-3d05-5bfe-964c-cd514c430809" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11764-L11782" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8c80ed4e4f77df34ff9fcc712deda4c1bbedc588f2b01d02aa705e368fb98c5e" + logic_hash = "v1_sha256_8c80ed4e4f77df34ff9fcc712deda4c1bbedc588f2b01d02aa705e368fb98c5e" score = 75 quality = 90 tags = "INFO, FILE" @@ -48483,7 +48483,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ff52Eb011Bb748Fee75153Cbe1E50Dd6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TASK ANNA LIMITED" and (pe.signatures[i].serial=="00:ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6" or pe.signatures[i].serial=="ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6") and 1647388800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TASK ANNA LIMITED" and ( pe.signatures [ i ] . serial == "00:ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6" or pe.signatures [ i ] . serial == "ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6" ) and 1647388800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48492,13 +48492,13 @@ rule REVERSINGLABS_Cert_Blocklist_84A4A0D0657E217B176B455E2465Aee0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1484a28d-ce7c-506f-8cbb-73ac541a0907" + id = "12cd8fe8-8ea5-561a-83af-24dc36223814" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11784-L11802" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "92f6e90bd21182bece68ac1651105f96a18c5b1497d30e0040a978e349341bdb" + logic_hash = "v1_sha256_92f6e90bd21182bece68ac1651105f96a18c5b1497d30e0040a978e349341bdb" score = 75 quality = 90 tags = "INFO, FILE" @@ -48508,7 +48508,7 @@ rule REVERSINGLABS_Cert_Blocklist_84A4A0D0657E217B176B455E2465Aee0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AATB ApS" and (pe.signatures[i].serial=="00:84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0" or pe.signatures[i].serial=="84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0") and 1616457600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AATB ApS" and ( pe.signatures [ i ] . serial == "00:84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0" or pe.signatures [ i ] . serial == "84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0" ) and 1616457600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48517,13 +48517,13 @@ rule REVERSINGLABS_Cert_Blocklist_B8F726508Cf1D7B7913Bf4Bbd1E5C19C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eb441b57-0f28-5609-b987-157e1f026b0c" + id = "87f4f7ec-ef6d-50c7-b152-230c9b682ef9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11804-L11822" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ec05c7e41e309aff00ae819c63f5bdc8e4172c611779da345efd211e48c9efb1" + logic_hash = "v1_sha256_ec05c7e41e309aff00ae819c63f5bdc8e4172c611779da345efd211e48c9efb1" score = 75 quality = 90 tags = "INFO, FILE" @@ -48533,7 +48533,7 @@ rule REVERSINGLABS_Cert_Blocklist_B8F726508Cf1D7B7913Bf4Bbd1E5C19C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Merkuri LLC" and (pe.signatures[i].serial=="00:b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c" or pe.signatures[i].serial=="b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c") and 1619568000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Merkuri LLC" and ( pe.signatures [ i ] . serial == "00:b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c" or pe.signatures [ i ] . serial == "b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c" ) and 1619568000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48542,13 +48542,13 @@ rule REVERSINGLABS_Cert_Blocklist_6A241Ffe96A6349Df608D22C02942268 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8a8decfe-c91a-562c-9376-462cab598373" + id = "04b9ed66-a10b-5b04-be34-e48f21286c02" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11824-L11840" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "79db8be7ca3ed80eb1e3a9401e8fec2b83da8b95b16789ed0b59bb7f4639a94d" + logic_hash = "v1_sha256_79db8be7ca3ed80eb1e3a9401e8fec2b83da8b95b16789ed0b59bb7f4639a94d" score = 75 quality = 90 tags = "INFO, FILE" @@ -48558,7 +48558,7 @@ rule REVERSINGLABS_Cert_Blocklist_6A241Ffe96A6349Df608D22C02942268 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HELP, d.o.o." and pe.signatures[i].serial=="6a:24:1f:fe:96:a6:34:9d:f6:08:d2:2c:02:94:22:68" and 1605052800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HELP, d.o.o." and pe.signatures [ i ] . serial == "6a:24:1f:fe:96:a6:34:9d:f6:08:d2:2c:02:94:22:68" and 1605052800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48567,13 +48567,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aa1D84779792B57F91Fe7A4Bde041942 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8ec25296-2e51-53ec-a2f5-a25961079c27" + id = "d68e973c-9d18-5641-a8b2-ed024aab9668" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11842-L11860" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "682af8c799acaca531724c5b3184b855e64ec4531fcc333a485ba2f63331cdae" + logic_hash = "v1_sha256_682af8c799acaca531724c5b3184b855e64ec4531fcc333a485ba2f63331cdae" score = 75 quality = 90 tags = "INFO, FILE" @@ -48583,7 +48583,7 @@ rule REVERSINGLABS_Cert_Blocklist_Aa1D84779792B57F91Fe7A4Bde041942 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AXIUM NORTHWESTERN HYDRO INC." and (pe.signatures[i].serial=="00:aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42" or pe.signatures[i].serial=="aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42") and 1639872000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AXIUM NORTHWESTERN HYDRO INC." and ( pe.signatures [ i ] . serial == "00:aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42" or pe.signatures [ i ] . serial == "aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42" ) and 1639872000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48592,13 +48592,13 @@ rule REVERSINGLABS_Cert_Blocklist_3C98B6872Fbb1F4Ae37A4Caa749D24C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f4cc9c94-eb96-5380-9e12-cab5ec010ab8" + id = "432a3407-6e11-5e85-b87e-74bdc9e04324" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11862-L11878" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c534ad306f85e12eca2336e998120deb4ba8d0d63b8331986ec7fe4ac69ba65a" + logic_hash = "v1_sha256_c534ad306f85e12eca2336e998120deb4ba8d0d63b8331986ec7fe4ac69ba65a" score = 75 quality = 90 tags = "INFO, FILE" @@ -48608,7 +48608,7 @@ rule REVERSINGLABS_Cert_Blocklist_3C98B6872Fbb1F4Ae37A4Caa749D24C2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO SMART" and pe.signatures[i].serial=="3c:98:b6:87:2f:bb:1f:4a:e3:7a:4c:aa:74:9d:24:c2" and 1613370100<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO SMART" and pe.signatures [ i ] . serial == "3c:98:b6:87:2f:bb:1f:4a:e3:7a:4c:aa:74:9d:24:c2" and 1613370100 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48617,13 +48617,13 @@ rule REVERSINGLABS_Cert_Blocklist_E4E795Fd1Fd25595B869Ce22Aa7Dc49F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9c6d2be7-093c-5ce2-83af-6ab9b46603bc" + id = "c6e80a3e-99b9-585f-8064-ff9db4c31d15" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11880-L11898" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ced47bd69b58de9e6b2aa7518ccceca088884acb79c0803c3defe6b115a0abb6" + logic_hash = "v1_sha256_ced47bd69b58de9e6b2aa7518ccceca088884acb79c0803c3defe6b115a0abb6" score = 75 quality = 90 tags = "INFO, FILE" @@ -48633,7 +48633,7 @@ rule REVERSINGLABS_Cert_Blocklist_E4E795Fd1Fd25595B869Ce22Aa7Dc49F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OASIS COURT LIMITED" and (pe.signatures[i].serial=="00:e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f" or pe.signatures[i].serial=="e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f") and 1608508800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OASIS COURT LIMITED" and ( pe.signatures [ i ] . serial == "00:e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f" or pe.signatures [ i ] . serial == "e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f" ) and 1608508800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48642,13 +48642,13 @@ rule REVERSINGLABS_Cert_Blocklist_E953Ada7E8F1438E5F7680Ff599Ae43E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2bce88d4-24e6-59e5-ae02-5284ec43cfa4" + id = "5a81c0df-5a12-55e1-91d4-730b26e3df61" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11900-L11918" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7cb7d77abefd35f0756c5aa0983f7403cca4cbacd94dcc6b510c929bc96c8309" + logic_hash = "v1_sha256_7cb7d77abefd35f0756c5aa0983f7403cca4cbacd94dcc6b510c929bc96c8309" score = 75 quality = 90 tags = "INFO, FILE" @@ -48658,7 +48658,7 @@ rule REVERSINGLABS_Cert_Blocklist_E953Ada7E8F1438E5F7680Ff599Ae43E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "KULBYT LLC" and (pe.signatures[i].serial=="00:e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e" or pe.signatures[i].serial=="e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e") and 1614729600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "KULBYT LLC" and ( pe.signatures [ i ] . serial == "00:e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e" or pe.signatures [ i ] . serial == "e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e" ) and 1614729600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48667,13 +48667,13 @@ rule REVERSINGLABS_Cert_Blocklist_28C57Df09Ce7Cc3Fde2243Beb4D00101 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "63e2edab-11a4-55ba-b042-c88b6d2750a5" + id = "feb45241-c3a1-5e5c-83ec-aacb03fc7367" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11920-L11936" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "84402dc0a58fca36424d8d6d13c60b80342bb3792f4e32e23878530264358726" + logic_hash = "v1_sha256_84402dc0a58fca36424d8d6d13c60b80342bb3792f4e32e23878530264358726" score = 75 quality = 90 tags = "INFO, FILE" @@ -48683,7 +48683,7 @@ rule REVERSINGLABS_Cert_Blocklist_28C57Df09Ce7Cc3Fde2243Beb4D00101 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "WATER, s.r.o." and pe.signatures[i].serial=="28:c5:7d:f0:9c:e7:cc:3f:de:22:43:be:b4:d0:01:01" and 1622678400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "WATER, s.r.o." and pe.signatures [ i ] . serial == "28:c5:7d:f0:9c:e7:cc:3f:de:22:43:be:b4:d0:01:01" and 1622678400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48692,13 +48692,13 @@ rule REVERSINGLABS_Cert_Blocklist_2D8Cfcf04209Dc7F771D8D18E462C35A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5ce5c076-87de-50f0-9fa1-a3efef8dd7f8" + id = "dd246d9a-57a1-5cb1-9719-796f6a194b36" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11938-L11954" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b784e46268d78046365400ef914d7ca673503c93962d0b0740ca2ac9faf7857" + logic_hash = "v1_sha256_2b784e46268d78046365400ef914d7ca673503c93962d0b0740ca2ac9faf7857" score = 75 quality = 90 tags = "INFO, FILE" @@ -48708,7 +48708,7 @@ rule REVERSINGLABS_Cert_Blocklist_2D8Cfcf04209Dc7F771D8D18E462C35A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AA PLUS INVEST d.o.o." and pe.signatures[i].serial=="2d:8c:fc:f0:42:09:dc:7f:77:1d:8d:18:e4:62:c3:5a" and 1631491200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AA PLUS INVEST d.o.o." and pe.signatures [ i ] . serial == "2d:8c:fc:f0:42:09:dc:7f:77:1d:8d:18:e4:62:c3:5a" and 1631491200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48717,13 +48717,13 @@ rule REVERSINGLABS_Cert_Blocklist_016836311Fc39Fbb8E6F308Bb03Cc2B3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2c4061e8-0b8e-5c33-a746-6557449b17ed" + id = "f354d7bd-8f9c-5a17-9c98-0d87f4d9b579" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11956-L11972" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c5f6372a207d02283840e745619e93194d954eedff7bae34aadcb645b1cb78fc" + logic_hash = "v1_sha256_c5f6372a207d02283840e745619e93194d954eedff7bae34aadcb645b1cb78fc" score = 75 quality = 90 tags = "INFO, FILE" @@ -48733,7 +48733,7 @@ rule REVERSINGLABS_Cert_Blocklist_016836311Fc39Fbb8E6F308Bb03Cc2B3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SERVICE STREAM LIMITED" and pe.signatures[i].serial=="01:68:36:31:1f:c3:9f:bb:8e:6f:30:8b:b0:3c:c2:b3" and 1602547200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SERVICE STREAM LIMITED" and pe.signatures [ i ] . serial == "01:68:36:31:1f:c3:9f:bb:8e:6f:30:8b:b0:3c:c2:b3" and 1602547200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48742,13 +48742,13 @@ rule REVERSINGLABS_Cert_Blocklist_435Abf46053A0A445C54217A8C233A7F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "538d7405-be17-519e-beb5-fbef3beaedd3" + id = "881fed2a-69c9-5a0c-b11f-710864626229" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11974-L11990" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "839f55e8fe7a86aad406e657fdef48925543b5d3884927104fd3786444a8fccc" + logic_hash = "v1_sha256_839f55e8fe7a86aad406e657fdef48925543b5d3884927104fd3786444a8fccc" score = 75 quality = 90 tags = "INFO, FILE" @@ -48758,7 +48758,7 @@ rule REVERSINGLABS_Cert_Blocklist_435Abf46053A0A445C54217A8C233A7F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Kodemika" and pe.signatures[i].serial=="43:5a:bf:46:05:3a:0a:44:5c:54:21:7a:8c:23:3a:7f" and 1616976000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Kodemika" and pe.signatures [ i ] . serial == "43:5a:bf:46:05:3a:0a:44:5c:54:21:7a:8c:23:3a:7f" and 1616976000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48767,13 +48767,13 @@ rule REVERSINGLABS_Cert_Blocklist_B2F9C693A2E6634565F63C79B01Dd8F8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c094666a-0bb3-5cb6-82a8-3074b9eed32b" + id = "9bc8ada3-10ff-585f-887e-56ceb7403c21" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11992-L12010" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f5ec67c082be21a2495ef90fd0a6d4fc4b1379c4903dcc051d39cf1913d5cf20" + logic_hash = "v1_sha256_f5ec67c082be21a2495ef90fd0a6d4fc4b1379c4903dcc051d39cf1913d5cf20" score = 75 quality = 90 tags = "INFO, FILE" @@ -48783,7 +48783,7 @@ rule REVERSINGLABS_Cert_Blocklist_B2F9C693A2E6634565F63C79B01Dd8F8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PHL E STATE ApS" and (pe.signatures[i].serial=="00:b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8" or pe.signatures[i].serial=="b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8") and 1620000000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PHL E STATE ApS" and ( pe.signatures [ i ] . serial == "00:b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8" or pe.signatures [ i ] . serial == "b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8" ) and 1620000000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48792,13 +48792,13 @@ rule REVERSINGLABS_Cert_Blocklist_54A6D33F73129E0Ef059Ccf51Be0C35E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1cf2bda8-05e6-5f0a-a28a-2f5fa02775c9" + id = "62b0e468-c1c1-5ff1-b14a-b77215bbf838" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12012-L12028" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6fbed9c8537ea2baeb58044a934fc9741730b8a3ae4d059c23b033973d7ff7d3" + logic_hash = "v1_sha256_6fbed9c8537ea2baeb58044a934fc9741730b8a3ae4d059c23b033973d7ff7d3" score = 75 quality = 90 tags = "INFO, FILE" @@ -48808,7 +48808,7 @@ rule REVERSINGLABS_Cert_Blocklist_54A6D33F73129E0Ef059Ccf51Be0C35E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "STAFFORD MEAT COMPANY, INC." and pe.signatures[i].serial=="54:a6:d3:3f:73:12:9e:0e:f0:59:cc:f5:1b:e0:c3:5e" and 1607100127<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "STAFFORD MEAT COMPANY, INC." and pe.signatures [ i ] . serial == "54:a6:d3:3f:73:12:9e:0e:f0:59:cc:f5:1b:e0:c3:5e" and 1607100127 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48817,13 +48817,13 @@ rule REVERSINGLABS_Cert_Blocklist_142Aac4217E22B525C8587589773Ba9B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "488be2f7-e3d4-51e3-b7bb-142caa7b2bd5" + id = "2d2e7993-68c0-5235-8181-a9f7caf682d0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12030-L12046" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f169925c27f5e0f8d5f658b83d1b9fa4548c4443b16bd4d7f87aa2b8e44bf06b" + logic_hash = "v1_sha256_f169925c27f5e0f8d5f658b83d1b9fa4548c4443b16bd4d7f87aa2b8e44bf06b" score = 75 quality = 90 tags = "INFO, FILE" @@ -48833,7 +48833,7 @@ rule REVERSINGLABS_Cert_Blocklist_142Aac4217E22B525C8587589773Ba9B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "A.B. gostinstvo trgovina posredni\\xC5\\xA1tvo in druge storitve, d.o.o." and pe.signatures[i].serial=="14:2a:ac:42:17:e2:2b:52:5c:85:87:58:97:73:ba:9b" and 1614124800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "A.B. gostinstvo trgovina posredni\\xC5\\xA1tvo in druge storitve, d.o.o." and pe.signatures [ i ] . serial == "14:2a:ac:42:17:e2:2b:52:5c:85:87:58:97:73:ba:9b" and 1614124800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48842,13 +48842,13 @@ rule REVERSINGLABS_Cert_Blocklist_239664C12Baeb5A6D787912888051392 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4d24a880-6fa5-5c22-875e-29f4985e3750" + id = "0ce448fd-88ba-5685-bf12-b248d0246278" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12048-L12064" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ab2c228088a4c11b3a0f1a5f0acf181cc31e548781cb3f1205475bfbe39c7236" + logic_hash = "v1_sha256_ab2c228088a4c11b3a0f1a5f0acf181cc31e548781cb3f1205475bfbe39c7236" score = 75 quality = 90 tags = "INFO, FILE" @@ -48858,7 +48858,7 @@ rule REVERSINGLABS_Cert_Blocklist_239664C12Baeb5A6D787912888051392 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "FORTH PROPERTY LTD" and pe.signatures[i].serial=="23:96:64:c1:2b:ae:b5:a6:d7:87:91:28:88:05:13:92" and 1618272000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "FORTH PROPERTY LTD" and pe.signatures [ i ] . serial == "23:96:64:c1:2b:ae:b5:a6:d7:87:91:28:88:05:13:92" and 1618272000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48867,13 +48867,13 @@ rule REVERSINGLABS_Cert_Blocklist_0218Ebfd5A9Bfd55D2F661F0D18D1D71 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d03619c7-c4e8-57bd-a19e-1452ab7a76df" + id = "6c943e3c-e449-5602-86ae-7a809a1477b0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12066-L12082" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4aabe3beab0055b6ef8f6114c5236940f5693b44e94efd14132b450bb9232c03" + logic_hash = "v1_sha256_4aabe3beab0055b6ef8f6114c5236940f5693b44e94efd14132b450bb9232c03" score = 75 quality = 90 tags = "INFO, FILE" @@ -48883,7 +48883,7 @@ rule REVERSINGLABS_Cert_Blocklist_0218Ebfd5A9Bfd55D2F661F0D18D1D71 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "REI LUX UK LIMITED" and pe.signatures[i].serial=="02:18:eb:fd:5a:9b:fd:55:d2:f6:61:f0:d1:8d:1d:71" and 1608508800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "REI LUX UK LIMITED" and pe.signatures [ i ] . serial == "02:18:eb:fd:5a:9b:fd:55:d2:f6:61:f0:d1:8d:1d:71" and 1608508800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48892,13 +48892,13 @@ rule REVERSINGLABS_Cert_Blocklist_35590Ebe4A02Dc23317D8Ce47A947A9B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2f72a686-c30c-572d-a78c-03747ac325b6" + id = "88c6aaf7-cf17-5d14-9d21-75ab65e18702" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12084-L12100" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2d4bc88943cdc8af00effab745e64e60ef662c668a0b2193c256d11831ef1554" + logic_hash = "v1_sha256_2d4bc88943cdc8af00effab745e64e60ef662c668a0b2193c256d11831ef1554" score = 75 quality = 90 tags = "INFO, FILE" @@ -48908,7 +48908,7 @@ rule REVERSINGLABS_Cert_Blocklist_35590Ebe4A02Dc23317D8Ce47A947A9B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OOO Largos" and pe.signatures[i].serial=="35:59:0e:be:4a:02:dc:23:31:7d:8c:e4:7a:94:7a:9b" and 1602201600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OOO Largos" and pe.signatures [ i ] . serial == "35:59:0e:be:4a:02:dc:23:31:7d:8c:e4:7a:94:7a:9b" and 1602201600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48917,13 +48917,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aa07D4F2857119Cee514A0Bd412F8201 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6bb83f26-90f5-587f-8c69-fa06beaead3e" + id = "f7037358-2bb2-52e6-8644-f7c9f5089211" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12102-L12120" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fbbea89f2070b2a527bba6199022fbffd269e664b000988a59adf4ca0d4a9f22" + logic_hash = "v1_sha256_fbbea89f2070b2a527bba6199022fbffd269e664b000988a59adf4ca0d4a9f22" score = 75 quality = 90 tags = "INFO, FILE" @@ -48933,7 +48933,7 @@ rule REVERSINGLABS_Cert_Blocklist_Aa07D4F2857119Cee514A0Bd412F8201 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HANGA GIP d.o.o." and (pe.signatures[i].serial=="00:aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01" or pe.signatures[i].serial=="aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01") and 1615766400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HANGA GIP d.o.o." and ( pe.signatures [ i ] . serial == "00:aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01" or pe.signatures [ i ] . serial == "aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01" ) and 1615766400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48942,13 +48942,13 @@ rule REVERSINGLABS_Cert_Blocklist_40F5660A90301E7A8A8C3B42 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c47bb4f0-d60b-5948-ac10-6083606ed46a" + id = "0b41b94c-b144-5daf-bc7a-9a9553348216" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12122-L12138" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3573d1d5f11df106f1f6f44f8b0164992f2a50707c6df7b08b05ed9ea7d9173b" + logic_hash = "v1_sha256_3573d1d5f11df106f1f6f44f8b0164992f2a50707c6df7b08b05ed9ea7d9173b" score = 75 quality = 90 tags = "INFO, FILE" @@ -48958,7 +48958,7 @@ rule REVERSINGLABS_Cert_Blocklist_40F5660A90301E7A8A8C3B42 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Booz Allen Hamilton Inc." and pe.signatures[i].serial=="40:f5:66:0a:90:30:1e:7a:8a:8c:3b:42" and 1641833688<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Booz Allen Hamilton Inc." and pe.signatures [ i ] . serial == "40:f5:66:0a:90:30:1e:7a:8a:8c:3b:42" and 1641833688 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48967,13 +48967,13 @@ rule REVERSINGLABS_Cert_Blocklist_0400C7614F86D75Fe4Ee3F6192B6Feda : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "500c9604-cc07-52b1-8c46-09894d132205" + id = "c4fd7da9-8811-5288-8c4d-af4fb4e1f55e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12140-L12156" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "47735267e9a0fb8107f6c4008bacc8aada1705f6714a0447dacc3928fc20cad6" + logic_hash = "v1_sha256_47735267e9a0fb8107f6c4008bacc8aada1705f6714a0447dacc3928fc20cad6" score = 75 quality = 90 tags = "INFO, FILE" @@ -48983,7 +48983,7 @@ rule REVERSINGLABS_Cert_Blocklist_0400C7614F86D75Fe4Ee3F6192B6Feda : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "StackUp ApS" and pe.signatures[i].serial=="04:00:c7:61:4f:86:d7:5f:e4:ee:3f:61:92:b6:fe:da" and 1626393601<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "StackUp ApS" and pe.signatures [ i ] . serial == "04:00:c7:61:4f:86:d7:5f:e4:ee:3f:61:92:b6:fe:da" and 1626393601 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -48992,13 +48992,13 @@ rule REVERSINGLABS_Cert_Blocklist_E573D9C8B403C41Bd59Ffa0A8Efd4168 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2e799dd9-d143-55a7-9d07-d5f289477b24" + id = "c83ef41c-6a99-575c-b301-7f6b801881b6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12158-L12176" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "425126b90fe2ab7c1ec7bf2fd5a91e4438a81992f20f99ed87ec62e7f20043cd" + logic_hash = "v1_sha256_425126b90fe2ab7c1ec7bf2fd5a91e4438a81992f20f99ed87ec62e7f20043cd" score = 75 quality = 90 tags = "INFO, FILE" @@ -49008,7 +49008,7 @@ rule REVERSINGLABS_Cert_Blocklist_E573D9C8B403C41Bd59Ffa0A8Efd4168 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\"VERONIKA 2\" OOO" and (pe.signatures[i].serial=="00:e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68" or pe.signatures[i].serial=="e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68") and 1563148800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\"VERONIKA 2\" OOO" and ( pe.signatures [ i ] . serial == "00:e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68" or pe.signatures [ i ] . serial == "e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68" ) and 1563148800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49017,13 +49017,13 @@ rule REVERSINGLABS_Cert_Blocklist_B06Bc166Fc765Dacd2F7448C8Cdd9205 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4b27c958-58f1-5fbd-8a39-aedfe4dafe39" + id = "8ec2b868-8380-5bbe-aa66-cc4bc34e4879" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12178-L12196" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2c47166f02c7f94bb4f82296e3220ff7ca3c6c53566d855b2fe77cb842a5fb43" + logic_hash = "v1_sha256_2c47166f02c7f94bb4f82296e3220ff7ca3c6c53566d855b2fe77cb842a5fb43" score = 75 quality = 90 tags = "INFO, FILE" @@ -49033,7 +49033,7 @@ rule REVERSINGLABS_Cert_Blocklist_B06Bc166Fc765Dacd2F7448C8Cdd9205 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GAS Avto, d.o.o." and (pe.signatures[i].serial=="00:b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05" or pe.signatures[i].serial=="b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05") and 1615507200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GAS Avto, d.o.o." and ( pe.signatures [ i ] . serial == "00:b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05" or pe.signatures [ i ] . serial == "b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05" ) and 1615507200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49042,13 +49042,13 @@ rule REVERSINGLABS_Cert_Blocklist_E9268Ed63A7D7E9Dfd40A664Ddfbaf18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a93b0a98-cfec-5e32-9fd8-b3d6c4353558" + id = "c81a9978-cd84-5148-8b0b-6b24389d59c3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12198-L12216" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fc840c0b37867c3b0aa80d4dc609feaaab77d3f0c6f84c8bb2ea7c5a6461ebb8" + logic_hash = "v1_sha256_fc840c0b37867c3b0aa80d4dc609feaaab77d3f0c6f84c8bb2ea7c5a6461ebb8" score = 75 quality = 90 tags = "INFO, FILE" @@ -49058,7 +49058,7 @@ rule REVERSINGLABS_Cert_Blocklist_E9268Ed63A7D7E9Dfd40A664Ddfbaf18 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Casta, s.r.o." and (pe.signatures[i].serial=="00:e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18" or pe.signatures[i].serial=="e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18") and 1647302400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Casta, s.r.o." and ( pe.signatures [ i ] . serial == "00:e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18" or pe.signatures [ i ] . serial == "e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18" ) and 1647302400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49067,13 +49067,13 @@ rule REVERSINGLABS_Cert_Blocklist_425Dc3E0Ca8Bcdce19D00D87E3F0Ba28 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "df6e1403-c300-5d97-b57d-dc70d61b2229" + id = "2c04cd8b-05ae-5616-b717-3e22e0f2b23f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12218-L12234" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "67a975f2806825bf0da27fcaf33c2ff497fe9bb2af12c22ff505b49070516960" + logic_hash = "v1_sha256_67a975f2806825bf0da27fcaf33c2ff497fe9bb2af12c22ff505b49070516960" score = 75 quality = 90 tags = "INFO, FILE" @@ -49083,7 +49083,7 @@ rule REVERSINGLABS_Cert_Blocklist_425Dc3E0Ca8Bcdce19D00D87E3F0Ba28 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Protover LLC" and pe.signatures[i].serial=="42:5d:c3:e0:ca:8b:cd:ce:19:d0:0d:87:e3:f0:ba:28" and 1621900800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Protover LLC" and pe.signatures [ i ] . serial == "42:5d:c3:e0:ca:8b:cd:ce:19:d0:0d:87:e3:f0:ba:28" and 1621900800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49092,13 +49092,13 @@ rule REVERSINGLABS_Cert_Blocklist_Afc0Ddb7Bdc8207E8C3B7204018Eecd3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "73f4d6e2-6924-59fa-8ec1-305f2d5dc5a3" + id = "14f74bb2-4c87-5913-a73e-d27e65d05171" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12236-L12254" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "302e2d6b31ca5c2c33c4ec7294630fd88a9c40f70ddecdc606ccff27b24e1cd4" + logic_hash = "v1_sha256_302e2d6b31ca5c2c33c4ec7294630fd88a9c40f70ddecdc606ccff27b24e1cd4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49108,7 +49108,7 @@ rule REVERSINGLABS_Cert_Blocklist_Afc0Ddb7Bdc8207E8C3B7204018Eecd3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE9\\x83\\xB4\\xE5\\xB7\\x9E\\xE8\\x9C\\x97\\xE7\\x89\\x9B\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (pe.signatures[i].serial=="00:af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3" or pe.signatures[i].serial=="af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3") and 1629676800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE9\\x83\\xB4\\xE5\\xB7\\x9E\\xE8\\x9C\\x97\\xE7\\x89\\x9B\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and ( pe.signatures [ i ] . serial == "00:af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3" or pe.signatures [ i ] . serial == "af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3" ) and 1629676800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49117,13 +49117,13 @@ rule REVERSINGLABS_Cert_Blocklist_38989Ec61Ecdb7391Ff5647F7D58Ad18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1841bbd1-4c7a-5b89-8c63-58d8a3ae1cef" + id = "9bce9c96-4e4e-517a-98ab-6f6d485f31c8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12256-L12272" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1795812d4daa458b157280cac7a9b13e9b67a2d78eac077691bbce2bf8aeec34" + logic_hash = "v1_sha256_1795812d4daa458b157280cac7a9b13e9b67a2d78eac077691bbce2bf8aeec34" score = 75 quality = 90 tags = "INFO, FILE" @@ -49133,7 +49133,7 @@ rule REVERSINGLABS_Cert_Blocklist_38989Ec61Ecdb7391Ff5647F7D58Ad18 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RotA Games ApS" and pe.signatures[i].serial=="38:98:9e:c6:1e:cd:b7:39:1f:f5:64:7f:7d:58:ad:18" and 1613088000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RotA Games ApS" and pe.signatures [ i ] . serial == "38:98:9e:c6:1e:cd:b7:39:1f:f5:64:7f:7d:58:ad:18" and 1613088000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49142,13 +49142,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bc6C43D206A360F2D6B58537C456B709 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fd19ce61-056b-549a-946e-72543ff1f7c0" + id = "d334902e-8ee4-58c7-8bba-88c82d2884df" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12274-L12292" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "eb5288d2b96ff7a7783c2b2b02f9f1168784352ed84ad6463dce00c12daca6cb" + logic_hash = "v1_sha256_eb5288d2b96ff7a7783c2b2b02f9f1168784352ed84ad6463dce00c12daca6cb" score = 75 quality = 90 tags = "INFO, FILE" @@ -49158,7 +49158,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bc6C43D206A360F2D6B58537C456B709 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ANKADA GROUP, d.o.o." and (pe.signatures[i].serial=="00:bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09" or pe.signatures[i].serial=="bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09") and 1616630400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ANKADA GROUP, d.o.o." and ( pe.signatures [ i ] . serial == "00:bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09" or pe.signatures [ i ] . serial == "bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09" ) and 1616630400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49167,13 +49167,13 @@ rule REVERSINGLABS_Cert_Blocklist_4929Ab561C812Af93Ddb9758B545F546 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6e8ffb39-d00d-54ca-a4be-68f6dd92d798" + id = "111aa066-48be-5dfc-b3bc-3aa20788952b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12294-L12310" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "12235e324b92b83e9cfaed7cbcff5d093b8b1d7528dd5ac327159cde6e9a4d1f" + logic_hash = "v1_sha256_12235e324b92b83e9cfaed7cbcff5d093b8b1d7528dd5ac327159cde6e9a4d1f" score = 75 quality = 90 tags = "INFO, FILE" @@ -49183,7 +49183,7 @@ rule REVERSINGLABS_Cert_Blocklist_4929Ab561C812Af93Ddb9758B545F546 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Everything Wow s.r.o." and pe.signatures[i].serial=="49:29:ab:56:1c:81:2a:f9:3d:db:97:58:b5:45:f5:46" and 1594252800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Everything Wow s.r.o." and pe.signatures [ i ] . serial == "49:29:ab:56:1c:81:2a:f9:3d:db:97:58:b5:45:f5:46" and 1594252800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49192,13 +49192,13 @@ rule REVERSINGLABS_Cert_Blocklist_25C6Dbce3D5499F65D9Df16E9007465D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f6d0808d-4748-5b9f-9be2-7753292a6209" + id = "fc20b80a-d556-55b6-b214-29763d101909" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12312-L12328" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "978f05f86734c63afe1e5929a58f3cfff75ef749ffda07252db90b6fe12508ec" + logic_hash = "v1_sha256_978f05f86734c63afe1e5929a58f3cfff75ef749ffda07252db90b6fe12508ec" score = 75 quality = 90 tags = "INFO, FILE" @@ -49208,7 +49208,7 @@ rule REVERSINGLABS_Cert_Blocklist_25C6Dbce3D5499F65D9Df16E9007465D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AMCERT,LLC" and pe.signatures[i].serial=="25:c6:db:ce:3d:54:99:f6:5d:9d:f1:6e:90:07:46:5d" and 1626566400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AMCERT,LLC" and pe.signatures [ i ] . serial == "25:c6:db:ce:3d:54:99:f6:5d:9d:f1:6e:90:07:46:5d" and 1626566400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49217,13 +49217,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bc6A1812E001362469541108973Bbd52 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ac5ac6d7-898b-5547-8d35-a483f20edcd6" + id = "159aa768-7dfe-537e-a1d8-025f969607c6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12330-L12348" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9b678e9fb1e1eda3ac8e027b5e449af446de4379fea46ef7ff820240c73795ee" + logic_hash = "v1_sha256_9b678e9fb1e1eda3ac8e027b5e449af446de4379fea46ef7ff820240c73795ee" score = 75 quality = 90 tags = "INFO, FILE" @@ -49233,7 +49233,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bc6A1812E001362469541108973Bbd52 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AMCERT,LLC" and (pe.signatures[i].serial=="00:bc:6a:18:12:e0:01:36:24:69:54:11:08:97:3b:bd:52" or pe.signatures[i].serial=="bc:6a:18:12:e0:01:36:24:69:54:11:08:97:3b:bd:52") and 1623801600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AMCERT,LLC" and ( pe.signatures [ i ] . serial == "00:bc:6a:18:12:e0:01:36:24:69:54:11:08:97:3b:bd:52" or pe.signatures [ i ] . serial == "bc:6a:18:12:e0:01:36:24:69:54:11:08:97:3b:bd:52" ) and 1623801600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49242,13 +49242,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bde1D6Dc3622724F427A39E6A34F5124 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6b6958c0-3b43-5c17-9354-d0e2326b97fd" + id = "f15afc5b-4f70-5f63-b05e-954111ee4bb8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12350-L12368" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f1cf0b6855269a771447a0b38f4a02996b6527d7df4b143b69598ed591719ca0" + logic_hash = "v1_sha256_f1cf0b6855269a771447a0b38f4a02996b6527d7df4b143b69598ed591719ca0" score = 75 quality = 90 tags = "INFO, FILE" @@ -49258,7 +49258,7 @@ rule REVERSINGLABS_Cert_Blocklist_Bde1D6Dc3622724F427A39E6A34F5124 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AMCERT,LLC" and (pe.signatures[i].serial=="00:bd:e1:d6:dc:36:22:72:4f:42:7a:39:e6:a3:4f:51:24" or pe.signatures[i].serial=="bd:e1:d6:dc:36:22:72:4f:42:7a:39:e6:a3:4f:51:24") and 1628553600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AMCERT,LLC" and ( pe.signatures [ i ] . serial == "00:bd:e1:d6:dc:36:22:72:4f:42:7a:39:e6:a3:4f:51:24" or pe.signatures [ i ] . serial == "bd:e1:d6:dc:36:22:72:4f:42:7a:39:e6:a3:4f:51:24" ) and 1628553600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49267,13 +49267,13 @@ rule REVERSINGLABS_Cert_Blocklist_5C9F5F96726A6E6Fc3B8Bb153Ac82Af2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f7619c39-33a0-5f99-b911-9d8a61a4683d" + id = "934a96ce-f689-5298-b18b-788bd1fa89a9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12370-L12386" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a61bcc4a90a75a429366e3f93929005b67325eccc6cad3df6b7a0c3692597828" + logic_hash = "v1_sha256_a61bcc4a90a75a429366e3f93929005b67325eccc6cad3df6b7a0c3692597828" score = 75 quality = 90 tags = "INFO, FILE" @@ -49283,7 +49283,7 @@ rule REVERSINGLABS_Cert_Blocklist_5C9F5F96726A6E6Fc3B8Bb153Ac82Af2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "1105 SOFTWARE LLC" and pe.signatures[i].serial=="5c:9f:5f:96:72:6a:6e:6f:c3:b8:bb:15:3a:c8:2a:f2" and 1679061408<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "1105 SOFTWARE LLC" and pe.signatures [ i ] . serial == "5c:9f:5f:96:72:6a:6e:6f:c3:b8:bb:15:3a:c8:2a:f2" and 1679061408 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49292,13 +49292,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E889Bb3B7F7194B674C6A0335A608E0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d164846d-9552-5108-8b01-1b4b3e7c0b60" + id = "6ae78275-2be3-59bb-88ec-93208909baaf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12388-L12404" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fa2a47f4fb822089fcc958850ce516c8c5d95a6d9b575f3b1d1d4a2ceb2537e4" + logic_hash = "v1_sha256_fa2a47f4fb822089fcc958850ce516c8c5d95a6d9b575f3b1d1d4a2ceb2537e4" score = 75 quality = 90 tags = "INFO, FILE" @@ -49308,7 +49308,7 @@ rule REVERSINGLABS_Cert_Blocklist_6E889Bb3B7F7194B674C6A0335A608E0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CLEVERCONTROL LLC" and pe.signatures[i].serial=="6e:88:9b:b3:b7:f7:19:4b:67:4c:6a:03:35:a6:08:e0" and 1646956800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CLEVERCONTROL LLC" and pe.signatures [ i ] . serial == "6e:88:9b:b3:b7:f7:19:4b:67:4c:6a:03:35:a6:08:e0" and 1646956800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49317,13 +49317,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F62F760704Bdf8Dc30C7Baa7376F484 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fe326fb9-fe1e-5fc9-8599-6b4cfd6506dd" + id = "634f9d1f-d240-56bc-be19-ce74592a9159" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12406-L12422" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d54d52e116b9404782ce80664f218d2e142577dac672c53c41b82f0466c7375a" + logic_hash = "v1_sha256_d54d52e116b9404782ce80664f218d2e142577dac672c53c41b82f0466c7375a" score = 75 quality = 90 tags = "INFO, FILE" @@ -49333,7 +49333,7 @@ rule REVERSINGLABS_Cert_Blocklist_0F62F760704Bdf8Dc30C7Baa7376F484 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Shanghai XuSong investment partnership Enterprise(Limited)" and pe.signatures[i].serial=="0f:62:f7:60:70:4b:df:8d:c3:0c:7b:aa:73:76:f4:84" and 1659398400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Shanghai XuSong investment partnership Enterprise(Limited)" and pe.signatures [ i ] . serial == "0f:62:f7:60:70:4b:df:8d:c3:0c:7b:aa:73:76:f4:84" and 1659398400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49342,13 +49342,13 @@ rule REVERSINGLABS_Cert_Blocklist_071202Dbfda40B629C5E7Acac947C2D3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4206c383-0e6d-5129-8e6a-05bd54c48e65" + id = "7097c3a6-0d4d-59ca-b12e-f9e5779e86f7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12424-L12440" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cc51b0ae6a59f68e61ee0b4ff33ea0e1ee9ef04e4c994e1c98da6befab62a5b9" + logic_hash = "v1_sha256_cc51b0ae6a59f68e61ee0b4ff33ea0e1ee9ef04e4c994e1c98da6befab62a5b9" score = 75 quality = 90 tags = "INFO, FILE" @@ -49358,7 +49358,7 @@ rule REVERSINGLABS_Cert_Blocklist_071202Dbfda40B629C5E7Acac947C2D3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Crossfire Industries, LLC" and pe.signatures[i].serial=="07:12:02:db:fd:a4:0b:62:9c:5e:7a:ca:c9:47:c2:d3" and 1658620801<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Crossfire Industries, LLC" and pe.signatures [ i ] . serial == "07:12:02:db:fd:a4:0b:62:9c:5e:7a:ca:c9:47:c2:d3" and 1658620801 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49367,13 +49367,13 @@ rule REVERSINGLABS_Cert_Blocklist_98Ab9585C04D7F0E4Cf4De98C14B684D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "445bb30e-e021-5a75-a47e-29fa567acfa5" + id = "3e67a2b3-3330-5c2a-998d-1895eb8c7587" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12442-L12460" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ba43dd15b13623bb99d88c93fb9e751deb95a546325a1142d9137b25430d07fd" + logic_hash = "v1_sha256_ba43dd15b13623bb99d88c93fb9e751deb95a546325a1142d9137b25430d07fd" score = 75 quality = 90 tags = "INFO, FILE" @@ -49383,7 +49383,7 @@ rule REVERSINGLABS_Cert_Blocklist_98Ab9585C04D7F0E4Cf4De98C14B684D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AMCERT,LLC" and (pe.signatures[i].serial=="00:98:ab:95:85:c0:4d:7f:0e:4c:f4:de:98:c1:4b:68:4d" or pe.signatures[i].serial=="98:ab:95:85:c0:4d:7f:0e:4c:f4:de:98:c1:4b:68:4d") and 1656547200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AMCERT,LLC" and ( pe.signatures [ i ] . serial == "00:98:ab:95:85:c0:4d:7f:0e:4c:f4:de:98:c1:4b:68:4d" or pe.signatures [ i ] . serial == "98:ab:95:85:c0:4d:7f:0e:4c:f4:de:98:c1:4b:68:4d" ) and 1656547200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49392,13 +49392,13 @@ rule REVERSINGLABS_Cert_Blocklist_4631713E66E91347F0388B98Cf747794 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6c541522-98ab-5acb-af84-c005c9721e1f" + id = "3edec0d8-76ac-51fe-af6d-d9b178dc6246" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12462-L12478" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cb517cda67150b7e17ee3bd946903e8e8eca81742a362032249a2f2387e71c50" + logic_hash = "v1_sha256_cb517cda67150b7e17ee3bd946903e8e8eca81742a362032249a2f2387e71c50" score = 75 quality = 90 tags = "INFO, FILE" @@ -49408,7 +49408,7 @@ rule REVERSINGLABS_Cert_Blocklist_4631713E66E91347F0388B98Cf747794 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\xB9\\xBF\\xE5\\xB7\\x9E\\xE6\\x98\\x8A\\xE5\\x8A\\xA8\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="46:31:71:3e:66:e9:13:47:f0:38:8b:98:cf:74:77:94" and 1488240000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\xB9\\xBF\\xE5\\xB7\\x9E\\xE6\\x98\\x8A\\xE5\\x8A\\xA8\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "46:31:71:3e:66:e9:13:47:f0:38:8b:98:cf:74:77:94" and 1488240000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49417,13 +49417,13 @@ rule REVERSINGLABS_Cert_Blocklist_E963F8983D21B4C1A69C66A9D37498E5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4cbc6cc9-1795-5d43-84a1-dd835d7ef349" + id = "7c0d882a-3925-539d-8e9f-8fe84707f98e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12480-L12498" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b7c715e28f003351d10ba53657e9e667b635a0e4433276d91d26f4482a61191d" + logic_hash = "v1_sha256_b7c715e28f003351d10ba53657e9e667b635a0e4433276d91d26f4482a61191d" score = 75 quality = 90 tags = "INFO, FILE" @@ -49433,7 +49433,7 @@ rule REVERSINGLABS_Cert_Blocklist_E963F8983D21B4C1A69C66A9D37498E5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Max Steinhard" and (pe.signatures[i].serial=="00:e9:63:f8:98:3d:21:b4:c1:a6:9c:66:a9:d3:74:98:e5" or pe.signatures[i].serial=="e9:63:f8:98:3d:21:b4:c1:a6:9c:66:a9:d3:74:98:e5") and 1656288000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Max Steinhard" and ( pe.signatures [ i ] . serial == "00:e9:63:f8:98:3d:21:b4:c1:a6:9c:66:a9:d3:74:98:e5" or pe.signatures [ i ] . serial == "e9:63:f8:98:3d:21:b4:c1:a6:9c:66:a9:d3:74:98:e5" ) and 1656288000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49442,13 +49442,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E44Fcedd49F22F7A28Cecc99104F61A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b69a4e06-a732-5462-b2b1-bdde3fd34e31" + id = "dda8c05f-ecc7-5b55-a454-6ab57e7cefd5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12500-L12516" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "caff0cbca45c0dffb673367585824783371f2f4e31a0c9629afb7de708098892" + logic_hash = "v1_sha256_caff0cbca45c0dffb673367585824783371f2f4e31a0c9629afb7de708098892" score = 75 quality = 90 tags = "INFO, FILE" @@ -49458,7 +49458,7 @@ rule REVERSINGLABS_Cert_Blocklist_6E44Fcedd49F22F7A28Cecc99104F61A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "M-Trans Maciej Caban" and pe.signatures[i].serial=="6e:44:fc:ed:d4:9f:22:f7:a2:8c:ec:c9:91:04:f6:1a" and 1672923378<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "M-Trans Maciej Caban" and pe.signatures [ i ] . serial == "6e:44:fc:ed:d4:9f:22:f7:a2:8c:ec:c9:91:04:f6:1a" and 1672923378 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49467,13 +49467,13 @@ rule REVERSINGLABS_Cert_Blocklist_35B49Ee870Aea532E6Ef0A4987105C8F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "88dedb69-52f4-59d3-b397-6a091a866cc5" + id = "14dcc331-43e4-5ee7-ae1c-d62b802f8308" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12518-L12534" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a9d8e9db453f40e32a0cb6412db8885db54053fdf3d7908b884361a493f97b1f" + logic_hash = "v1_sha256_a9d8e9db453f40e32a0cb6412db8885db54053fdf3d7908b884361a493f97b1f" score = 75 quality = 90 tags = "INFO, FILE" @@ -49483,7 +49483,7 @@ rule REVERSINGLABS_Cert_Blocklist_35B49Ee870Aea532E6Ef0A4987105C8F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kancelaria Adwokacka Adwokat Aleksandra Krzemi\\xC5\\x84ska" and pe.signatures[i].serial=="35:b4:9e:e8:70:ae:a5:32:e6:ef:0a:49:87:10:5c:8f" and 1663151018<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kancelaria Adwokacka Adwokat Aleksandra Krzemi\\xC5\\x84ska" and pe.signatures [ i ] . serial == "35:b4:9e:e8:70:ae:a5:32:e6:ef:0a:49:87:10:5c:8f" and 1663151018 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49492,13 +49492,13 @@ rule REVERSINGLABS_Cert_Blocklist_063Dcd7D7B0Bc77Cac844C7213Be3989 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1bf4b84b-4a32-5908-8ccb-9fce2e5944e6" + id = "dd4dea05-3c12-5659-831f-90f5b4a80d39" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12536-L12552" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "091d00b0731f0a3d9917eee945249f001e4b5b1b603cad2fc21eed70ec86aa99" + logic_hash = "v1_sha256_091d00b0731f0a3d9917eee945249f001e4b5b1b603cad2fc21eed70ec86aa99" score = 75 quality = 90 tags = "INFO, FILE" @@ -49508,7 +49508,7 @@ rule REVERSINGLABS_Cert_Blocklist_063Dcd7D7B0Bc77Cac844C7213Be3989 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "HANNAH SISK LIMITED" and pe.signatures[i].serial=="06:3d:cd:7d:7b:0b:c7:7c:ac:84:4c:72:13:be:39:89" and 1656892801<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "HANNAH SISK LIMITED" and pe.signatures [ i ] . serial == "06:3d:cd:7d:7b:0b:c7:7c:ac:84:4c:72:13:be:39:89" and 1656892801 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49517,13 +49517,13 @@ rule REVERSINGLABS_Cert_Blocklist_6F8777Aa866142Ad7120E5E1C9321E37 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ace8a8b4-5288-56c4-bd47-9eb42ea41ecb" + id = "9a49260d-870d-5ae2-af26-ad38a93e5a05" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12554-L12570" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ca3ff0c7192ba90932d35d053712816555dea051ce15d29a7ccf4e37da989899" + logic_hash = "v1_sha256_ca3ff0c7192ba90932d35d053712816555dea051ce15d29a7ccf4e37da989899" score = 75 quality = 90 tags = "INFO, FILE" @@ -49533,7 +49533,7 @@ rule REVERSINGLABS_Cert_Blocklist_6F8777Aa866142Ad7120E5E1C9321E37 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CLOUD SOFTWARE LINE CO., LTD." and pe.signatures[i].serial=="6f:87:77:aa:86:61:42:ad:71:20:e5:e1:c9:32:1e:37" and 1629676800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CLOUD SOFTWARE LINE CO., LTD." and pe.signatures [ i ] . serial == "6f:87:77:aa:86:61:42:ad:71:20:e5:e1:c9:32:1e:37" and 1629676800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49542,13 +49542,13 @@ rule REVERSINGLABS_Cert_Blocklist_4A7F07C5D4Ad2E23F9E8E03F0E229Dd4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "76be58d9-d1a3-5dec-807e-941714be80f9" + id = "5b1caafb-229f-5223-b8a8-bfb713f4ab47" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12572-L12588" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6dc2bfac77117e294cacc772f7bfaea8b2e3caa26a0afd3729d517e91ca20ea5" + logic_hash = "v1_sha256_6dc2bfac77117e294cacc772f7bfaea8b2e3caa26a0afd3729d517e91ca20ea5" score = 75 quality = 90 tags = "INFO, FILE" @@ -49558,7 +49558,7 @@ rule REVERSINGLABS_Cert_Blocklist_4A7F07C5D4Ad2E23F9E8E03F0E229Dd4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Danalis LLC" and pe.signatures[i].serial=="4a:7f:07:c5:d4:ad:2e:23:f9:e8:e0:3f:0e:22:9d:d4" and 1608681600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Danalis LLC" and pe.signatures [ i ] . serial == "4a:7f:07:c5:d4:ad:2e:23:f9:e8:e0:3f:0e:22:9d:d4" and 1608681600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49567,13 +49567,13 @@ rule REVERSINGLABS_Cert_Blocklist_F5F9C8F8C33E4Ce84Dd48Fcb03Ccb075 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "74203aa1-e5d0-59d9-b9f8-b79f5fbe271e" + id = "4faae355-3ea8-55f2-a9f6-81c299cc5aa1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12590-L12608" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ac3bab3f5a93099f39b0862b419346d1eb3d0f75d86e121ba30626d496c46c57" + logic_hash = "v1_sha256_ac3bab3f5a93099f39b0862b419346d1eb3d0f75d86e121ba30626d496c46c57" score = 75 quality = 90 tags = "INFO, FILE" @@ -49583,7 +49583,7 @@ rule REVERSINGLABS_Cert_Blocklist_F5F9C8F8C33E4Ce84Dd48Fcb03Ccb075 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Abdulkadir \\xC5\\x9Eahin" and (pe.signatures[i].serial=="00:f5:f9:c8:f8:c3:3e:4c:e8:4d:d4:8f:cb:03:cc:b0:75" or pe.signatures[i].serial=="f5:f9:c8:f8:c3:3e:4c:e8:4d:d4:8f:cb:03:cc:b0:75") and 1545004800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Abdulkadir \\xC5\\x9Eahin" and ( pe.signatures [ i ] . serial == "00:f5:f9:c8:f8:c3:3e:4c:e8:4d:d4:8f:cb:03:cc:b0:75" or pe.signatures [ i ] . serial == "f5:f9:c8:f8:c3:3e:4c:e8:4d:d4:8f:cb:03:cc:b0:75" ) and 1545004800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49592,13 +49592,13 @@ rule REVERSINGLABS_Cert_Blocklist_57Fc55239F21F139978609E323097132 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e71d575c-5a30-5158-80ee-3508cdaf5636" + id = "eb9c8793-ec97-5560-ae2c-effbe1ed269d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12610-L12626" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "030bb847e524e672ee382e0284ba3f027920f60c70bbd153d4b9cdd2669e6a99" + logic_hash = "v1_sha256_030bb847e524e672ee382e0284ba3f027920f60c70bbd153d4b9cdd2669e6a99" score = 75 quality = 90 tags = "INFO, FILE" @@ -49608,7 +49608,7 @@ rule REVERSINGLABS_Cert_Blocklist_57Fc55239F21F139978609E323097132 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Aidem Media Limited" and pe.signatures[i].serial=="57:fc:55:23:9f:21:f1:39:97:86:09:e3:23:09:71:32" and 1501632000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Aidem Media Limited" and pe.signatures [ i ] . serial == "57:fc:55:23:9f:21:f1:39:97:86:09:e3:23:09:71:32" and 1501632000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49617,13 +49617,13 @@ rule REVERSINGLABS_Cert_Blocklist_Eeefec4308Abe63323600E1608F5E6F2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "265f70f4-f8cf-52cf-8d9b-ddfefb8a1b79" + id = "32582f0b-e953-58a0-962e-2bab71fdf07b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12628-L12646" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "71ab4bd7e85155bfbc1612941c5f15c409629b116258c38b79bd808512df006a" + logic_hash = "v1_sha256_71ab4bd7e85155bfbc1612941c5f15c409629b116258c38b79bd808512df006a" score = 75 quality = 90 tags = "INFO, FILE" @@ -49633,7 +49633,7 @@ rule REVERSINGLABS_Cert_Blocklist_Eeefec4308Abe63323600E1608F5E6F2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "YUPITER-STROI, OOO" and (pe.signatures[i].serial=="00:ee:ef:ec:43:08:ab:e6:33:23:60:0e:16:08:f5:e6:f2" or pe.signatures[i].serial=="ee:ef:ec:43:08:ab:e6:33:23:60:0e:16:08:f5:e6:f2") and 1491177600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "YUPITER-STROI, OOO" and ( pe.signatures [ i ] . serial == "00:ee:ef:ec:43:08:ab:e6:33:23:60:0e:16:08:f5:e6:f2" or pe.signatures [ i ] . serial == "ee:ef:ec:43:08:ab:e6:33:23:60:0e:16:08:f5:e6:f2" ) and 1491177600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49642,13 +49642,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ecd460Ce14Bd8Ef2926Da2Cd9A44176 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "94128695-0206-5c04-b792-34400f8ce890" + id = "d93de023-ffcf-5fb5-8e38-59795b7bcad8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12648-L12664" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "58fa244c125415ef7a3cf0feb79add4db7c84f94c23e5d27e840fb17c18d67ef" + logic_hash = "v1_sha256_58fa244c125415ef7a3cf0feb79add4db7c84f94c23e5d27e840fb17c18d67ef" score = 75 quality = 90 tags = "INFO, FILE" @@ -49658,7 +49658,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Ecd460Ce14Bd8Ef2926Da2Cd9A44176 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Rabah Azrarak" and pe.signatures[i].serial=="0e:cd:46:0c:e1:4b:d8:ef:29:26:da:2c:d9:a4:41:76" and 1463035153<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Rabah Azrarak" and pe.signatures [ i ] . serial == "0e:cd:46:0c:e1:4b:d8:ef:29:26:da:2c:d9:a4:41:76" and 1463035153 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49667,13 +49667,13 @@ rule REVERSINGLABS_Cert_Blocklist_5E75E997F3D70Bb8C182D56B25B7D836 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3578b97f-1d87-517a-8ea9-17606017e46a" + id = "3a2f659c-2f27-5684-b524-9a26dcd5925f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12666-L12682" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a2c6a57759fb0717951f83a32c00deeae82cad772b6cb7f60fa96232b6b82560" + logic_hash = "v1_sha256_a2c6a57759fb0717951f83a32c00deeae82cad772b6cb7f60fa96232b6b82560" score = 75 quality = 90 tags = "INFO, FILE" @@ -49683,7 +49683,7 @@ rule REVERSINGLABS_Cert_Blocklist_5E75E997F3D70Bb8C182D56B25B7D836 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Primetech Ltd." and pe.signatures[i].serial=="5e:75:e9:97:f3:d7:0b:b8:c1:82:d5:6b:25:b7:d8:36" and 1324252800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Primetech Ltd." and pe.signatures [ i ] . serial == "5e:75:e9:97:f3:d7:0b:b8:c1:82:d5:6b:25:b7:d8:36" and 1324252800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49692,13 +49692,13 @@ rule REVERSINGLABS_Cert_Blocklist_D5690D94F15315E143Db10Af35497Dc5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "324b2e2f-bad7-5ac4-864c-044d99fa01dc" + id = "fb55bfd6-6379-598a-aea9-d2a0d46c9b7d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12684-L12702" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4ac17d0f0e4ef2bb5f6cda8e7cb07a641d49c83465a0a80c46ff6e0e752d1847" + logic_hash = "v1_sha256_4ac17d0f0e4ef2bb5f6cda8e7cb07a641d49c83465a0a80c46ff6e0e752d1847" score = 75 quality = 90 tags = "INFO, FILE" @@ -49708,7 +49708,7 @@ rule REVERSINGLABS_Cert_Blocklist_D5690D94F15315E143Db10Af35497Dc5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PET SERVICES d.o.o." and (pe.signatures[i].serial=="00:d5:69:0d:94:f1:53:15:e1:43:db:10:af:35:49:7d:c5" or pe.signatures[i].serial=="d5:69:0d:94:f1:53:15:e1:43:db:10:af:35:49:7d:c5") and 1576195200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PET SERVICES d.o.o." and ( pe.signatures [ i ] . serial == "00:d5:69:0d:94:f1:53:15:e1:43:db:10:af:35:49:7d:c5" or pe.signatures [ i ] . serial == "d5:69:0d:94:f1:53:15:e1:43:db:10:af:35:49:7d:c5" ) and 1576195200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49717,13 +49717,13 @@ rule REVERSINGLABS_Cert_Blocklist_8223C74185Add0927246F5E33Ebac467 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dfe87130-7b2f-5f8a-8c2d-8653c2bd0cd3" + id = "55f82f94-9dc5-5797-b5b8-aa3ef760dc79" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12704-L12722" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f700b4f7cdfda9f678c3a5259d4293640c50567ec277c5b3db69756534e2007f" + logic_hash = "v1_sha256_f700b4f7cdfda9f678c3a5259d4293640c50567ec277c5b3db69756534e2007f" score = 75 quality = 90 tags = "INFO, FILE" @@ -49733,7 +49733,7 @@ rule REVERSINGLABS_Cert_Blocklist_8223C74185Add0927246F5E33Ebac467 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TOV Virikton" and (pe.signatures[i].serial=="00:82:23:c7:41:85:ad:d0:92:72:46:f5:e3:3e:ba:c4:67" or pe.signatures[i].serial=="82:23:c7:41:85:ad:d0:92:72:46:f5:e3:3e:ba:c4:67") and 1463616000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TOV Virikton" and ( pe.signatures [ i ] . serial == "00:82:23:c7:41:85:ad:d0:92:72:46:f5:e3:3e:ba:c4:67" or pe.signatures [ i ] . serial == "82:23:c7:41:85:ad:d0:92:72:46:f5:e3:3e:ba:c4:67" ) and 1463616000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49742,13 +49742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dd9E9E1D7C573714E3F567C5380Ae6D0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "72745795-0261-5b7b-b25e-8220bced90ec" + id = "84370a16-5c72-5abd-9566-f477145ec696" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12724-L12742" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7bbcdb989d53bafbb2bdb694be72d4f7305323c01e8f1eafcb7cd889df165ff6" + logic_hash = "v1_sha256_7bbcdb989d53bafbb2bdb694be72d4f7305323c01e8f1eafcb7cd889df165ff6" score = 75 quality = 90 tags = "INFO, FILE" @@ -49758,7 +49758,7 @@ rule REVERSINGLABS_Cert_Blocklist_Dd9E9E1D7C573714E3F567C5380Ae6D0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CREA&COM d.o.o." and (pe.signatures[i].serial=="00:dd:9e:9e:1d:7c:57:37:14:e3:f5:67:c5:38:0a:e6:d0" or pe.signatures[i].serial=="dd:9e:9e:1d:7c:57:37:14:e3:f5:67:c5:38:0a:e6:d0") and 1575849600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CREA&COM d.o.o." and ( pe.signatures [ i ] . serial == "00:dd:9e:9e:1d:7c:57:37:14:e3:f5:67:c5:38:0a:e6:d0" or pe.signatures [ i ] . serial == "dd:9e:9e:1d:7c:57:37:14:e3:f5:67:c5:38:0a:e6:d0" ) and 1575849600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49767,13 +49767,13 @@ rule REVERSINGLABS_Cert_Blocklist_3D5E71 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7180b20d-f367-5260-88cd-dd2a1269f89b" + id = "56e36b31-804c-5b6a-acc2-8ed9dc7fad76" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12744-L12760" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "aa73ac6569e4bb0084d7b148b2186ec2737a691a133319b21b666aa16bca9f2d" + logic_hash = "v1_sha256_aa73ac6569e4bb0084d7b148b2186ec2737a691a133319b21b666aa16bca9f2d" score = 75 quality = 90 tags = "INFO, FILE" @@ -49783,7 +49783,7 @@ rule REVERSINGLABS_Cert_Blocklist_3D5E71 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "OF.PL sp. z o.o." and pe.signatures[i].serial=="3d:5e:71" and 1066997730<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "OF.PL sp. z o.o." and pe.signatures [ i ] . serial == "3d:5e:71" and 1066997730 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49792,13 +49792,13 @@ rule REVERSINGLABS_Cert_Blocklist_C33187Fe848A65E8484Ea492Cb2Cbb18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fa05113a-a21e-5f21-aae3-b646e5b42dfb" + id = "a38f32ef-cde0-5b5f-814e-3d218f16ea4f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12762-L12780" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b66d67b74d73a143cb5301b232abd5f0f84f058223d4494b924a25dffb49037a" + logic_hash = "v1_sha256_b66d67b74d73a143cb5301b232abd5f0f84f058223d4494b924a25dffb49037a" score = 75 quality = 90 tags = "INFO, FILE" @@ -49808,7 +49808,7 @@ rule REVERSINGLABS_Cert_Blocklist_C33187Fe848A65E8484Ea492Cb2Cbb18 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SELCUK GUNDOGDU" and (pe.signatures[i].serial=="00:c3:31:87:fe:84:8a:65:e8:48:4e:a4:92:cb:2c:bb:18" or pe.signatures[i].serial=="c3:31:87:fe:84:8a:65:e8:48:4e:a4:92:cb:2c:bb:18") and 1426204800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SELCUK GUNDOGDU" and ( pe.signatures [ i ] . serial == "00:c3:31:87:fe:84:8a:65:e8:48:4e:a4:92:cb:2c:bb:18" or pe.signatures [ i ] . serial == "c3:31:87:fe:84:8a:65:e8:48:4e:a4:92:cb:2c:bb:18" ) and 1426204800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49817,13 +49817,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Fc143Ba34Cabf1De7A4C7F8F4Cdad6D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "546692ed-2506-56ad-b678-e74b857380a3" + id = "5aeb7001-676d-5fac-92bf-9f7d9434e9c5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12782-L12798" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ffe25e4478a2245d4e5b330bb9300fb6cb48afb0fe3bd72bd62a589eeee3fe89" + logic_hash = "v1_sha256_ffe25e4478a2245d4e5b330bb9300fb6cb48afb0fe3bd72bd62a589eeee3fe89" score = 75 quality = 90 tags = "INFO, FILE" @@ -49833,7 +49833,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Fc143Ba34Cabf1De7A4C7F8F4Cdad6D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "World Telecom International Inc." and pe.signatures[i].serial=="6f:c1:43:ba:34:ca:bf:1d:e7:a4:c7:f8:f4:cd:ad:6d" and 1147046400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "World Telecom International Inc." and pe.signatures [ i ] . serial == "6f:c1:43:ba:34:ca:bf:1d:e7:a4:c7:f8:f4:cd:ad:6d" and 1147046400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49842,13 +49842,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Ac6268B2E431A2C1369346D175D0E30 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "12664460-19e1-5b73-8299-cfe19dffc0b4" + id = "5d8df872-076c-5ef0-b6da-cb22dcc29e6c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12800-L12816" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "27efaba9bd9cd116f640007c1e951bb77757efbe148b5f953e71d6621d7f16b2" + logic_hash = "v1_sha256_27efaba9bd9cd116f640007c1e951bb77757efbe148b5f953e71d6621d7f16b2" score = 75 quality = 90 tags = "INFO, FILE" @@ -49858,7 +49858,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Ac6268B2E431A2C1369346D175D0E30 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Install Sync" and pe.signatures[i].serial=="6a:c6:26:8b:2e:43:1a:2c:13:69:34:6d:17:5d:0e:30" and 1436140800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Install Sync" and pe.signatures [ i ] . serial == "6a:c6:26:8b:2e:43:1a:2c:13:69:34:6d:17:5d:0e:30" and 1436140800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49867,13 +49867,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fc4D9178B8Df2C19E269Ac6F43Dd708 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b336ff6c-d94e-5715-bb97-6b60cda90911" + id = "2d88ffcd-a1d0-5c73-a1e9-1321972e771f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12818-L12834" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "41dfe37b464d337268a8bb0e23124df7b50ab966038e8ad33bda81a4d86040ca" + logic_hash = "v1_sha256_41dfe37b464d337268a8bb0e23124df7b50ab966038e8ad33bda81a4d86040ca" score = 75 quality = 90 tags = "INFO, FILE" @@ -49883,7 +49883,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Fc4D9178B8Df2C19E269Ac6F43Dd708 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PK Partnership, OOO" and pe.signatures[i].serial=="0f:c4:d9:17:8b:8d:f2:c1:9e:26:9a:c6:f4:3d:d7:08" and 1466553600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PK Partnership, OOO" and pe.signatures [ i ] . serial == "0f:c4:d9:17:8b:8d:f2:c1:9e:26:9a:c6:f4:3d:d7:08" and 1466553600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49892,13 +49892,13 @@ rule REVERSINGLABS_Cert_Blocklist_E01407871E2146C9Baab1Ae7Ab8Ab172 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "229772ae-68a2-566b-bf61-988cb41d7d8f" + id = "25ed88d0-d7be-5968-bb84-dc02d917940d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12836-L12854" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1801e7f15bd5f916fc08d263a845d296d334ca9de1040008f619719c1b5c0a3b" + logic_hash = "v1_sha256_1801e7f15bd5f916fc08d263a845d296d334ca9de1040008f619719c1b5c0a3b" score = 75 quality = 90 tags = "INFO, FILE" @@ -49908,7 +49908,7 @@ rule REVERSINGLABS_Cert_Blocklist_E01407871E2146C9Baab1Ae7Ab8Ab172 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TOV Intalev Ukraina" and (pe.signatures[i].serial=="00:e0:14:07:87:1e:21:46:c9:ba:ab:1a:e7:ab:8a:b1:72" or pe.signatures[i].serial=="e0:14:07:87:1e:21:46:c9:ba:ab:1a:e7:ab:8a:b1:72") and 1464220800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TOV Intalev Ukraina" and ( pe.signatures [ i ] . serial == "00:e0:14:07:87:1e:21:46:c9:ba:ab:1a:e7:ab:8a:b1:72" or pe.signatures [ i ] . serial == "e0:14:07:87:1e:21:46:c9:ba:ab:1a:e7:ab:8a:b1:72" ) and 1464220800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49917,13 +49917,13 @@ rule REVERSINGLABS_Cert_Blocklist_Effc6D19D6Fc85872E4E5B3Ccee6D301 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "56114e31-2e9b-5d16-8435-708bbb2687cc" + id = "d3dd893b-56cd-55c8-93d9-def495cabf5b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12856-L12874" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a746c4193f1264cb96eae0ea85c2c76b5caf3b72ca950f76af426b4d68d210b3" + logic_hash = "v1_sha256_a746c4193f1264cb96eae0ea85c2c76b5caf3b72ca950f76af426b4d68d210b3" score = 75 quality = 90 tags = "INFO, FILE" @@ -49933,7 +49933,7 @@ rule REVERSINGLABS_Cert_Blocklist_Effc6D19D6Fc85872E4E5B3Ccee6D301 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "C\\xC3\\x93IR IP LIMITED" and (pe.signatures[i].serial=="00:ef:fc:6d:19:d6:fc:85:87:2e:4e:5b:3c:ce:e6:d3:01" or pe.signatures[i].serial=="ef:fc:6d:19:d6:fc:85:87:2e:4e:5b:3c:ce:e6:d3:01") and 1572307200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "C\\xC3\\x93IR IP LIMITED" and ( pe.signatures [ i ] . serial == "00:ef:fc:6d:19:d6:fc:85:87:2e:4e:5b:3c:ce:e6:d3:01" or pe.signatures [ i ] . serial == "ef:fc:6d:19:d6:fc:85:87:2e:4e:5b:3c:ce:e6:d3:01" ) and 1572307200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49942,13 +49942,13 @@ rule REVERSINGLABS_Cert_Blocklist_2F4A25D52B16Eb4C9Dfe71Ebbd8121Bb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1afd5d2b-fd6d-58ca-b966-788d465cd0ed" + id = "3b1c49b3-6dc3-5dc2-9c3c-8c36a9c9279e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12876-L12892" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7b237ae0574afeafcc05f71512c09d3170edbee20e512a1b0af5b431923dc25c" + logic_hash = "v1_sha256_7b237ae0574afeafcc05f71512c09d3170edbee20e512a1b0af5b431923dc25c" score = 75 quality = 90 tags = "INFO, FILE" @@ -49958,7 +49958,7 @@ rule REVERSINGLABS_Cert_Blocklist_2F4A25D52B16Eb4C9Dfe71Ebbd8121Bb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Blist LLC" and pe.signatures[i].serial=="2f:4a:25:d5:2b:16:eb:4c:9d:fe:71:eb:bd:81:21:bb" and 1629763200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Blist LLC" and pe.signatures [ i ] . serial == "2f:4a:25:d5:2b:16:eb:4c:9d:fe:71:eb:bd:81:21:bb" and 1629763200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49967,13 +49967,13 @@ rule REVERSINGLABS_Cert_Blocklist_6889Aab6202Bcc5F11Caedf4D04F435B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d4499a1d-aa8d-5056-ad91-439f27f00c33" + id = "d448e02e-84e7-5894-a5f8-2df9068a8595" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12894-L12910" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b2261ed8001929be8f80f73cc0c5076138f4794c73cbffd63773da5fc44639a8" + logic_hash = "v1_sha256_b2261ed8001929be8f80f73cc0c5076138f4794c73cbffd63773da5fc44639a8" score = 75 quality = 90 tags = "INFO, FILE" @@ -49983,7 +49983,7 @@ rule REVERSINGLABS_Cert_Blocklist_6889Aab6202Bcc5F11Caedf4D04F435B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "C4DL Media" and pe.signatures[i].serial=="68:89:aa:b6:20:2b:cc:5f:11:ca:ed:f4:d0:4f:43:5b" and 1231891200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "C4DL Media" and pe.signatures [ i ] . serial == "68:89:aa:b6:20:2b:cc:5f:11:ca:ed:f4:d0:4f:43:5b" and 1231891200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -49992,13 +49992,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Be63083Fbb1787B445Da97583721419 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6839595d-b645-5963-bd96-a668bfdd667f" + id = "98b2800f-0758-54ce-8fa7-03708d35d101" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12912-L12928" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f39f5a632544bc01c3b4c9e2f2dd33f7109c44375f54011a34181e10da79debc" + logic_hash = "v1_sha256_f39f5a632544bc01c3b4c9e2f2dd33f7109c44375f54011a34181e10da79debc" score = 75 quality = 90 tags = "INFO, FILE" @@ -50008,7 +50008,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Be63083Fbb1787B445Da97583721419 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\"SMART GREY\" LLC" and pe.signatures[i].serial=="3b:e6:30:83:fb:b1:78:7b:44:5d:a9:75:83:72:14:19" and 1493942400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\"SMART GREY\" LLC" and pe.signatures [ i ] . serial == "3b:e6:30:83:fb:b1:78:7b:44:5d:a9:75:83:72:14:19" and 1493942400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50017,13 +50017,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E2D3449272B6B96B8B9F728E87580D5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6975acb9-3b37-51f5-8b4d-0d1a090a18e2" + id = "85a0a9bd-9a1e-536a-8cc0-a78217eebbaa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12930-L12946" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0155a8c71bf8426bbb980798772b04c145df5b8c4b60ff1a610a1236a47547ef" + logic_hash = "v1_sha256_0155a8c71bf8426bbb980798772b04c145df5b8c4b60ff1a610a1236a47547ef" score = 75 quality = 90 tags = "INFO, FILE" @@ -50033,7 +50033,7 @@ rule REVERSINGLABS_Cert_Blocklist_6E2D3449272B6B96B8B9F728E87580D5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RADIANT, OOO" and pe.signatures[i].serial=="6e:2d:34:49:27:2b:6b:96:b8:b9:f7:28:e8:75:80:d5" and 1421107200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RADIANT, OOO" and pe.signatures [ i ] . serial == "6e:2d:34:49:27:2b:6b:96:b8:b9:f7:28:e8:75:80:d5" and 1421107200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50042,13 +50042,13 @@ rule REVERSINGLABS_Cert_Blocklist_268C0D7028A154Ac3B6349C5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0e18d9ef-e861-5583-a2a3-5f54fae8d813" + id = "371c49b7-20f0-5478-9432-1bf04d26abb3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12948-L12964" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8311b36f008e31b7ac27b439fa46da4c90ab4be6c7c89426f8e1939963bc3d7d" + logic_hash = "v1_sha256_8311b36f008e31b7ac27b439fa46da4c90ab4be6c7c89426f8e1939963bc3d7d" score = 75 quality = 90 tags = "INFO, FILE" @@ -50058,7 +50058,7 @@ rule REVERSINGLABS_Cert_Blocklist_268C0D7028A154Ac3B6349C5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="26:8c:0d:70:28:a1:54:ac:3b:63:49:c5" and 1474266712<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "26:8c:0d:70:28:a1:54:ac:3b:63:49:c5" and 1474266712 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50067,13 +50067,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Daa8D629Cc0410A9482E62A0F8Bf8Fc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "71e627d9-0892-5501-8189-26eae36b7965" + id = "1de1aaa0-4f9f-5050-abb6-c99bd691b37e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12966-L12982" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cfb2631bc1832f65fb9d77c812bf2a1e05121e825254bd57ae8b21e7b10b2344" + logic_hash = "v1_sha256_cfb2631bc1832f65fb9d77c812bf2a1e05121e825254bd57ae8b21e7b10b2344" score = 75 quality = 90 tags = "INFO, FILE" @@ -50083,7 +50083,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Daa8D629Cc0410A9482E62A0F8Bf8Fc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DON'T MISS A WORD LIMITED" and pe.signatures[i].serial=="2d:aa:8d:62:9c:c0:41:0a:94:82:e6:2a:0f:8b:f8:fc" and 1543449600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DON'T MISS A WORD LIMITED" and pe.signatures [ i ] . serial == "2d:aa:8d:62:9c:c0:41:0a:94:82:e6:2a:0f:8b:f8:fc" and 1543449600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50092,13 +50092,13 @@ rule REVERSINGLABS_Cert_Blocklist_9A727E200Ea76570 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d133dac3-3959-50f0-913e-b279ca6a1c2c" + id = "949fdd92-afea-592a-95b1-84e10098d532" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12984-L13002" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "337dc486f2bdca1f7682887d5e5c0f82961850a8fd9c9a20b9a43a75334070d8" + logic_hash = "v1_sha256_337dc486f2bdca1f7682887d5e5c0f82961850a8fd9c9a20b9a43a75334070d8" score = 75 quality = 90 tags = "INFO, FILE" @@ -50108,7 +50108,7 @@ rule REVERSINGLABS_Cert_Blocklist_9A727E200Ea76570 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Alexsandro Da Rosa - ME" and (pe.signatures[i].serial=="00:9a:72:7e:20:0e:a7:65:70" or pe.signatures[i].serial=="9a:72:7e:20:0e:a7:65:70") and 1539056530<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Alexsandro Da Rosa - ME" and ( pe.signatures [ i ] . serial == "00:9a:72:7e:20:0e:a7:65:70" or pe.signatures [ i ] . serial == "9a:72:7e:20:0e:a7:65:70" ) and 1539056530 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50117,13 +50117,13 @@ rule REVERSINGLABS_Cert_Blocklist_0954A3C876Df9262Cde5817F9870F0C6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "89f3a334-cd2f-51b9-83b2-2baca3c59ba5" + id = "519b26fa-8b21-542d-b0c0-d3664cebf0ac" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13004-L13020" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "164b064a9df31d4a122236dfee7b713417a44d47a7f304b2bf55686a7f038feb" + logic_hash = "v1_sha256_164b064a9df31d4a122236dfee7b713417a44d47a7f304b2bf55686a7f038feb" score = 75 quality = 90 tags = "INFO, FILE" @@ -50133,7 +50133,7 @@ rule REVERSINGLABS_Cert_Blocklist_0954A3C876Df9262Cde5817F9870F0C6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Dialer Access" and pe.signatures[i].serial=="09:54:a3:c8:76:df:92:62:cd:e5:81:7f:98:70:f0:c6" and 1160438400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Dialer Access" and pe.signatures [ i ] . serial == "09:54:a3:c8:76:df:92:62:cd:e5:81:7f:98:70:f0:c6" and 1160438400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50142,13 +50142,13 @@ rule REVERSINGLABS_Cert_Blocklist_3C30930E53Bb026F9A5D7440155F7118 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ad7d8be0-ecb1-508f-bfce-7a5cecfd4e2f" + id = "26789d7f-a24f-58be-878c-d6befe4cc8f2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13022-L13038" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "260a58669043d21ee0ffccbdee95c9d04ef338497685d42f1951660f658a164d" + logic_hash = "v1_sha256_260a58669043d21ee0ffccbdee95c9d04ef338497685d42f1951660f658a164d" score = 75 quality = 90 tags = "INFO, FILE" @@ -50158,7 +50158,7 @@ rule REVERSINGLABS_Cert_Blocklist_3C30930E53Bb026F9A5D7440155F7118 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CPM Media, Ltd." and pe.signatures[i].serial=="3c:30:93:0e:53:bb:02:6f:9a:5d:74:40:15:5f:71:18" and 1064534400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CPM Media, Ltd." and pe.signatures [ i ] . serial == "3c:30:93:0e:53:bb:02:6f:9a:5d:74:40:15:5f:71:18" and 1064534400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50167,13 +50167,13 @@ rule REVERSINGLABS_Cert_Blocklist_432Eefc0D4Dc0326Eb277A518Cc4310A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eeccb477-0bf7-5b79-94df-710e6e0db78f" + id = "86b9ef28-588c-5926-9c00-3402963499e9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13040-L13056" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d5a0b7f19f66f18b5ef1c548276b675ead74fed6be94310c303bfad6c85f18be" + logic_hash = "v1_sha256_d5a0b7f19f66f18b5ef1c548276b675ead74fed6be94310c303bfad6c85f18be" score = 75 quality = 90 tags = "INFO, FILE" @@ -50183,7 +50183,7 @@ rule REVERSINGLABS_Cert_Blocklist_432Eefc0D4Dc0326Eb277A518Cc4310A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures[i].serial=="43:2e:ef:c0:d4:dc:03:26:eb:27:7a:51:8c:c4:31:0a" and 1466121600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures [ i ] . serial == "43:2e:ef:c0:d4:dc:03:26:eb:27:7a:51:8c:c4:31:0a" and 1466121600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50192,13 +50192,13 @@ rule REVERSINGLABS_Cert_Blocklist_470D6Ce21A6940320261F09E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "00b92b5d-59e3-5aae-954d-a90bd8cc1370" + id = "974e28a6-7910-5900-a626-58356be15626" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13058-L13074" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cae1d381bf2018a0ce56feb245d01f2bfea55b67894264d32d78dbb41873c792" + logic_hash = "v1_sha256_cae1d381bf2018a0ce56feb245d01f2bfea55b67894264d32d78dbb41873c792" score = 75 quality = 90 tags = "INFO, FILE" @@ -50208,7 +50208,7 @@ rule REVERSINGLABS_Cert_Blocklist_470D6Ce21A6940320261F09E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="47:0d:6c:e2:1a:69:40:32:02:61:f0:9e" and 1474523038<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "47:0d:6c:e2:1a:69:40:32:02:61:f0:9e" and 1474523038 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50217,13 +50217,13 @@ rule REVERSINGLABS_Cert_Blocklist_7E6Bc7E5A49E2C28E6F5D042 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a7b815d9-e247-5de1-9bcb-96294b3b91c0" + id = "07183e92-ea19-579e-839f-b042c76c625c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13076-L13092" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f378c490ff4f32fc095c822f75abac44a8d94327404cd97546c63e7441e07632" + logic_hash = "v1_sha256_f378c490ff4f32fc095c822f75abac44a8d94327404cd97546c63e7441e07632" score = 75 quality = 90 tags = "INFO, FILE" @@ -50233,7 +50233,7 @@ rule REVERSINGLABS_Cert_Blocklist_7E6Bc7E5A49E2C28E6F5D042 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Shang Hai Jian Ji Wang Luo Ke Ji You Xian Gong Si" and pe.signatures[i].serial=="7e:6b:c7:e5:a4:9e:2c:28:e6:f5:d0:42" and 1560995284<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Shang Hai Jian Ji Wang Luo Ke Ji You Xian Gong Si" and pe.signatures [ i ] . serial == "7e:6b:c7:e5:a4:9e:2c:28:e6:f5:d0:42" and 1560995284 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50242,13 +50242,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C5020899147C850196C4Ebf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8ac60604-6548-5f11-bf89-ec7e927b20f7" + id = "0880fe8f-5e2f-5404-b9b6-78207e3bdc05" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13094-L13110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "112e834a24c50d639f8607740faa609f1a36539058357544e5dbcddf841f3116" + logic_hash = "v1_sha256_112e834a24c50d639f8607740faa609f1a36539058357544e5dbcddf841f3116" score = 75 quality = 90 tags = "INFO, FILE" @@ -50258,7 +50258,7 @@ rule REVERSINGLABS_Cert_Blocklist_4C5020899147C850196C4Ebf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="4c:50:20:89:91:47:c8:50:19:6c:4e:bf" and 1476693792<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "4c:50:20:89:91:47:c8:50:19:6c:4e:bf" and 1476693792 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50267,13 +50267,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Efcf7Adc21F070E590D49Ddb8081397 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "df467418-9d57-5ad0-b396-2ef519a22989" + id = "096ea645-4c04-585d-983f-b42884846604" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13112-L13128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d60a5bbd50484d620ab60cfd40840abc541c2b7bc1005a9076b69ddd1b938652" + logic_hash = "v1_sha256_d60a5bbd50484d620ab60cfd40840abc541c2b7bc1005a9076b69ddd1b938652" score = 75 quality = 90 tags = "INFO, FILE" @@ -50283,7 +50283,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Efcf7Adc21F070E590D49Ddb8081397 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ding Ruan" and pe.signatures[i].serial=="4e:fc:f7:ad:c2:1f:07:0e:59:0d:49:dd:b8:08:13:97" and 1476921600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ding Ruan" and pe.signatures [ i ] . serial == "4e:fc:f7:ad:c2:1f:07:0e:59:0d:49:dd:b8:08:13:97" and 1476921600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50292,13 +50292,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cbd37C0A651913Ee25A6860D7D5Ccdf2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e56205d6-9f02-5a8a-8dd3-b8c323fba4bf" + id = "0ec676fc-c6e2-5f8d-9ad0-347159dc01ed" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13130-L13148" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "77cc439aea6eaa5a835b6b1aa50904c1df0d5379228e424ab2d68a3cb654834c" + logic_hash = "v1_sha256_77cc439aea6eaa5a835b6b1aa50904c1df0d5379228e424ab2d68a3cb654834c" score = 75 quality = 90 tags = "INFO, FILE" @@ -50308,7 +50308,7 @@ rule REVERSINGLABS_Cert_Blocklist_Cbd37C0A651913Ee25A6860D7D5Ccdf2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Amma" and (pe.signatures[i].serial=="00:cb:d3:7c:0a:65:19:13:ee:25:a6:86:0d:7d:5c:cd:f2" or pe.signatures[i].serial=="cb:d3:7c:0a:65:19:13:ee:25:a6:86:0d:7d:5c:cd:f2") and 1431734400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Amma" and ( pe.signatures [ i ] . serial == "00:cb:d3:7c:0a:65:19:13:ee:25:a6:86:0d:7d:5c:cd:f2" or pe.signatures [ i ] . serial == "cb:d3:7c:0a:65:19:13:ee:25:a6:86:0d:7d:5c:cd:f2" ) and 1431734400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50317,13 +50317,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Fe0Ad6B03C57Ab67A352159004Ca3Db : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d1cf11fc-eb30-54fc-9e34-91ad0c67e694" + id = "5d5430c2-503f-5e6f-9259-e55d36a7a4fe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13150-L13166" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6f2489421f2effa2089b744f7e137818935fe2339d9216a42686012c51da677b" + logic_hash = "v1_sha256_6f2489421f2effa2089b744f7e137818935fe2339d9216a42686012c51da677b" score = 75 quality = 90 tags = "INFO, FILE" @@ -50333,7 +50333,7 @@ rule REVERSINGLABS_Cert_Blocklist_5Fe0Ad6B03C57Ab67A352159004Ca3Db : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SpectorSoft Corp." and pe.signatures[i].serial=="5f:e0:ad:6b:03:c5:7a:b6:7a:35:21:59:00:4c:a3:db" and 1402272000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SpectorSoft Corp." and pe.signatures [ i ] . serial == "5f:e0:ad:6b:03:c5:7a:b6:7a:35:21:59:00:4c:a3:db" and 1402272000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50342,13 +50342,13 @@ rule REVERSINGLABS_Cert_Blocklist_642Ad8E5Ef8B3Ac767F0D5C1A999Bdaa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d29e2342-2d38-5939-aa3f-4506fb36c74a" + id = "7fb35d65-d182-5f7c-b341-3d6639cf7821" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13168-L13184" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d42d40ca381b99b68a3384cecf585aab2acca66d4e13503d337b1605d587d0b5" + logic_hash = "v1_sha256_d42d40ca381b99b68a3384cecf585aab2acca66d4e13503d337b1605d587d0b5" score = 75 quality = 90 tags = "INFO, FILE" @@ -50358,7 +50358,7 @@ rule REVERSINGLABS_Cert_Blocklist_642Ad8E5Ef8B3Ac767F0D5C1A999Bdaa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Itgms Ltd" and pe.signatures[i].serial=="64:2a:d8:e5:ef:8b:3a:c7:67:f0:d5:c1:a9:99:bd:aa" and 1447804800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Itgms Ltd" and pe.signatures [ i ] . serial == "64:2a:d8:e5:ef:8b:3a:c7:67:f0:d5:c1:a9:99:bd:aa" and 1447804800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50367,13 +50367,13 @@ rule REVERSINGLABS_Cert_Blocklist_5333D3079D8Afda715703775E1389991 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4db299c6-5be9-5900-a944-07a0a41920a4" + id = "39d90d8b-4515-5c4e-89b0-38e58436eabe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13186-L13202" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "98bd9d35c4e196a11943826115ab495833f7ef1d95f9736cc24255d6dd4fd21c" + logic_hash = "v1_sha256_98bd9d35c4e196a11943826115ab495833f7ef1d95f9736cc24255d6dd4fd21c" score = 75 quality = 90 tags = "INFO, FILE" @@ -50383,7 +50383,7 @@ rule REVERSINGLABS_Cert_Blocklist_5333D3079D8Afda715703775E1389991 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Trambambon LLC" and pe.signatures[i].serial=="53:33:d3:07:9d:8a:fd:a7:15:70:37:75:e1:38:99:91" and 1239148800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Trambambon LLC" and pe.signatures [ i ] . serial == "53:33:d3:07:9d:8a:fd:a7:15:70:37:75:e1:38:99:91" and 1239148800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50392,13 +50392,13 @@ rule REVERSINGLABS_Cert_Blocklist_139A7Ee1F1A7735C151089755Df5D373 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eaab67a1-ed7a-58f3-afb3-3637c3b72020" + id = "dee53db5-9ea8-5b75-8fb7-f32e5c4710c4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13204-L13220" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "86072fef7d1488dc257c3ca8fbb99620ec06f8ecb671b4e20d09d0ce6cc8601d" + logic_hash = "v1_sha256_86072fef7d1488dc257c3ca8fbb99620ec06f8ecb671b4e20d09d0ce6cc8601d" score = 75 quality = 90 tags = "INFO, FILE" @@ -50408,7 +50408,7 @@ rule REVERSINGLABS_Cert_Blocklist_139A7Ee1F1A7735C151089755Df5D373 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yongli Li" and pe.signatures[i].serial=="13:9a:7e:e1:f1:a7:73:5c:15:10:89:75:5d:f5:d3:73" and 1476057600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yongli Li" and pe.signatures [ i ] . serial == "13:9a:7e:e1:f1:a7:73:5c:15:10:89:75:5d:f5:d3:73" and 1476057600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50417,13 +50417,13 @@ rule REVERSINGLABS_Cert_Blocklist_74Dbe83082E1B3Dfa29F9C24 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dbb75cf2-1b48-52f1-8d06-e35d48c4fea4" + id = "cac2c9d2-d68f-5ff6-865d-7461bbe537af" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13222-L13238" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1fdf6471d0b869df1a8630108cdaf1cc97d33e91d4726073913cdc54c7cf0042" + logic_hash = "v1_sha256_1fdf6471d0b869df1a8630108cdaf1cc97d33e91d4726073913cdc54c7cf0042" score = 75 quality = 90 tags = "INFO, FILE" @@ -50433,7 +50433,7 @@ rule REVERSINGLABS_Cert_Blocklist_74Dbe83082E1B3Dfa29F9C24 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "EVANGEL TECHNOLOGY(HK) LIMITED" and pe.signatures[i].serial=="74:db:e8:30:82:e1:b3:df:a2:9f:9c:24" and 1468817578<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "EVANGEL TECHNOLOGY(HK) LIMITED" and pe.signatures [ i ] . serial == "74:db:e8:30:82:e1:b3:df:a2:9f:9c:24" and 1468817578 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50442,13 +50442,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A466553A6391Aafd181B400266C7B18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ef8ff250-840f-5b55-b0c7-85ca54aadc59" + id = "6c0cb8c7-2a05-592d-8410-b7ae141640db" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13240-L13256" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cb21e5759887904d6a38cd1b363610ebc0bfd9a357050c602210468992815cbe" + logic_hash = "v1_sha256_cb21e5759887904d6a38cd1b363610ebc0bfd9a357050c602210468992815cbe" score = 75 quality = 90 tags = "INFO, FILE" @@ -50458,7 +50458,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A466553A6391Aafd181B400266C7B18 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PhaseQ Limited" and pe.signatures[i].serial=="0a:46:65:53:a6:39:1a:af:d1:81:b4:00:26:6c:7b:18" and 1555545600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PhaseQ Limited" and pe.signatures [ i ] . serial == "0a:46:65:53:a6:39:1a:af:d1:81:b4:00:26:6c:7b:18" and 1555545600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50467,13 +50467,13 @@ rule REVERSINGLABS_Cert_Blocklist_0D3Dec8794Fa7228D1Ee40Eeb8187149 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "54e9ec00-d054-521b-b60b-81efe3a8ce12" + id = "8f66a709-bc85-5f92-b4aa-44aaccc51eb6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13258-L13274" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "20084dc0b069d65755f859f5aef4be5599d1f066ba006199d3ce803b0d8f041e" + logic_hash = "v1_sha256_20084dc0b069d65755f859f5aef4be5599d1f066ba006199d3ce803b0d8f041e" score = 75 quality = 90 tags = "INFO, FILE" @@ -50483,7 +50483,7 @@ rule REVERSINGLABS_Cert_Blocklist_0D3Dec8794Fa7228D1Ee40Eeb8187149 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Financial Security Institute, Inc." and pe.signatures[i].serial=="0d:3d:ec:87:94:fa:72:28:d1:ee:40:ee:b8:18:71:49" and 1582675200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Financial Security Institute, Inc." and pe.signatures [ i ] . serial == "0d:3d:ec:87:94:fa:72:28:d1:ee:40:ee:b8:18:71:49" and 1582675200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50492,13 +50492,13 @@ rule REVERSINGLABS_Cert_Blocklist_24Af70B5D17A63Ad053E5821 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "034228b3-1864-5a76-ad9d-531778be10ec" + id = "f5c8a95e-e126-5a86-bf4f-b7b01c886d6a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13276-L13292" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d78f709067c83169484d9dd6e1dd8a88852362da028551d4e55e5703a22e04a7" + logic_hash = "v1_sha256_d78f709067c83169484d9dd6e1dd8a88852362da028551d4e55e5703a22e04a7" score = 75 quality = 90 tags = "INFO, FILE" @@ -50508,7 +50508,7 @@ rule REVERSINGLABS_Cert_Blocklist_24Af70B5D17A63Ad053E5821 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="24:af:70:b5:d1:7a:63:ad:05:3e:58:21" and 1474179615<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "24:af:70:b5:d1:7a:63:ad:05:3e:58:21" and 1474179615 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50517,13 +50517,13 @@ rule REVERSINGLABS_Cert_Blocklist_402E9Fcba61E5Eaf9C0C7B3Bfd6259D9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a24e1201-4a90-5d0f-ac19-4d88a4e4cfe5" + id = "21e71b9e-2db9-5c9d-8b41-a11ee9fb9c19" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13294-L13310" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1bfc2610745a98ebcf0f77504815d9d1c448697fbe407d6c2e075219b401de50" + logic_hash = "v1_sha256_1bfc2610745a98ebcf0f77504815d9d1c448697fbe407d6c2e075219b401de50" score = 75 quality = 90 tags = "INFO, FILE" @@ -50533,7 +50533,7 @@ rule REVERSINGLABS_Cert_Blocklist_402E9Fcba61E5Eaf9C0C7B3Bfd6259D9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yongli Li" and pe.signatures[i].serial=="40:2e:9f:cb:a6:1e:5e:af:9c:0c:7b:3b:fd:62:59:d9" and 1477440000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yongli Li" and pe.signatures [ i ] . serial == "40:2e:9f:cb:a6:1e:5e:af:9c:0c:7b:3b:fd:62:59:d9" and 1477440000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50542,13 +50542,13 @@ rule REVERSINGLABS_Cert_Blocklist_2C84F9136059E96134F8766670Eacd52 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "af7eb5ff-570f-5886-b550-3d327d05fabe" + id = "1a4ebffa-cfaf-525c-ae0e-e021901701d8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13312-L13328" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d6778630dcc3e4fe2816e6dee1b823e616f53de8a924057495c7c252948a71b4" + logic_hash = "v1_sha256_d6778630dcc3e4fe2816e6dee1b823e616f53de8a924057495c7c252948a71b4" score = 75 quality = 90 tags = "INFO, FILE" @@ -50558,7 +50558,7 @@ rule REVERSINGLABS_Cert_Blocklist_2C84F9136059E96134F8766670Eacd52 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, DIEGO MANUEL RODRIGUEZ" and pe.signatures[i].serial=="2c:84:f9:13:60:59:e9:61:34:f8:76:66:70:ea:cd:52" and 1442215311<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, DIEGO MANUEL RODRIGUEZ" and pe.signatures [ i ] . serial == "2c:84:f9:13:60:59:e9:61:34:f8:76:66:70:ea:cd:52" and 1442215311 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50567,13 +50567,13 @@ rule REVERSINGLABS_Cert_Blocklist_6716A9C195987D5Cfe53A094779461E7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fbd05f8b-3289-565c-a5f4-a1514d06ae37" + id = "1b545bd5-678a-505b-808e-ed5dd1b23940" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13330-L13346" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "648fd70432a791b3e589f5eda1b1510045b465623914a9762ff3dfb4a3e022f8" + logic_hash = "v1_sha256_648fd70432a791b3e589f5eda1b1510045b465623914a9762ff3dfb4a3e022f8" score = 75 quality = 90 tags = "INFO, FILE" @@ -50583,7 +50583,7 @@ rule REVERSINGLABS_Cert_Blocklist_6716A9C195987D5Cfe53A094779461E7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Inter Technologies Ltd." and pe.signatures[i].serial=="67:16:a9:c1:95:98:7d:5c:fe:53:a0:94:77:94:61:e7" and 1169424000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Inter Technologies Ltd." and pe.signatures [ i ] . serial == "67:16:a9:c1:95:98:7d:5c:fe:53:a0:94:77:94:61:e7" and 1169424000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50592,13 +50592,13 @@ rule REVERSINGLABS_Cert_Blocklist_876C00Bd665Df98B35554F67A5C1C32A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "830af0ac-fb01-5c6a-a7a3-2cf5c9d016fc" + id = "19d10d6d-7238-5064-a737-94be5f56433b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13348-L13366" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "90bde1313db78d4166e8c87e7e4111c576880922b1c983f3a842ea030d38a0da" + logic_hash = "v1_sha256_90bde1313db78d4166e8c87e7e4111c576880922b1c983f3a842ea030d38a0da" score = 75 quality = 90 tags = "INFO, FILE" @@ -50608,7 +50608,7 @@ rule REVERSINGLABS_Cert_Blocklist_876C00Bd665Df98B35554F67A5C1C32A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Lossera-M, OOO" and (pe.signatures[i].serial=="00:87:6c:00:bd:66:5d:f9:8b:35:55:4f:67:a5:c1:c3:2a" or pe.signatures[i].serial=="87:6c:00:bd:66:5d:f9:8b:35:55:4f:67:a5:c1:c3:2a") and 1493078400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Lossera-M, OOO" and ( pe.signatures [ i ] . serial == "00:87:6c:00:bd:66:5d:f9:8b:35:55:4f:67:a5:c1:c3:2a" or pe.signatures [ i ] . serial == "87:6c:00:bd:66:5d:f9:8b:35:55:4f:67:a5:c1:c3:2a" ) and 1493078400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50617,13 +50617,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B093Cb60D4B992266F550934A4Ac7D0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c459c3ac-205c-5c13-959d-c6b40f81222f" + id = "d4a959a9-7bc9-5125-898b-9678625b8fc0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13368-L13384" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4b634bc706638d72f2d036d41cf092cac538e930d7d407eebc225b482fd64f51" + logic_hash = "v1_sha256_4b634bc706638d72f2d036d41cf092cac538e930d7d407eebc225b482fd64f51" score = 75 quality = 90 tags = "INFO, FILE" @@ -50633,7 +50633,7 @@ rule REVERSINGLABS_Cert_Blocklist_4B093Cb60D4B992266F550934A4Ac7D0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LCB SISTEMAS LTDA ME" and pe.signatures[i].serial=="4b:09:3c:b6:0d:4b:99:22:66:f5:50:93:4a:4a:c7:d0" and 1478649600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LCB SISTEMAS LTDA ME" and pe.signatures [ i ] . serial == "4b:09:3c:b6:0d:4b:99:22:66:f5:50:93:4a:4a:c7:d0" and 1478649600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50642,13 +50642,13 @@ rule REVERSINGLABS_Cert_Blocklist_2050B54146B011Ed30F60F61 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0db2d42d-bdc3-50bc-b360-a39ccec4df41" + id = "3dddd025-25a8-546c-bd5d-aae9bc933664" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13386-L13402" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "74749317fcefcdb698046a6f42c6c6e05cc1eab1370b3b1fd7d025f49de4a032" + logic_hash = "v1_sha256_74749317fcefcdb698046a6f42c6c6e05cc1eab1370b3b1fd7d025f49de4a032" score = 75 quality = 90 tags = "INFO, FILE" @@ -50658,7 +50658,7 @@ rule REVERSINGLABS_Cert_Blocklist_2050B54146B011Ed30F60F61 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="20:50:b5:41:46:b0:11:ed:30:f6:0f:61" and 1476773926<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "20:50:b5:41:46:b0:11:ed:30:f6:0f:61" and 1476773926 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50667,13 +50667,13 @@ rule REVERSINGLABS_Cert_Blocklist_73E2F34C9C2435F29Bbe0A3C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "284c206f-8a0c-5bb6-8f28-d8e5e60efe3e" + id = "333783a1-74b4-560c-b8f0-05efbde714f8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13404-L13420" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "503429e737e8bdad735cf88e2bb2877d1f52b2c38be101a7a129c02db608a347" + logic_hash = "v1_sha256_503429e737e8bdad735cf88e2bb2877d1f52b2c38be101a7a129c02db608a347" score = 75 quality = 90 tags = "INFO, FILE" @@ -50683,7 +50683,7 @@ rule REVERSINGLABS_Cert_Blocklist_73E2F34C9C2435F29Bbe0A3C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="73:e2:f3:4c:9c:24:35:f2:9b:be:0a:3c" and 1480312984<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "73:e2:f3:4c:9c:24:35:f2:9b:be:0a:3c" and 1480312984 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50692,13 +50692,13 @@ rule REVERSINGLABS_Cert_Blocklist_68C457D7495D2A8D0D7B9042836135C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a8ed2e72-d94e-5141-8ceb-181459a729ad" + id = "308e9d36-ccf1-5af2-9c24-664172583daa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13422-L13438" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3eb63f75f258eec611fa4288302f0ce5e47149ca876265a4a4b65dc33313aaa6" + logic_hash = "v1_sha256_3eb63f75f258eec611fa4288302f0ce5e47149ca876265a4a4b65dc33313aaa6" score = 75 quality = 90 tags = "INFO, FILE" @@ -50708,7 +50708,7 @@ rule REVERSINGLABS_Cert_Blocklist_68C457D7495D2A8D0D7B9042836135C2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="68:c4:57:d7:49:5d:2a:8d:0d:7b:90:42:83:61:35:c2" and 1476921600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "68:c4:57:d7:49:5d:2a:8d:0d:7b:90:42:83:61:35:c2" and 1476921600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50717,13 +50717,13 @@ rule REVERSINGLABS_Cert_Blocklist_6B72Ca367D40Fbef16E73E6Eba6A9A59 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e1cf9568-9a6a-58cb-81a4-25063ccc1ac7" + id = "250ec3fa-977b-53fa-a77a-ad9be23bf02d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13440-L13456" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b20c16dafcd891c36b28b36093cd3ad3a15f3795f0f2adda61fb0db2835d02d" + logic_hash = "v1_sha256_2b20c16dafcd891c36b28b36093cd3ad3a15f3795f0f2adda61fb0db2835d02d" score = 75 quality = 90 tags = "INFO, FILE" @@ -50733,7 +50733,7 @@ rule REVERSINGLABS_Cert_Blocklist_6B72Ca367D40Fbef16E73E6Eba6A9A59 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="6b:72:ca:36:7d:40:fb:ef:16:e7:3e:6e:ba:6a:9a:59" and 1476748800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "6b:72:ca:36:7d:40:fb:ef:16:e7:3e:6e:ba:6a:9a:59" and 1476748800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50742,13 +50742,13 @@ rule REVERSINGLABS_Cert_Blocklist_736B7663D322533413F36E3E7E55F920 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1991779a-8b5d-5188-8a36-c8451923e88f" + id = "5e20c072-62d7-580c-8ec1-1d2e06341d5e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13458-L13474" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "44e86319106a4bf8edba6c1be2f90d68b3d1ef4591f0cc23921a0dc4da4a407b" + logic_hash = "v1_sha256_44e86319106a4bf8edba6c1be2f90d68b3d1ef4591f0cc23921a0dc4da4a407b" score = 75 quality = 90 tags = "INFO, FILE" @@ -50758,7 +50758,7 @@ rule REVERSINGLABS_Cert_Blocklist_736B7663D322533413F36E3E7E55F920 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Net Technology" and pe.signatures[i].serial=="73:6b:76:63:d3:22:53:34:13:f3:6e:3e:7e:55:f9:20" and 1159488000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Net Technology" and pe.signatures [ i ] . serial == "73:6b:76:63:d3:22:53:34:13:f3:6e:3e:7e:55:f9:20" and 1159488000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50767,13 +50767,13 @@ rule REVERSINGLABS_Cert_Blocklist_54A170102461Fdc967Acfafe4Bbbc7F0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d012df1d-5e85-57b4-8a79-5da91369a14a" + id = "c838dd21-8414-5d0a-a32c-d4219735f671" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13476-L13492" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ddae18d566fa2fd077f51d0afff74fb8a8e525f88f23908c7402a4b2c092ad24" + logic_hash = "v1_sha256_ddae18d566fa2fd077f51d0afff74fb8a8e525f88f23908c7402a4b2c092ad24" score = 75 quality = 90 tags = "INFO, FILE" @@ -50783,7 +50783,7 @@ rule REVERSINGLABS_Cert_Blocklist_54A170102461Fdc967Acfafe4Bbbc7F0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="54:a1:70:10:24:61:fd:c9:67:ac:fa:fe:4b:bb:c7:f0" and 1476748800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "54:a1:70:10:24:61:fd:c9:67:ac:fa:fe:4b:bb:c7:f0" and 1476748800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50792,13 +50792,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C501B8B113209C96C8119Cf7A6B8B79 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9ec73230-10cd-55ad-9ef7-56a875294cab" + id = "b7f5cb85-8606-5779-ab0b-43965c1bfc84" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13494-L13510" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dca37fda83650979566fb6ffbedaf713955a3c7f03ecc62e2e155475b7ca00e4" + logic_hash = "v1_sha256_dca37fda83650979566fb6ffbedaf713955a3c7f03ecc62e2e155475b7ca00e4" score = 75 quality = 90 tags = "INFO, FILE" @@ -50808,7 +50808,7 @@ rule REVERSINGLABS_Cert_Blocklist_0C501B8B113209C96C8119Cf7A6B8B79 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="0c:50:1b:8b:11:32:09:c9:6c:81:19:cf:7a:6b:8b:79" and 1474329600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "0c:50:1b:8b:11:32:09:c9:6c:81:19:cf:7a:6b:8b:79" and 1474329600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50817,13 +50817,13 @@ rule REVERSINGLABS_Cert_Blocklist_0300Ee4A4C52443147821A8186D04309 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "abccf84f-ba18-5644-897c-d23a228facff" + id = "971e1cca-1bec-58c8-9ef8-7fd10e8709e3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13512-L13528" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8476ece98427c1ffd99d820c25fe664397de2c393473f7d5ee0846d8d840fd9e" + logic_hash = "v1_sha256_8476ece98427c1ffd99d820c25fe664397de2c393473f7d5ee0846d8d840fd9e" score = 75 quality = 90 tags = "INFO, FILE" @@ -50833,7 +50833,7 @@ rule REVERSINGLABS_Cert_Blocklist_0300Ee4A4C52443147821A8186D04309 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and pe.signatures[i].serial=="03:00:ee:4a:4c:52:44:31:47:82:1a:81:86:d0:43:09" and 1494892800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and pe.signatures [ i ] . serial == "03:00:ee:4a:4c:52:44:31:47:82:1a:81:86:d0:43:09" and 1494892800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50842,13 +50842,13 @@ rule REVERSINGLABS_Cert_Blocklist_202Cf8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1c442ed6-a48a-52f4-b345-300428ec9c76" + id = "afeeba5f-e88f-5623-928b-fdea75ca98f7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13530-L13546" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "671a4b522761fdff75d1c0c608e8cfb21c7ab538c8c30c8620315bc58ed358e6" + logic_hash = "v1_sha256_671a4b522761fdff75d1c0c608e8cfb21c7ab538c8c30c8620315bc58ed358e6" score = 75 quality = 90 tags = "INFO, FILE" @@ -50858,7 +50858,7 @@ rule REVERSINGLABS_Cert_Blocklist_202Cf8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DATALINE LTD." and pe.signatures[i].serial=="20:2c:f8" and 1087841761<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DATALINE LTD." and pe.signatures [ i ] . serial == "20:2c:f8" and 1087841761 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50867,13 +50867,13 @@ rule REVERSINGLABS_Cert_Blocklist_6651Cc8B4850D4Dec61961503Ea7956B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "88679114-9c85-5810-af21-d5c2a8dc759e" + id = "27842d3c-0804-5b5f-8c6a-006300429ef0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13548-L13564" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "29bfe9c8b340b55a9daa2644e8d55b2b783cc95c85541732e6e0decca8c10ff6" + logic_hash = "v1_sha256_29bfe9c8b340b55a9daa2644e8d55b2b783cc95c85541732e6e0decca8c10ff6" score = 75 quality = 90 tags = "INFO, FILE" @@ -50883,7 +50883,7 @@ rule REVERSINGLABS_Cert_Blocklist_6651Cc8B4850D4Dec61961503Ea7956B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "NUSAAPPINSTALL(APPS INSTALLER S.L.)" and pe.signatures[i].serial=="66:51:cc:8b:48:50:d4:de:c6:19:61:50:3e:a7:95:6b" and 1436175828<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "NUSAAPPINSTALL(APPS INSTALLER S.L.)" and pe.signatures [ i ] . serial == "66:51:cc:8b:48:50:d4:de:c6:19:61:50:3e:a7:95:6b" and 1436175828 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50892,13 +50892,13 @@ rule REVERSINGLABS_Cert_Blocklist_25Bef28467E4750331D2F403458113B8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a97723cb-7814-5f08-af94-6244c1cf4145" + id = "6b4751c6-5176-507f-a920-4fe6c278d46f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13566-L13582" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dc59fdecf60f3781e92cfe8469be2e0c1cb1cfdd3e9f9757d159667437cb37f5" + logic_hash = "v1_sha256_dc59fdecf60f3781e92cfe8469be2e0c1cb1cfdd3e9f9757d159667437cb37f5" score = 75 quality = 90 tags = "INFO, FILE" @@ -50908,7 +50908,7 @@ rule REVERSINGLABS_Cert_Blocklist_25Bef28467E4750331D2F403458113B8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures[i].serial=="25:be:f2:84:67:e4:75:03:31:d2:f4:03:45:81:13:b8" and 1474156800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures [ i ] . serial == "25:be:f2:84:67:e4:75:03:31:d2:f4:03:45:81:13:b8" and 1474156800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50917,13 +50917,13 @@ rule REVERSINGLABS_Cert_Blocklist_0296Cf3314F434C5B74D0C3E36616Dd1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ae7d8c3c-0ac8-5ea5-8013-97ccb2ace4e4" + id = "09c6c0df-7d05-5e66-ba01-d3125f639287" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13584-L13600" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "acf3b7460c79fa71c1b131b26a40bbc286c9da0a5fe7071bbe8b386a3ca91de4" + logic_hash = "v1_sha256_acf3b7460c79fa71c1b131b26a40bbc286c9da0a5fe7071bbe8b386a3ca91de4" score = 75 quality = 90 tags = "INFO, FILE" @@ -50933,7 +50933,7 @@ rule REVERSINGLABS_Cert_Blocklist_0296Cf3314F434C5B74D0C3E36616Dd1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="02:96:cf:33:14:f4:34:c5:b7:4d:0c:3e:36:61:6d:d1" and 1474934400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "02:96:cf:33:14:f4:34:c5:b7:4d:0c:3e:36:61:6d:d1" and 1474934400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50942,13 +50942,13 @@ rule REVERSINGLABS_Cert_Blocklist_045D57D63E13775C8F812E1864797F5A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c2c37ddc-51bc-58da-b770-df97aebca01d" + id = "e67bff5d-e1ae-5b57-bd1f-05ce5dc4ce96" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13602-L13618" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d3e61e9a43f5b17ebb08b71dc39648d1f20273a18214f39605f365f9f0f72c10" + logic_hash = "v1_sha256_d3e61e9a43f5b17ebb08b71dc39648d1f20273a18214f39605f365f9f0f72c10" score = 75 quality = 90 tags = "INFO, FILE" @@ -50958,7 +50958,7 @@ rule REVERSINGLABS_Cert_Blocklist_045D57D63E13775C8F812E1864797F5A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Mei" and pe.signatures[i].serial=="04:5d:57:d6:3e:13:77:5c:8f:81:2e:18:64:79:7f:5a" and 1485043200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Mei" and pe.signatures [ i ] . serial == "04:5d:57:d6:3e:13:77:5c:8f:81:2e:18:64:79:7f:5a" and 1485043200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50967,13 +50967,13 @@ rule REVERSINGLABS_Cert_Blocklist_6D633Df9Bb6015Fc3Ecea99Dff309Ee7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b85bf9c5-f438-5973-83ab-926e44cf2298" + id = "e1049977-84ad-58bb-9bd8-133c90772026" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13620-L13636" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "84e2f427ee79b47db8d0e5f1e2217a7e1c1ea64047e01b4ea6db69f529501f36" + logic_hash = "v1_sha256_84e2f427ee79b47db8d0e5f1e2217a7e1c1ea64047e01b4ea6db69f529501f36" score = 75 quality = 90 tags = "INFO, FILE" @@ -50983,7 +50983,7 @@ rule REVERSINGLABS_Cert_Blocklist_6D633Df9Bb6015Fc3Ecea99Dff309Ee7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="6d:63:3d:f9:bb:60:15:fc:3e:ce:a9:9d:ff:30:9e:e7" and 1474156800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "6d:63:3d:f9:bb:60:15:fc:3e:ce:a9:9d:ff:30:9e:e7" and 1474156800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -50992,13 +50992,13 @@ rule REVERSINGLABS_Cert_Blocklist_22E2A66E63B8Cb4Ec6989Bf7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5c028a6c-890c-54f1-aea2-ac04ce654907" + id = "9adb5aa9-330d-5792-a771-05649029e4c7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13638-L13654" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2099c508d1fd986f34f14aa396a5aaa136e2cdd2226099acdca9c14f6f6342eb" + logic_hash = "v1_sha256_2099c508d1fd986f34f14aa396a5aaa136e2cdd2226099acdca9c14f6f6342eb" score = 75 quality = 90 tags = "INFO, FILE" @@ -51008,7 +51008,7 @@ rule REVERSINGLABS_Cert_Blocklist_22E2A66E63B8Cb4Ec6989Bf7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Sivi Technology Limited" and pe.signatures[i].serial=="22:e2:a6:6e:63:b8:cb:4e:c6:98:9b:f7" and 1466995365<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Sivi Technology Limited" and pe.signatures [ i ] . serial == "22:e2:a6:6e:63:b8:cb:4e:c6:98:9b:f7" and 1466995365 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51017,13 +51017,13 @@ rule REVERSINGLABS_Cert_Blocklist_654B406De388Ec2Aec253Ff2Ba4C4Bbd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9820112d-d59b-57e7-ae78-7b427f70d529" + id = "7c1ac237-d553-5314-a00c-e036010abf6d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13656-L13672" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a1aadaded55c8b0d85ac09ba9ab27fefaeec2969cdabaf26ff0c41bf33422ddc" + logic_hash = "v1_sha256_a1aadaded55c8b0d85ac09ba9ab27fefaeec2969cdabaf26ff0c41bf33422ddc" score = 75 quality = 90 tags = "INFO, FILE" @@ -51033,7 +51033,7 @@ rule REVERSINGLABS_Cert_Blocklist_654B406De388Ec2Aec253Ff2Ba4C4Bbd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yijiajian (Amoy) Jiankan Tech Co.,LTD." and pe.signatures[i].serial=="65:4b:40:6d:e3:88:ec:2a:ec:25:3f:f2:ba:4c:4b:bd" and 1398902400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yijiajian (Amoy) Jiankan Tech Co.,LTD." and pe.signatures [ i ] . serial == "65:4b:40:6d:e3:88:ec:2a:ec:25:3f:f2:ba:4c:4b:bd" and 1398902400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51042,13 +51042,13 @@ rule REVERSINGLABS_Cert_Blocklist_78D1817Ebcf338B4E9C810F9740A726B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3d0a97a4-c45a-5238-a287-867529b470cb" + id = "6f4ffa0c-ee59-5b71-a94d-863ad6033a22" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13674-L13690" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "62e59130ef0ac35b17a265bb8bc2031cac6a75c11925ccb21eb4601b8fbe1a63" + logic_hash = "v1_sha256_62e59130ef0ac35b17a265bb8bc2031cac6a75c11925ccb21eb4601b8fbe1a63" score = 75 quality = 90 tags = "INFO, FILE" @@ -51058,7 +51058,7 @@ rule REVERSINGLABS_Cert_Blocklist_78D1817Ebcf338B4E9C810F9740A726B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CONSTRUTORA NOVO PARQUE LTDA - ME" and pe.signatures[i].serial=="78:d1:81:7e:bc:f3:38:b4:e9:c8:10:f9:74:0a:72:6b" and 1431734400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CONSTRUTORA NOVO PARQUE LTDA - ME" and pe.signatures [ i ] . serial == "78:d1:81:7e:bc:f3:38:b4:e9:c8:10:f9:74:0a:72:6b" and 1431734400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51067,13 +51067,13 @@ rule REVERSINGLABS_Cert_Blocklist_45Fbcdb1Fbd3D702Fb77257B45D8C58E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6bfd7c1d-2608-5ca0-8e1e-04c73588895a" + id = "88a693f4-8dcf-5425-b2f0-e19a89f1aa33" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13692-L13708" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "441e10f49515d75ee9e8983ba4321377fee13a91ca5eeddc08b393136ce8ccfd" + logic_hash = "v1_sha256_441e10f49515d75ee9e8983ba4321377fee13a91ca5eeddc08b393136ce8ccfd" score = 75 quality = 90 tags = "INFO, FILE" @@ -51083,7 +51083,7 @@ rule REVERSINGLABS_Cert_Blocklist_45Fbcdb1Fbd3D702Fb77257B45D8C58E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ding Ruan" and pe.signatures[i].serial=="45:fb:cd:b1:fb:d3:d7:02:fb:77:25:7b:45:d8:c5:8e" and 1476662400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ding Ruan" and pe.signatures [ i ] . serial == "45:fb:cd:b1:fb:d3:d7:02:fb:77:25:7b:45:d8:c5:8e" and 1476662400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51092,13 +51092,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B5D8Ed5Ca011679F141F124 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c8bc0968-29d0-51a9-8cfe-7c8f447cef3d" + id = "eb31bd34-1686-5306-8b48-bf35a1e66d98" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13710-L13726" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "39ff0d5fd711524ce181596033d1d51579cd086eb20b87722aebf39623bbaa17" + logic_hash = "v1_sha256_39ff0d5fd711524ce181596033d1d51579cd086eb20b87722aebf39623bbaa17" score = 75 quality = 90 tags = "INFO, FILE" @@ -51108,7 +51108,7 @@ rule REVERSINGLABS_Cert_Blocklist_4B5D8Ed5Ca011679F141F124 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="4b:5d:8e:d5:ca:01:16:79:f1:41:f1:24" and 1480644725<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "4b:5d:8e:d5:ca:01:16:79:f1:41:f1:24" and 1480644725 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51117,13 +51117,13 @@ rule REVERSINGLABS_Cert_Blocklist_33671F1Bcbd0F5E231Fc386F4895000E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0863e1ed-7b9c-5a60-82ac-eadc3c23fbd9" + id = "0fcd78eb-4840-5ff1-a60f-780ab0bb87fd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13728-L13744" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9199c8d76e3390ec9038808b4e88b803b3f3d6966af6206d0c9968d9ab673f31" + logic_hash = "v1_sha256_9199c8d76e3390ec9038808b4e88b803b3f3d6966af6206d0c9968d9ab673f31" score = 75 quality = 90 tags = "INFO, FILE" @@ -51133,7 +51133,7 @@ rule REVERSINGLABS_Cert_Blocklist_33671F1Bcbd0F5E231Fc386F4895000E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ALAIS, OOO" and pe.signatures[i].serial=="33:67:1f:1b:cb:d0:f5:e2:31:fc:38:6f:48:95:00:0e" and 1491868800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ALAIS, OOO" and pe.signatures [ i ] . serial == "33:67:1f:1b:cb:d0:f5:e2:31:fc:38:6f:48:95:00:0e" and 1491868800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51142,13 +51142,13 @@ rule REVERSINGLABS_Cert_Blocklist_32Bc299F0694C19Ec21E71265B1D7E17 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fa2302c3-4002-5bf0-812b-45298abbda8d" + id = "764143b1-944c-5c75-a157-0e7a674bb73c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13746-L13762" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cb522e3084d382c451a8b040095e75582675f90dbb588e370f2f0054f4c2d14b" + logic_hash = "v1_sha256_cb522e3084d382c451a8b040095e75582675f90dbb588e370f2f0054f4c2d14b" score = 75 quality = 90 tags = "INFO, FILE" @@ -51158,7 +51158,7 @@ rule REVERSINGLABS_Cert_Blocklist_32Bc299F0694C19Ec21E71265B1D7E17 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="32:bc:29:9f:06:94:c1:9e:c2:1e:71:26:5b:1d:7e:17" and 1474416000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "32:bc:29:9f:06:94:c1:9e:c2:1e:71:26:5b:1d:7e:17" and 1474416000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51167,13 +51167,13 @@ rule REVERSINGLABS_Cert_Blocklist_7B75C6B0A09Afdb9787F6Dff75Ae7844 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0b34c7ce-fa75-5340-a473-fa87fab93b86" + id = "97238465-4308-5586-927e-25b0937e7105" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13764-L13780" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8fd125a526b3433fbb8a5c6fa74ce0b0e2de8ff789880c355625d4140cd902a2" + logic_hash = "v1_sha256_8fd125a526b3433fbb8a5c6fa74ce0b0e2de8ff789880c355625d4140cd902a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -51183,7 +51183,7 @@ rule REVERSINGLABS_Cert_Blocklist_7B75C6B0A09Afdb9787F6Dff75Ae7844 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="7b:75:c6:b0:a0:9a:fd:b9:78:7f:6d:ff:75:ae:78:44" and 1476662400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "7b:75:c6:b0:a0:9a:fd:b9:78:7f:6d:ff:75:ae:78:44" and 1476662400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51192,13 +51192,13 @@ rule REVERSINGLABS_Cert_Blocklist_167Fd1295B3Bb102Dbb37292C838E7Cd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "42cf5f07-4c43-567c-a517-42c898658ab8" + id = "9c773d9a-9397-5b02-bc48-5e79c4a7ec4f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13782-L13798" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1cc7d441291fd9c4dc37320d411f94fb362523d47d37ab35c20b3ac9d4cd75cb" + logic_hash = "v1_sha256_1cc7d441291fd9c4dc37320d411f94fb362523d47d37ab35c20b3ac9d4cd75cb" score = 75 quality = 90 tags = "INFO, FILE" @@ -51208,7 +51208,7 @@ rule REVERSINGLABS_Cert_Blocklist_167Fd1295B3Bb102Dbb37292C838E7Cd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="16:7f:d1:29:5b:3b:b1:02:db:b3:72:92:c8:38:e7:cd" and 1476921600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "16:7f:d1:29:5b:3b:b1:02:db:b3:72:92:c8:38:e7:cd" and 1476921600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51217,13 +51217,13 @@ rule REVERSINGLABS_Cert_Blocklist_253Ad25E39Abe8F8Fda9Fcf6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f09ca101-dd40-54d8-9235-1faf1e774dd4" + id = "8c1f98e2-8239-5929-9355-e99e0e4dbcf5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13800-L13816" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1d46ccaa136cd7be30ffbf0eb09eb6485c543ff4bdbe99fa7ea3846841cbd41b" + logic_hash = "v1_sha256_1d46ccaa136cd7be30ffbf0eb09eb6485c543ff4bdbe99fa7ea3846841cbd41b" score = 75 quality = 90 tags = "INFO, FILE" @@ -51233,7 +51233,7 @@ rule REVERSINGLABS_Cert_Blocklist_253Ad25E39Abe8F8Fda9Fcf6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DVERI FADO, TOV" and pe.signatures[i].serial=="25:3a:d2:5e:39:ab:e8:f8:fd:a9:fc:f6" and 1538662130<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DVERI FADO, TOV" and pe.signatures [ i ] . serial == "25:3a:d2:5e:39:ab:e8:f8:fd:a9:fc:f6" and 1538662130 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51242,13 +51242,13 @@ rule REVERSINGLABS_Cert_Blocklist_A9C1523Cb2C73A82771D318124963E87 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b21365d0-eaff-51da-8b8e-6a6ee75a5b95" + id = "3199e7b3-48be-58f9-9911-da72bfcb196b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13818-L13836" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "87e314d14361f56935b7a8fb93468cfaf2c73e16c25d68a61ec80ad9334d3115" + logic_hash = "v1_sha256_87e314d14361f56935b7a8fb93468cfaf2c73e16c25d68a61ec80ad9334d3115" score = 75 quality = 90 tags = "INFO, FILE" @@ -51258,7 +51258,7 @@ rule REVERSINGLABS_Cert_Blocklist_A9C1523Cb2C73A82771D318124963E87 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ULTERA" and (pe.signatures[i].serial=="00:a9:c1:52:3c:b2:c7:3a:82:77:1d:31:81:24:96:3e:87" or pe.signatures[i].serial=="a9:c1:52:3c:b2:c7:3a:82:77:1d:31:81:24:96:3e:87") and 1499731200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ULTERA" and ( pe.signatures [ i ] . serial == "00:a9:c1:52:3c:b2:c7:3a:82:77:1d:31:81:24:96:3e:87" or pe.signatures [ i ] . serial == "a9:c1:52:3c:b2:c7:3a:82:77:1d:31:81:24:96:3e:87" ) and 1499731200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51267,13 +51267,13 @@ rule REVERSINGLABS_Cert_Blocklist_68E1B2C210B19Bb1F2A24176709B165B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e17bf185-3dfc-5a2f-a87f-525ac0e4084b" + id = "b5993d02-70bf-5ce3-be99-edd6675e9410" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13838-L13854" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8e88ad992c58d37ff1ac34e2d9cf121f3bc692ae78c0ad79140974abdec2f317" + logic_hash = "v1_sha256_8e88ad992c58d37ff1ac34e2d9cf121f3bc692ae78c0ad79140974abdec2f317" score = 75 quality = 90 tags = "INFO, FILE" @@ -51283,7 +51283,7 @@ rule REVERSINGLABS_Cert_Blocklist_68E1B2C210B19Bb1F2A24176709B165B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="68:e1:b2:c2:10:b1:9b:b1:f2:a2:41:76:70:9b:16:5b" and 1474502400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "68:e1:b2:c2:10:b1:9b:b1:f2:a2:41:76:70:9b:16:5b" and 1474502400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51292,13 +51292,13 @@ rule REVERSINGLABS_Cert_Blocklist_5C88313Bd98Bde99C9B9Ac1408A63249 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5108fa8f-3fe6-518c-9bae-b1c44a0ec7a8" + id = "ce016ba2-fd18-5185-842b-c73e6c697e9c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13856-L13872" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f958e46e00bf4ab8ecf071502bcda63a84265029bc9c72cea1eaaf72e9003a84" + logic_hash = "v1_sha256_f958e46e00bf4ab8ecf071502bcda63a84265029bc9c72cea1eaaf72e9003a84" score = 75 quality = 90 tags = "INFO, FILE" @@ -51308,7 +51308,7 @@ rule REVERSINGLABS_Cert_Blocklist_5C88313Bd98Bde99C9B9Ac1408A63249 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="5c:88:31:3b:d9:8b:de:99:c9:b9:ac:14:08:a6:32:49" and 1474243200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "5c:88:31:3b:d9:8b:de:99:c9:b9:ac:14:08:a6:32:49" and 1474243200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51317,13 +51317,13 @@ rule REVERSINGLABS_Cert_Blocklist_7A632A6Ecfc6C49Ec1F42F76 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "863a109c-034f-5168-9470-8fd4945e6e92" + id = "a291433c-7a77-5e29-bfc1-8f4d423d1275" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13874-L13890" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "038badeab61c00476b79684308bf91f8a63716641f2be16fe0a3b25ebd3a9a1e" + logic_hash = "v1_sha256_038badeab61c00476b79684308bf91f8a63716641f2be16fe0a3b25ebd3a9a1e" score = 75 quality = 90 tags = "INFO, FILE" @@ -51333,7 +51333,7 @@ rule REVERSINGLABS_Cert_Blocklist_7A632A6Ecfc6C49Ec1F42F76 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="7a:63:2a:6e:cf:c6:c4:9e:c1:f4:2f:76" and 1474959780<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "7a:63:2a:6e:cf:c6:c4:9e:c1:f4:2f:76" and 1474959780 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51342,13 +51342,13 @@ rule REVERSINGLABS_Cert_Blocklist_F57Df6A6Eee3854D513D0Ba8585049B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b31f73d5-ff9e-5be7-b806-8838ddb5d29d" + id = "8974f324-bba1-537c-b099-b311c2342b10" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13892-L13910" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "09d5998960fb65eda56cd698c5ff50d87ba7a811cbb128bc7485c0f124e14cba" + logic_hash = "v1_sha256_09d5998960fb65eda56cd698c5ff50d87ba7a811cbb128bc7485c0f124e14cba" score = 75 quality = 90 tags = "INFO, FILE" @@ -51358,7 +51358,7 @@ rule REVERSINGLABS_Cert_Blocklist_F57Df6A6Eee3854D513D0Ba8585049B7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "smnetworks" and (pe.signatures[i].serial=="00:f5:7d:f6:a6:ee:e3:85:4d:51:3d:0b:a8:58:50:49:b7" or pe.signatures[i].serial=="f5:7d:f6:a6:ee:e3:85:4d:51:3d:0b:a8:58:50:49:b7") and 1277769600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "smnetworks" and ( pe.signatures [ i ] . serial == "00:f5:7d:f6:a6:ee:e3:85:4d:51:3d:0b:a8:58:50:49:b7" or pe.signatures [ i ] . serial == "f5:7d:f6:a6:ee:e3:85:4d:51:3d:0b:a8:58:50:49:b7" ) and 1277769600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51367,13 +51367,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ac5Ac5D323122E6D8E92D6E191B1432 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9a363a84-c21c-5afe-9812-9ce16962b28a" + id = "a0cd8075-d413-5e90-b579-fe0e6d528591" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13912-L13928" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d5e62d3cdfacfaea70f9ee11230501bb9c4099508077d50a2a143cb69476f02a" + logic_hash = "v1_sha256_d5e62d3cdfacfaea70f9ee11230501bb9c4099508077d50a2a143cb69476f02a" score = 75 quality = 90 tags = "INFO, FILE" @@ -51383,7 +51383,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Ac5Ac5D323122E6D8E92D6E191B1432 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Certified Software" and pe.signatures[i].serial=="0a:c5:ac:5d:32:31:22:e6:d8:e9:2d:6e:19:1b:14:32" and 1140134400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Certified Software" and pe.signatures [ i ] . serial == "0a:c5:ac:5d:32:31:22:e6:d8:e9:2d:6e:19:1b:14:32" and 1140134400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51392,13 +51392,13 @@ rule REVERSINGLABS_Cert_Blocklist_2433D9Df7Efbccb870Ee5904D62A0101 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6cd46771-06ea-51c9-ad84-4b28f4f8442b" + id = "1be97331-83f7-5439-8206-3238315a1582" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13930-L13946" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "92a2effe1b94345f52130e4cb1db181f1990e58eaefb9c74375c14249cc1be22" + logic_hash = "v1_sha256_92a2effe1b94345f52130e4cb1db181f1990e58eaefb9c74375c14249cc1be22" score = 75 quality = 90 tags = "INFO, FILE" @@ -51408,7 +51408,7 @@ rule REVERSINGLABS_Cert_Blocklist_2433D9Df7Efbccb870Ee5904D62A0101 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Conpavi AG" and pe.signatures[i].serial=="24:33:d9:df:7e:fb:cc:b8:70:ee:59:04:d6:2a:01:01" and 1322438400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Conpavi AG" and pe.signatures [ i ] . serial == "24:33:d9:df:7e:fb:cc:b8:70:ee:59:04:d6:2a:01:01" and 1322438400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51417,13 +51417,13 @@ rule REVERSINGLABS_Cert_Blocklist_462Baada57570F70Df76D10B9E7Bf2B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2863a050-ebce-5322-b64a-9160adf6cc21" + id = "7a41c7dc-cc78-5286-9345-9c6240c91cdb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13948-L13964" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c48207907339ce3fb7b6bc630097761a24495a9d4e69d421f2bdb36ddc92abcb" + logic_hash = "v1_sha256_c48207907339ce3fb7b6bc630097761a24495a9d4e69d421f2bdb36ddc92abcb" score = 75 quality = 90 tags = "INFO, FILE" @@ -51433,7 +51433,7 @@ rule REVERSINGLABS_Cert_Blocklist_462Baada57570F70Df76D10B9E7Bf2B7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DVERI FADO, TOV" and pe.signatures[i].serial=="46:2b:aa:da:57:57:0f:70:df:76:d1:0b:9e:7b:f2:b7" and 1551744000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DVERI FADO, TOV" and pe.signatures [ i ] . serial == "46:2b:aa:da:57:57:0f:70:df:76:d1:0b:9e:7b:f2:b7" and 1551744000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51442,13 +51442,13 @@ rule REVERSINGLABS_Cert_Blocklist_83320D93Dd8Cf16D11F99B1078B0A7Cb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "12ce9be9-4644-5b59-aed2-ce4b04fcc46a" + id = "6b67bf8e-bae0-5e7d-9bd9-e55532015187" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13966-L13984" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "94ec5e05357767cc0c4cd1fc8ff6d1a366359ba699c43f3710204d761e7e707f" + logic_hash = "v1_sha256_94ec5e05357767cc0c4cd1fc8ff6d1a366359ba699c43f3710204d761e7e707f" score = 75 quality = 90 tags = "INFO, FILE" @@ -51458,7 +51458,7 @@ rule REVERSINGLABS_Cert_Blocklist_83320D93Dd8Cf16D11F99B1078B0A7Cb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TRANS LTD" and (pe.signatures[i].serial=="00:83:32:0d:93:dd:8c:f1:6d:11:f9:9b:10:78:b0:a7:cb" or pe.signatures[i].serial=="83:32:0d:93:dd:8c:f1:6d:11:f9:9b:10:78:b0:a7:cb") and 1524614400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TRANS LTD" and ( pe.signatures [ i ] . serial == "00:83:32:0d:93:dd:8c:f1:6d:11:f9:9b:10:78:b0:a7:cb" or pe.signatures [ i ] . serial == "83:32:0d:93:dd:8c:f1:6d:11:f9:9b:10:78:b0:a7:cb" ) and 1524614400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51467,13 +51467,13 @@ rule REVERSINGLABS_Cert_Blocklist_10Bae1D20Cb4Cc36A0Ffac86 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a07d1c35-0026-526a-bf08-e6b07008da03" + id = "fb5958ba-dee5-52de-a1d9-5ab360bc2158" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13986-L14002" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "44e91fbf4da8e81859a21408ee9f1971f1e8f48d22553fcaa6469156d4a0670b" + logic_hash = "v1_sha256_44e91fbf4da8e81859a21408ee9f1971f1e8f48d22553fcaa6469156d4a0670b" score = 75 quality = 90 tags = "INFO, FILE" @@ -51483,7 +51483,7 @@ rule REVERSINGLABS_Cert_Blocklist_10Bae1D20Cb4Cc36A0Ffac86 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="10:ba:e1:d2:0c:b4:cc:36:a0:ff:ac:86" and 1476773830<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "10:ba:e1:d2:0c:b4:cc:36:a0:ff:ac:86" and 1476773830 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51492,13 +51492,13 @@ rule REVERSINGLABS_Cert_Blocklist_230716Bfe915Dd6203B2E2A35674C2Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "849c390e-f81f-558e-88a3-19242c127a56" + id = "f604eee8-319d-57f8-9e90-7043ce254d26" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14004-L14020" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0197ff46ceb1017488da4383436fd0ddc375904f36cc16c5a8ef21d633ec387c" + logic_hash = "v1_sha256_0197ff46ceb1017488da4383436fd0ddc375904f36cc16c5a8ef21d633ec387c" score = 75 quality = 90 tags = "INFO, FILE" @@ -51508,7 +51508,7 @@ rule REVERSINGLABS_Cert_Blocklist_230716Bfe915Dd6203B2E2A35674C2Ee : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Jiang Liu" and pe.signatures[i].serial=="23:07:16:bf:e9:15:dd:62:03:b2:e2:a3:56:74:c2:ee" and 1472169600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Jiang Liu" and pe.signatures [ i ] . serial == "23:07:16:bf:e9:15:dd:62:03:b2:e2:a3:56:74:c2:ee" and 1472169600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51517,13 +51517,13 @@ rule REVERSINGLABS_Cert_Blocklist_36A77D37E68E02Fd3D043C7197E044Ca : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "721e48fb-3046-5b2d-8ad9-ae340e598794" + id = "958309b7-4e33-5bc1-ba86-a4e95a4340e7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14022-L14038" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fc13ac5880cc2c8eac9ff8d09f6c5c2055b2de54d460a284936a4f6cd78192e8" + logic_hash = "v1_sha256_fc13ac5880cc2c8eac9ff8d09f6c5c2055b2de54d460a284936a4f6cd78192e8" score = 75 quality = 90 tags = "INFO, FILE" @@ -51533,7 +51533,7 @@ rule REVERSINGLABS_Cert_Blocklist_36A77D37E68E02Fd3D043C7197E044Ca : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Direct Systems Ltd" and pe.signatures[i].serial=="36:a7:7d:37:e6:8e:02:fd:3d:04:3c:71:97:e0:44:ca" and 1515542400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Direct Systems Ltd" and pe.signatures [ i ] . serial == "36:a7:7d:37:e6:8e:02:fd:3d:04:3c:71:97:e0:44:ca" and 1515542400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51542,13 +51542,13 @@ rule REVERSINGLABS_Cert_Blocklist_73Bff2Fb714F986C1707165F0B0F2E0E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f014b446-0ddc-51df-898c-200bd60181a0" + id = "f10512c5-c954-5026-bfd8-93a661a0c0a5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14040-L14056" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d79ab926cbc0049d39f5f4c6e57afc71b1a30311a4816fdb66a9c2e257cc84af" + logic_hash = "v1_sha256_d79ab926cbc0049d39f5f4c6e57afc71b1a30311a4816fdb66a9c2e257cc84af" score = 75 quality = 90 tags = "INFO, FILE" @@ -51558,7 +51558,7 @@ rule REVERSINGLABS_Cert_Blocklist_73Bff2Fb714F986C1707165F0B0F2E0E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Tecnopolis Consulting Ltd" and pe.signatures[i].serial=="73:bf:f2:fb:71:4f:98:6c:17:07:16:5f:0b:0f:2e:0e" and 1090886400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Tecnopolis Consulting Ltd" and pe.signatures [ i ] . serial == "73:bf:f2:fb:71:4f:98:6c:17:07:16:5f:0b:0f:2e:0e" and 1090886400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51567,13 +51567,13 @@ rule REVERSINGLABS_Cert_Blocklist_33B24170694Ca0Cf4D2Bdf4Aadf475A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c02d7aaf-e88a-5aba-a8ee-db34562e53b1" + id = "9dfe1a5f-0958-56a4-8d45-e2e835973c1c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14058-L14074" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "795bcb46b41ded084e4d12d98e335748ec1db3e0abbbb2d933e819d955075138" + logic_hash = "v1_sha256_795bcb46b41ded084e4d12d98e335748ec1db3e0abbbb2d933e819d955075138" score = 75 quality = 90 tags = "INFO, FILE" @@ -51583,7 +51583,7 @@ rule REVERSINGLABS_Cert_Blocklist_33B24170694Ca0Cf4D2Bdf4Aadf475A3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="33:b2:41:70:69:4c:a0:cf:4d:2b:df:4a:ad:f4:75:a3" and 1474934400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "33:b2:41:70:69:4c:a0:cf:4d:2b:df:4a:ad:f4:75:a3" and 1474934400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51592,13 +51592,13 @@ rule REVERSINGLABS_Cert_Blocklist_3A9Bdec10E00E780316Baaebfe7A772C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "56f62454-84a1-5843-b2f4-fa84b37040f3" + id = "efb7781a-8c21-5c3d-9b92-f8d05f5a43fa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14076-L14092" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ea9bc11efd2969f6b7112338f2b084ea3551e072e46b1162bd47b08be549cdd4" + logic_hash = "v1_sha256_ea9bc11efd2969f6b7112338f2b084ea3551e072e46b1162bd47b08be549cdd4" score = 75 quality = 90 tags = "INFO, FILE" @@ -51608,7 +51608,7 @@ rule REVERSINGLABS_Cert_Blocklist_3A9Bdec10E00E780316Baaebfe7A772C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "PLAN ALPHA LIMITED" and pe.signatures[i].serial=="3a:9b:de:c1:0e:00:e7:80:31:6b:aa:eb:fe:7a:77:2c" and 1556582400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "PLAN ALPHA LIMITED" and pe.signatures [ i ] . serial == "3a:9b:de:c1:0e:00:e7:80:31:6b:aa:eb:fe:7a:77:2c" and 1556582400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51617,13 +51617,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Cad9C37F7Affa8F4D8229F97607E265 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dae6b474-e4f0-5c73-b32e-d2680f508799" + id = "a8878a12-98c0-5011-853f-708cf991cdab" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14094-L14110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0f88989c64bece23e7eccf8022e038fdd9c360766de71268cf71616f74adc56c" + logic_hash = "v1_sha256_0f88989c64bece23e7eccf8022e038fdd9c360766de71268cf71616f74adc56c" score = 75 quality = 90 tags = "INFO, FILE" @@ -51633,7 +51633,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Cad9C37F7Affa8F4D8229F97607E265 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Funbit" and pe.signatures[i].serial=="7c:ad:9c:37:f7:af:fa:8f:4d:82:29:f9:76:07:e2:65" and 1122508800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Funbit" and pe.signatures [ i ] . serial == "7c:ad:9c:37:f7:af:fa:8f:4d:82:29:f9:76:07:e2:65" and 1122508800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51642,13 +51642,13 @@ rule REVERSINGLABS_Cert_Blocklist_098A57 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4604f1a6-2fdb-5917-943d-f0e2dbaaa29e" + id = "99ce0cd0-c024-59e2-94dd-bb966c199f35" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14112-L14128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5e203f87dd4608ba5d583e02ce86fbe230e45fff86a7a697766e149d0cf6f436" + logic_hash = "v1_sha256_5e203f87dd4608ba5d583e02ce86fbe230e45fff86a7a697766e149d0cf6f436" score = 75 quality = 90 tags = "INFO, FILE" @@ -51658,7 +51658,7 @@ rule REVERSINGLABS_Cert_Blocklist_098A57 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ELECTRONIC GROUP" and pe.signatures[i].serial=="09:8a:57" and 1032855179<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ELECTRONIC GROUP" and pe.signatures [ i ] . serial == "09:8a:57" and 1032855179 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51667,13 +51667,13 @@ rule REVERSINGLABS_Cert_Blocklist_5389Cc6286Da3Bfa1Dc4Df498Bf68361 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "973aaf33-25a2-5f40-a5a7-d9f77e3589b3" + id = "9590000c-88ea-5dbb-8638-ad885d3066ad" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14130-L14146" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d25d998c980f47f4da065155451503dcbc677ad041af85a6ed7060ecadec66b3" + logic_hash = "v1_sha256_d25d998c980f47f4da065155451503dcbc677ad041af85a6ed7060ecadec66b3" score = 75 quality = 90 tags = "INFO, FILE" @@ -51683,7 +51683,7 @@ rule REVERSINGLABS_Cert_Blocklist_5389Cc6286Da3Bfa1Dc4Df498Bf68361 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Joerm.com" and pe.signatures[i].serial=="53:89:cc:62:86:da:3b:fa:1d:c4:df:49:8b:f6:83:61" and 1495497600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Joerm.com" and pe.signatures [ i ] . serial == "53:89:cc:62:86:da:3b:fa:1d:c4:df:49:8b:f6:83:61" and 1495497600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51692,13 +51692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ed9Caeb7911B31Bd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1eeff730-c2ce-5689-a8cb-455618738a82" + id = "af3b48f1-1216-5699-b7b9-aefa2593c70a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14148-L14166" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "02cfdf883212387a465af3e692b29b8d0eb8249e0a260f18bec2f662d775b606" + logic_hash = "v1_sha256_02cfdf883212387a465af3e692b29b8d0eb8249e0a260f18bec2f662d775b606" score = 75 quality = 90 tags = "INFO, FILE" @@ -51708,7 +51708,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ed9Caeb7911B31Bd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE5\\xA4\\xA9\\xE6\\xB8\\xB8\\xE8\\xBD\\xAF\\xE4\\xBB\\xB6\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (pe.signatures[i].serial=="00:ed:9c:ae:b7:91:1b:31:bd" or pe.signatures[i].serial=="ed:9c:ae:b7:91:1b:31:bd") and 1506001740<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE5\\xA4\\xA9\\xE6\\xB8\\xB8\\xE8\\xBD\\xAF\\xE4\\xBB\\xB6\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and ( pe.signatures [ i ] . serial == "00:ed:9c:ae:b7:91:1b:31:bd" or pe.signatures [ i ] . serial == "ed:9c:ae:b7:91:1b:31:bd" ) and 1506001740 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51717,13 +51717,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fd2B19A941B7009Cc728A37Cb1B10B9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "125c0b95-82bb-5900-8e8c-4359b8cd18ab" + id = "b6c3be89-957c-50ab-84a4-153c8393e0ba" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14168-L14184" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6b5cc47f4df9e57c59bc66c32188e02390d4855a1b9e56bd7471fd641a245c3c" + logic_hash = "v1_sha256_6b5cc47f4df9e57c59bc66c32188e02390d4855a1b9e56bd7471fd641a245c3c" score = 75 quality = 90 tags = "INFO, FILE" @@ -51733,7 +51733,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Fd2B19A941B7009Cc728A37Cb1B10B9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BEAR AND CILLA LTD" and pe.signatures[i].serial=="0f:d2:b1:9a:94:1b:70:09:cc:72:8a:37:cb:1b:10:b9" and 1560470400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BEAR AND CILLA LTD" and pe.signatures [ i ] . serial == "0f:d2:b1:9a:94:1b:70:09:cc:72:8a:37:cb:1b:10:b9" and 1560470400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51742,13 +51742,13 @@ rule REVERSINGLABS_Cert_Blocklist_2D88C0Af1Fe2609961C171213C03Bd23 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0e844bef-1cfe-5eba-af4d-d8477e55470c" + id = "2f57c6da-bf7f-513a-b6b8-93126f93847a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14186-L14202" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2d181b9b517732f14d196c1a6c5661d8de4dbbfe6f120954dd3f9dcad00ff0fe" + logic_hash = "v1_sha256_2d181b9b517732f14d196c1a6c5661d8de4dbbfe6f120954dd3f9dcad00ff0fe" score = 75 quality = 90 tags = "INFO, FILE" @@ -51758,7 +51758,7 @@ rule REVERSINGLABS_Cert_Blocklist_2D88C0Af1Fe2609961C171213C03Bd23 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Zhuzhou Lizhong Precision Manufacturing Technology Co., Ltd." and pe.signatures[i].serial=="2d:88:c0:af:1f:e2:60:99:61:c1:71:21:3c:03:bd:23" and 1683676800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Zhuzhou Lizhong Precision Manufacturing Technology Co., Ltd." and pe.signatures [ i ] . serial == "2d:88:c0:af:1f:e2:60:99:61:c1:71:21:3c:03:bd:23" and 1683676800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51767,13 +51767,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E7Cc176062D91225Cfdcbdf5B5F0Ea5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cb6ae82f-ac1e-528d-aa17-6dc14019793c" + id = "97cdb975-6872-5e08-85c6-4890f44bcff7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14204-L14220" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1d2ffa7ec3559061432c2aff23f568cb580fb9093d0af7d8a6a0b91add89c9cc" + logic_hash = "v1_sha256_1d2ffa7ec3559061432c2aff23f568cb580fb9093d0af7d8a6a0b91add89c9cc" score = 75 quality = 90 tags = "INFO, FILE" @@ -51783,7 +51783,7 @@ rule REVERSINGLABS_Cert_Blocklist_6E7Cc176062D91225Cfdcbdf5B5F0Ea5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SG Internet" and pe.signatures[i].serial=="6e:7c:c1:76:06:2d:91:22:5c:fd:cb:df:5b:5f:0e:a5" and 1317945600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SG Internet" and pe.signatures [ i ] . serial == "6e:7c:c1:76:06:2d:91:22:5c:fd:cb:df:5b:5f:0e:a5" and 1317945600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51792,13 +51792,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cecedd2Efc985C2Dbf0019669D270079 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "60a3e63c-4f44-5c75-9928-69859d77af3e" + id = "81437268-91ab-521c-acd4-054c76aba338" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14222-L14240" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1dfb5959db6929643126a850de84e54a84d7197518cde475c802987721b71020" + logic_hash = "v1_sha256_1dfb5959db6929643126a850de84e54a84d7197518cde475c802987721b71020" score = 75 quality = 90 tags = "INFO, FILE" @@ -51808,7 +51808,7 @@ rule REVERSINGLABS_Cert_Blocklist_Cecedd2Efc985C2Dbf0019669D270079 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TRANS LTD" and (pe.signatures[i].serial=="00:ce:ce:dd:2e:fc:98:5c:2d:bf:00:19:66:9d:27:00:79" or pe.signatures[i].serial=="ce:ce:dd:2e:fc:98:5c:2d:bf:00:19:66:9d:27:00:79") and 1527811200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TRANS LTD" and ( pe.signatures [ i ] . serial == "00:ce:ce:dd:2e:fc:98:5c:2d:bf:00:19:66:9d:27:00:79" or pe.signatures [ i ] . serial == "ce:ce:dd:2e:fc:98:5c:2d:bf:00:19:66:9d:27:00:79" ) and 1527811200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51817,13 +51817,13 @@ rule REVERSINGLABS_Cert_Blocklist_61Fe6F00Bd79684210534050Ff46Bc92 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b88e0bbf-ab3a-51ac-8542-d4f92116f5e9" + id = "7b22f75c-f94c-5e79-a769-b9ae4d45164a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14242-L14258" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e8ebc5de081e2d1e653493a2d85699ebfb5227b7fab656468025c2043903f597" + logic_hash = "v1_sha256_e8ebc5de081e2d1e653493a2d85699ebfb5227b7fab656468025c2043903f597" score = 75 quality = 90 tags = "INFO, FILE" @@ -51833,7 +51833,7 @@ rule REVERSINGLABS_Cert_Blocklist_61Fe6F00Bd79684210534050Ff46Bc92 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xingning Dexin Network Technology Co., Ltd." and pe.signatures[i].serial=="61:fe:6f:00:bd:79:68:42:10:53:40:50:ff:46:bc:92" and 1512000000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xingning Dexin Network Technology Co., Ltd." and pe.signatures [ i ] . serial == "61:fe:6f:00:bd:79:68:42:10:53:40:50:ff:46:bc:92" and 1512000000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51842,13 +51842,13 @@ rule REVERSINGLABS_Cert_Blocklist_0323Cc4E38735B0E6Efba76Ea25C73B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0f3889d5-fb57-5745-999e-7dff0ddf7ee9" + id = "01ce740e-4335-5bff-a240-b0ff4d4e1926" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14260-L14276" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "48bda7f61c9705ae70add3940f10d65fc7f7a776cec91a244f0e5bde07303831" + logic_hash = "v1_sha256_48bda7f61c9705ae70add3940f10d65fc7f7a776cec91a244f0e5bde07303831" score = 75 quality = 90 tags = "INFO, FILE" @@ -51858,7 +51858,7 @@ rule REVERSINGLABS_Cert_Blocklist_0323Cc4E38735B0E6Efba76Ea25C73B7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xingning Dexin Network Technology Co., Ltd." and pe.signatures[i].serial=="03:23:cc:4e:38:73:5b:0e:6e:fb:a7:6e:a2:5c:73:b7" and 1512000000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xingning Dexin Network Technology Co., Ltd." and pe.signatures [ i ] . serial == "03:23:cc:4e:38:73:5b:0e:6e:fb:a7:6e:a2:5c:73:b7" and 1512000000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51867,13 +51867,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F9Aca069Ac1B6Bfb0E14861Ec857Bf6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b78e3bc2-5b65-507a-9183-148f97baa3e8" + id = "8da9feac-18c1-598e-8531-5440be611d28" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14278-L14294" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d7c9a471455768a00deeb73900bf80a98f0b2c9da1fd09d568e2998deaf404d2" + logic_hash = "v1_sha256_d7c9a471455768a00deeb73900bf80a98f0b2c9da1fd09d568e2998deaf404d2" score = 75 quality = 90 tags = "INFO, FILE" @@ -51883,7 +51883,7 @@ rule REVERSINGLABS_Cert_Blocklist_1F9Aca069Ac1B6Bfb0E14861Ec857Bf6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="1f:9a:ca:06:9a:c1:b6:bf:b0:e1:48:61:ec:85:7b:f6" and 1477440000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "1f:9a:ca:06:9a:c1:b6:bf:b0:e1:48:61:ec:85:7b:f6" and 1477440000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51892,13 +51892,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E9D26Dcf703Ca3B140D7E7Ad48312E2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3ad650b2-45ea-5324-b8dc-b48094ae2376" + id = "4afee2f5-2c00-5f8c-8947-660ffaeb1207" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14296-L14312" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d8f70ba61509f3df34705bea0bfcb4cce3e92a33f0f1b65315d886eb5592f152" + logic_hash = "v1_sha256_d8f70ba61509f3df34705bea0bfcb4cce3e92a33f0f1b65315d886eb5592f152" score = 75 quality = 90 tags = "INFO, FILE" @@ -51908,7 +51908,7 @@ rule REVERSINGLABS_Cert_Blocklist_3E9D26Dcf703Ca3B140D7E7Ad48312E2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Dong Qian" and pe.signatures[i].serial=="3e:9d:26:dc:f7:03:ca:3b:14:0d:7e:7a:d4:83:12:e2" and 1440580240<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Dong Qian" and pe.signatures [ i ] . serial == "3e:9d:26:dc:f7:03:ca:3b:14:0d:7e:7a:d4:83:12:e2" and 1440580240 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51917,13 +51917,13 @@ rule REVERSINGLABS_Cert_Blocklist_4E2523E76Ea455941E75Fb8240474A75 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "be5e6f35-6177-50bb-82ea-55628acda4c2" + id = "1973b4c4-2140-5e54-ba08-d5b81d405168" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14314-L14330" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e89f722345fda82fd894d34169d1463997ae1d567d46badbf3138faa04cf8fa4" + logic_hash = "v1_sha256_e89f722345fda82fd894d34169d1463997ae1d567d46badbf3138faa04cf8fa4" score = 75 quality = 90 tags = "INFO, FILE" @@ -51933,7 +51933,7 @@ rule REVERSINGLABS_Cert_Blocklist_4E2523E76Ea455941E75Fb8240474A75 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="4e:25:23:e7:6e:a4:55:94:1e:75:fb:82:40:47:4a:75" and 1476403200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "4e:25:23:e7:6e:a4:55:94:1e:75:fb:82:40:47:4a:75" and 1476403200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51942,13 +51942,13 @@ rule REVERSINGLABS_Cert_Blocklist_6102468293Ba7308D17Efb43Ad6Bfb58 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bcf0f1cc-44f2-5498-b9d7-9ad3f38e33bc" + id = "36991b89-9834-5072-b0c6-e9f9584c3075" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14332-L14348" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c1ae1562595ac6515a071a16195b46db6fad4ee0fe9757d366ee78b914e1de7f" + logic_hash = "v1_sha256_c1ae1562595ac6515a071a16195b46db6fad4ee0fe9757d366ee78b914e1de7f" score = 75 quality = 90 tags = "INFO, FILE" @@ -51958,7 +51958,7 @@ rule REVERSINGLABS_Cert_Blocklist_6102468293Ba7308D17Efb43Ad6Bfb58 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures[i].serial=="61:02:46:82:93:ba:73:08:d1:7e:fb:43:ad:6b:fb:58" and 1470960000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures [ i ] . serial == "61:02:46:82:93:ba:73:08:d1:7e:fb:43:ad:6b:fb:58" and 1470960000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51967,13 +51967,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Ded1A7Ff6Da152A98A57A2F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "033c9ce3-1676-5ad1-9ec1-08b3ffc585bb" + id = "125fad94-de39-5947-95f1-ebec16e726dd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14350-L14366" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "20ec1e8e0570eb216304fd8453df315a26d9c170224177c325c10cbefc1993fb" + logic_hash = "v1_sha256_20ec1e8e0570eb216304fd8453df315a26d9c170224177c325c10cbefc1993fb" score = 75 quality = 90 tags = "INFO, FILE" @@ -51983,7 +51983,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Ded1A7Ff6Da152A98A57A2F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="6d:ed:1a:7f:f6:da:15:2a:98:a5:7a:2f" and 1479094343<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "6d:ed:1a:7f:f6:da:15:2a:98:a5:7a:2f" and 1479094343 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -51992,13 +51992,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Ce65Ea057B975D2C17Eaf2C2297B1Eb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f86fbd6f-1635-56d7-b390-e067f81b8705" + id = "c4db1fbd-3bcd-5880-8374-29f8490ecc70" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14368-L14384" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e17988cb2503e285cfe2ea74d7bc61c577d828e14fd5d8d8062e469dc75c449e" + logic_hash = "v1_sha256_e17988cb2503e285cfe2ea74d7bc61c577d828e14fd5d8d8062e469dc75c449e" score = 75 quality = 90 tags = "INFO, FILE" @@ -52008,7 +52008,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Ce65Ea057B975D2C17Eaf2C2297B1Eb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TRANS LTD" and pe.signatures[i].serial=="3c:e6:5e:a0:57:b9:75:d2:c1:7e:af:2c:22:97:b1:eb" and 1528243200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TRANS LTD" and pe.signatures [ i ] . serial == "3c:e6:5e:a0:57:b9:75:d2:c1:7e:af:2c:22:97:b1:eb" and 1528243200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52017,13 +52017,13 @@ rule REVERSINGLABS_Cert_Blocklist_5D085A9A288549D09Edc4941 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8fa1f434-2061-5131-9378-58c584eff447" + id = "b1a0b2fb-ba22-5536-ba1f-d175f99e0e16" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14386-L14402" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dff7c2d727acca753b030d05028590e1a5577121bb2b4c0dcfcb70b4c9d77cbf" + logic_hash = "v1_sha256_dff7c2d727acca753b030d05028590e1a5577121bb2b4c0dcfcb70b4c9d77cbf" score = 75 quality = 90 tags = "INFO, FILE" @@ -52033,7 +52033,7 @@ rule REVERSINGLABS_Cert_Blocklist_5D085A9A288549D09Edc4941 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="5d:08:5a:9a:28:85:49:d0:9e:dc:49:41" and 1478757821<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "5d:08:5a:9a:28:85:49:d0:9e:dc:49:41" and 1478757821 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52042,13 +52042,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D20Dec3797A1Ac30649Ebb184265B79 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5344bda2-bc11-5700-a0f7-52792c5bb87a" + id = "471a73e2-bbf5-5b22-af10-8950c7c59eaa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14404-L14420" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "78c0575a1c9ecf37ef5bac0612c20f96b8641875b0ba786979adc8a77f001a5e" + logic_hash = "v1_sha256_78c0575a1c9ecf37ef5bac0612c20f96b8641875b0ba786979adc8a77f001a5e" score = 75 quality = 90 tags = "INFO, FILE" @@ -52058,7 +52058,7 @@ rule REVERSINGLABS_Cert_Blocklist_7D20Dec3797A1Ac30649Ebb184265B79 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Jiang Liu" and pe.signatures[i].serial=="7d:20:de:c3:79:7a:1a:c3:06:49:eb:b1:84:26:5b:79" and 1474156800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Jiang Liu" and pe.signatures [ i ] . serial == "7d:20:de:c3:79:7a:1a:c3:06:49:eb:b1:84:26:5b:79" and 1474156800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52067,13 +52067,13 @@ rule REVERSINGLABS_Cert_Blocklist_187D92861076E469B5B7A19E2A9Fd4Ba : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0a156a49-c737-5bdb-9178-34121af490d6" + id = "b8bc636f-6119-556a-839d-d5678a2736cb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14422-L14438" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7383a7fb31a0a913dff1740015ff702642fbb41d8e5a528a8684c80e66026e9d" + logic_hash = "v1_sha256_7383a7fb31a0a913dff1740015ff702642fbb41d8e5a528a8684c80e66026e9d" score = 75 quality = 90 tags = "INFO, FILE" @@ -52083,7 +52083,7 @@ rule REVERSINGLABS_Cert_Blocklist_187D92861076E469B5B7A19E2A9Fd4Ba : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="18:7d:92:86:10:76:e4:69:b5:b7:a1:9e:2a:9f:d4:ba" and 1476748800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "18:7d:92:86:10:76:e4:69:b5:b7:a1:9e:2a:9f:d4:ba" and 1476748800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52092,13 +52092,13 @@ rule REVERSINGLABS_Cert_Blocklist_199A9476Feca3C004Ff889D34545De07 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4bb98380-70e5-5ad9-adb2-2e6e10f35258" + id = "07e338f4-df4c-5a0e-9f2d-195f06ab2256" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14440-L14456" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "39c6efefcbd78d5e08ffd8d3989cab3bdf273a1847b2a961f9e68c9ee95e85b6" + logic_hash = "v1_sha256_39c6efefcbd78d5e08ffd8d3989cab3bdf273a1847b2a961f9e68c9ee95e85b6" score = 75 quality = 90 tags = "INFO, FILE" @@ -52108,7 +52108,7 @@ rule REVERSINGLABS_Cert_Blocklist_199A9476Feca3C004Ff889D34545De07 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Funcall" and pe.signatures[i].serial=="19:9a:94:76:fe:ca:3c:00:4f:f8:89:d3:45:45:de:07" and 1138060800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Funcall" and pe.signatures [ i ] . serial == "19:9a:94:76:fe:ca:3c:00:4f:f8:89:d3:45:45:de:07" and 1138060800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52117,13 +52117,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Efe65 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e402e3b4-a598-504d-85b8-8c1994cb51fc" + id = "494c4607-9ecd-5c55-b171-94b6c8f7a23a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14458-L14474" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f849b6899b6766807cfddf99ecb809fe923f35f04de09b62235da352ce6e6e24" + logic_hash = "v1_sha256_f849b6899b6766807cfddf99ecb809fe923f35f04de09b62235da352ce6e6e24" score = 75 quality = 90 tags = "INFO, FILE" @@ -52133,7 +52133,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Efe65 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Software Plugin Ltd." and pe.signatures[i].serial=="1e:fe:65" and 1063224491<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Software Plugin Ltd." and pe.signatures [ i ] . serial == "1e:fe:65" and 1063224491 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52142,13 +52142,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Af7E2B6A3Deb99291Dcaf66 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f9c18796-995e-58f8-8406-9adcad143ae7" + id = "d1a5c8d5-17d4-55c6-9eb6-8d32b57fafa3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14476-L14492" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "270b5655a0f54abceb520eaca714ed4f6d4de720883e2759acd5bb2f027dfd2b" + logic_hash = "v1_sha256_270b5655a0f54abceb520eaca714ed4f6d4de720883e2759acd5bb2f027dfd2b" score = 75 quality = 90 tags = "INFO, FILE" @@ -52158,7 +52158,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Af7E2B6A3Deb99291Dcaf66 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="0a:f7:e2:b6:a3:de:b9:92:91:dc:af:66" and 1474523112<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "0a:f7:e2:b6:a3:de:b9:92:91:dc:af:66" and 1474523112 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52167,13 +52167,13 @@ rule REVERSINGLABS_Cert_Blocklist_45E27C4Dfa5E6175566A13B1B6Ddf3F5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b4ab6397-5e15-5eb3-9f5d-658c5e3a7e3d" + id = "ffbdeff5-4fbc-567d-9563-67c142f384e1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14494-L14510" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9bcbb84207984b259463482f094bf0f3815f0d74317b6b864dab44769ff5e7e8" + logic_hash = "v1_sha256_9bcbb84207984b259463482f094bf0f3815f0d74317b6b864dab44769ff5e7e8" score = 75 quality = 90 tags = "INFO, FILE" @@ -52183,7 +52183,7 @@ rule REVERSINGLABS_Cert_Blocklist_45E27C4Dfa5E6175566A13B1B6Ddf3F5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Selig Michael Irfan" and pe.signatures[i].serial=="45:e2:7c:4d:fa:5e:61:75:56:6a:13:b1:b6:dd:f3:f5" and 1465474542<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Selig Michael Irfan" and pe.signatures [ i ] . serial == "45:e2:7c:4d:fa:5e:61:75:56:6a:13:b1:b6:dd:f3:f5" and 1465474542 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52192,13 +52192,13 @@ rule REVERSINGLABS_Cert_Blocklist_37D36A4E61C0Ac68Ceb8Bfcef2Dbf283 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8fc73b48-6797-558a-8265-9aca396e899f" + id = "600fbb01-f65b-51f2-a269-684cc4cb00e6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14512-L14528" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "41e126600aae5646b808ed0a4294faa9a63e47842e9cde4fee9e5e65919af7ee" + logic_hash = "v1_sha256_41e126600aae5646b808ed0a4294faa9a63e47842e9cde4fee9e5e65919af7ee" score = 75 quality = 90 tags = "INFO, FILE" @@ -52208,7 +52208,7 @@ rule REVERSINGLABS_Cert_Blocklist_37D36A4E61C0Ac68Ceb8Bfcef2Dbf283 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ANAVERIS LIMITED" and pe.signatures[i].serial=="37:d3:6a:4e:61:c0:ac:68:ce:b8:bf:ce:f2:db:f2:83" and 1532476800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ANAVERIS LIMITED" and pe.signatures [ i ] . serial == "37:d3:6a:4e:61:c0:ac:68:ce:b8:bf:ce:f2:db:f2:83" and 1532476800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52217,13 +52217,13 @@ rule REVERSINGLABS_Cert_Blocklist_4321De10738278B93683Ca542407F103 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bf800655-cde4-59fa-9574-1055522fe074" + id = "8b5ecd67-93aa-50db-b753-86e16884ab15" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14530-L14546" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2787375605310877891ef924268f4660d1c8aa020e00674c1b1d7eb3c4f5b2fb" + logic_hash = "v1_sha256_2787375605310877891ef924268f4660d1c8aa020e00674c1b1d7eb3c4f5b2fb" score = 75 quality = 90 tags = "INFO, FILE" @@ -52233,7 +52233,7 @@ rule REVERSINGLABS_Cert_Blocklist_4321De10738278B93683Ca542407F103 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "We Build Toolbars LLC" and pe.signatures[i].serial=="43:21:de:10:73:82:78:b9:36:83:ca:54:24:07:f1:03" and 1367884800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "We Build Toolbars LLC" and pe.signatures [ i ] . serial == "43:21:de:10:73:82:78:b9:36:83:ca:54:24:07:f1:03" and 1367884800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52242,13 +52242,13 @@ rule REVERSINGLABS_Cert_Blocklist_2A6B2Df210Be14F4E18E10C7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "150773ee-5d85-522d-a693-63bb6a7d1de2" + id = "33037c70-449b-5f5a-ae73-1cbd0fe4650c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14548-L14564" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "24ae1664c35b7947e2e638bf620d9ab572c70df9cdc1403cc00b422a45ff9194" + logic_hash = "v1_sha256_24ae1664c35b7947e2e638bf620d9ab572c70df9cdc1403cc00b422a45ff9194" score = 75 quality = 90 tags = "INFO, FILE" @@ -52258,7 +52258,7 @@ rule REVERSINGLABS_Cert_Blocklist_2A6B2Df210Be14F4E18E10C7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="2a:6b:2d:f2:10:be:14:f4:e1:8e:10:c7" and 1472095404<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "2a:6b:2d:f2:10:be:14:f4:e1:8e:10:c7" and 1472095404 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52267,13 +52267,13 @@ rule REVERSINGLABS_Cert_Blocklist_412Ab2A50E8028Ddcbc499Ddf45F2045 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aabb3a66-5677-5359-9d81-92c8d4c7d910" + id = "d29ea38d-8442-5982-8bee-60f4f5c4f60a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14566-L14582" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a5b85d13dee51d68af28394ecee3dcc2efe7add4d26c2a8033d1855b33ac6271" + logic_hash = "v1_sha256_a5b85d13dee51d68af28394ecee3dcc2efe7add4d26c2a8033d1855b33ac6271" score = 75 quality = 90 tags = "INFO, FILE" @@ -52283,7 +52283,7 @@ rule REVERSINGLABS_Cert_Blocklist_412Ab2A50E8028Ddcbc499Ddf45F2045 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Ding Ruan" and pe.signatures[i].serial=="41:2a:b2:a5:0e:80:28:dd:cb:c4:99:dd:f4:5f:20:45" and 1479340800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Ding Ruan" and pe.signatures [ i ] . serial == "41:2a:b2:a5:0e:80:28:dd:cb:c4:99:dd:f4:5f:20:45" and 1479340800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52292,13 +52292,13 @@ rule REVERSINGLABS_Cert_Blocklist_0747F6A8C3542F954B113Fd98C7607Cf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "de5fbb40-7d41-5f3e-97c9-a6882c19ebb5" + id = "87373ffa-d416-5816-8c6f-c3153e89a588" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14584-L14600" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9d5e5c98f3ef372532cfc4f544d5d3f620dc2e49d8b6e1c96df29d2a38042019" + logic_hash = "v1_sha256_9d5e5c98f3ef372532cfc4f544d5d3f620dc2e49d8b6e1c96df29d2a38042019" score = 75 quality = 90 tags = "INFO, FILE" @@ -52308,7 +52308,7 @@ rule REVERSINGLABS_Cert_Blocklist_0747F6A8C3542F954B113Fd98C7607Cf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="07:47:f6:a8:c3:54:2f:95:4b:11:3f:d9:8c:76:07:cf" and 1474329600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "07:47:f6:a8:c3:54:2f:95:4b:11:3f:d9:8c:76:07:cf" and 1474329600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52317,13 +52317,13 @@ rule REVERSINGLABS_Cert_Blocklist_2572B484Fa0A61Be7288D785D7Bda7D3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b1d71baa-9100-512d-91f4-7286a740e5f2" + id = "0d512280-5702-5502-854e-110c0adcc670" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14602-L14618" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d6b23ba706a640a1e76ad7ab0a70c845c9366ac8355eea5439f76f6993c9c6be" + logic_hash = "v1_sha256_d6b23ba706a640a1e76ad7ab0a70c845c9366ac8355eea5439f76f6993c9c6be" score = 75 quality = 90 tags = "INFO, FILE" @@ -52333,7 +52333,7 @@ rule REVERSINGLABS_Cert_Blocklist_2572B484Fa0A61Be7288D785D7Bda7D3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "SILVA, OOO" and pe.signatures[i].serial=="25:72:b4:84:fa:0a:61:be:72:88:d7:85:d7:bd:a7:d3" and 1495152000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "SILVA, OOO" and pe.signatures [ i ] . serial == "25:72:b4:84:fa:0a:61:be:72:88:d7:85:d7:bd:a7:d3" and 1495152000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52342,13 +52342,13 @@ rule REVERSINGLABS_Cert_Blocklist_6726Bd04204746C46857887F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ef882d82-f535-57c3-9d45-8d47ecc7f607" + id = "6792a104-d47c-523d-890f-eebee8adc6c3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14620-L14636" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "11d25dff7e05e6f97725e919cc6c978d7f2e64a91cf04b72461c71d592dfc2dc" + logic_hash = "v1_sha256_11d25dff7e05e6f97725e919cc6c978d7f2e64a91cf04b72461c71d592dfc2dc" score = 75 quality = 90 tags = "INFO, FILE" @@ -52358,7 +52358,7 @@ rule REVERSINGLABS_Cert_Blocklist_6726Bd04204746C46857887F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="67:26:bd:04:20:47:46:c4:68:57:88:7f" and 1474352405<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "67:26:bd:04:20:47:46:c4:68:57:88:7f" and 1474352405 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52367,13 +52367,13 @@ rule REVERSINGLABS_Cert_Blocklist_4463D8B31E0F87C14233D4D0D2C487A0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eefd6fa2-7ed7-51d0-bddd-90f0727a93cc" + id = "ced47c95-f379-5a36-9c96-a4f12e195c46" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14638-L14654" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "04ce664fceb4a617294e860d5364d8a4ce8e055fd2baebb8be69f258d9c70ac7" + logic_hash = "v1_sha256_04ce664fceb4a617294e860d5364d8a4ce8e055fd2baebb8be69f258d9c70ac7" score = 75 quality = 90 tags = "INFO, FILE" @@ -52383,7 +52383,7 @@ rule REVERSINGLABS_Cert_Blocklist_4463D8B31E0F87C14233D4D0D2C487A0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="44:63:d8:b3:1e:0f:87:c1:42:33:d4:d0:d2:c4:87:a0" and 1477612800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "44:63:d8:b3:1e:0f:87:c1:42:33:d4:d0:d2:c4:87:a0" and 1477612800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52392,13 +52392,13 @@ rule REVERSINGLABS_Cert_Blocklist_387982605E542D6D52F231Ca6F5657Cc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2d5731e1-b18b-544e-ae14-40d70b679618" + id = "aea4f488-2be7-5a28-b119-8de650059a68" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14656-L14672" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d55cfd45bc0d330c0ed433a882874e4633ffbaa0d68288bea9058fe269d75ed9" + logic_hash = "v1_sha256_d55cfd45bc0d330c0ed433a882874e4633ffbaa0d68288bea9058fe269d75ed9" score = 75 quality = 90 tags = "INFO, FILE" @@ -52408,7 +52408,7 @@ rule REVERSINGLABS_Cert_Blocklist_387982605E542D6D52F231Ca6F5657Cc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Jiang Liu" and pe.signatures[i].serial=="38:79:82:60:5e:54:2d:6d:52:f2:31:ca:6f:56:57:cc" and 1475884800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Jiang Liu" and pe.signatures [ i ] . serial == "38:79:82:60:5e:54:2d:6d:52:f2:31:ca:6f:56:57:cc" and 1475884800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52417,13 +52417,13 @@ rule REVERSINGLABS_Cert_Blocklist_E0134C41E7Eda6863C4Eee5B003976Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "395c14fd-2fec-53ad-bc8e-2dd4bb3522d2" + id = "69fe4f68-a98c-514f-8103-e37f2066eedd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14674-L14692" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fbe34baf52e3fa7d7cdfcfaef9b8851c4cbeb46d17eeade61750e59cf0c13291" + logic_hash = "v1_sha256_fbe34baf52e3fa7d7cdfcfaef9b8851c4cbeb46d17eeade61750e59cf0c13291" score = 75 quality = 90 tags = "INFO, FILE" @@ -52433,7 +52433,7 @@ rule REVERSINGLABS_Cert_Blocklist_E0134C41E7Eda6863C4Eee5B003976Dd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "5000 LIMITED" and (pe.signatures[i].serial=="00:e0:13:4c:41:e7:ed:a6:86:3c:4e:ee:5b:00:39:76:dd" or pe.signatures[i].serial=="e0:13:4c:41:e7:ed:a6:86:3c:4e:ee:5b:00:39:76:dd") and 1528070400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "5000 LIMITED" and ( pe.signatures [ i ] . serial == "00:e0:13:4c:41:e7:ed:a6:86:3c:4e:ee:5b:00:39:76:dd" or pe.signatures [ i ] . serial == "e0:13:4c:41:e7:ed:a6:86:3c:4e:ee:5b:00:39:76:dd" ) and 1528070400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52442,13 +52442,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B47A4739Dd8Ffe81D9B5307 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9688b091-9a77-59c2-b7f9-a8b652201b8f" + id = "713a879b-0562-5db0-9ad2-12ceb74aa7fe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14694-L14710" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5f35f520d4af26fa648553894a5b0db043d0c32302d94f531b6cb48691396a92" + logic_hash = "v1_sha256_5f35f520d4af26fa648553894a5b0db043d0c32302d94f531b6cb48691396a92" score = 75 quality = 90 tags = "INFO, FILE" @@ -52458,7 +52458,7 @@ rule REVERSINGLABS_Cert_Blocklist_5B47A4739Dd8Ffe81D9B5307 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="5b:47:a4:73:9d:d8:ff:e8:1d:9b:53:07" and 1476953007<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "5b:47:a4:73:9d:d8:ff:e8:1d:9b:53:07" and 1476953007 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52467,13 +52467,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F5A9Bf75Da76B949645475473793A7D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "90cdf420-bdfc-509a-a64f-f30710f09f3b" + id = "4c2528be-50e0-56bd-8df0-9e79f7f3d4d2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14712-L14728" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8c58d30b1b6ef80409d9da5f5f4bc26a8818b01cc388b5966c8b68ed0e4c5a2a" + logic_hash = "v1_sha256_8c58d30b1b6ef80409d9da5f5f4bc26a8818b01cc388b5966c8b68ed0e4c5a2a" score = 75 quality = 90 tags = "INFO, FILE" @@ -52483,7 +52483,7 @@ rule REVERSINGLABS_Cert_Blocklist_4F5A9Bf75Da76B949645475473793A7D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "EXEC CONTROL LIMITED" and pe.signatures[i].serial=="4f:5a:9b:f7:5d:a7:6b:94:96:45:47:54:73:79:3a:7d" and 1553817600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "EXEC CONTROL LIMITED" and pe.signatures [ i ] . serial == "4f:5a:9b:f7:5d:a7:6b:94:96:45:47:54:73:79:3a:7d" and 1553817600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52492,13 +52492,13 @@ rule REVERSINGLABS_Cert_Blocklist_081Df56C9A48D02571F08907 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4f4fb099-406a-5def-9a26-46c6807cfe7f" + id = "2ed5d1fc-93dc-50c5-8dca-29d88ce9c551" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14730-L14746" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "25d91f09e0731ab09a05855442b72589eb30e1c7d5e4c0a7af760eea540d786f" + logic_hash = "v1_sha256_25d91f09e0731ab09a05855442b72589eb30e1c7d5e4c0a7af760eea540d786f" score = 75 quality = 90 tags = "INFO, FILE" @@ -52508,7 +52508,7 @@ rule REVERSINGLABS_Cert_Blocklist_081Df56C9A48D02571F08907 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="08:1d:f5:6c:9a:48:d0:25:71:f0:89:07" and 1474870728<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "08:1d:f5:6c:9a:48:d0:25:71:f0:89:07" and 1474870728 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52517,13 +52517,13 @@ rule REVERSINGLABS_Cert_Blocklist_77D5C1A3E623575999C74409Dc19753C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8f8ce24d-8330-509a-a7a1-2727c6f8bdd9" + id = "1082c8f3-65e8-57e5-8d7d-f45445b7e571" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14748-L14764" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "54921ce39a0876511b33ac6fa088c3342e2ea7fa037423fe72825bfe9c83bce6" + logic_hash = "v1_sha256_54921ce39a0876511b33ac6fa088c3342e2ea7fa037423fe72825bfe9c83bce6" score = 75 quality = 90 tags = "INFO, FILE" @@ -52533,7 +52533,7 @@ rule REVERSINGLABS_Cert_Blocklist_77D5C1A3E623575999C74409Dc19753C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="77:d5:c1:a3:e6:23:57:59:99:c7:44:09:dc:19:75:3c" and 1475884800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "77:d5:c1:a3:e6:23:57:59:99:c7:44:09:dc:19:75:3c" and 1475884800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52542,13 +52542,13 @@ rule REVERSINGLABS_Cert_Blocklist_E9756B3F38B1172Ea89Fdbdfdba5F979 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "77d7470c-0c60-5ef4-b1d9-35642c147afe" + id = "e7d23767-3855-5d5f-9afe-05cdb469a430" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14766-L14784" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "997a9433f907896d82f22ae323bf9cfe9aa04a2a49c5505e98adbb34277fcc15" + logic_hash = "v1_sha256_997a9433f907896d82f22ae323bf9cfe9aa04a2a49c5505e98adbb34277fcc15" score = 75 quality = 90 tags = "INFO, FILE" @@ -52558,7 +52558,7 @@ rule REVERSINGLABS_Cert_Blocklist_E9756B3F38B1172Ea89Fdbdfdba5F979 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Kreamer Ltd" and (pe.signatures[i].serial=="00:e9:75:6b:3f:38:b1:17:2e:a8:9f:db:df:db:a5:f9:79" or pe.signatures[i].serial=="e9:75:6b:3f:38:b1:17:2e:a8:9f:db:df:db:a5:f9:79") and 1492732800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Kreamer Ltd" and ( pe.signatures [ i ] . serial == "00:e9:75:6b:3f:38:b1:17:2e:a8:9f:db:df:db:a5:f9:79" or pe.signatures [ i ] . serial == "e9:75:6b:3f:38:b1:17:2e:a8:9f:db:df:db:a5:f9:79" ) and 1492732800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52567,13 +52567,13 @@ rule REVERSINGLABS_Cert_Blocklist_09Fb28 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e7701457-c6cd-5b20-b227-8a9cdcde8213" + id = "0dc6599e-9add-5823-89cd-7fe3f84f9a1e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14786-L14802" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5ed65d33b73977e869460ba51271aff94811fa2f41e4a2993c47233add2f38dd" + logic_hash = "v1_sha256_5ed65d33b73977e869460ba51271aff94811fa2f41e4a2993c47233add2f38dd" score = 75 quality = 90 tags = "INFO, FILE" @@ -52583,7 +52583,7 @@ rule REVERSINGLABS_Cert_Blocklist_09Fb28 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "New Dial spa" and pe.signatures[i].serial=="09:fb:28" and 1046968418<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "New Dial spa" and pe.signatures [ i ] . serial == "09:fb:28" and 1046968418 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52592,13 +52592,13 @@ rule REVERSINGLABS_Cert_Blocklist_197Dc32D915458953562D2Fe78Bf2468 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9c25410f-6a3d-5e6e-b270-ccec3be34e80" + id = "db15dea9-d670-571d-85b0-c544c570fce0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14804-L14820" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e61284a74765592fe97b90ca1c260efa46ea31286e6d09ab32d6c664b8271f2a" + logic_hash = "v1_sha256_e61284a74765592fe97b90ca1c260efa46ea31286e6d09ab32d6c664b8271f2a" score = 75 quality = 90 tags = "INFO, FILE" @@ -52608,7 +52608,7 @@ rule REVERSINGLABS_Cert_Blocklist_197Dc32D915458953562D2Fe78Bf2468 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Y.L. Knafo, Ltd." and pe.signatures[i].serial=="19:7d:c3:2d:91:54:58:95:35:62:d2:fe:78:bf:24:68" and 1575331200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Y.L. Knafo, Ltd." and pe.signatures [ i ] . serial == "19:7d:c3:2d:91:54:58:95:35:62:d2:fe:78:bf:24:68" and 1575331200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52617,13 +52617,13 @@ rule REVERSINGLABS_Cert_Blocklist_7C0Be3D14787351E3156F5F37F2B3663 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "14a292da-36c1-5a37-b27e-20c982e44c25" + id = "1a814dfa-21ed-53c2-b31a-7e6159a0d12c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14822-L14838" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "66c2cd84fccedd2afef00495c49d0c2844e2e5e190e6a859d2970e8ddb4a35c2" + logic_hash = "v1_sha256_66c2cd84fccedd2afef00495c49d0c2844e2e5e190e6a859d2970e8ddb4a35c2" score = 75 quality = 90 tags = "INFO, FILE" @@ -52633,7 +52633,7 @@ rule REVERSINGLABS_Cert_Blocklist_7C0Be3D14787351E3156F5F37F2B3663 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Apex Tech, SIA" and pe.signatures[i].serial=="7c:0b:e3:d1:47:87:35:1e:31:56:f5:f3:7f:2b:36:63" and 1523318400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Apex Tech, SIA" and pe.signatures [ i ] . serial == "7c:0b:e3:d1:47:87:35:1e:31:56:f5:f3:7f:2b:36:63" and 1523318400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52642,13 +52642,13 @@ rule REVERSINGLABS_Cert_Blocklist_05054Fdea356F3Dd7Db479Fa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c78d42bc-f8ca-579a-af49-ba9c7b63ef07" + id = "36dd4606-2c92-5718-8bec-850b8e700dab" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14840-L14856" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "02ec52e060a6b8b3edfad0a1f5b1f2d6c409645d5233612d0d353ad74bcd4568" + logic_hash = "v1_sha256_02ec52e060a6b8b3edfad0a1f5b1f2d6c409645d5233612d0d353ad74bcd4568" score = 75 quality = 90 tags = "INFO, FILE" @@ -52658,7 +52658,7 @@ rule REVERSINGLABS_Cert_Blocklist_05054Fdea356F3Dd7Db479Fa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="05:05:4f:de:a3:56:f3:dd:7d:b4:79:fa" and 1474436511<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "05:05:4f:de:a3:56:f3:dd:7d:b4:79:fa" and 1474436511 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52667,13 +52667,13 @@ rule REVERSINGLABS_Cert_Blocklist_08Aaa069E92517F21Ce67Ca713F6Ea63 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d468530e-8a51-583e-a108-e409f0144165" + id = "9758a8b0-bf03-526d-9346-d2784f22b5bb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14858-L14874" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "28ad7e9c75a701425003cde4a7eb10fa471394628cd5004412778d8d7cddb50b" + logic_hash = "v1_sha256_28ad7e9c75a701425003cde4a7eb10fa471394628cd5004412778d8d7cddb50b" score = 75 quality = 90 tags = "INFO, FILE" @@ -52683,7 +52683,7 @@ rule REVERSINGLABS_Cert_Blocklist_08Aaa069E92517F21Ce67Ca713F6Ea63 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "pioneersoft" and pe.signatures[i].serial=="08:aa:a0:69:e9:25:17:f2:1c:e6:7c:a7:13:f6:ea:63" and 1368403200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "pioneersoft" and pe.signatures [ i ] . serial == "08:aa:a0:69:e9:25:17:f2:1c:e6:7c:a7:13:f6:ea:63" and 1368403200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52692,13 +52692,13 @@ rule REVERSINGLABS_Cert_Blocklist_1B7B54E0Dd4D7E45A0B46834De52658D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "376da749-3cd4-5e37-b1ee-013e839f98ce" + id = "e8ab312c-e192-507f-97f1-38fbe226be45" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14876-L14892" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5febbce8c39440bfc4846f509f0b1dd4f71a8b4dc24fa18afb561d26e53c2446" + logic_hash = "v1_sha256_5febbce8c39440bfc4846f509f0b1dd4f71a8b4dc24fa18afb561d26e53c2446" score = 75 quality = 90 tags = "INFO, FILE" @@ -52708,7 +52708,7 @@ rule REVERSINGLABS_Cert_Blocklist_1B7B54E0Dd4D7E45A0B46834De52658D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="1b:7b:54:e0:dd:4d:7e:45:a0:b4:68:34:de:52:65:8d" and 1476662400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "1b:7b:54:e0:dd:4d:7e:45:a0:b4:68:34:de:52:65:8d" and 1476662400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52717,13 +52717,13 @@ rule REVERSINGLABS_Cert_Blocklist_B63E4299D0B0E2Dcdaeb976167A23235 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "44af31cc-e0c9-5f3f-9645-a0453bc81e62" + id = "6c082d8d-cb84-5bb4-a6d2-7fa935b9d9fc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14894-L14912" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "da7415d0bc0245dea6a4ec325da5140c79c723c20fb7c04ff14f59a3089a5c88" + logic_hash = "v1_sha256_da7415d0bc0245dea6a4ec325da5140c79c723c20fb7c04ff14f59a3089a5c88" score = 75 quality = 90 tags = "INFO, FILE" @@ -52733,7 +52733,7 @@ rule REVERSINGLABS_Cert_Blocklist_B63E4299D0B0E2Dcdaeb976167A23235 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Baltservis LLC" and (pe.signatures[i].serial=="00:b6:3e:42:99:d0:b0:e2:dc:da:eb:97:61:67:a2:32:35" or pe.signatures[i].serial=="b6:3e:42:99:d0:b0:e2:dc:da:eb:97:61:67:a2:32:35") and 1604102400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Baltservis LLC" and ( pe.signatures [ i ] . serial == "00:b6:3e:42:99:d0:b0:e2:dc:da:eb:97:61:67:a2:32:35" or pe.signatures [ i ] . serial == "b6:3e:42:99:d0:b0:e2:dc:da:eb:97:61:67:a2:32:35" ) and 1604102400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52742,13 +52742,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Dabae616705F5A51152Eac48423F354 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8b050402-d5d3-5733-9a72-02386d850a04" + id = "cceeb5bc-dd0f-5360-ad5a-1c4d60f4ed8b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14914-L14930" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0bb14ececa3a78e1a2e71cfdee8bc57678251b15151d156ef5fa754b2438ee35" + logic_hash = "v1_sha256_0bb14ececa3a78e1a2e71cfdee8bc57678251b15151d156ef5fa754b2438ee35" score = 75 quality = 90 tags = "INFO, FILE" @@ -52758,7 +52758,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Dabae616705F5A51152Eac48423F354 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="1d:ab:ae:61:67:05:f5:a5:11:52:ea:c4:84:23:f3:54" and 1470960000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "1d:ab:ae:61:67:05:f5:a5:11:52:ea:c4:84:23:f3:54" and 1470960000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52767,13 +52767,13 @@ rule REVERSINGLABS_Cert_Blocklist_50D08F3C9Bf86Fba52Cf592B4Fe6Eacf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f315cdda-4b95-534d-94db-9a04e2da6385" + id = "c20c204a-2510-5111-92aa-36b38ff4996c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14932-L14948" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ca613e4b45b9bb1ef7564b9fc6321bccc0f683298de692a3db2bf841db9010ef" + logic_hash = "v1_sha256_ca613e4b45b9bb1ef7564b9fc6321bccc0f683298de692a3db2bf841db9010ef" score = 75 quality = 90 tags = "INFO, FILE" @@ -52783,7 +52783,7 @@ rule REVERSINGLABS_Cert_Blocklist_50D08F3C9Bf86Fba52Cf592B4Fe6Eacf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CLEVERCYBER LTD" and pe.signatures[i].serial=="50:d0:8f:3c:9b:f8:6f:ba:52:cf:59:2b:4f:e6:ea:cf" and 1518134400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CLEVERCYBER LTD" and pe.signatures [ i ] . serial == "50:d0:8f:3c:9b:f8:6f:ba:52:cf:59:2b:4f:e6:ea:cf" and 1518134400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52792,13 +52792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7C7Fc3616F3157A28F702Cc1Df275Dcd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "78d2adb9-fc1c-5f48-80cb-3f1bd12b6ba5" + id = "7fb866fd-b542-5619-ac6a-5e7d4753922e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14950-L14966" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c2dcea21c7a3e3aef6408f11c23edbce6d8f655f298654552a607a9b0caabb28" + logic_hash = "v1_sha256_c2dcea21c7a3e3aef6408f11c23edbce6d8f655f298654552a607a9b0caabb28" score = 75 quality = 90 tags = "INFO, FILE" @@ -52808,7 +52808,7 @@ rule REVERSINGLABS_Cert_Blocklist_7C7Fc3616F3157A28F702Cc1Df275Dcd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CFES Projects Ltd" and pe.signatures[i].serial=="7c:7f:c3:61:6f:31:57:a2:8f:70:2c:c1:df:27:5d:cd" and 1522972800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CFES Projects Ltd" and pe.signatures [ i ] . serial == "7c:7f:c3:61:6f:31:57:a2:8f:70:2c:c1:df:27:5d:cd" and 1522972800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52817,13 +52817,13 @@ rule REVERSINGLABS_Cert_Blocklist_73Ed1B2F4Bf8Dd37A8Ad9Bb775774592 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "19c9e100-b017-5b5c-8e8f-c94ea9e228c2" + id = "6ae10b54-cef2-59a1-8d76-77a02e22130e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14968-L14984" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "69865935e07ea255a5d690e170911b33574ea61550b00bebc2ceff91ba9a33da" + logic_hash = "v1_sha256_69865935e07ea255a5d690e170911b33574ea61550b00bebc2ceff91ba9a33da" score = 75 quality = 90 tags = "INFO, FILE" @@ -52833,7 +52833,7 @@ rule REVERSINGLABS_Cert_Blocklist_73Ed1B2F4Bf8Dd37A8Ad9Bb775774592 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "5000 LIMITED" and pe.signatures[i].serial=="73:ed:1b:2f:4b:f8:dd:37:a8:ad:9b:b7:75:77:45:92" and 1528243200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "5000 LIMITED" and pe.signatures [ i ] . serial == "73:ed:1b:2f:4b:f8:dd:37:a8:ad:9b:b7:75:77:45:92" and 1528243200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52842,13 +52842,13 @@ rule REVERSINGLABS_Cert_Blocklist_211B5Dfe65Bc6F34Bc9D3A54 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5181b6e4-6a25-58f6-88c5-0eae98250648" + id = "301e01ac-2c13-596b-9a67-11d02eecd0db" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14986-L15002" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cf2e4c0dd98efb77c28b63641196c83e60afc0d6ab64802743c351581506dbb5" + logic_hash = "v1_sha256_cf2e4c0dd98efb77c28b63641196c83e60afc0d6ab64802743c351581506dbb5" score = 75 quality = 90 tags = "INFO, FILE" @@ -52858,7 +52858,7 @@ rule REVERSINGLABS_Cert_Blocklist_211B5Dfe65Bc6F34Bc9D3A54 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RAFO TECHNOLOGY INC" and pe.signatures[i].serial=="21:1b:5d:fe:65:bc:6f:34:bc:9d:3a:54" and 1526717931<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RAFO TECHNOLOGY INC" and pe.signatures [ i ] . serial == "21:1b:5d:fe:65:bc:6f:34:bc:9d:3a:54" and 1526717931 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52867,13 +52867,13 @@ rule REVERSINGLABS_Cert_Blocklist_5400D1C1406528B1Ef625976 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2b35f2db-ebf1-5533-858c-644dbd6dfb2b" + id = "23de6ff7-d94d-527c-9fb1-a47aacff6138" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15004-L15020" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fbdd37e050d68c4287e897f050a673aea071df105a35b07475d3233da3f03feb" + logic_hash = "v1_sha256_fbdd37e050d68c4287e897f050a673aea071df105a35b07475d3233da3f03feb" score = 75 quality = 90 tags = "INFO, FILE" @@ -52883,7 +52883,7 @@ rule REVERSINGLABS_Cert_Blocklist_5400D1C1406528B1Ef625976 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="54:00:d1:c1:40:65:28:b1:ef:62:59:76" and 1474266628<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "54:00:d1:c1:40:65:28:b1:ef:62:59:76" and 1474266628 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52892,13 +52892,13 @@ rule REVERSINGLABS_Cert_Blocklist_013472D7D665557Bfa0Dc21B350A361B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9b63f06d-9808-5936-aad2-d387c74eccdd" + id = "d181bff1-6265-5d47-85bf-26cb0f553a25" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15022-L15038" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ab908ef0fca56753bcba8bc85e2fdf5859b4e226c179ec5c6eb6eb3dc4014a8e" + logic_hash = "v1_sha256_ab908ef0fca56753bcba8bc85e2fdf5859b4e226c179ec5c6eb6eb3dc4014a8e" score = 75 quality = 90 tags = "INFO, FILE" @@ -52908,7 +52908,7 @@ rule REVERSINGLABS_Cert_Blocklist_013472D7D665557Bfa0Dc21B350A361B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yongli Zhang" and pe.signatures[i].serial=="01:34:72:d7:d6:65:55:7b:fa:0d:c2:1b:35:0a:36:1b" and 1470960000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yongli Zhang" and pe.signatures [ i ] . serial == "01:34:72:d7:d6:65:55:7b:fa:0d:c2:1b:35:0a:36:1b" and 1470960000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52917,13 +52917,13 @@ rule REVERSINGLABS_Cert_Blocklist_66C758A22Bfbbce327616815616Ddd07 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4a7130ad-8b66-52a1-afd2-6d10776b4451" + id = "56159231-f06d-57ba-a6fd-b913a027947d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15040-L15056" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "37f0f64e2d84ef6591e1f07a05abca35b37827d26c828269fb5f38d8546a60a7" + logic_hash = "v1_sha256_37f0f64e2d84ef6591e1f07a05abca35b37827d26c828269fb5f38d8546a60a7" score = 75 quality = 90 tags = "INFO, FILE" @@ -52933,7 +52933,7 @@ rule REVERSINGLABS_Cert_Blocklist_66C758A22Bfbbce327616815616Ddd07 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TIM Konstrakshn, TOV" and pe.signatures[i].serial=="66:c7:58:a2:2b:fb:bc:e3:27:61:68:15:61:6d:dd:07" and 1469404800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TIM Konstrakshn, TOV" and pe.signatures [ i ] . serial == "66:c7:58:a2:2b:fb:bc:e3:27:61:68:15:61:6d:dd:07" and 1469404800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52942,13 +52942,13 @@ rule REVERSINGLABS_Cert_Blocklist_E61B0366D940896430Bcfe3E93Baac5B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "24eb38c1-48a5-5d9b-a42d-345c4fda6c36" + id = "9025cf63-6274-597f-9c54-5adbd3f40eaf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15058-L15076" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1b1fd0c2237446ab22c7359d1e89d822a4b9b6ad345447740154d7d52635c2ea" + logic_hash = "v1_sha256_1b1fd0c2237446ab22c7359d1e89d822a4b9b6ad345447740154d7d52635c2ea" score = 75 quality = 90 tags = "INFO, FILE" @@ -52958,7 +52958,7 @@ rule REVERSINGLABS_Cert_Blocklist_E61B0366D940896430Bcfe3E93Baac5B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TRANS LTD" and (pe.signatures[i].serial=="00:e6:1b:03:66:d9:40:89:64:30:bc:fe:3e:93:ba:ac:5b" or pe.signatures[i].serial=="e6:1b:03:66:d9:40:89:64:30:bc:fe:3e:93:ba:ac:5b") and 1528156800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TRANS LTD" and ( pe.signatures [ i ] . serial == "00:e6:1b:03:66:d9:40:89:64:30:bc:fe:3e:93:ba:ac:5b" or pe.signatures [ i ] . serial == "e6:1b:03:66:d9:40:89:64:30:bc:fe:3e:93:ba:ac:5b" ) and 1528156800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52967,13 +52967,13 @@ rule REVERSINGLABS_Cert_Blocklist_6294B8Acc35Dea7D32A95Ac5D4536F8F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bc380123-20fc-55de-ad1c-4f13ac173cc9" + id = "88b72c24-de02-50f6-af2f-7d4533a42b6c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15078-L15094" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ac92ff8e533121071a620ca5280ae66629576f9c4af9831ddac5bb487e4348af" + logic_hash = "v1_sha256_ac92ff8e533121071a620ca5280ae66629576f9c4af9831ddac5bb487e4348af" score = 75 quality = 90 tags = "INFO, FILE" @@ -52983,7 +52983,7 @@ rule REVERSINGLABS_Cert_Blocklist_6294B8Acc35Dea7D32A95Ac5D4536F8F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE9\\x87\\x8D\\xE5\\xBA\\x86\\xE6\\x8E\\xA2\\xE9\\x95\\xBF\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="62:94:b8:ac:c3:5d:ea:7d:32:a9:5a:c5:d4:53:6f:8f" and 1517443200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE9\\x87\\x8D\\xE5\\xBA\\x86\\xE6\\x8E\\xA2\\xE9\\x95\\xBF\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "62:94:b8:ac:c3:5d:ea:7d:32:a9:5a:c5:d4:53:6f:8f" and 1517443200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -52992,13 +52992,13 @@ rule REVERSINGLABS_Cert_Blocklist_485E4626C32493C16283Cfd9E30D17Ad : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7e6834e5-ce32-5ba6-82cf-99d7b90fb4f0" + id = "b047f50b-0aaf-55ff-8bbd-0aab08884564" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15096-L15112" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "faf860786e8473493d24abf6e61cf0b906e98d786516be6d2098181368214020" + logic_hash = "v1_sha256_faf860786e8473493d24abf6e61cf0b906e98d786516be6d2098181368214020" score = 75 quality = 90 tags = "INFO, FILE" @@ -53008,7 +53008,7 @@ rule REVERSINGLABS_Cert_Blocklist_485E4626C32493C16283Cfd9E30D17Ad : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="48:5e:46:26:c3:24:93:c1:62:83:cf:d9:e3:0d:17:ad" and 1473292800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "48:5e:46:26:c3:24:93:c1:62:83:cf:d9:e3:0d:17:ad" and 1473292800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53017,13 +53017,13 @@ rule REVERSINGLABS_Cert_Blocklist_D0312F9177Cd46B943Df3Ef22Db4608B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b36ba3c9-4a64-505a-ae27-ec8ee969dc29" + id = "e856c8fb-2c6e-534f-bb30-e469f5ec15f2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15114-L15132" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2eb955e91c927980cee031c6284e48bad315e891c32cdaf41b844090e841c44d" + logic_hash = "v1_sha256_2eb955e91c927980cee031c6284e48bad315e891c32cdaf41b844090e841c44d" score = 75 quality = 90 tags = "INFO, FILE" @@ -53033,7 +53033,7 @@ rule REVERSINGLABS_Cert_Blocklist_D0312F9177Cd46B943Df3Ef22Db4608B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "United Systems Technology, Inc." and (pe.signatures[i].serial=="00:d0:31:2f:91:77:cd:46:b9:43:df:3e:f2:2d:b4:60:8b" or pe.signatures[i].serial=="d0:31:2f:91:77:cd:46:b9:43:df:3e:f2:2d:b4:60:8b") and 1341273600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "United Systems Technology, Inc." and ( pe.signatures [ i ] . serial == "00:d0:31:2f:91:77:cd:46:b9:43:df:3e:f2:2d:b4:60:8b" or pe.signatures [ i ] . serial == "d0:31:2f:91:77:cd:46:b9:43:df:3e:f2:2d:b4:60:8b" ) and 1341273600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53042,13 +53042,13 @@ rule REVERSINGLABS_Cert_Blocklist_202702 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "befb8867-37d6-5b0a-9801-c069b92f8edc" + id = "cb88737f-3370-5990-b3c6-a765a9d3ae60" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15134-L15150" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bc097e97c1c4c4a71cbf66be811636fecfa23682cb2cc47ab1fcd680a646fb14" + logic_hash = "v1_sha256_bc097e97c1c4c4a71cbf66be811636fecfa23682cb2cc47ab1fcd680a646fb14" score = 75 quality = 90 tags = "INFO, FILE" @@ -53058,7 +53058,7 @@ rule REVERSINGLABS_Cert_Blocklist_202702 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RDCTO Ltd" and pe.signatures[i].serial=="20:27:02" and 1087391361<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RDCTO Ltd" and pe.signatures [ i ] . serial == "20:27:02" and 1087391361 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53067,13 +53067,13 @@ rule REVERSINGLABS_Cert_Blocklist_369A02E5D90B2649040E7F87 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2b81466f-3eb1-5c12-8878-9257dde968fb" + id = "0442a302-2c79-52e1-accd-44962339af9a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15152-L15168" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e2a2e231914f166410580a42ca9d4aac18c5cba94d1f11d22e7acd6d375851d8" + logic_hash = "v1_sha256_e2a2e231914f166410580a42ca9d4aac18c5cba94d1f11d22e7acd6d375851d8" score = 75 quality = 90 tags = "INFO, FILE" @@ -53083,7 +53083,7 @@ rule REVERSINGLABS_Cert_Blocklist_369A02E5D90B2649040E7F87 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="36:9a:02:e5:d9:0b:26:49:04:0e:7f:87" and 1479094204<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "36:9a:02:e5:d9:0b:26:49:04:0e:7f:87" and 1479094204 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53092,13 +53092,13 @@ rule REVERSINGLABS_Cert_Blocklist_60497070Ff4A83Bc87Bdea24Da5B431D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "510ab702-103b-5863-ac9a-46a917879e72" + id = "d80b8435-311e-5a42-a830-1413dc300b28" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15170-L15186" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "30998e3f5299a37cdee83b1232249b84dbb3c154ef99237da5ce1b16f9db5da3" + logic_hash = "v1_sha256_30998e3f5299a37cdee83b1232249b84dbb3c154ef99237da5ce1b16f9db5da3" score = 75 quality = 90 tags = "INFO, FILE" @@ -53108,7 +53108,7 @@ rule REVERSINGLABS_Cert_Blocklist_60497070Ff4A83Bc87Bdea24Da5B431D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="60:49:70:70:ff:4a:83:bc:87:bd:ea:24:da:5b:43:1d" and 1477008000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "60:49:70:70:ff:4a:83:bc:87:bd:ea:24:da:5b:43:1d" and 1477008000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53117,13 +53117,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A333E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5eaac242-ca22-5c73-9027-308d351080bf" + id = "ad94e250-1cd1-57c5-8e04-9b9ab98f446d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15188-L15204" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f76d21e0ae2cf9b28825c813fc509d533c10aba38f8f0c2884365047c1272c1f" + logic_hash = "v1_sha256_f76d21e0ae2cf9b28825c813fc509d533c10aba38f8f0c2884365047c1272c1f" score = 75 quality = 90 tags = "INFO, FILE" @@ -53133,7 +53133,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A333E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Coulomb Limited" and pe.signatures[i].serial=="0a:33:3e" and 1052750648<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Coulomb Limited" and pe.signatures [ i ] . serial == "0a:33:3e" and 1052750648 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53142,13 +53142,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb6519B2528D006D1Da987153Dad2B3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "774e28f7-46ba-533d-a73c-00d2536c7d2b" + id = "eb68bdc7-bc08-5990-a901-83d6aca820a2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15206-L15222" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "776402fc3a7de4843373bc1981f965fe9c2a9f1fe2374b142a96952fd05a591b" + logic_hash = "v1_sha256_776402fc3a7de4843373bc1981f965fe9c2a9f1fe2374b142a96952fd05a591b" score = 75 quality = 90 tags = "INFO, FILE" @@ -53158,7 +53158,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb6519B2528D006D1Da987153Dad2B3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "D and D Internet Services" and pe.signatures[i].serial=="1c:b6:51:9b:25:28:d0:06:d1:da:98:71:53:da:d2:b3" and 1012780800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "D and D Internet Services" and pe.signatures [ i ] . serial == "1c:b6:51:9b:25:28:d0:06:d1:da:98:71:53:da:d2:b3" and 1012780800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53167,13 +53167,13 @@ rule REVERSINGLABS_Cert_Blocklist_621E696C3A6371E77A678Cbf0Ee34Ab2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "606749dc-f4ef-526a-8583-486401866759" + id = "0d57ef1b-adfa-5139-b594-c838c3e91286" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15224-L15240" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "67c9fd92681d6dd1172509113e167e74e07f1f86fd62456758b3e3930180b528" + logic_hash = "v1_sha256_67c9fd92681d6dd1172509113e167e74e07f1f86fd62456758b3e3930180b528" score = 75 quality = 90 tags = "INFO, FILE" @@ -53183,7 +53183,7 @@ rule REVERSINGLABS_Cert_Blocklist_621E696C3A6371E77A678Cbf0Ee34Ab2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="62:1e:69:6c:3a:63:71:e7:7a:67:8c:bf:0e:e3:4a:b2" and 1467072000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "62:1e:69:6c:3a:63:71:e7:7a:67:8c:bf:0e:e3:4a:b2" and 1467072000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53192,13 +53192,13 @@ rule REVERSINGLABS_Cert_Blocklist_21B991 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "333a0901-21e7-5b4a-8daa-6a04fc2c4e86" + id = "2383e664-f818-5d58-9a52-c47d2a50302e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15242-L15258" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "54ca9b19adfc9357a3fb74f0670ad929319c4d06a7de7ae400f8285a31052276" + logic_hash = "v1_sha256_54ca9b19adfc9357a3fb74f0670ad929319c4d06a7de7ae400f8285a31052276" score = 75 quality = 90 tags = "INFO, FILE" @@ -53208,7 +53208,7 @@ rule REVERSINGLABS_Cert_Blocklist_21B991 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Web Nexus d.o.o." and pe.signatures[i].serial=="21:b9:91" and 1125477041<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Web Nexus d.o.o." and pe.signatures [ i ] . serial == "21:b9:91" and 1125477041 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53217,13 +53217,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Cc37De5Dbed097F98F56Dbc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8c362133-a30f-599d-88e0-a1448433178a" + id = "e047ff92-dab8-5dd6-a944-da5029f9fd70" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15260-L15276" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a2d04275b9fe37308c8f1dca75f4cc3c4a8985930f901e1f46e3ddc2977eea32" + logic_hash = "v1_sha256_a2d04275b9fe37308c8f1dca75f4cc3c4a8985930f901e1f46e3ddc2977eea32" score = 75 quality = 90 tags = "INFO, FILE" @@ -53233,7 +53233,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Cc37De5Dbed097F98F56Dbc : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="1c:c3:7d:e5:db:ed:09:7f:98:f5:6d:bc" and 1476693977<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "1c:c3:7d:e5:db:ed:09:7f:98:f5:6d:bc" and 1476693977 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53242,13 +53242,13 @@ rule REVERSINGLABS_Cert_Blocklist_50F66Ab0D7Ed19B69D48F635E69572Fa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9938b4c5-4a2b-5f4a-92a0-28c3519b1ed3" + id = "104a1b03-f087-5196-9d02-d14de8d21ae5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15278-L15294" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "28f71c0572e769d4a0cb289071912bc79cddfd98a3a8161c5400c7bee7090bf5" + logic_hash = "v1_sha256_28f71c0572e769d4a0cb289071912bc79cddfd98a3a8161c5400c7bee7090bf5" score = 75 quality = 90 tags = "INFO, FILE" @@ -53258,7 +53258,7 @@ rule REVERSINGLABS_Cert_Blocklist_50F66Ab0D7Ed19B69D48F635E69572Fa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Wei Liu" and pe.signatures[i].serial=="50:f6:6a:b0:d7:ed:19:b6:9d:48:f6:35:e6:95:72:fa" and 1467158400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Wei Liu" and pe.signatures [ i ] . serial == "50:f6:6a:b0:d7:ed:19:b6:9d:48:f6:35:e6:95:72:fa" and 1467158400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53267,13 +53267,13 @@ rule REVERSINGLABS_Cert_Blocklist_11212F502836A784752160351Defb136Cf09 : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7609083d-145b-5594-a04b-72c2862873eb" + id = "597d0b5d-1be6-585d-8d07-dfb30b500438" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15296-L15312" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "63d4c1aaafdf6de14d0ae78035644cf6b0fefab8b0063d2566ca38af9f9498d2" + logic_hash = "v1_sha256_63d4c1aaafdf6de14d0ae78035644cf6b0fefab8b0063d2566ca38af9f9498d2" score = 75 quality = 90 tags = "INFO, FILE" @@ -53283,7 +53283,7 @@ rule REVERSINGLABS_Cert_Blocklist_11212F502836A784752160351Defb136Cf09 : INFO FI importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "EVANGEL TECHNOLOGY(HK) LIMITED" and pe.signatures[i].serial=="11:21:2f:50:28:36:a7:84:75:21:60:35:1d:ef:b1:36:cf:09" and 1463726573<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "EVANGEL TECHNOLOGY(HK) LIMITED" and pe.signatures [ i ] . serial == "11:21:2f:50:28:36:a7:84:75:21:60:35:1d:ef:b1:36:cf:09" and 1463726573 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53292,13 +53292,13 @@ rule REVERSINGLABS_Cert_Blocklist_2C16Be9A7Ce2A23Ab7A4B4Eb7Da3400C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4e17aed7-fd76-549f-bcf7-84c97efc44e4" + id = "9d4c474f-a684-5c02-b4f2-05bbaf36851c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15314-L15330" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "917f324cbe91718efc9b2f41ef947fa8f1a501dde319936774d702d57b1e6b37" + logic_hash = "v1_sha256_917f324cbe91718efc9b2f41ef947fa8f1a501dde319936774d702d57b1e6b37" score = 75 quality = 90 tags = "INFO, FILE" @@ -53308,7 +53308,7 @@ rule REVERSINGLABS_Cert_Blocklist_2C16Be9A7Ce2A23Ab7A4B4Eb7Da3400C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Prince city music bar" and pe.signatures[i].serial=="2c:16:be:9a:7c:e2:a2:3a:b7:a4:b4:eb:7d:a3:40:0c" and 1371081600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Prince city music bar" and pe.signatures [ i ] . serial == "2c:16:be:9a:7c:e2:a2:3a:b7:a4:b4:eb:7d:a3:40:0c" and 1371081600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53317,13 +53317,13 @@ rule REVERSINGLABS_Cert_Blocklist_22Accad235Fb1Ac7422Ebe5Ea7Ac9Bc5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "218543f3-298f-5038-8fa9-3abeda9e4d8f" + id = "0d13dc14-2c84-55b0-bd1f-4086f424c257" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15332-L15348" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b348c502aeae036f6d17283260ed4479427f89c8c25f2b6d59e137e90694dbe4" + logic_hash = "v1_sha256_b348c502aeae036f6d17283260ed4479427f89c8c25f2b6d59e137e90694dbe4" score = 75 quality = 90 tags = "INFO, FILE" @@ -53333,7 +53333,7 @@ rule REVERSINGLABS_Cert_Blocklist_22Accad235Fb1Ac7422Ebe5Ea7Ac9Bc5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "IMS INTERACTIVE MEDIA SOLUTIONS" and pe.signatures[i].serial=="22:ac:ca:d2:35:fb:1a:c7:42:2e:be:5e:a7:ac:9b:c5" and 1019001600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "IMS INTERACTIVE MEDIA SOLUTIONS" and pe.signatures [ i ] . serial == "22:ac:ca:d2:35:fb:1a:c7:42:2e:be:5e:a7:ac:9b:c5" and 1019001600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53342,13 +53342,13 @@ rule REVERSINGLABS_Cert_Blocklist_4D29757C4Fbfc32B97091D96E3723002 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e1834597-4e45-5866-97f4-e00c79190930" + id = "95edd9f4-cda9-5f87-8d95-c9d995962094" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15350-L15366" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "78ede4b02cb1b07500cd0c4f1f33da598938940d0f58430edda00d79b19b16a5" + logic_hash = "v1_sha256_78ede4b02cb1b07500cd0c4f1f33da598938940d0f58430edda00d79b19b16a5" score = 75 quality = 90 tags = "INFO, FILE" @@ -53358,7 +53358,7 @@ rule REVERSINGLABS_Cert_Blocklist_4D29757C4Fbfc32B97091D96E3723002 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="4d:29:75:7c:4f:bf:c3:2b:97:09:1d:96:e3:72:30:02" and 1474848000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "4d:29:75:7c:4f:bf:c3:2b:97:09:1d:96:e3:72:30:02" and 1474848000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53367,13 +53367,13 @@ rule REVERSINGLABS_Cert_Blocklist_3A949Ef03D9Dd2D150B24B274Ff6D7B4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6ea47017-1296-5409-8ff2-ef69434233ff" + id = "41adf049-7cfb-5f5f-bcf4-1ac7d16f6035" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15368-L15384" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "88c63a921a300e1b985d084c3ab1a2485713b4c674dafd419d092e5562f121d7" + logic_hash = "v1_sha256_88c63a921a300e1b985d084c3ab1a2485713b4c674dafd419d092e5562f121d7" score = 75 quality = 90 tags = "INFO, FILE" @@ -53383,7 +53383,7 @@ rule REVERSINGLABS_Cert_Blocklist_3A949Ef03D9Dd2D150B24B274Ff6D7B4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="3a:94:9e:f0:3d:9d:d2:d1:50:b2:4b:27:4f:f6:d7:b4" and 1474156800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "3a:94:9e:f0:3d:9d:d2:d1:50:b2:4b:27:4f:f6:d7:b4" and 1474156800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53392,13 +53392,13 @@ rule REVERSINGLABS_Cert_Blocklist_954D0577D5Ce8999E0387A5364829F66 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "70e770dd-95fd-5273-b6ee-9bb5eea30e3b" + id = "62e9febe-fdf7-5a96-b721-2739e5fc290d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15386-L15404" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "84ddc08a0a55200f644778a0e3482f15e82d74c524f12a7ad91b1c3d4acfc731" + logic_hash = "v1_sha256_84ddc08a0a55200f644778a0e3482f15e82d74c524f12a7ad91b1c3d4acfc731" score = 75 quality = 90 tags = "INFO, FILE" @@ -53408,7 +53408,7 @@ rule REVERSINGLABS_Cert_Blocklist_954D0577D5Ce8999E0387A5364829F66 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Soblosol Limited" and (pe.signatures[i].serial=="00:95:4d:05:77:d5:ce:89:99:e0:38:7a:53:64:82:9f:66" or pe.signatures[i].serial=="95:4d:05:77:d5:ce:89:99:e0:38:7a:53:64:82:9f:66") and 1543968000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Soblosol Limited" and ( pe.signatures [ i ] . serial == "00:95:4d:05:77:d5:ce:89:99:e0:38:7a:53:64:82:9f:66" or pe.signatures [ i ] . serial == "95:4d:05:77:d5:ce:89:99:e0:38:7a:53:64:82:9f:66" ) and 1543968000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53417,13 +53417,13 @@ rule REVERSINGLABS_Cert_Blocklist_Df5121Dc99D1Ab6B7E5229F6832123Ef : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8dfc50be-7316-5a52-937b-4551aa642b7e" + id = "4448b62d-8c44-5a4b-b887-da4934ba1893" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15406-L15424" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3b5e5b81890f1dea3dc0858cade54e7f88a21861818be79c3e7fba066f80d491" + logic_hash = "v1_sha256_3b5e5b81890f1dea3dc0858cade54e7f88a21861818be79c3e7fba066f80d491" score = 75 quality = 90 tags = "INFO, FILE" @@ -53433,7 +53433,7 @@ rule REVERSINGLABS_Cert_Blocklist_Df5121Dc99D1Ab6B7E5229F6832123Ef : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "INC SALYUT" and (pe.signatures[i].serial=="00:df:51:21:dc:99:d1:ab:6b:7e:52:29:f6:83:21:23:ef" or pe.signatures[i].serial=="df:51:21:dc:99:d1:ab:6b:7e:52:29:f6:83:21:23:ef") and 1613433600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "INC SALYUT" and ( pe.signatures [ i ] . serial == "00:df:51:21:dc:99:d1:ab:6b:7e:52:29:f6:83:21:23:ef" or pe.signatures [ i ] . serial == "df:51:21:dc:99:d1:ab:6b:7e:52:29:f6:83:21:23:ef" ) and 1613433600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53442,13 +53442,13 @@ rule REVERSINGLABS_Cert_Blocklist_760Cef386B63406751Ae83A9Eae92342 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c2cbd1fd-ef68-5128-9c45-88b73a49130f" + id = "793fbe35-45cd-5105-814f-5a56f1533721" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15426-L15442" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "43b56736afe081a1215db67b933413d7fbafbfc1be8213b330668578921ebca7" + logic_hash = "v1_sha256_43b56736afe081a1215db67b933413d7fbafbfc1be8213b330668578921ebca7" score = 75 quality = 90 tags = "INFO, FILE" @@ -53458,7 +53458,7 @@ rule REVERSINGLABS_Cert_Blocklist_760Cef386B63406751Ae83A9Eae92342 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Gidrokon LLC" and pe.signatures[i].serial=="76:0c:ef:38:6b:63:40:67:51:ae:83:a9:ea:e9:23:42" and 1601942400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Gidrokon LLC" and pe.signatures [ i ] . serial == "76:0c:ef:38:6b:63:40:67:51:ae:83:a9:ea:e9:23:42" and 1601942400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53467,13 +53467,13 @@ rule REVERSINGLABS_Cert_Blocklist_5C2625Fa836A64F4882C56Cc7A45F0Ed : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "db968865-fb1e-57b5-8968-6510e83c02ac" + id = "1c67f200-60d6-5c17-ae27-e83a1fa8aaaa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15444-L15460" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "85e187684d62c33ef6f69323b837ef2d44facab8278b512d7bd6afd49eaed976" + logic_hash = "v1_sha256_85e187684d62c33ef6f69323b837ef2d44facab8278b512d7bd6afd49eaed976" score = 75 quality = 90 tags = "INFO, FILE" @@ -53483,7 +53483,7 @@ rule REVERSINGLABS_Cert_Blocklist_5C2625Fa836A64F4882C56Cc7A45F0Ed : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="5c:26:25:fa:83:6a:64:f4:88:2c:56:cc:7a:45:f0:ed" and 1474416000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "5c:26:25:fa:83:6a:64:f4:88:2c:56:cc:7a:45:f0:ed" and 1474416000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53492,13 +53492,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Df6Fa580F84493C414Ee0E431086737 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "27afa64e-0c9e-58ca-a4e1-db97cde66427" + id = "7a0fabd2-3b29-5414-aa6c-005b57f4f6fc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15462-L15478" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ef244587c9eb1e1cb2f8a9c161e5dd9ff70e9764586f16e011334400ee400ed9" + logic_hash = "v1_sha256_ef244587c9eb1e1cb2f8a9c161e5dd9ff70e9764586f16e011334400ee400ed9" score = 75 quality = 90 tags = "INFO, FILE" @@ -53508,7 +53508,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Df6Fa580F84493C414Ee0E431086737 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="7d:f6:fa:58:0f:84:49:3c:41:4e:e0:e4:31:08:67:37" and 1477440000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "7d:f6:fa:58:0f:84:49:3c:41:4e:e0:e4:31:08:67:37" and 1477440000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53517,13 +53517,13 @@ rule REVERSINGLABS_Cert_Blocklist_309D2E115F1Fe2993Ee2E063 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7182f3f2-7b2a-5c29-b7a9-607feafbe570" + id = "ae735ab8-3c12-5363-afd8-28e1d3cc76bb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15480-L15496" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "15fdb95fe5429cdc0263615c2b7c90d21f37b52954c5ce568c1293cd3a544730" + logic_hash = "v1_sha256_15fdb95fe5429cdc0263615c2b7c90d21f37b52954c5ce568c1293cd3a544730" score = 75 quality = 90 tags = "INFO, FILE" @@ -53533,7 +53533,7 @@ rule REVERSINGLABS_Cert_Blocklist_309D2E115F1Fe2993Ee2E063 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="30:9d:2e:11:5f:1f:e2:99:3e:e2:e0:63" and 1467102525<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "30:9d:2e:11:5f:1f:e2:99:3e:e2:e0:63" and 1467102525 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53542,13 +53542,13 @@ rule REVERSINGLABS_Cert_Blocklist_90E33C1068F54913315B6Ce9311141B9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "61c5d5ed-ca2c-5f71-893b-4c933b37fa27" + id = "806002dc-f147-532e-a72a-864a33572755" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15498-L15516" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4a97171c6dfaa8d249ab0be1ce264b596d266ff4697d869a4d1f90cc0e2c49b7" + logic_hash = "v1_sha256_4a97171c6dfaa8d249ab0be1ce264b596d266ff4697d869a4d1f90cc0e2c49b7" score = 75 quality = 90 tags = "INFO, FILE" @@ -53558,7 +53558,7 @@ rule REVERSINGLABS_Cert_Blocklist_90E33C1068F54913315B6Ce9311141B9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GERMES, OOO" and (pe.signatures[i].serial=="00:90:e3:3c:10:68:f5:49:13:31:5b:6c:e9:31:11:41:b9" or pe.signatures[i].serial=="90:e3:3c:10:68:f5:49:13:31:5b:6c:e9:31:11:41:b9") and 1487635200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GERMES, OOO" and ( pe.signatures [ i ] . serial == "00:90:e3:3c:10:68:f5:49:13:31:5b:6c:e9:31:11:41:b9" or pe.signatures [ i ] . serial == "90:e3:3c:10:68:f5:49:13:31:5b:6c:e9:31:11:41:b9" ) and 1487635200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53567,13 +53567,13 @@ rule REVERSINGLABS_Cert_Blocklist_3F15C3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "10bee456-21c0-51a0-988b-43daf65e596b" + id = "1e4ebeed-8b68-5253-916d-15a3eb100f5d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15518-L15534" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "03ea946fa99ed7a6ab23cb26dbf514b6c062d63371c9e2a5ddf999acd1954955" + logic_hash = "v1_sha256_03ea946fa99ed7a6ab23cb26dbf514b6c062d63371c9e2a5ddf999acd1954955" score = 75 quality = 90 tags = "INFO, FILE" @@ -53583,7 +53583,7 @@ rule REVERSINGLABS_Cert_Blocklist_3F15C3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Certified Software" and pe.signatures[i].serial=="3f:15:c3" and 1110577130<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Certified Software" and pe.signatures [ i ] . serial == "3f:15:c3" and 1110577130 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53592,13 +53592,13 @@ rule REVERSINGLABS_Cert_Blocklist_285Eccbd1D0000E640B84307Ef88Cd9F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4dc1523f-edc8-52e2-99aa-7389c0eb5e54" + id = "c19afe42-8c78-5f3a-a2d5-ebe662620a69" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15536-L15552" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "267df1c327b65938b2b82a53ec8345290659560c69c9a70f2866fe7bd73513a7" + logic_hash = "v1_sha256_267df1c327b65938b2b82a53ec8345290659560c69c9a70f2866fe7bd73513a7" score = 75 quality = 90 tags = "INFO, FILE" @@ -53608,7 +53608,7 @@ rule REVERSINGLABS_Cert_Blocklist_285Eccbd1D0000E640B84307Ef88Cd9F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DRAGON BUSINESS EQUIPMENT LIMITED" and pe.signatures[i].serial=="28:5e:cc:bd:1d:00:00:e6:40:b8:43:07:ef:88:cd:9f" and 1611619200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DRAGON BUSINESS EQUIPMENT LIMITED" and pe.signatures [ i ] . serial == "28:5e:cc:bd:1d:00:00:e6:40:b8:43:07:ef:88:cd:9f" and 1611619200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53617,13 +53617,13 @@ rule REVERSINGLABS_Cert_Blocklist_55Ab71A3F9Dde3Ef20C788Dd1D5Ff6C3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c8b5b632-26e6-5a78-99be-b50b1240dbec" + id = "5efde272-280e-52d1-9004-8e857cb3bc03" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15554-L15570" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4bee740eaf359462cd85c6232160c6b1fc3df67acfe731da9978f0b8a304a93f" + logic_hash = "v1_sha256_4bee740eaf359462cd85c6232160c6b1fc3df67acfe731da9978f0b8a304a93f" score = 75 quality = 90 tags = "INFO, FILE" @@ -53633,7 +53633,7 @@ rule REVERSINGLABS_Cert_Blocklist_55Ab71A3F9Dde3Ef20C788Dd1D5Ff6C3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Zhengzhoushi Tiekelian Information Technology Co.,Ltd" and pe.signatures[i].serial=="55:ab:71:a3:f9:dd:e3:ef:20:c7:88:dd:1d:5f:f6:c3" and 1323907200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Zhengzhoushi Tiekelian Information Technology Co.,Ltd" and pe.signatures [ i ] . serial == "55:ab:71:a3:f9:dd:e3:ef:20:c7:88:dd:1d:5f:f6:c3" and 1323907200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53642,13 +53642,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Beca26210737A5442Ff8B47 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "30570c07-9ba1-5b7c-a369-c6def80f9dc5" + id = "997a4895-b4c1-5216-8157-a9c4e88cb354" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15572-L15588" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7a1130413ae8807dc1ec96a6b1c3bac705a1520f7268db2848b997f6f3f9fc9b" + logic_hash = "v1_sha256_7a1130413ae8807dc1ec96a6b1c3bac705a1520f7268db2848b997f6f3f9fc9b" score = 75 quality = 90 tags = "INFO, FILE" @@ -53658,7 +53658,7 @@ rule REVERSINGLABS_Cert_Blocklist_4Beca26210737A5442Ff8B47 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="4b:ec:a2:62:10:73:7a:54:42:ff:8b:47" and 1476437049<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "4b:ec:a2:62:10:73:7a:54:42:ff:8b:47" and 1476437049 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53667,13 +53667,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F203839A9C63B8798A7Cb31 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dc8428f3-ff28-5fcf-9855-f20c68973afe" + id = "3d6a258f-e472-5768-86cd-1d2c2db6728a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15590-L15606" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "604ba3fa671cc98e42caf80d07bc9650d193f898413517b46482f183b0f7008a" + logic_hash = "v1_sha256_604ba3fa671cc98e42caf80d07bc9650d193f898413517b46482f183b0f7008a" score = 75 quality = 90 tags = "INFO, FILE" @@ -53683,7 +53683,7 @@ rule REVERSINGLABS_Cert_Blocklist_0F203839A9C63B8798A7Cb31 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="0f:20:38:39:a9:c6:3b:87:98:a7:cb:31" and 1480923809<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "0f:20:38:39:a9:c6:3b:87:98:a7:cb:31" and 1480923809 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53692,13 +53692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dc992Ea8E6Bb4926931Df656D5Eef8A0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "506b217e-ea82-5f14-880e-b6c0cbb001fb" + id = "cade3f03-4bc6-50ef-bd18-559d8b062456" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15608-L15626" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2b261624677a1c4a1ef539106bedcef30f272fda3d833d4c8095e9797d592e1f" + logic_hash = "v1_sha256_2b261624677a1c4a1ef539106bedcef30f272fda3d833d4c8095e9797d592e1f" score = 75 quality = 90 tags = "INFO, FILE" @@ -53708,7 +53708,7 @@ rule REVERSINGLABS_Cert_Blocklist_Dc992Ea8E6Bb4926931Df656D5Eef8A0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MEGAPOLISELIT, OOO" and (pe.signatures[i].serial=="00:dc:99:2e:a8:e6:bb:49:26:93:1d:f6:56:d5:ee:f8:a0" or pe.signatures[i].serial=="dc:99:2e:a8:e6:bb:49:26:93:1d:f6:56:d5:ee:f8:a0") and 1497916800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MEGAPOLISELIT, OOO" and ( pe.signatures [ i ] . serial == "00:dc:99:2e:a8:e6:bb:49:26:93:1d:f6:56:d5:ee:f8:a0" or pe.signatures [ i ] . serial == "dc:99:2e:a8:e6:bb:49:26:93:1d:f6:56:d5:ee:f8:a0" ) and 1497916800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53717,13 +53717,13 @@ rule REVERSINGLABS_Cert_Blocklist_41Bd49Bb456644D8183B3Dae72Ec8F22 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4645eeae-2aea-59aa-a6bf-095bb9d0d711" + id = "6267cf29-61d7-593c-9921-7bbacdcb5eca" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15628-L15644" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0516af7b27d244f21c9cea62fe599725d412e385e34f5f3f4f618d565365d321" + logic_hash = "v1_sha256_0516af7b27d244f21c9cea62fe599725d412e385e34f5f3f4f618d565365d321" score = 75 quality = 90 tags = "INFO, FILE" @@ -53733,7 +53733,7 @@ rule REVERSINGLABS_Cert_Blocklist_41Bd49Bb456644D8183B3Dae72Ec8F22 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="41:bd:49:bb:45:66:44:d8:18:3b:3d:ae:72:ec:8f:22" and 1468454400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "41:bd:49:bb:45:66:44:d8:18:3b:3d:ae:72:ec:8f:22" and 1468454400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53742,13 +53742,13 @@ rule REVERSINGLABS_Cert_Blocklist_A8D40Da6708679C08Aebddea6D3F6B8A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a4224bf1-1875-5b2c-b79d-998d3766d163" + id = "c7bc8e95-aae7-5341-8dfe-11966ecdf33e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15646-L15664" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "27ec32791eaeccb8aa95d023c4fc8943f0435c32d8a17bde98d7d0b02ba17e59" + logic_hash = "v1_sha256_27ec32791eaeccb8aa95d023c4fc8943f0435c32d8a17bde98d7d0b02ba17e59" score = 75 quality = 90 tags = "INFO, FILE" @@ -53758,7 +53758,7 @@ rule REVERSINGLABS_Cert_Blocklist_A8D40Da6708679C08Aebddea6D3F6B8A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VELES LTD." and (pe.signatures[i].serial=="00:a8:d4:0d:a6:70:86:79:c0:8a:eb:dd:ea:6d:3f:6b:8a" or pe.signatures[i].serial=="a8:d4:0d:a6:70:86:79:c0:8a:eb:dd:ea:6d:3f:6b:8a") and 1547424000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VELES LTD." and ( pe.signatures [ i ] . serial == "00:a8:d4:0d:a6:70:86:79:c0:8a:eb:dd:ea:6d:3f:6b:8a" or pe.signatures [ i ] . serial == "a8:d4:0d:a6:70:86:79:c0:8a:eb:dd:ea:6d:3f:6b:8a" ) and 1547424000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53767,13 +53767,13 @@ rule REVERSINGLABS_Cert_Blocklist_307642E1F3A92C6Cc2E7Fb6E18F2Ddcb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6dd35efb-daea-5668-a01d-f5b80371b04c" + id = "7602e88e-0ce4-5bac-846e-e5ee1d9baf03" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15666-L15682" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8c96fbd10672b0b258a80f3abaf0320540c5ff0a4636f011cfe7cfa8ccc482d0" + logic_hash = "v1_sha256_8c96fbd10672b0b258a80f3abaf0320540c5ff0a4636f011cfe7cfa8ccc482d0" score = 75 quality = 90 tags = "INFO, FILE" @@ -53783,7 +53783,7 @@ rule REVERSINGLABS_Cert_Blocklist_307642E1F3A92C6Cc2E7Fb6E18F2Ddcb : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "IBM" and pe.signatures[i].serial=="30:76:42:e1:f3:a9:2c:6c:c2:e7:fb:6e:18:f2:dd:cb" and 1500422400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "IBM" and pe.signatures [ i ] . serial == "30:76:42:e1:f3:a9:2c:6c:c2:e7:fb:6e:18:f2:dd:cb" and 1500422400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53792,13 +53792,13 @@ rule REVERSINGLABS_Cert_Blocklist_52379131A1C69263C795A7D398Db0997 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "478994c1-c1c4-5f11-b78f-fe237b687bef" + id = "22b2e5b4-0fe1-5ceb-96de-ddf17c9a330b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15684-L15700" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "245e994024e08add755ec704b895286c115ac00eb5aeecde98fce96f35f6e9e0" + logic_hash = "v1_sha256_245e994024e08add755ec704b895286c115ac00eb5aeecde98fce96f35f6e9e0" score = 75 quality = 90 tags = "INFO, FILE" @@ -53808,7 +53808,7 @@ rule REVERSINGLABS_Cert_Blocklist_52379131A1C69263C795A7D398Db0997 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures[i].serial=="52:37:91:31:a1:c6:92:63:c7:95:a7:d3:98:db:09:97" and 1476748800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures [ i ] . serial == "52:37:91:31:a1:c6:92:63:c7:95:a7:d3:98:db:09:97" and 1476748800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53817,13 +53817,13 @@ rule REVERSINGLABS_Cert_Blocklist_44312Cb9A927B4111360762B4D4Bdd6D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9bc1a8f4-36b7-52bd-9a65-fcd8ec2acf92" + id = "394edc06-9c9e-55f5-b5dd-b0878aff91ec" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15702-L15718" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8e34636ed815812af478dd01eacd5298fa2cfeb420ee2f45e055f557534cae71" + logic_hash = "v1_sha256_8e34636ed815812af478dd01eacd5298fa2cfeb420ee2f45e055f557534cae71" score = 75 quality = 90 tags = "INFO, FILE" @@ -53833,7 +53833,7 @@ rule REVERSINGLABS_Cert_Blocklist_44312Cb9A927B4111360762B4D4Bdd6D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BEAR ADAMS CONSULTING LIMITED" and pe.signatures[i].serial=="44:31:2c:b9:a9:27:b4:11:13:60:76:2b:4d:4b:dd:6d" and 1554768000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BEAR ADAMS CONSULTING LIMITED" and pe.signatures [ i ] . serial == "44:31:2c:b9:a9:27:b4:11:13:60:76:2b:4d:4b:dd:6d" and 1554768000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53842,13 +53842,13 @@ rule REVERSINGLABS_Cert_Blocklist_123A5074069162F4Ed68Fc7D48F464C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "601ddd98-8cd5-5c52-a59a-d4a0556fc316" + id = "3c45d36b-2cb1-5666-a4f6-94180cd4a926" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15720-L15736" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f55835c7404edab96bc5c8fe3844f3380f1f6bc8b43da1d51213de899629e8f5" + logic_hash = "v1_sha256_f55835c7404edab96bc5c8fe3844f3380f1f6bc8b43da1d51213de899629e8f5" score = 75 quality = 90 tags = "INFO, FILE" @@ -53858,7 +53858,7 @@ rule REVERSINGLABS_Cert_Blocklist_123A5074069162F4Ed68Fc7D48F464C2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="12:3a:50:74:06:91:62:f4:ed:68:fc:7d:48:f4:64:c2" and 1472428800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "12:3a:50:74:06:91:62:f4:ed:68:fc:7d:48:f4:64:c2" and 1472428800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53867,13 +53867,13 @@ rule REVERSINGLABS_Cert_Blocklist_64Eb04B8Def382B5Efa75F63E0E85Ad0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5f4da614-3bc8-5ae8-b04b-e4b3972522ff" + id = "c6b4bed3-1086-59e8-b59e-f7a05add5d98" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15738-L15754" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "03adb8a9bf2a8f0633b34d5c39816b47e60b9e598208f7de79ad9d9a7ab8cc5e" + logic_hash = "v1_sha256_03adb8a9bf2a8f0633b34d5c39816b47e60b9e598208f7de79ad9d9a7ab8cc5e" score = 75 quality = 90 tags = "INFO, FILE" @@ -53883,7 +53883,7 @@ rule REVERSINGLABS_Cert_Blocklist_64Eb04B8Def382B5Efa75F63E0E85Ad0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "TOV \"MARIYA\"" and pe.signatures[i].serial=="64:eb:04:b8:de:f3:82:b5:ef:a7:5f:63:e0:e8:5a:d0" and 1535587200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "TOV \"MARIYA\"" and pe.signatures [ i ] . serial == "64:eb:04:b8:de:f3:82:b5:ef:a7:5f:63:e0:e8:5a:d0" and 1535587200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53892,13 +53892,13 @@ rule REVERSINGLABS_Cert_Blocklist_76D8D908Eed2F9857Dc5676A680Ceac9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f7eae73e-6b12-5507-846e-d3b409243adf" + id = "dbc78450-e2a4-55f2-89ba-0b398f5f8c08" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15756-L15772" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "87f9930967d5832d3003672eeb89669b54feed1ca2ea5eec478c50e3cb7a7571" + logic_hash = "v1_sha256_87f9930967d5832d3003672eeb89669b54feed1ca2ea5eec478c50e3cb7a7571" score = 75 quality = 90 tags = "INFO, FILE" @@ -53908,7 +53908,7 @@ rule REVERSINGLABS_Cert_Blocklist_76D8D908Eed2F9857Dc5676A680Ceac9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="76:d8:d9:08:ee:d2:f9:85:7d:c5:67:6a:68:0c:ea:c9" and 1467158400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "76:d8:d9:08:ee:d2:f9:85:7d:c5:67:6a:68:0c:ea:c9" and 1467158400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53917,13 +53917,13 @@ rule REVERSINGLABS_Cert_Blocklist_083E3F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b9a1b1a7-2333-5a6f-85c9-6c19d34c4aa4" + id = "f9e36ab4-57b1-58da-9cac-95a3865d6e23" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15774-L15790" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6977d48a2e31235d780cba1b84b39a90e409ee8ea5555e01cbc34989ecd3882d" + logic_hash = "v1_sha256_6977d48a2e31235d780cba1b84b39a90e409ee8ea5555e01cbc34989ecd3882d" score = 75 quality = 90 tags = "INFO, FILE" @@ -53933,7 +53933,7 @@ rule REVERSINGLABS_Cert_Blocklist_083E3F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Telefonicasa" and pe.signatures[i].serial=="08:3e:3f" and 999002664<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Telefonicasa" and pe.signatures [ i ] . serial == "08:3e:3f" and 999002664 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53942,13 +53942,13 @@ rule REVERSINGLABS_Cert_Blocklist_79227311Acdd575759198Dbd3544Cca7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "350f7c25-f20f-5e8f-aa52-163cf3de3be1" + id = "4d5710b5-578d-5ed6-8dd9-82c2e85455d9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15792-L15808" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "73e920d51faf7150329ce189d1693c29a2285a02d54fee27e5af5afe3238295b" + logic_hash = "v1_sha256_73e920d51faf7150329ce189d1693c29a2285a02d54fee27e5af5afe3238295b" score = 75 quality = 90 tags = "INFO, FILE" @@ -53958,7 +53958,7 @@ rule REVERSINGLABS_Cert_Blocklist_79227311Acdd575759198Dbd3544Cca7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="79:22:73:11:ac:dd:57:57:59:19:8d:bd:35:44:cc:a7" and 1478131200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "79:22:73:11:ac:dd:57:57:59:19:8d:bd:35:44:cc:a7" and 1478131200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53967,13 +53967,13 @@ rule REVERSINGLABS_Cert_Blocklist_13Ae38C9Ae21A8576C0D024D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "416c5eb3-bc6d-5fb0-a7fe-58cdd6c7c39d" + id = "434e8e84-dc01-55a9-b7b6-7e632252a202" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15810-L15826" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7be892eaf9e2e31442f7ef5ffd296dd17696d6c95d20eb2758ede2c553b05f38" + logic_hash = "v1_sha256_7be892eaf9e2e31442f7ef5ffd296dd17696d6c95d20eb2758ede2c553b05f38" score = 75 quality = 90 tags = "INFO, FILE" @@ -53983,7 +53983,7 @@ rule REVERSINGLABS_Cert_Blocklist_13Ae38C9Ae21A8576C0D024D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="13:ae:38:c9:ae:21:a8:57:6c:0d:02:4d" and 1475062802<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "13:ae:38:c9:ae:21:a8:57:6c:0d:02:4d" and 1475062802 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -53992,13 +53992,13 @@ rule REVERSINGLABS_Cert_Blocklist_557B0Abf44045827F1F36Efbc96271Ec : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "64db0b43-b73f-594d-9f04-2cdf76df7c9b" + id = "61b66c82-103f-5f49-a570-00beb3694491" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15828-L15844" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "633e8d6b44d62443d991738fa82b9742ac5634051bba5d0cdb3d6b35d66bdc8f" + logic_hash = "v1_sha256_633e8d6b44d62443d991738fa82b9742ac5634051bba5d0cdb3d6b35d66bdc8f" score = 75 quality = 90 tags = "INFO, FILE" @@ -54008,7 +54008,7 @@ rule REVERSINGLABS_Cert_Blocklist_557B0Abf44045827F1F36Efbc96271Ec : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="55:7b:0a:bf:44:04:58:27:f1:f3:6e:fb:c9:62:71:ec" and 1480291200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "55:7b:0a:bf:44:04:58:27:f1:f3:6e:fb:c9:62:71:ec" and 1480291200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54017,13 +54017,13 @@ rule REVERSINGLABS_Cert_Blocklist_7903870184E18A80899740845A15E2B2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a55bed5b-906f-5c9d-bddd-b4d53d6351de" + id = "d01a0062-8bd9-5dd0-9bd0-05f9248a7c29" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15846-L15862" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ad32491b463d0b3b4c85ed78e81bb69802e5f90ae835f73e270b28f02b36f840" + logic_hash = "v1_sha256_ad32491b463d0b3b4c85ed78e81bb69802e5f90ae835f73e270b28f02b36f840" score = 75 quality = 90 tags = "INFO, FILE" @@ -54033,7 +54033,7 @@ rule REVERSINGLABS_Cert_Blocklist_7903870184E18A80899740845A15E2B2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Qool Aid, LLC" and pe.signatures[i].serial=="79:03:87:01:84:e1:8a:80:89:97:40:84:5a:15:e2:b2" and 1079654400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Qool Aid, LLC" and pe.signatures [ i ] . serial == "79:03:87:01:84:e1:8a:80:89:97:40:84:5a:15:e2:b2" and 1079654400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54042,13 +54042,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Fba9B373F812C16Aef531D4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "129e981a-064a-5930-bd45-d03ed008451c" + id = "e05740d2-9f9d-5d48-b04c-2dcfcf262737" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15864-L15880" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8b7340359778e3aa56f6ea300973af74eb77efd54108d2ca2b6b8f04d89a1c39" + logic_hash = "v1_sha256_8b7340359778e3aa56f6ea300973af74eb77efd54108d2ca2b6b8f04d89a1c39" score = 75 quality = 90 tags = "INFO, FILE" @@ -54058,7 +54058,7 @@ rule REVERSINGLABS_Cert_Blocklist_5Fba9B373F812C16Aef531D4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="5f:ba:9b:37:3f:81:2c:16:ae:f5:31:d4" and 1473329076<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "5f:ba:9b:37:3f:81:2c:16:ae:f5:31:d4" and 1473329076 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54067,13 +54067,13 @@ rule REVERSINGLABS_Cert_Blocklist_616A5205238590B01D7B761E444E4Ad9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "09e9e481-c767-53d3-9af1-11dec636cafb" + id = "0dfc5744-d4e7-5ad1-bd75-5ac7292a0d3d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15882-L15898" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "463ccd3ace9021569a7a6d5fcbaadf34b15d2b07baf3df526b271b547cf2bbc5" + logic_hash = "v1_sha256_463ccd3ace9021569a7a6d5fcbaadf34b15d2b07baf3df526b271b547cf2bbc5" score = 75 quality = 90 tags = "INFO, FILE" @@ -54083,7 +54083,7 @@ rule REVERSINGLABS_Cert_Blocklist_616A5205238590B01D7B761E444E4Ad9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Lerges" and pe.signatures[i].serial=="61:6a:52:05:23:85:90:b0:1d:7b:76:1e:44:4e:4a:d9" and 1421452800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Lerges" and pe.signatures [ i ] . serial == "61:6a:52:05:23:85:90:b0:1d:7b:76:1e:44:4e:4a:d9" and 1421452800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54092,13 +54092,13 @@ rule REVERSINGLABS_Cert_Blocklist_29Be2278113Dd062Eadca32De6B242D0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a2dfd6e0-4475-537a-859e-126dd4a02af7" + id = "fe82288d-f41e-57aa-a395-a9ef9f8bfdf4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15900-L15916" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3df7afba9eda9022a64647ce2a91119d0bdf6fe5b164a1e82b1819409024fbee" + logic_hash = "v1_sha256_3df7afba9eda9022a64647ce2a91119d0bdf6fe5b164a1e82b1819409024fbee" score = 75 quality = 90 tags = "INFO, FILE" @@ -54108,7 +54108,7 @@ rule REVERSINGLABS_Cert_Blocklist_29Be2278113Dd062Eadca32De6B242D0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BLADES" and pe.signatures[i].serial=="29:be:22:78:11:3d:d0:62:ea:dc:a3:2d:e6:b2:42:d0" and 1536883200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BLADES" and pe.signatures [ i ] . serial == "29:be:22:78:11:3d:d0:62:ea:dc:a3:2d:e6:b2:42:d0" and 1536883200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54117,13 +54117,13 @@ rule REVERSINGLABS_Cert_Blocklist_05F70A557Afd4A443F44D0Baf0Bc8C60 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9ce5b6c7-fede-508f-a7d0-f9d0b8838645" + id = "f7d24640-2b8a-5738-b07f-639f9b440d0f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15918-L15934" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3945f515b65ca3ffb6c2b64c884bb2790d703a277e1a5ba128c81bc63ed20a25" + logic_hash = "v1_sha256_3945f515b65ca3ffb6c2b64c884bb2790d703a277e1a5ba128c81bc63ed20a25" score = 75 quality = 90 tags = "INFO, FILE" @@ -54133,7 +54133,7 @@ rule REVERSINGLABS_Cert_Blocklist_05F70A557Afd4A443F44D0Baf0Bc8C60 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="05:f7:0a:55:7a:fd:4a:44:3f:44:d0:ba:f0:bc:8c:60" and 1477440000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "05:f7:0a:55:7a:fd:4a:44:3f:44:d0:ba:f0:bc:8c:60" and 1477440000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54142,13 +54142,13 @@ rule REVERSINGLABS_Cert_Blocklist_4E0665D61997072294A70C662F72Eae3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1370a3b5-a254-5197-ac85-5b33e8d9fa38" + id = "eea7f482-4a5b-532d-80a4-f48fb51b35be" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15936-L15952" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f07cdfd522db0a92fe1dba30f158b2c89bb5424bdcdfda50ae42fcfddeac19ba" + logic_hash = "v1_sha256_f07cdfd522db0a92fe1dba30f158b2c89bb5424bdcdfda50ae42fcfddeac19ba" score = 75 quality = 90 tags = "INFO, FILE" @@ -54158,7 +54158,7 @@ rule REVERSINGLABS_Cert_Blocklist_4E0665D61997072294A70C662F72Eae3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="4e:06:65:d6:19:97:07:22:94:a7:0c:66:2f:72:ea:e3" and 1474502400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "4e:06:65:d6:19:97:07:22:94:a7:0c:66:2f:72:ea:e3" and 1474502400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54167,13 +54167,13 @@ rule REVERSINGLABS_Cert_Blocklist_74702Dff5D4056B847D009A2265Fb1B3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "55f1e321-ce70-519a-9a39-4278162edbef" + id = "715aa8a8-5d61-5e26-84b6-1d3bea017a67" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15954-L15970" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8acc57bbf334a48043dbee6fab7b7a54a44801b2ccd0ccd9d14194689c75c021" + logic_hash = "v1_sha256_8acc57bbf334a48043dbee6fab7b7a54a44801b2ccd0ccd9d14194689c75c021" score = 75 quality = 90 tags = "INFO, FILE" @@ -54183,7 +54183,7 @@ rule REVERSINGLABS_Cert_Blocklist_74702Dff5D4056B847D009A2265Fb1B3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Shulan Hou" and pe.signatures[i].serial=="74:70:2d:ff:5d:40:56:b8:47:d0:09:a2:26:5f:b1:b3" and 1469664000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Shulan Hou" and pe.signatures [ i ] . serial == "74:70:2d:ff:5d:40:56:b8:47:d0:09:a2:26:5f:b1:b3" and 1469664000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54192,13 +54192,13 @@ rule REVERSINGLABS_Cert_Blocklist_353B1Cf7866Ee0B0Acdd532D0Bb1A220 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "20b95b80-94a9-51c3-9c6c-2a0ef75b0c0b" + id = "f320f38d-8002-59b3-a04d-2ff76a0a0d96" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15972-L15988" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "aa8f0fe1517134b6e562c2accc46420a4f0afd77c3a7bbe98d551c54e68ed4c7" + logic_hash = "v1_sha256_aa8f0fe1517134b6e562c2accc46420a4f0afd77c3a7bbe98d551c54e68ed4c7" score = 75 quality = 90 tags = "INFO, FILE" @@ -54208,7 +54208,7 @@ rule REVERSINGLABS_Cert_Blocklist_353B1Cf7866Ee0B0Acdd532D0Bb1A220 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Network Freak Limited" and pe.signatures[i].serial=="35:3b:1c:f7:86:6e:e0:b0:ac:dd:53:2d:0b:b1:a2:20" and 1558915200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Network Freak Limited" and pe.signatures [ i ] . serial == "35:3b:1c:f7:86:6e:e0:b0:ac:dd:53:2d:0b:b1:a2:20" and 1558915200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54217,13 +54217,13 @@ rule REVERSINGLABS_Cert_Blocklist_093Ff2870Fa33Eaf47259457Ee58C2E0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3fd458e6-bf5a-51f3-9b46-344e9f8e0ffe" + id = "fa66acb4-6005-5e8a-bd57-38fbdbafdbaa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15990-L16006" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1aafe547b8645f07498bac6f0ffd6d5aefbac160aa7a6fb8d1d891e70701ce99" + logic_hash = "v1_sha256_1aafe547b8645f07498bac6f0ffd6d5aefbac160aa7a6fb8d1d891e70701ce99" score = 75 quality = 90 tags = "INFO, FILE" @@ -54233,7 +54233,7 @@ rule REVERSINGLABS_Cert_Blocklist_093Ff2870Fa33Eaf47259457Ee58C2E0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AEEPZ Limited" and pe.signatures[i].serial=="09:3f:f2:87:0f:a3:3e:af:47:25:94:57:ee:58:c2:e0" and 1503532800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AEEPZ Limited" and pe.signatures [ i ] . serial == "09:3f:f2:87:0f:a3:3e:af:47:25:94:57:ee:58:c2:e0" and 1503532800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54242,13 +54242,13 @@ rule REVERSINGLABS_Cert_Blocklist_719C17A823839Dca813Ee85888B3B39A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ca5b9ec0-2c46-50db-bc47-b3c6c61e990e" + id = "d4eefd60-9a79-5588-9637-b89c4e75023a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16008-L16024" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a160ada48048e11632082e7538459554d77d31539e53709cd897f3c454af8236" + logic_hash = "v1_sha256_a160ada48048e11632082e7538459554d77d31539e53709cd897f3c454af8236" score = 75 quality = 90 tags = "INFO, FILE" @@ -54258,7 +54258,7 @@ rule REVERSINGLABS_Cert_Blocklist_719C17A823839Dca813Ee85888B3B39A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="71:9c:17:a8:23:83:9d:ca:81:3e:e8:58:88:b3:b3:9a" and 1479686400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "71:9c:17:a8:23:83:9d:ca:81:3e:e8:58:88:b3:b3:9a" and 1479686400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54267,13 +54267,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Dc86Ebf5863568E2237B2D89582D705 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "24741dc7-6252-5964-a69f-bef4b2dfe1a7" + id = "29879b94-696d-5fac-bc5d-d2447df9cf3f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16026-L16042" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f24cdf890bd0b51a83ca333c37bc22068ab1f7e7ef36b36d94a133773097bd37" + logic_hash = "v1_sha256_f24cdf890bd0b51a83ca333c37bc22068ab1f7e7ef36b36d94a133773097bd37" score = 75 quality = 90 tags = "INFO, FILE" @@ -54283,7 +54283,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Dc86Ebf5863568E2237B2D89582D705 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Dening Hu" and pe.signatures[i].serial=="6d:c8:6e:bf:58:63:56:8e:22:37:b2:d8:95:82:d7:05" and 1471305600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Dening Hu" and pe.signatures [ i ] . serial == "6d:c8:6e:bf:58:63:56:8e:22:37:b2:d8:95:82:d7:05" and 1471305600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54292,13 +54292,13 @@ rule REVERSINGLABS_Cert_Blocklist_214Df59Fe53874Cc011Dd45727035F51 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9265bb94-b183-523f-91bf-9bc76ab63d6b" + id = "a57cbe6a-0c6a-5320-85e6-74557bb86c51" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16044-L16060" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "96269f41f82621aee029f343acfce70c781bf7713588dfe78fac35a3d1d3f7cd" + logic_hash = "v1_sha256_96269f41f82621aee029f343acfce70c781bf7713588dfe78fac35a3d1d3f7cd" score = 75 quality = 90 tags = "INFO, FILE" @@ -54308,7 +54308,7 @@ rule REVERSINGLABS_Cert_Blocklist_214Df59Fe53874Cc011Dd45727035F51 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="21:4d:f5:9f:e5:38:74:cc:01:1d:d4:57:27:03:5f:51" and 1468800000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "21:4d:f5:9f:e5:38:74:cc:01:1d:d4:57:27:03:5f:51" and 1468800000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54317,13 +54317,13 @@ rule REVERSINGLABS_Cert_Blocklist_37Ca4F66Fdcc8732992723199859886C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9dd87769-73d0-5299-b6ed-936703abc78e" + id = "67f1f0c7-4fb1-502c-ac12-ac67123ab544" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16062-L16078" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "190dffc36c17c27c43337d7914683b7bab3ff18a50de5278ed2a66f04b9e395d" + logic_hash = "v1_sha256_190dffc36c17c27c43337d7914683b7bab3ff18a50de5278ed2a66f04b9e395d" score = 75 quality = 90 tags = "INFO, FILE" @@ -54333,7 +54333,7 @@ rule REVERSINGLABS_Cert_Blocklist_37Ca4F66Fdcc8732992723199859886C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Aleman Ltd" and pe.signatures[i].serial=="37:ca:4f:66:fd:cc:87:32:99:27:23:19:98:59:88:6c" and 1505952000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Aleman Ltd" and pe.signatures [ i ] . serial == "37:ca:4f:66:fd:cc:87:32:99:27:23:19:98:59:88:6c" and 1505952000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54342,13 +54342,13 @@ rule REVERSINGLABS_Cert_Blocklist_Be2F22C152Bb218B898C4029056816A9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d5ca9d9d-e80f-56c1-90b7-ef931e61ba92" + id = "0bd4fe17-1f1f-5838-b4f8-ed1a1c6e615e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16080-L16098" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "cd99e4d97d9a60f409cf072bbae254486c307ae3cb6e34c5cd9648c972615f36" + logic_hash = "v1_sha256_cd99e4d97d9a60f409cf072bbae254486c307ae3cb6e34c5cd9648c972615f36" score = 75 quality = 90 tags = "INFO, FILE" @@ -54358,7 +54358,7 @@ rule REVERSINGLABS_Cert_Blocklist_Be2F22C152Bb218B898C4029056816A9 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Marts GmbH" and (pe.signatures[i].serial=="00:be:2f:22:c1:52:bb:21:8b:89:8c:40:29:05:68:16:a9" or pe.signatures[i].serial=="be:2f:22:c1:52:bb:21:8b:89:8c:40:29:05:68:16:a9") and 1676246400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Marts GmbH" and ( pe.signatures [ i ] . serial == "00:be:2f:22:c1:52:bb:21:8b:89:8c:40:29:05:68:16:a9" or pe.signatures [ i ] . serial == "be:2f:22:c1:52:bb:21:8b:89:8c:40:29:05:68:16:a9" ) and 1676246400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54367,13 +54367,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fc7065Abf8303Fb472B8Af85918F5C24 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1aebd2be-b22c-5102-a449-27025f61cce6" + id = "650f86cf-fc1f-565b-ac98-e47cbb84cf02" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16100-L16118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f57ae32d7efd9cd4c0a207897e30b871dc32405c5b9ad844c9bb7eee4827cc5a" + logic_hash = "v1_sha256_f57ae32d7efd9cd4c0a207897e30b871dc32405c5b9ad844c9bb7eee4827cc5a" score = 75 quality = 90 tags = "INFO, FILE" @@ -54383,7 +54383,7 @@ rule REVERSINGLABS_Cert_Blocklist_Fc7065Abf8303Fb472B8Af85918F5C24 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DIG IN VISION SP Z O O" and (pe.signatures[i].serial=="00:fc:70:65:ab:f8:30:3f:b4:72:b8:af:85:91:8f:5c:24" or pe.signatures[i].serial=="fc:70:65:ab:f8:30:3f:b4:72:b8:af:85:91:8f:5c:24") and 1604361600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DIG IN VISION SP Z O O" and ( pe.signatures [ i ] . serial == "00:fc:70:65:ab:f8:30:3f:b4:72:b8:af:85:91:8f:5c:24" or pe.signatures [ i ] . serial == "fc:70:65:ab:f8:30:3f:b4:72:b8:af:85:91:8f:5c:24" ) and 1604361600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54392,13 +54392,13 @@ rule REVERSINGLABS_Cert_Blocklist_698Ff388Adb50B88Afb832E76B0A0Ad1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8a6f4a15-08a5-5ca5-a743-55075726e744" + id = "6a592d2c-427c-5ece-87af-e0e3bb914654" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16120-L16136" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b29bc69c8fd9543dba8f7d2a18d52b1bcbb8a8ae6f553d8b232ca74709b9addc" + logic_hash = "v1_sha256_b29bc69c8fd9543dba8f7d2a18d52b1bcbb8a8ae6f553d8b232ca74709b9addc" score = 75 quality = 90 tags = "INFO, FILE" @@ -54408,7 +54408,7 @@ rule REVERSINGLABS_Cert_Blocklist_698Ff388Adb50B88Afb832E76B0A0Ad1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BELLAP LIMITED" and pe.signatures[i].serial=="69:8f:f3:88:ad:b5:0b:88:af:b8:32:e7:6b:0a:0a:d1" and 1675070541<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BELLAP LIMITED" and pe.signatures [ i ] . serial == "69:8f:f3:88:ad:b5:0b:88:af:b8:32:e7:6b:0a:0a:d1" and 1675070541 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54417,13 +54417,13 @@ rule REVERSINGLABS_Cert_Blocklist_391Ae38670Ab188A5De26E07 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aca9ac98-1c3b-5231-b6e5-97e3b8fec6de" + id = "01e16423-6364-5ee6-a013-e00e99aaccee" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16138-L16154" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f7ccfadab650ae3b6f950c9d1b35f86aa4a4e6c05479c014ab18881a405678f0" + logic_hash = "v1_sha256_f7ccfadab650ae3b6f950c9d1b35f86aa4a4e6c05479c014ab18881a405678f0" score = 75 quality = 90 tags = "INFO, FILE" @@ -54433,7 +54433,7 @@ rule REVERSINGLABS_Cert_Blocklist_391Ae38670Ab188A5De26E07 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "DVERI FADO, TOV" and pe.signatures[i].serial=="39:1a:e3:86:70:ab:18:8a:5d:e2:6e:07" and 1540832872<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "DVERI FADO, TOV" and pe.signatures [ i ] . serial == "39:1a:e3:86:70:ab:18:8a:5d:e2:6e:07" and 1540832872 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54442,13 +54442,13 @@ rule REVERSINGLABS_Cert_Blocklist_D08D83Ff118Df3777E371C5C482Cce7B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5acd2e61-1c04-5cc5-8773-25856fc163c4" + id = "c98cd3f0-18b6-5e6b-9cf1-e488307fee2f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16156-L16174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5fdaf01c6a23057ab976e3ad2a8b40558b16693161410b0f30d7b884de7e3985" + logic_hash = "v1_sha256_5fdaf01c6a23057ab976e3ad2a8b40558b16693161410b0f30d7b884de7e3985" score = 75 quality = 90 tags = "INFO, FILE" @@ -54458,7 +54458,7 @@ rule REVERSINGLABS_Cert_Blocklist_D08D83Ff118Df3777E371C5C482Cce7B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "AMO-K Limited Liability Company" and (pe.signatures[i].serial=="00:d0:8d:83:ff:11:8d:f3:77:7e:37:1c:5c:48:2c:ce:7b" or pe.signatures[i].serial=="d0:8d:83:ff:11:8d:f3:77:7e:37:1c:5c:48:2c:ce:7b") and 1444780800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "AMO-K Limited Liability Company" and ( pe.signatures [ i ] . serial == "00:d0:8d:83:ff:11:8d:f3:77:7e:37:1c:5c:48:2c:ce:7b" or pe.signatures [ i ] . serial == "d0:8d:83:ff:11:8d:f3:77:7e:37:1c:5c:48:2c:ce:7b" ) and 1444780800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54467,13 +54467,13 @@ rule REVERSINGLABS_Cert_Blocklist_06Ce209477F1Ac19A2049Bdc5846A831 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "21c16e2c-bc0c-5e1d-bc44-6d7c4afc34cb" + id = "04409e81-53a3-5773-ba92-e397dfd07a81" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16176-L16192" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "24474c4033a8cad1690160da64b75a1eec570f56e830967256c19574bde59384" + logic_hash = "v1_sha256_24474c4033a8cad1690160da64b75a1eec570f56e830967256c19574bde59384" score = 75 quality = 90 tags = "INFO, FILE" @@ -54483,7 +54483,7 @@ rule REVERSINGLABS_Cert_Blocklist_06Ce209477F1Ac19A2049Bdc5846A831 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Select'Assistance Pro" and pe.signatures[i].serial=="06:ce:20:94:77:f1:ac:19:a2:04:9b:dc:58:46:a8:31" and 1426710344<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Select'Assistance Pro" and pe.signatures [ i ] . serial == "06:ce:20:94:77:f1:ac:19:a2:04:9b:dc:58:46:a8:31" and 1426710344 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54492,13 +54492,13 @@ rule REVERSINGLABS_Cert_Blocklist_447F449121B883211663B7B7E2Ead868 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a3ee3618-0e20-5d9c-a514-9020607bd1b0" + id = "86d4e9fd-3c05-538f-9042-3ed6cb2ab773" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16194-L16210" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f473a939d1a27cf53c09d0e4a3753a9444ae3674a55d5b0feafeef6b75dd487f" + logic_hash = "v1_sha256_f473a939d1a27cf53c09d0e4a3753a9444ae3674a55d5b0feafeef6b75dd487f" score = 75 quality = 90 tags = "INFO, FILE" @@ -54508,7 +54508,7 @@ rule REVERSINGLABS_Cert_Blocklist_447F449121B883211663B7B7E2Ead868 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "3 AM CHP" and pe.signatures[i].serial=="44:7f:44:91:21:b8:83:21:16:63:b7:b7:e2:ea:d8:68" and 1443052800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "3 AM CHP" and pe.signatures [ i ] . serial == "44:7f:44:91:21:b8:83:21:16:63:b7:b7:e2:ea:d8:68" and 1443052800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54517,13 +54517,13 @@ rule REVERSINGLABS_Cert_Blocklist_6366A9Ac97Df4De17366943C9B291Aaa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "77d6756b-e948-5771-9ec1-f5159b0e792c" + id = "0139ec87-00b8-54f8-ba8d-0e933a7fbc65" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16212-L16228" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "dcdfb78d4d779b1cabcdf5b2da1fa27aaa9faaed4d4967630ce45f30304fe227" + logic_hash = "v1_sha256_dcdfb78d4d779b1cabcdf5b2da1fa27aaa9faaed4d4967630ce45f30304fe227" score = 75 quality = 90 tags = "INFO, FILE" @@ -54533,7 +54533,7 @@ rule REVERSINGLABS_Cert_Blocklist_6366A9Ac97Df4De17366943C9B291Aaa : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "xlgames" and pe.signatures[i].serial=="63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" and 1326796477<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "xlgames" and pe.signatures [ i ] . serial == "63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" and 1326796477 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54542,13 +54542,13 @@ rule REVERSINGLABS_Cert_Blocklist_66E3F0B4459F15Ac7F2A2B44990Dd709 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2fc1303f-e559-59ba-a1b9-b74a154d8805" + id = "eaa42b63-e6a2-5cc7-a6d2-e45f1bf3ea23" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16230-L16246" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a563f1485ae8887c46f45d1366f676894c7db55954671825b37372f786ce0d3d" + logic_hash = "v1_sha256_a563f1485ae8887c46f45d1366f676894c7db55954671825b37372f786ce0d3d" score = 75 quality = 90 tags = "INFO, FILE" @@ -54558,7 +54558,7 @@ rule REVERSINGLABS_Cert_Blocklist_66E3F0B4459F15Ac7F2A2B44990Dd709 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "KOG Co., Ltd." and pe.signatures[i].serial=="66:e3:f0:b4:45:9f:15:ac:7f:2a:2b:44:99:0d:d7:09" and 1320288125<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "KOG Co., Ltd." and pe.signatures [ i ] . serial == "66:e3:f0:b4:45:9f:15:ac:7f:2a:2b:44:99:0d:d7:09" and 1320288125 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54567,13 +54567,13 @@ rule REVERSINGLABS_Cert_Blocklist_610039D6349Ee531E4Caa3A65D100C7D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "de018b47-9fbd-590e-b3d1-b50029496718" + id = "a15f1b09-678a-505f-b555-4b4c2f5776ef" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16248-L16264" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e6b6a90cf40283d2e4d2d9c5732a078c9f2f117e3639ab5c0dd6c5323cb7c9ff" + logic_hash = "v1_sha256_e6b6a90cf40283d2e4d2d9c5732a078c9f2f117e3639ab5c0dd6c5323cb7c9ff" score = 75 quality = 90 tags = "INFO, FILE" @@ -54583,7 +54583,7 @@ rule REVERSINGLABS_Cert_Blocklist_610039D6349Ee531E4Caa3A65D100C7D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Wemade Entertainment" and pe.signatures[i].serial=="61:00:39:d6:34:9e:e5:31:e4:ca:a3:a6:5d:10:0c:7d" and 1341792000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Wemade Entertainment" and pe.signatures [ i ] . serial == "61:00:39:d6:34:9e:e5:31:e4:ca:a3:a6:5d:10:0c:7d" and 1341792000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54592,13 +54592,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Caa0D0Dadf32A2404A75195Ae47820A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5c1f82a4-c64d-556c-8c7a-213582e7bd5a" + id = "e6b48549-c07d-5ef9-a87d-cf973935bf99" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16266-L16282" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ab71e485c0b541fae79d246d34b1f4fb146747c1c3fb723aa87a7a32378ff974" + logic_hash = "v1_sha256_ab71e485c0b541fae79d246d34b1f4fb146747c1c3fb723aa87a7a32378ff974" score = 75 quality = 90 tags = "INFO, FILE" @@ -54608,7 +54608,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Caa0D0Dadf32A2404A75195Ae47820A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LivePlex Corp" and pe.signatures[i].serial=="1c:aa:0d:0d:ad:f3:2a:24:04:a7:51:95:ae:47:82:0a" and 1324425600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LivePlex Corp" and pe.signatures [ i ] . serial == "1c:aa:0d:0d:ad:f3:2a:24:04:a7:51:95:ae:47:82:0a" and 1324425600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54617,13 +54617,13 @@ rule REVERSINGLABS_Cert_Blocklist_140D2C515E8Ee9739Bb5F1B2637Dc478 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "69f3ee46-87d2-5630-ba7c-4ed2924cf650" + id = "6ac84678-ff45-5ab1-9127-182168715673" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16284-L16300" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e6724fe80959592c8741621ce604518d3e964cee5941257a99dda78b9c8bbdac" + logic_hash = "v1_sha256_e6724fe80959592c8741621ce604518d3e964cee5941257a99dda78b9c8bbdac" score = 75 quality = 90 tags = "INFO, FILE" @@ -54633,7 +54633,7 @@ rule REVERSINGLABS_Cert_Blocklist_140D2C515E8Ee9739Bb5F1B2637Dc478 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Guangzhou YuanLuo Technology Co.,Ltd" and pe.signatures[i].serial=="14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" and 1386806400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Guangzhou YuanLuo Technology Co.,Ltd" and pe.signatures [ i ] . serial == "14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" and 1386806400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54642,13 +54642,13 @@ rule REVERSINGLABS_Cert_Blocklist_58015Acd501Fc9C344264Eace2Ce5730 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "28a56bcf-1f13-5478-a6d5-7595464da198" + id = "1bc5d209-9243-5b74-8f49-07e4450d4b2d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16302-L16318" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7c1bec5059d40fc326bb08775888ed169abc746228eeb42c897f479992c5acab" + logic_hash = "v1_sha256_7c1bec5059d40fc326bb08775888ed169abc746228eeb42c897f479992c5acab" score = 75 quality = 90 tags = "INFO, FILE" @@ -54658,7 +54658,7 @@ rule REVERSINGLABS_Cert_Blocklist_58015Acd501Fc9C344264Eace2Ce5730 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Nanjing Ranyi Technology Co., Ltd. " and pe.signatures[i].serial=="58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" and 1352246400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Nanjing Ranyi Technology Co., Ltd. " and pe.signatures [ i ] . serial == "58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" and 1352246400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54667,13 +54667,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B7279068Beb15Ffe8060D2C56153C35 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "78bfa550-d85e-5776-a65d-ff0039abd2c4" + id = "415507fb-2ce3-50ac-b3d7-13afd351a997" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16320-L16336" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ca00f1adacd6ff16e54b85be38c3a4545a10c76548e0647f7f3f6cfa4dff412d" + logic_hash = "v1_sha256_ca00f1adacd6ff16e54b85be38c3a4545a10c76548e0647f7f3f6cfa4dff412d" score = 75 quality = 90 tags = "INFO, FILE" @@ -54683,7 +54683,7 @@ rule REVERSINGLABS_Cert_Blocklist_0B7279068Beb15Ffe8060D2C56153C35 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Guangzhou YuanLuo Technology Co.,Ltd" and pe.signatures[i].serial=="0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" and 1350864000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Guangzhou YuanLuo Technology Co.,Ltd" and pe.signatures [ i ] . serial == "0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" and 1350864000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54692,13 +54692,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Bc0F18Da36702E302Db170D91Dc9202 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "977d9686-d811-5416-b090-d4f45d7935d0" + id = "ada35248-eb0e-5246-9c51-1798c9f0cc05" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16338-L16354" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d9ee2cf63a4edb28f894ea49a5b4df9b818d5764d9a74721b1d5222f53859462" + logic_hash = "v1_sha256_d9ee2cf63a4edb28f894ea49a5b4df9b818d5764d9a74721b1d5222f53859462" score = 75 quality = 90 tags = "INFO, FILE" @@ -54708,7 +54708,7 @@ rule REVERSINGLABS_Cert_Blocklist_0Bc0F18Da36702E302Db170D91Dc9202 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Foresee Consulting Inc." and pe.signatures[i].serial=="0b:c0:f1:8d:a3:67:02:e3:02:db:17:0d:91:dc:92:02" and 1637712000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Foresee Consulting Inc." and pe.signatures [ i ] . serial == "0b:c0:f1:8d:a3:67:02:e3:02:db:17:0d:91:dc:92:02" and 1637712000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54717,13 +54717,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ca9B6F49B8B41204A174C751C73Dc393 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d09658e4-44e4-5c10-a866-ba486000f1b6" + id = "95cd0496-94b7-54eb-b293-83453e75fce6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16356-L16374" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0b6558a7a1b78d471aaadced959ba91e411df50e3cc08e447fe9bd97f9e5cced" + logic_hash = "v1_sha256_0b6558a7a1b78d471aaadced959ba91e411df50e3cc08e447fe9bd97f9e5cced" score = 75 quality = 90 tags = "INFO, FILE" @@ -54733,7 +54733,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ca9B6F49B8B41204A174C751C73Dc393 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "CodeDance Ltd" and (pe.signatures[i].serial=="00:ca:9b:6f:49:b8:b4:12:04:a1:74:c7:51:c7:3d:c3:93" or pe.signatures[i].serial=="ca:9b:6f:49:b8:b4:12:04:a1:74:c7:51:c7:3d:c3:93") and 1654646400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "CodeDance Ltd" and ( pe.signatures [ i ] . serial == "00:ca:9b:6f:49:b8:b4:12:04:a1:74:c7:51:c7:3d:c3:93" or pe.signatures [ i ] . serial == "ca:9b:6f:49:b8:b4:12:04:a1:74:c7:51:c7:3d:c3:93" ) and 1654646400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54742,13 +54742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aaf65B8E7A2E68Bc8C9E8F27331B795C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ccb36b8b-301d-5cc2-9c8e-4956b92c1116" + id = "06ee2521-277f-577a-8ccc-2eccbea2236e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16376-L16394" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "390d074da09d8e5b4bb2a6f4157a5125474ab5c22de62729d4fc4075edade289" + logic_hash = "v1_sha256_390d074da09d8e5b4bb2a6f4157a5125474ab5c22de62729d4fc4075edade289" score = 75 quality = 90 tags = "INFO, FILE" @@ -54758,7 +54758,7 @@ rule REVERSINGLABS_Cert_Blocklist_Aaf65B8E7A2E68Bc8C9E8F27331B795C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ALISA L LIMITED" and (pe.signatures[i].serial=="00:aa:f6:5b:8e:7a:2e:68:bc:8c:9e:8f:27:33:1b:79:5c" or pe.signatures[i].serial=="aa:f6:5b:8e:7a:2e:68:bc:8c:9e:8f:27:33:1b:79:5c") and 1549324800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ALISA L LIMITED" and ( pe.signatures [ i ] . serial == "00:aa:f6:5b:8e:7a:2e:68:bc:8c:9e:8f:27:33:1b:79:5c" or pe.signatures [ i ] . serial == "aa:f6:5b:8e:7a:2e:68:bc:8c:9e:8f:27:33:1b:79:5c" ) and 1549324800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54767,13 +54767,13 @@ rule REVERSINGLABS_Cert_Blocklist_C6Ed0Efe2844Fa44Aae350C6845C3331 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d748bea4-8d2b-53b2-8184-ea0972ad9199" + id = "ecbdbf31-8788-52b1-9b28-cab285826998" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16396-L16414" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5c4afcd8ceb5cc2f1df2303183ede2081b86365eeee7d4e1319a8ed9a45bbf0b" + logic_hash = "v1_sha256_5c4afcd8ceb5cc2f1df2303183ede2081b86365eeee7d4e1319a8ed9a45bbf0b" score = 75 quality = 90 tags = "INFO, FILE" @@ -54783,7 +54783,7 @@ rule REVERSINGLABS_Cert_Blocklist_C6Ed0Efe2844Fa44Aae350C6845C3331 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "THE COMPANY OF WORDS LTD" and (pe.signatures[i].serial=="00:c6:ed:0e:fe:28:44:fa:44:aa:e3:50:c6:84:5c:33:31" or pe.signatures[i].serial=="c6:ed:0e:fe:28:44:fa:44:aa:e3:50:c6:84:5c:33:31") and 1549324800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "THE COMPANY OF WORDS LTD" and ( pe.signatures [ i ] . serial == "00:c6:ed:0e:fe:28:44:fa:44:aa:e3:50:c6:84:5c:33:31" or pe.signatures [ i ] . serial == "c6:ed:0e:fe:28:44:fa:44:aa:e3:50:c6:84:5c:33:31" ) and 1549324800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54792,13 +54792,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ede6Cfbf9Fa18337B0Fdb49C1F693020 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0389d5ba-4535-5277-9c77-bd178e66417f" + id = "63f578d7-4542-5c95-a1a8-f74cc5cbd925" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16416-L16434" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "a7f18d0028cbc0001a196bc915b7881244a5833dd65f96dd7d2e8ab1b0622e0c" + logic_hash = "v1_sha256_a7f18d0028cbc0001a196bc915b7881244a5833dd65f96dd7d2e8ab1b0622e0c" score = 75 quality = 90 tags = "INFO, FILE" @@ -54808,7 +54808,7 @@ rule REVERSINGLABS_Cert_Blocklist_Ede6Cfbf9Fa18337B0Fdb49C1F693020 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "START ARCHITECTURE LTD" and (pe.signatures[i].serial=="00:ed:e6:cf:bf:9f:a1:83:37:b0:fd:b4:9c:1f:69:30:20" or pe.signatures[i].serial=="ed:e6:cf:bf:9f:a1:83:37:b0:fd:b4:9c:1f:69:30:20") and 1554940800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "START ARCHITECTURE LTD" and ( pe.signatures [ i ] . serial == "00:ed:e6:cf:bf:9f:a1:83:37:b0:fd:b4:9c:1f:69:30:20" or pe.signatures [ i ] . serial == "ed:e6:cf:bf:9f:a1:83:37:b0:fd:b4:9c:1f:69:30:20" ) and 1554940800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54817,13 +54817,13 @@ rule REVERSINGLABS_Cert_Blocklist_Eda0F47B3B38E781Cdf6Ef6Be5D3F6Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "308a73cd-a142-56ad-8dca-808ab455b43e" + id = "99f7b743-34e1-557a-a8c9-90d7c3c9f166" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16436-L16454" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "af3cd543a6feec3118ba4e5fdc8455584aa763bd8339f036ab332977fc0fb20e" + logic_hash = "v1_sha256_af3cd543a6feec3118ba4e5fdc8455584aa763bd8339f036ab332977fc0fb20e" score = 75 quality = 90 tags = "INFO, FILE" @@ -54833,7 +54833,7 @@ rule REVERSINGLABS_Cert_Blocklist_Eda0F47B3B38E781Cdf6Ef6Be5D3F6Ee : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ADVANCED ACCESS SERVICES LTD" and (pe.signatures[i].serial=="00:ed:a0:f4:7b:3b:38:e7:81:cd:f6:ef:6b:e5:d3:f6:ee" or pe.signatures[i].serial=="ed:a0:f4:7b:3b:38:e7:81:cd:f6:ef:6b:e5:d3:f6:ee") and 1650931200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ADVANCED ACCESS SERVICES LTD" and ( pe.signatures [ i ] . serial == "00:ed:a0:f4:7b:3b:38:e7:81:cd:f6:ef:6b:e5:d3:f6:ee" or pe.signatures [ i ] . serial == "ed:a0:f4:7b:3b:38:e7:81:cd:f6:ef:6b:e5:d3:f6:ee" ) and 1650931200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54842,13 +54842,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Da173Eb1Ac76340Ac058E1Ff4Bf5E1B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0f9fa6c6-372d-5948-94ba-9e3fee956647" + id = "b5c4b52d-ea26-5c1d-9863-affcb3700524" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16456-L16472" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "71da69fca275caead6a822e6587e0a07fc882f712afeafe18f4a595c269f6737" + logic_hash = "v1_sha256_71da69fca275caead6a822e6587e0a07fc882f712afeafe18f4a595c269f6737" score = 75 quality = 90 tags = "INFO, FILE" @@ -54858,7 +54858,7 @@ rule REVERSINGLABS_Cert_Blocklist_5Da173Eb1Ac76340Ac058E1Ff4Bf5E1B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ALISA LTD" and pe.signatures[i].serial=="5d:a1:73:eb:1a:c7:63:40:ac:05:8e:1f:f4:bf:5e:1b" and 1550793600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ALISA LTD" and pe.signatures [ i ] . serial == "5d:a1:73:eb:1a:c7:63:40:ac:05:8e:1f:f4:bf:5e:1b" and 1550793600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54867,13 +54867,13 @@ rule REVERSINGLABS_Cert_Blocklist_1380A7Ccf2Bf36Bc496B00D8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dc473451-e1a9-53b4-acf6-9ff8036ecf31" + id = "b7908367-65f0-5b9c-ba1f-659549dcdfc1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16474-L16490" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "88708d7d139a9d6e92f78df460b527a1ae6a404d0bcccb801c8c8cb1263a46c6" + logic_hash = "v1_sha256_88708d7d139a9d6e92f78df460b527a1ae6a404d0bcccb801c8c8cb1263a46c6" score = 75 quality = 90 tags = "INFO, FILE" @@ -54883,7 +54883,7 @@ rule REVERSINGLABS_Cert_Blocklist_1380A7Ccf2Bf36Bc496B00D8 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="13:80:a7:cc:f2:bf:36:bc:49:6b:00:d8" and 1478069976<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "13:80:a7:cc:f2:bf:36:bc:49:6b:00:d8" and 1478069976 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54892,13 +54892,13 @@ rule REVERSINGLABS_Cert_Blocklist_02Eaf27E6F1575E365Fc7Fe4E0Be43F7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5d1aad80-9444-5cc3-8ff4-b70fb089cda0" + id = "897993eb-ce09-5ad9-8644-3c90e5499681" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16492-L16508" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "333a43bdfbc400727b8eae1efeb03484b959fc45ed6b8b0dd5e6a553fa27e87f" + logic_hash = "v1_sha256_333a43bdfbc400727b8eae1efeb03484b959fc45ed6b8b0dd5e6a553fa27e87f" score = 75 quality = 90 tags = "INFO, FILE" @@ -54908,7 +54908,7 @@ rule REVERSINGLABS_Cert_Blocklist_02Eaf27E6F1575E365Fc7Fe4E0Be43F7 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Theravada Solutions Ltd" and pe.signatures[i].serial=="02:ea:f2:7e:6f:15:75:e3:65:fc:7f:e4:e0:be:43:f7" and 1562889600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Theravada Solutions Ltd" and pe.signatures [ i ] . serial == "02:ea:f2:7e:6f:15:75:e3:65:fc:7f:e4:e0:be:43:f7" and 1562889600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54917,13 +54917,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Eb02Ac2Beb9611Ed57Eb12E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "64350364-fe74-54df-886d-1197146e00e7" + id = "9c03fe30-fcca-527e-86fb-51876f17d82f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16510-L16526" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7f2a6c61ae82fec6829924d11190da776aebdd3d72c7e001fdc29b215649261c" + logic_hash = "v1_sha256_7f2a6c61ae82fec6829924d11190da776aebdd3d72c7e001fdc29b215649261c" score = 75 quality = 90 tags = "INFO, FILE" @@ -54933,7 +54933,7 @@ rule REVERSINGLABS_Cert_Blocklist_6Eb02Ac2Beb9611Ed57Eb12E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE6\\x9D\\xA8\\xE5\\x87\\x8C\\xE4\\xBC\\xAF\\xE4\\xB9\\x90\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="6e:b0:2a:c2:be:b9:61:1e:d5:7e:b1:2e" and 1585023767<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE6\\x9D\\xA8\\xE5\\x87\\x8C\\xE4\\xBC\\xAF\\xE4\\xB9\\x90\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "6e:b0:2a:c2:be:b9:61:1e:d5:7e:b1:2e" and 1585023767 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54942,13 +54942,13 @@ rule REVERSINGLABS_Cert_Blocklist_010000000001297Dba69Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f6a63e79-4dde-590f-ad65-ba9cc29ff48c" + id = "b73a522d-d2fd-5eca-bb3c-a8fce0d47e6f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16528-L16544" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bbc3e740d5043d1811ff44c7366c69192fb78c95215b30fd4f4c782812ad591c" + logic_hash = "v1_sha256_bbc3e740d5043d1811ff44c7366c69192fb78c95215b30fd4f4c782812ad591c" score = 75 quality = 90 tags = "INFO, FILE" @@ -54958,7 +54958,7 @@ rule REVERSINGLABS_Cert_Blocklist_010000000001297Dba69Dd : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ROSSO INDEX K.K." and pe.signatures[i].serial=="01:00:00:00:00:01:29:7d:ba:69:dd" and 1277713154<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ROSSO INDEX K.K." and pe.signatures [ i ] . serial == "01:00:00:00:00:01:29:7d:ba:69:dd" and 1277713154 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54967,13 +54967,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Def22Ef4C645B1Decfb36B6D3539Dbf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aeb10a64-633c-5fc6-87af-360e1a402ad4" + id = "c264def8-feff-5322-adaf-0988887bf460" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16546-L16562" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "655ed87ee65f937c7cec95085fe612f8d733e0853c87aa50b4aa1fda9e5f7a5d" + logic_hash = "v1_sha256_655ed87ee65f937c7cec95085fe612f8d733e0853c87aa50b4aa1fda9e5f7a5d" score = 75 quality = 90 tags = "INFO, FILE" @@ -54983,7 +54983,7 @@ rule REVERSINGLABS_Cert_Blocklist_7Def22Ef4C645B1Decfb36B6D3539Dbf : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures[i].serial=="7d:ef:22:ef:4c:64:5b:1d:ec:fb:36:b6:d3:53:9d:bf" and 1474416000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures [ i ] . serial == "7d:ef:22:ef:4c:64:5b:1d:ec:fb:36:b6:d3:53:9d:bf" and 1474416000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -54992,13 +54992,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E39C2Ccc494438Bb8C2560F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "87477ad5-fc7e-5407-9c6e-bef3d4d8981d" + id = "07c63f08-cef6-5407-9e36-798169eb3f9d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16564-L16580" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "3b4a55149b3895eeea5f96297d1fc9787eb74e2fcef8170148ef1a2ced334311" + logic_hash = "v1_sha256_3b4a55149b3895eeea5f96297d1fc9787eb74e2fcef8170148ef1a2ced334311" score = 75 quality = 90 tags = "INFO, FILE" @@ -55008,7 +55008,7 @@ rule REVERSINGLABS_Cert_Blocklist_3E39C2Ccc494438Bb8C2560F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="3e:39:c2:cc:c4:94:43:8b:b8:c2:56:0f" and 1466142876<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "3e:39:c2:cc:c4:94:43:8b:b8:c2:56:0f" and 1466142876 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55017,13 +55017,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E3B09F43C3A0Fd53B7D600F08Fae2B5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "66025c6e-5d85-5660-87f1-3094a536bbe2" + id = "df472d21-5192-583c-bcf5-85287836128b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16582-L16598" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "86b06519858dce4b77cb870905297a1fd1c767053fd07c0b0469eb7fc3ba6b32" + logic_hash = "v1_sha256_86b06519858dce4b77cb870905297a1fd1c767053fd07c0b0469eb7fc3ba6b32" score = 75 quality = 90 tags = "INFO, FILE" @@ -55033,7 +55033,7 @@ rule REVERSINGLABS_Cert_Blocklist_6E3B09F43C3A0Fd53B7D600F08Fae2B5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Divisible Limited" and pe.signatures[i].serial=="6e:3b:09:f4:3c:3a:0f:d5:3b:7d:60:0f:08:fa:e2:b5" and 1507248000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Divisible Limited" and pe.signatures [ i ] . serial == "6e:3b:09:f4:3c:3a:0f:d5:3b:7d:60:0f:08:fa:e2:b5" and 1507248000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55042,13 +55042,13 @@ rule REVERSINGLABS_Cert_Blocklist_21220646C639D62C16992F46 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b80b1832-6bfa-555b-8462-cd17f9e5e0e1" + id = "e6515650-5853-527f-86e7-f58caafd3519" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16600-L16616" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "87202c29867e6410d59c1e3b5ab09a24ebac5c68c61d7b932b91a91dcf3707e2" + logic_hash = "v1_sha256_87202c29867e6410d59c1e3b5ab09a24ebac5c68c61d7b932b91a91dcf3707e2" score = 75 quality = 90 tags = "INFO, FILE" @@ -55058,7 +55058,7 @@ rule REVERSINGLABS_Cert_Blocklist_21220646C639D62C16992F46 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Sivi Technology Limited" and pe.signatures[i].serial=="21:22:06:46:c6:39:d6:2c:16:99:2f:46" and 1466130984<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Sivi Technology Limited" and pe.signatures [ i ] . serial == "21:22:06:46:c6:39:d6:2c:16:99:2f:46" and 1466130984 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55067,13 +55067,13 @@ rule REVERSINGLABS_Cert_Blocklist_738663F2C9E4Adb3Ad5306Aa5E7Cc548 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9fa41321-9736-5e67-b561-005b6d893e3f" + id = "1484186c-d978-5c47-8665-0adb6167f01b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16618-L16634" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "518a22e31432ee42e6aceb861815f7f9e84f2430b7fb3a78b498e45c584584ab" + logic_hash = "v1_sha256_518a22e31432ee42e6aceb861815f7f9e84f2430b7fb3a78b498e45c584584ab" score = 75 quality = 90 tags = "INFO, FILE" @@ -55083,7 +55083,7 @@ rule REVERSINGLABS_Cert_Blocklist_738663F2C9E4Adb3Ad5306Aa5E7Cc548 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "GIN-Konsalt" and pe.signatures[i].serial=="73:86:63:f2:c9:e4:ad:b3:ad:53:06:aa:5e:7c:c5:48" and 1498435200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "GIN-Konsalt" and pe.signatures [ i ] . serial == "73:86:63:f2:c9:e4:ad:b3:ad:53:06:aa:5e:7c:c5:48" and 1498435200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55092,13 +55092,13 @@ rule REVERSINGLABS_Cert_Blocklist_4280F2C8Ce1D98E5F8Da7Ecb005Eeae5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "559dc522-bc23-5716-b8ad-9e9df102936b" + id = "51b1dd1e-66cc-5ac1-ab86-8ceffe8f9b85" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16636-L16652" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4cc8f00a9704f595f3e48375942a19cd6f8d6c0e53afc932a61f5a4326be4bcb" + logic_hash = "v1_sha256_4cc8f00a9704f595f3e48375942a19cd6f8d6c0e53afc932a61f5a4326be4bcb" score = 75 quality = 90 tags = "INFO, FILE" @@ -55108,7 +55108,7 @@ rule REVERSINGLABS_Cert_Blocklist_4280F2C8Ce1D98E5F8Da7Ecb005Eeae5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures[i].serial=="42:80:f2:c8:ce:1d:98:e5:f8:da:7e:cb:00:5e:ea:e5" and 1476316800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures [ i ] . serial == "42:80:f2:c8:ce:1d:98:e5:f8:da:7e:cb:00:5e:ea:e5" and 1476316800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55117,13 +55117,13 @@ rule REVERSINGLABS_Cert_Blocklist_2946397Be9C5Ae44E95C99Af : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "46bc3ade-544c-5ee1-8d5d-4b8a269120c9" + id = "29be00dc-6f70-5626-b4fc-66def0d3498a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16654-L16670" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b7b4925482fcc47dea81eb3d84af31cc572f1b19080b98dda330b0bf6d7c80f4" + logic_hash = "v1_sha256_b7b4925482fcc47dea81eb3d84af31cc572f1b19080b98dda330b0bf6d7c80f4" score = 75 quality = 90 tags = "INFO, FILE" @@ -55133,7 +55133,7 @@ rule REVERSINGLABS_Cert_Blocklist_2946397Be9C5Ae44E95C99Af : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="29:46:39:7b:e9:c5:ae:44:e9:5c:99:af" and 1476092708<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "29:46:39:7b:e9:c5:ae:44:e9:5c:99:af" and 1476092708 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55142,13 +55142,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Df453588177Cf1C0C297Ff4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c3a18989-239e-56d7-b1c2-92895c02b7d8" + id = "9979f0cc-69bc-5c71-8017-d9263b3a83b2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16672-L16688" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b0c82388fd87a89841d190ce4020cc5a2ea21c9d765ceca6bc25d64162479231" + logic_hash = "v1_sha256_b0c82388fd87a89841d190ce4020cc5a2ea21c9d765ceca6bc25d64162479231" score = 75 quality = 90 tags = "INFO, FILE" @@ -55158,7 +55158,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Df453588177Cf1C0C297Ff4 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Shenzhen Yunhuitianxia Technology Co.,Ltd." and pe.signatures[i].serial=="2d:f4:53:58:81:77:cf:1c:0c:29:7f:f4" and 1479735173<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Shenzhen Yunhuitianxia Technology Co.,Ltd." and pe.signatures [ i ] . serial == "2d:f4:53:58:81:77:cf:1c:0c:29:7f:f4" and 1479735173 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55167,13 +55167,13 @@ rule REVERSINGLABS_Cert_Blocklist_0619C5E39A4Fc60A32F9B07F6A4Ca328 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ae3ef9cf-4b67-5cb8-9c9b-3edb95da222c" + id = "f81cb5f0-7cd8-50f1-9683-3cd4539b5a1f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16690-L16706" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "75e3dfd593d7fdc268de54430be617c015957a624f2ca36bc0036d4cbde5b686" + logic_hash = "v1_sha256_75e3dfd593d7fdc268de54430be617c015957a624f2ca36bc0036d4cbde5b686" score = 75 quality = 90 tags = "INFO, FILE" @@ -55183,7 +55183,7 @@ rule REVERSINGLABS_Cert_Blocklist_0619C5E39A4Fc60A32F9B07F6A4Ca328 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yuanyuan Zhang" and pe.signatures[i].serial=="06:19:c5:e3:9a:4f:c6:0a:32:f9:b0:7f:6a:4c:a3:28" and 1475884800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yuanyuan Zhang" and pe.signatures [ i ] . serial == "06:19:c5:e3:9a:4f:c6:0a:32:f9:b0:7f:6a:4c:a3:28" and 1475884800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55192,13 +55192,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Bffef48E6A321B418041310Fdb9B0D0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6a29551f-8359-5394-9acd-00c3b25d7064" + id = "7960333c-3d82-5dee-b6bc-72e55184bbcb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16708-L16724" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "30a079b55b75b292f7af4f5ae99184cbb3cca1ce4cf20f2f5c961b533673db00" + logic_hash = "v1_sha256_30a079b55b75b292f7af4f5ae99184cbb3cca1ce4cf20f2f5c961b533673db00" score = 75 quality = 90 tags = "INFO, FILE" @@ -55208,7 +55208,7 @@ rule REVERSINGLABS_Cert_Blocklist_2Bffef48E6A321B418041310Fdb9B0D0 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "A&D DOMUS LIMITED" and pe.signatures[i].serial=="2b:ff:ef:48:e6:a3:21:b4:18:04:13:10:fd:b9:b0:d0" and 1554681600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "A&D DOMUS LIMITED" and pe.signatures [ i ] . serial == "2b:ff:ef:48:e6:a3:21:b4:18:04:13:10:fd:b9:b0:d0" and 1554681600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55217,13 +55217,13 @@ rule REVERSINGLABS_Cert_Blocklist_34Ec9565805F34204C6966Fb81E36Ba1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bd032608-8622-5c7a-a3a7-808d73e611d7" + id = "ec7546b2-6ade-5990-9d91-c8029639020e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16726-L16742" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e434a02f5b9b22a25d8fe7a0bb7bd81b1cd8bc5356b4b626e3bfceb3f554a085" + logic_hash = "v1_sha256_e434a02f5b9b22a25d8fe7a0bb7bd81b1cd8bc5356b4b626e3bfceb3f554a085" score = 75 quality = 90 tags = "INFO, FILE" @@ -55233,7 +55233,7 @@ rule REVERSINGLABS_Cert_Blocklist_34Ec9565805F34204C6966Fb81E36Ba1 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="34:ec:95:65:80:5f:34:20:4c:69:66:fb:81:e3:6b:a1" and 1476921600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "34:ec:95:65:80:5f:34:20:4c:69:66:fb:81:e3:6b:a1" and 1476921600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55242,13 +55242,13 @@ rule REVERSINGLABS_Cert_Blocklist_B2B934B7F01E0Ac1E577814992243709 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "19930e7b-09cb-5c04-b838-3d8d73ba194b" + id = "2e28d081-d43f-509b-a9ca-298078554509" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16744-L16762" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "37b254ab76d144c09cc7b622dba59f5e372bf01ae12ce260a06143abb52062f6" + logic_hash = "v1_sha256_37b254ab76d144c09cc7b622dba59f5e372bf01ae12ce260a06143abb52062f6" score = 75 quality = 90 tags = "INFO, FILE" @@ -55258,7 +55258,7 @@ rule REVERSINGLABS_Cert_Blocklist_B2B934B7F01E0Ac1E577814992243709 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "MS CORP SOFTWARE LTD" and (pe.signatures[i].serial=="00:b2:b9:34:b7:f0:1e:0a:c1:e5:77:81:49:92:24:37:09" or pe.signatures[i].serial=="b2:b9:34:b7:f0:1e:0a:c1:e5:77:81:49:92:24:37:09") and 1590710400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "MS CORP SOFTWARE LTD" and ( pe.signatures [ i ] . serial == "00:b2:b9:34:b7:f0:1e:0a:c1:e5:77:81:49:92:24:37:09" or pe.signatures [ i ] . serial == "b2:b9:34:b7:f0:1e:0a:c1:e5:77:81:49:92:24:37:09" ) and 1590710400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55267,13 +55267,13 @@ rule REVERSINGLABS_Cert_Blocklist_3A1B397Fd9451E3B5891Fc69681Ed73D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6bdba43f-4003-5807-9adc-20691fbc8d14" + id = "b79d0be4-f0af-5e5a-8ac0-88ce6054ca3a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16764-L16780" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ca43c7bacd8cb5a896c3135abf4a131bdb4a7f5093e64c8d1df743fad0c1c64a" + logic_hash = "v1_sha256_ca43c7bacd8cb5a896c3135abf4a131bdb4a7f5093e64c8d1df743fad0c1c64a" score = 75 quality = 90 tags = "INFO, FILE" @@ -55283,7 +55283,7 @@ rule REVERSINGLABS_Cert_Blocklist_3A1B397Fd9451E3B5891Fc69681Ed73D : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yongli Zhang" and pe.signatures[i].serial=="3a:1b:39:7f:d9:45:1e:3b:58:91:fc:69:68:1e:d7:3d" and 1470614400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yongli Zhang" and pe.signatures [ i ] . serial == "3a:1b:39:7f:d9:45:1e:3b:58:91:fc:69:68:1e:d7:3d" and 1470614400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55292,13 +55292,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Eb816Aa49E4894D9E9F78729E53Cd48 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d2e66765-bdf6-59ff-ac6c-1a82ecefa731" + id = "d4b117d2-3ef6-568b-9178-7c54d14e541d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16782-L16798" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "4e22568612aec050c7f78b81ba6749528a9c25c0ba43e14260a581a9bea7a2f0" + logic_hash = "v1_sha256_4e22568612aec050c7f78b81ba6749528a9c25c0ba43e14260a581a9bea7a2f0" score = 75 quality = 90 tags = "INFO, FILE" @@ -55308,7 +55308,7 @@ rule REVERSINGLABS_Cert_Blocklist_1Eb816Aa49E4894D9E9F78729E53Cd48 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE5\\x96\\x84\\xE5\\x90\\x9B \\xE9\\x9F\\xA6" and pe.signatures[i].serial=="1e:b8:16:aa:49:e4:89:4d:9e:9f:78:72:9e:53:cd:48" and 1429056000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE5\\x96\\x84\\xE5\\x90\\x9B \\xE9\\x9F\\xA6" and pe.signatures [ i ] . serial == "1e:b8:16:aa:49:e4:89:4d:9e:9f:78:72:9e:53:cd:48" and 1429056000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55317,13 +55317,13 @@ rule REVERSINGLABS_Cert_Blocklist_383Ca88D6D9379C740609560 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "46166e9e-515d-530a-a651-59821d979f01" + id = "bd72a9d8-f1a5-5588-ab24-f09fefe5085b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16800-L16816" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ce41d046a7ca320d034fa226b5e8c22022cc6bfc97eb9ef294b1aca232aaacef" + logic_hash = "v1_sha256_ce41d046a7ca320d034fa226b5e8c22022cc6bfc97eb9ef294b1aca232aaacef" score = 75 quality = 90 tags = "INFO, FILE" @@ -55333,7 +55333,7 @@ rule REVERSINGLABS_Cert_Blocklist_383Ca88D6D9379C740609560 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="38:3c:a8:8d:6d:93:79:c7:40:60:95:60" and 1478250214<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "38:3c:a8:8d:6d:93:79:c7:40:60:95:60" and 1478250214 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55342,13 +55342,13 @@ rule REVERSINGLABS_Cert_Blocklist_6731Cb1430F18B8C0C43Ab40E1154169 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "df2423da-37ec-5adc-8497-2ac975b0b7ff" + id = "163f6cc5-b7cd-5674-a64a-db2ec244e4f6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16818-L16834" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "c05349166919ffc18ac6ecb61b822a8365f87a82164c5e110ef94345bdc4de6f" + logic_hash = "v1_sha256_c05349166919ffc18ac6ecb61b822a8365f87a82164c5e110ef94345bdc4de6f" score = 75 quality = 90 tags = "INFO, FILE" @@ -55358,7 +55358,7 @@ rule REVERSINGLABS_Cert_Blocklist_6731Cb1430F18B8C0C43Ab40E1154169 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "3 AM CHP" and pe.signatures[i].serial=="67:31:cb:14:30:f1:8b:8c:0c:43:ab:40:e1:15:41:69" and 1436313600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "3 AM CHP" and pe.signatures [ i ] . serial == "67:31:cb:14:30:f1:8b:8c:0c:43:ab:40:e1:15:41:69" and 1436313600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55367,13 +55367,13 @@ rule REVERSINGLABS_Cert_Blocklist_159505E6456B9A9352F7C47168D89B96 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3d078c5d-e469-54f1-bd69-aebeec1c25f1" + id = "eba19907-f92c-5cc3-a86d-8d8d8130334c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16836-L16852" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d6d0d5c86dd88afa29fb3c7cc3c0ab2e3401637a23e062ee9bab693a715cf16f" + logic_hash = "v1_sha256_d6d0d5c86dd88afa29fb3c7cc3c0ab2e3401637a23e062ee9bab693a715cf16f" score = 75 quality = 90 tags = "INFO, FILE" @@ -55383,7 +55383,7 @@ rule REVERSINGLABS_Cert_Blocklist_159505E6456B9A9352F7C47168D89B96 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Shan Feng" and pe.signatures[i].serial=="15:95:05:e6:45:6b:9a:93:52:f7:c4:71:68:d8:9b:96" and 1469404800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Shan Feng" and pe.signatures [ i ] . serial == "15:95:05:e6:45:6b:9a:93:52:f7:c4:71:68:d8:9b:96" and 1469404800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55392,13 +55392,13 @@ rule REVERSINGLABS_Cert_Blocklist_04A0E92B0B9Ebbb797Df6Ef52Bd5Ad05 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c6ba359e-4883-534d-bc86-8c063e54c92f" + id = "2e7a0b23-ae62-5d9c-b77f-53c5b2868769" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16854-L16870" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ff2a2d06c48bd3426fa42526d966152e3e7166c4170b4e08bb65ee5d876eda93" + logic_hash = "v1_sha256_ff2a2d06c48bd3426fa42526d966152e3e7166c4170b4e08bb65ee5d876eda93" score = 75 quality = 90 tags = "INFO, FILE" @@ -55408,7 +55408,7 @@ rule REVERSINGLABS_Cert_Blocklist_04A0E92B0B9Ebbb797Df6Ef52Bd5Ad05 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures[i].serial=="04:a0:e9:2b:0b:9e:bb:b7:97:df:6e:f5:2b:d5:ad:05" and 1479081600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures [ i ] . serial == "04:a0:e9:2b:0b:9e:bb:b7:97:df:6e:f5:2b:d5:ad:05" and 1479081600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55417,13 +55417,13 @@ rule REVERSINGLABS_Cert_Blocklist_25F222Ab2613Dc4270B2Aabc2519A101 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4458df2d-82c2-5377-9746-101c2de52913" + id = "5278ee3b-32d0-5bb2-aa6b-a66cc0506a6d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16872-L16888" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2c6673f6821c4ba11fc015cf3e9edefeb7c45209bc9dcd18501c4681444a9b9e" + logic_hash = "v1_sha256_2c6673f6821c4ba11fc015cf3e9edefeb7c45209bc9dcd18501c4681444a9b9e" score = 75 quality = 90 tags = "INFO, FILE" @@ -55433,7 +55433,7 @@ rule REVERSINGLABS_Cert_Blocklist_25F222Ab2613Dc4270B2Aabc2519A101 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Aeroscan TOV" and pe.signatures[i].serial=="25:f2:22:ab:26:13:dc:42:70:b2:aa:bc:25:19:a1:01" and 1445299200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Aeroscan TOV" and pe.signatures [ i ] . serial == "25:f2:22:ab:26:13:dc:42:70:b2:aa:bc:25:19:a1:01" and 1445299200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55442,13 +55442,13 @@ rule REVERSINGLABS_Cert_Blocklist_212Ca239866F88C3D5B000B3004A569C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b433cddc-25c3-5627-99b5-ff9bc7fa73ed" + id = "4010ffe7-2b73-5458-bb75-96d6d8c8bd8f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16890-L16906" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "23ab2343b17dce74fb4166a690ca5dd300b3ed20d3a6b43b922f456410d3035d" + logic_hash = "v1_sha256_23ab2343b17dce74fb4166a690ca5dd300b3ed20d3a6b43b922f456410d3035d" score = 75 quality = 90 tags = "INFO, FILE" @@ -55458,7 +55458,7 @@ rule REVERSINGLABS_Cert_Blocklist_212Ca239866F88C3D5B000B3004A569C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "XECURE LAB CO., LTD." and pe.signatures[i].serial=="21:2c:a2:39:86:6f:88:c3:d5:b0:00:b3:00:4a:56:9c" and 1347840000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "XECURE LAB CO., LTD." and pe.signatures [ i ] . serial == "21:2c:a2:39:86:6f:88:c3:d5:b0:00:b3:00:4a:56:9c" and 1347840000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55467,13 +55467,13 @@ rule REVERSINGLABS_Cert_Blocklist_18B700A319Aa98Ae71B279D4E8030B82 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8d1a98aa-a895-5e79-905c-760166352d4f" + id = "77ac5c41-8b2c-51ea-8f41-0d0863cbe4df" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16908-L16924" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "e201498acfd9afebc68321887a806bb5c1d74c64a7cd93530feae2a944bd30fa" + logic_hash = "v1_sha256_e201498acfd9afebc68321887a806bb5c1d74c64a7cd93530feae2a944bd30fa" score = 75 quality = 90 tags = "INFO, FILE" @@ -55483,7 +55483,7 @@ rule REVERSINGLABS_Cert_Blocklist_18B700A319Aa98Ae71B279D4E8030B82 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="18:b7:00:a3:19:aa:98:ae:71:b2:79:d4:e8:03:0b:82" and 1479686400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "18:b7:00:a3:19:aa:98:ae:71:b2:79:d4:e8:03:0b:82" and 1479686400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55492,13 +55492,13 @@ rule REVERSINGLABS_Cert_Blocklist_169138A86954Be1D9B264F47 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "56653f72-39af-50e7-9908-e516f9b21084" + id = "15f910d8-1283-5271-a378-a9282f8418b8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16926-L16942" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1584e39b4e2025611bcb7bbbd92b97d25d12ddbb1e5c282db87730a03f7f56b1" + logic_hash = "v1_sha256_1584e39b4e2025611bcb7bbbd92b97d25d12ddbb1e5c282db87730a03f7f56b1" score = 75 quality = 90 tags = "INFO, FILE" @@ -55508,7 +55508,7 @@ rule REVERSINGLABS_Cert_Blocklist_169138A86954Be1D9B264F47 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="16:91:38:a8:69:54:be:1d:9b:26:4f:47" and 1477636474<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "16:91:38:a8:69:54:be:1d:9b:26:4f:47" and 1477636474 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55517,13 +55517,13 @@ rule REVERSINGLABS_Cert_Blocklist_33412168Eeb3C0E4C7Dd0508A9Ffecd5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "db2ae33e-d3af-5200-ad15-824e29434e2c" + id = "22b40c83-1572-55c4-9150-7eb2dcac852b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16944-L16960" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d634af0637c3349fe1718ee807b8a75007ab46b141494331901a22ce54e9fc5d" + logic_hash = "v1_sha256_d634af0637c3349fe1718ee807b8a75007ab46b141494331901a22ce54e9fc5d" score = 75 quality = 90 tags = "INFO, FILE" @@ -55533,7 +55533,7 @@ rule REVERSINGLABS_Cert_Blocklist_33412168Eeb3C0E4C7Dd0508A9Ffecd5 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures[i].serial=="33:41:21:68:ee:b3:c0:e4:c7:dd:05:08:a9:ff:ec:d5" and 1467590400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Beijing Caiyunshidai Technology Co., Ltd." and pe.signatures [ i ] . serial == "33:41:21:68:ee:b3:c0:e4:c7:dd:05:08:a9:ff:ec:d5" and 1467590400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55542,13 +55542,13 @@ rule REVERSINGLABS_Cert_Blocklist_422Ab71Ac7Fb125Ad7171B0C99510B0E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "002e344e-a073-5d00-9488-d73fad51c66a" + id = "8a0209eb-1d20-5d1d-a4fc-a29ed279ea46" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16962-L16978" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "7366e5064a9a9f66260730575327e404eadea096ba3f6cf28c83c47bef9bca58" + logic_hash = "v1_sha256_7366e5064a9a9f66260730575327e404eadea096ba3f6cf28c83c47bef9bca58" score = 75 quality = 90 tags = "INFO, FILE" @@ -55558,7 +55558,7 @@ rule REVERSINGLABS_Cert_Blocklist_422Ab71Ac7Fb125Ad7171B0C99510B0E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="42:2a:b7:1a:c7:fb:12:5a:d7:17:1b:0c:99:51:0b:0e" and 1475193600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "42:2a:b7:1a:c7:fb:12:5a:d7:17:1b:0c:99:51:0b:0e" and 1475193600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55567,13 +55567,13 @@ rule REVERSINGLABS_Cert_Blocklist_6F18946E5B773B7E32D9E7B4Fb8D434C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "53205508-568c-5356-9717-2915c8f3806c" + id = "c0044a6d-3b98-5a14-9ee5-3d88bdceb912" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16980-L16996" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fa285c17b43d1acdb05888074ecb16047209ade8f7f6191274f58eca7438dadf" + logic_hash = "v1_sha256_fa285c17b43d1acdb05888074ecb16047209ade8f7f6191274f58eca7438dadf" score = 75 quality = 90 tags = "INFO, FILE" @@ -55583,7 +55583,7 @@ rule REVERSINGLABS_Cert_Blocklist_6F18946E5B773B7E32D9E7B4Fb8D434C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VECTOR LLC (VEKTOR, OOO)" and pe.signatures[i].serial=="6f:18:94:6e:5b:77:3b:7e:32:d9:e7:b4:fb:8d:43:4c" and 1454716800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VECTOR LLC (VEKTOR, OOO)" and pe.signatures [ i ] . serial == "6f:18:94:6e:5b:77:3b:7e:32:d9:e7:b4:fb:8d:43:4c" and 1454716800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55592,13 +55592,13 @@ rule REVERSINGLABS_Cert_Blocklist_3596Dfc23B9A42C66700982250Da2906 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "15c3551f-7b08-5e7f-a540-68b3eccac316" + id = "9215ee37-3c56-54f0-8031-506e51caeb7a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16998-L17014" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "1b69bf520fde5255069cf8752d5c67716e9bc297ddde1566551a563a563197ea" + logic_hash = "v1_sha256_1b69bf520fde5255069cf8752d5c67716e9bc297ddde1566551a563a563197ea" score = 75 quality = 90 tags = "INFO, FILE" @@ -55608,7 +55608,7 @@ rule REVERSINGLABS_Cert_Blocklist_3596Dfc23B9A42C66700982250Da2906 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Open Source Developer, Song WU" and pe.signatures[i].serial=="35:96:df:c2:3b:9a:42:c6:67:00:98:22:50:da:29:06" and 1397219344<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Open Source Developer, Song WU" and pe.signatures [ i ] . serial == "35:96:df:c2:3b:9a:42:c6:67:00:98:22:50:da:29:06" and 1397219344 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55617,13 +55617,13 @@ rule REVERSINGLABS_Cert_Blocklist_486Bbddc8C5Ee99F051Ecaeb3F99D2A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "07b43dd7-e8f1-5b14-a0f4-42294b5b597e" + id = "c6a2a350-8969-5785-af6a-3e2707dbd867" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17016-L17032" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "75855e26ba4e01b56a551a006e789c6032cfb02c6f6125a9bdf8becb848db5b2" + logic_hash = "v1_sha256_75855e26ba4e01b56a551a006e789c6032cfb02c6f6125a9bdf8becb848db5b2" score = 75 quality = 90 tags = "INFO, FILE" @@ -55633,7 +55633,7 @@ rule REVERSINGLABS_Cert_Blocklist_486Bbddc8C5Ee99F051Ecaeb3F99D2A3 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="48:6b:bd:dc:8c:5e:e9:9f:05:1e:ca:eb:3f:99:d2:a3" and 1473292800<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "48:6b:bd:dc:8c:5e:e9:9f:05:1e:ca:eb:3f:99:d2:a3" and 1473292800 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55642,13 +55642,13 @@ rule REVERSINGLABS_Cert_Blocklist_11211Eea9D0D1D1A325B5Eae1B2B1951120F : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "09b8b3f3-a4aa-5584-b8d0-751cc87267bf" + id = "43b52d35-93b4-5fea-9d0e-fd0e20b3884d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17034-L17050" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bafab986605be61d25a6764042937bc5d8c55196ea8ea9aa9360764d9681351b" + logic_hash = "v1_sha256_bafab986605be61d25a6764042937bc5d8c55196ea8ea9aa9360764d9681351b" score = 75 quality = 90 tags = "INFO, FILE" @@ -55658,7 +55658,7 @@ rule REVERSINGLABS_Cert_Blocklist_11211Eea9D0D1D1A325B5Eae1B2B1951120F : INFO FI importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "LLC HERMES" and pe.signatures[i].serial=="11:21:1e:ea:9d:0d:1d:1a:32:5b:5e:ae:1b:2b:19:51:12:0f" and 1460147212<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "LLC HERMES" and pe.signatures [ i ] . serial == "11:21:1e:ea:9d:0d:1d:1a:32:5b:5e:ae:1b:2b:19:51:12:0f" and 1460147212 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55667,13 +55667,13 @@ rule REVERSINGLABS_Cert_Blocklist_172Fea8Cb06Ffced6Bfac7F2F6B77754 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0890bf55-ebd5-5b68-8047-14692a5f1ae7" + id = "25b24b0e-16de-568b-8138-ee26211bbc8c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17052-L17068" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8e1e3e7d002ce084600c5444dc9b0bad8771370cb7919a3bb5ebc899040e4cf2" + logic_hash = "v1_sha256_8e1e3e7d002ce084600c5444dc9b0bad8771370cb7919a3bb5ebc899040e4cf2" score = 75 quality = 90 tags = "INFO, FILE" @@ -55683,7 +55683,7 @@ rule REVERSINGLABS_Cert_Blocklist_172Fea8Cb06Ffced6Bfac7F2F6B77754 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Xin Zhou" and pe.signatures[i].serial=="17:2f:ea:8c:b0:6f:fc:ed:6b:fa:c7:f2:f6:b7:77:54" and 1467936000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Xin Zhou" and pe.signatures [ i ] . serial == "17:2f:ea:8c:b0:6f:fc:ed:6b:fa:c7:f2:f6:b7:77:54" and 1467936000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55692,13 +55692,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Ee50Bb98Fadca2D662A0920E76685A2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5c35c73e-e4f6-5707-ad91-1db7c0a0ec81" + id = "91cbe98e-d04b-556b-b9af-9c9e5a927587" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17070-L17086" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "d232923ed962fbf4a9a30890778c2380d6c6967a693c6f77c2f558bb4347e60e" + logic_hash = "v1_sha256_d232923ed962fbf4a9a30890778c2380d6c6967a693c6f77c2f558bb4347e60e" score = 75 quality = 90 tags = "INFO, FILE" @@ -55708,7 +55708,7 @@ rule REVERSINGLABS_Cert_Blocklist_3Ee50Bb98Fadca2D662A0920E76685A2 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ABDULKADIR SAHIN" and pe.signatures[i].serial=="3e:e5:0b:b9:8f:ad:ca:2d:66:2a:09:20:e7:66:85:a2" and 1330041600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ABDULKADIR SAHIN" and pe.signatures [ i ] . serial == "3e:e5:0b:b9:8f:ad:ca:2d:66:2a:09:20:e7:66:85:a2" and 1330041600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55717,13 +55717,13 @@ rule REVERSINGLABS_Cert_Blocklist_21Bfddb6A66435D1Adce2Ceb23Ed7C9A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2009c47b-8a15-50fd-a229-5e34244ede1f" + id = "c1c1a81c-4cff-5522-a920-0f2cc68b31b2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17088-L17104" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "22ad68974a1c6729da369c26372ba93c25ddf68df880580c727bf2d3ee2d3a86" + logic_hash = "v1_sha256_22ad68974a1c6729da369c26372ba93c25ddf68df880580c727bf2d3ee2d3a86" score = 75 quality = 90 tags = "INFO, FILE" @@ -55733,7 +55733,7 @@ rule REVERSINGLABS_Cert_Blocklist_21Bfddb6A66435D1Adce2Ceb23Ed7C9A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE6\\x9D\\xA8\\xE6\\xB7\\x87\\xE6\\x99\\xBA" and pe.signatures[i].serial=="21:bf:dd:b6:a6:64:35:d1:ad:ce:2c:eb:23:ed:7c:9a" and 1395297334<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE6\\x9D\\xA8\\xE6\\xB7\\x87\\xE6\\x99\\xBA" and pe.signatures [ i ] . serial == "21:bf:dd:b6:a6:64:35:d1:ad:ce:2c:eb:23:ed:7c:9a" and 1395297334 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55742,13 +55742,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B1C3F7Bbaa91Ca49B06A5C1004Ee5Be : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b78e7f2b-8122-5df6-ad79-393db9e0498d" + id = "e33a0889-2d9c-51af-b7ce-8dd878e9e958" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17106-L17122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9a8d9acc87668a6fbd9fdd52b6ef69d18de8f19d8f3d3ca8eeb630c6e8c25c65" + logic_hash = "v1_sha256_9a8d9acc87668a6fbd9fdd52b6ef69d18de8f19d8f3d3ca8eeb630c6e8c25c65" score = 75 quality = 90 tags = "INFO, FILE" @@ -55758,7 +55758,7 @@ rule REVERSINGLABS_Cert_Blocklist_5B1C3F7Bbaa91Ca49B06A5C1004Ee5Be : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Jin Yuguang" and pe.signatures[i].serial=="5b:1c:3f:7b:ba:a9:1c:a4:9b:06:a5:c1:00:4e:e5:be" and 1440643213<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Jin Yuguang" and pe.signatures [ i ] . serial == "5b:1c:3f:7b:ba:a9:1c:a4:9b:06:a5:c1:00:4e:e5:be" and 1440643213 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55767,13 +55767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A2089 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "51e603bb-ef21-55e8-8f2b-94865f1213c9" + id = "bcb3dc52-b157-50fe-a3f7-4b212a893f24" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17124-L17140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "07ce4d39af1e56fbbfa400cf139956826999043480f93c0fc43ed056f6420d7f" + logic_hash = "v1_sha256_07ce4d39af1e56fbbfa400cf139956826999043480f93c0fc43ed056f6420d7f" score = 75 quality = 90 tags = "INFO, FILE" @@ -55783,7 +55783,7 @@ rule REVERSINGLABS_Cert_Blocklist_0A2089 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "RocketMedia S.r.l." and pe.signatures[i].serial=="0a:20:89" and 1050073884<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "RocketMedia S.r.l." and pe.signatures [ i ] . serial == "0a:20:89" and 1050073884 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55792,13 +55792,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F84E030A0Ed10D5Ffe2B81B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "170dae5a-ed7e-5f20-9ccd-94724e4b2084" + id = "9332b833-3c37-5bbf-90a3-e73ae63e9b37" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17142-L17158" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "097655cb2965ae71efb905ddf20ed30c240d25e03d08a1b6c87b472533ccc9d8" + logic_hash = "v1_sha256_097655cb2965ae71efb905ddf20ed30c240d25e03d08a1b6c87b472533ccc9d8" score = 75 quality = 90 tags = "INFO, FILE" @@ -55808,7 +55808,7 @@ rule REVERSINGLABS_Cert_Blocklist_1F84E030A0Ed10D5Ffe2B81B : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures[i].serial=="1f:84:e0:30:a0:ed:10:d5:ff:e2:b8:1b" and 1476869735<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "VANKY TECHNOLOGY LIMITED" and pe.signatures [ i ] . serial == "1f:84:e0:30:a0:ed:10:d5:ff:e2:b8:1b" and 1476869735 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55817,13 +55817,13 @@ rule REVERSINGLABS_Cert_Blocklist_88346267057C0A82E2F39851D1B9694C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3be920eb-7b71-53c4-94b7-0ffc88d14c59" + id = "71f13e2d-4280-5788-8e1d-ba17280d1b5a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17160-L17178" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "60acdbad8ad3e1d4a863ce160d93abd0b5e2b214858cba84f7a1b907d2491486" + logic_hash = "v1_sha256_60acdbad8ad3e1d4a863ce160d93abd0b5e2b214858cba84f7a1b907d2491486" score = 75 quality = 90 tags = "INFO, FILE" @@ -55833,7 +55833,7 @@ rule REVERSINGLABS_Cert_Blocklist_88346267057C0A82E2F39851D1B9694C : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Hudson LLC" and (pe.signatures[i].serial=="00:88:34:62:67:05:7c:0a:82:e2:f3:98:51:d1:b9:69:4c" or pe.signatures[i].serial=="88:34:62:67:05:7c:0a:82:e2:f3:98:51:d1:b9:69:4c") and 1595376000<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Hudson LLC" and ( pe.signatures [ i ] . serial == "00:88:34:62:67:05:7c:0a:82:e2:f3:98:51:d1:b9:69:4c" or pe.signatures [ i ] . serial == "88:34:62:67:05:7c:0a:82:e2:f3:98:51:d1:b9:69:4c" ) and 1595376000 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55842,13 +55842,13 @@ rule REVERSINGLABS_Cert_Blocklist_A46F9D8784778Baa48167C48Bbc56F30 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "72d36a5f-6599-5456-ac67-0589e37bd035" + id = "dd7ec730-dba5-5ccb-ad92-a8e1b0e23451" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17180-L17198" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fffb6309355bc6764b0ab033db5964599c86c9a2f6d8985975a07f6b3ebb40ed" + logic_hash = "v1_sha256_fffb6309355bc6764b0ab033db5964599c86c9a2f6d8985975a07f6b3ebb40ed" score = 75 quality = 90 tags = "INFO, FILE" @@ -55858,7 +55858,7 @@ rule REVERSINGLABS_Cert_Blocklist_A46F9D8784778Baa48167C48Bbc56F30 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Mapping OOO" and (pe.signatures[i].serial=="00:a4:6f:9d:87:84:77:8b:aa:48:16:7c:48:bb:c5:6f:30" or pe.signatures[i].serial=="a4:6f:9d:87:84:77:8b:aa:48:16:7c:48:bb:c5:6f:30") and 1618963200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Mapping OOO" and ( pe.signatures [ i ] . serial == "00:a4:6f:9d:87:84:77:8b:aa:48:16:7c:48:bb:c5:6f:30" or pe.signatures [ i ] . serial == "a4:6f:9d:87:84:77:8b:aa:48:16:7c:48:bb:c5:6f:30" ) and 1618963200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55867,13 +55867,13 @@ rule REVERSINGLABS_Cert_Blocklist_525B5529Db20D17A85Be284D6B7952Ea : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "52cdf082-7212-53e6-9e55-b86153e6afe8" + id = "e91e29fb-961d-59ca-8fac-e2b2666e12a9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17200-L17216" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "8fd406004b634e4826659b1dff88c61074fd321969b9fd63ea45d8e9608b35f1" + logic_hash = "v1_sha256_8fd406004b634e4826659b1dff88c61074fd321969b9fd63ea45d8e9608b35f1" score = 75 quality = 90 tags = "INFO, FILE" @@ -55883,7 +55883,7 @@ rule REVERSINGLABS_Cert_Blocklist_525B5529Db20D17A85Be284D6B7952Ea : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and pe.signatures[i].serial=="52:5b:55:29:db:20:d1:7a:85:be:28:4d:6b:79:52:ea" and 1508198400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and pe.signatures [ i ] . serial == "52:5b:55:29:db:20:d1:7a:85:be:28:4d:6b:79:52:ea" and 1508198400 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55892,13 +55892,13 @@ rule REVERSINGLABS_Cert_Blocklist_70Ae0E517D2Ef6D5Eed06B56730A1A9A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "98c19385-555e-5827-b03c-59645ad2a101" + id = "a49a5912-d381-586f-a930-c1d9afa8f52d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17218-L17234" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "017eed878daf706eb96b638a8d1f4428466bc1d00ce27f32628bd249a658a813" + logic_hash = "v1_sha256_017eed878daf706eb96b638a8d1f4428466bc1d00ce27f32628bd249a658a813" score = 75 quality = 90 tags = "INFO, FILE" @@ -55908,7 +55908,7 @@ rule REVERSINGLABS_Cert_Blocklist_70Ae0E517D2Ef6D5Eed06B56730A1A9A : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Yu Bao" and pe.signatures[i].serial=="70:ae:0e:51:7d:2e:f6:d5:ee:d0:6b:56:73:0a:1a:9a" and 1475193600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Yu Bao" and pe.signatures [ i ] . serial == "70:ae:0e:51:7d:2e:f6:d5:ee:d0:6b:56:73:0a:1a:9a" and 1475193600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55917,13 +55917,13 @@ rule REVERSINGLABS_Cert_Blocklist_57C3717C5E2Ce9A2E0Cf0340C03F458E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "47207784-5aee-5fa3-bed9-2c12d9932c38" + id = "405a5f4b-8f23-5d81-81d6-41c18a310cb7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17236-L17252" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "fd710146874528c43ad8a9f847b7704c44ba4564cf79e20e6b23aa98b0ee2ea5" + logic_hash = "v1_sha256_fd710146874528c43ad8a9f847b7704c44ba4564cf79e20e6b23aa98b0ee2ea5" score = 75 quality = 90 tags = "INFO, FILE" @@ -55933,7 +55933,7 @@ rule REVERSINGLABS_Cert_Blocklist_57C3717C5E2Ce9A2E0Cf0340C03F458E : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "Citizen Travel Ltd" and pe.signatures[i].serial=="57:c3:71:7c:5e:2c:e9:a2:e0:cf:03:40:c0:3f:45:8e" and 1450915200<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "Citizen Travel Ltd" and pe.signatures [ i ] . serial == "57:c3:71:7c:5e:2c:e9:a2:e0:cf:03:40:c0:3f:45:8e" and 1450915200 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55942,13 +55942,13 @@ rule REVERSINGLABS_Cert_Blocklist_0761110Efe0B688C469D687512828C1F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e8575a71-124b-5040-91b1-ccad371e10da" + id = "00c04b44-9b83-59b6-a64f-b27e7b61e65d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17254-L17270" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0ba60e1f58c7335ba5aa261031d09ee83a0ee51e05f8f26078b2a5c776ad0add" + logic_hash = "v1_sha256_0ba60e1f58c7335ba5aa261031d09ee83a0ee51e05f8f26078b2a5c776ad0add" score = 75 quality = 90 tags = "INFO, FILE" @@ -55958,7 +55958,7 @@ rule REVERSINGLABS_Cert_Blocklist_0761110Efe0B688C469D687512828C1F : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "ENP Games Co., Ltd." and pe.signatures[i].serial=="07:61:11:0e:fe:0b:68:8c:46:9d:68:75:12:82:8c:1f" and 1433721600<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "ENP Games Co., Ltd." and pe.signatures [ i ] . serial == "07:61:11:0e:fe:0b:68:8c:46:9d:68:75:12:82:8c:1f" and 1433721600 <= pe.signatures [ i ] . not_after ) } import "pe" 
@@ -55967,13 +55967,13 @@ rule REVERSINGLABS_Cert_Blocklist_08Aa03F385F870E3A6D243B74B1Dadf6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "64aa17fe-676d-5c6e-babc-15b5e8dc72bb" + id = "db67a5aa-7fa5-5f11-8add-b7cb75ee6c8a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17272-L17288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ef49a28a93d31c55dd2dfd3bec645f757a0a1a7eb8718ce92cf47bf9af126aed" + logic_hash = "v1_sha256_ef49a28a93d31c55dd2dfd3bec645f757a0a1a7eb8718ce92cf47bf9af126aed" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55983,20 +55983,20 @@ rule REVERSINGLABS_Cert_Blocklist_08Aa03F385F870E3A6D243B74B1Dadf6 : INFO FILE importance = 25 condition: - uint16(0)==0x5A4D and for any i in (0..pe.number_of_signatures) : (pe.signatures[i].subject contains "\\xE4\\xB8\\x9C\\xE8\\x8E\\x9E\\xE5\\xB8\\x82\\xE8\\x85\\xBE\\xE4\\xBA\\x91\\xE8\\xAE\\xA1\\xE7\\xAE\\x97\\xE6\\x9C\\xBA\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures[i].serial=="08:aa:03:f3:85:f8:70:e3:a6:d2:43:b7:4b:1d:ad:f6" and 1352678400<=pe.signatures[i].not_after) + uint16( 0 ) == 0x5A4D and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . subject contains "\\xE4\\xB8\\x9C\\xE8\\x8E\\x9E\\xE5\\xB8\\x82\\xE8\\x85\\xBE\\xE4\\xBA\\x91\\xE8\\xAE\\xA1\\xE7\\xAE\\x97\\xE6\\x9C\\xBA\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and pe.signatures [ i ] . serial == "08:aa:03:f3:85:f8:70:e3:a6:d2:43:b7:4b:1d:ad:f6" and 1352678400 <= pe.signatures [ i ] . not_after ) } rule REVERSINGLABS_Bytecode_MSIL_Infostealer_Gomorrahstealer : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects GomorrahStealer infostealer." author = "ReversingLabs" - id = "f3c14d23-47a2-5b09-8f48-0c2f9350516a" + id = "b4125be8-065c-5e79-a077-eb64d74b6c24" date = "2024-11-27" modified = "2024-11-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/ByteCode.MSIL.Infostealer.GomorrahStealer.yara#L1-L111" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "75d86ea2ef9f24487ef54979508170651cd60abba6daa4c3117e20a77bb3b086" + logic_hash = "v1_sha256_75d86ea2ef9f24487ef54979508170651cd60abba6daa4c3117e20a77bb3b086" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56080,20 +56080,20 @@ rule REVERSINGLABS_Bytecode_MSIL_Infostealer_Gomorrahstealer : TC_DETECTION MALI } condition: - uint16(0)==0x5A4D and ($get_browser_autofill_data) and ($get_browser_cookies) and ($take_screenshot) and ($get_antivirus_information) and ($get_browser_history) + uint16( 0 ) == 0x5A4D and ( $get_browser_autofill_data ) and ( $get_browser_cookies ) and ( $take_screenshot ) and ( $get_antivirus_information ) and ( $get_browser_history ) } rule REVERSINGLABS_Win64_Infostealer_Daolpu : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects Daolpu infostealer." author = "ReversingLabs" - id = "bf815556-6ccf-506a-b858-5f4c18282c05" + id = "3ef2721e-f125-554a-aa22-c324870cca9b" date = "2024-08-26" modified = "2024-08-26" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win64.Infostealer.Daolpu.yara#L1-L322" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "5ffd0427c6c8e666cfabc48426e7771595a7024548706f37a1de3538e4e2d559" + logic_hash = "v1_sha256_5ffd0427c6c8e666cfabc48426e7771595a7024548706f37a1de3538e4e2d559" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56378,20 +56378,20 @@ rule REVERSINGLABS_Win64_Infostealer_Daolpu : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and (($network_communication) and ( all of ($find_sensitive_files_p*)) and ( all of ($parse_firefox_configuration_p*)) and ( all of ($collect_browser_passwords_p*)) and ( all of ($collect_cookies_p*))) + uint16( 0 ) == 0x5A4D and ( ( $network_communication ) and ( all of ( $find_sensitive_files_p* ) ) and ( all of ( $parse_firefox_configuration_p* ) ) and ( all of ( $collect_browser_passwords_p* ) ) and ( all of ( $collect_cookies_p* ) ) ) } rule REVERSINGLABS_Win32_Infostealer_Lumarstealer : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects LumarStealer infostealer." author = "ReversingLabs" - id = "a1358846-7cc2-53ac-89a9-c6c99f492284" + id = "1f7206a7-3f3f-54f8-b0ff-741ac988d5e1" date = "2023-12-07" modified = "2023-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win32.Infostealer.LumarStealer.yara#L1-L190" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "0bc9e12396b1e85f69b965e9ea50960c59c50aba40317fb4de8f6abd092ec7d2" + logic_hash = "v1_sha256_0bc9e12396b1e85f69b965e9ea50960c59c50aba40317fb4de8f6abd092ec7d2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56553,20 +56553,20 @@ rule REVERSINGLABS_Win32_Infostealer_Lumarstealer : TC_DETECTION MALICIOUS MALWA } condition: - uint16(0)==0x5A4D and ( all of ($collect_os_information_p*)) and ( all of ($send_data_to_c2_p*)) and ( all of ($find_files_p*)) and ( all of ($find_crypto_wallets_*)) + uint16( 0 ) == 0x5A4D and ( all of ( $collect_os_information_p* ) ) and ( all of ( $send_data_to_c2_p* ) ) and ( all of ( $find_files_p* ) ) and ( all of ( $find_crypto_wallets_* ) ) } rule REVERSINGLABS_Win32_Infostealer_Stealc : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects StealC infostealer." author = "ReversingLabs" - id = "b53bbf15-3e94-513c-91a9-83dda421063b" + id = "f8e00c44-6860-539b-8a54-09434ea67ef1" date = "2023-06-07" modified = "2023-06-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win32.Infostealer.StealC.yara#L1-L57" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "bea1cf370150387eb185deff726e10e660e7eb571c20d22878def08b36f457bf" + logic_hash = "v1_sha256_bea1cf370150387eb185deff726e10e660e7eb571c20d22878def08b36f457bf" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56604,20 +56604,20 @@ rule REVERSINGLABS_Win32_Infostealer_Stealc : TC_DETECTION MALICIOUS MALWARE FIL } condition: - uint16(0)==0x5A4D and ($resolve_windows_api) and ($load_sqlite3_functions) and ($check_license_expiration_date) + uint16( 0 ) == 0x5A4D and ( $resolve_windows_api ) and ( $load_sqlite3_functions ) and ( $check_license_expiration_date ) } rule REVERSINGLABS_Win32_Infostealer_Multigrainpos : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects MultigrainPOS infostealer." author = "ReversingLabs" - id = "595c04af-802f-556d-b22b-23cac79b256e" + id = "867670fd-531e-5ea8-bbf2-3c10f887d1b4" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara#L1-L88" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "9808c95b850a54677c4132057b8372cabf0159920b7e0e6834a83f0d39c088fa" + logic_hash = "v1_sha256_9808c95b850a54677c4132057b8372cabf0159920b7e0e6834a83f0d39c088fa" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56688,20 +56688,20 @@ rule REVERSINGLABS_Win32_Infostealer_Multigrainpos : TC_DETECTION MALICIOUS MALW } condition: - uint16(0)==0x5A4D and (($data_exfiltration_v10_1 and $memory_scraping_v10_1 and $process_search_v10_1 and $service_creation_v10_1) or ($process_search_v11_1 and $memory_scraping_v11_1 and $data_exfiltration_v11_1 and $service_creation_v11_1)) + uint16( 0 ) == 0x5A4D and ( ( $data_exfiltration_v10_1 and $memory_scraping_v10_1 and $process_search_v10_1 and $service_creation_v10_1 ) or ( $process_search_v11_1 and $memory_scraping_v11_1 and $data_exfiltration_v11_1 and $service_creation_v11_1 ) ) } rule REVERSINGLABS_Win32_Infostealer_Projecthookpos : TC_DETECTION MALICIOUS MALWARE FILE { meta: description = "Yara rule that detects ProjectHookPOS infostealer." author = "ReversingLabs" - id = "dcb96a99-c8c0-5878-a3a5-fe3cfeec43c6" + id = "b1dc1c2f-d5f4-53d5-8b1e-699e1878d033" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara#L1-L98" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "b7534c9e905256aaf80f04b746a92c50689437b288f7e393ef13fde1740c4a4e" + logic_hash = "v1_sha256_b7534c9e905256aaf80f04b746a92c50689437b288f7e393ef13fde1740c4a4e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -56783,7 +56783,7 @@ rule REVERSINGLABS_Win32_Infostealer_Projecthookpos : TC_DETECTION MALICIOUS MAL } condition: - uint16(0)==0x5A4D and ($calc_luhn and $track_1_reverse and $check_validity_1 and $encode_and_send_1 and $form_create_1 and $form_create_2 and $form_create_3) + uint16( 0 ) == 0x5A4D and ( $calc_luhn and $track_1_reverse and $check_validity_1 and $encode_and_send_1 and $form_create_1 and $form_create_2 and $form_create_3 ) } import "pe" 
@@ -56792,13 +56792,13 @@ rule REVERSINGLABS_Win32_Virus_Elerad : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Elerad virus." author = "ReversingLabs" - id = "0307a136-ea2c-584c-bfda-f41e2c46fd09" + id = "de786e90-72b0-5eed-a379-f685388f96f4" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Elerad.yara#L3-L33" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "930594bf99daf55ef02542ce7b393c1c23ead75946b3da3b555102a2e7142e33" + logic_hash = "v1_sha256_930594bf99daf55ef02542ce7b393c1c23ead75946b3da3b555102a2e7142e33" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -56821,7 +56821,7 @@ rule REVERSINGLABS_Win32_Virus_Elerad : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($elerad_body at pe.entry_point) + uint16( 0 ) == 0x5A4D and ( $elerad_body at pe.entry_point ) } import "pe" 
@@ -56830,13 +56830,13 @@ rule REVERSINGLABS_Win32_Virus_Mocket : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Mocket virus." author = "ReversingLabs" - id = "878c2162-9a79-52e6-af7b-95f9667f9e78" + id = "d0ef9e50-0964-5811-98df-e2698b7aed0b" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Mocket.yara#L3-L58" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "af16974396efe7a1a46aa39b812482dcc49d0fe95db6640c1703db479e7ea9dc" + logic_hash = "v1_sha256_af16974396efe7a1a46aa39b812482dcc49d0fe95db6640c1703db479e7ea9dc" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -56883,7 +56883,7 @@ rule REVERSINGLABS_Win32_Virus_Mocket : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($mocket_body_1 at pe.entry_point) and $mocket_body_2 and $mocket_body_3 + uint16( 0 ) == 0x5A4D and ( $mocket_body_1 at pe.entry_point ) and $mocket_body_2 and $mocket_body_3 } import "pe" 
@@ -56892,13 +56892,13 @@ rule REVERSINGLABS_Win32_Virus_Greenp : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Greenp virus." author = "ReversingLabs" - id = "5751e91c-652b-59bd-93b8-ece677ad4911" + id = "9082ed95-7709-50f3-ac8d-e83588f916b9" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Greenp.yara#L3-L46" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "ca6df34ee2ad9d93e35b0d1a2d4765f681f3981ffe2786bbc822c3090212fd02" + logic_hash = "v1_sha256_ca6df34ee2ad9d93e35b0d1a2d4765f681f3981ffe2786bbc822c3090212fd02" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -56934,7 +56934,7 @@ rule REVERSINGLABS_Win32_Virus_Greenp : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($greenp_body_1 at pe.entry_point) and $greenp_body_2 + uint16( 0 ) == 0x5A4D and ( $greenp_body_1 at pe.entry_point ) and $greenp_body_2 } import "pe" 
@@ -56943,13 +56943,13 @@ rule REVERSINGLABS_Win32_Virus_Cmay : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Cmay virus." author = "ReversingLabs" - id = "d61e09f1-1d3f-5e1e-9884-25f1a465e88d" + id = "e8597e05-e609-5061-8b7a-5baff08ba291" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Cmay.yara#L3-L73" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "f3bdf772eb80c632a913621732d12ae4a02bc7d3ba41f51711aa329be2ca6220" + logic_hash = "v1_sha256_f3bdf772eb80c632a913621732d12ae4a02bc7d3ba41f51711aa329be2ca6220" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -57010,7 +57010,7 @@ rule REVERSINGLABS_Win32_Virus_Cmay : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($cmay_body_1 at pe.entry_point) and $cmay_body_2 + uint16( 0 ) == 0x5A4D and ( $cmay_body_1 at pe.entry_point ) and $cmay_body_2 } import "elf" 
@@ -57019,14 +57019,14 @@ rule REVERSINGLABS_Linux_Virus_Vit : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Vit virus." author = "ReversingLabs" - id = "4515fe43-4c5a-521d-82b7-273823f0c64e" - date = "2024-12-08" - date = "2024-12-08" + id = "744a8269-5855-5222-ad8f-525c5d0534e6" + date = "2024-12-15" + date = "2024-12-15" modified = "2023-06-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Linux.Virus.Vit.yara#L3-L36" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "2fba7a081dfca85aee5c7f3b33414b799ed52ca6aa5bbf031da040aaa75acde9" + logic_hash = "v1_sha256_2fba7a081dfca85aee5c7f3b33414b799ed52ca6aa5bbf031da040aaa75acde9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -57050,7 +57050,7 @@ rule REVERSINGLABS_Linux_Virus_Vit : TC_DETECTION MALICIOUS MALWARE FILE $vit_str = "vi324.tmp" condition: - uint32(0)==0x464C457F and $vit_entry_point at elf.entry_point and $vit_str + uint32( 0 ) == 0x464C457F and $vit_entry_point at elf.entry_point and $vit_str } import "pe" 
@@ -57059,13 +57059,13 @@ rule REVERSINGLABS_Win32_Virus_Deadcode : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects DeadCode virus." author = "ReversingLabs" - id = "89ec2e39-a163-5ba6-9b19-9c94b1923d47" + id = "56101239-8d9d-519a-9548-2751b7c54e0f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.DeadCode.yara#L3-L76" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "6ac2e48daaed222f0a19afd4d03a02834705e0e3762db3217f68569554171846" + logic_hash = "v1_sha256_6ac2e48daaed222f0a19afd4d03a02834705e0e3762db3217f68569554171846" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -57123,7 +57123,7 @@ rule REVERSINGLABS_Win32_Virus_Deadcode : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ((($deadcode_ep_1 at pe.entry_point) and ($deadcode_marker at 0x40)) or (($deadcode_ep_2 at pe.entry_point) and ($deadcode_marker at 0x40)) or (($deadcode_ep_3 at pe.entry_point) and ($deadcode_marker at 0x40)) or ($deadcode_body_1 and $deadcode_body_2)) + uint16( 0 ) == 0x5A4D and ( ( ( $deadcode_ep_1 at pe.entry_point ) and ( $deadcode_marker at 0x40 ) ) or ( ( $deadcode_ep_2 at pe.entry_point ) and ( $deadcode_marker at 0x40 ) ) or ( ( $deadcode_ep_3 at pe.entry_point ) and ( $deadcode_marker at 0x40 ) ) or ( $deadcode_body_1 and $deadcode_body_2 ) ) } import "pe" 
@@ -57132,13 +57132,13 @@ rule REVERSINGLABS_Win32_Virus_Negt : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Negt virus." author = "ReversingLabs" - id = "80e83105-dd98-5fad-9119-f851ec3199af" + id = "cf1c0932-76f9-5725-bbe4-37a56fba372b" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Negt.yara#L3-L94" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "43057ef111fc505678606386c8d428653da391f4b65844d81479ca05e3517346" + logic_hash = "v1_sha256_43057ef111fc505678606386c8d428653da391f4b65844d81479ca05e3517346" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -57216,7 +57216,7 @@ rule REVERSINGLABS_Win32_Virus_Negt : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and (($negt_infector at pe.entry_point) or (($negt_body_and_infector_1 at pe.entry_point) and $negt_body_and_infector_2 and $negt_body_and_infector_3 and $negt_body_and_infector_4)) + uint16( 0 ) == 0x5A4D and ( ( $negt_infector at pe.entry_point ) or ( ( $negt_body_and_infector_1 at pe.entry_point ) and $negt_body_and_infector_2 and $negt_body_and_infector_3 and $negt_body_and_infector_4 ) ) } import "pe" 
@@ -57225,13 +57225,13 @@ rule REVERSINGLABS_Win32_Virus_Awfull : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Awfull virus." author = "ReversingLabs" - id = "34104923-b401-5d39-883b-aa9a5a8e64f3" + id = "5effb5c5-8574-5d88-a9f2-97bea792460c" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Awfull.yara#L3-L33" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "84a4faee4cbbb3387ad25bd9230c6482b8db461bc008312bc782f23e3df2eae3" + logic_hash = "v1_sha256_84a4faee4cbbb3387ad25bd9230c6482b8db461bc008312bc782f23e3df2eae3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -57254,15 +57254,15 @@ rule REVERSINGLABS_Win32_Virus_Awfull : TC_DETECTION MALICIOUS MALWARE FILE } condition: - uint16(0)==0x5A4D and ($awfull_body at pe.entry_point) + uint16( 0 ) == 0x5A4D and ( $awfull_body at pe.entry_point ) } /* * YARA Rule Set * Repository Name: Elastic * Repository: https://github.com/elastic/protections-artifacts/ - * Retrieval Date: 2024-12-08 - * Git Commit: 8824c8f250f189be8f7caf30dac0d045b7fb8651 - * Number of Rules: 1842 + * Retrieval Date: 2024-12-15 + * Git Commit: 401b9f547292bee56d26a35f5f9d313b0c513e89 + * Number of Rules: 1848 * Skipped: 0 (age), 7 (quality), 0 (score), 0 (importance) * * 
@@ -57372,10 +57372,10 @@ rule ELASTIC_Windows_Trojan_Warmcookie_7D32Fa90 : FILE MEMORY date = "2024-04-29" modified = "2024-05-08" reference = "https://www.elastic.co/security-labs/dipping-into-danger" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_WarmCookie.yar#L1-L32" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_WarmCookie.yar#L1-L32" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13" - logic_hash = "ed3be6e5c6127ef87f9ef6fe35b17815b96706e8e73a393ee9b0a8e3b0cd8f66" + logic_hash = "v1_sha256_ed3be6e5c6127ef87f9ef6fe35b17815b96706e8e73a393ee9b0a8e3b0cd8f66" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57402,7 +57402,7 @@ rule ELASTIC_Windows_Trojan_Warmcookie_7D32Fa90 : FILE MEMORY $decrypt_str6 = "%ls\\*.*" wide fullword condition: - (3 of ($plain*)) or (2 of ($seq*)) or 4 of ($decrypt*) + (3 of ( $plain* ) ) or ( 2 of ( $seq* ) ) or 4 of ( $decrypt* ) } rule ELASTIC_Windows_Trojan_Warmcookie_E8Cd480D : FILE MEMORY { 
@@ -57413,10 +57413,10 @@ rule ELASTIC_Windows_Trojan_Warmcookie_E8Cd480D : FILE MEMORY date = "2024-09-20" modified = "2024-09-30" reference = "https://www.elastic.co/security-labs/dipping-into-danger" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_WarmCookie.yar#L34-L57" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_WarmCookie.yar#L34-L57" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659" - logic_hash = "addbc2e454771592a0ce6e92784ceec3f9c061f2798fe7450ac750cda5734d36" + logic_hash = "v1_sha256_addbc2e454771592a0ce6e92784ceec3f9c061f2798fe7450ac750cda5734d36" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57446,10 +57446,10 @@ rule ELASTIC_Linux_Trojan_Truncpx_894D60F8 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Truncpx.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Truncpx.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2f09f2884fd5d3f5193bfc392656005bce6b935c12b3049ac8eb96862e4645ba" - logic_hash = "9bc0a7fbddac532b53c72681f349bca0370b1fe6fb2d16f539560085b3ec4be3" + logic_hash = "v1_sha256_9bc0a7fbddac532b53c72681f349bca0370b1fe6fb2d16f539560085b3ec4be3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57475,10 +57475,10 @@ rule ELASTIC_Windows_Trojan_Blackshades_9D095C44 : FILE MEMORY date = "2022-02-28" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BlackShades.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BlackShades.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e58e352edaa8ae7f95ab840c53fcaf7f14eb640df9223475304788533713c722" - logic_hash = "2a2e6325d3de9289cc8bc26e1fe89a8fa81d9aae50b92ba2cf21c4cc6556ac9e" + logic_hash = "v1_sha256_2a2e6325d3de9289cc8bc26e1fe89a8fa81d9aae50b92ba2cf21c4cc6556ac9e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57500,7 +57500,7 @@ rule ELASTIC_Windows_Trojan_Blackshades_9D095C44 : FILE MEMORY $b5 = "tmrLiveLogger" ascii fullword condition: - 1 of ($a*) or all of ($b*) + 1 of ( $a* ) or all of ( $b* ) } rule ELASTIC_Windows_Trojan_Blackshades_Be382Dac : FILE MEMORY { 
@@ -57511,10 +57511,10 @@ rule ELASTIC_Windows_Trojan_Blackshades_Be382Dac : FILE MEMORY date = "2022-02-28" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BlackShades.yar#L28-L46" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BlackShades.yar#L28-L46" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e58e352edaa8ae7f95ab840c53fcaf7f14eb640df9223475304788533713c722" - logic_hash = "a13e37e7930d2d1ed1aa4fdeb282f11bfeb7fe008625589e2bfeab0beea43580" + logic_hash = "v1_sha256_a13e37e7930d2d1ed1aa4fdeb282f11bfeb7fe008625589e2bfeab0beea43580" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57540,10 +57540,10 @@ rule ELASTIC_Windows_Exploit_Generic_E95Cc41C : FILE date = "2024-02-28" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_Generic.yar#L1-L32" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_Generic.yar#L1-L32" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d" - logic_hash = "9b620988a6ee84ed0cbb0fb0a3cca633fffc8e6369ed45455e9e1e6c021ea461" + logic_hash = "v1_sha256_9b620988a6ee84ed0cbb0fb0a3cca633fffc8e6369ed45455e9e1e6c021ea461" score = 75 quality = 75 tags = "FILE" 
@@ -57582,10 +57582,10 @@ rule ELASTIC_Windows_Exploit_Generic_008359Cf : FILE date = "2024-02-28" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_Generic.yar#L34-L57" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_Generic.yar#L34-L57" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "73225a3a54560965f4c4fae73f7ee234e31217bc06ff8ba1d0b36ebab5e76a87" - logic_hash = "9514241b5573c8d01ccd012195e29aefc3ef8a12eb982e6dd9ec66b00c064bd8" + logic_hash = "v1_sha256_9514241b5573c8d01ccd012195e29aefc3ef8a12eb982e6dd9ec66b00c064bd8" score = 75 quality = 75 tags = "FILE" @@ -57605,7 +57605,7 @@ rule ELASTIC_Windows_Exploit_Generic_008359Cf : FILE $b4 = "NtDeviceIoControlFile" condition: - 1 of ($a*) and 3 of ($b*) + 1 of ( $a* ) and 3 of ( $b* ) } rule ELASTIC_Windows_Exploit_Generic_8C54846D : FILE { 
@@ -57616,10 +57616,10 @@ rule ELASTIC_Windows_Exploit_Generic_8C54846D : FILE date = "2024-02-29" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_Generic.yar#L59-L87" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_Generic.yar#L59-L87" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b6ea4815a38e606d4a2d6e6d711e610afec084db6899b7d6fc874491dd939495" - logic_hash = "0662c8edb449e15b16be3e53a88cf62af46b4a656c1a49b399e131c2ad71b55a" + logic_hash = "v1_sha256_0662c8edb449e15b16be3e53a88cf62af46b4a656c1a49b399e131c2ad71b55a" score = 75 quality = 71 tags = "FILE" @@ -57644,7 +57644,7 @@ rule ELASTIC_Windows_Exploit_Generic_8C54846D : FILE $b2 = { 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C } condition: - any of ($a*) or all of ($b*) + any of ( $a* ) or all of ( $b* ) } rule ELASTIC_Windows_Trojan_Donutloader_F40E3759 : FILE MEMORY { 
@@ -57655,9 +57655,9 @@ rule ELASTIC_Windows_Trojan_Donutloader_F40E3759 : FILE MEMORY date = "2021-09-15" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Donutloader.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "541a4ca1da41f7cf54dff3fee917b219fadb60fd93a89b93b5efa3c1a57af81d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Donutloader.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_541a4ca1da41f7cf54dff3fee917b219fadb60fd93a89b93b5efa3c1a57af81d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57684,9 +57684,9 @@ rule ELASTIC_Windows_Trojan_Donutloader_5C38878D : FILE MEMORY date = "2021-09-15" modified = "2021-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Donutloader.yar#L21-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "897880d13318027ac5008fe8d008f09780d6fa807d6cc828b57975443358750c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Donutloader.yar#L21-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_897880d13318027ac5008fe8d008f09780d6fa807d6cc828b57975443358750c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57712,10 +57712,10 @@ rule ELASTIC_Windows_Trojan_Donutloader_21E801E0 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Donutloader.yar#L40-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Donutloader.yar#L40-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c3bda62725bb1047d203575bbe033f0f95d4dd6402c05f9d0c69d24bd3224ca6" - logic_hash = "19ef7bc8c7117024ca72956376954254c36eeb673f9379aa00475f763084a169" + logic_hash = "v1_sha256_19ef7bc8c7117024ca72956376954254c36eeb673f9379aa00475f763084a169" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57741,9 +57741,9 @@ rule ELASTIC_Windows_Trojan_Snakekeylogger_Af3Faa65 : FILE MEMORY date = "2021-04-06" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SnakeKeylogger.yar#L1-L32" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "54180a642d40b5366f1b400c347c25dc31397d662d6bb8af33c7d2319c97d3fb" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SnakeKeylogger.yar#L1-L32" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_54180a642d40b5366f1b400c347c25dc31397d662d6bb8af33c7d2319c97d3fb" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -57772,7 +57772,7 @@ rule ELASTIC_Windows_Trojan_Snakekeylogger_Af3Faa65 : FILE MEMORY $c1 = "SNAKE-KEYLOGGER" ascii fullword condition: - 8 of ($a*) or #b1>5 or #c1>5 + 8 of ( $a* ) or #b1 > 5 or #c1 > 5 } rule ELASTIC_Windows_Hacktool_Seatbelt_674Fd535 : FILE MEMORY { 
@@ -57783,10 +57783,10 @@ rule ELASTIC_Windows_Hacktool_Seatbelt_674Fd535 : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Seatbelt.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Seatbelt.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a0e467aacd383727d46e766f1c45b424a6d46248118c155c22c538e8773b3ae7" - logic_hash = "1bff820ec5cc9e56e7be4b290a48628115cc1ace5e41278fa76898bf39ef893e" + logic_hash = "v1_sha256_1bff820ec5cc9e56e7be4b290a48628115cc1ace5e41278fa76898bf39ef893e" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -57808,7 +57808,7 @@ rule ELASTIC_Windows_Hacktool_Seatbelt_674Fd535 : FILE MEMORY $str6 = "(http|ftp|https|file)://([\\w_-]+(?:(?:\\.[\\w_-]+)+))([\\w.,@?^=%&:/~+#-]*[\\w@?^=%&/~+#-])?" ascii wide condition: - $guid or all of ($str*) + $guid or all of ( $str* ) } rule ELASTIC_Linux_Trojan_Subsevux_E9E80C1E : FILE MEMORY { 
@@ -57819,10 +57819,10 @@ rule ELASTIC_Linux_Trojan_Subsevux_E9E80C1E : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Subsevux.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Subsevux.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a4ccd399ea99d4e31fbf2bbf8017c5368d29e630dc2985e90f07c10c980fa084" - logic_hash = "8bc38f26da5a3350cbae3e93b890220bb461ff77e83993a842f68db8f757e435" + logic_hash = "v1_sha256_8bc38f26da5a3350cbae3e93b890220bb461ff77e83993a842f68db8f757e435" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57848,10 +57848,10 @@ rule ELASTIC_Windows_Trojan_Darkcloud_9905Abce : FILE MEMORY date = "2023-05-03" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DarkCloud.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DarkCloud.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "500cb8459c19acd5a1144c4b509c14dbddec74ad623896bfe946fde1cd99a571" - logic_hash = "27d3841d6acf87f5c9c03d643c7859d9eaf42e49ed0241b761f858c669c4e931" + logic_hash = "v1_sha256_27d3841d6acf87f5c9c03d643c7859d9eaf42e49ed0241b761f858c669c4e931" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57878,10 +57878,10 @@ rule ELASTIC_Windows_Trojan_Nanocore_D8C4E3C5 : FILE MEMORY date = "2021-06-13" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Nanocore.yar#L1-L29" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Nanocore.yar#L1-L29" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd" - logic_hash = "fcc13e834cd8a1f86b453fe3c0333cd358e129d6838a339a824f1a095d85552d" + logic_hash = "v1_sha256_fcc13e834cd8a1f86b453fe3c0333cd358e129d6838a339a824f1a095d85552d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57906,7 +57906,7 @@ rule ELASTIC_Windows_Trojan_Nanocore_D8C4E3C5 : FILE MEMORY $b9 = "IClientLoggingHost" ascii fullword condition: - 1 of ($a*) or 6 of ($b*) + 1 of ( $a* ) or 6 of ( $b* ) } rule ELASTIC_Linux_Trojan_Hiddad_E35Bff7B : FILE MEMORY { 
@@ -57917,10 +57917,10 @@ rule ELASTIC_Linux_Trojan_Hiddad_E35Bff7B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Hiddad.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Hiddad.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "22a418e660b5a7a2e0cc1c1f3fe1d150831d75c4fedeed9817a221194522efcf" - logic_hash = "3881222807585dc933cb61473751d13297fa7eb085a50d435d3b680354a35ee9" + logic_hash = "v1_sha256_3881222807585dc933cb61473751d13297fa7eb085a50d435d3b680354a35ee9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57946,10 +57946,10 @@ rule ELASTIC_Linux_Ransomware_Erebus_Ead4F55B : FILE MEMORY date = "2023-07-27" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Erebus.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Erebus.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6558330f07a7c90c40006346ed09e859b588d031193f8a9679fe11a85c8ccb37" - logic_hash = "82e81577372298623ee3ed3583bb18b2c0cfff30abbacf2909e7efca35c83bd7" + logic_hash = "v1_sha256_82e81577372298623ee3ed3583bb18b2c0cfff30abbacf2909e7efca35c83bd7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57977,10 +57977,10 @@ rule ELASTIC_Windows_Vulndriver_Echodrv_D17Ff31C : FILE date = "2023-10-31" modified = "2023-11-03" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_EchoDrv.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_EchoDrv.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9" - logic_hash = "0b2eb3c5da8703749ee63662495d6e8738ccdc353f3ac3df48e25a77312c0da0" + logic_hash = "v1_sha256_0b2eb3c5da8703749ee63662495d6e8738ccdc353f3ac3df48e25a77312c0da0" score = 75 quality = 75 tags = "FILE" @@ -57995,7 +57995,7 @@ rule ELASTIC_Windows_Vulndriver_Echodrv_D17Ff31C : FILE $str1 = "D:\\WACATACC\\Projects\\Programs\\Echo\\x64\\Release\\echo-driver.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $str1 } rule ELASTIC_Windows_Trojan_Deimos_F53Aee03 : FILE MEMORY { 
@@ -58006,10 +58006,10 @@ rule ELASTIC_Windows_Trojan_Deimos_F53Aee03 : FILE MEMORY date = "2021-09-18" modified = "2022-01-13" reference = "https://www.elastic.co/security-labs/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Deimos.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Deimos.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2c1941847f660a99bbc6de16b00e563f70d900f9dbc40c6734871993961d3d3e" - logic_hash = "07675844a8790f8485b6545e7466cdef8ac4f92dec4cd8289aeaad2a0a448691" + logic_hash = "v1_sha256_07675844a8790f8485b6545e7466cdef8ac4f92dec4cd8289aeaad2a0a448691" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58026,7 +58026,7 @@ rule ELASTIC_Windows_Trojan_Deimos_F53Aee03 : FILE MEMORY $a3 = "Deimos" ascii fullword condition: - all of ($a*) + all of ( $a* ) } rule ELASTIC_Windows_Trojan_Deimos_C70677B4 : FILE MEMORY { 
@@ -58037,10 +58037,10 @@ rule ELASTIC_Windows_Trojan_Deimos_C70677B4 : FILE MEMORY date = "2021-09-18" modified = "2022-01-13" reference = "https://www.elastic.co/security-labs/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Deimos.yar#L24-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Deimos.yar#L24-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2c1941847f660a99bbc6de16b00e563f70d900f9dbc40c6734871993961d3d3e" - logic_hash = "c969221f025b114b9d5738d43b6021ab9481dbc6b35eb129ea4f806160b1adc3" + logic_hash = "v1_sha256_c969221f025b114b9d5738d43b6021ab9481dbc6b35eb129ea4f806160b1adc3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58056,7 +58056,7 @@ rule ELASTIC_Windows_Trojan_Deimos_C70677B4 : FILE MEMORY $a2 = { 0C 08 16 1F 68 9D 08 17 1F 77 9D 08 18 1F 69 9D 08 19 1F 64 9D } condition: - 1 of ($a*) + 1 of ( $a* ) } rule ELASTIC_Macos_Infostealer_Mdquerypassw_6125F987 : FILE MEMORY { 
@@ -58067,9 +58067,9 @@ rule ELASTIC_Macos_Infostealer_Mdquerypassw_6125F987 : FILE MEMORY date = "2023-04-11" modified = "2024-08-19" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Infostealer_MdQueryPassw.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "72e0c1a7507733157f93e2bff82e6ec10d50986020eeeb27a02aba5cd8c78a81" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Infostealer_MdQueryPassw.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_72e0c1a7507733157f93e2bff82e6ec10d50986020eeeb27a02aba5cd8c78a81" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -58085,7 +58085,7 @@ rule ELASTIC_Macos_Infostealer_Mdquerypassw_6125F987 : FILE MEMORY $string2 = /kMDItemDisplayName\s{1,50}==\s{1,50}\S{1,50}passw\S{1,50}/ ascii wide nocase condition: - any of ($string1,$string2) + any of ( $string1 , $string2 ) } rule ELASTIC_Linux_Trojan_Rooter_C8D08D3A : FILE MEMORY { 
@@ -58096,10 +58096,10 @@ rule ELASTIC_Linux_Trojan_Rooter_C8D08D3A : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rooter.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rooter.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f55e3aa4d875d8322cdd7caa17aa56e620473fe73c9b5ae0e18da5fbc602a6ba" - logic_hash = "c91f3112cc61acec08ab3cd59bab2ae833ba0d8ac565ffb26a46982f38af0e71" + logic_hash = "v1_sha256_c91f3112cc61acec08ab3cd59bab2ae833ba0d8ac565ffb26a46982f38af0e71" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58125,10 +58125,10 @@ rule ELASTIC_Linux_Trojan_Shark_B918Ab75 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Shark.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Shark.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8b6fe9f496996784e42b75fb42702aa47aefe32eac6f63dd16a0eb55358b6054" - logic_hash = "16302c29f2ae4109b8679933eb7fd9ef9306b0c215f20e8fff992b0b848974a9" + logic_hash = "v1_sha256_16302c29f2ae4109b8679933eb7fd9ef9306b0c215f20e8fff992b0b848974a9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58154,10 +58154,10 @@ rule ELASTIC_Windows_Vulndriver_Procexp_Aeb4E5C0 : FILE date = "2022-04-04" modified = "2022-10-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_ProcExp.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_ProcExp.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - logic_hash = "827bb2efb6d3442233f81e87a42a3f5ee5caaeadc459070c6d347c6515866c93" + logic_hash = "v1_sha256_827bb2efb6d3442233f81e87a42a3f5ee5caaeadc459070c6d347c6515866c93" score = 75 quality = 75 tags = "FILE" @@ -58174,7 +58174,7 @@ rule ELASTIC_Windows_Vulndriver_Procexp_Aeb4E5C0 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\xff][\x00-\xff])([\x00-\x10][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\xff][\x00-\xff])([\x00-\x0f][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\xfe][\x00-\xff])([\x00-\x10][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\xff][\x00-\xff])([\x00-\x10][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xfe][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Trojan_Servhelper_F4Dee200 : FILE MEMORY { 
@@ -58185,10 +58185,10 @@ rule ELASTIC_Windows_Trojan_Servhelper_F4Dee200 : FILE MEMORY date = "2022-03-22" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_ServHelper.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_ServHelper.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "05d183430a7afe16a3857fc4e87568fcc18518e108823c37eabf0514660aa17c" - logic_hash = "abab541ebddf36c05e351d506d4f978a30d8a44ff09233a667d62a1692dabe15" + logic_hash = "v1_sha256_abab541ebddf36c05e351d506d4f978a30d8a44ff09233a667d62a1692dabe15" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58215,10 +58215,10 @@ rule ELASTIC_Windows_Trojan_Servhelper_370C5287 : FILE MEMORY date = "2022-03-24" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_ServHelper.yar#L22-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_ServHelper.yar#L22-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "05d183430a7afe16a3857fc4e87568fcc18518e108823c37eabf0514660aa17c" - logic_hash = "8a2934c28efef6a5fed26dc88d074aee15b0869370c66f6a4d6eaedf070eaa9e" + logic_hash = "v1_sha256_8a2934c28efef6a5fed26dc88d074aee15b0869370c66f6a4d6eaedf070eaa9e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58244,10 +58244,10 @@ rule ELASTIC_Linux_Exploit_CVE_2018_10561_0F246E33 : FILE MEMORY CVE_2018_10561 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2018_10561.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2018_10561.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "eac08c105495e6fadd8651d2e9e650b6feba601ec78f537b17fb0e73f2973a1c" - logic_hash = "2c3785ddfded7128e983f3ec17a9f77c856d903f07e325b08f9f463950576ebe" + logic_hash = "v1_sha256_2c3785ddfded7128e983f3ec17a9f77c856d903f07e325b08f9f463950576ebe" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2018-10561" 
@@ -58273,9 +58273,9 @@ rule ELASTIC_Windows_Ransomware_Thanos_C3522Fd0 : BETA FILE MEMORY date = "2020-11-03" modified = "2021-08-23" reference = "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Thanos.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "00d28aafd242308ad6561547ed8c80dad3086859dacab09ffdd43d436bf9ec52" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Thanos.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_00d28aafd242308ad6561547ed8c80dad3086859dacab09ffdd43d436bf9ec52" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -58293,7 +58293,7 @@ rule ELASTIC_Windows_Ransomware_Thanos_C3522Fd0 : BETA FILE MEMORY $c3 = { 00 2F 00 18 46 00 54 00 50 00 20 00 55 00 73 00 65 00 72 00 4E 00 } condition: - 2 of ($c*) + 2 of ( $c* ) } rule ELASTIC_Windows_Ransomware_Thanos_A6C09942 : BETA FILE MEMORY { 
@@ -58304,9 +58304,9 @@ rule ELASTIC_Windows_Ransomware_Thanos_A6C09942 : BETA FILE MEMORY date = "2020-11-03" modified = "2021-08-23" reference = "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Thanos.yar#L24-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "cecdeb21e041c90769b8fd8431fa87943461c1f7faa5ad15918524b91ba5c792" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Thanos.yar#L24-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_cecdeb21e041c90769b8fd8431fa87943461c1f7faa5ad15918524b91ba5c792" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -58323,7 +58323,7 @@ rule ELASTIC_Windows_Ransomware_Thanos_A6C09942 : BETA FILE MEMORY $b2 = { 01 0E 0E 05 00 02 0E 0E 0E 04 00 01 01 0E 04 00 01 0E 0E 06 00 03 01 0E 0E 0E 80 90 55 00 30 00 39 00 47 00 56 00 46 00 64 00 42 00 55 00 6B 00 56 00 63 00 54 00 57 00 6C 00 6A 00 63 00 6D 00 39 00 7A 00 62 00 32 00 5A 00 30 00 58 00 46 00 64 00 70 00 62 00 6D 00 52 00 76 00 64 00 33 00 4D 00 67 00 54 00 6C 00 52 00 63 00 51 00 33 00 56 00 79 00 63 00 6D 00 56 00 75 00 64 00 46 00 5A 00 6C 00 63 00 6E 00 4E 00 70 00 62 00 32 00 35 00 63 00 56 00 32 00 6C 00 } condition: - 1 of ($b*) + 1 of ( $b* ) } rule ELASTIC_Windows_Ransomware_Thanos_E19Feca1 : BETA FILE MEMORY { 
@@ -58334,9 +58334,9 @@ rule ELASTIC_Windows_Ransomware_Thanos_E19Feca1 : BETA FILE MEMORY date = "2020-11-03" modified = "2021-08-23" reference = "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Thanos.yar#L46-L77" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "1f5a69b6749e887a5576843abb83388d5364e47601cf11fcac594008ace8e973" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Thanos.yar#L46-L77" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_1f5a69b6749e887a5576843abb83388d5364e47601cf11fcac594008ace8e973" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -58364,7 +58364,7 @@ rule ELASTIC_Windows_Ransomware_Thanos_E19Feca1 : BETA FILE MEMORY $b9 = "c3RvcCBjY0V2dE1nciAveQ==" wide fullword condition: - (4 of ($a*)) or (3 of ($b*)) + (4 of ( $a* ) ) or ( 3 of ( $b* ) ) } rule ELASTIC_Windows_Hacktool_Godpotato_5F1Aad81 : FILE MEMORY { 
@@ -58375,10 +58375,10 @@ rule ELASTIC_Windows_Hacktool_Godpotato_5F1Aad81 : FILE MEMORY date = "2024-06-24" modified = "2024-07-02" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_GodPotato.yar#L1-L28" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_GodPotato.yar#L1-L28" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00171bb6e9e4a9b8601e988a8c4ac6f5413e31e1b6d86d24b0b53520cd02184c" - logic_hash = "3028c84a616d47b37b4ef2d41d35ccef5121c06aa042096bca8ea53b528a1eb9" + logic_hash = "v1_sha256_3028c84a616d47b37b4ef2d41d35ccef5121c06aa042096bca8ea53b528a1eb9" score = 75 quality = 25 tags = "FILE, MEMORY" 
@@ -58413,10 +58413,10 @@ rule ELASTIC_Windows_Trojan_Xworm_732E6C12 : FILE MEMORY date = "2023-04-03" modified = "2024-10-15" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_XWorm.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_XWorm.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bf5ea8d5fd573abb86de0f27e64df194e7f9efbaadd5063dee8ff9c5c3baeaa2" - logic_hash = "6aa72029eeeb2edd2472bf0db80b9c0ae4033d7d977cbee75ac94414d1cdff7a" + logic_hash = "v1_sha256_6aa72029eeeb2edd2472bf0db80b9c0ae4033d7d977cbee75ac94414d1cdff7a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58448,10 +58448,10 @@ rule ELASTIC_Windows_Trojan_Xworm_B7D6Eaa8 : FILE MEMORY date = "2024-09-10" modified = "2024-10-15" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_XWorm.yar#L27-L50" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_XWorm.yar#L27-L50" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6fc4ff3f025545f7e092408b035066c1138253b972a2e9ef178e871d36f03acd" - logic_hash = "6a9da68dd1475974e71043a0e5a51d70762473c385d6acef34945019c7016b02" + logic_hash = "v1_sha256_6a9da68dd1475974e71043a0e5a51d70762473c385d6acef34945019c7016b02" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58482,10 +58482,10 @@ rule ELASTIC_Windows_Trojan_Xworm_7078E1C8 : FILE MEMORY date = "2024-10-10" modified = "2024-10-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_XWorm.yar#L52-L70" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_XWorm.yar#L52-L70" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "034c8a18c15521069af36595357d9c8413a33544af8d3ea5f0ac7d471841e0ec" - logic_hash = "4c69648e4a68c8c46cf435f4dcac79176a023d8cd7209f9fa6a6b244797c66f3" + logic_hash = "v1_sha256_4c69648e4a68c8c46cf435f4dcac79176a023d8cd7209f9fa6a6b244797c66f3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58511,10 +58511,10 @@ rule ELASTIC_Windows_Backdoor_Teamviewer_Df8E7326 : FILE MEMORY date = "2022-10-29" modified = "2022-12-20" reference = "https://vms.drweb.com/virus/?i=8172096" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Backdoor_TeamViewer.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Backdoor_TeamViewer.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "68d9ffb6e00c2694d0d827108d0410d5a66d4f8cf839afddd17c5887b0149350" - logic_hash = "3d42c76626c76959e450a81001c73d8d47b52789cab324e0cc7af09303c1367d" + logic_hash = "v1_sha256_3d42c76626c76959e450a81001c73d8d47b52789cab324e0cc7af09303c1367d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58534,7 +58534,7 @@ rule ELASTIC_Windows_Backdoor_Teamviewer_Df8E7326 : FILE MEMORY $b1 = { 55 8B EC 56 E8 BF 25 00 00 50 E8 7B 5B 00 00 8B F0 59 85 F6 75 2C 8B 75 08 56 E8 A9 25 00 00 50 } condition: - 5 of ($a*) or 1 of ($b*) + 5 of ( $a* ) or 1 of ( $b* ) } rule ELASTIC_Linux_Ransomware_Agenda_4562A654 : FILE MEMORY { 
@@ -58545,10 +58545,10 @@ rule ELASTIC_Linux_Ransomware_Agenda_4562A654 : FILE MEMORY date = "2024-09-12" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Agenda.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Agenda.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cd27a31e618fe93df37603e5ece3352a91f27671ee73bdc8ce9ad793cad72a0f" - logic_hash = "9e9adad7640cda1142c31e801d1473e4ddb84574ce1bb1694e40d96850fcb815" + logic_hash = "v1_sha256_9e9adad7640cda1142c31e801d1473e4ddb84574ce1bb1694e40d96850fcb815" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58577,10 +58577,10 @@ rule ELASTIC_Macos_Trojan_Kandykorn_A7Bb6944 : FILE MEMORY date = "2023-10-23" modified = "2023-10-23" reference = "https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_KandyKorn.yar#L1-L29" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_KandyKorn.yar#L1-L29" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "51dd4efcf714e64b4ad472ea556bf1a017f40a193a647b9e28bf356979651077" - logic_hash = "65decd519dee947894dd684c52d91202ebe5587acfecc0b8b56cd73f2981e387" + logic_hash = "v1_sha256_65decd519dee947894dd684c52d91202ebe5587acfecc0b8b56cd73f2981e387" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58604,7 +58604,7 @@ rule ELASTIC_Macos_Trojan_Kandykorn_A7Bb6944 : FILE MEMORY $rc4_key = { D9 F9 36 CE 62 8C 3E 5D 9B 36 95 69 4D 1C DE 79 E4 70 E9 38 06 4D 98 FB F4 EF 98 0A 55 58 D1 C9 0C 7E 65 0C 23 62 A2 1B 91 4A BD 17 3A BA 5C 0E 58 37 C4 7B 89 F7 4C 5B 23 A7 29 4C C1 CF D1 1B } condition: - 4 of ($str*) or 3 of ($seq*) or $rc4_key + 4 of ( $str* ) or 3 of ( $seq* ) or $rc4_key } rule ELASTIC_Windows_Trojan_Quasarrat_E52Df647 : FILE MEMORY { 
@@ -58615,10 +58615,10 @@ rule ELASTIC_Windows_Trojan_Quasarrat_E52Df647 : FILE MEMORY date = "2021-06-27" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Quasarrat.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Quasarrat.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d" - logic_hash = "41f32e0c9b3b43d10baef10060e064ad860558bcdeb4281a30d30c16615ed21d" + logic_hash = "v1_sha256_41f32e0c9b3b43d10baef10060e064ad860558bcdeb4281a30d30c16615ed21d" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -58648,10 +58648,10 @@ rule ELASTIC_Windows_Trojan_Sourshark_F0247Cce : FILE MEMORY date = "2024-06-04" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SourShark.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SourShark.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "07eb88c69437ee6e3ea2fbab5f2fbd8e846125d18c1da7d72bb462e9d083c9fc" - logic_hash = "0c5d802b5bfc771bdf5df541b18c7ab9de4f420fd3928bfd85b1a71cca2af1bc" + logic_hash = "v1_sha256_0c5d802b5bfc771bdf5df541b18c7ab9de4f420fd3928bfd85b1a71cca2af1bc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58679,10 +58679,10 @@ rule ELASTIC_Windows_Trojan_Sourshark_Adee8A17 : FILE MEMORY date = "2024-06-04" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SourShark.yar#L23-L41" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SourShark.yar#L23-L41" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "07eb88c69437ee6e3ea2fbab5f2fbd8e846125d18c1da7d72bb462e9d083c9fc" - logic_hash = "98a4d31849a1828c2154b5032a81580f5dcc8d4a65b96dea3a727e2a82a51666" + logic_hash = "v1_sha256_98a4d31849a1828c2154b5032a81580f5dcc8d4a65b96dea3a727e2a82a51666" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58708,10 +58708,10 @@ rule ELASTIC_Windows_Shellcode_Rdi_Edc62A10 : FILE MEMORY date = "2023-06-23" modified = "2023-07-10" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Shellcode_Rdi.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Shellcode_Rdi.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "64485ffc283e981c8b77db5a675c7ba2a04d3effaced522531185aa46eb6a36b" - logic_hash = "986cb6c28d2d9767a2fd084fdd71edb7a1c36e78ddedf3c562076cf6f5b5afd1" + logic_hash = "v1_sha256_986cb6c28d2d9767a2fd084fdd71edb7a1c36e78ddedf3c562076cf6f5b5afd1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58737,10 +58737,10 @@ rule ELASTIC_Windows_Shellcode_Rdi_Eee75D2C : FILE MEMORY date = "2023-08-25" modified = "2023-11-02" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Shellcode_Rdi.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Shellcode_Rdi.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8c4de69e89dcc659d2fff52d695764f1efd7e64e0a80983ce6d0cb9eeddb806c" - logic_hash = "18cd9be4af210686872610f832ac0ad58a48588a1226fc6093348ceb8371c6b4" + logic_hash = "v1_sha256_18cd9be4af210686872610f832ac0ad58a48588a1226fc6093348ceb8371c6b4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58766,10 +58766,10 @@ rule ELASTIC_Linux_Hacktool_Ligolong_027C0134 : FILE MEMORY date = "2024-09-20" modified = "2024-11-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_LigoloNG.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_LigoloNG.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "eda6037bda3ccf6bbbaf105be0826669d5c4ac205273fefe103d8c648271de54" - logic_hash = "a6f3c1f4c044765d841992758f451666e8bf5225e1a9f02925619c99fe8e03cb" + logic_hash = "v1_sha256_a6f3c1f4c044765d841992758f451666e8bf5225e1a9f02925619c99fe8e03cb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58797,9 +58797,9 @@ rule ELASTIC_Linux_Trojan_Xorddos_2Aef46A6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d2c88774eb5227cf2d133644c648ebe5ba40c7e0acb2b432bc6a1a9da10bfb3f" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d2c88774eb5227cf2d133644c648ebe5ba40c7e0acb2b432bc6a1a9da10bfb3f" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -58825,10 +58825,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_A6572D63 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L20-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L20-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2ff33adb421a166895c3816d506a63dff4e1e8fa91f2ac8fb763dc6e8df59d6e" - logic_hash = "237392fe51c8528cb5ed446facfcd3535b8e1d594d77a542361873bd52426fa7" + logic_hash = "v1_sha256_237392fe51c8528cb5ed446facfcd3535b8e1d594d77a542361873bd52426fa7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58854,9 +58854,9 @@ rule ELASTIC_Linux_Trojan_Xorddos_E41143E1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L40-L57" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "4564bf2019ff5086071ff147c9cf1e16b8627ce5d70cbe8370aecbd518d94b57" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L40-L57" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_4564bf2019ff5086071ff147c9cf1e16b8627ce5d70cbe8370aecbd518d94b57" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58882,10 +58882,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_0Eb147Ca : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L59-L77" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L59-L77" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "45f25d2ffa2fc2566ed0eab6bdaf6989006315bbbbc591288be39b65abf2410b" - logic_hash = "b20479af0767e5e8579489b5298648b9cc84b3e0778f58d8dc9deb252d0f4806" + logic_hash = "v1_sha256_b20479af0767e5e8579489b5298648b9cc84b3e0778f58d8dc9deb252d0f4806" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58911,10 +58911,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_Ba961Ed2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L79-L97" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L79-L97" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "45f25d2ffa2fc2566ed0eab6bdaf6989006315bbbbc591288be39b65abf2410b" - logic_hash = "5b486c698c9c61dc126be5dbeea862b1f9bb5a6859c02a0fff125a9890147a6b" + logic_hash = "v1_sha256_5b486c698c9c61dc126be5dbeea862b1f9bb5a6859c02a0fff125a9890147a6b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58940,9 +58940,9 @@ rule ELASTIC_Linux_Trojan_Xorddos_2084099A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L99-L116" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "6674be1438ec290550c9586afda335755279a4aedadde455ffc0b41d1a0e634d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L99-L116" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_6674be1438ec290550c9586afda335755279a4aedadde455ffc0b41d1a0e634d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58968,10 +58968,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_61C88137 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L118-L136" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L118-L136" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "479ef38fa00bb13a3aa8448aa4a4434613c6729975e193eec29fc5047f339111" - logic_hash = "e999355606ee7389be160ce3e96c6a62d7f9132b95cfec7d9f8b1a670551e6b8" + logic_hash = "v1_sha256_e999355606ee7389be160ce3e96c6a62d7f9132b95cfec7d9f8b1a670551e6b8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58997,10 +58997,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_Debb98A1 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L138-L156" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L138-L156" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "494f549e3dd144e8bcb230dd7b3faa8ff5107d86d9548b21b619a0318e362cad" - logic_hash = "c2e43818fcf18d34a6a3611aaaafde31d96b41867d15dfdb1dec20203f5907eb" + logic_hash = "v1_sha256_c2e43818fcf18d34a6a3611aaaafde31d96b41867d15dfdb1dec20203f5907eb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59026,10 +59026,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_1D6E10Fd : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L158-L176" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L158-L176" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4c7851316f01ae84ee64165be3ba910ab9b415d7f0e2f5b7e5c5a0eaefa3c287" - logic_hash = "01ec1af1ca03173e867113c3bec7911990a0c8c2d9f19b5233715a7f7490f5f1" + logic_hash = "v1_sha256_01ec1af1ca03173e867113c3bec7911990a0c8c2d9f19b5233715a7f7490f5f1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59055,10 +59055,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_E3Ffbbcc : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L178-L196" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L178-L196" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "28b7ddf2548411910af033b41982cdc74efd8a6ef059a54fda1b6cbd59faa8f6" - logic_hash = "54711c2d3e6d73cf4358ba4a65cb19d996adcfa905c0089a18a61fe841fe9a34" + logic_hash = "v1_sha256_54711c2d3e6d73cf4358ba4a65cb19d996adcfa905c0089a18a61fe841fe9a34" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59084,10 +59084,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_30F3B4D4 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L198-L216" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L198-L216" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5b15d43d3535965ec9b84334cf9def0e8c3d064ffc022f6890320cd6045175bc" - logic_hash = "99efc257ff2afb779304451bd9f6f6ce9e88f54954189601ed10e95e2268dd4f" + logic_hash = "v1_sha256_99efc257ff2afb779304451bd9f6f6ce9e88f54954189601ed10e95e2268dd4f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59113,10 +59113,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_Ca75589C : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L218-L236" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L218-L236" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0448c1b2c7c738404ba11ff4b38cdc8f865ccf1e202f6711345da53ce46e7e16" - logic_hash = "c717e6f85a5b30514803ba43c85d82e2aaa4533b7f74db5345df83d1cc4c6551" + logic_hash = "v1_sha256_c717e6f85a5b30514803ba43c85d82e2aaa4533b7f74db5345df83d1cc4c6551" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59142,10 +59142,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_7909Cdd2 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L238-L256" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L238-L256" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0a4a5874f43adbe71da88dc0ef124f1bf2f4e70d0b1b5461b2788587445f79d9" - logic_hash = "4b2557ab78d22ae4f46e5813ba5dc4663cd92b945a1add3155f77d3030ccc92d" + logic_hash = "v1_sha256_4b2557ab78d22ae4f46e5813ba5dc4663cd92b945a1add3155f77d3030ccc92d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59171,10 +59171,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_2522D611 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L258-L276" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L258-L276" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0c2be53e298c285db8b028f563e97bf1cdced0c4564a34e740289b340db2aac1" - logic_hash = "59f2552809bc48e16719cb9b4d2a7b99999307803fce031ca39eb24e14b88908" + logic_hash = "v1_sha256_59f2552809bc48e16719cb9b4d2a7b99999307803fce031ca39eb24e14b88908" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59200,10 +59200,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_56Bd04D3 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L278-L296" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L278-L296" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0d2ce3891851808fb36779a348a83bf4aa9de1a2b2684fd0692434682afac5ec" - logic_hash = "47a33fcd69dd78cbc6c3274aeaa8dddabe119ae65b59077e1807657b8a67fed3" + logic_hash = "v1_sha256_47a33fcd69dd78cbc6c3274aeaa8dddabe119ae65b59077e1807657b8a67fed3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59229,10 +59229,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_F412E4B4 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L298-L316" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L298-L316" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0e3a3f7973f747fcb23c72289116659c7f158c604d937d6ca7302fbab71851e9" - logic_hash = "b4e1b193e80aa88b91255df3a5f2e45de7f23fdba4a28d3ceb12db63098e70e5" + logic_hash = "v1_sha256_b4e1b193e80aa88b91255df3a5f2e45de7f23fdba4a28d3ceb12db63098e70e5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59258,10 +59258,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_71F8E26C : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L318-L336" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L318-L336" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "13f873f83b84a0d38eb3437102f174f24a0ad3c5a53b83f0ee51c62c29fb1465" - logic_hash = "f9f2f22acd4f52cc313e3ecf425604651e0b8c78e33480d4d05bae5b8c9661fb" + logic_hash = "v1_sha256_f9f2f22acd4f52cc313e3ecf425604651e0b8c78e33480d4d05bae5b8c9661fb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59287,10 +59287,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_1A562D3B : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L338-L356" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L338-L356" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "15731db615b32c49c34f41fe84944eeaf2fc79dafaaa9ad6bf1b07d26482f055" - logic_hash = "8d3b369bdcecd675f99cedf26dba202256555be0f5feae612404f9b5e109fa93" + logic_hash = "v1_sha256_8d3b369bdcecd675f99cedf26dba202256555be0f5feae612404f9b5e109fa93" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59316,10 +59316,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_410256Ac : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L358-L376" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L358-L376" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "15f44e10ece90dec1a6104d5be1effefa17614d9f0cfb2784305dab85367b741" - logic_hash = "88227af6d2f365b761961bdf4b94bed81bca79e23d546e69900faa17c3e4dc71" + logic_hash = "v1_sha256_88227af6d2f365b761961bdf4b94bed81bca79e23d546e69900faa17c3e4dc71" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59345,10 +59345,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_93Fa87F1 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L378-L396" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L378-L396" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "165b4a28fd6335d4e4dfefb6c40f41f16d8c7d9ab0941ccd23e36cda931f715e" - logic_hash = "2a1e797d4dd2599b5c67e73e3c909a1803e604edf0b6ba228713ee375ccc9b16" + logic_hash = "v1_sha256_2a1e797d4dd2599b5c67e73e3c909a1803e604edf0b6ba228713ee375ccc9b16" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59374,10 +59374,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_8677Dca3 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L398-L416" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L398-L416" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "23813dc4aa56683e1426e5823adc3aab854469c9c0f3ec1a3fad40fa906929f2" - logic_hash = "9902758dfb61e8b60b281f3f51cda8a10d58eb0cc20743f97998d7bcf120c299" + logic_hash = "v1_sha256_9902758dfb61e8b60b281f3f51cda8a10d58eb0cc20743f97998d7bcf120c299" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59403,10 +59403,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_Ebce4304 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L418-L436" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L418-L436" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2e06caf864595f2df7f6936bb1ccaa1e0cae325aee8659ee283b2857e6ef1e5b" - logic_hash = "42fbfc2c2636c2e3a5da5e51c6bf99f6114ec7d00b88371a34e1fdbe81d1264a" + logic_hash = "v1_sha256_42fbfc2c2636c2e3a5da5e51c6bf99f6114ec7d00b88371a34e1fdbe81d1264a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59432,10 +59432,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_073E6161 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L438-L456" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L438-L456" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2e06caf864595f2df7f6936bb1ccaa1e0cae325aee8659ee283b2857e6ef1e5b" - logic_hash = "2c98058add77c55ab68491eec041d7670f726a9ec93258ae7bb8f0e6721b4ca3" + logic_hash = "v1_sha256_2c98058add77c55ab68491eec041d7670f726a9ec93258ae7bb8f0e6721b4ca3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59461,10 +59461,10 @@ rule ELASTIC_Linux_Trojan_Xorddos_Bef22375 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xorddos.yar#L458-L476" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xorddos.yar#L458-L476" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f47baf48deb71910716beab9da1b1e24dc6de9575963e238735b6bcedfe73122" - logic_hash = "3991ebdb310338516d5fdd137ba2ac63dc870337785a31d59dcad49135f190e5" + logic_hash = "v1_sha256_3991ebdb310338516d5fdd137ba2ac63dc870337785a31d59dcad49135f190e5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59490,10 +59490,10 @@ rule ELASTIC_Windows_Trojan_Dodgebox_095012D2 : FILE MEMORY date = "2024-07-11" modified = "2024-07-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DodgeBox.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DodgeBox.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db" - logic_hash = "f1fe9b05deaebaddd83dda0ad98602b49682f8ba767de8c0ffad761d344c5115" + logic_hash = "v1_sha256_f1fe9b05deaebaddd83dda0ad98602b49682f8ba767de8c0ffad761d344c5115" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59523,10 +59523,10 @@ rule ELASTIC_Windows_Trojan_Systembc_5E883723 : FILE MEMORY date = "2022-03-22" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SystemBC.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SystemBC.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b432805eb6b2b58dd957481aa8a973be58915c26c04630ce395753c6a5196b14" - logic_hash = "fde2e0b5debd4d26838fb245fdf8e5103ab5aab9feff900cbba00c1950adc61a" + logic_hash = "v1_sha256_fde2e0b5debd4d26838fb245fdf8e5103ab5aab9feff900cbba00c1950adc61a" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -59557,10 +59557,10 @@ rule ELASTIC_Windows_Trojan_Systembc_C1B58C2F : FILE MEMORY date = "2024-05-02" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SystemBC.yar#L26-L49" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SystemBC.yar#L26-L49" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "016fc1db90d9d18fe25ed380606346ef12b886e1db0d80fe58c22da23f6d677d" - logic_hash = "16ed14dac0c30500c5e91759b0a1b321f3bd53ae6aab1389a685582eba72c222" + logic_hash = "v1_sha256_16ed14dac0c30500c5e91759b0a1b321f3bd53ae6aab1389a685582eba72c222" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59591,10 +59591,10 @@ rule ELASTIC_Linux_Trojan_Xhide_7F0A131B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xhide.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xhide.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0dc35f1a1fe1c59e454cd5645f3a6220b7d85661437253a3e627eed04eca2560" - logic_hash = "4843042576d1f4f37b5a7cda1b261831030d9145c49b57e9b4c66e2658cc8cf9" + logic_hash = "v1_sha256_4843042576d1f4f37b5a7cda1b261831030d9145c49b57e9b4c66e2658cc8cf9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59620,10 +59620,10 @@ rule ELASTIC_Linux_Trojan_Xhide_Cd8489F7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xhide.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xhide.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0dc35f1a1fe1c59e454cd5645f3a6220b7d85661437253a3e627eed04eca2560" - logic_hash = "34924260c811f1796ae37faec922bc21bb312ebb0672042d3ec27855f63ed61e" + logic_hash = "v1_sha256_34924260c811f1796ae37faec922bc21bb312ebb0672042d3ec27855f63ed61e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59649,10 +59649,10 @@ rule ELASTIC_Linux_Trojan_Xhide_840B27C7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xhide.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xhide.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0dc35f1a1fe1c59e454cd5645f3a6220b7d85661437253a3e627eed04eca2560" - logic_hash = "6b0bfe69558399af6e0469a31741dcf2eb91fbe3e130267139240d3458eb8a0d" + logic_hash = "v1_sha256_6b0bfe69558399af6e0469a31741dcf2eb91fbe3e130267139240d3458eb8a0d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59678,10 +59678,10 @@ rule ELASTIC_Linux_Hacktool_Prochide_7333221A : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Prochide.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Prochide.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fad956a6a38abac8a8a0f14cc50f473ec6fc1c9fd204e235b89523183931090b" - logic_hash = "413f19744240eae0a87d56da1e524e2afa0fe0ec385bd9369218713b13a93495" + logic_hash = "v1_sha256_413f19744240eae0a87d56da1e524e2afa0fe0ec385bd9369218713b13a93495" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59707,10 +59707,10 @@ rule ELASTIC_Linux_Trojan_Sfloost_69A5343A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sfloost.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sfloost.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c0cd73db5165671c7bbd9493c34d693d25b845a9a21706081e1bf44bf0312ef9" - logic_hash = "bd3cd33d02c7ca1d3a0364e5e3e2f968f32da8f087f744232f3cb786da6c7875" + logic_hash = "v1_sha256_bd3cd33d02c7ca1d3a0364e5e3e2f968f32da8f087f744232f3cb786da6c7875" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59736,10 +59736,10 @@ rule ELASTIC_Linux_Trojan_Iroffer_53692410 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Iroffer.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Iroffer.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e76508141970efb3e4709bcff83772da9b10169c599e13e58432257a7bb2defa" - logic_hash = "b8aa25fbde4d9ca36656f583e7601118a06e57703862c8b28b273881eef504fe" + logic_hash = "v1_sha256_b8aa25fbde4d9ca36656f583e7601118a06e57703862c8b28b273881eef504fe" score = 60 quality = 23 tags = "FILE, MEMORY" 
@@ -59765,10 +59765,10 @@ rule ELASTIC_Linux_Trojan_Iroffer_013E07De : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Iroffer.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Iroffer.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e76508141970efb3e4709bcff83772da9b10169c599e13e58432257a7bb2defa" - logic_hash = "ce21de61f94d41aa3abb73b9391a4d9c8ddeea75f1a2b36be58111b70a9590fe" + logic_hash = "v1_sha256_ce21de61f94d41aa3abb73b9391a4d9c8ddeea75f1a2b36be58111b70a9590fe" score = 60 quality = 25 tags = "FILE, MEMORY" 
@@ -59794,10 +59794,10 @@ rule ELASTIC_Linux_Trojan_Iroffer_0De95Cab : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Iroffer.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Iroffer.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "717bea3902109d1b1d57e57c26b81442c0705af774139cd73105b2994ab89514" - logic_hash = "adec3e1d3110bcc22262d5f1f2ad14a347616f4a809f29170a9fbb5d1669a4c3" + logic_hash = "v1_sha256_adec3e1d3110bcc22262d5f1f2ad14a347616f4a809f29170a9fbb5d1669a4c3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59823,10 +59823,10 @@ rule ELASTIC_Linux_Trojan_Iroffer_711259E4 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Iroffer.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Iroffer.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e76508141970efb3e4709bcff83772da9b10169c599e13e58432257a7bb2defa" - logic_hash = "a71dbb979bc1f7671ab9958b6aa502e6ded4ee1c1b026080fd377eb772ebb1d5" + logic_hash = "v1_sha256_a71dbb979bc1f7671ab9958b6aa502e6ded4ee1c1b026080fd377eb772ebb1d5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59852,10 +59852,10 @@ rule ELASTIC_Linux_Trojan_Iroffer_7478Ddd9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Iroffer.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Iroffer.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "20e1509c23d7ef14b15823e4c56b9a590e70c5b7960a04e94b662fc34152266c" - logic_hash = "e650ee830b735a11088b628e865cd40a15054437ca05849f2eaa7838eac152e3" + logic_hash = "v1_sha256_e650ee830b735a11088b628e865cd40a15054437ca05849f2eaa7838eac152e3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59881,10 +59881,10 @@ rule ELASTIC_Windows_Vulndriver_Lha_F72Bff9A : FILE
 date = "2022-04-07"
 modified = "2022-04-07"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Lha.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Lha.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf"
- logic_hash = "cea05432b47cf14982bda74476c8c8582068c22fe7dec6468c9756c20412dca2"
+ logic_hash = "v1_sha256_cea05432b47cf14982bda74476c8c8582068c22fe7dec6468c9756c20412dca2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -59900,7 +59900,7 @@ rule ELASTIC_Windows_Vulndriver_Lha_F72Bff9A : FILE
 $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 4C 00 48 00 41 00 2E 00 73 00 79 00 73 00 00 00 }
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name
 }
 rule ELASTIC_Linux_Worm_Generic_920D273F : FILE MEMORY
 {
@@ -59911,10 +59911,10 @@ rule ELASTIC_Linux_Worm_Generic_920D273F : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Worm_Generic.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Worm_Generic.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "04a65bc73fab91f654d448b2d7f8f15ac782965dcdeec586e20b5c7a8cc42d73"
- logic_hash = "d0ed260857ae3002483ea7ef242b82514caaa95c2700b39dd0a03d39fdde090d"
+ logic_hash = "v1_sha256_d0ed260857ae3002483ea7ef242b82514caaa95c2700b39dd0a03d39fdde090d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -59940,10 +59940,10 @@ rule ELASTIC_Linux_Worm_Generic_98Efcd38 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Worm_Generic.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Worm_Generic.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "87507f5cd73fffdb264d76db9b75f30fe21cc113bcf82c524c5386b5a380d4bb"
- logic_hash = "c1a130d2ef8d09cb28adc4e347cbd1a083c78241752ecf3f935b03d774d00a81"
+ logic_hash = "v1_sha256_c1a130d2ef8d09cb28adc4e347cbd1a083c78241752ecf3f935b03d774d00a81"
 score = 60
 quality = 25
 tags = "FILE, MEMORY"
@@ -59969,10 +59969,10 @@ rule ELASTIC_Linux_Worm_Generic_Bd64472E : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Worm_Generic.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Worm_Generic.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b3334a3b61b1a3fc14763dc3d590100ed5e85a97493c89b499b02b76f7a0a7d0"
- logic_hash = "9a7267a0ebc1073d0b1f81a61b963642cc816b563b43ff4d9508dd8bc195a0e1"
+ logic_hash = "v1_sha256_9a7267a0ebc1073d0b1f81a61b963642cc816b563b43ff4d9508dd8bc195a0e1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -59998,10 +59998,10 @@ rule ELASTIC_Linux_Worm_Generic_3Ff8F75B : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Worm_Generic.yar#L61-L79"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Worm_Generic.yar#L61-L79"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "991175a96b719982f3a846df4a66161a02225c21b12a879e233e19124e90bd35"
- logic_hash = "798e98f286201f1cda18bf1bf433826cf8a949b584f016b24a684425069d1024"
+ logic_hash = "v1_sha256_798e98f286201f1cda18bf1bf433826cf8a949b584f016b24a684425069d1024"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60027,10 +60027,10 @@ rule ELASTIC_Windows_Vulndriver_Asio_5F9F29Be : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_AsIo.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_AsIo.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15"
- logic_hash = "a901d81737c7e6d00e87f0eec758dd063eade59d9883e85e04a33bb18f2f99de"
+ logic_hash = "v1_sha256_a901d81737c7e6d00e87f0eec758dd063eade59d9883e85e04a33bb18f2f99de"
 score = 75
 quality = 75
 tags = "FILE"
@@ -60045,7 +60045,7 @@ rule ELASTIC_Windows_Vulndriver_Asio_5F9F29Be : FILE
 $str1 = "\\AsIO.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Linux_Trojan_Zpevdo_7F563544 : FILE MEMORY
 {
@@ -60056,9 +60056,9 @@ rule ELASTIC_Linux_Trojan_Zpevdo_7F563544 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Zpevdo.yar#L1-L18"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "9cbbb5a9166184cef630d1aba8fec721f676b868d22b1f96ffc1430e98ae974c"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Zpevdo.yar#L1-L18"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_9cbbb5a9166184cef630d1aba8fec721f676b868d22b1f96ffc1430e98ae974c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60084,10 +60084,10 @@ rule ELASTIC_Linux_Cryptominer_Miancha_646803Ef : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Miancha.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Miancha.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4c7761c9376ed065887dc6ce852491641419eb2d1f393c37ed0a5cb29bd108d4"
- logic_hash = "8fd386c0e7037565e8ab206642cc8c11f05ca727b365b94ffdd991f4bed95556"
+ logic_hash = "v1_sha256_8fd386c0e7037565e8ab206642cc8c11f05ca727b365b94ffdd991f4bed95556"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60113,10 +60113,10 @@ rule ELASTIC_Windows_Trojan_Babble_0D6C9505 : FILE MEMORY
 date = "2024-11-18"
 modified = "2024-11-26"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Babble.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Babble.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fa292bfcf81223bab0f79d4ce08187e37d68960005629df0241ea22f0b95d7a8"
- logic_hash = "e77a2e865e0a13bf2b5445e21d85d21fb0d1f816ac5c315cefda98cbb6cb7cca"
+ logic_hash = "v1_sha256_e77a2e865e0a13bf2b5445e21d85d21fb0d1f816ac5c315cefda98cbb6cb7cca"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60143,10 +60143,10 @@ rule ELASTIC_Windows_Infostealer_Strela_0Dc3E4A1 : MEMORY
 date = "2024-03-25"
 modified = "2024-09-30"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Infostealer_Strela.yar#L1-L25"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Infostealer_Strela.yar#L1-L25"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1"
- logic_hash = "ac1b53f2857fd13ba0e33aa94c65f0d5fa22b76d504fff347b3ff0a53f37ee26"
+ logic_hash = "v1_sha256_ac1b53f2857fd13ba0e33aa94c65f0d5fa22b76d504fff347b3ff0a53f37ee26"
 score = 75
 quality = 75
 tags = "MEMORY"
@@ -60167,7 +60167,7 @@ rule ELASTIC_Windows_Infostealer_Strela_0Dc3E4A1 : MEMORY
 $old_pdb = "Projects\\StrelaDLLCompile\\Release\\StrelaDLLCompile.pdb" fullword
 condition:
- 3 of ($s*) or $old_pdb
+ 3 of ( $s* ) or $old_pdb
 }
 rule ELASTIC_Windows_Virus_Expiro_84E99Ff0 : FILE MEMORY
 {
@@ -60178,10 +60178,10 @@ rule ELASTIC_Windows_Virus_Expiro_84E99Ff0 : FILE MEMORY
 date = "2023-09-26"
 modified = "2023-11-02"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Virus_Expiro.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Virus_Expiro.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "47107836ead700bddbe9e8a0c016b5b1443c785442b2addbb50a70445779bad7"
- logic_hash = "ce4847bf5850c1f30dca9603bfbbfbb69339285f096ac469c6d2d4b04f5562b4"
+ logic_hash = "v1_sha256_ce4847bf5850c1f30dca9603bfbbfbb69339285f096ac469c6d2d4b04f5562b4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60208,10 +60208,10 @@ rule ELASTIC_Windows_Virus_Neshta_2A5A14C8 : FILE MEMORY
 date = "2024-01-22"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Virus_Neshta.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Virus_Neshta.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f298214764ee9ab690cb4b376d8a7893edcd9c05a3c4e6f3a56010974a130bd7"
- logic_hash = "0b5d0603f4c20a2368f697dd84cfe1790a5d0e5904c76066601c9e3d1b5ed1e1"
+ logic_hash = "v1_sha256_0b5d0603f4c20a2368f697dd84cfe1790a5d0e5904c76066601c9e3d1b5ed1e1"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -60238,9 +60238,9 @@ rule ELASTIC_Windows_Trojan_Powerseal_D63F5E54 : FILE MEMORY
 date = "2023-03-16"
 modified = "2023-05-26"
 reference = "https://www.elastic.co/security-labs/elastic-charms-spectralviper"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PowerSeal.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "523dcff68a51ea8fb022066b5f09394e8174d6c157222a08100de30669898057"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PowerSeal.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_523dcff68a51ea8fb022066b5f09394e8174d6c157222a08100de30669898057"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60269,9 +60269,9 @@ rule ELASTIC_Windows_Trojan_Powerseal_2E50F393 : FILE MEMORY
 date = "2023-05-10"
 modified = "2023-06-13"
 reference = "https://www.elastic.co/security-labs/elastic-charms-spectralviper"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PowerSeal.yar#L24-L44"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "3ca1d4568fea7b2e4e9d30ba03662a2c28ee8623d887a0336e27989b5c98b55f"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PowerSeal.yar#L24-L44"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_3ca1d4568fea7b2e4e9d30ba03662a2c28ee8623d887a0336e27989b5c98b55f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60299,10 +60299,10 @@ rule ELASTIC_Windows_Vulndriver_Powertool_044A8645 : FILE
 date = "2022-04-07"
 modified = "2022-04-07"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_PowerTool.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_PowerTool.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c"
- logic_hash = "b21c16cb72d003c505aa0ac4cc21b92513a100bad6870460090994c02cad875a"
+ logic_hash = "v1_sha256_b21c16cb72d003c505aa0ac4cc21b92513a100bad6870460090994c02cad875a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -60318,7 +60318,7 @@ rule ELASTIC_Windows_Vulndriver_Powertool_044A8645 : FILE
 $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 6B 00 45 00 76 00 50 00 36 00 34 00 2E 00 73 00 79 00 73 00 00 00 }
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name
 }
 rule ELASTIC_Windows_Trojan_Icedid_1Cd868A6 : FILE MEMORY
 {
@@ -60329,10 +60329,10 @@ rule ELASTIC_Windows_Trojan_Icedid_1Cd868A6 : FILE MEMORY
 date = "2021-02-28"
 modified = "2021-08-23"
 reference = "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L1-L21"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L1-L21"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "68dce9f214e7691db77a2f03af16a669a3cb655699f31a6c1f5aaede041468ff"
- logic_hash = "4765b2b1d463f09d7e21367c2832b3ad668aa67d8078798a14295b6e6c846c1c"
+ logic_hash = "v1_sha256_4765b2b1d463f09d7e21367c2832b3ad668aa67d8078798a14295b6e6c846c1c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60358,10 +60358,10 @@ rule ELASTIC_Windows_Trojan_Icedid_237E9Fb6 : FILE MEMORY
 date = "2021-02-28"
 modified = "2021-08-23"
 reference = "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L23-L43"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L23-L43"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b21f9afc6443548427bf83b5f93e7a54ac3af306d9d71b8348a6f146b2819457"
- logic_hash = "31479eae077b2d78cb1770eef3b37bec941f35c9ceb329e01dd65a32e785fa74"
+ logic_hash = "v1_sha256_31479eae077b2d78cb1770eef3b37bec941f35c9ceb329e01dd65a32e785fa74"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60387,10 +60387,10 @@ rule ELASTIC_Windows_Trojan_Icedid_F1Ce2F0A : FILE MEMORY
 date = "2021-02-28"
 modified = "2021-08-23"
 reference = "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L45-L65"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L45-L65"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b21f9afc6443548427bf83b5f93e7a54ac3af306d9d71b8348a6f146b2819457"
- logic_hash = "a1f1824a7208201616dde40bea514dfc2cdf908bd8ed24b9f96c2bcad2c8107f"
+ logic_hash = "v1_sha256_a1f1824a7208201616dde40bea514dfc2cdf908bd8ed24b9f96c2bcad2c8107f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60416,10 +60416,10 @@ rule ELASTIC_Windows_Trojan_Icedid_08530E24 : FILE MEMORY
 date = "2021-03-21"
 modified = "2021-08-23"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L67-L99"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L67-L99"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "31db92c7920e82e49a968220480e9f130dea9b386083b78a79985b554ecdc6e4"
- logic_hash = "a63511edde9d873e184ddb4720b4752b0e7df4bdb2114b05c16f2ca0594eb6b8"
+ logic_hash = "v1_sha256_a63511edde9d873e184ddb4720b4752b0e7df4bdb2114b05c16f2ca0594eb6b8"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -60447,7 +60447,7 @@ rule ELASTIC_Windows_Trojan_Icedid_08530E24 : FILE MEMORY
 $b10 = "WinHttpSetStatusCallback" ascii fullword
 condition:
- all of ($a*) and 5 of ($b*)
+ all of ( $a* ) and 5 of ( $b* )
 }
 rule ELASTIC_Windows_Trojan_Icedid_11D24D35 : FILE MEMORY
 {
@@ -60458,10 +60458,10 @@ rule ELASTIC_Windows_Trojan_Icedid_11D24D35 : FILE MEMORY
 date = "2022-02-16"
 modified = "2022-04-06"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L101-L121"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L101-L121"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982"
- logic_hash = "4a5d0f37e3e80e370ae79fd45256dbd274ed8f8bcd021e8d6f95a0bc0bc5321f"
+ logic_hash = "v1_sha256_4a5d0f37e3e80e370ae79fd45256dbd274ed8f8bcd021e8d6f95a0bc0bc5321f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60477,7 +60477,7 @@ rule ELASTIC_Windows_Trojan_Icedid_11D24D35 : FILE MEMORY
 $a2 = "loader_dll_64.dll" ascii fullword
 condition:
- 1 of ($a*)
+ 1 of ( $a* )
 }
 rule ELASTIC_Windows_Trojan_Icedid_0B62E783 : FILE MEMORY
 {
@@ -60488,10 +60488,10 @@ rule ELASTIC_Windows_Trojan_Icedid_0B62E783 : FILE MEMORY
 date = "2022-04-06"
 modified = "2022-06-09"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L123-L142"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L123-L142"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a"
- logic_hash = "aca126529dfa8047ed7dfdc60d970759ab5307448d7d764f88e402cd8d2a016f"
+ logic_hash = "v1_sha256_aca126529dfa8047ed7dfdc60d970759ab5307448d7d764f88e402cd8d2a016f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60517,10 +60517,10 @@ rule ELASTIC_Windows_Trojan_Icedid_91562D18 : FILE MEMORY
 date = "2022-04-06"
 modified = "2022-06-09"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L144-L163"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L144-L163"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a"
- logic_hash = "81c87d0d6726bc2dde42fe93c77af53cdd29bb6437fe3d47d1b4550140722c88"
+ logic_hash = "v1_sha256_81c87d0d6726bc2dde42fe93c77af53cdd29bb6437fe3d47d1b4550140722c88"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60546,10 +60546,10 @@ rule ELASTIC_Windows_Trojan_Icedid_2086Aecb : FILE MEMORY
 date = "2022-04-06"
 modified = "2022-03-02"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L165-L184"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L165-L184"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a"
- logic_hash = "561bf7eacfbbf1b4e0c111347f0d6ff4325bdbce8db73bee1ba836b610569c0d"
+ logic_hash = "v1_sha256_561bf7eacfbbf1b4e0c111347f0d6ff4325bdbce8db73bee1ba836b610569c0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60575,10 +60575,10 @@ rule ELASTIC_Windows_Trojan_Icedid_48029E37 : FILE MEMORY
 date = "2022-04-06"
 modified = "2022-06-09"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L186-L205"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L186-L205"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a"
- logic_hash = "1fe337d7a0607938aaf57cf25c1373aadf315b7a8cec133d6d30a38bd58e1027"
+ logic_hash = "v1_sha256_1fe337d7a0607938aaf57cf25c1373aadf315b7a8cec133d6d30a38bd58e1027"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60604,10 +60604,10 @@ rule ELASTIC_Windows_Trojan_Icedid_56459277 : FILE MEMORY
 date = "2022-08-21"
 modified = "2023-03-02"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L207-L237"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L207-L237"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "21b1a635db2723266af4b46539f67253171399830102167c607c6dbf83d6d41c"
- logic_hash = "a18557217c69a3bb8c3da7725d2e0ed849741f8e36341a4ea80eea09d47a5b45"
+ logic_hash = "v1_sha256_a18557217c69a3bb8c3da7725d2e0ed849741f8e36341a4ea80eea09d47a5b45"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60633,7 +60633,7 @@ rule ELASTIC_Windows_Trojan_Icedid_56459277 : FILE MEMORY
 $seq_string_decrypt = { 0F B7 44 24 ?? 0F B7 4C 24 ?? 3B C1 7D ?? 8B 4C 24 ?? E8 [4] 89 44 24 ?? 0F B7 44 24 ?? 48 8B 4C 24 ?? 0F B6 04 01 0F B6 4C 24 ?? 33 C1 0F B7 4C 24 ?? 48 8B 54 24 ?? 88 04 0A EB }
 condition:
- 5 of ($str*) or 2 of ($seq_*)
+ 5 of ( $str* ) or 2 of ( $seq_* )
 }
 rule ELASTIC_Windows_Trojan_Icedid_7C1619E3 : FILE MEMORY
 {
@@ -60644,10 +60644,10 @@ rule ELASTIC_Windows_Trojan_Icedid_7C1619E3 : FILE MEMORY
 date = "2022-12-20"
 modified = "2023-02-01"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L239-L261"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L239-L261"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4f6de748628b8b06eeef3a5fabfe486bfd7aaa92f50dc5a8a8c70ec038cd33b1"
- logic_hash = "24ddaf474dabc5e91cce08734a035feced9048a3faac4ff236bc97e6caabd642"
+ logic_hash = "v1_sha256_24ddaf474dabc5e91cce08734a035feced9048a3faac4ff236bc97e6caabd642"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60676,10 +60676,10 @@ rule ELASTIC_Windows_Trojan_Icedid_D8B23Cd6 : FILE MEMORY
 date = "2023-01-03"
 modified = "2023-01-03"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L263-L294"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L263-L294"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "bd4da2f84c29437bc7efe9599a3a41f574105d449ac0d9b270faaca8795153ab"
- logic_hash = "47e427a4f088de523115f438cad9fc26233158b0518d87703c282df351110762"
+ logic_hash = "v1_sha256_47e427a4f088de523115f438cad9fc26233158b0518d87703c282df351110762"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60717,9 +60717,9 @@ rule ELASTIC_Windows_Trojan_Icedid_A2Ca5F80 : FILE MEMORY
 date = "2023-01-16"
 modified = "2023-04-23"
 reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L296-L323"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "e36266cd66b9542f2eb9d38f9a01f7b480f2bcdbe61fe20944dca33e22bd3281"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L296-L323"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_e36266cd66b9542f2eb9d38f9a01f7b480f2bcdbe61fe20944dca33e22bd3281"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -60754,10 +60754,10 @@ rule ELASTIC_Windows_Trojan_Icedid_B8C59889 : FILE MEMORY date = "2023-05-05" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L325-L349" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L325-L349" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a63d08cd53053bfda17b8707ab3a94cf3d6021097335dc40d5d211fb9faed045" - logic_hash = "08c6c604d1791c35a8494e5ec8a96e8c5dd2ca3d6c57971da20057ce8960fa1d" + logic_hash = "v1_sha256_08c6c604d1791c35a8494e5ec8a96e8c5dd2ca3d6c57971da20057ce8960fa1d" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -60777,7 +60777,7 @@ rule ELASTIC_Windows_Trojan_Icedid_B8C59889 : FILE MEMORY $seq_crypto = { 83 E1 03 83 E0 03 48 8D 14 8A 41 8B 0C 80 4D 8D 04 80 41 0F B6 00 83 E1 07 02 02 41 32 04 29 41 88 04 19 49 FF C1 8B 02 } condition: - 4 of ($a*) or 1 of ($seq*) + 4 of ( $a* ) or 1 of ( $seq* ) } rule ELASTIC_Windows_Trojan_Icedid_81Eff9A3 : FILE MEMORY { 
@@ -60788,10 +60788,10 @@ rule ELASTIC_Windows_Trojan_Icedid_81Eff9A3 : FILE MEMORY date = "2023-05-05" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_IcedID.yar#L351-L371" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_IcedID.yar#L351-L371" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "96dacdf50d1db495c8395d7cf454aa3a824801cf366ac368fe496f89b5f98fe7" - logic_hash = "923dd8166cce0ec32b3b8b20cad192b3c15b7ce7c17fd44ddda739ad205a6c06" + logic_hash = "v1_sha256_923dd8166cce0ec32b3b8b20cad192b3c15b7ce7c17fd44ddda739ad205a6c06" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60818,10 +60818,10 @@ rule ELASTIC_Windows_Ransomware_Hellokitty_8859E8E8 : FILE MEMORY date = "2021-05-03" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Hellokitty.yar#L1-L32" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Hellokitty.yar#L1-L32" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9" - logic_hash = "72cc718724d9d9a391a9f7a0932ebf397c2ab79558437533bef6e380b06baff9" + logic_hash = "v1_sha256_72cc718724d9d9a391a9f7a0932ebf397c2ab79558437533bef6e380b06baff9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60849,7 +60849,7 @@ rule ELASTIC_Windows_Ransomware_Hellokitty_8859E8E8 : FILE MEMORY $b4 = "stop %s" wide fullword condition: - (2 of ($a*) and 2 of ($b*)) or (5 of ($a*)) + (2 of ( $a* ) and 2 of ( $b* ) ) or ( 5 of ( $a* ) ) } rule ELASTIC_Windows_Ransomware_Hellokitty_4B668121 : FILE MEMORY { 
@@ -60860,10 +60860,10 @@ rule ELASTIC_Windows_Ransomware_Hellokitty_4B668121 : FILE MEMORY date = "2021-05-03" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Hellokitty.yar#L34-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Hellokitty.yar#L34-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0" - logic_hash = "00c7a492c304f12b9909e35cf069618a1103311a69e3e8951ca196c3c663b12a" + logic_hash = "v1_sha256_00c7a492c304f12b9909e35cf069618a1103311a69e3e8951ca196c3c663b12a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60896,10 +60896,10 @@ rule ELASTIC_Windows_Ransomware_Hellokitty_D9391A1A : FILE MEMORY date = "2021-05-03" modified = "2023-01-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Hellokitty.yar#L61-L80" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Hellokitty.yar#L61-L80" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "10887d13dba1f83ef34e047455a04416d25a83079a7f3798ce3483e0526e3768" - logic_hash = "074ca47c0526d9828f3c07c7d6dbdd1cec609670d70340b022ae2c712ad80305" + logic_hash = "v1_sha256_074ca47c0526d9828f3c07c7d6dbdd1cec609670d70340b022ae2c712ad80305" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60926,10 +60926,10 @@ rule ELASTIC_Windows_Vulndriver_Viragt_5F92F226 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Viragt.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Viragt.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - logic_hash = "e7ade7aec563c1dc602dfd7fda8c063058f47ae2a915959468792fce389b38f1" + logic_hash = "v1_sha256_e7ade7aec563c1dc602dfd7fda8c063058f47ae2a915959468792fce389b38f1" score = 75 quality = 75 tags = "FILE" @@ -60946,7 +60946,7 @@ rule ELASTIC_Windows_Vulndriver_Viragt_5F92F226 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x50][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x4f][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Viragt_84D508Ad : FILE { 
@@ -60957,10 +60957,10 @@ rule ELASTIC_Windows_Vulndriver_Viragt_84D508Ad : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Viragt.yar#L23-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Viragt.yar#L23-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - logic_hash = "a3e1b41155c7dd347976a1057cb763ab60c50c34e981fef050bd54f060a412fc" + logic_hash = "v1_sha256_a3e1b41155c7dd347976a1057cb763ab60c50c34e981fef050bd54f060a412fc" score = 75 quality = 75 tags = "FILE" @@ -60977,7 +60977,7 @@ rule ELASTIC_Windows_Vulndriver_Viragt_84D508Ad : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x0b][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Ransomware_Cuba_E64A16B1 : FILE MEMORY { 
@@ -60988,10 +60988,10 @@ rule ELASTIC_Windows_Ransomware_Cuba_E64A16B1 : FILE MEMORY date = "2021-08-04" modified = "2021-10-04" reference = "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Cuba.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Cuba.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e" - logic_hash = "915425ad49f1b9ebde114f92155d5969ec707304403f46d891d014b399165a4d" + logic_hash = "v1_sha256_915425ad49f1b9ebde114f92155d5969ec707304403f46d891d014b399165a4d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61018,10 +61018,10 @@ rule ELASTIC_Windows_Ransomware_Cuba_95A98E69 : FILE MEMORY date = "2021-08-04" modified = "2021-10-04" reference = "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Cuba.yar#L23-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Cuba.yar#L23-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00f18713f860dc8394fb23a1a2b6280d1eb2f20a487c175433a7b495a1ba408d" - logic_hash = "d17ef93943e826613be4c21ad1e41d1daa33db9da0fa6106bb8ba6334ebe1d08" + logic_hash = "v1_sha256_d17ef93943e826613be4c21ad1e41d1daa33db9da0fa6106bb8ba6334ebe1d08" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61049,10 +61049,10 @@ rule ELASTIC_Multi_Hacktool_Rakshasa_D5D3Ef21 : FILE MEMORY date = "2024-01-24" modified = "2024-01-29" reference = "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Hacktool_Rakshasa.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Hacktool_Rakshasa.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ccfa30a40445d5237aaee1e015ecfcd9bdbe7665a6dc2736b28e5ebf07ec4597" - logic_hash = "123cbea0ce02012a9b22a4a241d11aa9acbb58b50a1bd9228da7cadbf0fa1b4e" + logic_hash = "v1_sha256_123cbea0ce02012a9b22a4a241d11aa9acbb58b50a1bd9228da7cadbf0fa1b4e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61082,10 +61082,10 @@ rule ELASTIC_Windows_Trojan_Sythe_02B2811A : FILE MEMORY date = "2023-05-10" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Sythe.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Sythe.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2d54a8ba40cc9a1c74db7a889bc75a38f16ae2d025268aa07851c1948daa1b4d" - logic_hash = "ba472b35f583dd4cf125df575129d07de289d6d7dc12ecdcc518ce1eb9f18def" + logic_hash = "v1_sha256_ba472b35f583dd4cf125df575129d07de289d6d7dc12ecdcc518ce1eb9f18def" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61114,10 +61114,10 @@ rule ELASTIC_Windows_Hacktool_Executeassembly_F41F4Df6 : FILE MEMORY date = "2023-03-28" modified = "2023-04-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_ExecuteAssembly.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_ExecuteAssembly.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a468ba2ba77aafa2a572c8947d414e74604a7c1c6e68a0b87fbfce4f8854dd61" - logic_hash = "ab72dec636a96338e16fd57f2db4bb52e38fe61315b42c2ffe9c4566fc0326d3" + logic_hash = "v1_sha256_ab72dec636a96338e16fd57f2db4bb52e38fe61315b42c2ffe9c4566fc0326d3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61144,9 +61144,9 @@ rule ELASTIC_Windows_Trojan_Modpipe_12Bc2604 : FILE MEMORY date = "2023-07-27" modified = "2023-09-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_ModPipe.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "0a26de1b2fb48d65cde61b60c0eba478da73a3eeaeb785d1b2d6095eccbe34e2" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_ModPipe.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_0a26de1b2fb48d65cde61b60c0eba478da73a3eeaeb785d1b2d6095eccbe34e2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61175,10 +61175,10 @@ rule ELASTIC_Macos_Trojan_Adload_4995469F : FILE MEMORY date = "2021-10-04" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Adload.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Adload.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6464ca7b36197cccf0dac00f21c43f0cb09f900006b1934e2b3667b367114de5" - logic_hash = "cceb804a11b93b0e3f491016c47a823d9e6a31294c3ed05d4404601323b30993" + logic_hash = "v1_sha256_cceb804a11b93b0e3f491016c47a823d9e6a31294c3ed05d4404601323b30993" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61204,10 +61204,10 @@ rule ELASTIC_Macos_Trojan_Adload_9B9F86C7 : FILE MEMORY date = "2021-10-04" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Adload.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Adload.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "952e6004ce164ba607ac7fddc1df3d0d6cac07d271d90be02d790c52e49cb73c" - logic_hash = "82297db23e036f22c90eee7b2654e84df847eb1c2b1ea4dcf358c48a14819709" + logic_hash = "v1_sha256_82297db23e036f22c90eee7b2654e84df847eb1c2b1ea4dcf358c48a14819709" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -61233,10 +61233,10 @@ rule ELASTIC_Macos_Trojan_Adload_F6B18A0A : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Adload.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Adload.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "06f38bb811e6a6c38b5e2db708d4063f4aea27fcd193d57c60594f25a86488c8" - logic_hash = "20d43fbf0b8155940e2e181f376a7b1979ce248d88dc08409aaa1a916777231c" + logic_hash = "v1_sha256_20d43fbf0b8155940e2e181f376a7b1979ce248d88dc08409aaa1a916777231c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61262,10 +61262,10 @@ rule ELASTIC_Linux_Trojan_Connectback_Bf194C93 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Connectback.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Connectback.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6784cb86460bddf1226f71f5f5361463cbda487f813d19cd88e8a4a1eb1a417b" - logic_hash = "148626e05caee4a2b2542726ea4e4dab074eeab0572a65fdbd32f5d96544daf8" + logic_hash = "v1_sha256_148626e05caee4a2b2542726ea4e4dab074eeab0572a65fdbd32f5d96544daf8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61291,10 +61291,10 @@ rule ELASTIC_Linux_Exploit_CVE_2014_3153_1C1E02Ad : FILE MEMORY CVE_2014_3153 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2014_3153.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2014_3153.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "64b8c61b73f0c0c0bd44ea5c2bcfb7b665fcca219dbe074a4a16ae20cd565812" - logic_hash = "42e9de7f306343c4c3e7fd02b414b429faacb837fb2910f98f0c1519da40074c" + logic_hash = "v1_sha256_42e9de7f306343c4c3e7fd02b414b429faacb837fb2910f98f0c1519da40074c" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2014-3153" 
@@ -61320,10 +61320,10 @@ rule ELASTIC_Windows_Ransomware_Makop_3Ac2C13C : FILE MEMORY date = "2021-08-05" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Makop.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Makop.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "854226fc4f5388d40cd9e7312797dd63739444d69a67e4126ef60817fa6972ad" - logic_hash = "3fa7c506010a87ac97f415db32c21af091dff26fd912a8f9f5bb5e8d43a8da9e" + logic_hash = "v1_sha256_3fa7c506010a87ac97f415db32c21af091dff26fd912a8f9f5bb5e8d43a8da9e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61349,10 +61349,10 @@ rule ELASTIC_Windows_Ransomware_Makop_3E388338 : FILE MEMORY date = "2021-08-05" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Makop.yar#L21-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Makop.yar#L21-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "854226fc4f5388d40cd9e7312797dd63739444d69a67e4126ef60817fa6972ad" - logic_hash = "5a6e5fd725f3d042c0c95b42ad00c93965a49aa6bda6ec5383a239f18d74742e" + logic_hash = "v1_sha256_5a6e5fd725f3d042c0c95b42ad00c93965a49aa6bda6ec5383a239f18d74742e" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -61383,10 +61383,10 @@ rule ELASTIC_Windows_Trojan_Darkgate_Fa1F1338 : FILE MEMORY date = "2023-12-14" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DarkGate.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DarkGate.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1fce9ee9254dd0641387cc3b6ea5f6a60f4753132c20ca03ce4eed2aa1042876" - logic_hash = "d5447a57fc57af52c263b84522346a3e94a464a698de8be77eab3b56156164f2" + logic_hash = "v1_sha256_d5447a57fc57af52c263b84522346a3e94a464a698de8be77eab3b56156164f2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61414,10 +61414,10 @@ rule ELASTIC_Windows_Trojan_Darkgate_07Ef6F14 : FILE MEMORY date = "2023-12-14" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DarkGate.yar#L23-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DarkGate.yar#L23-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1fce9ee9254dd0641387cc3b6ea5f6a60f4753132c20ca03ce4eed2aa1042876" - logic_hash = "2820286b362b107fc7fc3ec8f1a004a7d7926a84318f2943f58239f1f7e8f1f0" + logic_hash = "v1_sha256_2820286b362b107fc7fc3ec8f1a004a7d7926a84318f2943f58239f1f7e8f1f0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61444,10 +61444,10 @@ rule ELASTIC_Windows_Ransomware_Magniber_Ea0140A1 : FILE MEMORY date = "2021-08-03" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Magniber.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Magniber.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a2448b93d7c50801056052fb429d04bcf94a478a0a012191d60e595fed63eec4" - logic_hash = "e2c05e2c92444d7bcb2bf68e97f809072d2ccdc8a171214d2e7a498b20d08f90" + logic_hash = "v1_sha256_e2c05e2c92444d7bcb2bf68e97f809072d2ccdc8a171214d2e7a498b20d08f90" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61473,10 +61473,10 @@ rule ELASTIC_Windows_Ransomware_Magniber_97D7575B : FILE MEMORY date = "2021-08-03" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Magniber.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Magniber.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a2448b93d7c50801056052fb429d04bcf94a478a0a012191d60e595fed63eec4" - logic_hash = "9c85f98aaae28e9e90a94d6ce18389467013ea6b569f46f6acaf26a6c7e027fc" + logic_hash = "v1_sha256_9c85f98aaae28e9e90a94d6ce18389467013ea6b569f46f6acaf26a6c7e027fc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61502,10 +61502,10 @@ rule ELASTIC_Macos_Infostealer_Encodedosascript_Eeb54A7E : FILE MEMORY date = "2024-08-19" modified = "2024-08-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Macos_Infostealer_EncodedOsascript.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Macos_Infostealer_EncodedOsascript.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05" - logic_hash = "2f450c9afd92f52cdd8333e39e41b7334a01ddc39371c118260820a878359742" + logic_hash = "v1_sha256_2f450c9afd92f52cdd8333e39e41b7334a01ddc39371c118260820a878359742" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -61533,10 +61533,10 @@ rule ELASTIC_Linux_Trojan_Xzbackdoor_74E87A9D : FILE MEMORY date = "2024-03-30" modified = "2024-04-03" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_XZBackdoor.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_XZBackdoor.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5448850cdc3a7ae41ff53b433c2adbd0ff492515012412ee63a40d2685db3049" - logic_hash = "c777171c36d9369ade7bf44c7cc4e5aee16bb4c803431bc480cc0f8ebb2819c0" + logic_hash = "v1_sha256_c777171c36d9369ade7bf44c7cc4e5aee16bb4c803431bc480cc0f8ebb2819c0" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -61555,7 +61555,7 @@ rule ELASTIC_Linux_Trojan_Xzbackdoor_74E87A9D : FILE MEMORY $b3 = { 4D 8B 6C 24 08 45 8B 3C 24 4C 8B 63 10 89 85 78 F1 FF FF 31 C0 83 BD 78 F1 FF FF 00 F3 AB 79 07 } condition: - 1 of ($a*) or all of ($b*) + 1 of ( $a* ) or all of ( $b* ) } rule ELASTIC_Windows_Ransomware_Pandora_Bca8Ce23 : FILE MEMORY { 
@@ -61566,10 +61566,10 @@ rule ELASTIC_Windows_Ransomware_Pandora_Bca8Ce23 : FILE MEMORY date = "2022-03-14" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Pandora.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Pandora.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224" - logic_hash = "52203c1af994667ba6833defe547e886dd02167e4d76c57711080e3be0473bfc" + logic_hash = "v1_sha256_52203c1af994667ba6833defe547e886dd02167e4d76c57711080e3be0473bfc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61597,10 +61597,10 @@ rule ELASTIC_Macos_Backdoor_Applejeus_31872Ae2 : FILE MEMORY date = "2021-10-18" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Backdoor_Applejeus.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Backdoor_Applejeus.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55" - logic_hash = "1d6f06668a7d048a93e53b294c5ab8ffe4cd610f3bef3fd80f14425ef8a85a29" + logic_hash = "v1_sha256_1d6f06668a7d048a93e53b294c5ab8ffe4cd610f3bef3fd80f14425ef8a85a29" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61626,10 +61626,10 @@ rule ELASTIC_Windows_Ransomware_Haron_A1C12E7E : FILE MEMORY date = "2021-08-03" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Haron.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Haron.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c" - logic_hash = "84df5a13495acee5dc2007cf1d6e1828a832d46fcbad2ca8676643fd47756248" + logic_hash = "v1_sha256_84df5a13495acee5dc2007cf1d6e1828a832d46fcbad2ca8676643fd47756248" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61656,10 +61656,10 @@ rule ELASTIC_Windows_Ransomware_Haron_23B76Cb7 : FILE MEMORY date = "2021-08-03" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Haron.yar#L22-L41" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Haron.yar#L22-L41" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c" - logic_hash = "e53c92be617444da0057680ee1ac45cbc1f707194281644bececa44e4ebe3580" + logic_hash = "v1_sha256_e53c92be617444da0057680ee1ac45cbc1f707194281644bececa44e4ebe3580" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61686,10 +61686,10 @@ rule ELASTIC_Windows_Trojan_Oskistealer_A158B1E3 : FILE MEMORY date = "2022-03-21" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_OskiStealer.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_OskiStealer.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "568cd515c9a3bce7ef21520761b02cbfc95d8884d5b2dc38fc352af92356c694" - logic_hash = "0ddbe0b234ed60f5a3fc537cdaebf39f639ee24fd66143c9036a9f4786d4c51b" + logic_hash = "v1_sha256_0ddbe0b234ed60f5a3fc537cdaebf39f639ee24fd66143c9036a9f4786d4c51b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61719,10 +61719,10 @@ rule ELASTIC_Linux_Exploit_Pulse_2Bea17E8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Pulse.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Pulse.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c29cb4c2d83127cf4731573a7fac531f90f27799857f5e250b9f71362108f559" - logic_hash = "bc71efa6cc79171666d89fe3e755411ee8032f56ae5bd73e0de440eee5b718ab" + logic_hash = "v1_sha256_bc71efa6cc79171666d89fe3e755411ee8032f56ae5bd73e0de440eee5b718ab" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61748,10 +61748,10 @@ rule ELASTIC_Linux_Exploit_Pulse_246E6F31 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Pulse.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Pulse.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c29cb4c2d83127cf4731573a7fac531f90f27799857f5e250b9f71362108f559" - logic_hash = "f6755f10863b78303899cefcd81f609884fbbf2dffabd9219686ed869f2cc7e3" + logic_hash = "v1_sha256_f6755f10863b78303899cefcd81f609884fbbf2dffabd9219686ed869f2cc7e3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61777,9 +61777,9 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_6660D29F : BETA FILE MEMORY date = "2020-06-28" modified = "2021-08-23" reference = "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "4c12eaa44f82c6f729e51242c9c1836eb1856959c682e2d2e21b975104c197b6" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_4c12eaa44f82c6f729e51242c9c1836eb1856959c682e2d2e21b975104c197b6" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -61796,7 +61796,7 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_6660D29F : BETA FILE MEMORY $a2 = "RtlComputeCrc32" ascii fullword condition: - 2 of ($a*) + 2 of ( $a* ) } rule ELASTIC_Windows_Ransomware_Doppelpaymer_6Ab188Da : BETA FILE MEMORY { 
@@ -61807,9 +61807,9 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_6Ab188Da : BETA FILE MEMORY date = "2020-06-28" modified = "2021-08-23" reference = "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L23-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "429c87d293b7f517a594e8be020cbe7f8302a8b6eb8337f090ca18973aafbde4" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L23-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_429c87d293b7f517a594e8be020cbe7f8302a8b6eb8337f090ca18973aafbde4" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -61825,7 +61825,7 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_6Ab188Da : BETA FILE MEMORY $d1 = { 56 55 55 55 F7 EF B8 56 55 55 55 8B EA F7 E9 8B C2 8B D1 C1 FA 1F 2B C2 C1 FF 1F 2B EF 8D 14 40 B8 F3 1A CA 6B 2B CA 03 E9 F7 ED 8B CD C1 FA 05 C1 F9 1F 2B D1 6B CA B4 03 CD 74 1C 81 E1 03 00 00 80 7D 07 83 E9 01 83 C9 FC 41 8B C1 F7 D8 85 C9 8D 7C 05 04 0F 45 EF 8D 44 55 02 5D 5F C3 } condition: - 1 of ($d*) + 1 of ( $d* ) } rule ELASTIC_Windows_Ransomware_Doppelpaymer_4Fb1A155 : BETA FILE MEMORY { 
@@ -61836,9 +61836,9 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_4Fb1A155 : BETA FILE MEMORY date = "2020-06-28" modified = "2021-08-23" reference = "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L44-L63" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "eb041a836b2bc73312a2f87523d817d5274f3d43d3e5fe6aacfad1399c61a9de" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L44-L63" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_eb041a836b2bc73312a2f87523d817d5274f3d43d3e5fe6aacfad1399c61a9de" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -61854,7 +61854,7 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_4Fb1A155 : BETA FILE MEMORY $c1 = { 83 EC 64 8B E9 8B 44 24 ?? 8B 00 0F B7 10 83 FA 5C 75 } condition: - 1 of ($c*) + 1 of ( $c* ) } rule ELASTIC_Windows_Trojan_Limerat_24269A79 : FILE MEMORY { 
@@ -61865,10 +61865,10 @@ rule ELASTIC_Windows_Trojan_Limerat_24269A79 : FILE MEMORY date = "2021-08-17" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Limerat.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Limerat.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ec781a714d6bc6fac48d59890d9ae594ffd4dbc95710f2da1f1aa3d5b87b9e01" - logic_hash = "053a6abe589db23c4b9baed24729c8bcdd9019535fd0d9efc60ab4035c9779f3" + logic_hash = "v1_sha256_053a6abe589db23c4b9baed24729c8bcdd9019535fd0d9efc60ab4035c9779f3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61894,9 +61894,9 @@ rule ELASTIC_Linux_Trojan_Godlua_Ed8E6228 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Godlua.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "848ef3b198737f080f19c5fa55dfbc31356427398074f9125c65cb532c52ce7a" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Godlua.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_848ef3b198737f080f19c5fa55dfbc31356427398074f9125c65cb532c52ce7a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61922,9 +61922,9 @@ rule ELASTIC_Windows_Ransomware_Egregor_F24023F3 : BETA FILE MEMORY date = "2020-10-15" modified = "2021-08-23" reference = "https://www.bankinfosecurity.com/egregor-ransomware-adds-to-data-leak-trend-a-15110" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Egregor.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "5695b44f6ce018a91a99b6c94feae740ff4ac187e232bc9044e51d62d1f42bfa" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Egregor.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_5695b44f6ce018a91a99b6c94feae740ff4ac187e232bc9044e51d62d1f42bfa" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -61945,7 +61945,7 @@ rule ELASTIC_Windows_Ransomware_Egregor_F24023F3 : BETA FILE MEMORY $a6 = "Do not redact this special technical block, we need this to authorize you." ascii wide condition: - 2 of ($a*) + 2 of ( $a* ) } rule ELASTIC_Windows_Ransomware_Egregor_4Ec2B90C : BETA FILE MEMORY { 
@@ -61956,9 +61956,9 @@ rule ELASTIC_Windows_Ransomware_Egregor_4Ec2B90C : BETA FILE MEMORY date = "2020-10-15" modified = "2021-08-23" reference = "https://www.bankinfosecurity.com/egregor-ransomware-adds-to-data-leak-trend-a-15110" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Egregor.yar#L27-L48" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8342d92e1486b1289645828e5ee5f1f6f21a0e645dd7cc4eca908ed59c2f1c4c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Egregor.yar#L27-L48" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8342d92e1486b1289645828e5ee5f1f6f21a0e645dd7cc4eca908ed59c2f1c4c" score = 75 quality = 73 tags = "BETA, FILE, MEMORY" @@ -61976,7 +61976,7 @@ rule ELASTIC_Windows_Ransomware_Egregor_4Ec2B90C : BETA FILE MEMORY $b3 = { BB 05 10 D4 BB 05 10 E0 BB 05 10 EC BB 05 10 F8 BB 05 10 04 BC 05 10 10 BC 05 10 1C BC 05 10 2C BC 05 10 3C BC 05 10 50 BC 05 10 68 BC 05 10 80 BC 05 10 90 BC 05 10 A8 BC 05 10 B4 BC 05 10 C0 } condition: - 1 of ($b*) + 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Metastealer_F94E2464 : FILE MEMORY { 
@@ -61987,10 +61987,10 @@ rule ELASTIC_Windows_Trojan_Metastealer_F94E2464 : FILE MEMORY date = "2024-03-27" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_MetaStealer.yar#L1-L34" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_MetaStealer.yar#L1-L34" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "14ca15c0751207103c38f1a2f8fdc73e5dd3d58772f6e5641e54e0c790ecd132" - logic_hash = "bf374bda2ca7c7bcec1ff092bbc9c3fd95c33faa78a6ea105a7b12b8e80a2e23" + logic_hash = "v1_sha256_bf374bda2ca7c7bcec1ff092bbc9c3fd95c33faa78a6ea105a7b12b8e80a2e23" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62031,10 +62031,10 @@ rule ELASTIC_Windows_Trojan_Metastealer_A07E395C : FILE MEMORY date = "2024-10-23" modified = "2024-10-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_MetaStealer.yar#L36-L56" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_MetaStealer.yar#L36-L56" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a" - logic_hash = "2464cf1dc5747c93598354329371ea6111c3cbf34a6db83076c9465b867a0e47" + logic_hash = "v1_sha256_2464cf1dc5747c93598354329371ea6111c3cbf34a6db83076c9465b867a0e47" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -62062,9 +62062,9 @@ rule ELASTIC_Macos_Infostealer_Mdquerysecret_5535Ab96 : FILE MEMORY date = "2023-04-11" modified = "2024-08-19" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Infostealer_MdQuerySecret.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c755e617b9dd41505bb225ea836ecdde8f3f6f9ab7ae79697e6d85190e206c41" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Infostealer_MdQuerySecret.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c755e617b9dd41505bb225ea836ecdde8f3f6f9ab7ae79697e6d85190e206c41" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -62080,7 +62080,7 @@ rule ELASTIC_Macos_Infostealer_Mdquerysecret_5535Ab96 : FILE MEMORY $string2 = /kMDItemDisplayName\s{1,50}==\s{1,50}\S{1,50}secret\S{1,50}/ ascii wide nocase condition: - any of ($string1,$string2) + any of ( $string1 , $string2 ) } rule ELASTIC_Windows_Generic_Threat_Bc6Ae28D : FILE MEMORY { 
@@ -62091,10 +62091,10 @@ rule ELASTIC_Windows_Generic_Threat_Bc6Ae28D : FILE MEMORY date = "2023-12-01" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ce00873eb423c0259c18157a07bf7fd9b07333e528a5b9d48be79194310c9d97" - logic_hash = "0ca5ec945858a5238eac048520dea4597f706ad2c96be322d341c84c4ddbce33" + logic_hash = "v1_sha256_0ca5ec945858a5238eac048520dea4597f706ad2c96be322d341c84c4ddbce33" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62120,10 +62120,10 @@ rule ELASTIC_Windows_Generic_Threat_Ce98C4Bc : FILE MEMORY date = "2023-12-17" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L21-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L21-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "950e8a29f516ef3cf1a81501e97fbbbedb289ad9fb93352edb563f749378da35" - logic_hash = "74914f41c03cb2dcb1dc3175cc76574a0d40b66a1a3854af8f50c9858704b66b" + logic_hash = "v1_sha256_74914f41c03cb2dcb1dc3175cc76574a0d40b66a1a3854af8f50c9858704b66b" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -62150,10 +62150,10 @@ rule ELASTIC_Windows_Generic_Threat_0Cc1481E : FILE MEMORY date = "2023-12-17" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L42-L60" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L42-L60" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6ec7781e472a6827c1406a53ed4699407659bd57c33dd4ab51cabfe8ece6f23f" - logic_hash = "1a094cf337cb85aa4b7d1d2025571ab0661a7be1fd03d53d8c7370a90385f38c" + logic_hash = "v1_sha256_1a094cf337cb85aa4b7d1d2025571ab0661a7be1fd03d53d8c7370a90385f38c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62179,10 +62179,10 @@ rule ELASTIC_Windows_Generic_Threat_2507C37C : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L62-L80" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L62-L80" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "04296258f054a958f0fd013b3c6a3435280b28e9a27541463e6fc9afe30363cc" - logic_hash = "8c5ea1290260993ea5140baa4645f3fd0ebb4d43fce0e9a25f8e8948e683aec1" + logic_hash = "v1_sha256_8c5ea1290260993ea5140baa4645f3fd0ebb4d43fce0e9a25f8e8948e683aec1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62208,10 +62208,10 @@ rule ELASTIC_Windows_Generic_Threat_E052D248 : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L82-L100" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L82-L100" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ed2bbc0d120665044aacb089d8c99d7c946b54d1b08a078aebbb3b91f593da6e" - logic_hash = "1a16ce6d1c6707560425156e625ad19a82315564b3f03adafbcc3e65b0e98a6d" + logic_hash = "v1_sha256_1a16ce6d1c6707560425156e625ad19a82315564b3f03adafbcc3e65b0e98a6d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62237,10 +62237,10 @@ rule ELASTIC_Windows_Generic_Threat_2Bb7Fbe3 : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L102-L120" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L102-L120" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "65cc8704c0e431589d196eadb0ac8a19151631c8d4ab7375d7cb18f7b763ba7b" - logic_hash = "36e1ab766e09e8d06b9179f67a1cb842ba257f140610964a941fb462ed3e803c" + logic_hash = "v1_sha256_36e1ab766e09e8d06b9179f67a1cb842ba257f140610964a941fb462ed3e803c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62266,10 +62266,10 @@ rule ELASTIC_Windows_Generic_Threat_994F2330 : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L122-L140" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L122-L140" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0a30cb09c480a2659b6f989ac9fe1bfba1802ae3aad98fa5db7cdd146fee3916" - logic_hash = "ace99deae7f5faa22f273ec4fe45ef07f03acd1ae4d9c0f18687ef6cf5b560c2" + logic_hash = "v1_sha256_ace99deae7f5faa22f273ec4fe45ef07f03acd1ae4d9c0f18687ef6cf5b560c2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62295,10 +62295,10 @@ rule ELASTIC_Windows_Generic_Threat_Bf7Aae24 : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L142-L160" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L142-L160" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6dfc63894f15fc137e27516f2d2a56514c51f25b41b00583123142cf50645e4e" - logic_hash = "b6dfa6f4c46bddd643f2f89f6275404c19fd4ed1bbae561029fffa884e99e167" + logic_hash = "v1_sha256_b6dfa6f4c46bddd643f2f89f6275404c19fd4ed1bbae561029fffa884e99e167" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62324,10 +62324,10 @@ rule ELASTIC_Windows_Generic_Threat_D542E5A5 : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L162-L180" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L162-L180" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3fc4ae7115e0bfa3fc6b75dcff867e7bf9ade9c7f558f31916359d37d001901b" - logic_hash = "3c16c02d4fc6e019f0ab0ff4daad61f59275afd8fb3ee263b1b59876233a686e" + logic_hash = "v1_sha256_3c16c02d4fc6e019f0ab0ff4daad61f59275afd8fb3ee263b1b59876233a686e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62353,10 +62353,10 @@ rule ELASTIC_Windows_Generic_Threat_8D10790B : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L182-L200" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L182-L200" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "911535923a5451c10239e20e7130d371e8ee37172e0f14fc8cf224d41f7f4c0f" - logic_hash = "84c017abbce1c8702efbe8657e5a857ae222721b0db2260dc814652f4528df26" + logic_hash = "v1_sha256_84c017abbce1c8702efbe8657e5a857ae222721b0db2260dc814652f4528df26" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62382,10 +62382,10 @@ rule ELASTIC_Windows_Generic_Threat_347F9F54 : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L202-L220" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L202-L220" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "45a051651ce1edddd33ecef09bb0fbb978adec9044e64f786b13ed81cabf6a3f" - logic_hash = "63df388393a45ffec68ba01ae6d7707b6d5277e0162ded6e631c1f76ad76b711" + logic_hash = "v1_sha256_63df388393a45ffec68ba01ae6d7707b6d5277e0162ded6e631c1f76ad76b711" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62411,10 +62411,10 @@ rule ELASTIC_Windows_Generic_Threat_20469956 : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L222-L240" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L222-L240" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a1f2923f68f5963499a64bfd0affe0a729f5e7bd6bcccfb9bed1d62831a93c47" - logic_hash = "da351bec0039a32bb9de1d8623ab3dc26eb752d30a64e613de96f70e1b1c2463" + logic_hash = "v1_sha256_da351bec0039a32bb9de1d8623ab3dc26eb752d30a64e613de96f70e1b1c2463" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62440,10 +62440,10 @@ rule ELASTIC_Windows_Generic_Threat_742E8A70 : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L242-L260" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L242-L260" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "94f7678be47651aa457256375f3e4d362ae681a9524388c97dc9ed34ba881090" - logic_hash = "2925eb8da80ef791b5cf7800a9bf9462203ab6aa743bc69f4fd2343e97eaab7c" + logic_hash = "v1_sha256_2925eb8da80ef791b5cf7800a9bf9462203ab6aa743bc69f4fd2343e97eaab7c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62469,10 +62469,10 @@ rule ELASTIC_Windows_Generic_Threat_79174B5C : FILE MEMORY date = "2023-12-18" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L262-L280" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L262-L280" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c15118230059e85e7a6b65fe1c0ceee8997a3d4e9f1966c8340017a41e0c254c" - logic_hash = "06a2f0613719f1273a6b3f62f248c22b1cab2fe6054904619e3720f3f6c55e2e" + logic_hash = "v1_sha256_06a2f0613719f1273a6b3f62f248c22b1cab2fe6054904619e3720f3f6c55e2e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62498,10 +62498,10 @@ rule ELASTIC_Windows_Generic_Threat_232B71A9 : FILE MEMORY date = "2023-12-20" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L282-L300" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L282-L300" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1e8b34da2d675af96b34041d4e493e34139fc8779f806dbcf62a6c9c4d9980fe" - logic_hash = "c3bef1509c0d0172dbbc7e0e2b5c69e5ec47dc22365d98a914002b53b0f7d918" + logic_hash = "v1_sha256_c3bef1509c0d0172dbbc7e0e2b5c69e5ec47dc22365d98a914002b53b0f7d918" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -62527,10 +62527,10 @@ rule ELASTIC_Windows_Generic_Threat_D331D190 : FILE MEMORY date = "2023-12-20" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L302-L320" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L302-L320" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6d869d320d977f83aa3f0e7719967c7e54c1bdae9ae3729668d755ee3397a96f" - logic_hash = "901601c892d709fa596c44df1fbe7772a9f20576c71666570713bf96727a809b" + logic_hash = "v1_sha256_901601c892d709fa596c44df1fbe7772a9f20576c71666570713bf96727a809b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62556,10 +62556,10 @@ rule ELASTIC_Windows_Generic_Threat_24191082 : FILE MEMORY date = "2023-12-20" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L322-L340" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L322-L340" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4d20878c16d2b401e76d8e7c288cf8ef5aa3c8d4865f440ee6b44d9f3d0cbf33" - logic_hash = "a5ea76032a9c189f923d91cd03deb44bd61868e5ad6081afe63249156cbd8927" + logic_hash = "v1_sha256_a5ea76032a9c189f923d91cd03deb44bd61868e5ad6081afe63249156cbd8927" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62585,10 +62585,10 @@ rule ELASTIC_Windows_Generic_Threat_Efdb9E81 : FILE MEMORY date = "2024-01-01" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L342-L361" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L342-L361" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1c3302b14324c9f4e07829f41cd767ec654db18ff330933c6544c46bd19e89dd" - logic_hash = "eae78b07f6c31e3a30ae041a27c67553bb8ea915bc7724583d78832475021955" + logic_hash = "v1_sha256_eae78b07f6c31e3a30ae041a27c67553bb8ea915bc7724583d78832475021955" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -62615,10 +62615,10 @@ rule ELASTIC_Windows_Generic_Threat_34622A35 : FILE MEMORY date = "2024-01-01" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L363-L381" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L363-L381" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c021c6adca0ddf38563a13066a652e4d97726175983854674b8dae2f6e59c83f" - logic_hash = "2b49bd5d3a18307a46f44d9dfeea858ddaa6084f86f96b83b874cee7603e1c11" + logic_hash = "v1_sha256_2b49bd5d3a18307a46f44d9dfeea858ddaa6084f86f96b83b874cee7603e1c11" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62644,10 +62644,10 @@ rule ELASTIC_Windows_Generic_Threat_0Ff403Df : FILE MEMORY date = "2024-01-01" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L383-L401" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L383-L401" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b3119dc4cea05bef51d1f373b87d69bcff514f6575d4c92da4b1c557f8d8db8f" - logic_hash = "38bdd9b6f61ab4bb13abc7af94e92151928df95ade061756611218104e7245fd" + logic_hash = "v1_sha256_38bdd9b6f61ab4bb13abc7af94e92151928df95ade061756611218104e7245fd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62673,10 +62673,10 @@ rule ELASTIC_Windows_Generic_Threat_B1F6F662 : FILE MEMORY date = "2024-01-01" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L403-L423" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L403-L423" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1b7eaef3cf1bb8021a00df092c829932cccac333990db1c5dac6558a5d906400" - logic_hash = "e52ff1eaee00334e1a07367bf88f3907bb0b13035717683d9d98371b92bc45c0" + logic_hash = "v1_sha256_e52ff1eaee00334e1a07367bf88f3907bb0b13035717683d9d98371b92bc45c0" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -62704,10 +62704,10 @@ rule ELASTIC_Windows_Generic_Threat_2C80562D : FILE MEMORY date = "2024-01-01" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L425-L445" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L425-L445" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ee8decf1e8e5a927e3a6c10e88093bb4b7708c3fd542d98d43f1a882c6b0198e" - logic_hash = "07487ae646ac81b94f940c8d3493dbee023bce687297465fe09375f40dff0fb2" + logic_hash = "v1_sha256_07487ae646ac81b94f940c8d3493dbee023bce687297465fe09375f40dff0fb2" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -62735,10 +62735,10 @@ rule ELASTIC_Windows_Generic_Threat_E96F9E97 : FILE MEMORY date = "2024-01-01" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L447-L465" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L447-L465" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bfbab69e9fc517bc46ae88afd0603a498a4c77409e83466d05db2797234ea7fc" - logic_hash = "1dcf81b8982425ff74107b899e85e2432f0464554e923f85a7555cda65293b54" + logic_hash = "v1_sha256_1dcf81b8982425ff74107b899e85e2432f0464554e923f85a7555cda65293b54" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -62764,10 +62764,10 @@ rule ELASTIC_Windows_Generic_Threat_005Fd471 : FILE MEMORY date = "2024-01-01" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L467-L487" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L467-L487" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "502814ed565a923da15626d46fde8cc7fd422790e32b3cad973ed8ec8602b228" - logic_hash = "10493253a6b2ce3141ee980e0607bdbba72580bb4a076f2f4636e9665ffc6db8" + logic_hash = "v1_sha256_10493253a6b2ce3141ee980e0607bdbba72580bb4a076f2f4636e9665ffc6db8" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -62795,10 +62795,10 @@ rule ELASTIC_Windows_Generic_Threat_54B0Ec47 : FILE MEMORY date = "2024-01-03" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L489-L508" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L489-L508" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9c14203069ff6003e7f408bed71e75394de7a6c1451266c59c5639360bf5718c" - logic_hash = "e3d74162a8874fe05042fec98d25b8db50e7f537566fd9f4e40f92bfe868259a" + logic_hash = "v1_sha256_e3d74162a8874fe05042fec98d25b8db50e7f537566fd9f4e40f92bfe868259a" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -62825,10 +62825,10 @@ rule ELASTIC_Windows_Generic_Threat_Acf6222B : FILE MEMORY date = "2024-01-03" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L510-L528" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L510-L528" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ce0def96be08193ab96817ce1279e8406746a76cfcf4bf44e394920d7acbcaa6" - logic_hash = "a284b6c163dbc022bd36f19fbc1d7ff70143bee566328ad23e7b8b79abd39e91" + logic_hash = "v1_sha256_a284b6c163dbc022bd36f19fbc1d7ff70143bee566328ad23e7b8b79abd39e91" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62854,10 +62854,10 @@ rule ELASTIC_Windows_Generic_Threat_5E718A0C : FILE MEMORY date = "2024-01-03" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L530-L548" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L530-L548" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "430b9369b779208bd3976bd2adc3e63d3f71e5edfea30490e6e93040c1b3bac6" - logic_hash = "45068afeda7abae0fe922a21f8f768b6c74a6e0f8e9e8b1f68c3ddf92940bf9a" + logic_hash = "v1_sha256_45068afeda7abae0fe922a21f8f768b6c74a6e0f8e9e8b1f68c3ddf92940bf9a" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -62883,10 +62883,10 @@ rule ELASTIC_Windows_Generic_Threat_Fac6D993 : FILE MEMORY date = "2024-01-03" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L550-L568" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L550-L568" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e7c88e72cf0c1f4cbee588972fc1434065f7cc9bd95d52379bade1b8520278" - logic_hash = "3486793324dbe43c908432e1956bbbdb870beb4641da46b3786581fd3e78811a" + logic_hash = "v1_sha256_3486793324dbe43c908432e1956bbbdb870beb4641da46b3786581fd3e78811a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62912,9 +62912,9 @@ rule ELASTIC_Windows_Generic_Threat_E7Eaa4Ca : FILE MEMORY date = "2024-01-04" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L570-L587" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "600da0c88dc0606e05f60ecd3b9a90469eef8ac7a702ef800c833f7fd17eb13e" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L570-L587" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_600da0c88dc0606e05f60ecd3b9a90469eef8ac7a702ef800c833f7fd17eb13e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62940,10 +62940,10 @@ rule ELASTIC_Windows_Generic_Threat_97703189 : FILE MEMORY date = "2024-01-04" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L589-L607" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L589-L607" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "968ba3112c54f3437b9abb6137f633d919d75137d790af074df40a346891cfb5" - logic_hash = "318bc82d49e9a3467ec0e0086aaf1092d2aa7c589b5f16ce6fbb3778eda7ef0b" + logic_hash = "v1_sha256_318bc82d49e9a3467ec0e0086aaf1092d2aa7c589b5f16ce6fbb3778eda7ef0b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62969,10 +62969,10 @@ rule ELASTIC_Windows_Generic_Threat_Ca0686E1 : FILE MEMORY date = "2024-01-05" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L609-L627" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L609-L627" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5" - logic_hash = "12b2ff66d1be6e2d27f24489b389b5c84660921e8de41653b2b425077cc87669" + logic_hash = "v1_sha256_12b2ff66d1be6e2d27f24489b389b5c84660921e8de41653b2b425077cc87669" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -62998,10 +62998,10 @@ rule ELASTIC_Windows_Generic_Threat_97C1A260 : FILE MEMORY date = "2024-01-07" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L629-L647" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L629-L647" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2cc85ebb1ef07948b1ddf1a793809b76ee61d78c07b8bf6e702c9b17346a20f1" - logic_hash = "5bd84cbdd4ba699c9e9d87e684071342b23138538bd83ffea8c524fcee26a59b" + logic_hash = "v1_sha256_5bd84cbdd4ba699c9e9d87e684071342b23138538bd83ffea8c524fcee26a59b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63027,10 +63027,10 @@ rule ELASTIC_Windows_Generic_Threat_A440F624 : FILE MEMORY date = "2024-01-07" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L649-L668" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L649-L668" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3564fec3d47dfafc7e9c662654865aed74aedeac7371af8a77e573ea92cbd072" - logic_hash = "23c759a0db5698b28a69232077a6b714f71e8eaa069d2f02a7d3efc48b178a2b" + logic_hash = "v1_sha256_23c759a0db5698b28a69232077a6b714f71e8eaa069d2f02a7d3efc48b178a2b" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -63057,10 +63057,10 @@ rule ELASTIC_Windows_Generic_Threat_B577C086 : FILE MEMORY date = "2024-01-07" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L670-L688" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L670-L688" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "27dd61d4d9997738e63e813f8b8ea9d5cf1291eb02d20d1a2ad75ac8aa99459c" - logic_hash = "a7684340171415ee01e855706192cdffcccd6c82362707229b2c1d096f87dfa8" + logic_hash = "v1_sha256_a7684340171415ee01e855706192cdffcccd6c82362707229b2c1d096f87dfa8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63086,10 +63086,10 @@ rule ELASTIC_Windows_Generic_Threat_62E1F5Fc : FILE MEMORY date = "2024-01-07" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L690-L710" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L690-L710" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4a692e244a389af0339de8c2d429b541d6d763afb0a2b1bb20bee879330f2f42" - logic_hash = "76e21746ee396f13073b3db1e876246f01cef547d312691dff3dc895ea3a2b82" + logic_hash = "v1_sha256_76e21746ee396f13073b3db1e876246f01cef547d312691dff3dc895ea3a2b82" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -63117,10 +63117,10 @@ rule ELASTIC_Windows_Generic_Threat_55D6A1Ab : FILE MEMORY date = "2024-01-07" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L712-L731" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L712-L731" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ca6ed610479b5aaaf193a2afed8f2ca1e32c0c5550a195d88f689caab60c6fb" - logic_hash = "4f3a0b2e45ae4e6a00f137798b700a0925fa6eb19ea6b871d7eeb565548888ba" + logic_hash = "v1_sha256_4f3a0b2e45ae4e6a00f137798b700a0925fa6eb19ea6b871d7eeb565548888ba" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -63147,10 +63147,10 @@ rule ELASTIC_Windows_Generic_Threat_F7D3Cdfd : FILE MEMORY date = "2024-01-07" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L733-L751" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L733-L751" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f9df83d0b0e06884cdb4a02cd2091ee1fadeabb2ea16ca34cbfef4129ede251f" - logic_hash = "23e1008f222eb94a4bd34372834924377e813dc76efa8544b0dcbe7d3e3addde" + logic_hash = "v1_sha256_23e1008f222eb94a4bd34372834924377e813dc76efa8544b0dcbe7d3e3addde" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63176,10 +63176,10 @@ rule ELASTIC_Windows_Generic_Threat_0350Ed31 : FILE MEMORY date = "2024-01-07" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L753-L771" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L753-L771" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "008f9352765d1b3360726363e3e179b527a566bc59acecea06bd16eb16b66c5d" - logic_hash = "149dd26466f47b2e7f514bdcc9822470334490da2898840f35fe6b537ce104f6" + logic_hash = "v1_sha256_149dd26466f47b2e7f514bdcc9822470334490da2898840f35fe6b537ce104f6" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -63205,10 +63205,10 @@ rule ELASTIC_Windows_Generic_Threat_A1Cef0Cd : FILE MEMORY date = "2024-01-08" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L773-L791" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L773-L791" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "71f519c6bd598e17e1298d247a4ad37b78685ca6fd423d560d397d34d16b7db8" - logic_hash = "2772906e3a8a088e7c6ea1370af5e5bbe2cbae4f49de9b939524e317be8ddde4" + logic_hash = "v1_sha256_2772906e3a8a088e7c6ea1370af5e5bbe2cbae4f49de9b939524e317be8ddde4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63234,10 +63234,10 @@ rule ELASTIC_Windows_Generic_Threat_E5F4703F : FILE MEMORY date = "2024-01-09" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L793-L811" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L793-L811" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "362bda1fad3fefce7d173617909d3c1a0a8e234e22caf3215ee7c6cef6b2743b" - logic_hash = "f81476d5e5a9bcb42b32d6ec3d4b620165f2878c50691ecf59ef6f34b6ad9d1b" + logic_hash = "v1_sha256_f81476d5e5a9bcb42b32d6ec3d4b620165f2878c50691ecf59ef6f34b6ad9d1b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63263,10 +63263,10 @@ rule ELASTIC_Windows_Generic_Threat_8B790Aba : FILE MEMORY date = "2024-01-09" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L813-L832" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L813-L832" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ec98bfff01d384bdff6bbbc5e17620b31fa57c662516157fd476ef587b8d239e" - logic_hash = "8a0b2af3d0c95466ca138dfcc3d6f6a702ec92f5cd4f791b1200c79ffd973840" + logic_hash = "v1_sha256_8a0b2af3d0c95466ca138dfcc3d6f6a702ec92f5cd4f791b1200c79ffd973840" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -63293,10 +63293,10 @@ rule ELASTIC_Windows_Generic_Threat_76A7579F : FILE MEMORY date = "2024-01-09" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L834-L852" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L834-L852" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "76c73934bcff7e4ee08b068d1e02b8f5c22161262d127de2b4ac2e81d09d84f6" - logic_hash = "08ed2d318e7154195911aaf3705626307b48a54aa195eaa054ec53766d3e198d" + logic_hash = "v1_sha256_08ed2d318e7154195911aaf3705626307b48a54aa195eaa054ec53766d3e198d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63322,10 +63322,10 @@ rule ELASTIC_Windows_Generic_Threat_3F060B9C : FILE MEMORY date = "2024-01-10" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L854-L872" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L854-L872" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "32e7a40b13ddbf9fc73bd12c234336b1ae11e2f39476de99ebacd7bbfd22fba0" - logic_hash = "193583f63f22452f96c8372fdc9ef04e2a684f847564a7fe75145ea30d426901" + logic_hash = "v1_sha256_193583f63f22452f96c8372fdc9ef04e2a684f847564a7fe75145ea30d426901" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63351,10 +63351,10 @@ rule ELASTIC_Windows_Generic_Threat_Dbae6542 : FILE MEMORY date = "2024-01-10" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L874-L892" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L874-L892" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c73f533f96ed894b9ff717da195083a594673e218ee9a269e360353b9c9a0283" - logic_hash = "673c6b4e6aaa127d45b21d0283437000fbc507a84ecd7a326448869d63759aee" + logic_hash = "v1_sha256_673c6b4e6aaa127d45b21d0283437000fbc507a84ecd7a326448869d63759aee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63380,10 +63380,10 @@ rule ELASTIC_Windows_Generic_Threat_808F680E : FILE MEMORY date = "2024-01-10" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L894-L912" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L894-L912" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "df6955522532e365239b94e9d834ff5eeeb354eec3e3672c48be88725849ac1c" - logic_hash = "22d91a87c01b401d4a203fbabb93a9b45fd6d8819125c56d9c427449b06d2f84" + logic_hash = "v1_sha256_22d91a87c01b401d4a203fbabb93a9b45fd6d8819125c56d9c427449b06d2f84" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -63409,10 +63409,10 @@ rule ELASTIC_Windows_Generic_Threat_073909Cf : FILE MEMORY
 date = "2024-01-10"
 modified = "2024-01-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L914-L932"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L914-L932"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "89a6dc518c119b39252889632bd18d9dfdae687f7621310fb14b684d2f85dad8"
- logic_hash = "5b42a74010549c884ff85a67b9add6b82a8109a953473cc1439581976f8f545e"
+ logic_hash = "v1_sha256_5b42a74010549c884ff85a67b9add6b82a8109a953473cc1439581976f8f545e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63438,10 +63438,10 @@ rule ELASTIC_Windows_Generic_Threat_820Fe9C9 : FILE MEMORY
 date = "2024-01-11"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L934-L952"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L934-L952"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1102a499b8a863bdbfd978a1d17270990e6b7fe60ce54b9dd17492234aad2f8c"
- logic_hash = "81a1359bd5781e1eefb6ae06c6b2ad9e94cc6318c1f81f84c06f0b236b6e84d1"
+ logic_hash = "v1_sha256_81a1359bd5781e1eefb6ae06c6b2ad9e94cc6318c1f81f84c06f0b236b6e84d1"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -63467,10 +63467,10 @@ rule ELASTIC_Windows_Generic_Threat_89Efd1B4 : FILE MEMORY
 date = "2024-01-11"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L954-L972"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L954-L972"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "937c8bc3c89bb9c05b2cb859c4bf0f47020917a309bbadca36236434c8cdc8b9"
- logic_hash = "49a7875fd9c31c5c9b593aed75a28fadb586294422b75c7a8eeba2e8ff254753"
+ logic_hash = "v1_sha256_49a7875fd9c31c5c9b593aed75a28fadb586294422b75c7a8eeba2e8ff254753"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63496,10 +63496,10 @@ rule ELASTIC_Windows_Generic_Threat_61315534 : FILE MEMORY
 date = "2024-01-11"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L974-L992"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L974-L992"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "819447ca71080f083b1061ed6e333bd9ef816abd5b0dd0b5e6a58511ab1ce8b9"
- logic_hash = "0fdfe3bb6ebdaac4324a45dac8680f00684d0030419f26f3f72ed002bf5a2a34"
+ logic_hash = "v1_sha256_0fdfe3bb6ebdaac4324a45dac8680f00684d0030419f26f3f72ed002bf5a2a34"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63525,10 +63525,10 @@ rule ELASTIC_Windows_Generic_Threat_Eab96Cf2 : FILE MEMORY
 date = "2024-01-11"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L994-L1012"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L994-L1012"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2be8a2c524f1fb2acb2af92bc56eb9377c4e16923a06f5ac2373811041ea7982"
- logic_hash = "cc1dfc2c9c5e1fbc6282342dfbf3a6c834fa56fb6fc46569a24fa78535c5845f"
+ logic_hash = "v1_sha256_cc1dfc2c9c5e1fbc6282342dfbf3a6c834fa56fb6fc46569a24fa78535c5845f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63554,10 +63554,10 @@ rule ELASTIC_Windows_Generic_Threat_11A56097 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1014-L1033"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1014-L1033"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "98d538c8f074d831b7a91e549e78f6549db5d2c53a10dbe82209d15d1c2e9b56"
- logic_hash = "42f955c079752c787ac70682bc41fa31f3196d30051d7032276a0d4279d59d58"
+ logic_hash = "v1_sha256_42f955c079752c787ac70682bc41fa31f3196d30051d7032276a0d4279d59d58"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -63584,10 +63584,10 @@ rule ELASTIC_Windows_Generic_Threat_F3Bef434 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1035-L1053"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1035-L1053"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "98d538c8f074d831b7a91e549e78f6549db5d2c53a10dbe82209d15d1c2e9b56"
- logic_hash = "efba0e1fbe6562a9aeaac23b851c31350e4ac6551e505be4986bddade92ca303"
+ logic_hash = "v1_sha256_efba0e1fbe6562a9aeaac23b851c31350e4ac6551e505be4986bddade92ca303"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63613,10 +63613,10 @@ rule ELASTIC_Windows_Generic_Threat_C6F131C5 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1055-L1073"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1055-L1073"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "247314baaaa993b8db9de7ef0e2998030f13b99d6fd0e17ffd59e31a8d17747a"
- logic_hash = "5702a77fee0cd564916abdbfedf76d069bb7a5b6de0c4623150991d52dc02e42"
+ logic_hash = "v1_sha256_5702a77fee0cd564916abdbfedf76d069bb7a5b6de0c4623150991d52dc02e42"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63642,10 +63642,10 @@ rule ELASTIC_Windows_Generic_Threat_B2A054F8 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1075-L1095"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1075-L1095"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "63d2478a5db820731a48a7ad5a20d7a4deca35c6b865a17de86248bef7a64da7"
- logic_hash = "f64b1666f78646322a4c37dc887d8fcfdb275b0bca812e360579cefd9e323c02"
+ logic_hash = "v1_sha256_f64b1666f78646322a4c37dc887d8fcfdb275b0bca812e360579cefd9e323c02"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -63673,10 +63673,10 @@ rule ELASTIC_Windows_Generic_Threat_Fcab7E76 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1097-L1115"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1097-L1115"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "67d7e016e401bd5d435eecaa9e8ead341aed2f373a1179069f53b64bda3f1f56"
- logic_hash = "90f50d1227b8e462eaa393690dc2b25601444bf80f2108445a0413bff6bedae8"
+ logic_hash = "v1_sha256_90f50d1227b8e462eaa393690dc2b25601444bf80f2108445a0413bff6bedae8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63702,10 +63702,10 @@ rule ELASTIC_Windows_Generic_Threat_90E4F085 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1117-L1137"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1117-L1137"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1a6a290d98f5957d00756fc55187c78030de7031544a981fd2bb4cfeae732168"
- logic_hash = "2afeae6de965ae155914dcedbfe375327a9fca3b42733c23360dd4fddfcc8a3d"
+ logic_hash = "v1_sha256_2afeae6de965ae155914dcedbfe375327a9fca3b42733c23360dd4fddfcc8a3d"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -63733,10 +63733,10 @@ rule ELASTIC_Windows_Generic_Threat_04A9C177 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1139-L1157"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1139-L1157"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0cccdde4dcc8916fb6399c181722eb0da2775d86146ce3cb3fc7f8cf6cd67c29"
- logic_hash = "ca7cf71228b1e13ec05c62cd9924ea5089fdf903d8ea4a5151866996ea81e01e"
+ logic_hash = "v1_sha256_ca7cf71228b1e13ec05c62cd9924ea5089fdf903d8ea4a5151866996ea81e01e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63762,10 +63762,10 @@ rule ELASTIC_Windows_Generic_Threat_45D1E986 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1159-L1177"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1159-L1177"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fd159cf2f9bd48b0f6f5958eef8af8feede2bcbbea035a7e56ce1ff72d3f47eb"
- logic_hash = "d53a4d189b9a49f9b6477e12bce0d41e62827306d1df79e6494ab67669d84f35"
+ logic_hash = "v1_sha256_d53a4d189b9a49f9b6477e12bce0d41e62827306d1df79e6494ab67669d84f35"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63791,10 +63791,10 @@ rule ELASTIC_Windows_Generic_Threat_83C38E63 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1179-L1198"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1179-L1198"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2121a0e5debcfeedf200d7473030062bc9f5fbd5edfdcd464dfedde272ff1ae7"
- logic_hash = "89d4036290a29b372918205bba85698d6343109503766cbb13999b5177fc3152"
+ logic_hash = "v1_sha256_89d4036290a29b372918205bba85698d6343109503766cbb13999b5177fc3152"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -63821,10 +63821,10 @@ rule ELASTIC_Windows_Generic_Threat_Bd24Be68 : FILE MEMORY
 date = "2024-01-12"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1200-L1218"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1200-L1218"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fd159cf2f9bd48b0f6f5958eef8af8feede2bcbbea035a7e56ce1ff72d3f47eb"
- logic_hash = "8536593696930d03f1e62586886f0df5438d13fb796b4605df7ad67d9633d5f9"
+ logic_hash = "v1_sha256_8536593696930d03f1e62586886f0df5438d13fb796b4605df7ad67d9633d5f9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63850,10 +63850,10 @@ rule ELASTIC_Windows_Generic_Threat_A0C7B402 : FILE MEMORY
 date = "2024-01-16"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1220-L1238"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1220-L1238"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5814d7712304800d92487b8e1108d20ad7b44f48910b1fb0a99e9b36baa4333a"
- logic_hash = "d0aa75debbefb301b9fc46ceca4944ae8c4b009118214a9589440b59089b853e"
+ logic_hash = "v1_sha256_d0aa75debbefb301b9fc46ceca4944ae8c4b009118214a9589440b59089b853e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63879,10 +63879,10 @@ rule ELASTIC_Windows_Generic_Threat_42B3E0D7 : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1240-L1258"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1240-L1258"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "99ad416b155970fda383a63fe61de2e4d0254e9c9e09564e17938e8e2b49b5b7"
- logic_hash = "58b4c667b6d796f4525afeb706394f593d03393e3a48e2a0b7664f121e6a78fe"
+ logic_hash = "v1_sha256_58b4c667b6d796f4525afeb706394f593d03393e3a48e2a0b7664f121e6a78fe"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63908,10 +63908,10 @@ rule ELASTIC_Windows_Generic_Threat_66142106 : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1260-L1278"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1260-L1278"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cd164a65fb2a496ad7b54c782f25fbfca0540d46d2c0d6b098d7be516c4ce021"
- logic_hash = "bf5d8db3ed6d2abc3158b04e904351250bf17a6d766e31769b3c5a6e534165b0"
+ logic_hash = "v1_sha256_bf5d8db3ed6d2abc3158b04e904351250bf17a6d766e31769b3c5a6e534165b0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63937,10 +63937,10 @@ rule ELASTIC_Windows_Generic_Threat_51A1D82B : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1280-L1298"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1280-L1298"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1a7adde856991fa25fac79048461102fba58cda9492d4f5203b817d767a81018"
- logic_hash = "2d6b0560e1980deb6aad8e0902d065eeda406506b70bb8bb27c7fa58be9842f8"
+ logic_hash = "v1_sha256_2d6b0560e1980deb6aad8e0902d065eeda406506b70bb8bb27c7fa58be9842f8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63966,10 +63966,10 @@ rule ELASTIC_Windows_Generic_Threat_Dee3B4Bf : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1300-L1318"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1300-L1318"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c7f4b63fa5c7386d6444c0d0428a8fe328446efcef5fda93821f05e86efd2fba"
- logic_hash = "cfd7f9250ab44ffe12b62f84ae753032642d9aa2524d88a6d4d989a2afa043a3"
+ logic_hash = "v1_sha256_cfd7f9250ab44ffe12b62f84ae753032642d9aa2524d88a6d4d989a2afa043a3"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -63995,10 +63995,10 @@ rule ELASTIC_Windows_Generic_Threat_Fdbcd3F2 : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1320-L1338"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1320-L1338"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9258e4fe077be21ad7ae348868f1ac6226f6e9d404c664025006ab4b64222369"
- logic_hash = "ca9136ca44a61795cca44ac9bb0494fdc34c08d6578603ba3be3582956f4a98f"
+ logic_hash = "v1_sha256_ca9136ca44a61795cca44ac9bb0494fdc34c08d6578603ba3be3582956f4a98f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -64024,10 +64024,10 @@ rule ELASTIC_Windows_Generic_Threat_B7852Ccf : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1340-L1360"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1340-L1360"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5ac70fa959be4ee37c0c56f0dd04061a5fed78fcbde21b8449fc93e44a8c133a"
- logic_hash = "4d5c29cceaacfda0c41bcd13cf95e90397b1b6c0c6beeb19b9184f435c8669b9"
+ logic_hash = "v1_sha256_4d5c29cceaacfda0c41bcd13cf95e90397b1b6c0c6beeb19b9184f435c8669b9"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -64055,10 +64055,10 @@ rule ELASTIC_Windows_Generic_Threat_C3C8F21A : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1362-L1380"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1362-L1380"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9a102873dd37d08f53dcf6b5dad2555598a954d18fb3090bbf842655c5fded35"
- logic_hash = "b4d2b28fb2c9d46884b0b34f7821151b88891a8d881885c704e0e192cf7fca70"
+ logic_hash = "v1_sha256_b4d2b28fb2c9d46884b0b34f7821151b88891a8d881885c704e0e192cf7fca70"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -64084,10 +64084,10 @@ rule ELASTIC_Windows_Generic_Threat_A3D51E0C : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1382-L1400"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1382-L1400"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "18bd25df1025cd04b0642e507b0170bc1a2afba71b2dc4bd5e83cc487860db0d"
- logic_hash = "f128f6a037abb4af2c11605b182852146780be6451b3062a2914bedb5c286843"
+ logic_hash = "v1_sha256_f128f6a037abb4af2c11605b182852146780be6451b3062a2914bedb5c286843"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -64113,10 +64113,10 @@ rule ELASTIC_Windows_Generic_Threat_54Ccad4D : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1402-L1422"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1402-L1422"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fe4aad002722d2173dd661b7b34cdb0e3d4d8cd600e4165975c48bf1b135763f"
- logic_hash = "b9fb525be22dd2f235c3ac68688ced5298da45194ad032423689f5a085df6e31"
+ logic_hash = "v1_sha256_b9fb525be22dd2f235c3ac68688ced5298da45194ad032423689f5a085df6e31"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -64144,10 +64144,10 @@ rule ELASTIC_Windows_Generic_Threat_6Ee18020 : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1424-L1442"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1424-L1442"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d58d8f5a7efcb02adac92362d8c608e6d056824641283497b2e1c1f0e2d19b0a"
- logic_hash = "8a08973ae2ddde275e007686fc6eca831c1fb398b7221d5022da10f90da0e44d"
+ logic_hash = "v1_sha256_8a08973ae2ddde275e007686fc6eca831c1fb398b7221d5022da10f90da0e44d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -64173,10 +64173,10 @@ rule ELASTIC_Windows_Generic_Threat_8Eb547Db : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1444-L1462"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1444-L1462"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3fc821b63dfa653b86b11201073997fa4dc273124d050c2a7c267ac789d8a447"
- logic_hash = "73cabad0656c6b347def017b07138fdbdd5b41da5ccf7d701fea764669058f39"
+ logic_hash = "v1_sha256_73cabad0656c6b347def017b07138fdbdd5b41da5ccf7d701fea764669058f39"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -64202,10 +64202,10 @@ rule ELASTIC_Windows_Generic_Threat_803Feff4 : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1464-L1482"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1464-L1482"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8f150dfb13e4a2ff36231f873e4c0677b5db4aa235d8f0aeb41e02f7e31c1e05"
- logic_hash = "e22b8b208ff104e2843d897c425467f2f0ec0c586c4db578da90aeaef0209e1d"
+ logic_hash = "v1_sha256_e22b8b208ff104e2843d897c425467f2f0ec0c586c4db578da90aeaef0209e1d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -64231,10 +64231,10 @@ rule ELASTIC_Windows_Generic_Threat_9C7D2333 : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1484-L1502"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1484-L1502"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "85219f1402c88ab1e69aa99fe4bed75b2ad1918f4e95c448cdc6a4b9d2f9a5d4"
- logic_hash = "561290ebf3ca2a01914f514d63121be930e7a8c06cfc90ff4b8f0c7cef3408fe"
+ logic_hash = "v1_sha256_561290ebf3ca2a01914f514d63121be930e7a8c06cfc90ff4b8f0c7cef3408fe"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -64260,10 +64260,10 @@ rule ELASTIC_Windows_Generic_Threat_747B58Af : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1504-L1524"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1504-L1524"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ee28e93412c59d63155fd79bc99979a5664c48dcb3c77e121d17fa985fcb0ebe"
- logic_hash = "fd6b36ca50c1017035474b491f716bfb0d53b181fce4b5478a57a1d1a6ddc3e7"
+ logic_hash = "v1_sha256_fd6b36ca50c1017035474b491f716bfb0d53b181fce4b5478a57a1d1a6ddc3e7"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -64291,10 +64291,10 @@ rule ELASTIC_Windows_Generic_Threat_C3C4E847 : FILE MEMORY
 date = "2024-01-17"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1526-L1544"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1526-L1544"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "86b37f0b2d9d7a810b5739776b4104f1ded3a1228c4ec2d104d26d8eb26aa7ba"
- logic_hash = "fa147abf7aa872f409e7684c4c60485fc58f57543062573526e56ff9866f8dfe"
+ logic_hash = "v1_sha256_fa147abf7aa872f409e7684c4c60485fc58f57543062573526e56ff9866f8dfe"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -64320,10 +64320,10 @@ rule ELASTIC_Windows_Generic_Threat_6542Ebda : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1546-L1564" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1546-L1564" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2073e51c7db7040c6046e36585873a0addc2bcddeb6e944b46f96c607dd83595" - logic_hash = "30263341bf51a001503dfda9be5771d401bc5b5423682c29a6d4ebc457415d3e" + logic_hash = "v1_sha256_30263341bf51a001503dfda9be5771d401bc5b5423682c29a6d4ebc457415d3e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64349,10 +64349,10 @@ rule ELASTIC_Windows_Generic_Threat_1417511B : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1566-L1584" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1566-L1584" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2fc9bd91753ff3334ef7f9861dc1ae79cf5915d79fa50f7104cbb3262b7037da" - logic_hash = "e6b53082fa447ac3cf56784771aca742696922e6f740a24d014e04250dc5020c" + logic_hash = "v1_sha256_e6b53082fa447ac3cf56784771aca742696922e6f740a24d014e04250dc5020c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64378,10 +64378,10 @@ rule ELASTIC_Windows_Generic_Threat_7526F106 : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1586-L1605" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1586-L1605" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5a297c446c27a8d851c444b6b32a346a7f9f5b5e783564742d39e90cd583e0f0" - logic_hash = "a0f9eb760be05196f0c5c3e3bf250929b48341a58a11c24722978fa19c4a9f57" + logic_hash = "v1_sha256_a0f9eb760be05196f0c5c3e3bf250929b48341a58a11c24722978fa19c4a9f57" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -64408,10 +64408,10 @@ rule ELASTIC_Windows_Generic_Threat_Cbe3313A : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1607-L1625" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1607-L1625" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ca2a28c851070b9bfe1f7dd655f2ea10ececef49276c998a1d2a1b48f84cef3" - logic_hash = "41a731cefe0c8ee95f1db598b68a8860ef7ff06137ce94d0dd0b5c60c4240e85" + logic_hash = "v1_sha256_41a731cefe0c8ee95f1db598b68a8860ef7ff06137ce94d0dd0b5c60c4240e85" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64437,10 +64437,10 @@ rule ELASTIC_Windows_Generic_Threat_779Cf969 : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1627-L1645" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1627-L1645" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ef281230c248442c804f1930caba48f0ae6cef110665020139f826ab99bbf274" - logic_hash = "ad0f2d78386abf4c6dc6b5a4a88b4dcf8e5bf8086b08bac91e5e00be9936e908" + logic_hash = "v1_sha256_ad0f2d78386abf4c6dc6b5a4a88b4dcf8e5bf8086b08bac91e5e00be9936e908" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -64466,10 +64466,10 @@ rule ELASTIC_Windows_Generic_Threat_D568682A : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1647-L1665" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1647-L1665" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0d98bc52259e0625ec2f24078cf4ae3233e5be0ade8f97a80ca590a0f1418582" - logic_hash = "97e172502037c7a5d66327fcc4a237e5548694fc7d73a535838ad56367f15d76" + logic_hash = "v1_sha256_97e172502037c7a5d66327fcc4a237e5548694fc7d73a535838ad56367f15d76" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64495,10 +64495,10 @@ rule ELASTIC_Windows_Generic_Threat_Ccb6A7A2 : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1667-L1686" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1667-L1686" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "60503212db3f27a4d68bbfc94048ffede04ad37c78a19c4fe428b50f27af7a0d" - logic_hash = "312265bbc4330a463bbe7478c70233f5df3353bda3c450562f2414f3675ba91e" + logic_hash = "v1_sha256_312265bbc4330a463bbe7478c70233f5df3353bda3c450562f2414f3675ba91e" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -64525,10 +64525,10 @@ rule ELASTIC_Windows_Generic_Threat_D62F1D01 : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1688-L1706" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1688-L1706" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "380892397b86f47ec5e6ed1845317bf3fd9c00d01f516cedfe032c0549eef239" - logic_hash = "fd65eb56f3a48c37f83d3544c039d29c231cac1e2f8f07d176d709432a75a4c3" + logic_hash = "v1_sha256_fd65eb56f3a48c37f83d3544c039d29c231cac1e2f8f07d176d709432a75a4c3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64554,10 +64554,10 @@ rule ELASTIC_Windows_Generic_Threat_2Bb6F41D : FILE MEMORY date = "2024-01-17" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1708-L1728" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1708-L1728" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "afa060352346dda4807dffbcac75bf07e8800d87ff72971b65e9805fabef39c0" - logic_hash = "7c4e62b69880eb8a901d7e94b7539786e8ac58808df07cb1cbe9ff45efce518e" + logic_hash = "v1_sha256_7c4e62b69880eb8a901d7e94b7539786e8ac58808df07cb1cbe9ff45efce518e" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -64585,9 +64585,9 @@ rule ELASTIC_Windows_Generic_Threat_C54Ed0Ed : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1730-L1747" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "f0f4878cb003371522ed1419984f15fd5049f1adeb8e051b8b51b31b0d620e96" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1730-L1747" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_f0f4878cb003371522ed1419984f15fd5049f1adeb8e051b8b51b31b0d620e96" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64613,10 +64613,10 @@ rule ELASTIC_Windows_Generic_Threat_Dbe41439 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1749-L1767" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1749-L1767" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "64afd2bc6cec17402473a29b94325ae2e26989caf5a8b916dc21952149d71b00" - logic_hash = "288cdc285d024f2b69847e0d49bd4dc1c86a2a6a24a7b4fb248071855ba39a38" + logic_hash = "v1_sha256_288cdc285d024f2b69847e0d49bd4dc1c86a2a6a24a7b4fb248071855ba39a38" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64642,10 +64642,10 @@ rule ELASTIC_Windows_Generic_Threat_51A52B44 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1769-L1787" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1769-L1787" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "303aafcc660baa803344bed6a3a7a5b150668f88a222c28182db588fc1e744e0" - logic_hash = "aad1c350f43cf2e0512e085e1a04db6099c568e375423afb9518b1fb89801c21" + logic_hash = "v1_sha256_aad1c350f43cf2e0512e085e1a04db6099c568e375423afb9518b1fb89801c21" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -64671,10 +64671,10 @@ rule ELASTIC_Windows_Generic_Threat_5C18A7F9 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1789-L1807" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1789-L1807" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fd272678098eae8f5ec8428cf25d2f1d8b65566c59e363d42c7ce9ffab90faaa" - logic_hash = "05cea396567ed3e23907dec4e6e3a6629cd1044d9123cde0575a04b73bae6c20" + logic_hash = "v1_sha256_05cea396567ed3e23907dec4e6e3a6629cd1044d9123cde0575a04b73bae6c20" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64700,10 +64700,10 @@ rule ELASTIC_Windows_Generic_Threat_Ab01Ba9E : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1809-L1829" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1809-L1829" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2b237716d0c0c9877f54b3fa03823068728dfe0710c5b05e9808eab365a1408e" - logic_hash = "cc8d79950e21270938d2ea7e501c7c8fdbebe92767b48b46bb03c08c377e095b" + logic_hash = "v1_sha256_cc8d79950e21270938d2ea7e501c7c8fdbebe92767b48b46bb03c08c377e095b" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -64731,10 +64731,10 @@ rule ELASTIC_Windows_Generic_Threat_917D7645 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1831-L1849" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1831-L1849" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "19b54a20cfa74cbb0f4724155244b52ca854054a205be6d148f826fa008d6c55" - logic_hash = "65748ff2e4448f305b9541ea9864cc6bda054d37be5ed34110a2f64c8fef30c7" + logic_hash = "v1_sha256_65748ff2e4448f305b9541ea9864cc6bda054d37be5ed34110a2f64c8fef30c7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64760,10 +64760,10 @@ rule ELASTIC_Windows_Generic_Threat_7A09E97D : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1851-L1869" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1851-L1869" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c0c1e333e60547a90ec9d9dac3fc6698b088769bc0f5ec25883b2c4d1fd680a9" - logic_hash = "b65b2d12901953c137687a7b466c78e0537a2830c37a4cb13dd0eda457bba937" + logic_hash = "v1_sha256_b65b2d12901953c137687a7b466c78e0537a2830c37a4cb13dd0eda457bba937" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64789,10 +64789,10 @@ rule ELASTIC_Windows_Generic_Threat_Dc4Ede3B : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1871-L1889" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1871-L1889" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c49f20c5b42c6d813e6364b1fcb68c1b63a2f7def85a3ddfc4e664c4e90f8798" - logic_hash = "c402d5f16f2be32912d7a054b51ab6dafc6173bb5a267a7846b3ac9df1c4c19f" + logic_hash = "v1_sha256_c402d5f16f2be32912d7a054b51ab6dafc6173bb5a267a7846b3ac9df1c4c19f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64818,10 +64818,10 @@ rule ELASTIC_Windows_Generic_Threat_Bb480769 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1891-L1909" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1891-L1909" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "010e3aeb26533d418bb7d2fdcfb5ec21b36603b6abb63511be25a37f99635bce" - logic_hash = "1087e0befceac2606ce5dc5f2b42b45ebad888e7d3e451c3fb89de7e932a31f5" + logic_hash = "v1_sha256_1087e0befceac2606ce5dc5f2b42b45ebad888e7d3e451c3fb89de7e932a31f5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64847,10 +64847,10 @@ rule ELASTIC_Windows_Generic_Threat_5Fbf5680 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1911-L1929" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1911-L1929" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1b0553a9873d4cda213f5464b5e98904163e347a49282db679394f70d4571e77" - logic_hash = "ec5399f6fb29125cb4c096851b9194fa35fb1e5ddd1f4d4f07b155471ae5c619" + logic_hash = "v1_sha256_ec5399f6fb29125cb4c096851b9194fa35fb1e5ddd1f4d4f07b155471ae5c619" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64876,10 +64876,10 @@ rule ELASTIC_Windows_Generic_Threat_Aa30A738 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1931-L1949" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1931-L1949" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7726a691bd6c1ee51a9682e0087403a2c5a798ad172c1402acf2209c34092d18" - logic_hash = "64967fbc0e74435452752731a8b9385345cc771d27ee33cd018cccdeb26bb75e" + logic_hash = "v1_sha256_64967fbc0e74435452752731a8b9385345cc771d27ee33cd018cccdeb26bb75e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64905,10 +64905,10 @@ rule ELASTIC_Windows_Generic_Threat_9A8Dc290 : FILE MEMORY date = "2024-01-21" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1951-L1969" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1951-L1969" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d951562a841f3706005d7696052d45397e3b4296d4cd96bf187920175fbb1676" - logic_hash = "0097a13187b953ebe97809dda2be818cfcd94991c03e75f344e34a3d2c4fe902" + logic_hash = "v1_sha256_0097a13187b953ebe97809dda2be818cfcd94991c03e75f344e34a3d2c4fe902" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64934,10 +64934,10 @@ rule ELASTIC_Windows_Generic_Threat_Bbf2A354 : FILE MEMORY date = "2024-01-22" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1971-L1989" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1971-L1989" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b4e6c748ad88070e39b53a9373946e9e404623326f710814bed439e5ea61fc3e" - logic_hash = "6be2fae41199daea6b9d0394c9af7713543333a50620ef417bb8439d5a07f336" + logic_hash = "v1_sha256_6be2fae41199daea6b9d0394c9af7713543333a50620ef417bb8439d5a07f336" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -64963,10 +64963,10 @@ rule ELASTIC_Windows_Generic_Threat_Da0F3Cbb : FILE MEMORY date = "2024-01-22" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L1991-L2009" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L1991-L2009" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b2c456d0051ffe1ca7e9de1e944692b10ed466eabb38242ea88e663a23157c58" - logic_hash = "262d0bbb69adde8c4c8645813b048f3aaa2dbcc83996606e7ca21c3edea2b5d8" + logic_hash = "v1_sha256_262d0bbb69adde8c4c8645813b048f3aaa2dbcc83996606e7ca21c3edea2b5d8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64992,10 +64992,10 @@ rule ELASTIC_Windows_Generic_Threat_7D555B55 : FILE MEMORY date = "2024-01-22" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2011-L2029" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2011-L2029" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7efa5c8fd55a20fbc3a270cf2329d4a38f10ca372f3428bee4c42279fbe6f9c3" - logic_hash = "dc3a3622abbc7d0a02d8d9ed4446d0a72a603ecfd6594ecfa615e5418a9c9970" + logic_hash = "v1_sha256_dc3a3622abbc7d0a02d8d9ed4446d0a72a603ecfd6594ecfa615e5418a9c9970" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65021,10 +65021,10 @@ rule ELASTIC_Windows_Generic_Threat_0A38C7D0 : FILE MEMORY date = "2024-01-22" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2031-L2049" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2031-L2049" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "69ea7d2ea3ed6826ddcefb3c1daa63d8ab53dc6e66c59cf5c2506a8af1c62ef4" - logic_hash = "e3fde76825772683c57f830759168fc9a3b3f3387f091828fd971e9ebba06d8a" + logic_hash = "v1_sha256_e3fde76825772683c57f830759168fc9a3b3f3387f091828fd971e9ebba06d8a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65050,10 +65050,10 @@ rule ELASTIC_Windows_Generic_Threat_98527D90 : FILE MEMORY date = "2024-01-24" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2051-L2069" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2051-L2069" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fa24e7c6777e89928afa2a0afb2fab4db854ed3887056b5a76aef42ae38c3c82" - logic_hash = "5a93f0a372f3a51233c6b2334539017df922f35a0d5f7d1749e0dd79268cb836" + logic_hash = "v1_sha256_5a93f0a372f3a51233c6b2334539017df922f35a0d5f7d1749e0dd79268cb836" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65079,10 +65079,10 @@ rule ELASTIC_Windows_Generic_Threat_Baba80Fb : FILE MEMORY date = "2024-01-24" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2071-L2089" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2071-L2089" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dd22cb2318d66fa30702368a7f06e445fba4b69daf9c45f8e83562d2c170a073" - logic_hash = "ba0da35bc00b776ae9b427e3a4b312b1b75bdc9b972fb52f26a5df6737f1ddc9" + logic_hash = "v1_sha256_ba0da35bc00b776ae9b427e3a4b312b1b75bdc9b972fb52f26a5df6737f1ddc9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65108,10 +65108,10 @@ rule ELASTIC_Windows_Generic_Threat_9F4A80B2 : FILE MEMORY date = "2024-01-24" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2091-L2109" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2091-L2109" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "47d57d00e2de43f33cd56ff653adb59b804e4dbe37304a5fa6a202ee20b50c24" - logic_hash = "1df3b8245bc0e995443d598feb5fe2605e05df64b863d4f47c17ecbe8d28c3ea" + logic_hash = "v1_sha256_1df3b8245bc0e995443d598feb5fe2605e05df64b863d4f47c17ecbe8d28c3ea" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65137,10 +65137,10 @@ rule ELASTIC_Windows_Generic_Threat_39E1Eb4C : FILE MEMORY date = "2024-01-24" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2111-L2129" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2111-L2129" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a733258bf04ffa058db95c8c908a79650400ebd92600b96dd28ceecac311f94a" - logic_hash = "d7791ae7513bc5645bcfa93a2d7bf9f7ef47a6727ea2ba5eb85f3c8528761429" + logic_hash = "v1_sha256_d7791ae7513bc5645bcfa93a2d7bf9f7ef47a6727ea2ba5eb85f3c8528761429" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65166,10 +65166,10 @@ rule ELASTIC_Windows_Generic_Threat_D51Dd31B : FILE MEMORY date = "2024-01-24" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2131-L2150" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2131-L2150" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2a61c0305d82b6b4180c3d817c28286ab8ee56de44e171522bd07a60a1d8492d" - logic_hash = "85fc7aa81489b304c348ead2d7042bb5518ff4579b1d3e837290032c4b144e47" + logic_hash = "v1_sha256_85fc7aa81489b304c348ead2d7042bb5518ff4579b1d3e837290032c4b144e47" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -65196,10 +65196,10 @@ rule ELASTIC_Windows_Generic_Threat_3A321F0A : FILE MEMORY date = "2024-01-29" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2152-L2170" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2152-L2170" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "91056e8c53dc1e97c7feafab31f0943f150d89a0b0026bcfb3664d2e93ccfe2b" - logic_hash = "83834dd7d4df5de4b6a032f1896f52c1ebdf16ca8ad9766e8872243f1a6da67e" + logic_hash = "v1_sha256_83834dd7d4df5de4b6a032f1896f52c1ebdf16ca8ad9766e8872243f1a6da67e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65225,10 +65225,10 @@ rule ELASTIC_Windows_Generic_Threat_A82F45A8 : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2172-L2190"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2172-L2190"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ad07428104d3aa7abec2fd86562eaa8600d3e4b0f8d78ba1446f340d10008b53"
- logic_hash = "70ebab6b03af38ef8c81664cf49ab07066a9672666599d99c91291a9d2e3af0b"
+ logic_hash = "v1_sha256_70ebab6b03af38ef8c81664cf49ab07066a9672666599d99c91291a9d2e3af0b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65254,10 +65254,10 @@ rule ELASTIC_Windows_Generic_Threat_D6625Ad7 : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2192-L2210"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2192-L2210"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "878c9745320593573597d62c8f3adb3bef0b554cd51b18216f6d9f5d1a32a931"
- logic_hash = "e90aff7c35f60cc3446f9eeb2131edb7125bfa04eb8f90c5671d06e9ff269755"
+ logic_hash = "v1_sha256_e90aff7c35f60cc3446f9eeb2131edb7125bfa04eb8f90c5671d06e9ff269755"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65283,10 +65283,10 @@ rule ELASTIC_Windows_Generic_Threat_61Bbb571 : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2212-L2230"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2212-L2230"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "41e2a6cecb1735e8f09b1ba5dccff3c08afe395b6214396e545347927d1815a8"
- logic_hash = "6b1ec666f3689638b9db9f041b0a89660b27c32590b747c5da3f4a02f01c7112"
+ logic_hash = "v1_sha256_6b1ec666f3689638b9db9f041b0a89660b27c32590b747c5da3f4a02f01c7112"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65312,10 +65312,10 @@ rule ELASTIC_Windows_Generic_Threat_4A605E93 : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2232-L2250"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2232-L2250"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1a84e25505a54e8e308714b53123396df74df1bde223bb306c0dc6220c1f0bbb"
- logic_hash = "6ad7afa5bd03916917e2bbf4d736331f4319b20bfde296d7e62315584813699f"
+ logic_hash = "v1_sha256_6ad7afa5bd03916917e2bbf4d736331f4319b20bfde296d7e62315584813699f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65341,10 +65341,10 @@ rule ELASTIC_Windows_Generic_Threat_B509Dfc8 : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2252-L2270"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2252-L2270"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9b5124e5e1be30d3f2ad1020bbdb93e2ceeada4c4d36f71b2abbd728bd5292b8"
- logic_hash = "90b00caf612f56a898b24c28ae6febda3fd11f382ab1deba522bdd2e2ba254b4"
+ logic_hash = "v1_sha256_90b00caf612f56a898b24c28ae6febda3fd11f382ab1deba522bdd2e2ba254b4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65370,10 +65370,10 @@ rule ELASTIC_Windows_Generic_Threat_7A49053E : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2272-L2292"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2272-L2292"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "29fb2b18cfd72a2966640ff59e67c89f93f83fc17afad2dfcacf9f53e9ea3446"
- logic_hash = "6db95f20a2bcdfd7cb37cb33dae6351dd19f51a8c3cae54b1bb034af17378094"
+ logic_hash = "v1_sha256_6db95f20a2bcdfd7cb37cb33dae6351dd19f51a8c3cae54b1bb034af17378094"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -65401,10 +65401,10 @@ rule ELASTIC_Windows_Generic_Threat_Fca7F863 : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2294-L2312"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2294-L2312"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9d0e786dd8f1dc05eae910c6bcf15b5d05b4b6b0543618ca0c2ff3c4bb657af3"
- logic_hash = "ad45fe6e8257d012824b36aaee1beccb82c1b78031de86c1f1dd26d5be88aa6f"
+ logic_hash = "v1_sha256_ad45fe6e8257d012824b36aaee1beccb82c1b78031de86c1f1dd26d5be88aa6f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65430,10 +65430,10 @@ rule ELASTIC_Windows_Generic_Threat_Cafbd6A3 : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2314-L2333"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2314-L2333"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "97081a51aa016d0e6c9ecadc09ff858bf43364265a006db9d7cc133f8429bc46"
- logic_hash = "28813fc8a49b6ec3fe7675409fde923f0f30851429a526c142e0a228b4e0efa6"
+ logic_hash = "v1_sha256_28813fc8a49b6ec3fe7675409fde923f0f30851429a526c142e0a228b4e0efa6"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -65460,10 +65460,10 @@ rule ELASTIC_Windows_Generic_Threat_D8F834A9 : FILE MEMORY
 date = "2024-01-29"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2335-L2353"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2335-L2353"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c118c2064a5839ebd57a67a7be731fffe89669a8f17c1fe678432d4ff85e7929"
- logic_hash = "9fa1a65f3290867e4c59f14242f7261741e792b8be48c053ac320a315f2c1beb"
+ logic_hash = "v1_sha256_9fa1a65f3290867e4c59f14242f7261741e792b8be48c053ac320a315f2c1beb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65489,10 +65489,10 @@ rule ELASTIC_Windows_Generic_Threat_De3F91C6 : FILE MEMORY
 date = "2024-01-31"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2355-L2373"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2355-L2373"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e2cd4a8ccbf4a3a93c1387c66d94e9506b5981357004929ce5a41fcedfffb20f"
- logic_hash = "032ac2adb11782d823f50bfedf4e4decb731dbe7d3abbb3b05ccff598ba7edb8"
+ logic_hash = "v1_sha256_032ac2adb11782d823f50bfedf4e4decb731dbe7d3abbb3b05ccff598ba7edb8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65518,10 +65518,10 @@ rule ELASTIC_Windows_Generic_Threat_F0516E98 : FILE MEMORY
 date = "2024-01-31"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2375-L2394"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2375-L2394"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "21d01bd53f43aa54f22786d7776c7bc90320ec6f7a6501b168790be46ff69632"
- logic_hash = "28f5b1a05d90745f432aee6bb9da3855d70b18d556153059794c5e53bbd5117c"
+ logic_hash = "v1_sha256_28f5b1a05d90745f432aee6bb9da3855d70b18d556153059794c5e53bbd5117c"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -65548,10 +65548,10 @@ rule ELASTIC_Windows_Generic_Threat_3C4D9Cbe : FILE MEMORY
 date = "2024-01-31"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2396-L2414"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2396-L2414"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "21d01bd53f43aa54f22786d7776c7bc90320ec6f7a6501b168790be46ff69632"
- logic_hash = "b32f9a3b86c60d4d69c59250ac59e93aee70ede890b059b13be999adbe043d2c"
+ logic_hash = "v1_sha256_b32f9a3b86c60d4d69c59250ac59e93aee70ede890b059b13be999adbe043d2c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65577,10 +65577,10 @@ rule ELASTIC_Windows_Generic_Threat_Deb82E8C : FILE MEMORY
 date = "2024-01-31"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2416-L2435"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2416-L2435"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0f5791588a9898a3db29326785d31b52b524c3097370f6aa28564473d353cd38"
- logic_hash = "c24baecab39c72f6bb30713022297cb9fb41ef5339a353702f3f780a630d5b27"
+ logic_hash = "v1_sha256_c24baecab39c72f6bb30713022297cb9fb41ef5339a353702f3f780a630d5b27"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -65607,10 +65607,10 @@ rule ELASTIC_Windows_Generic_Threat_278C589E : FILE MEMORY
 date = "2024-01-31"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2437-L2455"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2437-L2455"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cccc6c1bf15a7d5725981de950475e272c277bc3b9d266c5debf0fc698770355"
- logic_hash = "59bbbecd73541750f7221b12895ccf51e1a6863ceca62e23f541df904ad23587"
+ logic_hash = "v1_sha256_59bbbecd73541750f7221b12895ccf51e1a6863ceca62e23f541df904ad23587"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65636,10 +65636,10 @@ rule ELASTIC_Windows_Generic_Threat_6B621667 : FILE MEMORY
 date = "2024-01-31"
 modified = "2024-02-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2457-L2475"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2457-L2475"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b50b39e460ecd7633a42f0856359088de20512c932fc35af6531ff48c9fa638a"
- logic_hash = "3574b7ef24c4387a9919ed9831af7657047b26d8922ab78788619bbd3d0edd56"
+ logic_hash = "v1_sha256_3574b7ef24c4387a9919ed9831af7657047b26d8922ab78788619bbd3d0edd56"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65665,10 +65665,10 @@ rule ELASTIC_Windows_Generic_Threat_7693D7Fd : FILE MEMORY
 date = "2024-02-13"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2477-L2495"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2477-L2495"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fc40cc5d0bd3722126302f74ace414e6934eca3a8a5c63a11feada2130b34b89"
- logic_hash = "886ad084f33faf8baae8a650a88095757c2cff9e18c8f5c50ff36120b43ec082"
+ logic_hash = "v1_sha256_886ad084f33faf8baae8a650a88095757c2cff9e18c8f5c50ff36120b43ec082"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65694,10 +65694,10 @@ rule ELASTIC_Windows_Generic_Threat_Df5De012 : FILE MEMORY
 date = "2024-02-14"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2497-L2515"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2497-L2515"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "13c06d7b030a46c6bb6351f40184af9fafaf4c67b6a2627a45925dd17501d659"
- logic_hash = "1a1ce3644c33a4591ab6582525366d47e07bdc2350aa6066ec5b5fedc605b037"
+ logic_hash = "v1_sha256_1a1ce3644c33a4591ab6582525366d47e07bdc2350aa6066ec5b5fedc605b037"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65723,10 +65723,10 @@ rule ELASTIC_Windows_Generic_Threat_0E8530F5 : FILE MEMORY
 date = "2024-02-14"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2517-L2536"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2517-L2536"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9f44d9acf79ed4450195223a9da185c0b0e8a8ea661d365a3ddea38f2732e2b8"
- logic_hash = "f4a010366625c059151d3e704f6ece1808f367401729feaf6cc423cf4d5c5c60"
+ logic_hash = "v1_sha256_f4a010366625c059151d3e704f6ece1808f367401729feaf6cc423cf4d5c5c60"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -65753,10 +65753,10 @@ rule ELASTIC_Windows_Generic_Threat_Ba807E3E : FILE MEMORY
 date = "2024-02-14"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2538-L2556"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2538-L2556"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cabd0633b37e6465ece334195ff4cc5c3f44cfe46211165efc07f4073aed1049"
- logic_hash = "896eedb949eec6dff3e867ae3179b741382dd25ba06c6db452ac1ae5bc6bc757"
+ logic_hash = "v1_sha256_896eedb949eec6dff3e867ae3179b741382dd25ba06c6db452ac1ae5bc6bc757"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65782,10 +65782,10 @@ rule ELASTIC_Windows_Generic_Threat_4578Ee8C : FILE MEMORY
 date = "2024-02-14"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2558-L2576"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2558-L2576"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "699fecdb0bf27994d67492dc480f4ba1320acdd75e5881afbc5f73c982453fed"
- logic_hash = "1a519bb84aae29057536ea09e53ff97cfe34a70c84ac6fa7d1ec173de3754f03"
+ logic_hash = "v1_sha256_1a519bb84aae29057536ea09e53ff97cfe34a70c84ac6fa7d1ec173de3754f03"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65811,10 +65811,10 @@ rule ELASTIC_Windows_Generic_Threat_Ebf62328 : FILE MEMORY
 date = "2024-02-14"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2578-L2598"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2578-L2598"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "dfce19aa2e1a3e983c3bfb2e4bbd7617b96d57602d7a6da6fee7b282e354c9e1"
- logic_hash = "e99b56dde761c5efad14f935befa4d1dbb31cd305b5d6af05a90d44dc3cd0098"
+ logic_hash = "v1_sha256_e99b56dde761c5efad14f935befa4d1dbb31cd305b5d6af05a90d44dc3cd0098"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -65842,10 +65842,10 @@ rule ELASTIC_Windows_Generic_Threat_Dcc622A4 : FILE MEMORY
 date = "2024-02-14"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2600-L2618"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2600-L2618"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "94a3f10396c07783586070119becf0924de9a7caf449d6e07065837d54e6222d"
- logic_hash = "9254226918f39389ccc347de1c5064552a8500ccef1884b8e27b6e98c651f45b"
+ logic_hash = "v1_sha256_9254226918f39389ccc347de1c5064552a8500ccef1884b8e27b6e98c651f45b"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65871,10 +65871,10 @@ rule ELASTIC_Windows_Generic_Threat_046Aa1Ec : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2620-L2638"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2620-L2638"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c74cf499fb9298d43a6e64930addb1f8a8d8336c796b9bc02ffc260684ec60a2"
- logic_hash = "da6552da3db4851806f5a0ce3c324a79acf4ee4b2690cb02cc8d8c88a2ba28f8"
+ logic_hash = "v1_sha256_da6552da3db4851806f5a0ce3c324a79acf4ee4b2690cb02cc8d8c88a2ba28f8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65900,10 +65900,10 @@ rule ELASTIC_Windows_Generic_Threat_85C73807 : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2640-L2658"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2640-L2658"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7f560a22c1f7511518656ac30350229f7a6847d26e1b3857e283f7dcee2604a0"
- logic_hash = "90aa64f17b91ccdf367e1976cd1f5e89e15c7369a58b2d19187143e70939d756"
+ logic_hash = "v1_sha256_90aa64f17b91ccdf367e1976cd1f5e89e15c7369a58b2d19187143e70939d756"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65929,10 +65929,10 @@ rule ELASTIC_Windows_Generic_Threat_642Df623 : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2660-L2678"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2660-L2678"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e5ba85d1a6a54df38b5fa655703c3457783f4a4f71e178f83d8aac878d4847da"
- logic_hash = "555eb66f117312fa4ff3a49c0c40f89caddec3eb4b93d11bda2cce40529d46a0"
+ logic_hash = "v1_sha256_555eb66f117312fa4ff3a49c0c40f89caddec3eb4b93d11bda2cce40529d46a0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65958,10 +65958,10 @@ rule ELASTIC_Windows_Generic_Threat_27A2994F : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2680-L2698"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2680-L2698"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e534914e06d90e119ce87f5abb446c57ec3473a29a7a9e7dc066fdc00dc68adc"
- logic_hash = "66f34ba3052e2369528aeaf076f10d58f8f3dca420666246e02191fecb057f8c"
+ logic_hash = "v1_sha256_66f34ba3052e2369528aeaf076f10d58f8f3dca420666246e02191fecb057f8c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65987,10 +65987,10 @@ rule ELASTIC_Windows_Generic_Threat_Dbceec58 : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2700-L2718"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2700-L2718"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fbec30528e6f261aebf0d41f3cd6d35fcc937f1e20e1070f99b1b327f02b91e0"
- logic_hash = "2a99fb7b342b43e3a4f0136d7d618625ca5708ae32e6fcabb11420bd8c89915b"
+ logic_hash = "v1_sha256_2a99fb7b342b43e3a4f0136d7d618625ca5708ae32e6fcabb11420bd8c89915b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66016,10 +66016,10 @@ rule ELASTIC_Windows_Generic_Threat_7407Eb79 : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2720-L2738"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2720-L2738"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9ae0f053c8e2c4f4381eac8265170b79301d4a22ec1fdb86e5eb212c51a75d14"
- logic_hash = "a60c3e54493f9dab71584ba301c41c43f30d554df8c0b05674995faaf407ee48"
+ logic_hash = "v1_sha256_a60c3e54493f9dab71584ba301c41c43f30d554df8c0b05674995faaf407ee48"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66045,10 +66045,10 @@ rule ELASTIC_Windows_Generic_Threat_3613Fa12 : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2740-L2758"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2740-L2758"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1403ec99f262c964e3de133a10815e34d2f104b113b0197ab43c6b7b40b536c0"
- logic_hash = "77b23aaf384de138214e64342e170f3dce667ee41c3063c999286da9af6fff42"
+ logic_hash = "v1_sha256_77b23aaf384de138214e64342e170f3dce667ee41c3063c999286da9af6fff42"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66074,10 +66074,10 @@ rule ELASTIC_Windows_Generic_Threat_B125Fff2 : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2760-L2778"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2760-L2778"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9c641c0c8c2fd8831ee4e3b29a2a65f070b54775e64821c50b8ccd387e602097"
- logic_hash = "054f3f36c688e1f5c3116e7a926df12df90f79dc1d42bee2616b5251f6ad2c24"
+ logic_hash = "v1_sha256_054f3f36c688e1f5c3116e7a926df12df90f79dc1d42bee2616b5251f6ad2c24"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66103,10 +66103,10 @@ rule ELASTIC_Windows_Generic_Threat_D7E5Ec2D : FILE MEMORY
 date = "2024-02-20"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2780-L2798"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2780-L2798"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fe711664a565566cbc710d5e678a9a30063a2db151ebec226e2abcd24c0a7e68"
- logic_hash = "4edb8cc1da81e0b9b3a8facc9a9a7d1e27dff0d2db7851d06a209beec3ccb463"
+ logic_hash = "v1_sha256_4edb8cc1da81e0b9b3a8facc9a9a7d1e27dff0d2db7851d06a209beec3ccb463"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66132,10 +66132,10 @@ rule ELASTIC_Windows_Generic_Threat_1636C2Bf : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2800-L2818"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2800-L2818"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6e43916db43d8217214bbe4eb32ed3d82d0ac423cffc91d053a317a3dbe6dafb"
- logic_hash = "c8b198cd5f9277ff3808ee2a313ab979d544b9e609d6623876d2e3c3c5668e38"
+ logic_hash = "v1_sha256_c8b198cd5f9277ff3808ee2a313ab979d544b9e609d6623876d2e3c3c5668e38"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66161,10 +66161,10 @@ rule ELASTIC_Windows_Generic_Threat_0A640296 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2820-L2838"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2820-L2838"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3682eff62caaf2c90adef447d3ff48a3f9c34c571046f379d2eaf121976f1d07"
- logic_hash = "743c47c7a58e7d65261818b4b444aaf8015b9b55d3e54526b1d63a8770a6c5aa"
+ logic_hash = "v1_sha256_743c47c7a58e7d65261818b4b444aaf8015b9b55d3e54526b1d63a8770a6c5aa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66190,10 +66190,10 @@ rule ELASTIC_Windows_Generic_Threat_B1Ef4828 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2840-L2859"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2840-L2859"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "29b20ff8ebad05e4a33c925251d08824ca155f5d9fa72d6f9e359e6ec6c61279"
- logic_hash = "d5d63f38308c6f8e5ca54567c7c8b93fcde69601fbcc28d56d5231edd28163cf"
+ logic_hash = "v1_sha256_d5d63f38308c6f8e5ca54567c7c8b93fcde69601fbcc28d56d5231edd28163cf"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -66220,10 +66220,10 @@ rule ELASTIC_Windows_Generic_Threat_48Cbdc20 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2861-L2880"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2861-L2880"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7a7704c64e64d3a1f76fc718d5b5a5e3d46beeeb62f0493f22e50865ddf66594"
- logic_hash = "687d0f3dc85a7e4b23019deec59ee77c211101d40ed6622a952e69ebc4151483"
+ logic_hash = "v1_sha256_687d0f3dc85a7e4b23019deec59ee77c211101d40ed6622a952e69ebc4151483"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -66250,10 +66250,10 @@ rule ELASTIC_Windows_Generic_Threat_420E1Cdc : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2882-L2900"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2882-L2900"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b20254e03f7f1e79fec51d614ee0cfe0cb87432f3a53cf98cf8c047c13e2d774"
- logic_hash = "6bd8a7bd4392e04d64f2e0b93d80978f59f9af634a0c971ca61cb9cb593743e0"
+ logic_hash = "v1_sha256_6bd8a7bd4392e04d64f2e0b93d80978f59f9af634a0c971ca61cb9cb593743e0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66279,10 +66279,10 @@ rule ELASTIC_Windows_Generic_Threat_4C37E16E : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2902-L2921"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2902-L2921"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d83a8ed5e192b3fe9d74f3a9966fa094d23676c7e6586c9240d97c252b8e4e74"
- logic_hash = "dabac8aa6a3f4d4bd726161fc6573ca9de4088e7d818c3cf33cafc91f680e7aa"
+ logic_hash = "v1_sha256_dabac8aa6a3f4d4bd726161fc6573ca9de4088e7d818c3cf33cafc91f680e7aa"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -66309,10 +66309,10 @@ rule ELASTIC_Windows_Generic_Threat_5Be3A474 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2923-L2941"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2923-L2941"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b902954d634307260d5bd8fb6248271f933c1cbc649aa2073bf05e79c1aedb66"
- logic_hash = "0f0f46e3bdebb47a4f43ccb64d65ab1e15d68d38c117cb25e5723ec16e7e0758"
+ logic_hash = "v1_sha256_0f0f46e3bdebb47a4f43ccb64d65ab1e15d68d38c117cb25e5723ec16e7e0758"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66338,10 +66338,10 @@ rule ELASTIC_Windows_Generic_Threat_B191061E : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2943-L2961"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2943-L2961"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "bd4ef6fae7f29def8e5894bf05057653248f009422de85c1e425d04a0b2df258"
- logic_hash = "cbee10eab984249ceb9f8a82dc06aa014d6a249321f3d4f0d1e5657aab205ec8"
+ logic_hash = "v1_sha256_cbee10eab984249ceb9f8a82dc06aa014d6a249321f3d4f0d1e5657aab205ec8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66367,10 +66367,10 @@ rule ELASTIC_Windows_Generic_Threat_05F52E4D : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2963-L2981"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2963-L2981"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e578b795f8ed77c1057d8e6b827f7426fd4881f02949bfc83bcad11fa7eb2403"
- logic_hash = "79898b59b6d3564aad85d823a1450600faff5b1d2dbfbe0cee4cc59971e4f542"
+ logic_hash = "v1_sha256_79898b59b6d3564aad85d823a1450600faff5b1d2dbfbe0cee4cc59971e4f542"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66396,10 +66396,10 @@ rule ELASTIC_Windows_Generic_Threat_C34E19E9 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L2983-L3001"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L2983-L3001"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f9048348a59d9f824b45b16b1fdba9bfeda513aa9fbe671442f84b81679232db"
- logic_hash = "87999b6f2cf359b6436ee7e57691ac73fc41f3947bf8fef3f6b98148e17f180d"
+ logic_hash = "v1_sha256_87999b6f2cf359b6436ee7e57691ac73fc41f3947bf8fef3f6b98148e17f180d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66425,10 +66425,10 @@ rule ELASTIC_Windows_Generic_Threat_E691Eaa1 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3003-L3021"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3003-L3021"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "afa5f36860e69b9134b93e9ad32fed0a5923772e701437e1054ea98e76f28a77"
- logic_hash = "0ac310e3f7cf99b77c2dcfea582752e2f1414caf43965c25d2f3f03cf27586cc"
+ logic_hash = "v1_sha256_0ac310e3f7cf99b77c2dcfea582752e2f1414caf43965c25d2f3f03cf27586cc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66454,10 +66454,10 @@ rule ELASTIC_Windows_Generic_Threat_5E33Bb4B : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3023-L3041"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3023-L3041"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "13c06d7b030a46c6bb6351f40184af9fafaf4c67b6a2627a45925dd17501d659"
- logic_hash = "7e2002c3917ccab7d9f56a7aa20ea75be71aa7fdc64b7c3f87edb68be38e74b2"
+ logic_hash = "v1_sha256_7e2002c3917ccab7d9f56a7aa20ea75be71aa7fdc64b7c3f87edb68be38e74b2"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -66483,10 +66483,10 @@ rule ELASTIC_Windows_Generic_Threat_Be64Ba10 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3043-L3062"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3043-L3062"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "24bb4fc117aa57fd170e878263973a392d094c94d3a5f651fad7528d5d73b58a"
- logic_hash = "c6acce53610baf119a0e2d55fc698a976463bbd21b739d4ac39a75383fa5fed2"
+ logic_hash = "v1_sha256_c6acce53610baf119a0e2d55fc698a976463bbd21b739d4ac39a75383fa5fed2"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -66513,10 +66513,10 @@ rule ELASTIC_Windows_Generic_Threat_7Bb75582 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3064-L3082"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3064-L3082"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "35f9698e9b9f611b3dd92466f18f97f4a8b4506ed6f10d4ac84303177f43522d"
- logic_hash = "d959f755d28782b332248085034950a8d4cad3cde13b22254c90ca3952919e1b"
+ logic_hash = "v1_sha256_d959f755d28782b332248085034950a8d4cad3cde13b22254c90ca3952919e1b"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -66542,10 +66542,10 @@ rule ELASTIC_Windows_Generic_Threat_59698796 : FILE MEMORY
 date = "2024-03-04"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3084-L3102"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3084-L3102"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "35f9698e9b9f611b3dd92466f18f97f4a8b4506ed6f10d4ac84303177f43522d"
- logic_hash = "59569049dbb09b7e15110fb8de1a146eb7fd606f116b4dd6c75ca973fb62296e"
+ logic_hash = "v1_sha256_59569049dbb09b7e15110fb8de1a146eb7fd606f116b4dd6c75ca973fb62296e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66571,10 +66571,10 @@ rule ELASTIC_Windows_Generic_Threat_2Ae9B09E : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3104-L3122"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3104-L3122"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "dc8f4784c368676cd411b7d618407c416d9e56d116dd3cd17c3f750e6cb60c40"
- logic_hash = "183249214e5f8143eb91caf20778b870d17d7a52b6d71ad603827e8716e7e447"
+ logic_hash = "v1_sha256_183249214e5f8143eb91caf20778b870d17d7a52b6d71ad603827e8716e7e447"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66600,10 +66600,10 @@ rule ELASTIC_Windows_Generic_Threat_604A8763 : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3124-L3142"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3124-L3142"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2a51fb11032ec011448184a4f2837d05638a7673d16dcf5dcf4005de3f87883a"
- logic_hash = "cf88c0d102680fc7c16d49b6e8dc49c16b27d5940edf078e667a45e70ebe3883"
+ logic_hash = "v1_sha256_cf88c0d102680fc7c16d49b6e8dc49c16b27d5940edf078e667a45e70ebe3883"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66629,10 +66629,10 @@ rule ELASTIC_Windows_Generic_Threat_F45B3F09 : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3144-L3162"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3144-L3162"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "577f1dbd76030c7e44ed28c748551691d446e268189af94e1fa1545f06395178"
- logic_hash = "9b01ad1271cc5052a793e5a885aa7289cbaea4a928f60d64194477c3036496ed"
+ logic_hash = "v1_sha256_9b01ad1271cc5052a793e5a885aa7289cbaea4a928f60d64194477c3036496ed"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66658,10 +66658,10 @@ rule ELASTIC_Windows_Generic_Threat_3F390999 : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3164-L3182"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3164-L3182"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1b6fc4eaef3515058f85551e7e5dffb68b9a0550cd7f9ebcbac158dac9ababf1"
- logic_hash = "462a7a38ebbb39515ac2c0a10353660d0cadcfb99360adcd200edc1db5a716ba"
+ logic_hash = "v1_sha256_462a7a38ebbb39515ac2c0a10353660d0cadcfb99360adcd200edc1db5a716ba"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66687,10 +66687,10 @@ rule ELASTIC_Windows_Generic_Threat_Abd1C09D : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3184-L3202"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3184-L3202"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3ff09d2352c2163465d8c86f94baa25ba85c35698a5e3fbc52bc95afc06b7e85"
- logic_hash = "80e6f317e5cd91cb3819e9251efc8c96218071bec577a38c8784826dd4a657cb"
+ logic_hash = "v1_sha256_80e6f317e5cd91cb3819e9251efc8c96218071bec577a38c8784826dd4a657cb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66716,10 +66716,10 @@ rule ELASTIC_Windows_Generic_Threat_B7870213 : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3204-L3222"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3204-L3222"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "04cb0d5eecea673acc575e54439398cc00e78cc54d8f43c4b9bc353e4fc4430d"
- logic_hash = "79b8385543def42259cd9c09d4d7059ff6bb02a9e87cff1bc0a8861e3b333c5f"
+ logic_hash = "v1_sha256_79b8385543def42259cd9c09d4d7059ff6bb02a9e87cff1bc0a8861e3b333c5f"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -66745,10 +66745,10 @@ rule ELASTIC_Windows_Generic_Threat_2Bba6Bae : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3224-L3242"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3224-L3242"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d9955c716371422750b77d64256dade6fbd028c8d965db05c0d889d953480373"
- logic_hash = "59e4b173c21b0ab161adf8d89f253f21403bca706b6bf40b3da00697f87dd509"
+ logic_hash = "v1_sha256_59e4b173c21b0ab161adf8d89f253f21403bca706b6bf40b3da00697f87dd509"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -66774,10 +66774,10 @@ rule ELASTIC_Windows_Generic_Threat_4Db75701 : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3244-L3262"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3244-L3262"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fa7847d21d5a350cf96d7ecbcf13dce63e6a0937971cfb479700c5b31850bba9"
- logic_hash = "65f7d15ed551e069b30ce6c0a5f15d01d24b8b29727950269c9956fcf6dc799d"
+ logic_hash = "v1_sha256_65f7d15ed551e069b30ce6c0a5f15d01d24b8b29727950269c9956fcf6dc799d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66803,10 +66803,10 @@ rule ELASTIC_Windows_Generic_Threat_54A914C9 : FILE MEMORY
 date = "2024-03-25"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3264-L3282"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3264-L3282"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c418c5ad8030985bb5067cda61caba3b7a0d24cb8d3f93fc09d452fbdf4174ec"
- logic_hash = "0cc3797564b4c722423f915493e07b0e0fec3085e7a535f9914f82d73c797bed"
+ logic_hash = "v1_sha256_0cc3797564b4c722423f915493e07b0e0fec3085e7a535f9914f82d73c797bed"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66832,10 +66832,10 @@ rule ELASTIC_Windows_Generic_Threat_38A88967 : FILE MEMORY
 date = "2024-03-25"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3284-L3302"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3284-L3302"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6e425eb1a27c4337f05d12992e33fe0047e30259380002797639d51ef9509739"
- logic_hash = "ddbdb1c39a07141d83173504214c889aff75487570d906413ebc6f262fedf9ae"
+ logic_hash = "v1_sha256_ddbdb1c39a07141d83173504214c889aff75487570d906413ebc6f262fedf9ae"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66861,10 +66861,10 @@ rule ELASTIC_Windows_Generic_Threat_E8Abb835 : FILE MEMORY
 date = "2024-03-26"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3304-L3322"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3304-L3322"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e42262671325bec300afa722cefb584e477c3f2782c8d4c6402d6863df348cac"
- logic_hash = "0ad56b8c741a79a600a0d5588c4e8760a6d19fef72ff7814a00cfb84a90f23aa"
+ logic_hash = "v1_sha256_0ad56b8c741a79a600a0d5588c4e8760a6d19fef72ff7814a00cfb84a90f23aa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66890,10 +66890,10 @@ rule ELASTIC_Windows_Generic_Threat_492D7223 : FILE MEMORY
 date = "2024-03-26"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3324-L3342"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3324-L3342"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c0d9c9297836aceb4400bcb0877d1df90ca387f18f735de195852a909c67b7ef"
- logic_hash = "9fb2a00def86ed8476d906514a0bc630e28093ac37d757541d8801d2c8e0efc3"
+ logic_hash = "v1_sha256_9fb2a00def86ed8476d906514a0bc630e28093ac37d757541d8801d2c8e0efc3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66919,10 +66919,10 @@ rule ELASTIC_Windows_Generic_Threat_Ea296356 : FILE MEMORY
 date = "2024-05-22"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3344-L3362"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3344-L3362"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4c48a0fe90f3da7bfdd32961da7771a0124b77e1ac1910168020babe8143e959"
- logic_hash = "73ffd16f0047cd57311853aa9083fc21427f2eb21646c6edc7b8def86da90f90"
+ logic_hash = "v1_sha256_73ffd16f0047cd57311853aa9083fc21427f2eb21646c6edc7b8def86da90f90"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66948,10 +66948,10 @@ rule ELASTIC_Windows_Generic_Threat_Aeaeb5Cf : FILE MEMORY
 date = "2024-05-22"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3364-L3382"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3364-L3382"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f57d955d485904f0c729acff9db1de9cb42f32af993393d58538f07fa273b431"
- logic_hash = "640966296bad70234e0fe7b6f87b92fcf4fc111189d307d44f32e926785f76cb"
+ logic_hash = "v1_sha256_640966296bad70234e0fe7b6f87b92fcf4fc111189d307d44f32e926785f76cb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66977,10 +66977,10 @@ rule ELASTIC_Windows_Generic_Threat_C8424507 : FILE MEMORY
 date = "2024-05-22"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3384-L3403"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3384-L3403"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d556b02733385b823cfe4db7e562e90aa520e2e6fb00fceb76cc0a6a1ff47692"
- logic_hash = "78d56257cb6e1d67f9343ee30b844fe20138e27ca3b6312a07112e5dbb797851"
+ logic_hash = "v1_sha256_78d56257cb6e1d67f9343ee30b844fe20138e27ca3b6312a07112e5dbb797851"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -67007,10 +67007,10 @@ rule ELASTIC_Windows_Generic_Threat_9Af87Ddb : FILE MEMORY
 date = "2024-05-23"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3405-L3423"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3405-L3423"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b1fbc11744e21dc08599412887a3a966572614ce25ccd3c8c98f04bcbdda3898"
- logic_hash = "99174c5740324d7704a5c6ae924254f9b5f241c97901dfdb771fc176a76e4a30"
+ logic_hash = "v1_sha256_99174c5740324d7704a5c6ae924254f9b5f241c97901dfdb771fc176a76e4a30"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67036,10 +67036,10 @@ rule ELASTIC_Windows_Generic_Threat_D7B57912 : FILE MEMORY date = "2024-05-23" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3425-L3443" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3425-L3443" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0906599be152dd598c7f540498c44cc38efe9ea976731da05137ee6520288fe4" - logic_hash = "a774e3030d81e29805a9784cfbbc0b69c4fedebe0daa25e403777e1f46f9094f" + logic_hash = "v1_sha256_a774e3030d81e29805a9784cfbbc0b69c4fedebe0daa25e403777e1f46f9094f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67065,10 +67065,10 @@ rule ELASTIC_Windows_Generic_Threat_23D33B48 : FILE MEMORY date = "2024-06-05" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3445-L3463" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3445-L3463" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "acbc22df07888498ae6f52f5458e3fb8e0682e443a8c2bc97177a0320b4e2098" - logic_hash = "c9fb93bb74e4d45197d0da5b641860738a42a583b15cc098e86ea79bb8690bf7" + logic_hash = "v1_sha256_c9fb93bb74e4d45197d0da5b641860738a42a583b15cc098e86ea79bb8690bf7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67094,10 +67094,10 @@ rule ELASTIC_Windows_Generic_Threat_4B0B73Ce : FILE MEMORY date = "2024-06-05" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3465-L3483" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3465-L3483" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "236fc00cd7c75f70904239935ab90f51b03ff347798f56cec1bdd73a286b24c1" - logic_hash = "d53923df612dd7fe0b1b2c94c1c5d747b08723df129089326ec27c5049769cef" + logic_hash = "v1_sha256_d53923df612dd7fe0b1b2c94c1c5d747b08723df129089326ec27c5049769cef" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67123,10 +67123,10 @@ rule ELASTIC_Windows_Generic_Threat_1F2E969C : FILE MEMORY date = "2024-06-05" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3485-L3503" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3485-L3503" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7def75df729ed66511fbe91eadf15bc69a03618e78c48e27c35497db2a6a97ae" - logic_hash = "7d984a902f9bf40c9b49da89aba9249f80b41b24ca1cdb6189f541b40ef41742" + logic_hash = "v1_sha256_7d984a902f9bf40c9b49da89aba9249f80b41b24ca1cdb6189f541b40ef41742" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67152,10 +67152,10 @@ rule ELASTIC_Windows_Generic_Threat_27C975Fd : FILE MEMORY date = "2024-10-10" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3505-L3523" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3505-L3523" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0108af363959f90919f24220caf426fba50be3d61f3735bb0f2acbbcc1f56e0c" - logic_hash = "f4c500331ce0857b17970206fae4f8501c6f3a65824f37b6cdde47d0a03ceb78" + logic_hash = "v1_sha256_f4c500331ce0857b17970206fae4f8501c6f3a65824f37b6cdde47d0a03ceb78" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67181,10 +67181,10 @@ rule ELASTIC_Windows_Generic_Threat_D170474C : FILE MEMORY date = "2024-10-10" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3525-L3543" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3525-L3543" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "63da7ea6d4cd240485ad5c546dd60b90cb98d6f4f18df4bc708f5ec689be952f" - logic_hash = "45089557acec0549acc3f5856c4eef89543ed048984474718376a73085edcb08" + logic_hash = "v1_sha256_45089557acec0549acc3f5856c4eef89543ed048984474718376a73085edcb08" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67210,10 +67210,10 @@ rule ELASTIC_Windows_Generic_Threat_F57E5E2A : FILE MEMORY date = "2024-10-10" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3545-L3563" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3545-L3563" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bff5112830cc3547c206fb1d028c592a11a3c7cd457ef445b765af86a1e76001" - logic_hash = "ce972e45f87792599b0800883e848221b0c2c99c9a0432659c655903f530e852" + logic_hash = "v1_sha256_ce972e45f87792599b0800883e848221b0c2c99c9a0432659c655903f530e852" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67239,10 +67239,10 @@ rule ELASTIC_Windows_Generic_Threat_4Fe0Deb6 : FILE MEMORY date = "2024-10-10" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3565-L3583" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3565-L3583" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5836ef66985e851b37a369b04cce579afdb3b241d46a096bf8b1e8d4df053cd2" - logic_hash = "7737c264c98a0256c0a0075ab6b2e9525550e0ef60fd64a6c50cf8075639e96c" + logic_hash = "v1_sha256_7737c264c98a0256c0a0075ab6b2e9525550e0ef60fd64a6c50cf8075639e96c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67268,10 +67268,10 @@ rule ELASTIC_Windows_Generic_Threat_C9003B7B : FILE MEMORY date = "2024-10-10" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3585-L3603" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3585-L3603" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ff2a1def8c4fae4166e249edab62d73f44ba3c05d5e3c9fda11399bfe1fcee6c" - logic_hash = "deac86398c04c462d4aa3361c911acec99d422e2ce995ba82fc3e8fe9772c33b" + logic_hash = "v1_sha256_deac86398c04c462d4aa3361c911acec99d422e2ce995ba82fc3e8fe9772c33b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67297,10 +67297,10 @@ rule ELASTIC_Windows_Generic_Threat_21253888 : FILE MEMORY date = "2024-10-11" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3605-L3623" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3605-L3623" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "95e523f4003a10a906ef7c68a258d402e25f235fa9f2b022faff7cae41185b9c" - logic_hash = "121fc74ff09ebd9f2d6eda370b6fa6b5137e0ae59cf6d6f8f18d13e1cc053e15" + logic_hash = "v1_sha256_121fc74ff09ebd9f2d6eda370b6fa6b5137e0ae59cf6d6f8f18d13e1cc053e15" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -67326,10 +67326,10 @@ rule ELASTIC_Windows_Generic_Threat_06Dcb833 : FILE MEMORY date = "2024-10-11" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3625-L3643" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3625-L3643" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f7fde85aefb7123ef805c85394907ef73e0983499b49f2290a83aa2b0a2e5e9d" - logic_hash = "cbddf2b858278ad4a9330dac767f0a0bc7691cbf6a93ac389f48cb2286c8cbdc" + logic_hash = "v1_sha256_cbddf2b858278ad4a9330dac767f0a0bc7691cbf6a93ac389f48cb2286c8cbdc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67355,10 +67355,10 @@ rule ELASTIC_Windows_Generic_Threat_5435Fe36 : FILE MEMORY date = "2024-10-11" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3645-L3663" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3645-L3663" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8c0e26af4f9c783844ea457c3eb7bb2bbe1bf3f860ce180bacab00456f3ae7c1" - logic_hash = "7295e8addf2dcd6192eab261d7a2ca817006a3962dd2e792f51154495be54298" + logic_hash = "v1_sha256_7295e8addf2dcd6192eab261d7a2ca817006a3962dd2e792f51154495be54298" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67384,10 +67384,10 @@ rule ELASTIC_Windows_Generic_Threat_491A8310 : FILE MEMORY date = "2024-10-11" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3665-L3683" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3665-L3683" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "59c6846b4676378d9c80d7ced825f0463d1b333546bfcad919ee262cbf6db250" - logic_hash = "45b1017a7ba8d5dc321ac018613587c371380a3340f6893a046a6bdc8a1d2431" + logic_hash = "v1_sha256_45b1017a7ba8d5dc321ac018613587c371380a3340f6893a046a6bdc8a1d2431" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67413,10 +67413,10 @@ rule ELASTIC_Windows_Generic_Threat_2F726F2D : FILE MEMORY date = "2024-10-11" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Generic_Threat.yar#L3685-L3703" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Generic_Threat.yar#L3685-L3703" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ede9bd928a216c9844f290be0de6985ed54dceaff041906dca3a3468293464b6" - logic_hash = "41314d0685f957a3cdfa37f8f2275ab19137da289c57069b8d3a3e40e4b802e7" + logic_hash = "v1_sha256_41314d0685f957a3cdfa37f8f2275ab19137da289c57069b8d3a3e40e4b802e7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67442,10 +67442,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_52A15A93 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083" - logic_hash = "ceaf5b06108baa6043e31010d777099ed6ac9b4054e86d41309bd7c2b0ffda11" + logic_hash = "v1_sha256_ceaf5b06108baa6043e31010d777099ed6ac9b4054e86d41309bd7c2b0ffda11" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67471,10 +67471,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_D0Ad9C82 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083" - logic_hash = "8351cb61f5b712c65962e734a7c29271fa4805720e14b6badc9bc1c0364778f8" + logic_hash = "v1_sha256_8351cb61f5b712c65962e734a7c29271fa4805720e14b6badc9bc1c0364778f8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67500,10 +67500,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_E2C89606 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083" - logic_hash = "64cb8d8ec04a53f663b216208279afba3c10f148fe99822f9a45100a4f73ed28" + logic_hash = "v1_sha256_64cb8d8ec04a53f663b216208279afba3c10f148fe99822f9a45100a4f73ed28" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67529,9 +67529,9 @@ rule ELASTIC_Linux_Trojan_Mobidash_82B4E3F3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L61-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8c91f85bc807605a3233d28a5eb8b6e1cf847fb288cbc4427e86226eed7a2055" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L61-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8c91f85bc807605a3233d28a5eb8b6e1cf847fb288cbc4427e86226eed7a2055" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67557,10 +67557,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_601352Dc : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L80-L98" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L80-L98" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5714e130075f4780e025fb3810f58a63e618659ac34d12abe211a1b6f2f80269" - logic_hash = "adeeea73b711fc867b88775c06a14011380118ed85691660ba771381e51160e3" + logic_hash = "v1_sha256_adeeea73b711fc867b88775c06a14011380118ed85691660ba771381e51160e3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67586,9 +67586,9 @@ rule ELASTIC_Linux_Trojan_Mobidash_Ddca1181 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L100-L117" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "076d4ac69f6bc29975b22e19d429c25ef357443ec8fcaf5165e0a8069112af74" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L100-L117" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_076d4ac69f6bc29975b22e19d429c25ef357443ec8fcaf5165e0a8069112af74" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67614,10 +67614,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_65E666C0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L119-L137" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L119-L137" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "19f9b5382d3e8e604be321aefd47cb72c2337a170403613b853307c266d065dd" - logic_hash = "2d2bec8f89986b19bf1c806b6654405ac6523f49aeafd759b7631d9587d780c8" + logic_hash = "v1_sha256_2d2bec8f89986b19bf1c806b6654405ac6523f49aeafd759b7631d9587d780c8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67643,10 +67643,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_494D5B0F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L139-L157" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L139-L157" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7e08df5279f4d22f1f27553946b0dadd60bb8242d522a8dceb45ab7636433c2f" - logic_hash = "6ddb94f9f44fe749a442592d491343a99bd870ea2d79596631d857516425e72b" + logic_hash = "v1_sha256_6ddb94f9f44fe749a442592d491343a99bd870ea2d79596631d857516425e72b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67672,10 +67672,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_Bb4F7F39 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L159-L177" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L159-L177" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083" - logic_hash = "33e8fcbb29cc38b4a8365845eb3a1488e13be964f7383b28a158a98fb259acb4" + logic_hash = "v1_sha256_33e8fcbb29cc38b4a8365845eb3a1488e13be964f7383b28a158a98fb259acb4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67701,9 +67701,9 @@ rule ELASTIC_Linux_Trojan_Mobidash_8679E1Cb : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L179-L196" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "6055ac4800397f6582e60cdf15fa74584986e1e7cf49a541b0ec746445834819" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L179-L196" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_6055ac4800397f6582e60cdf15fa74584986e1e7cf49a541b0ec746445834819" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -67729,9 +67729,9 @@ rule ELASTIC_Linux_Trojan_Mobidash_29B86E6A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L198-L215" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "dd5f44249cc4c91f39a0e7d0b236ebeed8f78d5fcb03c7ebc80ef1c738b18336" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L198-L215" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_dd5f44249cc4c91f39a0e7d0b236ebeed8f78d5fcb03c7ebc80ef1c738b18336" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67757,10 +67757,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_E3086563 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L217-L235" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L217-L235" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083" - logic_hash = "5545f7ce8fa45dc56bc4bb5140ce1db527997dfaa1dd2bbb1e4a12af45300065" + logic_hash = "v1_sha256_5545f7ce8fa45dc56bc4bb5140ce1db527997dfaa1dd2bbb1e4a12af45300065" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67786,10 +67786,10 @@ rule ELASTIC_Linux_Trojan_Mobidash_2F114992 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mobidash.yar#L237-L255" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mobidash.yar#L237-L255" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083" - logic_hash = "f93fe72e08c8ec135cccc8cdab2ecedbb694e9ad39f2572d060864bb3290e25c" + logic_hash = "v1_sha256_f93fe72e08c8ec135cccc8cdab2ecedbb694e9ad39f2572d060864bb3290e25c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67815,10 +67815,10 @@ rule ELASTIC_Windows_Trojan_Xtremerat_Cd5B60Be : FILE MEMORY date = "2022-03-15" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_XtremeRAT.yar#L1-L28" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_XtremeRAT.yar#L1-L28" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "735f7bf255bdc5ce8e69259c8e24164e5364aeac3ee78782b7b5275c1d793da8" - logic_hash = "a6997ae4842bd45c440925ef2a5848b57c58e2373c0971ce6b328ea297ee97b4" + logic_hash = "v1_sha256_a6997ae4842bd45c440925ef2a5848b57c58e2373c0971ce6b328ea297ee97b4" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -67842,7 +67842,7 @@ rule ELASTIC_Windows_Trojan_Xtremerat_Cd5B60Be : FILE MEMORY $s10 = "shellexecute=" wide fullword condition: - 7 of ($s*) + 7 of ( $s* ) } rule ELASTIC_Windows_Trojan_Bughatch_21269Be4 : FILE MEMORY { 
@@ -67853,10 +67853,10 @@ rule ELASTIC_Windows_Trojan_Bughatch_21269Be4 : FILE MEMORY date = "2022-05-09" modified = "2022-06-09" reference = "https://www.elastic.co/security-labs/bughatch-malware-analysis" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bughatch.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bughatch.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f" - logic_hash = "a8a2cae51a31e48ffe729df61ec96e3257f9c997ad5234075f85ed55de96f11d" + logic_hash = "v1_sha256_a8a2cae51a31e48ffe729df61ec96e3257f9c997ad5234075f85ed55de96f11d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67884,10 +67884,10 @@ rule ELASTIC_Windows_Trojan_Bughatch_98F3C0Be : FILE MEMORY date = "2022-05-09" modified = "2022-06-09" reference = "https://www.elastic.co/security-labs/bughatch-malware-analysis" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bughatch.yar#L24-L51" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bughatch.yar#L24-L51" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f" - logic_hash = "d578515fece7bd464bb09cc5ddb5caf70f4022e8b10388db689e67e662d57f66" + logic_hash = "v1_sha256_d578515fece7bd464bb09cc5ddb5caf70f4022e8b10388db689e67e662d57f66" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67921,10 +67921,10 @@ rule ELASTIC_Linux_Hacktool_Cleanlog_C2907D77 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Cleanlog.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Cleanlog.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "613ac236130ab1654f051d6f0661fa62414f3bef036ea4cc585b4b21a4bb9d2b" - logic_hash = "39b72973bbcddf14604b8ea08339657cba317c23fd4d69d4aa0903b262397988" + logic_hash = "v1_sha256_39b72973bbcddf14604b8ea08339657cba317c23fd4d69d4aa0903b262397988" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67950,10 +67950,10 @@ rule ELASTIC_Linux_Hacktool_Cleanlog_3Eb725D1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Cleanlog.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Cleanlog.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4df4ebcc61ab2cdb8e5112eeb4e2f29e4e841048de43d7426b1ec11afe175bf6" - logic_hash = "a9530aca53d935f3e77a5f0fc332db16e3a2832be67c067e5a6d18e7ec00e39f" + logic_hash = "v1_sha256_a9530aca53d935f3e77a5f0fc332db16e3a2832be67c067e5a6d18e7ec00e39f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -67979,10 +67979,10 @@ rule ELASTIC_Linux_Hacktool_Cleanlog_400B7595 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Cleanlog.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Cleanlog.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4df4ebcc61ab2cdb8e5112eeb4e2f29e4e841048de43d7426b1ec11afe175bf6" - logic_hash = "e36acf708875efda88143124e11fef5b0e2f99d17b0c49344db969cf0d454db1" + logic_hash = "v1_sha256_e36acf708875efda88143124e11fef5b0e2f99d17b0c49344db969cf0d454db1" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -68008,10 +68008,10 @@ rule ELASTIC_Linux_Trojan_Ddostf_E4874Cd4 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ddostf.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ddostf.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2" - logic_hash = "1523fe8f7bbbc7e42f8c2efe5b28dd381007846a1ba7078a6f1a30aedace884b" + logic_hash = "v1_sha256_1523fe8f7bbbc7e42f8c2efe5b28dd381007846a1ba7078a6f1a30aedace884b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68037,9 +68037,9 @@ rule ELASTIC_Linux_Trojan_Ddostf_32C35334 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ddostf.yar#L21-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d62d450d48756c09f8788b27301de889c864e597924a0526a325fa602f91f376" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ddostf.yar#L21-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d62d450d48756c09f8788b27301de889c864e597924a0526a325fa602f91f376" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68065,10 +68065,10 @@ rule ELASTIC_Linux_Trojan_Ddostf_6Dc1Caab : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ddostf.yar#L40-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ddostf.yar#L40-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f4587bd45e57d4106ebe502d2eaa1d97fd68613095234038d67490e74c62ba70" - logic_hash = "fd70960ed6e06f4d152bbd211fbe491dad596010da12cd53c93b577b551b8053" + logic_hash = "v1_sha256_fd70960ed6e06f4d152bbd211fbe491dad596010da12cd53c93b577b551b8053" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68094,10 +68094,10 @@ rule ELASTIC_Linux_Trojan_Ddostf_Dc47A873 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ddostf.yar#L60-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ddostf.yar#L60-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2" - logic_hash = "2f5bd9e012fd778388074cf29b56c7cd59391840f994835d087b7b661445d316" + logic_hash = "v1_sha256_2f5bd9e012fd778388074cf29b56c7cd59391840f994835d087b7b661445d316" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68123,10 +68123,10 @@ rule ELASTIC_Linux_Trojan_Ddostf_Cb0358A0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ddostf.yar#L80-L98" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ddostf.yar#L80-L98" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2" - logic_hash = "1f152b69bf0b2bfa539fdd42c432e456b9efb3766a450333a987313bb12c1826" + logic_hash = "v1_sha256_1f152b69bf0b2bfa539fdd42c432e456b9efb3766a450333a987313bb12c1826" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68152,10 +68152,10 @@ rule ELASTIC_Windows_Hacktool_Sharpup_E5C87C9A : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpUp.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpUp.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "45e92b991b3633b446473115f97366d9f35acd446d00cd4a05981a056660ad27" - logic_hash = "62e9aafd308aacbc7a124c707e230c5a9ffde4f6929a5feada5497e3eae7668c" + logic_hash = "v1_sha256_62e9aafd308aacbc7a124c707e230c5a9ffde4f6929a5feada5497e3eae7668c" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -68176,7 +68176,7 @@ rule ELASTIC_Windows_Hacktool_Sharpup_E5C87C9A : FILE MEMORY $print_str3 = "Registry AutoLogon Found" ascii wide condition: - $guid or ( all of ($str*) and 1 of ($print_str*)) + $guid or ( all of ( $str* ) and 1 of ( $print_str* ) ) } rule ELASTIC_Linux_Cryptominer_Casdet_5D0D33Be : FILE MEMORY { 
@@ -68187,10 +68187,10 @@ rule ELASTIC_Linux_Cryptominer_Casdet_5D0D33Be : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Casdet.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Casdet.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4b09115c876a8b610e1941c768100e03c963c76b250fdd5b12a74253ef9e5fb6" - logic_hash = "e3264f614e257d853070907866b838d1cb53c1f60f7a0123ec503f1d540a15d7" + logic_hash = "v1_sha256_e3264f614e257d853070907866b838d1cb53c1f60f7a0123ec503f1d540a15d7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68216,10 +68216,10 @@ rule ELASTIC_Windows_Hacktool_Coffloader_81Ba13B8 : FILE MEMORY date = "2024-04-22" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_COFFLoader.yar#L1-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_COFFLoader.yar#L1-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c2e03659eb1594dc958e01344cfa9ba126d66736b089db5e3dd1b1c3e3e7d2f7" - logic_hash = "d4f061af200a0ae9f3276fd6dfcb09ecdf662f29b7c43ea47c69a53d9fe66793" + logic_hash = "v1_sha256_d4f061af200a0ae9f3276fd6dfcb09ecdf662f29b7c43ea47c69a53d9fe66793" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -68258,7 +68258,7 @@ rule ELASTIC_Windows_Hacktool_Coffloader_81Ba13B8 : FILE MEMORY $b2 = "COFFLoader.x86.dll" condition: - 5 of ($a*) or 1 of ($b*) + 5 of ( $a* ) or 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Nimplant_44Ff3211 : FILE MEMORY { 
@@ -68269,10 +68269,10 @@ rule ELASTIC_Windows_Trojan_Nimplant_44Ff3211 : FILE MEMORY date = "2023-06-23" modified = "2023-07-10" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Nimplant.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Nimplant.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b56e20384f98e1d2417bb7dcdbfb375987dd075911b74ea7ead082494836b8f4" - logic_hash = "ee519d8d722404ed440b385d283a41921bc34ee11f0e7273cdc074b377494c39" + logic_hash = "v1_sha256_ee519d8d722404ed440b385d283a41921bc34ee11f0e7273cdc074b377494c39" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68300,10 +68300,10 @@ rule ELASTIC_Linux_Exploit_Wuftpd_0991E62F : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Wuftpd.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Wuftpd.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c0b6303300f38013840abe17abe192db6a99ace78c83bc7ef705f5c568bc98fd" - logic_hash = "71ad26a182c7f16e7e0ad7f7afe0dcf1d38fe953dc0806341d7e21ee4acea87d" + logic_hash = "v1_sha256_71ad26a182c7f16e7e0ad7f7afe0dcf1d38fe953dc0806341d7e21ee4acea87d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68329,10 +68329,10 @@ rule ELASTIC_Windows_Hacktool_Capcom_7Abae448 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Capcom.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Capcom.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24" - logic_hash = "88f25c479cc8970e05ef9d08143afbbbfa17322f34379ba571e3a09105b33ee0" + logic_hash = "v1_sha256_88f25c479cc8970e05ef9d08143afbbbfa17322f34379ba571e3a09105b33ee0" score = 75 quality = 75 tags = "FILE" @@ -68348,7 +68348,7 @@ rule ELASTIC_Windows_Hacktool_Capcom_7Abae448 : FILE $subject_name = { 06 03 55 04 03 [2] 43 41 50 43 4F 4D 20 43 6F 2E 2C 4C 74 64 2E } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $subject_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $subject_name } rule ELASTIC_Windows_Trojan_Latrodectus_841Ff697 : FILE MEMORY { 
@@ -68359,10 +68359,10 @@ rule ELASTIC_Windows_Trojan_Latrodectus_841Ff697 : FILE MEMORY date = "2024-03-13" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Latrodectus.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Latrodectus.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c" - logic_hash = "aa1a4813a18b4eb4f07e805ff9c87523ad74f59c0ed538212918335eaeee29d7" + logic_hash = "v1_sha256_aa1a4813a18b4eb4f07e805ff9c87523ad74f59c0ed538212918335eaeee29d7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68395,10 +68395,10 @@ rule ELASTIC_Linux_Rootkit_Fontonlake_8Fa41F5E : FILE MEMORY date = "2021-10-12" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Fontonlake.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Fontonlake.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "826222d399e2fb17ae6bc6a4e1493003881b1406154c4b817f0216249d04a234" - logic_hash = "e90ace26dd74ae948d2469c6f532af5ec3070a21092f8b2c4d47c4f5b9d04c09" + logic_hash = "v1_sha256_e90ace26dd74ae948d2469c6f532af5ec3070a21092f8b2c4d47c4f5b9d04c09" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -68420,7 +68420,7 @@ rule ELASTIC_Linux_Rootkit_Fontonlake_8Fa41F5E : FILE MEMORY $tmp2 = "/tmp/.tmp_" fullword condition: - ( all of ($a*) and 1 of ($tmp*)) or ( all of ($h*)) + ( all of ( $a* ) and 1 of ( $tmp* ) ) or ( all of ( $h* ) ) } rule ELASTIC_Linux_Trojan_Orbit_57C23178 : FILE MEMORY { 
@@ -68431,10 +68431,10 @@ rule ELASTIC_Linux_Trojan_Orbit_57C23178 : FILE MEMORY date = "2022-07-20" modified = "2022-08-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Orbit.yar#L1-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Orbit.yar#L1-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020" - logic_hash = "25b29e874ea9d400662418ddbb1c995a5a5b49f8ba6f51f59f7aa57cdda74054" + logic_hash = "v1_sha256_25b29e874ea9d400662418ddbb1c995a5a5b49f8ba6f51f59f7aa57cdda74054" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -68470,7 +68470,7 @@ rule ELASTIC_Linux_Trojan_Orbit_57C23178 : FILE MEMORY $hosts_access = { 8B 45 ?? 48 98 C6 84 05 D0 EF FF FF 00 48 8B 05 ?? ?? ?? ?? 48 8B 80 ?? ?? 00 00 48 8B 95 C8 EF FF FF 48 89 D7 FF D0 89 45 ?? 48 8D 85 D0 EF FF FF 48 89 45 ?? EB } condition: - 7 of ($loaderstrings*) or ( all of ($functionName*) and $tmppath and all of ($execvStrings*)) or 2 of ($pam_log_password,$load_hidden_ports,$hosts_access) + 7 of ( $loaderstrings* ) or ( all of ( $functionName* ) and $tmppath and all of ( $execvStrings* ) ) or 2 of ( $pam_log_password , $load_hidden_ports , $hosts_access ) } rule ELASTIC_Linux_Ransomware_Gonnacry_53C3832D : FILE MEMORY { 
@@ -68481,10 +68481,10 @@ rule ELASTIC_Linux_Ransomware_Gonnacry_53C3832D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Gonnacry.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Gonnacry.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac" - logic_hash = "2b7453c4eb71b71e6a241f728b077a2ee63d988d55a64fedf61c34222799e262" + logic_hash = "v1_sha256_2b7453c4eb71b71e6a241f728b077a2ee63d988d55a64fedf61c34222799e262" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68510,10 +68510,10 @@ rule ELASTIC_Linux_Exploit_CVE_2009_2908_406C2Fef : FILE MEMORY CVE_2009_2908 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2009_2908.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2009_2908.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1e05a23f5b3b9cfde183aec26b723147e1816b95dc0fb7f9ac57376efcb22fcd" - logic_hash = "ae379ca7564eb97f141f6ad71ca12973bf1a38cda4bc03e3f4dca1939a9b6b38" + logic_hash = "v1_sha256_ae379ca7564eb97f141f6ad71ca12973bf1a38cda4bc03e3f4dca1939a9b6b38" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2009-2908" 
@@ -68539,10 +68539,10 @@ rule ELASTIC_Linux_Ransomware_Itssoeasy_30Bd68E0 : FILE MEMORY date = "2023-07-28" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_ItsSoEasy.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_ItsSoEasy.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "efb1024654e86c0c30d2ac5f97d27f5f27b4dd3f7f6ada65d58691f0d703461c" - logic_hash = "a8838af442d1106bc9a7df93d6d8335ff0275bf5928acbb605e9bad58ce6bbd4" + logic_hash = "v1_sha256_a8838af442d1106bc9a7df93d6d8335ff0275bf5928acbb605e9bad58ce6bbd4" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -68569,10 +68569,10 @@ rule ELASTIC_Windows_Ransomware_Gandcrab_8D0Ca31D : FILE MEMORY date = "2024-08-27" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_GandCrab.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_GandCrab.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "29eee4f8b088ec1cdac03a04ca834479fce9a0fdf696224c6f19d573f4e2a703" - logic_hash = "0ee46c41031a7e7fbdae0b80bd8c53bfd1a0b9d255072971e74470988e492430" + logic_hash = "v1_sha256_0ee46c41031a7e7fbdae0b80bd8c53bfd1a0b9d255072971e74470988e492430" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68600,10 +68600,10 @@ rule ELASTIC_Linux_Trojan_Masan_5369C678 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Masan.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Masan.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f2de9f39ca3910d5b383c245d8ca3c1bdf98e2309553599e0283062e0aeff17f" - logic_hash = "e57b105004216a6054b0561b69cce00c35255c5bd33aa8e403d0a3967cd0697e" + logic_hash = "v1_sha256_e57b105004216a6054b0561b69cce00c35255c5bd33aa8e403d0a3967cd0697e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68629,10 +68629,10 @@ rule ELASTIC_Linux_Ransomware_Babuk_Bd216Cab : FILE MEMORY date = "2024-05-09" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Babuk.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Babuk.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d305a30017baef4f08cee38a851b57869676e45c66e64bb7cc58d40bf0142fe0" - logic_hash = "b0538be9d8deccc3f77640da28e5fd38a07557e9e5e3c09b11349d7eb50a56b5" + logic_hash = "v1_sha256_b0538be9d8deccc3f77640da28e5fd38a07557e9e5e3c09b11349d7eb50a56b5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68659,10 +68659,10 @@ rule ELASTIC_Linux_Trojan_Mechbot_F2E1C5Aa : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mechbot.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mechbot.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5f8e80e6877ff2de09a12135ee1fc17bee8eb6d811a65495bcbcddf14ecb44a3" - logic_hash = "2ba9ece1ab2360702a59a737a20b6dbd8fca276b543477f9290ab80c6f51e2f1" + logic_hash = "v1_sha256_2ba9ece1ab2360702a59a737a20b6dbd8fca276b543477f9290ab80c6f51e2f1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68688,10 +68688,10 @@ rule ELASTIC_Windows_Trojan_Remcos_B296E965 : FILE MEMORY date = "2021-06-10" modified = "2021-08-23" reference = "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Remcos.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Remcos.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed" - logic_hash = "069072abd1182eee50cb9937503d47845e7315d8e3cd6b63576adc8f21820c82" + logic_hash = "v1_sha256_069072abd1182eee50cb9937503d47845e7315d8e3cd6b63576adc8f21820c82" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68720,10 +68720,10 @@ rule ELASTIC_Windows_Trojan_Remcos_7591E9F1 : FILE MEMORY date = "2023-06-23" modified = "2023-07-10" reference = "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Remcos.yar#L25-L49" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Remcos.yar#L25-L49" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4e6e5ecd1cf9c88d536c894d74320c77967fe08c75066098082bf237283842fa" - logic_hash = "96acf1ba7740a8d34d929ed4a4fa446c984c3a8f64a603d428e782b6997e4d20" + logic_hash = "v1_sha256_96acf1ba7740a8d34d929ed4a4fa446c984c3a8f64a603d428e782b6997e4d20" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68754,10 +68754,10 @@ rule ELASTIC_Windows_Trojan_Zeus_E51C60D7 : FILE MEMORY date = "2021-02-07" modified = "2021-10-04" reference = "https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Zeus.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Zeus.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3" - logic_hash = "cde738f95dbad1fbad59e20528b2f577e5e3ee5fcb37c68a45d53c689d2af525" + logic_hash = "v1_sha256_cde738f95dbad1fbad59e20528b2f577e5e3ee5fcb37c68a45d53c689d2af525" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68788,10 +68788,10 @@ rule ELASTIC_Windows_Hacktool_Phant0M_2D6F9B57 : FILE MEMORY date = "2024-02-28" modified = "2024-03-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Phant0m.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Phant0m.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "30978aadd7d7bc86e735facb5046942792ad1beab6919754e6765e0ccbcf89d6" - logic_hash = "a66f8779f77b216f7831617a34c008e4202f36e74f2866c9792cee34b804408d" + logic_hash = "v1_sha256_a66f8779f77b216f7831617a34c008e4202f36e74f2866c9792cee34b804408d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -68811,7 +68811,7 @@ rule ELASTIC_Windows_Hacktool_Phant0M_2D6F9B57 : FILE MEMORY $s5 = "Windows EventLog module %S at %p" condition: - $api and 2 of ($s*) + $api and 2 of ( $s* ) } rule ELASTIC_Linux_Trojan_Metasploit_69E20012 : FILE MEMORY { 
@@ -68822,10 +68822,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_69E20012 : FILE MEMORY date = "2024-05-03" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "debb5d12c1b876f47a0057aad19b897c21f17de7b02c0e42f4cce478970f0120" - logic_hash = "5d3c3e3ba7d5d0c20d2fa1a53032da9a93a6727dcd6cb3497bb7bfb8272e4f2b" + logic_hash = "v1_sha256_5d3c3e3ba7d5d0c20d2fa1a53032da9a93a6727dcd6cb3497bb7bfb8272e4f2b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68856,10 +68856,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_0C629849 : FILE MEMORY date = "2024-05-03" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L26-L48" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L26-L48" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ad070542729f3c80d6a981b351095ab8ac836b89a5c788dff367760a2d8b1dbb" - logic_hash = "2bea8f569728ba81af4024bf062a06a5c91b1f057a0b62fe6d51b6fcadedf58c" + logic_hash = "v1_sha256_2bea8f569728ba81af4024bf062a06a5c91b1f057a0b62fe6d51b6fcadedf58c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68889,10 +68889,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_849Cc5D5 : FILE MEMORY date = "2024-05-03" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L50-L71" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L50-L71" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "42d734dbd33295bd68e5a545a29303a2104a5a92e5fee31d645e2a6410cc03e9" - logic_hash = "01c708b1e000aecf473e0a1cf23f3812a337b9b21f5b81f7a5e481d06fdaeb16" + logic_hash = "v1_sha256_01c708b1e000aecf473e0a1cf23f3812a337b9b21f5b81f7a5e481d06fdaeb16" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -68910,7 +68910,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_849Cc5D5 : FILE MEMORY $shell2 = { 48 96 6A 2B 58 0F 05 50 56 5F 6A 09 58 99 B6 10 48 89 D6 4D 31 C9 6A 22 41 5A B2 07 0F 05 48 96 48 97 5F 0F 05 FF E6 } condition: - all of ($init*) and 1 of ($shell*) + all of ( $init* ) and 1 of ( $shell* ) } rule ELASTIC_Linux_Trojan_Metasploit_Da378432 : FILE MEMORY { 
@@ -68921,10 +68921,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_Da378432 : FILE MEMORY date = "2024-05-03" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L73-L93" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L73-L93" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "277499da700e0dbe27269c7cfb1fc385313c4483912a9a3f0c15adba33ecd0bf" - logic_hash = "cd9df6dff23986d61176e4d3440516b0590abdeebef0e456d1f4924724556fe9" + logic_hash = "v1_sha256_cd9df6dff23986d61176e4d3440516b0590abdeebef0e456d1f4924724556fe9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68952,10 +68952,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_B957E45D : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L95-L115" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L95-L115" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "78af84bad4934283024f4bf72dfbf9cc081d2b92a9de32cc36e1289131c783ab" - logic_hash = "27281303d007e6723308e88f335f52723b3ff0ef733d1a0712f5ba268e53a073" + logic_hash = "v1_sha256_27281303d007e6723308e88f335f52723b3ff0ef733d1a0712f5ba268e53a073" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -68983,10 +68983,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_1A98F2E2 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L117-L137" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L117-L137" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "89be4507c9c24c4ec9a7282f197a9a6819e696d2832df81f7e544095d048fc22" - logic_hash = "23ea1c255472a67746b470e50d982bc91d22ede5e2582cf5cfaa90a1ed4e8805" + logic_hash = "v1_sha256_23ea1c255472a67746b470e50d982bc91d22ede5e2582cf5cfaa90a1ed4e8805" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69014,10 +69014,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_D74153F6 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L139-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L139-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2823d27492e2e7a95b67a08cb269eb6f4175451d58b098ae429330913397d40a" - logic_hash = "c60e7e63183f5bf0354a03f8399576e494e44a30257339ebccb6c19e954d6f3a" + logic_hash = "v1_sha256_c60e7e63183f5bf0354a03f8399576e494e44a30257339ebccb6c19e954d6f3a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69045,10 +69045,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_F7A31E87 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L161-L182" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L161-L182" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "82b55d8c0f0175d02399aaf88ad9e92e2e37ef27d52c7f71271f3516ba884847" - logic_hash = "49583ba4f2bedb9337a8c10df4246bb76a3e60b08ba1a6b8684537fee985d911" + logic_hash = "v1_sha256_49583ba4f2bedb9337a8c10df4246bb76a3e60b08ba1a6b8684537fee985d911" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -69066,7 +69066,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_F7A31E87 : FILE MEMORY $payload2 = { 5F 89 FB 6A 02 59 6A 3F 58 CD 80 49 79 ?? 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80 } condition: - $setup and 1 of ($payload*) + $setup and 1 of ( $payload* ) } rule ELASTIC_Linux_Trojan_Metasploit_B0D2D4A4 : FILE MEMORY { 
@@ -69077,10 +69077,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_B0D2D4A4 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L184-L205" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L184-L205" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a37c888875e84069763303476f0df6769df6015b33aded59fc1e23eb604f2163" - logic_hash = "bcabf74900222074ecf9051b6e0cb4ca7a240acd047a1b27137d1d198e23f161" + logic_hash = "v1_sha256_bcabf74900222074ecf9051b6e0cb4ca7a240acd047a1b27137d1d198e23f161" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69109,10 +69109,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_5D26689F : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L207-L229" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L207-L229" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dafefb4d79d848384442a697b1316d93fef2741fca854be744896ce1d7f82073" - logic_hash = "e7906273aa7f42920be9d06cdae89c81e0a99e532cdcd7bd714acc5f2bbb0ed5" + logic_hash = "v1_sha256_e7906273aa7f42920be9d06cdae89c81e0a99e532cdcd7bd714acc5f2bbb0ed5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -69131,7 +69131,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_5D26689F : FILE MEMORY $reg_bind_execve = { B0 0B 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 41 CD 80 } condition: - ($tiny_bind) or ( all of ($reg_bind*)) + ($tiny_bind ) or ( all of ( $reg_bind* ) ) } rule ELASTIC_Linux_Trojan_Metasploit_1C8C98Ae : FILE MEMORY { 
@@ -69142,10 +69142,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_1C8C98Ae : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L231-L251" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L231-L251" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1a2c40531584ed485f3ff532f4269241a76ff171956d03e4f0d3f9c950f186d4" - logic_hash = "fc32aa29f58478f0b7f4f5be61aadec65842c05b7d8ded840530503eae28b8eb" + logic_hash = "v1_sha256_fc32aa29f58478f0b7f4f5be61aadec65842c05b7d8ded840530503eae28b8eb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69173,10 +69173,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_47F4B334 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L253-L277" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L253-L277" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c3821f63a7ec8861a6168b4bb494bf8cbac436b3abf5eaffbc6907fd68ebedb8" - logic_hash = "34c8182d3b5ecbebd122d2d58fc0502a6bbca020b528ffdcc9ee988f21512d99" + logic_hash = "v1_sha256_34c8182d3b5ecbebd122d2d58fc0502a6bbca020b528ffdcc9ee988f21512d99" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -69197,7 +69197,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_47F4B334 : FILE MEMORY $payload3c = { 57 53 89 E1 CD 80 } condition: - $payload1 or ( all of ($payload2*)) or ( all of ($payload3*)) + $payload1 or ( all of ( $payload2* ) ) or ( all of ( $payload3* ) ) } rule ELASTIC_Linux_Trojan_Metasploit_0B014E0E : FILE MEMORY { 
@@ -69208,10 +69208,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_0B014E0E : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L279-L303" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L279-L303" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a24443331508cc72b3391353f91cd009cafcc223ac5939eab12faf57447e3162" - logic_hash = "cb19a0461d5fe6066d1fed4898ea12a9818be69d870e511559b19d5c7c959819" + logic_hash = "v1_sha256_cb19a0461d5fe6066d1fed4898ea12a9818be69d870e511559b19d5c7c959819" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -69232,7 +69232,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_0B014E0E : FILE MEMORY $payload3c = { 56 57 54 5E 6A 3B 58 0F 05 } condition: - $payload1 or ( all of ($payload2*)) or ( all of ($payload3*)) + $payload1 or ( all of ( $payload2* ) ) or ( all of ( $payload3* ) ) } rule ELASTIC_Linux_Trojan_Metasploit_Ccc99Be1 : FILE MEMORY { 
@@ -69243,10 +69243,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_Ccc99Be1 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L305-L327" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L305-L327" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0e9f52d7aa6bff33bfbdba6513d402db3913d4036a5e1c1c83f4ccd5cc8107c8" - logic_hash = "96af2123251587ece32e424202ff61cfa70faf2916cacddf5fcd9d81bf483032" + logic_hash = "v1_sha256_96af2123251587ece32e424202ff61cfa70faf2916cacddf5fcd9d81bf483032" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69276,10 +69276,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_Ed4B2C85 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L329-L348" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L329-L348" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0709a60149ca110f6e016a257f9ac35c6f64f50cfbd71075c4ca8bfe843c3211" - logic_hash = "79e466b2f40a6769db498cc28cb22ba72ec20f92c8450d6f1f8301d00012f967" + logic_hash = "v1_sha256_79e466b2f40a6769db498cc28cb22ba72ec20f92c8450d6f1f8301d00012f967" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69306,10 +69306,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_2B0Ad6F0 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L350-L371" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L350-L371" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "aa2bce61511c72ac03562b5178aad57bce8b46916160689ed07693790cbfbeec" - logic_hash = "91b4547e44c40cafe09dd415f0b5dfe5980fcb10d50aeae844cf21e7608d9a9d" + logic_hash = "v1_sha256_91b4547e44c40cafe09dd415f0b5dfe5980fcb10d50aeae844cf21e7608d9a9d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69338,10 +69338,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_Bf205D5A : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L373-L397" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L373-L397" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2162a89f70edd7a7f93f8972c6a13782fb466cdada41f255f0511730ec20d037" - logic_hash = "9f4c84fadc3d7555c80efc9c9c5dcb01d4ea65d2ff191aa63ae8316f763ded3f" + logic_hash = "v1_sha256_9f4c84fadc3d7555c80efc9c9c5dcb01d4ea65d2ff191aa63ae8316f763ded3f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -69362,7 +69362,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_Bf205D5A : FILE MEMORY $socket = { 51 50 89 E1 6A 66 58 CD 80 D1 E3 B0 66 CD 80 57 43 B0 66 89 51 04 CD 80 } condition: - 3 of ($str*) and $ipv6 and $socket + 3 of ( $str* ) and $ipv6 and $socket } rule ELASTIC_Linux_Trojan_Metasploit_E5B61173 : FILE MEMORY { 
@@ -69373,10 +69373,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_E5B61173 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L399-L420" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L399-L420" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8032a7a320102c8e038db16d51b8615ee49f04dab1444326463f75ce0c5947a5" - logic_hash = "f60d2de0b7fac06b62616d7c7f51e9374df3895eb30a07040e742cbcb462a418" + logic_hash = "v1_sha256_f60d2de0b7fac06b62616d7c7f51e9374df3895eb30a07040e742cbcb462a418" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69405,10 +69405,10 @@ rule ELASTIC_Linux_Trojan_Metasploit_Dd5Fd075 : FILE MEMORY date = "2024-05-07" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Metasploit.yar#L422-L443" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Metasploit.yar#L422-L443" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b47132a92b66c32c88f39fe36d0287c6b864043273939116225235d4c5b4043a" - logic_hash = "f5101d5ddb1a84127e755677da70d9154849c546ac6ef0e7ef2639c82911eb92" + logic_hash = "v1_sha256_f5101d5ddb1a84127e755677da70d9154849c546ac6ef0e7ef2639c82911eb92" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69437,9 +69437,9 @@ rule ELASTIC_Linux_Cryptominer_Bulz_2Aa8Fbb5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Bulz.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "21d8bec73476783e01d2a51a99233f186d7c72b49c9292c42e19e1aa6397d415" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Bulz.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_21d8bec73476783e01d2a51a99233f186d7c72b49c9292c42e19e1aa6397d415" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -69465,9 +69465,9 @@ rule ELASTIC_Linux_Cryptominer_Bulz_0998F811 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Bulz.yar#L20-L37" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "178f6c42582dd99cc5418388d020d4d76f2a9204297a673359fe0a300121c35b" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Bulz.yar#L20-L37" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_178f6c42582dd99cc5418388d020d4d76f2a9204297a673359fe0a300121c35b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69493,10 +69493,10 @@ rule ELASTIC_Windows_Trojan_Pandastealer_8B333E76 : FILE MEMORY date = "2021-09-02" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Pandastealer.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Pandastealer.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935" - logic_hash = "5878799338fc18bac0f946faeadd59c921dee32c9391fc12d22c72c0cd6733a8" + logic_hash = "v1_sha256_5878799338fc18bac0f946faeadd59c921dee32c9391fc12d22c72c0cd6733a8" score = 75 quality = 25 tags = "FILE, MEMORY" 
@@ -69526,10 +69526,10 @@ rule ELASTIC_Linux_Trojan_Mirai_268Aac0B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead" - logic_hash = "6eae3aba35d3379fa194b66a1b4e0d78d0d0b88386cd4ea5dfeb3c072642c7ba" + logic_hash = "v1_sha256_6eae3aba35d3379fa194b66a1b4e0d78d0d0b88386cd4ea5dfeb3c072642c7ba" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69555,10 +69555,10 @@ rule ELASTIC_Linux_Trojan_Mirai_D5F2Abe2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c490586fbf90d360cf3b2f9e2dc943809441df3dfd64dadad27fc9f5ee96ec74" - logic_hash = "169e7e5d1a7ea8c219464e22df9be8bc8caa2e78e1bc725674c8e0b14f6b9fc5" + logic_hash = "v1_sha256_169e7e5d1a7ea8c219464e22df9be8bc8caa2e78e1bc725674c8e0b14f6b9fc5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69584,9 +69584,9 @@ rule ELASTIC_Linux_Trojan_Mirai_1Cb033F3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L41-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "ebaf45ce58124aa91b07ebb48779e6da73baa0b80b13e663c13d8fb2bb47ad0d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L41-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_ebaf45ce58124aa91b07ebb48779e6da73baa0b80b13e663c13d8fb2bb47ad0d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69612,10 +69612,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Fa3Ad9D0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L60-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L60-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6" - logic_hash = "5890c85872ea4508e673235b20b481972f613f6e5f9564c0237c458995532347" + logic_hash = "v1_sha256_5890c85872ea4508e673235b20b481972f613f6e5f9564c0237c458995532347" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69641,10 +69641,10 @@ rule ELASTIC_Linux_Trojan_Mirai_0Cb1699C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L80-L98" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L80-L98" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb" - logic_hash = "97307f583240290de2bfc663b99f8dcdedace92885bd3e0c0340709b94c0bc2a" + logic_hash = "v1_sha256_97307f583240290de2bfc663b99f8dcdedace92885bd3e0c0340709b94c0bc2a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69670,10 +69670,10 @@ rule ELASTIC_Linux_Trojan_Mirai_6F021787 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L100-L118" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L100-L118" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "88183d71359c16d91a3252085ad5a270ad3e196fe431e3019b0810ecfd85ae10" - logic_hash = "7e8062682a0babbaa3c00975807ba9fc34c465afde55e4144944e7598f0ea1fd" + logic_hash = "v1_sha256_7e8062682a0babbaa3c00975807ba9fc34c465afde55e4144944e7598f0ea1fd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69699,10 +69699,10 @@ rule ELASTIC_Linux_Trojan_Mirai_1E0C5Ce0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L120-L138" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L120-L138" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d" - logic_hash = "591cc3ef6932bf990f56c932866b34778e8eccd0e343f9bd6126eb8205a12ecc" + logic_hash = "v1_sha256_591cc3ef6932bf990f56c932866b34778e8eccd0e343f9bd6126eb8205a12ecc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69728,10 +69728,10 @@ rule ELASTIC_Linux_Trojan_Mirai_22965A6D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L140-L158" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L140-L158" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "09c821aa8977f67878f8769f717c792d69436a951bb5ac06ce5052f46da80a48" - logic_hash = "6b2a46694edf709d28267268252cfe95d88049b7dca854059cfe44479ada7423" + logic_hash = "v1_sha256_6b2a46694edf709d28267268252cfe95d88049b7dca854059cfe44479ada7423" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69757,10 +69757,10 @@ rule ELASTIC_Linux_Trojan_Mirai_4032Ade1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L160-L178" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L160-L178" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6150fbbefb916583a0e888dee8ed3df8ec197ba7c04f89fb24f31de50226e688" - logic_hash = "9c5e24c4efd4035408897f638d3579c3798139fd18178cee4a944b49c13e1532" + logic_hash = "v1_sha256_9c5e24c4efd4035408897f638d3579c3798139fd18178cee4a944b49c13e1532" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -69786,9 +69786,9 @@ rule ELASTIC_Linux_Trojan_Mirai_B14F4C5D : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L180-L197"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "1a2114a7b397c850d732940a0e154bc04fbee1fdc12d343947b343b9b27a8af1"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L180-L197"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_1a2114a7b397c850d732940a0e154bc04fbee1fdc12d343947b343b9b27a8af1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69814,10 +69814,10 @@ rule ELASTIC_Linux_Trojan_Mirai_C8385B81 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L199-L217"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L199-L217"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3d27736caccdd3199a14ce29d91b1812d1d597a4fa8472698e6df6ef716f5ce9"
- logic_hash = "4ff1f0912fb92e7ac5af49e1738dac897ff1f0a118d8ff905da45b0a91b3f4a7"
+ logic_hash = "v1_sha256_4ff1f0912fb92e7ac5af49e1738dac897ff1f0a118d8ff905da45b0a91b3f4a7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69843,10 +69843,10 @@ rule ELASTIC_Linux_Trojan_Mirai_122Ff2E6 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L219-L237"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L219-L237"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4"
- logic_hash = "62884309b9095cdd6219c9ef6cd77a0f712640d8a1db4afe5b1d01f4bbe5acc2"
+ logic_hash = "v1_sha256_62884309b9095cdd6219c9ef6cd77a0f712640d8a1db4afe5b1d01f4bbe5acc2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69872,10 +69872,10 @@ rule ELASTIC_Linux_Trojan_Mirai_26Cba88C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L239-L257"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L239-L257"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4b4758bff3dcaa5640e340d27abba5c2e2b02c3c4a582374e183986375e49be8"
- logic_hash = "bb5a0f9e68655556ab9fccc27d11bf7828c299720bb67948455579d6a7eb2a9f"
+ logic_hash = "v1_sha256_bb5a0f9e68655556ab9fccc27d11bf7828c299720bb67948455579d6a7eb2a9f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69901,10 +69901,10 @@ rule ELASTIC_Linux_Trojan_Mirai_93Fc3657 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L259-L277"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L259-L277"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "0b5278feddd00b0b24ca735bf7cd1440379c6ce5aca6d2a6f38c9fdcedcb3c0d"
+ logic_hash = "v1_sha256_0b5278feddd00b0b24ca735bf7cd1440379c6ce5aca6d2a6f38c9fdcedcb3c0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69930,9 +69930,9 @@ rule ELASTIC_Linux_Trojan_Mirai_7C88Acbc : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L279-L296"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "76373f8e09b7467ac5d36e8baad3025a57568e891434297e53f2629a72cf8929"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L279-L296"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_76373f8e09b7467ac5d36e8baad3025a57568e891434297e53f2629a72cf8929"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69958,10 +69958,10 @@ rule ELASTIC_Linux_Trojan_Mirai_804F8E7C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L298-L316"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L298-L316"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "711d74406d9b0d658b3b29f647bd659699ac0af9cd482403122124ec6054f1ec"
+ logic_hash = "v1_sha256_711d74406d9b0d658b3b29f647bd659699ac0af9cd482403122124ec6054f1ec"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69987,10 +69987,10 @@ rule ELASTIC_Linux_Trojan_Mirai_A2D2E15A : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L318-L336"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L318-L336"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "567c3ce9bbbda760be81c286bfb2252418f551a64ba1189f6c0ec8ec059cee49"
- logic_hash = "c76fe953c4a70110346a020f2b27c7e79f4ad8a24fd92ac26e5ddd1fed068f65"
+ logic_hash = "v1_sha256_c76fe953c4a70110346a020f2b27c7e79f4ad8a24fd92ac26e5ddd1fed068f65"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70016,10 +70016,10 @@ rule ELASTIC_Linux_Trojan_Mirai_5946F41B : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L338-L356"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L338-L356"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f0b6bf8a683f8692973ea8291129c9764269a6739650ec3f9ee50d222df0a38a"
- logic_hash = "43691675db419426413ccc24aa9dfe94456fa1007630652b08a625eafd1f17b8"
+ logic_hash = "v1_sha256_43691675db419426413ccc24aa9dfe94456fa1007630652b08a625eafd1f17b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70045,10 +70045,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Da4Aa3B3 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L358-L376"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L358-L376"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "dbc246032d432318f23a4c1e5b6fcd787df29da3bf418613f588f758dcd80617"
- logic_hash = "84ddc505d2e2be955b88a0fe3b78d435f73c0a315b513e105933e84be78ba2ad"
+ logic_hash = "v1_sha256_84ddc505d2e2be955b88a0fe3b78d435f73c0a315b513e105933e84be78ba2ad"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70074,10 +70074,10 @@ rule ELASTIC_Linux_Trojan_Mirai_70Ef58F1 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L378-L396"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L378-L396"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb"
- logic_hash = "3ad201d643e8f93a6f9075c03a76020d78186702a19bf9174b08688a2e94ef5c"
+ logic_hash = "v1_sha256_3ad201d643e8f93a6f9075c03a76020d78186702a19bf9174b08688a2e94ef5c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70103,10 +70103,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Ea584243 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L398-L416"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L398-L416"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f363d9bd2132d969cd41e79f29c53ef403da64ca8afc4643084cc50076ddfb47"
- logic_hash = "34c6f800c849c295797cdd971fb4f3d16d680530f9a98c291388345569708208"
+ logic_hash = "v1_sha256_34c6f800c849c295797cdd971fb4f3d16d680530f9a98c291388345569708208"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70132,10 +70132,10 @@ rule ELASTIC_Linux_Trojan_Mirai_564B8Eda : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L418-L436"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L418-L436"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee"
- logic_hash = "4bf11492f480911629623250146554f2456f3a527f5f80402ef74b22c1460462"
+ logic_hash = "v1_sha256_4bf11492f480911629623250146554f2456f3a527f5f80402ef74b22c1460462"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70161,10 +70161,10 @@ rule ELASTIC_Linux_Trojan_Mirai_7E9F85Fb : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L438-L456"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L438-L456"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4333e80fd311b28c948bab7fb3f5efb40adda766f1ea4bed96a8db5fe0d80ea1"
- logic_hash = "f4ce912e190bc5dcb56541f54ba8e47b6103c482bdc7e83b44693d2c066c0170"
+ logic_hash = "v1_sha256_f4ce912e190bc5dcb56541f54ba8e47b6103c482bdc7e83b44693d2c066c0170"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70190,10 +70190,10 @@ rule ELASTIC_Linux_Trojan_Mirai_3A85A418 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L458-L476"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L458-L476"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a"
- logic_hash = "bd7fe497fb2557c9e9c26ec90e783f03cbbc9bdaa8d20b364ce65edf6c1e5fa3"
+ logic_hash = "v1_sha256_bd7fe497fb2557c9e9c26ec90e783f03cbbc9bdaa8d20b364ce65edf6c1e5fa3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70219,10 +70219,10 @@ rule ELASTIC_Linux_Trojan_Mirai_24C5B7D6 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L478-L496"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L478-L496"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4"
- logic_hash = "f790f6b8fcf932773054525ed74a3f15998d91a2626ae9c56486de8dabc2035c"
+ logic_hash = "v1_sha256_f790f6b8fcf932773054525ed74a3f15998d91a2626ae9c56486de8dabc2035c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70248,10 +70248,10 @@ rule ELASTIC_Linux_Trojan_Mirai_99D78950 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L498-L516"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L498-L516"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "bfd628a9973f85ed0a8be2723c7ff4bd028af00ea98c9cbcde9df6aabcf394b2"
+ logic_hash = "v1_sha256_bfd628a9973f85ed0a8be2723c7ff4bd028af00ea98c9cbcde9df6aabcf394b2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70277,9 +70277,9 @@ rule ELASTIC_Linux_Trojan_Mirai_3Fe3C668 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L518-L535"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "e75b2dca7de7d9f31a0ae5940dc45d0e6d0f1ca110b5458fc99912400da97bde"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L518-L535"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_e75b2dca7de7d9f31a0ae5940dc45d0e6d0f1ca110b5458fc99912400da97bde"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70305,10 +70305,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Eedfbfc6 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L537-L555"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L537-L555"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b7342f7437a3a16805a7a8d4a667e0e018584f9a99591413650e05d21d3e6da6"
- logic_hash = "949b32db1a00570fc84fbbe510f57f6e898d089efd3fedbd7719f8059021b6bc"
+ logic_hash = "v1_sha256_949b32db1a00570fc84fbbe510f57f6e898d089efd3fedbd7719f8059021b6bc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70334,10 +70334,10 @@ rule ELASTIC_Linux_Trojan_Mirai_6D96Ae91 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L557-L575"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L557-L575"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e3a1d92df6fb566e09c389cfb085126d2ea0f51a776ec099afb8913ef5e96f9b"
- logic_hash = "43b0ac7090620eb6c892f1105778c395bf18f5ac309ce1b2d9015b5abccbfc2a"
+ logic_hash = "v1_sha256_43b0ac7090620eb6c892f1105778c395bf18f5ac309ce1b2d9015b5abccbfc2a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70363,10 +70363,10 @@ rule ELASTIC_Linux_Trojan_Mirai_D8779A57 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L577-L595"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L577-L595"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c490586fbf90d360cf3b2f9e2dc943809441df3dfd64dadad27fc9f5ee96ec74"
- logic_hash = "2154786bbb6dbcc280aaa9e2b75106b585d04c7c85f6162f441c81dc54663cb3"
+ logic_hash = "v1_sha256_2154786bbb6dbcc280aaa9e2b75106b585d04c7c85f6162f441c81dc54663cb3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70392,10 +70392,10 @@ rule ELASTIC_Linux_Trojan_Mirai_3E72E107 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L597-L615"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L597-L615"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "57d04035b68950246dd152054e949008dafb810f3705710d09911876cd44aec7"
- logic_hash = "ba0ba56ded8977502ad9f8a1ceebd30efbff964d576bbfeedff5761f0538d8f0"
+ logic_hash = "v1_sha256_ba0ba56ded8977502ad9f8a1ceebd30efbff964d576bbfeedff5761f0538d8f0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70421,10 +70421,10 @@ rule ELASTIC_Linux_Trojan_Mirai_5C62E6B2 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L617-L635"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L617-L635"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9"
- logic_hash = "6505c4272f0f7c8c5f2d3f7cefdc3947c4015b0dfd94efde4357a506af93a99d"
+ logic_hash = "v1_sha256_6505c4272f0f7c8c5f2d3f7cefdc3947c4015b0dfd94efde4357a506af93a99d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70450,10 +70450,10 @@ rule ELASTIC_Linux_Trojan_Mirai_C5430Ff9 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L637-L655"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L637-L655"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5676773882a84d0efc220dd7595c4594bc824cbe3eeddfadc00ac3c8e899aa77"
- logic_hash = "8c385980560cd4b24e703744b57a9d5ea1bca8fbeea066e98dd4b40009e56104"
+ logic_hash = "v1_sha256_8c385980560cd4b24e703744b57a9d5ea1bca8fbeea066e98dd4b40009e56104"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70479,10 +70479,10 @@ rule ELASTIC_Linux_Trojan_Mirai_402Adc45 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L657-L675"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L657-L675"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1ae0cd7e5bac967e31771873b4b41a1887abddfcdfcc76fa9149bb2054b03ca4"
- logic_hash = "dab879d57507d5e119ddf4ce6ed33570c74f185a2260e97a7ec1d6c844943e5d"
+ logic_hash = "v1_sha256_dab879d57507d5e119ddf4ce6ed33570c74f185a2260e97a7ec1d6c844943e5d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70508,9 +70508,9 @@ rule ELASTIC_Linux_Trojan_Mirai_A39Dfaa7 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L677-L694"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "98fde36fc412b6aa50c80c12118975a6bf754a9fba94f1cc3cdeed22565d6b0d"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L677-L694"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_98fde36fc412b6aa50c80c12118975a6bf754a9fba94f1cc3cdeed22565d6b0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70536,10 +70536,10 @@ rule ELASTIC_Linux_Trojan_Mirai_E3E6D768 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L696-L714"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L696-L714"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b505cb26d3ead5a0ef82d2c87a9b352cc0268ef0571f5e28defca7131065545e"
- logic_hash = "b848c7200f405d77553d661a6c49fb958df225875957ead35b35091995f307d1"
+ logic_hash = "v1_sha256_b848c7200f405d77553d661a6c49fb958df225875957ead35b35091995f307d1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70565,9 +70565,9 @@ rule ELASTIC_Linux_Trojan_Mirai_520Deeb8 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L716-L733"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "671c17835f30cce1e5d68dbf3a73d340069b1b55a2ac42fc132c008cb2da622e"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L716-L733"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_671c17835f30cce1e5d68dbf3a73d340069b1b55a2ac42fc132c008cb2da622e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70593,10 +70593,10 @@ rule ELASTIC_Linux_Trojan_Mirai_77137320 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L735-L753"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L735-L753"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9"
- logic_hash = "ee48e0478845a61dbbdb5cc3ee5194eb272fcf6dcf139381f068c9af1557d0d4"
+ logic_hash = "v1_sha256_ee48e0478845a61dbbdb5cc3ee5194eb272fcf6dcf139381f068c9af1557d0d4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70622,9 +70622,9 @@ rule ELASTIC_Linux_Trojan_Mirai_A6A81F9C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L755-L772"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "0d31cc1f4a673c13e6c81c492acbe16e1e0dfb0b15913fb276ea4abff18b32af"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L755-L772"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_0d31cc1f4a673c13e6c81c492acbe16e1e0dfb0b15913fb276ea4abff18b32af"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70650,10 +70650,10 @@ rule ELASTIC_Linux_Trojan_Mirai_485C4B13 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L774-L792"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L774-L792"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead"
- logic_hash = "9625e4190559cc77f41ebef24f9bfa5e3d2e2259c12b301148c614b0f98b5835"
+ logic_hash = "v1_sha256_9625e4190559cc77f41ebef24f9bfa5e3d2e2259c12b301148c614b0f98b5835"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70679,9 +70679,9 @@ rule ELASTIC_Linux_Trojan_Mirai_7146E518 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L794-L811"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "374602254be1f5c1dbb00ad25d870722e03d674033dfcf953a2895e1f50c637d"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L794-L811"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_374602254be1f5c1dbb00ad25d870722e03d674033dfcf953a2895e1f50c637d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70707,9 +70707,9 @@ rule ELASTIC_Linux_Trojan_Mirai_6A77Af0F : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L813-L830"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "7d7623dfc1e16c7c02294607ddf46edd12cdc7d39a2b920d8711dc47c383731b"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L813-L830"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_7d7623dfc1e16c7c02294607ddf46edd12cdc7d39a2b920d8711dc47c383731b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70735,9 +70735,9 @@ rule ELASTIC_Linux_Trojan_Mirai_5F7B67B8 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L832-L849"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "b2aedc0361c1093d7a996f26d907da3e4654c32a6dbcdbab441c19d4207f2e2a"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L832-L849"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_b2aedc0361c1093d7a996f26d907da3e4654c32a6dbcdbab441c19d4207f2e2a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70763,10 +70763,10 @@ rule ELASTIC_Linux_Trojan_Mirai_A3Cedc45 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L851-L869"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L851-L869"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1ae0cd7e5bac967e31771873b4b41a1887abddfcdfcc76fa9149bb2054b03ca4"
- logic_hash = "9233e6faa43d8ea43ff3c71ecb5248d5d311b2a593825c299cac4466278cd020"
+ logic_hash = "v1_sha256_9233e6faa43d8ea43ff3c71ecb5248d5d311b2a593825c299cac4466278cd020"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70792,10 +70792,10 @@ rule ELASTIC_Linux_Trojan_Mirai_7D05725E : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L871-L889"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L871-L889"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb"
- logic_hash = "ac2d0b81325ce7984bc09f93e61b42c8e312a31c75f09d37313d70cd40d3cf8b"
+ logic_hash = "v1_sha256_ac2d0b81325ce7984bc09f93e61b42c8e312a31c75f09d37313d70cd40d3cf8b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70821,10 +70821,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Fa48B592 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L891-L909"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L891-L909"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee"
- logic_hash = "5648bcc96b1fdd1529b4b8765b1738594d0d61f7880b763e803cd89bd117e96b"
+ logic_hash = "v1_sha256_5648bcc96b1fdd1529b4b8765b1738594d0d61f7880b763e803cd89bd117e96b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70850,9 +70850,9 @@ rule ELASTIC_Linux_Trojan_Mirai_B9A9D04B : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L911-L928"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "61575576be4c1991bc381965a40e5d9d751bba2680a42907b0148651716419fc"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L911-L928"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_61575576be4c1991bc381965a40e5d9d751bba2680a42907b0148651716419fc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70878,10 +70878,10 @@ rule ELASTIC_Linux_Trojan_Mirai_D2205527 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L930-L948"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L930-L948"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e4f584d1f75f0d7c98b325adc55025304d55907e8eb77b328c007600180d6f06"
- logic_hash = "172ba256873cce61047a5198733cacaff4ef343c9cbd76f2fbbf0e1ed8003236"
+ logic_hash = "v1_sha256_172ba256873cce61047a5198733cacaff4ef343c9cbd76f2fbbf0e1ed8003236"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70907,10 +70907,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Ab073861 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L950-L968"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L950-L968"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "175444a9c9ca78565de4b2eabe341f51b55e59dec00090574ee0f1875422cbac"
- logic_hash = "251b92c4fec9d113025c6869c279247a3dd16ee094c8861fe43a33f87132bf75"
+ logic_hash = "v1_sha256_251b92c4fec9d113025c6869c279247a3dd16ee094c8861fe43a33f87132bf75"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70936,9 +70936,9 @@ rule ELASTIC_Linux_Trojan_Mirai_637F2C04 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L970-L987"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "cff4aa6c613ccc64f64441f7e40f79d3a22b5c12856c32814545bd41d5f112bd"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L970-L987"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_cff4aa6c613ccc64f64441f7e40f79d3a22b5c12856c32814545bd41d5f112bd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70964,9 +70964,9 @@ rule ELASTIC_Linux_Trojan_Mirai_Aa39Fb02 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L989-L1006"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "ffa95d92a2b619008bd5918cd34a17cd034b2830dc09d495db4b0c397b1cb53a"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L989-L1006"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_ffa95d92a2b619008bd5918cd34a17cd034b2830dc09d495db4b0c397b1cb53a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70992,10 +70992,10 @@ rule ELASTIC_Linux_Trojan_Mirai_0Bce98A2 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1008-L1026"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1008-L1026"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80"
- logic_hash = "04d10ef03c178fb101d3c6b6d3b36f0aa04149b9b35a33c3d10d17af1fc07625"
+ logic_hash = "v1_sha256_04d10ef03c178fb101d3c6b6d3b36f0aa04149b9b35a33c3d10d17af1fc07625"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71021,9 +71021,9 @@ rule ELASTIC_Linux_Trojan_Mirai_3A56423B : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1028-L1045"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "0c2765a5c1b331eb9ff5e542bc72eff7be3506e6caef94128413d500086715c6"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1028-L1045"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_0c2765a5c1b331eb9ff5e542bc72eff7be3506e6caef94128413d500086715c6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71049,10 +71049,10 @@ rule ELASTIC_Linux_Trojan_Mirai_D18B3463 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1047-L1065"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1047-L1065"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3"
- logic_hash = "f906c6f9baae6d6fa3f42e84607549bae44ed9ca847fd916d04f2671eef1caa1"
+ logic_hash = "v1_sha256_f906c6f9baae6d6fa3f42e84607549bae44ed9ca847fd916d04f2671eef1caa1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71078,9 +71078,9 @@ rule ELASTIC_Linux_Trojan_Mirai_Fe721Dc5 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1067-L1084"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "e9312eefb5f14a27d96e973139e45098c2f62a24d5254ca24dea64b9888a4448"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1067-L1084"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_e9312eefb5f14a27d96e973139e45098c2f62a24d5254ca24dea64b9888a4448"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71106,9 +71106,9 @@ rule ELASTIC_Linux_Trojan_Mirai_575F5Bc8 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1086-L1103"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "dec143d096f5774f297ce90ef664ae50c40ae4f87843bbb34e496565c0faf3b2"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1086-L1103"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_dec143d096f5774f297ce90ef664ae50c40ae4f87843bbb34e496565c0faf3b2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71134,10 +71134,10 @@ rule ELASTIC_Linux_Trojan_Mirai_449937Aa : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1105-L1123"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1105-L1123"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6f27766534445cffb097c7c52db1fca53b2210c1b10b75594f77c34dc8b994fe"
- logic_hash = "d459e46893115dbdef46bcaceb6a66255ef3a389f1bf7173b0e0bd0d8ce024fb"
+ logic_hash = "v1_sha256_d459e46893115dbdef46bcaceb6a66255ef3a389f1bf7173b0e0bd0d8ce024fb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71163,10 +71163,10 @@ rule ELASTIC_Linux_Trojan_Mirai_2E3F67A9 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1125-L1143"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1125-L1143"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb"
- logic_hash = "8c83c5d32c58041444f33264f692a7580c76324d2cbad736fdd737bdfcd63595"
+ logic_hash = "v1_sha256_8c83c5d32c58041444f33264f692a7580c76324d2cbad736fdd737bdfcd63595"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71192,9 +71192,9 @@ rule ELASTIC_Linux_Trojan_Mirai_01E4A728 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1145-L1162"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "753936b97a36c774975a1d0988f6f908d4b5e5906498aa34c606d4cd971f1ba5"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1145-L1162"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_753936b97a36c774975a1d0988f6f908d4b5e5906498aa34c606d4cd971f1ba5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71220,10 +71220,10 @@ rule ELASTIC_Linux_Trojan_Mirai_64D5Cde2 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1164-L1182"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1164-L1182"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "caf2a8c199156db2f39dbb0a303db56040f615c4410e074ef56be2662752ca9d"
- logic_hash = "08f3635e5517185cae936b39f503bbeba5aed2e36abdd805170a259bc5e3644f"
+ logic_hash = "v1_sha256_08f3635e5517185cae936b39f503bbeba5aed2e36abdd805170a259bc5e3644f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71249,10 +71249,10 @@ rule ELASTIC_Linux_Trojan_Mirai_0D73971C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1184-L1202"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1184-L1202"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead"
- logic_hash = "56f3bac05fce0a0458e5b80197335e7bef6dcd50b9feb6f1008b8679f29cf37a"
+ logic_hash = "v1_sha256_56f3bac05fce0a0458e5b80197335e7bef6dcd50b9feb6f1008b8679f29cf37a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71278,10 +71278,10 @@ rule ELASTIC_Linux_Trojan_Mirai_82C361D4 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1204-L1222"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1204-L1222"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f8dbcf0fc52f0c717c8680cb5171a8c6c395f14fd40a2af75efc9ba5684a5b49"
- logic_hash = "766a964d7d35525fbc88adcf86fb69d11f9c63c0d28ceefb3ae79797a7161193"
+ logic_hash = "v1_sha256_766a964d7d35525fbc88adcf86fb69d11f9c63c0d28ceefb3ae79797a7161193"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71307,10 +71307,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Ec591E81 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1224-L1242"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1224-L1242"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7d45a4a128c25f317020b5d042ab893e9875b6ff0ef17482b984f5b3fe87e451"
- logic_hash = "f2a147fe7f98d2b3141a1fda118ee803c81d9bc6f498bfaf3557665397eb44da"
+ logic_hash = "v1_sha256_f2a147fe7f98d2b3141a1fda118ee803c81d9bc6f498bfaf3557665397eb44da"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71336,10 +71336,10 @@ rule ELASTIC_Linux_Trojan_Mirai_0Eba3F5A : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1244-L1262"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1244-L1262"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2e4f89c76dfefd4b2bfd1cf0467ac0324026355723950d12d7ed51195fd998cf"
- logic_hash = "bcb2f1e1659102f39977fac43b119c58d6c72f828c3065e2318f671146e911da"
+ logic_hash = "v1_sha256_bcb2f1e1659102f39977fac43b119c58d6c72f828c3065e2318f671146e911da"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71365,10 +71365,10 @@ rule ELASTIC_Linux_Trojan_Mirai_E43A8744 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1264-L1282"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1264-L1282"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f363d9bd2132d969cd41e79f29c53ef403da64ca8afc4643084cc50076ddfb47"
- logic_hash = "17c52d2b720fa2e98c3e9bb077525a695a6e547a66e8c44fcc1e26e48df81adf"
+ logic_hash = "v1_sha256_17c52d2b720fa2e98c3e9bb077525a695a6e547a66e8c44fcc1e26e48df81adf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71394,9 +71394,9 @@ rule ELASTIC_Linux_Trojan_Mirai_6E8E9257 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1284-L1301"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "67973257e578783838f18dc8ae994f221ad1c1b3f4a04a2b6b523da5ebd8c95b"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1284-L1301"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_67973257e578783838f18dc8ae994f221ad1c1b3f4a04a2b6b523da5ebd8c95b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71422,10 +71422,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Ac253E4F : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1303-L1321"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1303-L1321"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9"
- logic_hash = "1ab463fce01148c2cc95659fdf8b05e597d9b4eeabe81a9cdfa1da3632d72291"
+ logic_hash = "v1_sha256_1ab463fce01148c2cc95659fdf8b05e597d9b4eeabe81a9cdfa1da3632d72291"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71451,10 +71451,10 @@ rule ELASTIC_Linux_Trojan_Mirai_994535C4 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1323-L1341"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1323-L1341"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "376a2771a2a973628e22379b3dbb9a8015c828505bbe18a0c027b5d513c9e90d"
- logic_hash = "c83c8c9cdfea1bf322115e5b23d751b226a5dbf42fc41faac172d36192ccf31f"
+ logic_hash = "v1_sha256_c83c8c9cdfea1bf322115e5b23d751b226a5dbf42fc41faac172d36192ccf31f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71480,10 +71480,10 @@ rule ELASTIC_Linux_Trojan_Mirai_A68E498C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1343-L1361"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1343-L1361"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "e4552813dc92b397c5ba78f32ee6507520f337b55779a3fc705de7e961f8eb8f"
+ logic_hash = "v1_sha256_e4552813dc92b397c5ba78f32ee6507520f337b55779a3fc705de7e961f8eb8f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71509,10 +71509,10 @@ rule ELASTIC_Linux_Trojan_Mirai_88De437F : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1363-L1381"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1363-L1381"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "233dbf3d13c35f4c9c7078d67ea60086355c801ce6515f9d3c518e95afd39d85"
+ logic_hash = "v1_sha256_233dbf3d13c35f4c9c7078d67ea60086355c801ce6515f9d3c518e95afd39d85"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71538,10 +71538,10 @@ rule ELASTIC_Linux_Trojan_Mirai_95E0056C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1383-L1401"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1383-L1401"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "45f67d4c18abc1bad9a9cc6305983abf3234cd955d2177f1a72c146ced50a380"
- logic_hash = "9e34891d28034d1f4fc3da5cb99df8fc74f0b876903088f5eab5fe36e0e0e603"
+ logic_hash = "v1_sha256_9e34891d28034d1f4fc3da5cb99df8fc74f0b876903088f5eab5fe36e0e0e603"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71567,10 +71567,10 @@ rule ELASTIC_Linux_Trojan_Mirai_B548632D : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1403-L1421"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1403-L1421"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "639d9d6da22e84fb6b6fc676a1c4cfd74a8ed546ce8661500ab2ef971242df07"
- logic_hash = "bfb46457f8b79548726e3988d649f94e04f26f9e546aae70ece94defae6bab8a"
+ logic_hash = "v1_sha256_bfb46457f8b79548726e3988d649f94e04f26f9e546aae70ece94defae6bab8a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71596,9 +71596,9 @@ rule ELASTIC_Linux_Trojan_Mirai_E0Cf29E2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1423-L1440" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "693e27da8cbab32954cc2c9ba648151ad9fc21fe53251628145d7b436ec5e976" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1423-L1440" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_693e27da8cbab32954cc2c9ba648151ad9fc21fe53251628145d7b436ec5e976" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71624,10 +71624,10 @@ rule ELASTIC_Linux_Trojan_Mirai_1754B331 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1442-L1460" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1442-L1460" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0d89fc59d0de2584af0e4614a1561d1d343faa766edfef27d1ea96790ac7014b" - logic_hash = "fde04b0e31a00326f9d011198995999ff9b15628f5ff4139ec7dec19ac0c59c9" + logic_hash = "v1_sha256_fde04b0e31a00326f9d011198995999ff9b15628f5ff4139ec7dec19ac0c59c9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71653,10 +71653,10 @@ rule ELASTIC_Linux_Trojan_Mirai_3278F1B8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1462-L1480" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1462-L1480" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb" - logic_hash = "4d709e8e2062099ac06b241408e52bcb86bbf8163faaffbcff68a05f864e1b3f" + logic_hash = "v1_sha256_4d709e8e2062099ac06b241408e52bcb86bbf8163faaffbcff68a05f864e1b3f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71682,10 +71682,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Ab804Bb7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1482-L1500" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1482-L1500" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8f0cc764729498b4cb9c5446f1a84cde54e828e913dc78faf537004a7df21b20" - logic_hash = "cef2ffafe152332502fb0d72d014c81b90dc9ad4f4491f1b2f2f9c1f73cc7958" + logic_hash = "v1_sha256_cef2ffafe152332502fb0d72d014c81b90dc9ad4f4491f1b2f2f9c1f73cc7958" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71711,10 +71711,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Dca3B9B4 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1502-L1520" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1502-L1520" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a839437deba6d30e7a22104561e38f60776729199a96a71da3a88a7c7990246a" - logic_hash = "f85dfc1c00706d7ac11ef35c41c471383ef8b019a5c2566b27072a5ef5ad5c93" + logic_hash = "v1_sha256_f85dfc1c00706d7ac11ef35c41c471383ef8b019a5c2566b27072a5ef5ad5c93" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71740,9 +71740,9 @@ rule ELASTIC_Linux_Trojan_Mirai_Ae9D0Fa6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1522-L1539" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8da5b14b95d96de5ced8bcab98e23973e449c1b5ca101f39a2114bb8e74fd9a5" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1522-L1539" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8da5b14b95d96de5ced8bcab98e23973e449c1b5ca101f39a2114bb8e74fd9a5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71768,10 +71768,10 @@ rule ELASTIC_Linux_Trojan_Mirai_612B407C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1541-L1559" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1541-L1559" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7833bc89778461a9f46cc47a78c67dda48b498ee40b09a80a21e67cb70c6add1" - logic_hash = "6514725a32f7c28be7de5ff6fe1363df7c50e2cd6c8c79824ec4cbeadda2ca31" + logic_hash = "v1_sha256_6514725a32f7c28be7de5ff6fe1363df7c50e2cd6c8c79824ec4cbeadda2ca31" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71797,10 +71797,10 @@ rule ELASTIC_Linux_Trojan_Mirai_D5Da717F : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1561-L1579" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1561-L1579" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1f6bcdfc7d1c56228897cd7548266bb0b9a41b913be354036816643ac21b6f66" - logic_hash = "034dae5bea7536e8c8aa22b8b891b9c991b94f04be12c9fe6d78ddf07a2365d9" + logic_hash = "v1_sha256_034dae5bea7536e8c8aa22b8b891b9c991b94f04be12c9fe6d78ddf07a2365d9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71826,10 +71826,10 @@ rule ELASTIC_Linux_Trojan_Mirai_D33095D4 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1581-L1599" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1581-L1599" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "72326a3a9160e9481dd6fc87159f7ebf8a358f52bf0c17fbc3df80217d032635" - logic_hash = "b7feaec65d72907d08c98b09fb4ac494ceee7d7bd51c09063363c617e3f057a4" + logic_hash = "v1_sha256_b7feaec65d72907d08c98b09fb4ac494ceee7d7bd51c09063363c617e3f057a4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71855,10 +71855,10 @@ rule ELASTIC_Linux_Trojan_Mirai_4E2246Fb : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1601-L1619" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1601-L1619" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1f6bcdfc7d1c56228897cd7548266bb0b9a41b913be354036816643ac21b6f66" - logic_hash = "6d2e1300286751a5e1ae683e9aab2f59bfbb20d1cc18dcce89c06ecadf25a3e6" + logic_hash = "v1_sha256_6d2e1300286751a5e1ae683e9aab2f59bfbb20d1cc18dcce89c06ecadf25a3e6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71884,10 +71884,10 @@ rule ELASTIC_Linux_Trojan_Mirai_D5981806 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1621-L1639" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1621-L1639" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "784f2005853b5375efaf3995208e4611b81b8c52f67b6dc139fd9fec7b49d9dc" - logic_hash = "e625323543aa5c8374a179dfa51c3f5be1446459c45fa7c7a27ae383cf0f551b" + logic_hash = "v1_sha256_e625323543aa5c8374a179dfa51c3f5be1446459c45fa7c7a27ae383cf0f551b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71913,10 +71913,10 @@ rule ELASTIC_Linux_Trojan_Mirai_C6055Dc9 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1641-L1659" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1641-L1659" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c1718d7fdeef886caa33951e75cbd9139467fa1724605fdf76c8cdb1ec20e024" - logic_hash = "4d9d7c44f0d3ae60275720ae5faf3c25c368aa6e7d9ab5ed706a30f9a7ffd3b8" + logic_hash = "v1_sha256_4d9d7c44f0d3ae60275720ae5faf3c25c368aa6e7d9ab5ed706a30f9a7ffd3b8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71942,10 +71942,10 @@ rule ELASTIC_Linux_Trojan_Mirai_3B9675Fd : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1661-L1679" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1661-L1679" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4ec4bc88156bd51451fdaf0550c21c799c6adacbfc654c8ec634ebca3383bd66" - logic_hash = "61ff7cb8d664291de5cf0c82b80cf0f4001c41d3f02b7f4762f67eb8128df15d" + logic_hash = "v1_sha256_61ff7cb8d664291de5cf0c82b80cf0f4001c41d3f02b7f4762f67eb8128df15d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -71971,10 +71971,10 @@ rule ELASTIC_Linux_Trojan_Mirai_1C0D246D : FILE MEMORY date = "2021-04-13" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1681-L1700" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1681-L1700" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "211cfe9d158c8a6840a53f2d1db2bf94ae689946fffb791eed3acceef7f0e3dd" - logic_hash = "7a101e6d2265e09eb6c8d0f1a2fe54c9aa353dfd8bd156926937f4aec86c3ef1" + logic_hash = "v1_sha256_7a101e6d2265e09eb6c8d0f1a2fe54c9aa353dfd8bd156926937f4aec86c3ef1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72001,9 +72001,9 @@ rule ELASTIC_Linux_Trojan_Mirai_Ad337D2F : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "012b717909a8b251ec1e0c284b3c795865a32a1f4b79706d2254a4eb289c30a7" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1702-L1720" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "dba630c1deb00b0dbd9f895a9b93393bc634150c8f32527b02d8dd71dc806e7d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1702-L1720" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_dba630c1deb00b0dbd9f895a9b93393bc634150c8f32527b02d8dd71dc806e7d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -72029,9 +72029,9 @@ rule ELASTIC_Linux_Trojan_Mirai_88A1B067 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1722-L1740" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "0755f1f974734ccd4ecc444217bf52ed306d1dc32c05841ba9ca6d259e1a147e" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1722-L1740" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_0755f1f974734ccd4ecc444217bf52ed306d1dc32c05841ba9ca6d259e1a147e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72057,9 +72057,9 @@ rule ELASTIC_Linux_Trojan_Mirai_76Bbc4Ca : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "1a9ff86a66d417678c387102932a71fd879972173901c04f3462de0e519c3b51" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1742-L1760" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "855b7938b92b5645fcefd2ec1e2ccb71269654816f362282ccbf9aef1c01c8a0" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1742-L1760" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_855b7938b92b5645fcefd2ec1e2ccb71269654816f362282ccbf9aef1c01c8a0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72085,10 +72085,10 @@ rule ELASTIC_Linux_Trojan_Mirai_0Bfc17Bd : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1762-L1780" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1762-L1780" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1cdd94f2a1cb2b93134646c171d947e325a498f7a13db021e88c05a4cbb68903" - logic_hash = "ef83bc9ae3c881d09b691db42a1712b500a5bb8df34060a6786cfdc6caaf5530" + logic_hash = "v1_sha256_ef83bc9ae3c881d09b691db42a1712b500a5bb8df34060a6786cfdc6caaf5530" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72114,10 +72114,10 @@ rule ELASTIC_Linux_Trojan_Mirai_389Ee3E9 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1782-L1800" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1782-L1800" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f" - logic_hash = "fedeae98d468a11c3eaa561b9d5433ec206bdd4caed5aed7926434730f7f866b" + logic_hash = "v1_sha256_fedeae98d468a11c3eaa561b9d5433ec206bdd4caed5aed7926434730f7f866b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72143,10 +72143,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Cc93863B : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1802-L1820" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1802-L1820" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f" - logic_hash = "881998dee010270d7cefae5b59a888e541d4a2b93e3e52ae0abe0df41371c50d" + logic_hash = "v1_sha256_881998dee010270d7cefae5b59a888e541d4a2b93e3e52ae0abe0df41371c50d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72172,10 +72172,10 @@ rule ELASTIC_Linux_Trojan_Mirai_8Aa7B5D3 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1822-L1840" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1822-L1840" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f" - logic_hash = "3c99b7b126184b75802c7198c81f4783af776920edc6e964dbe726d28d88f64d" + logic_hash = "v1_sha256_3c99b7b126184b75802c7198c81f4783af776920edc6e964dbe726d28d88f64d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72201,10 +72201,10 @@ rule ELASTIC_Linux_Trojan_Mirai_76908C99 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1842-L1860" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1842-L1860" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "533a90959bfb337fd7532fb844501fd568f5f4a49998d5d479daf5dfbd01abb2" - logic_hash = "bd8254e888b1ea93ca9aad92ea2c8ece1f2d03ae2949ca4c3743b6e339ee21e0" + logic_hash = "v1_sha256_bd8254e888b1ea93ca9aad92ea2c8ece1f2d03ae2949ca4c3743b6e339ee21e0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72230,10 +72230,10 @@ rule ELASTIC_Linux_Trojan_Mirai_1538Ce1A : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1862-L1880" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1862-L1880" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2382996a8fd44111376253da227120649a1a94b5c61739e87a4e8acc1130e662" - logic_hash = "cf2dd11da520640c6a64e05c4679072a714d8cf93d5f5aa3a1eca8eb3e9c8b3b" + logic_hash = "v1_sha256_cf2dd11da520640c6a64e05c4679072a714d8cf93d5f5aa3a1eca8eb3e9c8b3b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72259,10 +72259,10 @@ rule ELASTIC_Linux_Trojan_Mirai_07B1F4F6 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1882-L1900" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1882-L1900" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2382996a8fd44111376253da227120649a1a94b5c61739e87a4e8acc1130e662" - logic_hash = "4af1a20e29e0c9b62e1530031e49a3d7b37d4e9a547d89a270a2e59e0c7852cc" + logic_hash = "v1_sha256_4af1a20e29e0c9b62e1530031e49a3d7b37d4e9a547d89a270a2e59e0c7852cc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72288,10 +72288,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Feaa98Ff : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1902-L1920" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1902-L1920" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2382996a8fd44111376253da227120649a1a94b5c61739e87a4e8acc1130e662" - logic_hash = "06be9d8bcfcb7e6b600103cf29fa8a94a457ff56e8c7018336c270978a57ccbf" + logic_hash = "v1_sha256_06be9d8bcfcb7e6b600103cf29fa8a94a457ff56e8c7018336c270978a57ccbf" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72317,10 +72317,10 @@ rule ELASTIC_Linux_Trojan_Mirai_3Acd6Ed4 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1922-L1940" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1922-L1940" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2644447de8befa1b4fe39b2117d49754718a2f230d6d5f977166386aa88e7b84" - logic_hash = "ab284d41af8e1920fa54ac8bfab84bac493adf816aebce60490ab22c0e502201" + logic_hash = "v1_sha256_ab284d41af8e1920fa54ac8bfab84bac493adf816aebce60490ab22c0e502201" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72346,10 +72346,10 @@ rule ELASTIC_Linux_Trojan_Mirai_Eb940856 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mirai.yar#L1942-L1960" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mirai.yar#L1942-L1960" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fbf814c04234fc95b6a288b62fb9513d6bbad2e601b96db14bb65ab153e65fef" - logic_hash = "d7bb2373a35ea97a11513e80e9a561f53a8f0b9345f392e8e7f042d4cb2d7d20" + logic_hash = "v1_sha256_d7bb2373a35ea97a11513e80e9a561f53a8f0b9345f392e8e7f042d4cb2d7d20" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72375,10 +72375,10 @@ rule ELASTIC_Macos_Trojan_Electrorat_B4Dbfd1D : FILE MEMORY date = "2021-09-30" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Electrorat.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Electrorat.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b1028b38fcce0d54f2013c89a9c0605ccb316c36c27faf3a35adf435837025a4" - logic_hash = "a36143a8c93cb187dba0a88a15550219c19f1483502f782dfefc1e53829cfbf1" + logic_hash = "v1_sha256_a36143a8c93cb187dba0a88a15550219c19f1483502f782dfefc1e53829cfbf1" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -72407,10 +72407,10 @@ rule ELASTIC_Windows_Trojan_Suddenicon_99487621 : FILE MEMORY date = "2023-03-29" modified = "2023-03-30" reference = "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SuddenIcon.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SuddenIcon.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973" - logic_hash = "9a441c47e8b95d8aaec6f495d6ddfec2ed6b0762637ea48e64c9ea01b0945019" + logic_hash = "v1_sha256_9a441c47e8b95d8aaec6f495d6ddfec2ed6b0762637ea48e64c9ea01b0945019" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -72431,7 +72431,7 @@ rule ELASTIC_Windows_Trojan_Suddenicon_99487621 : FILE MEMORY $seq_virtualprotect = { FF 15 ?? ?? ?? ?? 85 C0 74 ?? FF D5 48 85 C0 74 ?? 81 7B ?? CA 7D 0F 00 75 ?? 48 8D 54 24 ?? 48 8D 4C 24 ?? FF D0 8B F8 44 8B 44 24 ?? 4C 8D 4C 24 ?? BA 00 10 00 00 48 8B CD FF 15 ?? ?? ?? ?? } condition: - 5 of ($str*) or 2 of ($seq*) + 5 of ( $str* ) or 2 of ( $seq* ) } rule ELASTIC_Windows_Trojan_Suddenicon_8B07C275 : FILE MEMORY { 
@@ -72442,10 +72442,10 @@ rule ELASTIC_Windows_Trojan_Suddenicon_8B07C275 : FILE MEMORY date = "2023-03-29" modified = "2023-03-30" reference = "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SuddenIcon.yar#L28-L48" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SuddenIcon.yar#L28-L48" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973" - logic_hash = "64e8bd8929c9fb8cae16f772e3266b02b4ddec770ff8d5379a93a483eb8ff660" + logic_hash = "v1_sha256_64e8bd8929c9fb8cae16f772e3266b02b4ddec770ff8d5379a93a483eb8ff660" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72472,9 +72472,9 @@ rule ELASTIC_Windows_Trojan_Suddenicon_Ac021Ae0 : FILE MEMORY date = "2023-03-30" modified = "2023-03-30" reference = "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SuddenIcon.yar#L50-L76" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "033eabdd8ce8ecc4e1a657161c1f298c7dfe536ee2dbf9375cfda894638a7bee" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SuddenIcon.yar#L50-L76" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_033eabdd8ce8ecc4e1a657161c1f298c7dfe536ee2dbf9375cfda894638a7bee" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -72497,7 +72497,7 @@ rule ELASTIC_Windows_Trojan_Suddenicon_Ac021Ae0 : FILE MEMORY $b1 = "\\3CXDesktopApp\\config.json" wide fullword condition: - 6 of ($str*) or 1 of ($b*) + 6 of ( $str* ) or 1 of ( $b* ) } rule ELASTIC_Windows_Vulndriver_Llaccess_C57534E8 : FILE { 
@@ -72508,10 +72508,10 @@ rule ELASTIC_Windows_Vulndriver_Llaccess_C57534E8 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_LLAccess.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_LLAccess.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - logic_hash = "8bf629fd2ce0b1f15c7aacd573659b649dcf968556232683b29d68b27d12e577" + logic_hash = "v1_sha256_8bf629fd2ce0b1f15c7aacd573659b649dcf968556232683b29d68b27d12e577" score = 75 quality = 75 tags = "FILE" @@ -72528,7 +72528,7 @@ rule ELASTIC_Windows_Vulndriver_Llaccess_C57534E8 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x12][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x11][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Shellcode_Generic_8C487E57 : FILE MEMORY { 
@@ -72539,9 +72539,9 @@ rule ELASTIC_Windows_Shellcode_Generic_8C487E57 : FILE MEMORY date = "2022-05-23" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Shellcode_Generic.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "a86ea8e15248e83ce7322c10e308a5a24096b1d7c67f5673687563dec8229dfe" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Shellcode_Generic.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_a86ea8e15248e83ce7322c10e308a5a24096b1d7c67f5673687563dec8229dfe" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -72567,9 +72567,9 @@ rule ELASTIC_Windows_Shellcode_Generic_F27D7Beb : FILE MEMORY date = "2022-06-08" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Shellcode_Generic.yar#L20-L37" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8530a74a002d0286711cd86545aff0bf853de6b6684473b6211d678797c3639f" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Shellcode_Generic.yar#L20-L37" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8530a74a002d0286711cd86545aff0bf853de6b6684473b6211d678797c3639f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72595,9 +72595,9 @@ rule ELASTIC_Windows_Shellcode_Generic_29Dcbf7A : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Shellcode_Generic.yar#L39-L56" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c2a81cc27e696a2e488df7d2f96784bbaed83df5783efab312fc5ccbfd524b43" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Shellcode_Generic.yar#L39-L56" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c2a81cc27e696a2e488df7d2f96784bbaed83df5783efab312fc5ccbfd524b43" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72623,10 +72623,10 @@ rule ELASTIC_Windows_Hacktool_Cpulocker_73B41444 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_CpuLocker.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_CpuLocker.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dbfc90fa2c5dc57899cc75ccb9dc7b102cb4556509cdfecde75b36f602d7da66" - logic_hash = "8fb33744326781c51bb6bd18d0574602256b813b62ec8344d5338e6442bb2de0" + logic_hash = "v1_sha256_8fb33744326781c51bb6bd18d0574602256b813b62ec8344d5338e6442bb2de0" score = 75 quality = 75 tags = "FILE" @@ -72641,7 +72641,7 @@ rule ELASTIC_Windows_Hacktool_Cpulocker_73B41444 : FILE $str1 = "\\CPULocker.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Linux_Trojan_Ngioweb_8Bd3002C : FILE MEMORY { 
@@ -72652,10 +72652,10 @@ rule ELASTIC_Linux_Trojan_Ngioweb_8Bd3002C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5480bc02aeebd3062e6d19e50a5540536ce140d950327cce937ff7e71ebd15e2" - logic_hash = "578fd1c3e6091df9550b3c2caf999d7a0432f037b0cc4b15642531e7fdffd7b7" + logic_hash = "v1_sha256_578fd1c3e6091df9550b3c2caf999d7a0432f037b0cc4b15642531e7fdffd7b7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72681,10 +72681,10 @@ rule ELASTIC_Linux_Trojan_Ngioweb_A592A280 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5480bc02aeebd3062e6d19e50a5540536ce140d950327cce937ff7e71ebd15e2" - logic_hash = "b16cf5b527782680cc1da6f61dd537596792fed615993b19965ef2dbde701e64" + logic_hash = "v1_sha256_b16cf5b527782680cc1da6f61dd537596792fed615993b19965ef2dbde701e64" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72710,10 +72710,10 @@ rule ELASTIC_Linux_Trojan_Ngioweb_D57Aa841 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "555d60bd863caff231700c5f606d0034d5aa8362862d1fd0c816615d59f582f7" - logic_hash = "b0db72ad81d27f5b2ac2d2bb903ff10849c304d40619fd95a39e7d48c64c45ba" + logic_hash = "v1_sha256_b0db72ad81d27f5b2ac2d2bb903ff10849c304d40619fd95a39e7d48c64c45ba" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72739,10 +72739,10 @@ rule ELASTIC_Linux_Trojan_Ngioweb_B97E0253 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5480bc02aeebd3062e6d19e50a5540536ce140d950327cce937ff7e71ebd15e2" - logic_hash = "dc11d50166a4d1b400c0df81295054192d42822dd3e065e374a92a31727d4dbd" + logic_hash = "v1_sha256_dc11d50166a4d1b400c0df81295054192d42822dd3e065e374a92a31727d4dbd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72768,10 +72768,10 @@ rule ELASTIC_Linux_Trojan_Ngioweb_66C465A0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7454ee074812d7fa49044de8190e17b5034b3f08625f547d1b04aae4054fd81a" - logic_hash = "71f224e3ee1ff29787258a61f29a37a9ddc51e9cb5df0693ea52fd4b6f0b5ad8" + logic_hash = "v1_sha256_71f224e3ee1ff29787258a61f29a37a9ddc51e9cb5df0693ea52fd4b6f0b5ad8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72797,10 +72797,10 @@ rule ELASTIC_Linux_Trojan_Ngioweb_D8573802 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7454ee074812d7fa49044de8190e17b5034b3f08625f547d1b04aae4054fd81a" - logic_hash = "b51ab7a7c26e889a4e8efc2b9883f709c17d82032b0c28ab3e30229d6f296367" + logic_hash = "v1_sha256_b51ab7a7c26e889a4e8efc2b9883f709c17d82032b0c28ab3e30229d6f296367" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72826,10 +72826,10 @@ rule ELASTIC_Linux_Trojan_Ngioweb_7926Bc8E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "555d60bd863caff231700c5f606d0034d5aa8362862d1fd0c816615d59f582f7" - logic_hash = "ac42dd714696825d64402861e96122cce7cd09ae8d9c43a19dd9cf95d7b09610" + logic_hash = "v1_sha256_ac42dd714696825d64402861e96122cce7cd09ae8d9c43a19dd9cf95d7b09610" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72855,10 +72855,10 @@ rule ELASTIC_Linux_Trojan_Ngioweb_E2377400 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L141-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L141-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b88daf00a0e890b6750e691856b0fe7428d90d417d9503f62a917053e340228b" - logic_hash = "71276698d1bdb9bc494fe6f1aa9755940583331836abc490e0b5ac3454d35de6" + logic_hash = "v1_sha256_71276698d1bdb9bc494fe6f1aa9755940583331836abc490e0b5ac3454d35de6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72884,9 +72884,9 @@ rule ELASTIC_Linux_Trojan_Ngioweb_994F1E97 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ngioweb.yar#L161-L178" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2384e787877b622445d7d14053a8340d2e97d3ab103a3fabfa08a40068726ad0" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ngioweb.yar#L161-L178" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2384e787877b622445d7d14053a8340d2e97d3ab103a3fabfa08a40068726ad0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -72912,10 +72912,10 @@ rule ELASTIC_Windows_Hacktool_Sharpshares_88Cdcd52 : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpShares.yar#L1-L30" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpShares.yar#L1-L30" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bbdd3620a67aedec4b9a68b2c9cc880b6631215e129816aea19902a6f4bc6f41" - logic_hash = "85c59b939da6158f931e779c2884cea77b80fab54ee5e157d86afa19f0253db3" + logic_hash = "v1_sha256_85c59b939da6158f931e779c2884cea77b80fab54ee5e157d86afa19f0253db3" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -72941,7 +72941,7 @@ rule ELASTIC_Windows_Hacktool_Sharpshares_88Cdcd52 : FILE MEMORY $str7 = "[-] \\\\{0}\\{1}" ascii wide condition: - $guid or all of ($print_str*) or 4 of ($str*) + $guid or all of ( $print_str* ) or 4 of ( $str* ) } rule ELASTIC_Windows_Trojan_Mylobot_A895174A : FILE MEMORY { 
@@ -72952,10 +72952,10 @@ rule ELASTIC_Windows_Trojan_Mylobot_A895174A : FILE MEMORY date = "2024-05-15" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_MyloBot.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_MyloBot.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "33831d9ad64d0f52f507f08ef81607aafa6ced58a189969af6cf57c659c982d2" - logic_hash = "16f2d8eeb6c85944030a33bd250e4e8b98985a6c877a0ec3ad5a6037e7c00159" + logic_hash = "v1_sha256_16f2d8eeb6c85944030a33bd250e4e8b98985a6c877a0ec3ad5a6037e7c00159" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -72987,10 +72987,10 @@ rule ELASTIC_Windows_Vulndriver_Msio_Aa20A3C6 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_MsIo.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_MsIo.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6" - logic_hash = "3b383934dc91536f69e2c6cb2cf2054c5f8a08766ecf1d1804c57f3a2c39c1c2" + logic_hash = "v1_sha256_3b383934dc91536f69e2c6cb2cf2054c5f8a08766ecf1d1804c57f3a2c39c1c2" score = 75 quality = 75 tags = "FILE" @@ -73005,7 +73005,7 @@ rule ELASTIC_Windows_Vulndriver_Msio_Aa20A3C6 : FILE $str1 = "\\MsIo32.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Windows_Vulndriver_Msio_Ce0Bda23 : FILE { 
@@ -73016,10 +73016,10 @@ rule ELASTIC_Windows_Vulndriver_Msio_Ce0Bda23 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_MsIo.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_MsIo.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - logic_hash = "f7fbe0255a006cce42aff61b294512c11e1cceaf11d5c1b6f75b96fb3b155895" + logic_hash = "v1_sha256_f7fbe0255a006cce42aff61b294512c11e1cceaf11d5c1b6f75b96fb3b155895" score = 75 quality = 75 tags = "FILE" @@ -73034,7 +73034,7 @@ rule ELASTIC_Windows_Vulndriver_Msio_Ce0Bda23 : FILE $str1 = "\\MsIo64.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Linux_Virus_Gmon_E544D891 : FILE MEMORY { 
@@ -73045,10 +73045,10 @@ rule ELASTIC_Linux_Virus_Gmon_E544D891 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Virus_Gmon.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Virus_Gmon.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d0fe377664aa0bc0d1fd3a307650f211dd3ef2e2f04597abee465e836e6a6f32" - logic_hash = "6dcfd51aaa79d7bac0100d9c891aa4275b8e1f7614cda46a5da4c738d376c729" + logic_hash = "v1_sha256_6dcfd51aaa79d7bac0100d9c891aa4275b8e1f7614cda46a5da4c738d376c729" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73074,10 +73074,10 @@ rule ELASTIC_Linux_Virus_Gmon_192Bd9B3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Virus_Gmon.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Virus_Gmon.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d0fe377664aa0bc0d1fd3a307650f211dd3ef2e2f04597abee465e836e6a6f32" - logic_hash = "3df275349d14a845c73087375f96e0c9a069ff685beb89249590ef9448e50373" + logic_hash = "v1_sha256_3df275349d14a845c73087375f96e0c9a069ff685beb89249590ef9448e50373" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73103,10 +73103,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_57C0C6D7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "100dc1ede4c0832a729d77725784d9deb358b3a768dfaf7ff9e96535f5b5a361" - logic_hash = "d3a272d488cebe4f774c994001a14d825372a27f16267bc0339b7e3b22ada8db" + logic_hash = "v1_sha256_d3a272d488cebe4f774c994001a14d825372a27f16267bc0339b7e3b22ada8db" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73132,10 +73132,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_7E42Bf80 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "551b6e6617fa3f438ec1b3bd558b3cbc981141904cab261c0ac082a697e5b07d" - logic_hash = "ad8c8f0081d07f7e2a5400de6af2c6b311f77ff336d7576f7fb0bfe2593a9062" + logic_hash = "v1_sha256_ad8c8f0081d07f7e2a5400de6af2c6b311f77ff336d7576f7fb0bfe2593a9062" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73161,10 +73161,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_271121Fb : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "19aeafb63430b5ac98e93dfd6469c20b9c1145e6b5b86202553bd7bd9e118842" - logic_hash = "f43b1527ad4bbd07023126def89c1af47698cc832f71f4a1381ed0d621d79ed5" + logic_hash = "v1_sha256_f43b1527ad4bbd07023126def89c1af47698cc832f71f4a1381ed0d621d79ed5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73190,9 +73190,9 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_E7E64Fb7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L61-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "e325ac02c51526c5a36bdd6c2bcb3bee51f1214d78eff8048c8a1ae88334a9e8" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L61-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e325ac02c51526c5a36bdd6c2bcb3bee51f1214d78eff8048c8a1ae88334a9e8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -73218,9 +73218,9 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_79B42B21 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L80-L97" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "db42871193960ea4c2cbe5f5040cbc1097d57d9e4dc291bcc77ed72b588311ab" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L80-L97" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_db42871193960ea4c2cbe5f5040cbc1097d57d9e4dc291bcc77ed72b588311ab" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73246,10 +73246,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_77Fbc695 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L99-L117" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L99-L117" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e723a2b976adddb01abb1101f2d3407b783067bec042a135b21b14d63bc18a68" - logic_hash = "af8e09cd5d6b7532af0c06273aa465cf6c40ad6c919a679fd09191a1c2a302f5" + logic_hash = "v1_sha256_af8e09cd5d6b7532af0c06273aa465cf6c40ad6c919a679fd09191a1c2a302f5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73275,10 +73275,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_403B0A12 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L119-L137" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L119-L137" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "54d806b3060404ccde80d9f3153eebe8fdda49b6e8cdba197df0659c6724a52d" - logic_hash = "5b7662124eb980b11f88a50665292e7a405595f7ad85c5c448dd087ea096689a" + logic_hash = "v1_sha256_5b7662124eb980b11f88a50665292e7a405595f7ad85c5c448dd087ea096689a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73304,9 +73304,9 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_Bffa106B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L139-L156" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d7214ad9c4291205b50567d142d99b8a19a9cfa69d3cd0a644774c3a1adb6b49" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L139-L156" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d7214ad9c4291205b50567d142d99b8a19a9cfa69d3cd0a644774c3a1adb6b49" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73332,10 +73332,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_73Faf972 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L158-L176" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L158-L176" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00e29303b66cb39a8bc23fe91379c087376ea26baa21f6b7f7817289ba89f655" - logic_hash = "a6a9d304d215302bf399c90ed0dd77a681796254c51a2a20e4a316dba43b387f" + logic_hash = "v1_sha256_a6a9d304d215302bf399c90ed0dd77a681796254c51a2a20e4a316dba43b387f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73361,10 +73361,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_Af809Eea : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L178-L196" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L178-L196" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00e29303b66cb39a8bc23fe91379c087376ea26baa21f6b7f7817289ba89f655" - logic_hash = "4ae4b119a3eecfdb47a88fe5a89a4f79ae96eecf5d08eef08997357de7e6538a" + logic_hash = "v1_sha256_4ae4b119a3eecfdb47a88fe5a89a4f79ae96eecf5d08eef08997357de7e6538a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73390,10 +73390,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_9F6Ac00F : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L198-L216" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L198-L216" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9cd58c1759056c0c5bbd78248b9192c4f8c568ed89894aff3724fdb2be44ca43" - logic_hash = "9fa8e7be5c35c9a649c42613d0d5d5cecff3d9c3e9a572e4be1ca661876748a5" + logic_hash = "v1_sha256_9fa8e7be5c35c9a649c42613d0d5d5cecff3d9c3e9a572e4be1ca661876748a5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73419,10 +73419,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_Dbcc9D87 : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrig.yar#L218-L236" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrig.yar#L218-L236" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "da9b8fb5c26e81fb3aed3b0bc95d855339fced303aae2af281daf0f1a873e585" - logic_hash = "b7fa60e32cb53484d8b76b13066eda1f2275ee2660ac2dc02b0078b921998e79" + logic_hash = "v1_sha256_b7fa60e32cb53484d8b76b13066eda1f2275ee2660ac2dc02b0078b921998e79" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73448,10 +73448,10 @@ rule ELASTIC_Linux_Trojan_Gognt_50C3D9Da : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gognt.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gognt.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "79602bc786edda7017c5f576814b683fba41e4cb4cf3f837e963c6d0d42c50ee" - logic_hash = "ecd9cd94b3bf8c50c347e70aab3da03ea6589530b20941a9f62dac501f8144fc" + logic_hash = "v1_sha256_ecd9cd94b3bf8c50c347e70aab3da03ea6589530b20941a9f62dac501f8144fc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73477,10 +73477,10 @@ rule ELASTIC_Linux_Trojan_Gognt_05B10F4B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gognt.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gognt.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e43aaf2345dbb5c303d5a5e53cd2e2e84338d12f69ad809865f20fd1a5c2716f" - logic_hash = "1dfc3417f75aa81aea5eda3d6da076f1cacf82dbfc039252b1d16f52b81a5a65" + logic_hash = "v1_sha256_1dfc3417f75aa81aea5eda3d6da076f1cacf82dbfc039252b1d16f52b81a5a65" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73506,10 +73506,10 @@ rule ELASTIC_Macos_Hacktool_Jokerspy_58A6B26D : FILE MEMORY date = "2023-06-19" modified = "2023-06-19" reference = "https://www.elastic.co/security-labs/inital-research-of-jokerspy" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Macos_Hacktool_JokerSpy.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Macos_Hacktool_JokerSpy.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8" - logic_hash = "e9e1333c7172d5a0f06093a902edefd7f128963dbaadf77e829f032ccb04ce56" + logic_hash = "v1_sha256_e9e1333c7172d5a0f06093a902edefd7f128963dbaadf77e829f032ccb04ce56" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73540,10 +73540,10 @@ rule ELASTIC_Windows_Trojan_Cybergate_517Aac7D : FILE MEMORY date = "2022-02-28" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CyberGate.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CyberGate.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365" - logic_hash = "50e061d0c358655c03b95ccbe2d05e252501c3e6afd21dd20513019cd67e6147" + logic_hash = "v1_sha256_50e061d0c358655c03b95ccbe2d05e252501c3e6afd21dd20513019cd67e6147" score = 75 quality = 48 tags = "FILE, MEMORY" 
@@ -73573,10 +73573,10 @@ rule ELASTIC_Windows_Trojan_Cybergate_9996D800 : FILE MEMORY date = "2022-02-28" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CyberGate.yar#L25-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CyberGate.yar#L25-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365" - logic_hash = "efefc171b6390c9792145973708358f62b18b8d0180feacaf5b9267563c3f7cc" + logic_hash = "v1_sha256_efefc171b6390c9792145973708358f62b18b8d0180feacaf5b9267563c3f7cc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73602,10 +73602,10 @@ rule ELASTIC_Windows_Trojan_Cybergate_C219A2F3 : FILE MEMORY date = "2023-05-04" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CyberGate.yar#L45-L64" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CyberGate.yar#L45-L64" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b7204f8caf6ace6ae1aed267de0ad6b39660d0e636d8ee0ecf88135f8a58dc42" - logic_hash = "8075892728c610c1ceacd0df54615d2a3e833d728d631a9bf81311e8c6485f6e" + logic_hash = "v1_sha256_8075892728c610c1ceacd0df54615d2a3e833d728d631a9bf81311e8c6485f6e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73632,10 +73632,10 @@ rule ELASTIC_Linux_Hacktool_Aduh_6Cae7C78 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Aduh.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Aduh.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9c67207546ad274dc78a0819444d1c8805537f9ac36d3c53eba9278ed44b360c" - logic_hash = "130df108de5b6cdfb9227f96301bdaa1e272d47b8cb9ad96c3aa574bf65870b2" + logic_hash = "v1_sha256_130df108de5b6cdfb9227f96301bdaa1e272d47b8cb9ad96c3aa574bf65870b2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73661,10 +73661,10 @@ rule ELASTIC_Windows_Vulndriver_Mhyprot_26214176 : FILE date = "2022-08-25" modified = "2022-08-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Mhyprot.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Mhyprot.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6" - logic_hash = "61d1713c689b9d663f2d3360d07735b07ca10365b5ce424b2df726bd6cc434d3" + logic_hash = "v1_sha256_61d1713c689b9d663f2d3360d07735b07ca10365b5ce424b2df726bd6cc434d3" score = 75 quality = 75 tags = "FILE" @@ -73682,7 +73682,7 @@ rule ELASTIC_Windows_Vulndriver_Mhyprot_26214176 : FILE $str1 = "\\Device\\mhyprot2" wide fullword condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $subject_name and $version and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $subject_name and $version and $str1 } rule ELASTIC_Multi_Hacktool_Gsocket_761D3A0F : FILE MEMORY { 
@@ -73693,10 +73693,10 @@ rule ELASTIC_Multi_Hacktool_Gsocket_761D3A0F : FILE MEMORY date = "2024-09-20" modified = "2024-11-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Hacktool_Gsocket.yar#L1-L32" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Hacktool_Gsocket.yar#L1-L32" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "193efd61ae10f286d06390968537fa85e4df40995fd424d1afe426c089d172ab" - logic_hash = "6f60b63f406b42ac2a43cbe3afbbc98789504d7c6036d50f852a5bc4a6c46cef" + logic_hash = "v1_sha256_6f60b63f406b42ac2a43cbe3afbbc98789504d7c6036d50f852a5bc4a6c46cef" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73735,10 +73735,10 @@ rule ELASTIC_Windows_Trojan_Eagerbee_7029Ba21 : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_EagerBee.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_EagerBee.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "09005775fc587ac7bf150c05352e59dc01008b7bf8c1d870d1cea87561aa0b06" - logic_hash = "874959361b14ba74e13e6e674da75c9bdb6b9475d8b286572825c940b41f679f" + logic_hash = "v1_sha256_874959361b14ba74e13e6e674da75c9bdb6b9475d8b286572825c940b41f679f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73765,10 +73765,10 @@ rule ELASTIC_Windows_Trojan_Eagerbee_A64B323B : FILE MEMORY date = "2023-09-04" modified = "2023-09-20" reference = "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_EagerBee.yar#L23-L45" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_EagerBee.yar#L23-L45" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "339e4fdbccb65b0b06a1421c719300a8da844789a2016d58e8ce4227cb5dc91b" - logic_hash = "e1c25cf8ce0ff434727c9104c6b79110ff5cfa84eb3e939119fd05cf676727c6" + logic_hash = "v1_sha256_e1c25cf8ce0ff434727c9104c6b79110ff5cfa84eb3e939119fd05cf676727c6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73797,10 +73797,10 @@ rule ELASTIC_Linux_Trojan_Lala_51Deb1F9 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Lala.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Lala.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3af65d3307fbdc2e8ce6e1358d1413ebff5eeb5dbedc051394377a4dabffa82" - logic_hash = "73a7ec230be9aabcc301095c9c075f839852155419bdd8d5542287f34699ab33" + logic_hash = "v1_sha256_73a7ec230be9aabcc301095c9c075f839852155419bdd8d5542287f34699ab33" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73826,10 +73826,10 @@ rule ELASTIC_Windows_Trojan_Bitrat_34Bd6C83 : FILE MEMORY date = "2021-06-13" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bitrat.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bitrat.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "37f70ae0e4e671c739d402c00f708761e98b155a1eefbedff1236637c4b7690a" - logic_hash = "d386fc2a4b6a98638328d1aa05a8d8dbb7a1bbcd72943457b1a5a27b056744ef" + logic_hash = "v1_sha256_d386fc2a4b6a98638328d1aa05a8d8dbb7a1bbcd72943457b1a5a27b056744ef" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73859,10 +73859,10 @@ rule ELASTIC_Windows_Trojan_Bitrat_54916275 : FILE MEMORY date = "2022-08-29" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bitrat.yar#L25-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bitrat.yar#L25-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d3b2c410b431c006c59f14b33e95c0e44e6221b1118340c745911712296f659f" - logic_hash = "4c66f79f4bf6bde49bfb9208e6dc1d3b5d041927565e7302381838b0f32da6f4" + logic_hash = "v1_sha256_4c66f79f4bf6bde49bfb9208e6dc1d3b5d041927565e7302381838b0f32da6f4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73888,10 +73888,10 @@ rule ELASTIC_Linux_Trojan_Mumblehard_523450Aa : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mumblehard.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mumblehard.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a637ea8f070e1edf2c9c81450e83934c177696171b24b4dff32dfb23cefa56d3" - logic_hash = "60b4cc388975ce030e03c5c3a48adcfeec25299105206909163f20100fbf45d8" + logic_hash = "v1_sha256_60b4cc388975ce030e03c5c3a48adcfeec25299105206909163f20100fbf45d8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -73917,10 +73917,10 @@ rule ELASTIC_Windows_Hacktool_Sharpstay_Eac706C5 : FILE MEMORY date = "2022-11-20" modified = "2023-01-11" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpStay.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpStay.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "498d201f65b57a007a79259ce7015eb7eb1bba660d44deafea716e36316a9caa" - logic_hash = "b85679018658e33e81cd2589e9f99cf9ed16ac25b27d93bece26cb5ccc2e379a" + logic_hash = "v1_sha256_b85679018658e33e81cd2589e9f99cf9ed16ac25b27d93bece26cb5ccc2e379a" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -73939,7 +73939,7 @@ rule ELASTIC_Windows_Hacktool_Sharpstay_Eac706C5 : FILE MEMORY $print_str3 = "[+] Cleaned up %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Indexing.{0}" ascii wide fullword condition: - $guid or all of ($print_str*) + $guid or all of ( $print_str* ) } rule ELASTIC_Windows_Trojan_Pipedance_01C18057 : FILE MEMORY { 
@@ -73950,10 +73950,10 @@ rule ELASTIC_Windows_Trojan_Pipedance_01C18057 : FILE MEMORY date = "2023-02-02" modified = "2023-02-22" reference = "https://www.elastic.co/security-labs/twice-around-the-dance-floor-with-pipedance" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PipeDance.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PipeDance.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9d3f739e35182992f1e3ade48b8999fb3a5049f48c14db20e38ee63eddc5a1e7" - logic_hash = "0c03a725ae930eb829d6a6a9f681489d61aa7f69e72b6b298776f75a98115398" + logic_hash = "v1_sha256_0c03a725ae930eb829d6a6a9f681489d61aa7f69e72b6b298776f75a98115398" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -73975,7 +73975,7 @@ rule ELASTIC_Windows_Trojan_Pipedance_01C18057 : FILE MEMORY $seq_icmp = { 59 6A 61 5E 89 45 ?? 8B D0 89 5D ?? 2B F0 8D 04 16 8D 4B ?? 88 0A 83 F8 77 7E ?? 80 E9 17 88 0A 43 42 83 FB 20 } condition: - 4 of ($str*) or 2 of ($seq*) + 4 of ( $str* ) or 2 of ( $seq* ) } rule ELASTIC_Linux_Trojan_Ganiw_99349371 : FILE MEMORY { 
@@ -73986,10 +73986,10 @@ rule ELASTIC_Linux_Trojan_Ganiw_99349371 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ganiw.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ganiw.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e8dbb246fdd1a50226a36c407ac90eb44b0cf5e92bf0b92c89218f474f9c2afb" - logic_hash = "26160e855c63fc0b73e415de2fe058f2005df1ec5544d21865d022c5474df30c" + logic_hash = "v1_sha256_26160e855c63fc0b73e415de2fe058f2005df1ec5544d21865d022c5474df30c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74015,9 +74015,9 @@ rule ELASTIC_Linux_Trojan_Ganiw_B9F045Aa : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ganiw.yar#L21-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2565101b261bee22ddecf6898ff0ac8a114d09c822d8db26ba3e3571ebe06b12" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ganiw.yar#L21-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2565101b261bee22ddecf6898ff0ac8a114d09c822d8db26ba3e3571ebe06b12" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74043,10 +74043,10 @@ rule ELASTIC_Linux_Trojan_Dnsamp_C31Eebd4 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dnsamp.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dnsamp.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4b86de97819a49a90961d59f9c3ab9f8e57e19add9fe1237d2a2948b4ff22de6" - logic_hash = "b998065eff9f67a1cdf19644a13edb0cef3c619d8b6e16c412d58f5d538e4617" + logic_hash = "v1_sha256_b998065eff9f67a1cdf19644a13edb0cef3c619d8b6e16c412d58f5d538e4617" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74072,10 +74072,10 @@ rule ELASTIC_Multi_Generic_Threat_19854Dc2 : FILE MEMORY date = "2024-02-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Generic_Threat.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Generic_Threat.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "be216fa9cbf0b64d769d1e8ecddcfc3319c7ca8e610e438dcdfefc491730d208" - logic_hash = "beed6d6cd7b7b6eb3f4ab6a45fd19f2ebfb661e470d468691b68634994e2eef7" + logic_hash = "v1_sha256_beed6d6cd7b7b6eb3f4ab6a45fd19f2ebfb661e470d468691b68634994e2eef7" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -74101,10 +74101,10 @@ rule ELASTIC_Linux_Trojan_Sdbot_98628Ea1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sdbot.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sdbot.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5568ae1f8a1eb879eb4705db5b3820e36c5ecea41eb54a8eef5b742f477cbdd8" - logic_hash = "55b8e3fa755965b85a043015f9303644b8e06fe8bfdc0e2062de75bdc2881541" + logic_hash = "v1_sha256_55b8e3fa755965b85a043015f9303644b8e06fe8bfdc0e2062de75bdc2881541" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74130,10 +74130,10 @@ rule ELASTIC_Windows_Vulndriver_Elrawdisk_F9Fd1A80 : FILE date = "2022-10-07" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_ElRawDisk.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_ElRawDisk.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ed4f2b3db9a79535228af253959a0749b93291ad8b1058c7a41644b73035931b" - logic_hash = "43f9f1f6ad6c1defe2f0d6dd0cd380bea1a8ead19bc0bf203bdfe4f83b9c284d" + logic_hash = "v1_sha256_43f9f1f6ad6c1defe2f0d6dd0cd380bea1a8ead19bc0bf203bdfe4f83b9c284d" score = 75 quality = 75 tags = "FILE" @@ -74148,7 +74148,7 @@ rule ELASTIC_Windows_Vulndriver_Elrawdisk_F9Fd1A80 : FILE $str1 = "\\elrawdsk.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Multi_Trojan_Sliver_42298C4A : FILE MEMORY { 
@@ -74159,10 +74159,10 @@ rule ELASTIC_Multi_Trojan_Sliver_42298C4A : FILE MEMORY date = "2021-10-20" modified = "2022-01-14" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_Sliver.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Sliver.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007" - logic_hash = "a84bdb51fcdeb4629365bdb727b53087604ee0eb112c8d6c3ecf315598ec678a" + logic_hash = "v1_sha256_a84bdb51fcdeb4629365bdb727b53087604ee0eb112c8d6c3ecf315598ec678a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74194,10 +74194,10 @@ rule ELASTIC_Multi_Trojan_Sliver_3Bde542D : FILE MEMORY date = "2022-08-31" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_Sliver.yar#L27-L50" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Sliver.yar#L27-L50" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "05461e1c2a2e581a7c30e14d04bd3d09670e281f9f7c60f4169e9614d22ce1b3" - logic_hash = "23a0e28c1423f577a147efdf927f2dc71871760e38d4d7494ead2920b90ef05e" + logic_hash = "v1_sha256_23a0e28c1423f577a147efdf927f2dc71871760e38d4d7494ead2920b90ef05e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -74217,7 +74217,7 @@ rule ELASTIC_Multi_Trojan_Sliver_3Bde542D : FILE MEMORY $b5 = "RegistryReadReq" ascii fullword condition: - 1 of ($a*) or all of ($b*) + 1 of ( $a* ) or all of ( $b* ) } rule ELASTIC_Multi_Trojan_Sliver_3D6B7Cd3 : FILE MEMORY { 
@@ -74228,10 +74228,10 @@ rule ELASTIC_Multi_Trojan_Sliver_3D6B7Cd3 : FILE MEMORY date = "2022-12-01" modified = "2023-09-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_Sliver.yar#L52-L88" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Sliver.yar#L52-L88" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9846124cfd124eed466465d187eeacb4d405c558dd84ba8e575d8a7b3290403e" - logic_hash = "3cbd3358b7d59d6a2912069f4cb8de005b6fafd61e44111d1f6cf0418eb2d1fc" + logic_hash = "v1_sha256_3cbd3358b7d59d6a2912069f4cb8de005b6fafd61e44111d1f6cf0418eb2d1fc" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -74264,7 +74264,7 @@ rule ELASTIC_Multi_Trojan_Sliver_3D6B7Cd3 : FILE MEMORY $register_x86_5 = { 8B 04 24 89 84 24 ?? ?? ?? ?? 8B 4C 24 ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 04 24 8B 4C 24 ?? 8B 54 24 ?? 85 D2 74 ?? 31 C0 31 C9 89 4C 24 ?? 89 84 24 ?? ?? ?? ?? 8D 15 ?? ?? ?? ?? 89 14 24 E8 ?? ?? ?? ?? } condition: - 1 of ($session_start_*) and 1 of ($register_*) + 1 of ( $session_start_* ) and 1 of ( $register_* ) } rule ELASTIC_Windows_PUP_Mediaarena_A9E3B4A1 : FILE MEMORY { 
@@ -74275,10 +74275,10 @@ rule ELASTIC_Windows_PUP_Mediaarena_A9E3B4A1 : FILE MEMORY date = "2023-06-02" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_PUP_MediaArena.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_PUP_MediaArena.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c071e0b67e4c105c87b876183900f97a4e8bc1a7c18e61c028dee59ce690b1ac" - logic_hash = "8e52b29f2848498aae2fd7ad35494362d6c07f0e752b628840a256923aca32c7" + logic_hash = "v1_sha256_8e52b29f2848498aae2fd7ad35494362d6c07f0e752b628840a256923aca32c7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74310,9 +74310,9 @@ rule ELASTIC_Multi_EICAR_Ac8F42D6 : FILE MEMORY date = "2021-01-21" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_EICAR.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "05c92058aab1229dfa31e006276c2c83fa484e813bdfe66edf387763797d9d57" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_EICAR.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_05c92058aab1229dfa31e006276c2c83fa484e813bdfe66edf387763797d9d57" score = 75 quality = 25 tags = "FILE, MEMORY" 
@@ -74338,10 +74338,10 @@ rule ELASTIC_Macos_Virus_Maxofferdeal_53Df500F : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Virus_Maxofferdeal.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Virus_Maxofferdeal.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ecd62ef880da057726ca55c6826ce4e1584ec6fc3afaabed7f66154fc39ffef8" - logic_hash = "ed63c14e31c200f906b525c7ef1cd671511a89c8833cfa1a605fc9870fe91043" + logic_hash = "v1_sha256_ed63c14e31c200f906b525c7ef1cd671511a89c8833cfa1a605fc9870fe91043" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74367,10 +74367,10 @@ rule ELASTIC_Macos_Virus_Maxofferdeal_F4681Eba : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Virus_Maxofferdeal.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Virus_Maxofferdeal.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ecd62ef880da057726ca55c6826ce4e1584ec6fc3afaabed7f66154fc39ffef8" - logic_hash = "cf478ec5313b40d74d110e4d6e97da5f671d5af331adc3ab059a69616e78c76c" + logic_hash = "v1_sha256_cf478ec5313b40d74d110e4d6e97da5f671d5af331adc3ab059a69616e78c76c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74396,10 +74396,10 @@ rule ELASTIC_Macos_Virus_Maxofferdeal_4091E373 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Virus_Maxofferdeal.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Virus_Maxofferdeal.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c38c4bdd3c1fa16fd32db06d44d0db1b25bb099462f8d2936dbdd42af325b37c" - logic_hash = "ce82f6d3a2e4b7ffe7010629bf91a9144a94e50513682a6c0622603d28248d51" + logic_hash = "v1_sha256_ce82f6d3a2e4b7ffe7010629bf91a9144a94e50513682a6c0622603d28248d51" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74425,10 +74425,10 @@ rule ELASTIC_Macos_Virus_Maxofferdeal_20A0091E : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Virus_Maxofferdeal.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Virus_Maxofferdeal.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b00a61c908cd06dbc26bee059ba290e7ce2ad6b66c453ea272c7287ffa29c5ab" - logic_hash = "bb90b7e1637fd86e91763b4801a0b3bb8a1b956f328d07e96cf1b26e42b1931b" + logic_hash = "v1_sha256_bb90b7e1637fd86e91763b4801a0b3bb8a1b956f328d07e96cf1b26e42b1931b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74454,10 +74454,10 @@ rule ELASTIC_Linux_Webshell_Generic_E80Ff633 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Webshell_Generic.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Webshell_Generic.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7640ba6f2417931ef901044152d5bfe1b266219d13b5983d92ddbdf644de5818" - logic_hash = "d345e6ce3e51ed55064aafb1709e9bee7ef2ce87ec80165ac1b58eebd83cefee" + logic_hash = "v1_sha256_d345e6ce3e51ed55064aafb1709e9bee7ef2ce87ec80165ac1b58eebd83cefee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74483,9 +74483,9 @@ rule ELASTIC_Linux_Webshell_Generic_41A5Fa40 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "18ac7fbc3d8d3bb8581139a20a7fee8ea5b7fcfea4a9373e3d22c71bae3c9de0" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Webshell_Generic.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "574148bc58626aac00add1989c65ad56315c7e2a8d27c7b96be404d831a7a576" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Webshell_Generic.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_574148bc58626aac00add1989c65ad56315c7e2a8d27c7b96be404d831a7a576" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -74511,10 +74511,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_4557_B7E15F5E : FILE MEMORY CVE_2016_4557 date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_4557.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_4557.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bbed2f81104b5eb4a8475deff73b29a350dc8b0f96dcc4987d0112b993675271" - logic_hash = "9c40233fec9607404ca4f78313e0f62922180e5ef88dbf801dd60725af61bdde" + logic_hash = "v1_sha256_9c40233fec9607404ca4f78313e0f62922180e5ef88dbf801dd60725af61bdde" score = 75 quality = 73 tags = "FILE, MEMORY, CVE-2016-4557" 
@@ -74540,10 +74540,10 @@ rule ELASTIC_Linux_Trojan_Skidmap_Aa7B661D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Skidmap.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Skidmap.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4282ba9b7bee69d42bfff129fff45494fb8f7db0e1897fc5aa1e4265cb6831d9" - logic_hash = "aa976158d004d582234a92ff648d4581440f9c933a0abef212d9d837d9607ba4" + logic_hash = "v1_sha256_aa976158d004d582234a92ff648d4581440f9c933a0abef212d9d837d9607ba4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74569,10 +74569,10 @@ rule ELASTIC_Linux_Trojan_Skidmap_52Fb8489 : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Skidmap.yar#L21-L57" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Skidmap.yar#L21-L57" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4282ba9b7bee69d42bfff129fff45494fb8f7db0e1897fc5aa1e4265cb6831d9" - logic_hash = "9d199666f36a703b77d6b2a47e8d2065c25746a5776df63f5bfacb912afa582b" + logic_hash = "v1_sha256_9d199666f36a703b77d6b2a47e8d2065c25746a5776df63f5bfacb912afa582b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -74605,7 +74605,7 @@ rule ELASTIC_Linux_Trojan_Skidmap_52Fb8489 : FILE MEMORY $str4 = "kswaped" condition: - 3 of ($func*) or 4 of ($hook*) or 3 of ($str*) + 3 of ( $func* ) or 4 of ( $hook* ) or 3 of ( $str* ) } rule ELASTIC_Linux_Trojan_Backegmm_B59712E6 : FILE MEMORY { 
@@ -74616,10 +74616,10 @@ rule ELASTIC_Linux_Trojan_Backegmm_B59712E6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Backegmm.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Backegmm.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d6c8e15cb65102b442b7ee42186c58fa69cd0cb68f4fd47eb5ad23763371e0be" - logic_hash = "a2e6016bfd8475880c28c89b5f5beeef1335de9529d44bbe7c5aaa352aab9a29" + logic_hash = "v1_sha256_a2e6016bfd8475880c28c89b5f5beeef1335de9529d44bbe7c5aaa352aab9a29" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74645,10 +74645,10 @@ rule ELASTIC_Linux_Trojan_Roopre_B6B9E71D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Roopre.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Roopre.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36ae2bf773135fdb0ead7fbbd46f90fd41d6f973569de1941c8723158fc6cfcc" - logic_hash = "32294e476a014a919d2d738bdc940a7fc5f91e1b13c005f164a5b6bf84eb2635" + logic_hash = "v1_sha256_32294e476a014a919d2d738bdc940a7fc5f91e1b13c005f164a5b6bf84eb2635" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74674,10 +74674,10 @@ rule ELASTIC_Linux_Trojan_Roopre_05F7F237 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Roopre.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Roopre.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36ae2bf773135fdb0ead7fbbd46f90fd41d6f973569de1941c8723158fc6cfcc" - logic_hash = "12e14ac31932033f2448b7a3bfd6ce826fff17494547ac4baefb20f6713baf5f" + logic_hash = "v1_sha256_12e14ac31932033f2448b7a3bfd6ce826fff17494547ac4baefb20f6713baf5f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74703,10 +74703,10 @@ rule ELASTIC_Windows_Clickfraud_Luckyslots_A82433B6 : FILE MEMORY date = "2024-08-21" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Clickfraud_LuckySlots.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Clickfraud_LuckySlots.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6503770b34c53025793f1674af87d80a8f6ed44b5780490796012a2b771b8f84" - logic_hash = "342dafb67ae8557de66ac810482e2747ae88c76f07c244f1a465351fcc72cab9" + logic_hash = "v1_sha256_342dafb67ae8557de66ac810482e2747ae88c76f07c244f1a465351fcc72cab9" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -74738,10 +74738,10 @@ rule ELASTIC_Linux_Backdoor_Python_00606Bac : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Backdoor_Python.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Backdoor_Python.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b3e3728d43535f47a1c15b915c2d29835d9769a9dc69eb1b16e40d5ba1b98460" - logic_hash = "92ad2cf4aa848c8f3bcedd319654bf5ef873cd4daba62572381c7e20f0296b82" + logic_hash = "v1_sha256_92ad2cf4aa848c8f3bcedd319654bf5ef873cd4daba62572381c7e20f0296b82" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74767,10 +74767,10 @@ rule ELASTIC_Windows_Trojan_Asyncrat_11A11Ba1 : FILE MEMORY date = "2021-08-05" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Asyncrat.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Asyncrat.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1" - logic_hash = "c6c4ce9ccf01c280be6c25c0c82c34b601626bc200b84d3e77b08be473335d3d" + logic_hash = "v1_sha256_c6c4ce9ccf01c280be6c25c0c82c34b601626bc200b84d3e77b08be473335d3d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74801,10 +74801,10 @@ rule ELASTIC_Windows_Trojan_M0Yv_92F66467 : FILE MEMORY date = "2023-05-03" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_M0yv.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_M0yv.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0004d22dd18c0239b722c085101c0a32b967159e2066a0b7b9104bb43f5cdea0" - logic_hash = "a47b20679aee9559213de22783cfbc55c6091785e4dc288349963e863b78cf41" + logic_hash = "v1_sha256_a47b20679aee9559213de22783cfbc55c6091785e4dc288349963e863b78cf41" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -74832,10 +74832,10 @@ rule ELASTIC_Windows_Trojan_Whispergate_9192618B : FILE MEMORY date = "2022-01-17" modified = "2022-01-17" reference = "https://www.elastic.co/security-labs/operation-bleeding-bear" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_WhisperGate.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_WhisperGate.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78" - logic_hash = "28bb08d61d99d2bfc49ba18cdbabc34c31a715ae6439ab25bbce8cc6958ed381" + logic_hash = "v1_sha256_28bb08d61d99d2bfc49ba18cdbabc34c31a715ae6439ab25bbce8cc6958ed381" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74865,10 +74865,10 @@ rule ELASTIC_Linux_Exploit_Intfour_0Ca45Cd3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Intfour.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Intfour.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9d32c5447aa5182b4be66b7a283616cf531a2fd3ba3dde1bc363b24d8b22682f" - logic_hash = "088d8daa9ba4f53c8de229282ed8a7b30b1e567687e7807ac6c3df9524dabba9" + logic_hash = "v1_sha256_088d8daa9ba4f53c8de229282ed8a7b30b1e567687e7807ac6c3df9524dabba9" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -74894,10 +74894,10 @@ rule ELASTIC_Linux_Downloader_Generic_0Bd15Ae0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Downloader_Generic.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Downloader_Generic.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e511efb068e76a4a939c2ce2f2f0a089ef55ca56ee5f2ba922828d23e6181f09" - logic_hash = "c9558562d9e9d3b55bd1fba9e55b332e6b4db5a170e0dd349bef1e35f0c7fd21" + logic_hash = "v1_sha256_c9558562d9e9d3b55bd1fba9e55b332e6b4db5a170e0dd349bef1e35f0c7fd21" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74923,9 +74923,9 @@ rule ELASTIC_Windows_Trojan_Rudebird_3Cbf7Bc6 : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RudeBird.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2095c3b6bde779b5661c7796b5e33bb0c43facf791b272a603b786f889a06a95" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RudeBird.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2095c3b6bde779b5661c7796b5e33bb0c43facf791b272a603b786f889a06a95" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74951,10 +74951,10 @@ rule ELASTIC_Linux_Cryptominer_Bscope_348B7Fa0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Bscope.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Bscope.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a6fb80d77986e00a6b861585bd4e573a927e970fb0061bf5516f83400ad7c0db" - logic_hash = "bc6a59dcc36676273c61fa71231fd8709884beebb7ab64b58f22551393b20c71" + logic_hash = "v1_sha256_bc6a59dcc36676273c61fa71231fd8709884beebb7ab64b58f22551393b20c71" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -74980,10 +74980,10 @@ rule ELASTIC_Linux_Hacktool_Earthworm_4De7B584 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Earthworm.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Earthworm.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9d61aabcf935121b4f7fc6b0d082d7d6c31cb43bf253a8603dd46435e66b7955" - logic_hash = "019b2504df192e673f96a86464bb5e8ba5e89190e51bfe7d702753f76c00b979" + logic_hash = "v1_sha256_019b2504df192e673f96a86464bb5e8ba5e89190e51bfe7d702753f76c00b979" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -75009,10 +75009,10 @@ rule ELASTIC_Linux_Hacktool_Earthworm_E3Da43E2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Earthworm.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Earthworm.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "da0cffc4222d11825778fe4fa985fef2945caa0cc3b4de26af0a06509ebafb21" - logic_hash = "b129b7060b6af4ff2aae2678a455b969579132891fba44e4fdc2481a5437bdf9" + logic_hash = "v1_sha256_b129b7060b6af4ff2aae2678a455b969579132891fba44e4fdc2481a5437bdf9" score = 60 quality = 45 tags = "FILE, MEMORY" 
@@ -75038,10 +75038,10 @@ rule ELASTIC_Linux_Hacktool_Earthworm_82D5C4Cf : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Earthworm.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Earthworm.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dc412d4f2b0e9ca92063a47adfb0657507d3f2a54a415619db5a7ccb59afb204" - logic_hash = "81f35293bd3dd0cfbbf67f036773e16625bb74e06320fa1fff5bc428ef2f3a43" + logic_hash = "v1_sha256_81f35293bd3dd0cfbbf67f036773e16625bb74e06320fa1fff5bc428ef2f3a43" score = 60 quality = 45 tags = "FILE, MEMORY" 
@@ -75067,10 +75067,10 @@ rule ELASTIC_Linux_Hacktool_Earthworm_4Ec2Ec63 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Earthworm.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Earthworm.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dc412d4f2b0e9ca92063a47adfb0657507d3f2a54a415619db5a7ccb59afb204" - logic_hash = "25f616c5440a48aef0f824cb6859e88787db4f42c1ec904a3d3bd72f3a64116e" + logic_hash = "v1_sha256_25f616c5440a48aef0f824cb6859e88787db4f42c1ec904a3d3bd72f3a64116e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -75096,10 +75096,10 @@ rule ELASTIC_Windows_Hacktool_Darkloadlibrary_C25Ee4Eb : FILE MEMORY date = "2022-12-02" modified = "2023-01-11" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_DarkLoadLibrary.yar#L1-L29" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_DarkLoadLibrary.yar#L1-L29" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5546194a71bc449789c3697f9c106860ac0a21e1ccf2b1196120b3f92f4b5306" - logic_hash = "c585abbe72834e9ba2e5f1c8070a43b0f10c2b574c72ffe1def4bfd431096415" + logic_hash = "v1_sha256_c585abbe72834e9ba2e5f1c8070a43b0f10c2b574c72ffe1def4bfd431096415" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -75124,7 +75124,7 @@ rule ELASTIC_Windows_Hacktool_Darkloadlibrary_C25Ee4Eb : FILE MEMORY $print_str9 = "Failed to close handle on DLL file" wide condition: - $guid or 4 of ($print_str*) + $guid or 4 of ( $print_str* ) } rule ELASTIC_Linux_Rootkit_Generic_61229Bdf : FILE MEMORY { 
@@ -75135,9 +75135,9 @@ rule ELASTIC_Linux_Rootkit_Generic_61229Bdf : FILE MEMORY date = "2024-11-14" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Generic.yar#L1-L74" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "624c599a073c59f9c7f7c7492053470e4aafd1735519bf2c3eef290999e4e4ad" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Generic.yar#L1-L74" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_624c599a073c59f9c7f7c7492053470e4aafd1735519bf2c3eef290999e4e4ad" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -75208,7 +75208,140 @@ rule ELASTIC_Linux_Rootkit_Generic_61229Bdf : FILE MEMORY $str57 = "unhide_udp6_port" condition: - 4 of ($str*) + 4 of ( $str* ) +} +rule ELASTIC_Linux_Rootkit_Generic_482Bca48 : FILE MEMORY +{ + meta: + description = "Detects Linux Rootkit Generic (Linux.Rootkit.Generic)" + author = "Elastic Security" + id = "482bca48-c337-45d9-9513-301909cbda73" + date = "2024-11-14" + modified = "2024-12-09" + reference = "https://github.com/elastic/protections-artifacts/" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Generic.yar#L76-L116" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_5b73588523e7ae66e9346c1b7a078cc04fab42672c8d2ff5900d4346385143c7" + score = 75 + quality = 73 + tags = "FILE, MEMORY" + fingerprint = "a2a005777e1bc236a30f3efff8d85af360665bd9418b77aa8d0aaf72a72df88a" + severity = 100 + arch_context = "x86, arm64" + scan_context = "file, memory" + license = "Elastic License v2" + os = "linux" + + strings: + $str1 = "sys_call_table" + $str2 = "kallsyms_lookup_name" + $str3 = "retpoline=Y" + $str4 = "kprobe" + $rk1 = "rootkit" + $rk2 = "hide_" + $rk3 = "hacked_" + $rk4 = "fake_" + $rk5 = "hooked_" + $hook1 = "_getdents" + $hook2 = "_kill" + $hook3 = "_seq_show_ipv4_tcp" + $hook4 = "_seq_show_ipv4_udp" + $hook5 = "_seq_show_ipv6_tcp" + $hook6 = "_seq_show_ipv6_udp" + $hook7 = "_tcp4_port" + $hook8 = "_tcp4_seq_show" + $hook9 = "_tcp6_port" + $hook10 = "_tcp6_seq_show" + $hook11 = "_udp4_port" + $hook12 = "_udp4_seq_show" + $hook13 = "_udp6_port" + $hook14 = "_udp6_seq_show" + $hook15 = "_unlink" + + condition: + 3 of ( $str* ) and ( ( all of ( $rk* ) ) or ( 3 of ( $rk* ) and 5 of ( $hook* ) ) ) +} +rule ELASTIC_Linux_Rootkit_Generic_D0C5Cfe0 : FILE MEMORY +{ + meta: + description = "Detects Linux Rootkit Generic (Linux.Rootkit.Generic)" + author = 
"Elastic Security" + id = "d0c5cfe0-850b-432c-924d-547252ca0dd0" + date = "2024-11-14" + modified = "2024-12-09" + reference = "https://github.com/elastic/protections-artifacts/" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Generic.yar#L118-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e5d7e5a7147724f3c6baa3697ab51ed105d34ffbd7a14dec22a95181a6361d5f" + score = 75 + quality = 73 + tags = "FILE, MEMORY" + fingerprint = "6c005d7126485220c8ea1a7fb2a3215ade16f1b9dda7b89daf7a8cc408288efa" + severity = 100 + arch_context = "x86, arm64" + scan_context = "file, memory" + license = "Elastic License v2" + os = "linux" + + strings: + $str1 = "sys_call_table" + $str2 = "kallsyms_lookup_name" + $str3 = "retpoline=Y" + $str4 = "kprobe" + $init1 = "init_module" + $init2 = "finit_module" + $hook1 = "getdents" + $hook2 = "seq_show_ipv4_tcp" + $hook3 = "seq_show_ipv4_udp" + $hook4 = "seq_show_ipv6_tcp" + $hook5 = "seq_show_ipv6_udp" + $hook6 = "sys_kill" + $hook7 = "tcp4_port" + $hook8 = "tcp4_seq_show" + $hook9 = "tcp6_port" + $hook10 = "tcp6_seq_show" + $hook11 = "udp4_port" + $hook12 = "udp4_seq_show" + $hook13 = "udp6_port" + $hook14 = "udp6_seq_show" + $rk1 = "rootkit" + $rk2 = "dropper" + $rk3 = "hide" + $rk4 = "hook" + $rk5 = "hacked" + + condition: + 2 of ( $str* ) and 1 of ( $init* ) and 3 of ( $hook* ) and 3 of ( $rk* ) +} +rule ELASTIC_Linux_Rootkit_Generic_F07Bcabe : FILE MEMORY +{ + meta: + description = "Detects Linux Rootkit Generic (Linux.Rootkit.Generic)" + author = "Elastic Security" + id = "f07bcabe-f91e-4872-8677-dee6307e79d0" + date = "2024-12-02" + modified = "2024-12-09" + reference = "https://github.com/elastic/protections-artifacts/" + source_url = 
"https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Generic.yar#L161-L180" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2e63ceede0347ad6cf80f9a0d8acce42c8b34bd1a549cfc20993af76f780dd2f" + score = 75 + quality = 75 + tags = "FILE, MEMORY" + fingerprint = "7335426e705383ff6f62299943a139390b83ce2af4cbfc145cfe78c0f0015a26" + severity = 100 + arch_context = "x86, arm64" + scan_context = "file, memory" + license = "Elastic License v2" + os = "linux" + + strings: + $str1 = "fh_install_hook" + $str2 = "fh_remove_hook" + $str3 = "fh_resolve_hook_address" + + condition: + 2 of them } rule ELASTIC_Linux_Cryptominer_Attribute_3683D149 : FILE MEMORY { @@ -75219,10 +75352,10 @@ rule ELASTIC_Linux_Cryptominer_Attribute_3683D149 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Attribute.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Attribute.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ec9e74d52d745275718fe272bfd755335739ad5f680f73f5a4e66df6eb141a63" - logic_hash = "71aa8aa4171671af4aa0271b64da95ac1d8766de12a949c97ebcac9369224ecd" + logic_hash = "v1_sha256_71aa8aa4171671af4aa0271b64da95ac1d8766de12a949c97ebcac9369224ecd" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -75248,10 +75381,10 @@ rule ELASTIC_Windows_Ransomware_Akira_C8C298Ba : FILE MEMORY date = "2024-05-02" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Akira.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Akira.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a2df5477cf924bd41241a3326060cc2f913aff2379858b148ddec455e4da67bc" - logic_hash = "9058c83693e93f6daee8894453e56e0d9a4867d551ec3a6b66d7a517f65d8b07" + logic_hash = "v1_sha256_9058c83693e93f6daee8894453e56e0d9a4867d551ec3a6b66d7a517f65d8b07" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -75282,9 +75415,9 @@ rule ELASTIC_Windows_Ransomware_Snake_550E0265 : BETA FILE MEMORY date = "2020-06-30" modified = "2021-08-23" reference = "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Snake.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d9c2f6961a4ef560743060ed176bdc606561ca1b8270b8826cb0dbadaf4e5dbc" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Snake.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d9c2f6961a4ef560743060ed176bdc606561ca1b8270b8826cb0dbadaf4e5dbc" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -75304,7 +75437,7 @@ rule ELASTIC_Windows_Ransomware_Snake_550E0265 : BETA FILE MEMORY $a5 = "%Desktop%\\Fix-Your-Files.txt" nocase condition: - 1 of ($a*) + 1 of ( $a* ) } rule ELASTIC_Windows_Ransomware_Snake_119F9C83 : BETA FILE MEMORY { 
@@ -75315,9 +75448,9 @@ rule ELASTIC_Windows_Ransomware_Snake_119F9C83 : BETA FILE MEMORY date = "2020-06-30" modified = "2021-08-23" reference = "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Snake.yar#L26-L46" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "cf6c81e7332acc798409a05a548460bad0ac3621402672c242e48a1b6bccdae6" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Snake.yar#L26-L46" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_cf6c81e7332acc798409a05a548460bad0ac3621402672c242e48a1b6bccdae6" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -75334,7 +75467,7 @@ rule ELASTIC_Windows_Ransomware_Snake_119F9C83 : BETA FILE MEMORY $c2 = { 00 30 64 7C 00 50 64 7C 00 70 64 7C 00 B0 64 7C 00 D0 64 7C 00 30 73 7C 00 F0 64 7C 00 90 71 7C 00 10 65 7C 00 30 65 7C 00 50 65 7C 00 90 72 7C 00 B0 72 7C 00 70 6E 7C 00 70 65 7C 00 B0 65 7C 00 D0 65 7C 00 F0 65 7C 00 10 66 7C 00 30 66 7C 00 50 66 7C 00 70 66 7C 00 90 66 7C 00 B0 66 7C 00 D0 66 7C 00 F0 66 7C 00 30 67 7C 00 90 6E 7C 00 B0 6E 7C 00 D0 6E 7C } condition: - 1 of ($c*) + 1 of ( $c* ) } rule ELASTIC_Windows_Ransomware_Snake_20Bc5Abc : BETA FILE MEMORY { 
@@ -75345,9 +75478,9 @@ rule ELASTIC_Windows_Ransomware_Snake_20Bc5Abc : BETA FILE MEMORY date = "2020-06-30" modified = "2021-08-23" reference = "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Snake.yar#L48-L67" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "f3d8a523e04e516e8e059c9f13df355e6caf29a528cfebdf730e3a7d135e3351" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Snake.yar#L48-L67" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_f3d8a523e04e516e8e059c9f13df355e6caf29a528cfebdf730e3a7d135e3351" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -75363,7 +75496,7 @@ rule ELASTIC_Windows_Ransomware_Snake_20Bc5Abc : BETA FILE MEMORY $b1 = { 57 12 1A 10 1A 10 1A 10 1A 10 1A 10 1A 10 1A 10 1A 10 1A 10 1A } condition: - 1 of ($b*) + 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Fickerstealer_Cc02E75E : FILE MEMORY { 
@@ -75374,10 +75507,10 @@ rule ELASTIC_Windows_Trojan_Fickerstealer_Cc02E75E : FILE MEMORY date = "2021-07-22" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Fickerstealer.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Fickerstealer.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6" - logic_hash = "ccfd7edf7625c13eea5b88fa29f9b8d3d873688f328f3e52c0500ac722c84511" + logic_hash = "v1_sha256_ccfd7edf7625c13eea5b88fa29f9b8d3d873688f328f3e52c0500ac722c84511" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -75404,10 +75537,10 @@ rule ELASTIC_Windows_Trojan_Fickerstealer_F2159Bec : FILE MEMORY date = "2021-07-22" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Fickerstealer.yar#L22-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Fickerstealer.yar#L22-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6" - logic_hash = "d36cb90b526a291858291d615272baa78881309c83376f4d4cce1768c740ddbc" + logic_hash = "v1_sha256_d36cb90b526a291858291d615272baa78881309c83376f4d4cce1768c740ddbc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -75433,10 +75566,10 @@ rule ELASTIC_Linux_Ransomware_Redalert_39642D52 : FILE MEMORY date = "2022-07-06" modified = "2022-08-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_RedAlert.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_RedAlert.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09" - logic_hash = "fa8fc16f0c8a55dd78781d334d7f55db6aa5e60f76cebf5282150af8ceb08dc3" + logic_hash = "v1_sha256_fa8fc16f0c8a55dd78781d334d7f55db6aa5e60f76cebf5282150af8ceb08dc3" score = 75 quality = 48 tags = "FILE, MEMORY" @@ -75455,7 +75588,7 @@ rule ELASTIC_Linux_Ransomware_Redalert_39642D52 : FILE MEMORY $byte_checkvm = { 48 8B 14 DD ?? ?? ?? ?? 31 C0 48 83 C9 FF FC 48 89 EE 48 89 D7 F2 AE 4C 89 E7 48 F7 D1 E8 } condition: - 3 of ($str_*) or ($byte_checkvm and $str_print) + 3 of ( $str_* ) or ( $byte_checkvm and $str_print ) } rule ELASTIC_Macos_Backdoor_Useragent_1A02Fc3A : FILE MEMORY { 
@@ -75466,10 +75599,10 @@ rule ELASTIC_Macos_Backdoor_Useragent_1A02Fc3A : FILE MEMORY date = "2021-11-11" modified = "2022-07-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Backdoor_Useragent.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Backdoor_Useragent.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a" - logic_hash = "90debdfc24ef100952302808a2e418bca2a46be3e505add9a0ccf4c49aff5102" + logic_hash = "v1_sha256_90debdfc24ef100952302808a2e418bca2a46be3e505add9a0ccf4c49aff5102" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -75499,10 +75632,10 @@ rule ELASTIC_Windows_Trojan_Xeno_F92Ffb82 : FILE MEMORY date = "2024-10-10" modified = "2024-10-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Xeno.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Xeno.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "22dbdbcdd4c8b6899006f9f07e87c19b6a2947eeff8cc89c653309379b388cf4" - logic_hash = "17d5107b297c150cf737382c175e491e6bc4b17b2db583ff193f4acd40fdd459" + logic_hash = "v1_sha256_17d5107b297c150cf737382c175e491e6bc4b17b2db583ff193f4acd40fdd459" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -75528,10 +75661,10 @@ rule ELASTIC_Windows_Trojan_Xeno_89F9F060 : FILE MEMORY date = "2024-10-25" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Xeno.yar#L21-L45" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Xeno.yar#L21-L45" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b74733d68e95220ab0630a68ddf973b0c959fd421628e639c1b91e465ba9299b" - logic_hash = "a98bf8d1411449b41f0e35d368de3355ace837d9a406eee4f8fb087737eb283e" + logic_hash = "v1_sha256_a98bf8d1411449b41f0e35d368de3355ace837d9a406eee4f8fb087737eb283e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -75552,7 +75685,7 @@ rule ELASTIC_Windows_Trojan_Xeno_89F9F060 : FILE MEMORY $str_5 = "XenoStealer" ascii fullword condition: - (($sc_1 or $sc_2) and ($str_1 or $str_2)) and (1 of ($str_3,$str_4,$str_5)) + (( $sc_1 or $sc_2 ) and ( $str_1 or $str_2 ) ) and ( 1 of ( $str_3 , $str_4 , $str_5 ) ) } rule ELASTIC_Windows_Trojan_Caesarkbd_32Bb198B : FILE { 
@@ -75563,10 +75696,10 @@ rule ELASTIC_Windows_Trojan_Caesarkbd_32Bb198B : FILE date = "2022-04-04" modified = "2022-06-09" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CaesarKbd.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CaesarKbd.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8" - logic_hash = "f708706524515f98ebf612ac98318ee7172347096251d9ccd723f439070521de" + logic_hash = "v1_sha256_f708706524515f98ebf612ac98318ee7172347096251d9ccd723f439070521de" score = 75 quality = 75 tags = "FILE" @@ -75581,7 +75714,7 @@ rule ELASTIC_Windows_Trojan_Caesarkbd_32Bb198B : FILE $str1 = "CaesarKbd_IOCtrl" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Windows_Vulndriver_Xtier_48Bb4B2C : FILE { 
@@ -75592,10 +75725,10 @@ rule ELASTIC_Windows_Vulndriver_Xtier_48Bb4B2C : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_XTier.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_XTier.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f" - logic_hash = "fd6ae610a4d2cbf02aae2302d181d07780e723ac7e61b5aa3fd18ba834160729" + logic_hash = "v1_sha256_fd6ae610a4d2cbf02aae2302d181d07780e723ac7e61b5aa3fd18ba834160729" score = 75 quality = 75 tags = "FILE" @@ -75612,7 +75745,7 @@ rule ELASTIC_Windows_Vulndriver_Xtier_48Bb4B2C : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x0c][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x02][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x0b][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Xtier_8A2F6Dc1 : FILE { 
@@ -75623,10 +75756,10 @@ rule ELASTIC_Windows_Vulndriver_Xtier_8A2F6Dc1 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_XTier.yar#L23-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_XTier.yar#L23-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - logic_hash = "90e1efd9d918f15459dd3fabb4737cbdeded66da1d556becca051bdda5867c11" + logic_hash = "v1_sha256_90e1efd9d918f15459dd3fabb4737cbdeded66da1d556becca051bdda5867c11" score = 75 quality = 75 tags = "FILE" @@ -75643,7 +75776,7 @@ rule ELASTIC_Windows_Vulndriver_Xtier_8A2F6Dc1 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x0c][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x02][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x0b][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Xtier_F4760D4A : FILE { 
@@ -75654,10 +75787,10 @@ rule ELASTIC_Windows_Vulndriver_Xtier_F4760D4A : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_XTier.yar#L45-L65" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_XTier.yar#L45-L65" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003" - logic_hash = "dc83771e08b8530bf138782ba8c7724e7ecff40c973407a7f654346302a284d5" + logic_hash = "v1_sha256_dc83771e08b8530bf138782ba8c7724e7ecff40c973407a7f654346302a284d5" score = 75 quality = 75 tags = "FILE" @@ -75674,7 +75807,7 @@ rule ELASTIC_Windows_Vulndriver_Xtier_F4760D4A : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x0c][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x02][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x0b][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Xtier_6A7De49F : FILE { 
@@ -75685,10 +75818,10 @@ rule ELASTIC_Windows_Vulndriver_Xtier_6A7De49F : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_XTier.yar#L67-L87" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_XTier.yar#L67-L87" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7" - logic_hash = "de0d25377103d50b33a95a804b9c3eb9ef221d56fa1dfda0a32f14dcd95ee4b1" + logic_hash = "v1_sha256_de0d25377103d50b33a95a804b9c3eb9ef221d56fa1dfda0a32f14dcd95ee4b1" score = 75 quality = 75 tags = "FILE" @@ -75705,7 +75838,7 @@ rule ELASTIC_Windows_Vulndriver_Xtier_6A7De49F : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x0c][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x02][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x0b][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Linux_Backdoor_Bash_E427876D : FILE MEMORY { 
@@ -75716,10 +75849,10 @@ rule ELASTIC_Linux_Backdoor_Bash_E427876D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Backdoor_Bash.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Backdoor_Bash.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "07db41a4ddaac802b04df5e5bbae0881fead30cb8f6fa53a8a2e1edf14f2d36b" - logic_hash = "fdd066b746416730419787d21eb53fa2ba997679a237d9db3a2e1365d43df892" + logic_hash = "v1_sha256_fdd066b746416730419787d21eb53fa2ba997679a237d9db3a2e1365d43df892" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -75745,10 +75878,10 @@ rule ELASTIC_Windows_Hacktool_Certify_Ffe1Cca2 : FILE MEMORY date = "2024-03-27" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Certify.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Certify.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3c7f759a6c38d0c0780fba2d43be6dcf9e4869d54b66f16c0703ec8e58124953" - logic_hash = "e1d37ad683bfbe34433dc5e13ae2cf7c873fed640e1c58a3b0274b4b34900e53" + logic_hash = "v1_sha256_e1d37ad683bfbe34433dc5e13ae2cf7c873fed640e1c58a3b0274b4b34900e53" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -75771,7 +75904,7 @@ rule ELASTIC_Windows_Hacktool_Certify_Ffe1Cca2 : FILE MEMORY $b4 = "Certify.exe request /ca" wide condition: - all of ($a*) or any of ($b*) + all of ( $a* ) or any of ( $b* ) } rule ELASTIC_Linux_Rootkit_Reptile_B2Ccf852 : FILE MEMORY { 
@@ -75782,10 +75915,10 @@ rule ELASTIC_Linux_Rootkit_Reptile_B2Ccf852 : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Reptile.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Reptile.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "331494780c1869e8367c3e16a2b99aeadc604c73b87f09a01dda00ade686675b" - logic_hash = "efb4c0a9894e09b5a2a614a02810524e66b21f00b76ad583cc1eb551f4a73dcc" + logic_hash = "v1_sha256_efb4c0a9894e09b5a2a614a02810524e66b21f00b76ad583cc1eb551f4a73dcc" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -75804,7 +75937,7 @@ rule ELASTIC_Linux_Rootkit_Reptile_B2Ccf852 : FILE MEMORY $func5 = "reptile_exit" condition: - 2 of ($func*) + 2 of ( $func* ) } rule ELASTIC_Linux_Rootkit_Reptile_C9F8806D : FILE MEMORY { 
@@ -75815,10 +75948,10 @@ rule ELASTIC_Linux_Rootkit_Reptile_C9F8806D : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Reptile.yar#L25-L53" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Reptile.yar#L25-L53" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "331494780c1869e8367c3e16a2b99aeadc604c73b87f09a01dda00ade686675b" - logic_hash = "de1f8dc139ca506581119edcbd8d9b19576b0522e86b7f36713538f67a235446" + logic_hash = "v1_sha256_de1f8dc139ca506581119edcbd8d9b19576b0522e86b7f36713538f67a235446" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -75843,7 +75976,7 @@ rule ELASTIC_Linux_Rootkit_Reptile_C9F8806D : FILE MEMORY $blob = "_blob" condition: - ((3 of ($str*)) or ( all of ($loader*))) and $blob + (( 3 of ( $str* ) ) or ( all of ( $loader* ) ) ) and $blob } rule ELASTIC_Linux_Rootkit_Reptile_Eb201301 : FILE MEMORY { 
@@ -75854,10 +75987,10 @@ rule ELASTIC_Linux_Rootkit_Reptile_Eb201301 : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Reptile.yar#L55-L92" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Reptile.yar#L55-L92" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "331494780c1869e8367c3e16a2b99aeadc604c73b87f09a01dda00ade686675b" - logic_hash = "665c791cdcdc3aed7b9dcd6b839b12e3f9a838bef54c698b5d353b44922ea87c" + logic_hash = "v1_sha256_665c791cdcdc3aed7b9dcd6b839b12e3f9a838bef54c698b5d353b44922ea87c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -75891,7 +76024,7 @@ rule ELASTIC_Linux_Rootkit_Reptile_Eb201301 : FILE MEMORY $rep2 = "S3cr3tP@ss" condition: - all of ($rep*) or (1 of ($str*) and (4 of ($opt*) or 4 of ($help*))) + all of ( $rep* ) or ( 1 of ( $str* ) and ( 4 of ( $opt* ) or 4 of ( $help* ) ) ) } rule ELASTIC_Linux_Rootkit_Reptile_85Abf958 : FILE MEMORY { 
@@ -75902,10 +76035,10 @@ rule ELASTIC_Linux_Rootkit_Reptile_85Abf958 : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Reptile.yar#L94-L118" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Reptile.yar#L94-L118" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "331494780c1869e8367c3e16a2b99aeadc604c73b87f09a01dda00ade686675b" - logic_hash = "955dc251eeec64216eafa5c1ff7574e2ee96e72413b689ba147de9fbfc994864" + logic_hash = "v1_sha256_955dc251eeec64216eafa5c1ff7574e2ee96e72413b689ba147de9fbfc994864" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -75926,7 +76059,7 @@ rule ELASTIC_Linux_Rootkit_Reptile_85Abf958 : FILE MEMORY $str2 = "exec bash --rcfi" condition: - any of ($byte*) or all of ($str*) + any of ( $byte* ) or all of ( $str* ) } rule ELASTIC_Linux_Cryptominer_Ksmdbot_Ebeedb3C : FILE MEMORY { 
@@ -75937,10 +76070,10 @@ rule ELASTIC_Linux_Cryptominer_Ksmdbot_Ebeedb3C : FILE MEMORY date = "2022-12-14" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Ksmdbot.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Ksmdbot.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b927e0fe58219305d86df8b3e44493a7c854a6ea4f76d1ebe531a7bfd4365b54" - logic_hash = "67f97cc4f2886ed296b5b3827dc1d1792136ba8d9d27c20b677c9467618c879d" + logic_hash = "v1_sha256_67f97cc4f2886ed296b5b3827dc1d1792136ba8d9d27c20b677c9467618c879d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -75970,11 +76103,11 @@ rule ELASTIC_Windows_Vulndriver_Iobitunlocker_Defb90Fd : FILE date = "2023-07-25" modified = "2023-07-25" reference = "https://theevilbit.github.io/posts/iobit_unlocker_lpe/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_IoBitUnlocker.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_IoBitUnlocker.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0aff83f28d70f425539fee3d6a780210d0406264f8a4eb124e32b074e8ffd556" hash = "5ce1a8eac73ef1d0741f34d9fb2661da322117a63bffe60ccad092da89664c42" - logic_hash = "4b0f440c66b7c9a193f0d6675c2a4246036ebc5c0c83856f45ec40a041e9cd07" + logic_hash = "v1_sha256_4b0f440c66b7c9a193f0d6675c2a4246036ebc5c0c83856f45ec40a041e9cd07" score = 75 quality = 75 tags = "FILE" @@ -75993,7 +76126,7 @@ rule ELASTIC_Windows_Vulndriver_Iobitunlocker_Defb90Fd : FILE $pdb_filename = "IObitUnlocker.pdb" fullword condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and (($original_file_name and $product_version) or ($subject and $pdb_filename)) + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and ( ( $original_file_name and $product_version ) or ( $subject and $pdb_filename ) ) } rule ELASTIC_Windows_Trojan_Bumblebee_35F50Bea : FILE MEMORY { 
@@ -76004,10 +76137,10 @@ rule ELASTIC_Windows_Trojan_Bumblebee_35F50Bea : FILE MEMORY date = "2022-04-28" modified = "2022-06-09" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bumblebee.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bumblebee.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6" - logic_hash = "9f22b1b7f9e2d7858738d02730ef5477f8d430ad3606ebf4ac8b01314fdc9c46" + logic_hash = "v1_sha256_9f22b1b7f9e2d7858738d02730ef5477f8d430ad3606ebf4ac8b01314fdc9c46" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76034,10 +76167,10 @@ rule ELASTIC_Windows_Trojan_Bumblebee_70Bed4F3 : FILE MEMORY date = "2022-04-28" modified = "2022-06-09" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bumblebee.yar#L22-L46" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bumblebee.yar#L22-L46" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6" - logic_hash = "3ff97986bfd8df812c4ef94395b3ac7f9ead4d059c398f8984ee217a1bcee4af" + logic_hash = "v1_sha256_3ff97986bfd8df812c4ef94395b3ac7f9ead4d059c398f8984ee217a1bcee4af" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76069,10 +76202,10 @@ rule ELASTIC_Windows_Trojan_Spectralviper_43Abeeeb : FILE MEMORY date = "2023-04-13" modified = "2023-05-26" reference = "https://www.elastic.co/security-labs/elastic-charms-spectralviper" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SpectralViper.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SpectralViper.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7e35ba39c2c77775b0394712f89679308d1a4577b6e5d0387835ac6c06e556cb" - logic_hash = "976e5b5b4ba73f1b392c2f6b32a86b09b5fd9e5a3510c60b77a39f1e0d705822" + logic_hash = "v1_sha256_976e5b5b4ba73f1b392c2f6b32a86b09b5fd9e5a3510c60b77a39f1e0d705822" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76105,10 +76238,10 @@ rule ELASTIC_Windows_Trojan_Spectralviper_368C36A0 : FILE MEMORY date = "2023-05-10" modified = "2023-05-10" reference = "https://www.elastic.co/security-labs/elastic-charms-spectralviper" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SpectralViper.yar#L29-L53" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SpectralViper.yar#L29-L53" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d1c32176b46ce171dbce46493eb3c5312db134b0a3cfa266071555c704e6cff8" - logic_hash = "6182bde93e18dc6a83a94b50b193f5f29ed9abfa89b53c290818e7dab5bbb334" + logic_hash = "v1_sha256_6182bde93e18dc6a83a94b50b193f5f29ed9abfa89b53c290818e7dab5bbb334" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76128,7 +76261,7 @@ rule ELASTIC_Windows_Trojan_Spectralviper_368C36A0 : FILE MEMORY $s3 = { 48 83 EC 28 4C 8B 41 18 4C 8B C9 48 B8 AB AA AA AA AA AA AA AA 48 F7 61 10 48 8B 49 08 48 C1 EA } condition: - 2 of ($a*) or any of ($s*) + 2 of ( $a* ) or any of ( $s* ) } rule ELASTIC_Windows_Trojan_Downtown_901C4Fdd : FILE MEMORY { 
@@ -76139,9 +76272,9 @@ rule ELASTIC_Windows_Trojan_Downtown_901C4Fdd : FILE MEMORY date = "2023-05-10" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DownTown.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "6368d37fa9ba4e32131e16bceaee322f2fa8507873d01ebd687536e593354725" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DownTown.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_6368d37fa9ba4e32131e16bceaee322f2fa8507873d01ebd687536e593354725" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76169,9 +76302,9 @@ rule ELASTIC_Windows_Trojan_Downtown_145Ecd2F : FILE MEMORY date = "2023-08-23" modified = "2023-09-20" reference = "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DownTown.yar#L23-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "744a51c5317e265177185d9d0b8838a8fc939b4c56cc5e5bc51d5432d046d9f1" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DownTown.yar#L23-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_744a51c5317e265177185d9d0b8838a8fc939b4c56cc5e5bc51d5432d046d9f1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76200,10 +76333,10 @@ rule ELASTIC_Macos_Trojan_Thiefquest_9130C0F3 : FILE MEMORY date = "2021-09-30" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Thiefquest.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Thiefquest.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bed3561210e44c290cd410adadcdc58462816a03c15d20b5be45d227cd7dca6b" - logic_hash = "20e9ea15a437a17c4ef68f2472186f6d1ab3118d5b392f84fcb2bd376ec3863a" + logic_hash = "v1_sha256_20e9ea15a437a17c4ef68f2472186f6d1ab3118d5b392f84fcb2bd376ec3863a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76232,10 +76365,10 @@ rule ELASTIC_Macos_Trojan_Thiefquest_Fc2E1271 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Thiefquest.yar#L24-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Thiefquest.yar#L24-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "12fb0eca3903a3b39ecc3c2aa6c04fe5faa1f43a3d271154d14731d1eb196923" - logic_hash = "a20c76e53874fc0fec5fd2660c63c6f1e7c1b2055cbd2a9efdfd114cd6bdda5c" + logic_hash = "v1_sha256_a20c76e53874fc0fec5fd2660c63c6f1e7c1b2055cbd2a9efdfd114cd6bdda5c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76261,10 +76394,10 @@ rule ELASTIC_Macos_Trojan_Thiefquest_86F9Ef0C : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Thiefquest.yar#L44-L62" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Thiefquest.yar#L44-L62" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "59fb018e338908eb69be72ab11837baebf8d96cdb289757f1f4977228e7640a0" - logic_hash = "426d533d39e594123f742b15d0a93ded986b9b308685f7b2cfaf5de0b32cdbff" + logic_hash = "v1_sha256_426d533d39e594123f742b15d0a93ded986b9b308685f7b2cfaf5de0b32cdbff" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76290,10 +76423,10 @@ rule ELASTIC_Macos_Trojan_Thiefquest_40F9C1C3 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Thiefquest.yar#L64-L82" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Thiefquest.yar#L64-L82" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e402063ca317867de71e8e3189de67988e2be28d5d773bbaf75618202e80f9f6" - logic_hash = "546edc2d6d715eac47e7a8d3ceb91cf314fa6dbee04f0475a5c4a84ba53fd722" + logic_hash = "v1_sha256_546edc2d6d715eac47e7a8d3ceb91cf314fa6dbee04f0475a5c4a84ba53fd722" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76319,10 +76452,10 @@ rule ELASTIC_Macos_Trojan_Thiefquest_0F9Fe37C : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Thiefquest.yar#L84-L102" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Thiefquest.yar#L84-L102" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "12fb0eca3903a3b39ecc3c2aa6c04fe5faa1f43a3d271154d14731d1eb196923" - logic_hash = "84f9e8938d7e2b0210003fc8334b8fa781a40afffeda8d2341970b84ed5d3b5a" + logic_hash = "v1_sha256_84f9e8938d7e2b0210003fc8334b8fa781a40afffeda8d2341970b84ed5d3b5a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76348,10 +76481,10 @@ rule ELASTIC_Macos_Trojan_Thiefquest_1F4Bac78 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Thiefquest.yar#L104-L122" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Thiefquest.yar#L104-L122" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "12fb0eca3903a3b39ecc3c2aa6c04fe5faa1f43a3d271154d14731d1eb196923" - logic_hash = "96db33e135138846f978026867bb2536226539997d060f41e7081f7f29b66c85" + logic_hash = "v1_sha256_96db33e135138846f978026867bb2536226539997d060f41e7081f7f29b66c85" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76377,10 +76510,10 @@ rule ELASTIC_Linux_Ransomware_Blacksuit_9F53E7E5 : FILE MEMORY date = "2023-07-27" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_BlackSuit.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_BlackSuit.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e" - logic_hash = "121e0139385cfef5dff394c4ea36d950314b00c6d7021cf2ca667ee942e74763" + logic_hash = "v1_sha256_121e0139385cfef5dff394c4ea36d950314b00c6d7021cf2ca667ee942e74763" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -76408,10 +76541,10 @@ rule ELASTIC_Macos_Trojan_Generic_A829D361 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Generic.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Generic.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5b2a1cd801ae68a890b40dbd1601cdfeb5085574637ae8658417d0975be8acb5" - logic_hash = "70a954e8b44b1ce46f5ce0ebcf43b46e1292f0b8cdb46aa67f980d3c9b0a6f61" + logic_hash = "v1_sha256_70a954e8b44b1ce46f5ce0ebcf43b46e1292f0b8cdb46aa67f980d3c9b0a6f61" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76437,10 +76570,10 @@ rule ELASTIC_Windows_Exploit_CVE_2022_38028_31Fdb122 : FILE MEMORY CVE_2022_3802 date = "2024-06-06" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_CVE_2022_38028.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_CVE_2022_38028.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" - logic_hash = "df0ef11ce8e840c331d1db8f98917367dc2a33b6f1be48adb9d0b86729ecbe99" + logic_hash = "v1_sha256_df0ef11ce8e840c331d1db8f98917367dc2a33b6f1be48adb9d0b86729ecbe99" score = 75 quality = 73 tags = "FILE, MEMORY, CVE-2022-38028" 
@@ -76466,10 +76599,10 @@ rule ELASTIC_Macos_Trojan_Rustbucket_E64F7A92 : FILE MEMORY date = "2023-06-26" modified = "2023-06-29" reference = "https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_RustBucket.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_RustBucket.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747" - logic_hash = "bd6005d72faba6aaeebdcbd8c771995cbfc667faf01eb93825afe985954a47fc" + logic_hash = "v1_sha256_bd6005d72faba6aaeebdcbd8c771995cbfc667faf01eb93825afe985954a47fc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76497,10 +76630,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_D13544D7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "85fa30ba59602199fd99463acf50bd607e755c2e18cd8843ffcfb6b1aca24bb3" - logic_hash = "fcb2fc7a84fbcd23f9a9d9fd2750c45ff881689670a373fce0cc444183d11999" + logic_hash = "v1_sha256_fcb2fc7a84fbcd23f9a9d9fd2750c45ff881689670a373fce0cc444183d11999" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76526,10 +76659,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Ad09E090 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cdd3d567fbcbdd6799afad241ae29acbe4ab549445e5c4fc0678d16e75b40dfa" - logic_hash = "6c2d548ba9f01444e8fe4b0aa8a0556970acac06d39bb7c87446b6b91ab0d129" + logic_hash = "v1_sha256_6c2d548ba9f01444e8fe4b0aa8a0556970acac06d39bb7c87446b6b91ab0d129" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76555,10 +76688,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_12299814 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "eb3802496bd2fef72bd2a07e32ea753f69f1c2cc0b5a605e480f3bbb80b22676" - logic_hash = "52e8bcd0512cedf0fa048b6990a5d331f4302d99b00681c83a76587415894b1e" + logic_hash = "v1_sha256_52e8bcd0512cedf0fa048b6990a5d331f4302d99b00681c83a76587415894b1e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76584,10 +76717,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_A47B77E4 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "995b43ccb20343494e314824343a567fd85f430e241fdeb43704d9d4937d76cc" - logic_hash = "bd2b14c8b8e2649af837224fadb32bf0fb67ac403189063a8cb10ad344fb8015" + logic_hash = "v1_sha256_bd2b14c8b8e2649af837224fadb32bf0fb67ac403189063a8cb10ad344fb8015" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76613,10 +76746,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_21D0550B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "07db41a4ddaac802b04df5e5bbae0881fead30cb8f6fa53a8a2e1edf14f2d36b" - logic_hash = "c9a12eee281b1e944b5572142c5e18ff087989f45026a94268df22d483210178" + logic_hash = "v1_sha256_c9a12eee281b1e944b5572142c5e18ff087989f45026a94268df22d483210178" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76642,10 +76775,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_C8Adb449 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00ec7a6e9611b5c0e26c148ae5ebfedc57cf52b21e93c2fe3eac85bf88edc7ea" - logic_hash = "9c43602dc752dd737a983874bee5ec6af145ce5fdd45d03864a1afdc2aec3ad4" + logic_hash = "v1_sha256_9c43602dc752dd737a983874bee5ec6af145ce5fdd45d03864a1afdc2aec3ad4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76671,10 +76804,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Bcab1E8F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "19df7fd22051abe3f782432398ea30f8be88cf42ef14bc301b1676f35b37cd7e" - logic_hash = "72643b2860f40c7e901c671d7cc9992870b91912df5d75d2ffba0dfb8684f8d3" + logic_hash = "v1_sha256_72643b2860f40c7e901c671d7cc9992870b91912df5d75d2ffba0dfb8684f8d3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76700,10 +76833,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_6671F33A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L141-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L141-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "85fa30ba59602199fd99463acf50bd607e755c2e18cd8843ffcfb6b1aca24bb3" - logic_hash = "a15c842c7c7ec3b11183a1502f8ec03ea786e3f0d47fbab58c62ffff7b018030" + logic_hash = "v1_sha256_a15c842c7c7ec3b11183a1502f8ec03ea786e3f0d47fbab58c62ffff7b018030" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76729,10 +76862,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_74418Ec5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L161-L179" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L161-L179" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d79ad967ac9fc0b1b6d54e844de60d7ba3eaad673ee69d30f9f804e5ccbf2880" - logic_hash = "e74463f53611baaec7c8e126218d8353c6e3a5e71c20e98a7035df6b771b690b" + logic_hash = "v1_sha256_e74463f53611baaec7c8e126218d8353c6e3a5e71c20e98a7035df6b771b690b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76758,9 +76891,9 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_979160F6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L181-L198" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "e70097fb263c90576e87e76cc7be391dbf9c9d73bbd7fb8e5ec282e6ac1f648d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L181-L198" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e70097fb263c90576e87e76cc7be391dbf9c9d73bbd7fb8e5ec282e6ac1f648d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76786,10 +76919,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Fe7139E5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L200-L218" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L200-L218" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8b13dc59db58b6c4cd51abf9c1d6f350fa2cb0dbb44b387d3e171eacc82a04de" - logic_hash = "d1ef74f2a74950845091b2ebc2f7fd05980bcbd2aea4fdd9549c54cec1768501" + logic_hash = "v1_sha256_d1ef74f2a74950845091b2ebc2f7fd05980bcbd2aea4fdd9549c54cec1768501" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76815,10 +76948,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_F35A670C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L220-L238" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L220-L238" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a73808211ba00b92f8d0027831b3aa74db15f068c53dd7f20fcadb294224f480" - logic_hash = "95a8aeffb7193c3f4adfea5b7f0741a53528620c57cbdb4d471d756db03c6493" + logic_hash = "v1_sha256_95a8aeffb7193c3f4adfea5b7f0741a53528620c57cbdb4d471d756db03c6493" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76844,10 +76977,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_70E5946E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L240-L258" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L240-L258" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2c2729395805fc9d3c1e654c9a065bbafc4f28d8ab235afaae8d2c484060596b" - logic_hash = "324deafee2b14c125100e49b90ea95bc1fc55020a7e81a69c7730a57430560f4" + logic_hash = "v1_sha256_324deafee2b14c125100e49b90ea95bc1fc55020a7e81a69c7730a57430560f4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76873,10 +77006,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_033F06Dd : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L260-L278" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L260-L278" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3afc8d2d85aca61108d21f82355ad813eba7a189e81dde263d318988c5ea50bd" - logic_hash = "a0c788dbcd43cab2af1614d5d90ed9e07a45b547241f729e09709d2a1ec24e60" + logic_hash = "v1_sha256_a0c788dbcd43cab2af1614d5d90ed9e07a45b547241f729e09709d2a1ec24e60" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -76902,10 +77035,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Ce0C185F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L280-L298" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L280-L298" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cdd3d567fbcbdd6799afad241ae29acbe4ab549445e5c4fc0678d16e75b40dfa" - logic_hash = "f88c5a295cc62f5a91e26731fc60aaf450376cbb282f43304ba2a5ac5d149dd4" + logic_hash = "v1_sha256_f88c5a295cc62f5a91e26731fc60aaf450376cbb282f43304ba2a5ac5d149dd4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76931,10 +77064,10 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Da08E491 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Malxmr.yar#L300-L318"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Malxmr.yar#L300-L318"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4638d9ece32cd1385121146378772d487666548066aecd7e40c3ba5231f54cc0"
- logic_hash = "f98252c33f8d76981bbc51de87a11a7edca7292a864fc2a305d29cd21961729e"
+ logic_hash = "v1_sha256_f98252c33f8d76981bbc51de87a11a7edca7292a864fc2a305d29cd21961729e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -76960,10 +77093,10 @@ rule ELASTIC_Windows_Trojan_Plugx_5F3844Ff : FILE MEMORY
 date = "2023-08-28"
 modified = "2023-09-20"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PlugX.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PlugX.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a823380e46878dfa8deb3ca0dc394db1db23bb2544e2d6e49c0eceeffb595875"
- logic_hash = "a1a484f4cf00ec0775a3f322bae66ce5f9cc52f08306b38f079445233c49bf52"
+ logic_hash = "v1_sha256_a1a484f4cf00ec0775a3f322bae66ce5f9cc52f08306b38f079445233c49bf52"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -76993,10 +77126,10 @@ rule ELASTIC_Windows_Trojan_Plugx_F338Dab5 : FILE MEMORY
 date = "2024-06-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PlugX.yar#L25-L45"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PlugX.yar#L25-L45"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8af3fc1f8bd13519d78ee83af43daaa8c5e2c3f184c09f5c41941e0c6f68f0f7"
- logic_hash = "0482305a73bc500aa7c266536cb8286ea796f6b1eaba39547bed22313bbb4457"
+ logic_hash = "v1_sha256_0482305a73bc500aa7c266536cb8286ea796f6b1eaba39547bed22313bbb4457"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77024,10 +77157,10 @@ rule ELASTIC_Linux_Trojan_Merlin_55Beddd3 : FILE MEMORY
 date = "2022-01-05"
 modified = "2022-01-26"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Merlin.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Merlin.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "15ccdf2b948fe6bd3d3a7f5370e72cf3badec83f0ec7f47cdf116990fb551adf"
- logic_hash = "293158c981463544abd0c38694bfc8635ad1a679bbae115521b65879f145cea6"
+ logic_hash = "v1_sha256_293158c981463544abd0c38694bfc8635ad1a679bbae115521b65879f145cea6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77053,10 +77186,10 @@ rule ELASTIC_Linux_Trojan_Merlin_Bbad69B8 : FILE MEMORY
 date = "2022-09-12"
 modified = "2022-10-18"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Merlin.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Merlin.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d9955487f7d08f705e41a5ff848fb6f02d6c88286a52ec837b7b555fb422d1b6"
- logic_hash = "e18079c9f018dc8d7f2fdf5c950b405f9f84ad2a5b18775dbef829fe1cb770c3"
+ logic_hash = "v1_sha256_e18079c9f018dc8d7f2fdf5c950b405f9f84ad2a5b18775dbef829fe1cb770c3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77082,10 +77215,10 @@ rule ELASTIC_Linux_Trojan_Merlin_C6097296 : FILE MEMORY
 date = "2022-09-12"
 modified = "2022-10-18"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Merlin.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Merlin.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d9955487f7d08f705e41a5ff848fb6f02d6c88286a52ec837b7b555fb422d1b6"
- logic_hash = "f48ed7f19ab29633600fde4bfea274bf36e7f60d700c9806b334d38a51d28b92"
+ logic_hash = "v1_sha256_f48ed7f19ab29633600fde4bfea274bf36e7f60d700c9806b334d38a51d28b92"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77111,10 +77244,10 @@ rule ELASTIC_Windows_Vulndriver_Hrsword_15B431Ee : FILE MEMORY
 date = "2023-05-25"
 modified = "2024-09-30"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_HrSword.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_HrSword.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "272e934cec4a84ab92b2bccb98539d73542ea9184960a2c9923d4edc667f4d4f"
- logic_hash = "d8aed70f101a717efe83adceea0f220fb0b145ab8aa39b6250ac2bc057bf51ce"
+ logic_hash = "v1_sha256_d8aed70f101a717efe83adceea0f220fb0b145ab8aa39b6250ac2bc057bf51ce"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77130,7 +77263,7 @@ rule ELASTIC_Windows_Vulndriver_Hrsword_15B431Ee : FILE MEMORY
 $str1 = "Huorong Internet Security Core Kext" wide
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $original_file_name and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $original_file_name and $str1
 }
 
 rule ELASTIC_Windows_Ransomware_Stop_1E8D48Ff : FILE MEMORY
 {
@@ -77141,10 +77274,10 @@ rule ELASTIC_Windows_Ransomware_Stop_1E8D48Ff : FILE MEMORY
 date = "2021-06-10"
 modified = "2021-08-23"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Stop.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Stop.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3"
- logic_hash = "d743feae072a5f3e1b008354352bef48218bb041bc8a5ba39526815ab9cd2690"
+ logic_hash = "v1_sha256_d743feae072a5f3e1b008354352bef48218bb041bc8a5ba39526815ab9cd2690"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77171,10 +77304,10 @@ rule ELASTIC_Windows_Hacktool_Blackbone_2Ff5Ec38 : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_BlackBone.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_BlackBone.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4e3887f950bff034efedd40f1e949579854a24140128246fa6141f2c34de6017"
- logic_hash = "0c32bd04460cdf7a56664253992a684c2c684b15ac9ca853b27ab24f07f71607"
+ logic_hash = "v1_sha256_0c32bd04460cdf7a56664253992a684c2c684b15ac9ca853b27ab24f07f71607"
 score = 75
 quality = 75
 tags = "FILE"
@@ -77189,7 +77322,7 @@ rule ELASTIC_Windows_Hacktool_Blackbone_2Ff5Ec38 : FILE
 $str1 = "BlackBone: %s: ZwCreateThreadEx hThread 0x%X"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 
 rule ELASTIC_Linux_Cryptominer_Xmrminer_70C153B5 : FILE MEMORY
 {
@@ -77200,10 +77333,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_70C153B5 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "55b133ba805bb691dc27a5d16d3473650360c988e48af8adc017377eed07935b"
- logic_hash = "e2fc0721435c656a16e59b6747563df17f0f54a4620efc403a3bba717ccb0f38"
+ logic_hash = "v1_sha256_e2fc0721435c656a16e59b6747563df17f0f54a4620efc403a3bba717ccb0f38"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77229,10 +77362,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_98B00F9C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c01b88c5d3df7ce828e567bd8d639b135c48106e388cd81497fcbd5dcf30f332"
- logic_hash = "cf8c5deddf22e7699cd880bd3f9f28721db5ece6705be4f932e1d041893eef71"
+ logic_hash = "v1_sha256_cf8c5deddf22e7699cd880bd3f9f28721db5ece6705be4f932e1d041893eef71"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77258,10 +77391,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_2B250178 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "636605cf63d3e335fe9481d4d110c43572e9ab365edfa2b6d16d96b52d6283ef"
- logic_hash = "067705c52de710372b4a2a3b77427106068ad2d9a8e56602e315d09e7b8b6206"
+ logic_hash = "v1_sha256_067705c52de710372b4a2a3b77427106068ad2d9a8e56602e315d09e7b8b6206"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77287,10 +77420,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_67Bf4B54 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L61-L79"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L61-L79"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9d33fba4fda6831d22afc72bf3d6d5349c5393abb3823dfa2a5c9e391d2b9ddf"
- logic_hash = "448f5b9dc3c17984464c15f6d542f495a52b0531acc362dedfe3d1a20b932969"
+ logic_hash = "v1_sha256_448f5b9dc3c17984464c15f6d542f495a52b0531acc362dedfe3d1a20b932969"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77316,9 +77449,9 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_504B42Ca : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L81-L98"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "dd3ed5350e0229ac714178a30de28893c30708734faec329c776e189493cf930"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L81-L98"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_dd3ed5350e0229ac714178a30de28893c30708734faec329c776e189493cf930"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77344,10 +77477,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_D1Bb752F : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L100-L118"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L100-L118"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "bea55bc9495ee51c78ceedadf3a685ea9d6dd428170888c67276c100d4d94beb"
- logic_hash = "47aa5516350d5c00d1387649df46ce8f09d87bdfafeaa4cbf1c3ef5f2e0b9023"
+ logic_hash = "v1_sha256_47aa5516350d5c00d1387649df46ce8f09d87bdfafeaa4cbf1c3ef5f2e0b9023"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77373,9 +77506,9 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_D625Fcd2 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L120-L137"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "b95b66392e1a07e0b6acd718a9501cede76e57561e69701e9e881bd3fbd3fe39"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L120-L137"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_b95b66392e1a07e0b6acd718a9501cede76e57561e69701e9e881bd3fbd3fe39"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77401,10 +77534,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_02D19C01 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L139-L157"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L139-L157"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b6df662f5f7566851b95884c0058e7476e49aeb7a96d2aa203393d88e584972f"
- logic_hash = "43a1dc49bf75cd13637c37290d47b4d6fc1b2c2ac252b64725c0c64e1dd745c6"
+ logic_hash = "v1_sha256_43a1dc49bf75cd13637c37290d47b4d6fc1b2c2ac252b64725c0c64e1dd745c6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77430,10 +77563,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_2Dd045Fc : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L159-L177"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L159-L177"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "30a77ab582f0558829a78960929f657a7c3c03c2cf89cd5a0f6934b79a74b7a4"
- logic_hash = "fa23ca75027f7a5e73652173c9e84112a0b5cd3008fc453fdb33c980dc7b7b24"
+ logic_hash = "v1_sha256_fa23ca75027f7a5e73652173c9e84112a0b5cd3008fc453fdb33c980dc7b7b24"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77459,10 +77592,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_D1A814B0 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L179-L197"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L179-L197"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "bea55bc9495ee51c78ceedadf3a685ea9d6dd428170888c67276c100d4d94beb"
- logic_hash = "a06f5d5be87153be1253c2e20a60fa36701a745813926be03ee466ce8e2285b0"
+ logic_hash = "v1_sha256_a06f5d5be87153be1253c2e20a60fa36701a745813926be03ee466ce8e2285b0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77488,10 +77621,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_C6218E30 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L199-L217"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L199-L217"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b43ddd8e355b0c538c123c43832e7c8c557e4aee9e914baaed0866ee5d68ee55"
- logic_hash = "3efbc3cb1591a9340df10640b411a9ab4c41e0aa26c1677d9def8b82e4c246f4"
+ logic_hash = "v1_sha256_3efbc3cb1591a9340df10640b411a9ab4c41e0aa26c1677d9def8b82e4c246f4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77517,10 +77650,10 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_B17A7888 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xmrminer.yar#L219-L237"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xmrminer.yar#L219-L237"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "65c9fdd7c559554af06cd394dcebece1bc0fdc7dd861929a35c74547376324a6"
- logic_hash = "a7f6daa5c42d186d2c5a027fdb35b45287c3564a7b57b8a2f53659e6ca90602a"
+ logic_hash = "v1_sha256_a7f6daa5c42d186d2c5a027fdb35b45287c3564a7b57b8a2f53659e6ca90602a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77546,10 +77679,10 @@ rule ELASTIC_Windows_Trojan_Behinder_B9A49F4B : FILE MEMORY
 date = "2023-03-02"
 modified = "2023-06-13"
 reference = "https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Behinder.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Behinder.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a50ca8df4181918fe0636272f31e19815f1b97cce6d871e15e03b0ee0e3da17b"
- logic_hash = "2303ef82e4dc5e8be87ddc4563dcd06963d17e1fbf25cf246a6c81e4e74adbcb"
+ logic_hash = "v1_sha256_2303ef82e4dc5e8be87ddc4563dcd06963d17e1fbf25cf246a6c81e4e74adbcb"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -77577,10 +77710,10 @@ rule ELASTIC_Windows_Trojan_Dustywarehouse_A6Cfc9F7 : FILE MEMORY
 date = "2023-08-25"
 modified = "2023-11-02"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DustyWarehouse.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DustyWarehouse.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8c4de69e89dcc659d2fff52d695764f1efd7e64e0a80983ce6d0cb9eeddb806c"
- logic_hash = "2b4cd9316e2fda882c95673edecb9c82a03ef4fdcc2d2e25783644cc5dfb5bf0"
+ logic_hash = "v1_sha256_2b4cd9316e2fda882c95673edecb9c82a03ef4fdcc2d2e25783644cc5dfb5bf0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77610,10 +77743,10 @@ rule ELASTIC_Windows_Trojan_Dustywarehouse_3Fef514B : FILE MEMORY
 date = "2024-05-30"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DustyWarehouse.yar#L25-L43"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DustyWarehouse.yar#L25-L43"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4ad024f53595fdd380f5b5950b62595cd47ac424d2427c176a7b2dfe4e1f35f7"
- logic_hash = "865ea1e54950a465b71939a41f7a726ccddcfa9f0d777ea853926f65bca0da84"
+ logic_hash = "v1_sha256_865ea1e54950a465b71939a41f7a726ccddcfa9f0d777ea853926f65bca0da84"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77639,10 +77772,10 @@ rule ELASTIC_Linux_Exploit_Criscras_Fc505C1D : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Criscras.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Criscras.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7399f6b8fbd6d6c6fb56ab350c84910fe19cc5da67e4de37065ff3d4648078ab"
- logic_hash = "4d84570c13c584fb7360e798df9f3e6039ee74fdb6ad597add0ea150e3deaa80"
+ logic_hash = "v1_sha256_4d84570c13c584fb7360e798df9f3e6039ee74fdb6ad597add0ea150e3deaa80"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77668,10 +77801,10 @@ rule ELASTIC_Windows_Hacktool_Sharpgpoabuse_14Ea480E : FILE MEMORY
 date = "2024-03-25"
 modified = "2024-05-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpGPOAbuse.yar#L1-L26"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpGPOAbuse.yar#L1-L26"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d13f87b9eaf09ef95778b2f1469aa34d03186d127c8f73c73299957d386c78d1"
- logic_hash = "efc1259f4ed05c8f41df75c056d36fd5a808a92b5c88cfb0522caedea39476b4"
+ logic_hash = "v1_sha256_efc1259f4ed05c8f41df75c056d36fd5a808a92b5c88cfb0522caedea39476b4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77693,7 +77826,7 @@ rule ELASTIC_Windows_Hacktool_Sharpgpoabuse_14Ea480E : FILE MEMORY
 $s7 = "NewImmediateTask" wide fullword
 condition:
- ($name and 1 of ($s*)) or all of ($s*)
+ ($name and 1 of ( $s* ) ) or all of ( $s* )
 }
 
 rule ELASTIC_Windows_Vulndriver_Threatfire_Cbe7Ac92 : FILE MEMORY
 {
@@ -77704,10 +77837,10 @@ rule ELASTIC_Windows_Vulndriver_Threatfire_Cbe7Ac92 : FILE MEMORY
 date = "2024-08-19"
 modified = "2024-09-30"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_ThreatFire.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_ThreatFire.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1c1a4ca2cbac9fe5954763a20aeb82da9b10d028824f42fff071503dcbe15856"
- logic_hash = "689e17c9fdfc9de10a2cf3d39306103712504ab46db35ac65ed0340c83af240d"
+ logic_hash = "v1_sha256_689e17c9fdfc9de10a2cf3d39306103712504ab46db35ac65ed0340c83af240d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77723,7 +77856,7 @@ rule ELASTIC_Windows_Vulndriver_Threatfire_Cbe7Ac92 : FILE MEMORY
 $str1 = "ThreatFire" wide fullword
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and all of them
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and all of them
 }
 
 rule ELASTIC_Windows_Hacktool_Clroxide_D92D9575 : FILE MEMORY
 {
@@ -77734,10 +77867,10 @@ rule ELASTIC_Windows_Hacktool_Clroxide_D92D9575 : FILE MEMORY
 date = "2024-02-29"
 modified = "2024-03-21"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_ClrOxide.yar#L1-L25"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_ClrOxide.yar#L1-L25"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f3a4900eff80563bff586ced172c3988347980f902aceef2f9f9f6d188fac8e3"
- logic_hash = "01bb071e1286bb139c5e1c37e421153ef1b28a5994feeaedf6ad27ad7dade5e9"
+ logic_hash = "v1_sha256_01bb071e1286bb139c5e1c37e421153ef1b28a5994feeaedf6ad27ad7dade5e9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77769,9 +77902,9 @@ rule ELASTIC_Windows_Hacktool_Askcreds_34E3E3D4 : FILE MEMORY
 date = "2023-05-16"
 modified = "2023-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_AskCreds.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "d911566ca546a8546928cd0ffa838fd344b35f75a4a7e80789d20e52c7cd38d0"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_AskCreds.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_d911566ca546a8546928cd0ffa838fd344b35f75a4a7e80789d20e52c7cd38d0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77799,10 +77932,10 @@ rule ELASTIC_Windows_Trojan_Generic_A681F24A : FILE MEMORY date = "2021-06-10" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa" - logic_hash = "72bfefc8f92dbe65d197e02bf896315dcbc54d7b68d0434f43de026ccf934f40" + logic_hash = "v1_sha256_72bfefc8f92dbe65d197e02bf896315dcbc54d7b68d0434f43de026ccf934f40" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -77830,9 +77963,9 @@ rule ELASTIC_Windows_Trojan_Generic_Ae824B13 : REF1296 FILE MEMORY date = "2022-02-03" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L23-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "cee46c1efdaa1815606f932a4f79b316e02c1b481e73c4c2f8b7c72023e8684c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L23-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_cee46c1efdaa1815606f932a4f79b316e02c1b481e73c4c2f8b7c72023e8684c" score = 75 quality = 67 tags = "REF1296, FILE, MEMORY" @@ -77861,9 +77994,9 @@ rule ELASTIC_Windows_Trojan_Generic_Eb47E754 : REF1296 FILE MEMORY date = "2022-02-03" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L45-L65" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "1d96e813ed0261bd0d7caca2803ed8d5fe4d77ea00efc9130eef86aa872c4656" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L45-L65" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_1d96e813ed0261bd0d7caca2803ed8d5fe4d77ea00efc9130eef86aa872c4656" score = 75 quality = 67 tags = "REF1296, FILE, MEMORY" 
@@ -77892,10 +78025,10 @@ rule ELASTIC_Windows_Trojan_Generic_C7Fd8D38 : FILE MEMORY date = "2022-02-17" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L67-L89" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L67-L89" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a1702ec12c2bf4a52e11fbdab6156358084ad2c662c8b3691918ef7eabacde96" - logic_hash = "81c56cd741692a7f2a894c2b8f2676aad47f14221228b9466a2ab0f05d76c623" + logic_hash = "v1_sha256_81c56cd741692a7f2a894c2b8f2676aad47f14221228b9466a2ab0f05d76c623" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77925,10 +78058,10 @@ rule ELASTIC_Windows_Trojan_Generic_Bbe6C282 : FILE MEMORY date = "2022-03-02" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L91-L109" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L91-L109" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a44c46d4b9cf1254aaabd1e689f84c4d2c3dd213597f827acabface03a1ae6d1" - logic_hash = "fe874d69ae71775cf997845c90e731479569e2ac1ac882a4b8c3c73d015b1f30" + logic_hash = "v1_sha256_fe874d69ae71775cf997845c90e731479569e2ac1ac882a4b8c3c73d015b1f30" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77954,10 +78087,10 @@ rule ELASTIC_Windows_Trojan_Generic_889B1248 : FILE MEMORY date = "2022-03-11" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L111-L132" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L111-L132" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a48d57a139c7e3efa0c47f8699e2cf6159dc8cdd823b16ce36257eb8c9d14d53" - logic_hash = "b3bb93b95377d6c6606d29671395b78c0954cc47d5cc450436799638d0458469" + logic_hash = "v1_sha256_b3bb93b95377d6c6606d29671395b78c0954cc47d5cc450436799638d0458469" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -77986,10 +78119,10 @@ rule ELASTIC_Windows_Trojan_Generic_02A87A20 : FILE MEMORY date = "2022-03-04" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L134-L152" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L134-L152" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" - logic_hash = "610db1b429ed2ecfc552f73ed4782cb56254e6fc98b728ffeff6938fbcce9616" + logic_hash = "v1_sha256_610db1b429ed2ecfc552f73ed4782cb56254e6fc98b728ffeff6938fbcce9616" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78015,10 +78148,10 @@ rule ELASTIC_Windows_Trojan_Generic_4Fbff084 : FILE MEMORY date = "2023-02-28" modified = "2023-04-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L154-L175" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L154-L175" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7010a69ba77e65e70f4f3f4a10af804e6932c2218ff4abd5f81240026822b401" - logic_hash = "47d1a01e0edee3239d99ff1f32eb4cfc77d6e38823fed799a562e142d3d3a22d" + logic_hash = "v1_sha256_47d1a01e0edee3239d99ff1f32eb4cfc77d6e38823fed799a562e142d3d3a22d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78047,10 +78180,10 @@ rule ELASTIC_Windows_Trojan_Generic_73Ed7375 : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L177-L196" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L177-L196" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2b17328a3ef0e389419c9c86f81db4118cf79640799e5c6fdc97de0fc65ad556" - logic_hash = "7e27c9377d0b2058a2a36da4ac7d37a54c566f3246e69aa356171edae6b478c5" + logic_hash = "v1_sha256_7e27c9377d0b2058a2a36da4ac7d37a54c566f3246e69aa356171edae6b478c5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78077,10 +78210,10 @@ rule ELASTIC_Windows_Trojan_Generic_96Cdf3C4 : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L198-L217" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L198-L217" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9a4d68de36f1706a3083de7eb41f839d8c7a4b8b585cc767353df12866a48c81" - logic_hash = "f92e5549aca320d71e1eec8daa82e8bbf3517c7f23f376bb355fdfa32da2e7a9" + logic_hash = "v1_sha256_f92e5549aca320d71e1eec8daa82e8bbf3517c7f23f376bb355fdfa32da2e7a9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78107,10 +78240,10 @@ rule ELASTIC_Windows_Trojan_Generic_F0C79978 : FILE MEMORY date = "2023-07-27" modified = "2023-09-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L219-L238" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L219-L238" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8f800b35bfbc8474f64b76199b846fe56b24a3ffd8c7529b92ff98a450d3bd38" - logic_hash = "b16971ed0947660dda8d79c11531a9498a80e00f2dbc2c0eb63895b7f5c5f980" + logic_hash = "v1_sha256_b16971ed0947660dda8d79c11531a9498a80e00f2dbc2c0eb63895b7f5c5f980" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78137,10 +78270,10 @@ rule ELASTIC_Windows_Trojan_Generic_40899C85 : FILE MEMORY date = "2023-12-15" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L240-L260" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L240-L260" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "88eb4f2e7085947bfbd03c69573fdca0de4a74bab844f09ecfcf88e358af20cc" - logic_hash = "317034add0343baa26548712de8b2acc04946385fbee048cea0bd8d7ae642b36" + logic_hash = "v1_sha256_317034add0343baa26548712de8b2acc04946385fbee048cea0bd8d7ae642b36" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78168,9 +78301,9 @@ rule ELASTIC_Windows_Trojan_Generic_9997489C : FILE MEMORY date = "2024-01-31" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L262-L290" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "857bbf64ced06f76eb50afbfbb699c62e11625196213c2e5267b828cca911b74" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L262-L290" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_857bbf64ced06f76eb50afbfbb699c62e11625196213c2e5267b828cca911b74" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78207,10 +78340,10 @@ rule ELASTIC_Windows_Trojan_Generic_2993E5A5 : FILE MEMORY date = "2024-03-18" modified = "2024-03-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L292-L310" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L292-L310" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9f9b926cef69e879462d9fa914dda8c60a01f3d409b55afb68c3fb94bf1a339b" - logic_hash = "37a10597d1afeb9411f6c652537186628291cbe6af680abe12bb96591add7e78" + logic_hash = "v1_sha256_37a10597d1afeb9411f6c652537186628291cbe6af680abe12bb96591add7e78" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78236,10 +78369,10 @@ rule ELASTIC_Windows_Trojan_Generic_0E135D58 : FILE MEMORY date = "2024-03-19" modified = "2024-03-19" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Generic.yar#L312-L330" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Generic.yar#L312-L330" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c" - logic_hash = "bc10218b1d761f72836bb5f9bb41d3f0fe13c4baa1109025269f938ec642aec4" + logic_hash = "v1_sha256_bc10218b1d761f72836bb5f9bb41d3f0fe13c4baa1109025269f938ec642aec4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78265,10 +78398,10 @@ rule ELASTIC_Windows_Vulndriver_Cpuz_A53D1446 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Cpuz.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Cpuz.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" - logic_hash = "37da20f5fe1377fe85594055dc811424f52e53a9d77060c6784c2e4d1279e26f" + logic_hash = "v1_sha256_37da20f5fe1377fe85594055dc811424f52e53a9d77060c6784c2e4d1279e26f" score = 75 quality = 75 tags = "FILE" @@ -78285,7 +78418,7 @@ rule ELASTIC_Windows_Vulndriver_Cpuz_A53D1446 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x04][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x03][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Trojan_Bloodalchemy_3793364E : FILE MEMORY { 
@@ -78296,9 +78429,9 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_3793364E : FILE MEMORY date = "2023-09-25" modified = "2023-09-25" reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BloodAlchemy.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c9f03767b92bb2c44f6b386e1f0a521f1a7a063cf73799844cc3423d4a7de7be" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BloodAlchemy.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c9f03767b92bb2c44f6b386e1f0a521f1a7a063cf73799844cc3423d4a7de7be" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78325,9 +78458,9 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_E510798D : FILE MEMORY date = "2023-09-25" modified = "2023-09-25" reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BloodAlchemy.yar#L22-L41" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7919bb5f19745a1620e6be91622c40083cbd2ddb02905215736a2ed11e9af5c4" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BloodAlchemy.yar#L22-L41" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7919bb5f19745a1620e6be91622c40083cbd2ddb02905215736a2ed11e9af5c4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78354,9 +78487,9 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_63084Eea : FILE MEMORY date = "2023-09-25" modified = "2023-09-25" reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BloodAlchemy.yar#L43-L61" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "3fe64502992281511e942b8f4541d61b33e900dbe23ea9f976c7eb9522ce4cbd" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BloodAlchemy.yar#L43-L61" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_3fe64502992281511e942b8f4541d61b33e900dbe23ea9f976c7eb9522ce4cbd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78382,9 +78515,9 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_C2D80609 : FILE MEMORY date = "2023-09-25" modified = "2023-09-25" reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BloodAlchemy.yar#L63-L81" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "694a0f917f106fbdde4c8e5dd8f9cdce56e9423ce5a7c3a5bf30bf43308d42e9" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BloodAlchemy.yar#L63-L81" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_694a0f917f106fbdde4c8e5dd8f9cdce56e9423ce5a7c3a5bf30bf43308d42e9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78410,9 +78543,9 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_De591C5A : FILE MEMORY date = "2023-09-25" modified = "2023-11-02" reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BloodAlchemy.yar#L83-L106" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "fd5cfe2558a7c02a617003140cdcf477ec451ecea4adf2808bef8f93673c28f1" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BloodAlchemy.yar#L83-L106" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_fd5cfe2558a7c02a617003140cdcf477ec451ecea4adf2808bef8f93673c28f1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -78432,7 +78565,7 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_De591C5A : FILE MEMORY $com_tm_iid = { C0 C7 A4 AB 2F A9 4D 13 40 96 97 20 CC 3F D4 0F 85 } condition: - any of ($crypto_*) and all of ($com_tm_*) + any of ( $crypto_* ) and all of ( $com_tm_* ) } rule ELASTIC_Windows_Vulndriver_Rweverything_Aee156A5 : FILE { 
@@ -78443,10 +78576,10 @@ rule ELASTIC_Windows_Vulndriver_Rweverything_Aee156A5 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_RWEverything.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_RWEverything.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b" - logic_hash = "46b7f2ad46564c6b99f0df6146dff7c88ccbe3ad6c6d1bcbefe756606c4fe40e" + logic_hash = "v1_sha256_46b7f2ad46564c6b99f0df6146dff7c88ccbe3ad6c6d1bcbefe756606c4fe40e" score = 75 quality = 75 tags = "FILE" @@ -78462,7 +78595,7 @@ rule ELASTIC_Windows_Vulndriver_Rweverything_Aee156A5 : FILE $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 52 00 77 00 44 00 72 00 76 00 2E 00 73 00 79 00 73 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name } rule ELASTIC_Windows_Trojan_Bazar_711D59F6 : FILE MEMORY { 
@@ -78473,10 +78606,10 @@ rule ELASTIC_Windows_Trojan_Bazar_711D59F6 : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bazar.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bazar.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f29253139dab900b763ef436931213387dc92e860b9d3abb7dcd46040ac28a0e" - logic_hash = "3bde62b468c44bdc18878fd369a7f0cf06f7be64149587a11524f725fa875f69" + logic_hash = "v1_sha256_3bde62b468c44bdc18878fd369a7f0cf06f7be64149587a11524f725fa875f69" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78502,10 +78635,10 @@ rule ELASTIC_Windows_Trojan_Bazar_9Dddea36 : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bazar.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bazar.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "63df43daa61f9a0fbea2e5409b8f0063f7af3363b6bc8d6984ce7e90c264727d" - logic_hash = "cf88e2e896fce742ad3325d53523167d6eb42188309ed4e66f73601bbb85574e" + logic_hash = "v1_sha256_cf88e2e896fce742ad3325d53523167d6eb42188309ed4e66f73601bbb85574e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78531,10 +78664,10 @@ rule ELASTIC_Windows_Trojan_Bazar_3A2Cc53B : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bazar.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bazar.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b057eb94e711995fd5fd6c57aa38a243575521b11b98734359658a7a9829b417" - logic_hash = "8cde37be646dbcf7e7f5e3f28f0fe8c95480861c62fa2ee8cdd990859313756c" + logic_hash = "v1_sha256_8cde37be646dbcf7e7f5e3f28f0fe8c95480861c62fa2ee8cdd990859313756c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78560,10 +78693,10 @@ rule ELASTIC_Windows_Trojan_Bazar_De8D625A : FILE MEMORY date = "2022-01-14" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bazar.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bazar.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ad9ac4785b82c8bfa355c7343b9afc7b1f163471c41671ea2f9152a1b550f0c" - logic_hash = "5fd7bb4ac818ec1b4bfcb7d236868a31b2f726182407c07c7f06c1d7e9c15d02" + logic_hash = "v1_sha256_5fd7bb4ac818ec1b4bfcb7d236868a31b2f726182407c07c7f06c1d7e9c15d02" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78589,10 +78722,10 @@ rule ELASTIC_Windows_Trojan_Xpertrat_Ce03C41D : FILE MEMORY date = "2021-08-06" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Xpertrat.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Xpertrat.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d7f2fddb43eb63f9246f0a4535dfcca6da2817592455d7eceaacde666cf1aaae" - logic_hash = "f6ff0a11f261bc75c9d0015131f177d39bb9e8e30346a75209ba8fa808ac4fcb" + logic_hash = "v1_sha256_f6ff0a11f261bc75c9d0015131f177d39bb9e8e30346a75209ba8fa808ac4fcb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78620,10 +78753,10 @@ rule ELASTIC_Windows_Hacktool_Sharplaps_381C3F40 : FILE MEMORY date = "2022-12-22" modified = "2022-12-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpLAPS.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpLAPS.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ef0d508b3051fe6f99ba55202a17237f29fdbc0085e3f5c99b1aef52c8ebe425" - logic_hash = "d94f9e4200a63283346919c121873130ad90e4ad5979c017cb71dc0cc910a64a" + logic_hash = "v1_sha256_d94f9e4200a63283346919c121873130ad90e4ad5979c017cb71dc0cc910a64a" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -78645,7 +78778,7 @@ rule ELASTIC_Windows_Hacktool_Sharplaps_381C3F40 : FILE MEMORY $str6 = "ms-Mcs-AdmPwd" ascii wide condition: - $guid or 6 of ($str*) + $guid or 6 of ( $str* ) } rule ELASTIC_Windows_Trojan_Masslogger_511B001E : FILE MEMORY { 
@@ -78656,10 +78789,10 @@ rule ELASTIC_Windows_Trojan_Masslogger_511B001E : FILE MEMORY date = "2022-03-02" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_MassLogger.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_MassLogger.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "177875c756a494872c516000beb6011cec22bd9a73e58ba6b2371dba2ab8c337" - logic_hash = "5abac5e32e55467710842e19c25cab5c7f1cdb0f8a68fb6808d54467c69ebdf6" + logic_hash = "v1_sha256_5abac5e32e55467710842e19c25cab5c7f1cdb0f8a68fb6808d54467c69ebdf6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78690,10 +78823,10 @@ rule ELASTIC_Linux_Rootkit_Melofee_25D42Bdd : FILE MEMORY date = "2024-11-14" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Melofee.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Melofee.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5830862707711a032728dfa6a85c904020766fa316ea85b3eef9c017f0e898cc" - logic_hash = "5af18434295e80403c3587165cd9db3b771d8f06eaa467e1161a0cd213446bee" + logic_hash = "v1_sha256_5af18434295e80403c3587165cd9db3b771d8f06eaa467e1161a0cd213446bee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78727,10 +78860,10 @@ rule ELASTIC_Linux_Cryptominer_Loudminer_581F57A9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Loudminer.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Loudminer.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2c2729395805fc9d3c1e654c9a065bbafc4f28d8ab235afaae8d2c484060596b" - logic_hash = "82db0985f215da1d84e16fce94df7553b43b06082bf5475515dbbcf016c40fe4" + logic_hash = "v1_sha256_82db0985f215da1d84e16fce94df7553b43b06082bf5475515dbbcf016c40fe4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78756,10 +78889,10 @@ rule ELASTIC_Linux_Cryptominer_Loudminer_F2298A50 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Loudminer.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Loudminer.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2c2729395805fc9d3c1e654c9a065bbafc4f28d8ab235afaae8d2c484060596b" - logic_hash = "6c2c9b6aea1fb35f8f600dd084ed9cfd56123f7502036e76dd168ccd8b43b28f" + logic_hash = "v1_sha256_6c2c9b6aea1fb35f8f600dd084ed9cfd56123f7502036e76dd168ccd8b43b28f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78785,10 +78918,10 @@ rule ELASTIC_Linux_Cryptominer_Loudminer_851Fc7Aa : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Loudminer.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Loudminer.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2c2729395805fc9d3c1e654c9a065bbafc4f28d8ab235afaae8d2c484060596b" - logic_hash = "9f271a16fe30fbf0c16533522b733228f19e0c44d173e4c0ef43bf13323e7383" + logic_hash = "v1_sha256_9f271a16fe30fbf0c16533522b733228f19e0c44d173e4c0ef43bf13323e7383" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78814,10 +78947,10 @@ rule ELASTIC_Windows_Vulndriver_Windivert_25991186 : FILE MEMORY date = "2024-06-20" modified = "2024-07-02" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_WinDivert.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_WinDivert.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8da085332782708d8767bcace5327a6ec7283c17cfb85e40b03cd2323a90ddc2" - logic_hash = "a67679bb2f23d1f6691c9ad23da1fd4c2402701ba1929c7abf078d7d95011a08" + logic_hash = "v1_sha256_a67679bb2f23d1f6691c9ad23da1fd4c2402701ba1929c7abf078d7d95011a08" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -78832,7 +78965,7 @@ rule ELASTIC_Windows_Vulndriver_Windivert_25991186 : FILE MEMORY $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 44 00 69 00 76 00 65 00 72 00 74 00 2E 00 73 00 79 00 73 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $original_file_name } rule ELASTIC_Linux_Trojan_Sshdkit_18A0B82A : FILE MEMORY { 
@@ -78843,10 +78976,10 @@ rule ELASTIC_Linux_Trojan_Sshdkit_18A0B82A : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sshdkit.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sshdkit.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "003245047359e17706e4504f8988905a219fcb48865afea934e6aafa7f97cef6" - logic_hash = "4b7a78ebf3c114809148cc9855379b2e63c959966272ad45759838d570b42016" + logic_hash = "v1_sha256_4b7a78ebf3c114809148cc9855379b2e63c959966272ad45759838d570b42016" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78872,10 +79005,10 @@ rule ELASTIC_Windows_Trojan_Raccoon_Af6Decc6 : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Raccoon.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Raccoon.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fe09bef10b21f085e9ca411e24e0602392ab5044b7268eaa95fb88790f1a124d" - logic_hash = "50ec446e8fd51129c7333c943dfe62db099fe1379530441f6b102fcbe3bc0dbd" + logic_hash = "v1_sha256_50ec446e8fd51129c7333c943dfe62db099fe1379530441f6b102fcbe3bc0dbd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78902,10 +79035,10 @@ rule ELASTIC_Windows_Trojan_Raccoon_58091F64 : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Raccoon.yar#L22-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Raccoon.yar#L22-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fe09bef10b21f085e9ca411e24e0602392ab5044b7268eaa95fb88790f1a124d" - logic_hash = "8a7388e9c3dd0dd1a79215dbabcd964a0afa883490611afb6bb500635fbfff9a" + logic_hash = "v1_sha256_8a7388e9c3dd0dd1a79215dbabcd964a0afa883490611afb6bb500635fbfff9a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78931,10 +79064,10 @@ rule ELASTIC_Windows_Trojan_Raccoon_Deb6325C : FILE MEMORY date = "2022-06-28" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Raccoon.yar#L42-L63" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Raccoon.yar#L42-L63" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f7b1aaae018d5287444990606fc43a0f2deb4ac0c7b2712cc28331781d43ae27" - logic_hash = "94f70c60ed4fab021e013cf6a632321e0e1bdeef25a48a598d9e7388e7e445ca" + logic_hash = "v1_sha256_94f70c60ed4fab021e013cf6a632321e0e1bdeef25a48a598d9e7388e7e445ca" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -78963,10 +79096,10 @@ rule ELASTIC_Windows_Vulndriver_Arpot_09C714C5 : FILE date = "2022-04-27" modified = "2022-05-03" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_ArPot.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_ArPot.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - logic_hash = "e5f972ad9a31aefbd20237e6ea3dd19a025c2e3487fa080e9f9b8acf1e3f58e6" + logic_hash = "v1_sha256_e5f972ad9a31aefbd20237e6ea3dd19a025c2e3487fa080e9f9b8acf1e3f58e6" score = 75 quality = 75 tags = "FILE" @@ -78983,7 +79116,7 @@ rule ELASTIC_Windows_Vulndriver_Arpot_09C714C5 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x01][\x00-\x00])([\x00-\x15][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\xbb][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x14][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x15][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x15][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xba][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Linux_Trojan_Rekoobe_E75472Fa : FILE MEMORY { 
@@ -78994,10 +79127,10 @@ rule ELASTIC_Linux_Trojan_Rekoobe_E75472Fa : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rekoobe.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rekoobe.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8d2a9e363752839a09001a9e3044ab7919daffd9d9aee42d936bc97394164a88" - logic_hash = "e3e9934ee8ce6933f676949c5b5c82ad044ac32f08fe86697b0a0cf7fb63fc5e" + logic_hash = "v1_sha256_e3e9934ee8ce6933f676949c5b5c82ad044ac32f08fe86697b0a0cf7fb63fc5e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79023,10 +79156,10 @@ rule ELASTIC_Linux_Trojan_Rekoobe_52462Fe8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rekoobe.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rekoobe.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c1d8c64105caecbd90c6e19cf89301a4dc091c44ab108e780bdc8791a94caaad" - logic_hash = "1ab6979392eeaa7bd6bd84f8d3531bd9071c54b58306a42dcfdd27bf7ec8f8cd" + logic_hash = "v1_sha256_1ab6979392eeaa7bd6bd84f8d3531bd9071c54b58306a42dcfdd27bf7ec8f8cd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79052,10 +79185,10 @@ rule ELASTIC_Linux_Trojan_Rekoobe_De9E7Bdf : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rekoobe.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rekoobe.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "447da7bee72c98c2202f1919561543e54ec1b9b67bd67e639b9fb6e42172d951" - logic_hash = "bdc4a3e4eeffc0d32e6a86dda54beceab8301d0065731d9ade390392ab4c6126" + logic_hash = "v1_sha256_bdc4a3e4eeffc0d32e6a86dda54beceab8301d0065731d9ade390392ab4c6126" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79081,10 +79214,10 @@ rule ELASTIC_Linux_Trojan_Rekoobe_B41F70C2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rekoobe.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rekoobe.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "19c1a54279be1710724fc75a112741575936fe70379d166effc557420da714cd" - logic_hash = "02de55c537da1cc03af26a171c768ad87984e45983c3739f90ad9983c70e7ccf" + logic_hash = "v1_sha256_02de55c537da1cc03af26a171c768ad87984e45983c3739f90ad9983c70e7ccf" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79110,10 +79243,10 @@ rule ELASTIC_Linux_Trojan_Rekoobe_1D307D7C : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rekoobe.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rekoobe.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00bc669f79b2903c5d9e6412050655486111647c646698f9a789e481a7c98662" - logic_hash = "de4807353d2ba977459a1bf7f51fd815e311c0bdc5fccd5e99fd44a766f6866f" + logic_hash = "v1_sha256_de4807353d2ba977459a1bf7f51fd815e311c0bdc5fccd5e99fd44a766f6866f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79139,10 +79272,10 @@ rule ELASTIC_Linux_Trojan_Rekoobe_7F7Aba78 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rekoobe.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rekoobe.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "50b73742726b0b7e00856e288e758412c74371ea2f0eaf75b957d73dfb396fd7" - logic_hash = "a3b46d29fa51dd6a911cb9cb0e67e9d57d3f3b6697dc8edcc4d82f09d9819a92" + logic_hash = "v1_sha256_a3b46d29fa51dd6a911cb9cb0e67e9d57d3f3b6697dc8edcc4d82f09d9819a92" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79168,10 +79301,10 @@ rule ELASTIC_Linux_Trojan_Rekoobe_Ab8Ba790 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rekoobe.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rekoobe.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2aee0c74d9642ffab1f313179c26400acf60d7cbd2188bade28534d403f468d4" - logic_hash = "2a7a71712ad3f756a2dc53ec80bd9fb625f7c679fd9566945ebfeb392b9874a9" + logic_hash = "v1_sha256_2a7a71712ad3f756a2dc53ec80bd9fb625f7c679fd9566945ebfeb392b9874a9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79197,10 +79330,10 @@ rule ELASTIC_Linux_Trojan_Dofloo_Be1973Ed : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dofloo.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dofloo.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "88d826bac06c29e1b9024baaf90783e15d87d2a5c8c97426cbd5a70ae0f99461" - logic_hash = "65f9daabf44006fe4405032bf93570185248bc62cd287650c68f854b23aa2158" + logic_hash = "v1_sha256_65f9daabf44006fe4405032bf93570185248bc62cd287650c68f854b23aa2158" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79226,10 +79359,10 @@ rule ELASTIC_Linux_Trojan_Dofloo_1D057993 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dofloo.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dofloo.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "88d826bac06c29e1b9024baaf90783e15d87d2a5c8c97426cbd5a70ae0f99461" - logic_hash = "c5e15e21946816052d5a8dc293db3830f1d6d06cdbf22eb8667b655206dbbc1f" + logic_hash = "v1_sha256_c5e15e21946816052d5a8dc293db3830f1d6d06cdbf22eb8667b655206dbbc1f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79255,10 +79388,10 @@ rule ELASTIC_Linux_Trojan_Dofloo_29C12775 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dofloo.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dofloo.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "88d826bac06c29e1b9024baaf90783e15d87d2a5c8c97426cbd5a70ae0f99461" - logic_hash = "a8eb79fdf57811f4ffd5a7c5ec54cf46c06281f8cd4d677aec1ad168d6648a08" + logic_hash = "v1_sha256_a8eb79fdf57811f4ffd5a7c5ec54cf46c06281f8cd4d677aec1ad168d6648a08" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79284,10 +79417,10 @@ rule ELASTIC_Linux_Trojan_Pnscan_20E34E35 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Pnscan.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Pnscan.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7dbd5b709f16296ba7dac66dc35b9c3373cf88452396d79d0c92d7502c1b0005" - logic_hash = "1e69ef50d25ffd0f38ed0eb81ab3295822aa183c5e06f307caf02826b1dfa011" + logic_hash = "v1_sha256_1e69ef50d25ffd0f38ed0eb81ab3295822aa183c5e06f307caf02826b1dfa011" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79313,10 +79446,10 @@ rule ELASTIC_Linux_Cryptominer_Stak_05088561 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Stak.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Stak.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d0d2bab33076121cf6a0a2c4ff1738759464a09ae4771c39442a865a76daff59" - logic_hash = "2b0f8a4efdfb13abcc2a1b43e9c39828ea1de6015fef0ef613bd754da5aa3e9a" + logic_hash = "v1_sha256_2b0f8a4efdfb13abcc2a1b43e9c39828ea1de6015fef0ef613bd754da5aa3e9a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79342,9 +79475,9 @@ rule ELASTIC_Linux_Cryptominer_Stak_Ae8B98A9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Stak.yar#L21-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "aade76488aa2f557de9082647153cca374a4819cd8e539ebba4bfef2334221b0" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Stak.yar#L21-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_aade76488aa2f557de9082647153cca374a4819cd8e539ebba4bfef2334221b0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79370,10 +79503,10 @@ rule ELASTIC_Linux_Cryptominer_Stak_D707Fd3A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Stak.yar#L40-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Stak.yar#L40-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d0d2bab33076121cf6a0a2c4ff1738759464a09ae4771c39442a865a76daff59" - logic_hash = "b825247372aace6e3ce0ff1d9685b6bb041b7277f8967d5f5926b49813cfadc9" + logic_hash = "v1_sha256_b825247372aace6e3ce0ff1d9685b6bb041b7277f8967d5f5926b49813cfadc9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79399,10 +79532,10 @@ rule ELASTIC_Linux_Cryptominer_Stak_52Dc7Af3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Stak.yar#L60-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Stak.yar#L60-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a9c14b51f95d0c368bf90fb10e7d821a2fbcc79df32fd9f068a7fc053cbd7e83" - logic_hash = "81998164f517b6f1ef72b10227cfff86aa8bbd2b4e2668f946c8ed59696ae74d" + logic_hash = "v1_sha256_81998164f517b6f1ef72b10227cfff86aa8bbd2b4e2668f946c8ed59696ae74d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79428,10 +79561,10 @@ rule ELASTIC_Linux_Cryptominer_Stak_Bb3153Ac : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Stak.yar#L80-L98" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Stak.yar#L80-L98" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5b974b6e6a239bcdc067c53cc8a6180c900052d7874075244dc49aaaa9414cca" - logic_hash = "e8516a24358b12863fe52c823ca67f0004457017334fe77dabf5f08d6bf2d907" + logic_hash = "v1_sha256_e8516a24358b12863fe52c823ca67f0004457017334fe77dabf5f08d6bf2d907" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -79457,10 +79590,10 @@ rule ELASTIC_Windows_Ransomware_Blackmatter_B548D151 : FILE MEMORY date = "2021-08-03" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Blackmatter.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Blackmatter.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486" - logic_hash = "cf76a311de9d292a2ea09b3937b8eb7fd761b7c33a464a31acf6b9a5bf121959" + logic_hash = "v1_sha256_cf76a311de9d292a2ea09b3937b8eb7fd761b7c33a464a31acf6b9a5bf121959" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79486,10 +79619,10 @@ rule ELASTIC_Windows_Ransomware_Blackmatter_8394F6D5 : FILE MEMORY date = "2021-08-03" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Blackmatter.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Blackmatter.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486" - logic_hash = "50a9b65ca6dde4fc32d2d57e72042f4380dd6c263ec5c33ce7c158151b91a5ae" + logic_hash = "v1_sha256_50a9b65ca6dde4fc32d2d57e72042f4380dd6c263ec5c33ce7c158151b91a5ae" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79515,10 +79648,10 @@ rule ELASTIC_Windows_Trojan_STRRAT_A3E48Cd2 : MEMORY date = "2024-03-13" modified = "2024-03-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_STRRAT.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_STRRAT.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9" - logic_hash = "32f79695829f703bf9996d212aeb563791aed28e1bbb9f700cb45325fd02db77" + logic_hash = "v1_sha256_32f79695829f703bf9996d212aeb563791aed28e1bbb9f700cb45325fd02db77" score = 75 quality = 75 tags = "MEMORY" 
@@ -79545,10 +79678,10 @@ rule ELASTIC_Linux_Rootkit_Perfctl_Ce456896 : FILE MEMORY date = "2024-11-14" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Perfctl.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Perfctl.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "69de4c062eebb13bf2ee3ee0febfd4a621f2a17c3048416d897aecf14503213a" - logic_hash = "d3782e9674b20fc3efccf7491659969e09f74c2467f1643fe8f5019102f4ee54" + logic_hash = "v1_sha256_d3782e9674b20fc3efccf7491659969e09f74c2467f1643fe8f5019102f4ee54" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -79567,7 +79700,7 @@ rule ELASTIC_Linux_Rootkit_Perfctl_Ce456896 : FILE MEMORY $str3 = "rrr01" wide condition: - any of ($a*) or 2 of ($str*) + any of ( $a* ) or 2 of ( $str* ) } rule ELASTIC_Windows_Ransomware_Rook_Ee21Fa67 : FILE MEMORY { 
@@ -79578,10 +79711,10 @@ rule ELASTIC_Windows_Ransomware_Rook_Ee21Fa67 : FILE MEMORY date = "2022-01-14" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Rook.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Rook.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac" - logic_hash = "6fe19cfc572a3dceba5e26615d111a3c0fa1036e275a5640a5c5a8f8cdaf6dc1" + logic_hash = "v1_sha256_6fe19cfc572a3dceba5e26615d111a3c0fa1036e275a5640a5c5a8f8cdaf6dc1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79607,10 +79740,10 @@ rule ELASTIC_Windows_Ransomware_Maui_266Dea64 : FILE MEMORY date = "2022-07-08" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Maui.yar#L1-L29" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Maui.yar#L1-L29" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e" - logic_hash = "2094920615b6297adb222003d25a8d0934a89f24869e7e70644a4956021c7afc" + logic_hash = "v1_sha256_2094920615b6297adb222003d25a8d0934a89f24869e7e70644a4956021c7afc" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -79635,7 +79768,7 @@ rule ELASTIC_Windows_Ransomware_Maui_266Dea64 : FILE MEMORY $seq_get_pub_key = { B9 F4 FF FF FF 2B 4C 24 ?? 6A 02 51 53 E8 ?? ?? ?? ?? 8B 54 24 ?? 8B 07 53 6A ?? 52 50 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 32 DB 8B C7 E8 ?? ?? ?? ?? 89 46 28 8B 0F 51 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 83 C4 ?? 5F 8B C6 5E 5B 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 } condition: - 5 of ($a*) or 2 of ($seq*) + 5 of ( $a* ) or 2 of ( $seq* ) } rule ELASTIC_Windows_Vulndriver_Fidpci_Cb7F69B5 : FILE { 
@@ -79646,10 +79779,10 @@ rule ELASTIC_Windows_Vulndriver_Fidpci_Cb7F69B5 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Fidpci.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Fidpci.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46" - logic_hash = "459429fb4e5156890f19c451e48676c9cd06eaab1c2eaea9236737c795086b5f" + logic_hash = "v1_sha256_459429fb4e5156890f19c451e48676c9cd06eaab1c2eaea9236737c795086b5f" score = 75 quality = 75 tags = "FILE" @@ -79664,7 +79797,7 @@ rule ELASTIC_Windows_Vulndriver_Fidpci_Cb7F69B5 : FILE $str1 = "\\fidpcidrv64.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Linux_Rootkit_Arkd_Bbd56917 : FILE MEMORY { 
@@ -79675,10 +79808,10 @@ rule ELASTIC_Linux_Rootkit_Arkd_Bbd56917 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Arkd.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Arkd.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e0765f0e90839b551778214c2f9ae567dd44838516a3df2c73396a488227a600" - logic_hash = "5e1ce9c37d92222e21b43f9e5f3275a70c6e8eb541c3762f9382c5d5c72fb50d" + logic_hash = "v1_sha256_5e1ce9c37d92222e21b43f9e5f3275a70c6e8eb541c3762f9382c5d5c72fb50d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79704,10 +79837,10 @@ rule ELASTIC_Windows_Hacktool_Sharpdump_7C17D8B1 : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpDump.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpDump.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "14c3ea569a1bd9ac3aced4f8dd58314532dbf974bfa359979e6c7b6a4bbf41ca" - logic_hash = "10ca29b097d9f1cef27349751e8f1e584ead1056a636224a80f00823ca878c13" + logic_hash = "v1_sha256_10ca29b097d9f1cef27349751e8f1e584ead1056a636224a80f00823ca878c13" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -79726,7 +79859,7 @@ rule ELASTIC_Windows_Hacktool_Sharpdump_7C17D8B1 : FILE MEMORY $print_str3 = "[X] Not in high integrity, unable to MiniDump!" ascii wide condition: - $guid or all of ($print_str*) + $guid or all of ( $print_str* ) } rule ELASTIC_Linux_Ransomware_Royalpest_502A3Db6 : FILE MEMORY { 
@@ -79737,10 +79870,10 @@ rule ELASTIC_Linux_Ransomware_Royalpest_502A3Db6 : FILE MEMORY date = "2023-07-27" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_RoyalPest.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_RoyalPest.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "09a79e5e20fa4f5aae610c8ce3fe954029a91972b56c6576035ff7e0ec4c1d14" - logic_hash = "aefb5a286636b827b50e4bc0ea978a75ba6a9e572504bfbc0a7700372c54a077" + logic_hash = "v1_sha256_aefb5a286636b827b50e4bc0ea978a75ba6a9e572504bfbc0a7700372c54a077" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79769,10 +79902,10 @@ rule ELASTIC_Windows_Rootkit_R77_5Bab748B : FILE MEMORY date = "2022-03-04" modified = "2022-04-12" reference = "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Rootkit_R77.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Rootkit_R77.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c" - logic_hash = "ebf851ef41fde8e3118acc742cd2b38651f662a00f11dd6f7c65cf56019c43d5" + logic_hash = "v1_sha256_ebf851ef41fde8e3118acc742cd2b38651f662a00f11dd6f7c65cf56019c43d5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79798,10 +79931,10 @@ rule ELASTIC_Windows_Rootkit_R77_Eb366Abc : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Rootkit_R77.yar#L22-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Rootkit_R77.yar#L22-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "21e7f69986987fc75bce67c4deda42bd7605365bac83cf2cecb25061b2d86d4f" - logic_hash = "3d6f1c60bf749c53f4a4fcfd6490d309e4450d5f7e64de4665c3d80af1bce44f" + logic_hash = "v1_sha256_3d6f1c60bf749c53f4a4fcfd6490d309e4450d5f7e64de4665c3d80af1bce44f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79828,10 +79961,10 @@ rule ELASTIC_Windows_Rootkit_R77_99050E7D : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Rootkit_R77.yar#L44-L64" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Rootkit_R77.yar#L44-L64" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3dc94c88caa3169e096715eb6c2e6de1b011120117c0a51d12f572b4ba999ea6" - logic_hash = "0fedf4698cc652076090b1fe256d05d2c0bc3ad2ab7ed5faa270c5c7fe0efca1" + logic_hash = "v1_sha256_0fedf4698cc652076090b1fe256d05d2c0bc3ad2ab7ed5faa270c5c7fe0efca1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79858,10 +79991,10 @@ rule ELASTIC_Windows_Rootkit_R77_Be403E3C : FILE MEMORY date = "2023-05-18" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Rootkit_R77.yar#L66-L85" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Rootkit_R77.yar#L66-L85" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "91c6e2621121a6871af091c52fafe41220ae12d6e47e52fd13a7b9edd8e31796" - logic_hash = "efbf924c7a299f2543c639b6262007eb3bdbf6ff5e33dab7d6102814b9477811" + logic_hash = "v1_sha256_efbf924c7a299f2543c639b6262007eb3bdbf6ff5e33dab7d6102814b9477811" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -79887,10 +80020,10 @@ rule ELASTIC_Windows_Rootkit_R77_Ee853C9F : FILE MEMORY date = "2023-05-18" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Rootkit_R77.yar#L87-L112" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Rootkit_R77.yar#L87-L112" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "916c805b0d512dd7bbd88f46632d66d9613de61691b4bd368e4b7cb1f0ac7f60" - logic_hash = "94f080f310ecace76da32ba2b4edcc80dedfb339113823708167c1d842db8cf3" + logic_hash = "v1_sha256_94f080f310ecace76da32ba2b4edcc80dedfb339113823708167c1d842db8cf3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -79911,7 +80044,7 @@ rule ELASTIC_Windows_Rootkit_R77_Ee853C9F : FILE MEMORY $amsi_patch_ps = "[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3)" wide fullword condition: - ($obfuscate_ps and $amsi_patch_ps) or ( all of ($r77_str*)) + ($obfuscate_ps and $amsi_patch_ps ) or ( all of ( $r77_str* ) ) } rule ELASTIC_Windows_Rootkit_R77_D0367E28 : FILE MEMORY { 
@@ -79922,10 +80055,10 @@ rule ELASTIC_Windows_Rootkit_R77_D0367E28 : FILE MEMORY date = "2023-05-18" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Rootkit_R77.yar#L114-L141" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Rootkit_R77.yar#L114-L141" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "96849108e13172d14591169f8fdcbf8a8aa6be05b7b6ef396d65529eacc02d89" - logic_hash = "588b18c54c344ca267b86143df20c7dcaab081e0ef6acae0bd0dae61593eb521" + logic_hash = "v1_sha256_588b18c54c344ca267b86143df20c7dcaab081e0ef6acae0bd0dae61593eb521" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -79948,7 +80081,7 @@ rule ELASTIC_Windows_Rootkit_R77_D0367E28 : FILE MEMORY $binary1 = { 8B 56 04 8B 4F 04 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 56 08 8B 4F 08 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 56 0C 8B 4F 0C E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 56 10 8B 4F 10 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 56 14 8B 4F 14 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 56 18 8B 4F 18 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 56 1C 8B 4F 1C } condition: - ( all of ($str*)) or $binary0 or $binary1 + ( all of ( $str* ) ) or $binary0 or $binary1 } rule ELASTIC_Linux_Exploit_Perl_4A4B8A42 : FILE MEMORY { 
@@ -79959,10 +80092,10 @@ rule ELASTIC_Linux_Exploit_Perl_4A4B8A42 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Perl.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Perl.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d1fa8520d3c3811d29c3d5702e7e0e7296b3faef0553835c495223a2bc015214" - logic_hash = "c1f7b1c20fe6db6acbe46be38cc97a40de6ca047a4e4490e86610dbff356b395" + logic_hash = "v1_sha256_c1f7b1c20fe6db6acbe46be38cc97a40de6ca047a4e4490e86610dbff356b395" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -79988,10 +80121,10 @@ rule ELASTIC_Linux_Exploit_Perl_982Bb709 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Perl.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Perl.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e4e2b5af9d0c72aae83cec57e5c091a95c549f826e8f13559aaf7d300f6e13" - logic_hash = "b38e6cb15034c38c31f6b267b9ecaabe8dfa950a2fc8863cfff7705182cffb3a" + logic_hash = "v1_sha256_b38e6cb15034c38c31f6b267b9ecaabe8dfa950a2fc8863cfff7705182cffb3a" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -80017,10 +80150,10 @@ rule ELASTIC_Windows_Trojan_Diamondfox_18Bc11E3 : FILE MEMORY date = "2022-03-02" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DiamondFox.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DiamondFox.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a44c46d4b9cf1254aaabd1e689f84c4d2c3dd213597f827acabface03a1ae6d1" - logic_hash = "c64e4b3349b33cfd0fec1fe41f91ad819bb6b6751e822d7ab8d14638ad27571d" + logic_hash = "v1_sha256_c64e4b3349b33cfd0fec1fe41f91ad819bb6b6751e822d7ab8d14638ad27571d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -80050,10 +80183,10 @@ rule ELASTIC_Windows_Trojan_Amadey_7Abb059B : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Amadey.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Amadey.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "33e6b58ce9571ca7208d1c98610005acd439f3e37d2329dae8eb871a2c4c297e" - logic_hash = "23b75d6df9e2a7f8e1efee46ecaf1fc84247312b19a8a1941ddbca1b2ce5e1db" + logic_hash = "v1_sha256_23b75d6df9e2a7f8e1efee46ecaf1fc84247312b19a8a1941ddbca1b2ce5e1db" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -80079,10 +80212,10 @@ rule ELASTIC_Windows_Trojan_Amadey_C4Df8D4A : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Amadey.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Amadey.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9039d31d0bd88d0c15ee9074a84f8d14e13f5447439ba80dd759bf937ed20bf2" - logic_hash = "7f96c4de585223033fb7e7906be6d6898651ecf30be51ed01abde18ef52c0e1e" + logic_hash = "v1_sha256_7f96c4de585223033fb7e7906be6d6898651ecf30be51ed01abde18ef52c0e1e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -80108,10 +80241,10 @@ rule ELASTIC_Linux_Trojan_Swrort_5Ad1A4F9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Swrort.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Swrort.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fa5695c355a6dc1f368a4b36a45e8f18958dacdbe0eac80c618fbec976bac8fe" - logic_hash = "3a1fa978e0c8ab0dd4e7965a3f91306d6123c19f21b86d3f8088979bf58c3a07" + logic_hash = "v1_sha256_3a1fa978e0c8ab0dd4e7965a3f91306d6123c19f21b86d3f8088979bf58c3a07" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -80137,10 +80270,10 @@ rule ELASTIC_Linux_Trojan_Swrort_4Cb5B116 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Swrort.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Swrort.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "703c16d4fcc6f815f540d50d8408ea00b4cf8060cc5f6f3ba21be047e32758e0" - logic_hash = "9404856fc3290f3a8f9bf891fde9a614fc4484719eb3b51ce7ab601a41e0c3a5" + logic_hash = "v1_sha256_9404856fc3290f3a8f9bf891fde9a614fc4484719eb3b51ce7ab601a41e0c3a5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -80166,10 +80299,10 @@ rule ELASTIC_Linux_Trojan_Swrort_22C2D6B6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Swrort.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Swrort.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6df073767f48dd79f98e60aa1079f3ab0b89e4f13eedc1af3c2c073e5e235bbc" - logic_hash = "f661544d267a55feec786ab3d4fc4f002afa8e2b58833461f56b745ec65acfd4" + logic_hash = "v1_sha256_f661544d267a55feec786ab3d4fc4f002afa8e2b58833461f56b745ec65acfd4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -80195,10 +80328,10 @@ rule ELASTIC_Windows_Trojan_Doubleback_D2246A35 : FILE MEMORY date = "2022-05-29" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DoubleBack.yar#L1-L31" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DoubleBack.yar#L1-L31" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "03d2a0747d06458ccddf65ff5847a511a105e0ad4dcb5134082623af6f705012" - logic_hash = "2241d2c6e5b5896fe6f3b02cb1786c39fa620ee503c4585bd75c8763b6d3c06a" + logic_hash = "v1_sha256_2241d2c6e5b5896fe6f3b02cb1786c39fa620ee503c4585bd75c8763b6d3c06a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -80225,7 +80358,7 @@ rule ELASTIC_Windows_Trojan_Doubleback_D2246A35 : FILE MEMORY $x86_guid = { 55 8B EC 83 EC ?? B8 DD CC BB AA 56 57 6A ?? 8D 75 ?? 5F } condition: - 5 of ($s*) or 2 of ($x64_*) or 2 of ($x86_*) + 5 of ( $s* ) or 2 of ( $x64_* ) or 2 of ( $x86_* ) } rule ELASTIC_Windows_Wiper_Caddywiper_484Bd98A : FILE MEMORY { 
@@ -80236,10 +80369,10 @@ rule ELASTIC_Windows_Wiper_Caddywiper_484Bd98A : FILE MEMORY date = "2022-03-14" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Wiper_CaddyWiper.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Wiper_CaddyWiper.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea" - logic_hash = "f473673afc211b02328f4e9d88e709acd95bf4b1fa565f5aca972b92324bf589" + logic_hash = "v1_sha256_f473673afc211b02328f4e9d88e709acd95bf4b1fa565f5aca972b92324bf589" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -80268,10 +80401,10 @@ rule ELASTIC_Windows_Hacktool_Ringq_B9715540 : FILE MEMORY date = "2024-06-28" modified = "2024-07-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_RingQ.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_RingQ.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "450e01c32618cd4e4a327147896352ed1b34dca9fb28389dba450acf95f8b735" - logic_hash = "80d693c43a7026d28121e035ae875689512fd46d7f06c3f469b83d6fe707f36b" + logic_hash = "v1_sha256_80d693c43a7026d28121e035ae875689512fd46d7f06c3f469b83d6fe707f36b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -80303,10 +80436,10 @@ rule ELASTIC_Windows_Hacktool_Sharpwmi_A67D6Fe5 : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpWMI.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpWMI.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2134a5e1a5eece1336f831a7686c5ea3b6ca5aaa63ab7e7820be937da0678e15" - logic_hash = "de8749951ece8d4798ade4661d531515e12edf8e8606ddc330000d847a66a26c" + logic_hash = "v1_sha256_de8749951ece8d4798ade4661d531515e12edf8e8606ddc330000d847a66a26c" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -80329,7 +80462,7 @@ rule ELASTIC_Windows_Hacktool_Sharpwmi_A67D6Fe5 : FILE MEMORY $print_str1 = "[+] Attempted to terminate remote process ({0}). Returned: {1}" ascii wide condition: - $guid or ( all of ($str*) and 1 of ($print_str*)) + $guid or ( all of ( $str* ) and 1 of ( $print_str* ) ) } rule ELASTIC_Windows_Vulndriver_Powerprofiler_2Eedff78 : FILE { 
@@ -80340,10 +80473,10 @@ rule ELASTIC_Windows_Vulndriver_Powerprofiler_2Eedff78 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_PowerProfiler.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_PowerProfiler.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - logic_hash = "c4a7ae2ffdf70984cea5b543af93b202c78b6108da1e442186d24071b44d6259" + logic_hash = "v1_sha256_c4a7ae2ffdf70984cea5b543af93b202c78b6108da1e442186d24071b44d6259" score = 75 quality = 75 tags = "FILE" @@ -80360,7 +80493,7 @@ rule ELASTIC_Windows_Vulndriver_Powerprofiler_2Eedff78 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x01][\x00-\x00])([\x00-\x06][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x05][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x06][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Iqvw_B8B45E6B : FILE { 
@@ -80371,10 +80504,10 @@ rule ELASTIC_Windows_Vulndriver_Iqvw_B8B45E6B : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Iqvw.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Iqvw.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - logic_hash = "b0a8716f550ba231ca7db61bafd6effbc351faa45864f9ebf7be81f63f14a933" + logic_hash = "v1_sha256_b0a8716f550ba231ca7db61bafd6effbc351faa45864f9ebf7be81f63f14a933" score = 60 quality = 55 tags = "FILE" @@ -80391,7 +80524,7 @@ rule ELASTIC_Windows_Vulndriver_Iqvw_B8B45E6B : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x04][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x03][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Linux_Virus_Rst_1214E2Ae : FILE MEMORY { 
@@ -80402,10 +80535,10 @@ rule ELASTIC_Linux_Virus_Rst_1214E2Ae : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Virus_Rst.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Virus_Rst.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b0e4f44d2456960bb6b20cb468c4ca1390338b83774b7af783c3d03e49eebe44"
- logic_hash = "82de4a97f414d591daba2d5d49b941ec4c51d6a6af36f97f062eaac5c74ebe30"
+ logic_hash = "v1_sha256_82de4a97f414d591daba2d5d49b941ec4c51d6a6af36f97f062eaac5c74ebe30"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80431,10 +80564,10 @@ rule ELASTIC_Windows_Trojan_Revcoderat_8E6D4182 : FILE MEMORY
 date = "2021-09-02"
 modified = "2022-01-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Revcoderat.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Revcoderat.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210"
- logic_hash = "35626d752b291e343350534aece35f1d875068c2c050d12312a60e67753c71e1"
+ logic_hash = "v1_sha256_35626d752b291e343350534aece35f1d875068c2c050d12312a60e67753c71e1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80463,10 +80596,10 @@ rule ELASTIC_Windows_Trojan_Vidar_9007Feb2 : FILE MEMORY
 date = "2021-06-28"
 modified = "2021-08-23"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Vidar.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Vidar.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec"
- logic_hash = "fcdef7397f17ee402155e526c6fa8b51f3ea96e203a095b0b4c36cb7d3cc83d1"
+ logic_hash = "v1_sha256_fcdef7397f17ee402155e526c6fa8b51f3ea96e203a095b0b4c36cb7d3cc83d1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80492,10 +80625,10 @@ rule ELASTIC_Windows_Trojan_Vidar_114258D5 : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Vidar.yar#L21-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Vidar.yar#L21-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec" - logic_hash = "9ea3ea0533d14edd0332fa688497efd566a890d1507214fc8591a0a11433d060" + logic_hash = "v1_sha256_9ea3ea0533d14edd0332fa688497efd566a890d1507214fc8591a0a11433d060" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -80515,7 +80648,7 @@ rule ELASTIC_Windows_Trojan_Vidar_114258D5 : FILE MEMORY $b3 = "Autofill\\%s_%s.txt" fullword condition: - 1 of ($a*) and 1 of ($b*) + 1 of ( $a* ) and 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Vidar_32Fea8Da : FILE MEMORY { 
@@ -80526,10 +80659,10 @@ rule ELASTIC_Windows_Trojan_Vidar_32Fea8Da : FILE MEMORY
 date = "2023-05-04"
 modified = "2023-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Vidar.yar#L46-L66"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Vidar.yar#L46-L66"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6f5c24fc5af2085233c96159402cec9128100c221cb6cb0d1c005ced7225e211"
- logic_hash = "1a18cdc3bd533c34eb05b239830ecec418dc76ee9f4fcfc48afc73b07d55b3cd"
+ logic_hash = "v1_sha256_1a18cdc3bd533c34eb05b239830ecec418dc76ee9f4fcfc48afc73b07d55b3cd"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -80557,10 +80690,10 @@ rule ELASTIC_Windows_Trojan_Vidar_C374Cd85 : FILE MEMORY
 date = "2024-01-31"
 modified = "2024-10-14"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Vidar.yar#L68-L86"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Vidar.yar#L68-L86"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1c677585a8b724332849c411ffe2563b2b753fd6699c210f0720352f52a6ab72"
- logic_hash = "8e183f780400f3bf9840798d53b431a4bf28bc43e07d69a3d614217e02f5dd79"
+ logic_hash = "v1_sha256_8e183f780400f3bf9840798d53b431a4bf28bc43e07d69a3d614217e02f5dd79"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80586,10 +80719,10 @@ rule ELASTIC_Windows_Trojan_Vidar_65D3D7E5 : FILE MEMORY
 date = "2024-10-14"
 modified = "2024-10-24"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Vidar.yar#L88-L114"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Vidar.yar#L88-L114"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "83d7c2b437a5cbb314c457d3b7737305dadb2bc02d6562a98a8a8994061fe929"
- logic_hash = "2b340f43faf563c7edbce6323d551208c4d9541d7153ea6c1c0d9a95b351e54b"
+ logic_hash = "v1_sha256_2b340f43faf563c7edbce6323d551208c4d9541d7153ea6c1c0d9a95b351e54b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80623,10 +80756,10 @@ rule ELASTIC_Windows_Trojan_Havoc_77F3D40E : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Havoc.yar#L1-L35" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Havoc.yar#L1-L35" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3427dac129b760a03f2c40590c01065c9bf2340d2dfa4a4a7cf4830a02e95879" - logic_hash = "3d2733ed24d90e9e851ec36a08c497e9c90b47c3dcbb8755e3f6b6a6bd3a8b54" + logic_hash = "v1_sha256_3d2733ed24d90e9e851ec36a08c497e9c90b47c3dcbb8755e3f6b6a6bd3a8b54" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -80657,7 +80790,7 @@ rule ELASTIC_Windows_Trojan_Havoc_77F3D40E : FILE MEMORY $hashes_14 = { D7 53 22 AC } condition: - $core or ($commands_table and all of ($hashes*)) + $core or ( $commands_table and all of ( $hashes* ) ) } rule ELASTIC_Windows_Trojan_Havoc_9C7Bb863 : FILE MEMORY { 
@@ -80668,10 +80801,10 @@ rule ELASTIC_Windows_Trojan_Havoc_9C7Bb863 : FILE MEMORY
 date = "2023-04-28"
 modified = "2023-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Havoc.yar#L37-L56"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Havoc.yar#L37-L56"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "261b92d9e8dcb9d0abf1627b791831ec89779f2b7973b1926c6ec9691288dd57"
- logic_hash = "c1245c38c54b0a72fb335680d9ea191390e4e2fe7e47a3ed776878c5e01a3e16"
+ logic_hash = "v1_sha256_c1245c38c54b0a72fb335680d9ea191390e4e2fe7e47a3ed776878c5e01a3e16"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80698,10 +80831,10 @@ rule ELASTIC_Windows_Trojan_Havoc_88053562 : FILE MEMORY
 date = "2024-01-04"
 modified = "2024-01-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Havoc.yar#L58-L76"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Havoc.yar#L58-L76"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2f0b59f8220edd0d34fba92905faf0b51aead95d53be8b5f022eed7e21bdb4af"
- logic_hash = "f79b39cc2ca4bbf6ad4b6585a9914a75797110d6fb68bcb7141c5c3d0429c412"
+ logic_hash = "v1_sha256_f79b39cc2ca4bbf6ad4b6585a9914a75797110d6fb68bcb7141c5c3d0429c412"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80727,10 +80860,10 @@ rule ELASTIC_Windows_Trojan_Havoc_Ffecc8Af : FILE MEMORY date = "2024-04-29" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Havoc.yar#L78-L107" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Havoc.yar#L78-L107" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "495d323651c252e38814b77b9c6c913b9489e769252ac8bbaf8432f15e0efe44" - logic_hash = "c9da6215db1de91a6cd52dd6558dc5a60bbd69abc6fa0db8714f001cdae20ddb" + logic_hash = "v1_sha256_c9da6215db1de91a6cd52dd6558dc5a60bbd69abc6fa0db8714f001cdae20ddb" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -80756,7 +80889,7 @@ rule ELASTIC_Windows_Trojan_Havoc_Ffecc8Af : FILE MEMORY $hash_ntopenthreadtoken = { D2 47 33 80 } condition: - $commands_table and 4 of ($hash_*) + $commands_table and 4 of ( $hash_* ) } rule ELASTIC_Linux_Trojan_Snessik_D166F98C : FILE MEMORY { 
@@ -80767,10 +80900,10 @@ rule ELASTIC_Linux_Trojan_Snessik_D166F98C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Snessik.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Snessik.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f3ececc2edfff2f92d80ed3a5140af55b6bebf7cae8642a0d46843162eeddddd"
- logic_hash = "44f15a87d48338aafa408d4bcabef844c8864cd95640ad99208b5035e28ccd27"
+ logic_hash = "v1_sha256_44f15a87d48338aafa408d4bcabef844c8864cd95640ad99208b5035e28ccd27"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80796,10 +80929,10 @@ rule ELASTIC_Linux_Trojan_Snessik_E435A79C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Snessik.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Snessik.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e24749b07f824a4839b462ec4e086a4064b29069e7224c24564e2ad7028d5d60"
- logic_hash = "4850530a0566844447f56f4e5cb43c5982b1dcb784bb1aef3e377525b8651ed3"
+ logic_hash = "v1_sha256_4850530a0566844447f56f4e5cb43c5982b1dcb784bb1aef3e377525b8651ed3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80825,10 +80958,10 @@ rule ELASTIC_Linux_Rootkit_Hiddenwasp_8408057B : FILE MEMORY date = "2024-11-14" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_HiddenWasp.yar#L1-L34" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_HiddenWasp.yar#L1-L34" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7c5e20872bc0ac5cce83d4c68485743cd16a818cd1e495f97438caad0399c847" - logic_hash = "1d21cdd38d7428c498eface37fb8b1ca1e99295c88f57cb638871753d0be0f15" + logic_hash = "v1_sha256_1d21cdd38d7428c498eface37fb8b1ca1e99295c88f57cb638871753d0be0f15" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -80858,7 +80991,7 @@ rule ELASTIC_Linux_Rootkit_Hiddenwasp_8408057B : FILE MEMORY $func14 = "hidden_services" condition: - all of ($str*) or 5 of ($func*) + all of ( $str* ) or 5 of ( $func* ) } rule ELASTIC_Linux_Ransomware_Monti_9C64F016 : FILE MEMORY { 
@@ -80869,10 +81002,10 @@ rule ELASTIC_Linux_Ransomware_Monti_9C64F016 : FILE MEMORY
 date = "2023-07-27"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Monti.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Monti.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ad8d1b28405d9aebae6f42db1a09daec471bf342e9e0a10ab4e0a258a7fa8713"
- logic_hash = "c22a4efaaf97d68deaf1978e637dd7f790541e5007c6323629bcc9e3d4eecd06"
+ logic_hash = "v1_sha256_c22a4efaaf97d68deaf1978e637dd7f790541e5007c6323629bcc9e3d4eecd06"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80901,9 +81034,9 @@ rule ELASTIC_Linux_Trojan_Ebury_7B13E9B6 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ebury.yar#L1-L18"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "30d126ffc5b782236663c23734f1eef21e1cc929d549a37bba8e1e7b41321111"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ebury.yar#L1-L18"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_30d126ffc5b782236663c23734f1eef21e1cc929d549a37bba8e1e7b41321111"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80929,10 +81062,10 @@ rule ELASTIC_Linux_Backdoor_Fontonlake_Fe916A45 : FILE MEMORY
 date = "2021-10-12"
 modified = "2022-01-26"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Backdoor_Fontonlake.yar#L1-L29"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Backdoor_Fontonlake.yar#L1-L29"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8a0a9740cf928b3bd1157a9044c6aced0dfeef3aa25e9ff9c93e113cbc1117ee"
- logic_hash = "590b28264345ea0bdbd53791f422cb4f1fad143df2b790824fc182356a568d7d"
+ logic_hash = "v1_sha256_590b28264345ea0bdbd53791f422cb4f1fad143df2b790824fc182356a568d7d"
 score = 75
 quality = 48
 tags = "FILE, MEMORY"
@@ -80968,10 +81101,10 @@ rule ELASTIC_Windows_Vulndriver_Asrock_986D2D3C : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Asrock.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Asrock.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - logic_hash = "d767a1ecdff557753f80ac9d73f02364dd035f7a287d0f260316f807364af2d5" + logic_hash = "v1_sha256_d767a1ecdff557753f80ac9d73f02364dd035f7a287d0f260316f807364af2d5" score = 75 quality = 75 tags = "FILE" @@ -80986,7 +81119,7 @@ rule ELASTIC_Windows_Vulndriver_Asrock_986D2D3C : FILE $str1 = "\\AsrDrv106.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Windows_Vulndriver_Asrock_Cdf192F9 : FILE { 
@@ -80997,10 +81130,10 @@ rule ELASTIC_Windows_Vulndriver_Asrock_Cdf192F9 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Asrock.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Asrock.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - logic_hash = "2f844b6d3fa19fd39097395175162578ad71d78c61dad104efd320cd8285fa6b" + logic_hash = "v1_sha256_2f844b6d3fa19fd39097395175162578ad71d78c61dad104efd320cd8285fa6b" score = 75 quality = 75 tags = "FILE" @@ -81015,7 +81148,7 @@ rule ELASTIC_Windows_Vulndriver_Asrock_Cdf192F9 : FILE $str1 = "\\AsrDrv103.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Windows_Vulndriver_Asrock_0Eca57Dc : FILE { 
@@ -81026,11 +81159,11 @@ rule ELASTIC_Windows_Vulndriver_Asrock_0Eca57Dc : FILE date = "2023-07-20" modified = "2023-07-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Asrock.yar#L41-L62" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Asrock.yar#L41-L62" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" - logic_hash = "82a0cba571dc58ed8d3fd87d3650ec0c1016e6c8e972547f6120ba91c8febce1" + logic_hash = "v1_sha256_82a0cba571dc58ed8d3fd87d3650ec0c1016e6c8e972547f6120ba91c8febce1" score = 75 quality = 75 tags = "FILE" @@ -81047,7 +81180,7 @@ rule ELASTIC_Windows_Vulndriver_Asrock_0Eca57Dc : FILE $file_version = { 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E [1-8] 31 00 2E 00 30 00 30 00 2E 00 30 00 30 00 2E 00 30 00 30 00 30 00 30 00 20 00 62 00 75 00 69 00 6C 00 74 00 20 00 62 00 79 00 3A 00 20 00 57 00 69 00 6E 00 44 00 44 00 4B } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $file_version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $file_version } rule ELASTIC_Windows_Trojan_Phoreal_66E91De3 : FILE MEMORY { 
@@ -81058,10 +81191,10 @@ rule ELASTIC_Windows_Trojan_Phoreal_66E91De3 : FILE MEMORY
 date = "2022-02-16"
 modified = "2022-04-12"
 reference = "https://www.elastic.co/security-labs/phoreal-malware-targets-the-southeast-asian-financial-sector"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Phoreal.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Phoreal.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "88f073552b30462a00d1d612b1638b0508e4ef02c15cf46203998091f0aef4de"
- logic_hash = "c68131fd5e0272d3d473db387a186056a38e6611925ae448d5b668022e6e163a"
+ logic_hash = "v1_sha256_c68131fd5e0272d3d473db387a186056a38e6611925ae448d5b668022e6e163a"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -81090,10 +81223,10 @@ rule ELASTIC_Windows_Trojan_Hancitor_6738D84A : FILE MEMORY date = "2021-06-17" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Hancitor.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Hancitor.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40" - logic_hash = "448243b6925c4e419b1fd492ac5e8d43a7baa4492ba7a5a0b44bc8e036c77ec2" + logic_hash = "v1_sha256_448243b6925c4e419b1fd492ac5e8d43a7baa4492ba7a5a0b44bc8e036c77ec2" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -81110,7 +81243,7 @@ rule ELASTIC_Windows_Trojan_Hancitor_6738D84A : FILE MEMORY $b2 = "MASSLoader.dll" ascii fullword condition: - $a1 or all of ($b*) + $a1 or all of ( $b* ) } rule ELASTIC_Windows_Vulndriver_Speedfan_9B590Eee : FILE { 
@@ -81121,10 +81254,10 @@ rule ELASTIC_Windows_Vulndriver_Speedfan_9B590Eee : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Speedfan.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Speedfan.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - logic_hash = "6f75c0e6b89dd1ceb85c73b7e51fd261ca2804e14a5f8ed6ce3352b3f1bcdfe4" + logic_hash = "v1_sha256_6f75c0e6b89dd1ceb85c73b7e51fd261ca2804e14a5f8ed6ce3352b3f1bcdfe4" score = 75 quality = 75 tags = "FILE" @@ -81140,7 +81273,7 @@ rule ELASTIC_Windows_Vulndriver_Speedfan_9B590Eee : FILE $subject_name = { 06 03 55 04 03 [2] 53 6F 6B 6E 6F 20 53 2E 52 2E 4C 2E } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $subject_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $subject_name } rule ELASTIC_Linux_Hacktool_Flooder_825B6808 : FILE MEMORY { 
@@ -81151,10 +81284,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_825B6808 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7db9a0760dd16e23cb299559a0e31a431b836a105d5309a9880fa4b821937659"
- logic_hash = "f5f997d8401f1505e81072dcb0e24ad7a78f0b56133698b70d8dd93ef25ddaf3"
+ logic_hash = "v1_sha256_f5f997d8401f1505e81072dcb0e24ad7a78f0b56133698b70d8dd93ef25ddaf3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81180,10 +81313,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_A44Ab8Cd : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4b2068a4a666b0279358b8eb4f480d2df4c518a8b4518d0d77c6687c3bff0a32"
- logic_hash = "a0501f76aff532366292189d34a57844ba999748b94f349be2f391dfd96e2106"
+ logic_hash = "v1_sha256_a0501f76aff532366292189d34a57844ba999748b94f349be2f391dfd96e2106"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81209,10 +81342,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_7026F674 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b7a77ebb66664c54d01a57abed5bb034ef2933a9590b595bba0566938b099438"
- logic_hash = "ec8ece1f922260f620fb30d82469f77a4d0239da536fc464fc37a3943cd6e463"
+ logic_hash = "v1_sha256_ec8ece1f922260f620fb30d82469f77a4d0239da536fc464fc37a3943cd6e463"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81238,10 +81371,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_761Ad88E : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L61-L79"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L61-L79"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1d88971f342e4bc4e6615e42080a3b6cec9f84912aa273c36fc46aaf86ff6771"
- logic_hash = "2b0c64da713e2f8ff671cbe086638810bc02a983d42851e78c68a57bde9f023c"
+ logic_hash = "v1_sha256_2b0c64da713e2f8ff671cbe086638810bc02a983d42851e78c68a57bde9f023c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81267,9 +81400,9 @@ rule ELASTIC_Linux_Hacktool_Flooder_B93655D3 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L81-L98"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "34cb06385543c6c2c562f757df2f641d8402e7c9f95fa924e17652a1c38d695f"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L81-L98"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_34cb06385543c6c2c562f757df2f641d8402e7c9f95fa924e17652a1c38d695f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81295,10 +81428,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_Af9F75E6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L100-L118" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L100-L118" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705" - logic_hash = "b74f5fad3c7219038e51eb4fa12fb9d55d7f65a9f4bab0adff8609fabb0afdab" + logic_hash = "v1_sha256_b74f5fad3c7219038e51eb4fa12fb9d55d7f65a9f4bab0adff8609fabb0afdab" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81324,10 +81457,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_1Bf0E994 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L120-L138" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L120-L138" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ea2dc13eec0d7a8ec20307f5afac8e9344d827a6037bb96a54ad7b12f65b59c" - logic_hash = "2c1099b8078ac306f7cb67be5b5b5e34f57414b9aa26bdd6c26d3636c80846cd" + logic_hash = "v1_sha256_2c1099b8078ac306f7cb67be5b5b5e34f57414b9aa26bdd6c26d3636c80846cd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81353,10 +81486,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_D710A5Da : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L140-L158" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L140-L158" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ba895a9c449bf9bf6c092df88b6d862a3e8ed4079ef795e5520cb163a45bcdb4" - logic_hash = "118a29cc0ccd191181dabc134de282ba134e041113faaa4d95e0aa201646438b" + logic_hash = "v1_sha256_118a29cc0ccd191181dabc134de282ba134e041113faaa4d95e0aa201646438b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81382,10 +81515,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_F434A3Fb : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L160-L178" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L160-L178" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ba895a9c449bf9bf6c092df88b6d862a3e8ed4079ef795e5520cb163a45bcdb4" - logic_hash = "11b173f73b87f50775be50c6b4528bd9b148ea4266297aec76ae126cab0facb0" + logic_hash = "v1_sha256_11b173f73b87f50775be50c6b4528bd9b148ea4266297aec76ae126cab0facb0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81411,10 +81544,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_A2795A4C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L180-L198" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L180-L198" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9a564d6b29d2aaff960e6f84cd0ef4c701fefa2a62e2ea690106f3fdbabb0d71" - logic_hash = "18e15b8a417f9ff2fd9277a01eb3224c761807ce9541ece568f4525ae66eb81f" + logic_hash = "v1_sha256_18e15b8a417f9ff2fd9277a01eb3224c761807ce9541ece568f4525ae66eb81f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81440,10 +81573,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_678C1145 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L200-L218" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L200-L218" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "559793b9cb5340478f76aaf5f81c8dbfbcfa826657713d5257dac3c496b243a6" - logic_hash = "5ff15c8d92bca62700bbb67aeebc41fd603687dbc0c93733955bf59375df40a1" + logic_hash = "v1_sha256_5ff15c8d92bca62700bbb67aeebc41fd603687dbc0c93733955bf59375df40a1" score = 60 quality = 45 tags = "FILE, MEMORY" 
@@ -81469,10 +81602,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_3Cbdfb1F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L220-L238" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L220-L238" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bd40ac964f3ad2011841c7eb4bf7cab332d4d95191122e830ab031dc9511c079" - logic_hash = "38e8ca59bf55c32b99aa76a89f60edcf09956b7cad0b4745fab92eca327c52db" + logic_hash = "v1_sha256_38e8ca59bf55c32b99aa76a89f60edcf09956b7cad0b4745fab92eca327c52db" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -81498,10 +81631,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_8B63Ff02 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L240-L258" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L240-L258" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a57de6cd3468f55b4bfded5f1eed610fdb2cbffbb584660ae000c20663d5b304" - logic_hash = "3b68353c8eeb21a3eba7a02ae76b66b4f094ec52d5309582544d247cc6548da3" + logic_hash = "v1_sha256_3b68353c8eeb21a3eba7a02ae76b66b4f094ec52d5309582544d247cc6548da3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81527,10 +81660,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_30973084 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L260-L278" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L260-L278" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a22ffa748bcaaed801f48f38b26a9cfdd5e62183a9f6f31c8a1d4a8443bf62a4" - logic_hash = "d965a032c0fb6020c6187aa3117f7251dd8c9287c45453e3d5ae2ac62b3067bb" + logic_hash = "v1_sha256_d965a032c0fb6020c6187aa3117f7251dd8c9287c45453e3d5ae2ac62b3067bb" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -81556,10 +81689,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_1Cfa95Dd : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L280-L298" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L280-L298" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1d88971f342e4bc4e6615e42080a3b6cec9f84912aa273c36fc46aaf86ff6771" - logic_hash = "f73a96cc379c8dc060bfe5668ef7e47c5bcd037b3f41c300ef20c2f2f653cb00" + logic_hash = "v1_sha256_f73a96cc379c8dc060bfe5668ef7e47c5bcd037b3f41c300ef20c2f2f653cb00" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81585,10 +81718,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_25C48456 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L300-L318" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L300-L318" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "eba6f3e4f7b53e22522d82bdbdf5271c3fc701cbe07e9ecb7b4c0b85adc9d6b4" - logic_hash = "4ed4b901fccaed834b9908fb447da1521bf31f283ae55b6d8f6090814cf8fcd2" + logic_hash = "v1_sha256_4ed4b901fccaed834b9908fb447da1521bf31f283ae55b6d8f6090814cf8fcd2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81614,10 +81747,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_B1Ca2Abd : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L320-L338" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L320-L338" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1d88971f342e4bc4e6615e42080a3b6cec9f84912aa273c36fc46aaf86ff6771" - logic_hash = "05b906a9823bf9ba25ba1ed490beb8f338429cbc744ca230c5c4cbb41ab9f140" + logic_hash = "v1_sha256_05b906a9823bf9ba25ba1ed490beb8f338429cbc744ca230c5c4cbb41ab9f140" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81643,10 +81776,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_Cce8C792 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L340-L358" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L340-L358" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ea56da9584fc36dc67cb1e746bd13c95c4d878f9d594e33221baad7e01571ee6" - logic_hash = "14700d24e8682ec04f2aae02f5820c4d956db60583b1bc61038b47e709705d0d" + logic_hash = "v1_sha256_14700d24e8682ec04f2aae02f5820c4d956db60583b1bc61038b47e709705d0d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81672,10 +81805,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_4Bcea1C4 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L360-L378" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L360-L378" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9a564d6b29d2aaff960e6f84cd0ef4c701fefa2a62e2ea690106f3fdbabb0d71" - logic_hash = "76019729a3a33fc04ff983f38b4fbf174a66da7ffc05cd07eb93e3cd5aecaaa2" + logic_hash = "v1_sha256_76019729a3a33fc04ff983f38b4fbf174a66da7ffc05cd07eb93e3cd5aecaaa2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81701,10 +81834,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_Ab561A1B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L380-L398" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L380-L398" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1b7df0d491974bead05d04ede6cf763ecac30ecff4d27bb4097c90cc9c3f4155" - logic_hash = "5720d2ada4b33514f2d528417876606d2951786df8b0512f9e8833b8ec87127a" + logic_hash = "v1_sha256_5720d2ada4b33514f2d528417876606d2951786df8b0512f9e8833b8ec87127a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81730,10 +81863,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_1A4Eb229 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L400-L418" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L400-L418" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705" - logic_hash = "83b04e366a05a46ad67b9aaf6b9658520e119003cd65941dd69416cbc5229c30" + logic_hash = "v1_sha256_83b04e366a05a46ad67b9aaf6b9658520e119003cd65941dd69416cbc5229c30" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81759,10 +81892,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_51Ef0659 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L420-L438" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L420-L438" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b7a2bc75dd9c44c38b2a6e4e7e579142ece92a75b8a3f815940c5aa31470be2b" - logic_hash = "26dd95cb1cdaec10d408e294a3baca85d741cf5e56649cdcc79ef7216e4cb440" + logic_hash = "v1_sha256_26dd95cb1cdaec10d408e294a3baca85d741cf5e56649cdcc79ef7216e4cb440" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81788,10 +81921,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_D90C4Cbe : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L440-L458" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L440-L458" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "409c55110d392aed1a9ec98a6598fb8da86ab415534c8754aa48e3949e7c4b62" - logic_hash = "145d32f8a06af18e6f13b0905cc51fd7b1a9e00b41b0f0a5d537ada2b54a94b5" + logic_hash = "v1_sha256_145d32f8a06af18e6f13b0905cc51fd7b1a9e00b41b0f0a5d537ada2b54a94b5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81817,10 +81950,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_C680C9Fd : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L460-L478" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L460-L478" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ea56da9584fc36dc67cb1e746bd13c95c4d878f9d594e33221baad7e01571ee6" - logic_hash = "a283132ffdd109b8b1f01e5a3e2700b70b742945c7ae8b15b2b244fb249a5e3d" + logic_hash = "v1_sha256_a283132ffdd109b8b1f01e5a3e2700b70b742945c7ae8b15b2b244fb249a5e3d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81846,10 +81979,10 @@ rule ELASTIC_Linux_Hacktool_Flooder_E63396F4 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L480-L498" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L480-L498" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "913e6d2538bd7eed3a8f3d958cf445fe11c5c299a70e5385e0df6a9b2f638323" - logic_hash = "d3f7c62a7411caf86ee574a686b4b1972066602f89d39ae9e49ba66d9917c7c9" + logic_hash = "v1_sha256_d3f7c62a7411caf86ee574a686b4b1972066602f89d39ae9e49ba66d9917c7c9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81875,9 +82008,9 @@ rule ELASTIC_Linux_Hacktool_Flooder_7D5355Da : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "03397525f90c8c2242058d2f6afc81ceab199c5abcab8fd460fabb6b083d8d20" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L500-L518" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "b4540f941ca1a36c460d056ef263ebd67c6388f3f6f373f50371f7cca2739bc4" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L500-L518" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_b4540f941ca1a36c460d056ef263ebd67c6388f3f6f373f50371f7cca2739bc4" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -81903,9 +82036,9 @@ rule ELASTIC_Linux_Hacktool_Flooder_A9E8A90F : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "0558cf8cab0ba1515b3b69ac32975e5e18d754874e7a54d19098e7240ebf44e4" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L520-L538" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8f1fcb736a9363142a25426ef2d166f92526bffaf8069f1b12056c9cf5825379" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L520-L538" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8f1fcb736a9363142a25426ef2d166f92526bffaf8069f1b12056c9cf5825379" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81931,9 +82064,9 @@ rule ELASTIC_Linux_Hacktool_Flooder_A598192A : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "101f2240cd032831b9c0930a68ea6f74688f68ae801c776c71b488e17bc71871" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L540-L558" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "19909f53acca8c84125c95fc651765a25162c5f916366da8351e67675393e583" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L540-L558" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_19909f53acca8c84125c95fc651765a25162c5f916366da8351e67675393e583" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -81959,9 +82092,9 @@ rule ELASTIC_Linux_Hacktool_Flooder_53Bf4E37 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "101f2240cd032831b9c0930a68ea6f74688f68ae801c776c71b488e17bc71871" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L560-L578" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d1aabf8067b74dac114e197722d51c4bbb9a78e6ba9b5401399930c29d55bdcc" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L560-L578" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d1aabf8067b74dac114e197722d51c4bbb9a78e6ba9b5401399930c29d55bdcc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -81987,9 +82120,9 @@ rule ELASTIC_Linux_Hacktool_Flooder_50158A6E : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "1e0cdb655e48d21a6b02d2e1e62052ffaaec9fdfe65a3d180fc8afabc249e1d8" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L580-L598" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "67c22fcf514a3e8c2c27817798c796aacf00ba82e1090894aa2c1170a1e2a096" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L580-L598" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_67c22fcf514a3e8c2c27817798c796aacf00ba82e1090894aa2c1170a1e2a096" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82015,9 +82148,9 @@ rule ELASTIC_Linux_Hacktool_Flooder_F454Ec10 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L600-L618" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "e5afb215632ad6359ba95df86316d496ea5e36edb79901c34e0710a6bd9c97d1" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L600-L618" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e5afb215632ad6359ba95df86316d496ea5e36edb79901c34e0710a6bd9c97d1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82043,9 +82176,9 @@ rule ELASTIC_Linux_Hacktool_Flooder_9417F77B : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "60ff13e27dad5e6eadb04011aa653a15e1a07200b6630fdd0d0d72a9ba797d68" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Flooder.yar#L620-L638" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "470b7e44cd875b1f6abcfa5e4d33d2808a65630dc914b38643c9efb14db5f1ff" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Flooder.yar#L620-L638" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_470b7e44cd875b1f6abcfa5e4d33d2808a65630dc914b38643c9efb14db5f1ff" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82071,9 +82204,9 @@ rule ELASTIC_Windows_Trojan_Dcrat_1Aeea1Ac : FILE MEMORY date = "2022-01-15" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DCRat.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "6163e04a40ed52d5e94662131511c3ae08d473719c364e0f7de60dff7fa92cf7" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DCRat.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_6163e04a40ed52d5e94662131511c3ae08d473719c364e0f7de60dff7fa92cf7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82094,7 +82227,7 @@ rule ELASTIC_Windows_Trojan_Dcrat_1Aeea1Ac : FILE MEMORY $b2 = "DcRat By qwqdanchun1" ascii fullword condition: - 5 of ($a*) or 1 of ($b*) + 5 of ( $a* ) or 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Wineloader_13E8860A : FILE MEMORY { @@ -82105,10 +82238,10 @@ rule ELASTIC_Windows_Trojan_Wineloader_13E8860A : FILE MEMORY date = "2024-03-24" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_WineLoader.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_WineLoader.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d" - logic_hash = "c072abb73377ed59c0dd9fab25a4c84575ab9badbddfda1ed51e576e4e12fa82" + logic_hash = "v1_sha256_c072abb73377ed59c0dd9fab25a4c84575ab9badbddfda1ed51e576e4e12fa82" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82136,10 +82269,10 @@ rule ELASTIC_Windows_Hacktool_Dinvokerust_512D3B59 : FILE MEMORY date = "2024-02-28" modified = "2024-03-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_DinvokeRust.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_DinvokeRust.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ebf0f1bfd166d2d49b642fa43cb0c7364c0c605d9a7f108dc49d9f1cc859ab4a" - logic_hash = "7be1a4e25cf41e47ab135c718b7ec5a49a2890cf873c52597f8dab4d47636ed8" + logic_hash = "v1_sha256_7be1a4e25cf41e47ab135c718b7ec5a49a2890cf873c52597f8dab4d47636ed8" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -82170,10 +82303,10 @@ rule ELASTIC_Windows_Trojan_Shadowpad_Be71209D : FILE MEMORY date = "2023-01-31" modified = "2023-02-01" reference = "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_ShadowPad.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_ShadowPad.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "452b08d6d2aa673fb6ccc4af6cebdcb12b5df8722f4d70d1c3491479e7b39c05" - logic_hash = "24e035bbcd5d44877e6e582a995d0035ad26c53e832c34b0c8a3836cb1a11637" + logic_hash = "v1_sha256_24e035bbcd5d44877e6e582a995d0035ad26c53e832c34b0c8a3836cb1a11637" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82200,10 +82333,10 @@ rule ELASTIC_Windows_Trojan_Shadowpad_0D899241 : MEMORY date = "2023-01-31" modified = "2023-02-01" reference = "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_ShadowPad.yar#L23-L48" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_ShadowPad.yar#L23-L48" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cb3a425565b854f7b892e6ebfb3734c92418c83cd590fc1ee9506bcf4d8e02ea" - logic_hash = "57385e149c6419aed2dcd3ecbbe26d8598918395a6480dd5cdb799ce7328901a" + logic_hash = "v1_sha256_57385e149c6419aed2dcd3ecbbe26d8598918395a6480dd5cdb799ce7328901a" score = 75 quality = 75 tags = "MEMORY" 
@@ -82235,10 +82368,10 @@ rule ELASTIC_Windows_Backdoor_Goldbackdoor_91902940 : FILE MEMORY date = "2022-04-29" modified = "2022-06-09" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Backdoor_Goldbackdoor.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Backdoor_Goldbackdoor.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "485246b411ef5ea9e903397a5490d106946a8323aaf79e6041bdf94763a0c028" - logic_hash = "71e26cce6d730560e1303b2a4f49d0da6d1341263bb47ade46338f03e528cbf7" + logic_hash = "v1_sha256_71e26cce6d730560e1303b2a4f49d0da6d1341263bb47ade46338f03e528cbf7" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82260,7 +82393,7 @@ rule ELASTIC_Windows_Backdoor_Goldbackdoor_91902940 : FILE MEMORY $b = { 66 8B 02 83 C2 02 66 85 C0 75 ?? 2B D1 D1 FA 75 ?? 33 C0 E9 ?? ?? ?? ?? 6A 40 8D 45 ?? 6A 00 50 E8 } condition: - ($pdf and $agent) or ( all of ($str*) and $a and $b) + ($pdf and $agent ) or ( all of ( $str* ) and $a and $b ) } rule ELASTIC_Windows_Backdoor_Goldbackdoor_F11D57Df : FILE MEMORY { 
@@ -82271,10 +82404,10 @@ rule ELASTIC_Windows_Backdoor_Goldbackdoor_F11D57Df : FILE MEMORY date = "2022-04-29" modified = "2022-06-09" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Backdoor_Goldbackdoor.yar#L28-L51" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Backdoor_Goldbackdoor.yar#L28-L51" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "45ece107409194f5f1ec2fbd902d041f055a914e664f8ed2aa1f90e223339039" - logic_hash = "6401b215523289a3842dec6d3e016a2ca99512c5889e87cb5ff13023bb0b8e1e" + logic_hash = "v1_sha256_6401b215523289a3842dec6d3e016a2ca99512c5889e87cb5ff13023bb0b8e1e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82305,10 +82438,10 @@ rule ELASTIC_Windows_Trojan_Hijackloader_A8444812 : FILE MEMORY date = "2023-11-15" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_HijackLoader.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_HijackLoader.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "065c379a33ef1539e8a68fd4b7638fe8a30ec19fc128642ed0c68539656374b9" - logic_hash = "6cd88adc7a0d35013a26d1135efb294ee6f9ddab99b4549e82d3d6f5f65509b6" + logic_hash = "v1_sha256_6cd88adc7a0d35013a26d1135efb294ee6f9ddab99b4549e82d3d6f5f65509b6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82339,10 +82472,10 @@ rule ELASTIC_Windows_Trojan_Arkeistealer_84C7086A : FILE MEMORY date = "2022-02-17" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_ArkeiStealer.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_ArkeiStealer.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2" - logic_hash = "b7129094389f789f0b43f0da54645c24a6d1149f53d6536c14714e3ff44f935b" + logic_hash = "v1_sha256_b7129094389f789f0b43f0da54645c24a6d1149f53d6536c14714e3ff44f935b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82368,9 +82501,9 @@ rule ELASTIC_Windows_Ransomware_Clop_6A1670Aa : BETA FILE MEMORY date = "2020-05-03" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Clop.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "afe28000d50495bf2f2adc6cbf0159591ce87bff207f3c6a1d38e09f9ed328d7" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Clop.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_afe28000d50495bf2f2adc6cbf0159591ce87bff207f3c6a1d38e09f9ed328d7" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -82386,7 +82519,7 @@ rule ELASTIC_Windows_Ransomware_Clop_6A1670Aa : BETA FILE MEMORY $b1 = { FF 15 04 E1 40 00 83 F8 03 74 0A 83 F8 02 } condition: - 1 of ($b*) + 1 of ( $b* ) } rule ELASTIC_Windows_Ransomware_Clop_E04959B5 : BETA FILE MEMORY { 
@@ -82397,9 +82530,9 @@ rule ELASTIC_Windows_Ransomware_Clop_E04959B5 : BETA FILE MEMORY date = "2020-05-03" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Clop.yar#L22-L50" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "039fcb0e48898c7546588cd095fac16f06cf5e5568141aefb6db382a61e80a8d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Clop.yar#L22-L50" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_039fcb0e48898c7546588cd095fac16f06cf5e5568141aefb6db382a61e80a8d" score = 75 quality = 50 tags = "BETA, FILE, MEMORY" @@ -82424,7 +82557,7 @@ rule ELASTIC_Windows_Ransomware_Clop_E04959B5 : BETA FILE MEMORY $a10 = "MoneyP#666" wide fullword condition: - 1 of ($a*) + 1 of ( $a* ) } rule ELASTIC_Windows_Ransomware_Clop_9Ac9Ea3E : BETA FILE MEMORY { 
@@ -82435,9 +82568,9 @@ rule ELASTIC_Windows_Ransomware_Clop_9Ac9Ea3E : BETA FILE MEMORY date = "2020-05-03" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Clop.yar#L52-L71" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "1228ee4b934faf1d5f8cf4518974cd2c80a73d84c8a354bde4813fb97ba516d7" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Clop.yar#L52-L71" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_1228ee4b934faf1d5f8cf4518974cd2c80a73d84c8a354bde4813fb97ba516d7" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -82453,7 +82586,7 @@ rule ELASTIC_Windows_Ransomware_Clop_9Ac9Ea3E : BETA FILE MEMORY $c1 = { 8B 1D D8 E0 40 00 33 F6 8B 3D BC E0 40 00 } condition: - 1 of ($c*) + 1 of ( $c* ) } rule ELASTIC_Windows_Ransomware_Clop_606020E7 : BETA FILE MEMORY { 
@@ -82464,9 +82597,9 @@ rule ELASTIC_Windows_Ransomware_Clop_606020E7 : BETA FILE MEMORY date = "2020-05-03" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Clop.yar#L73-L92" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "f5169b324bc19f6f5a04c99f1d3326c97300d038ec383c3eab94eb258963ac30" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Clop.yar#L73-L92" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_f5169b324bc19f6f5a04c99f1d3326c97300d038ec383c3eab94eb258963ac30" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -82482,7 +82615,7 @@ rule ELASTIC_Windows_Ransomware_Clop_606020E7 : BETA FILE MEMORY $d1 = { B8 E1 83 0F 3E F7 E6 8B C6 C1 EA 04 8B CA C1 E1 05 03 CA } condition: - 1 of ($d*) + 1 of ( $d* ) } rule ELASTIC_Windows_Trojan_Metasploit_A6E956C9 : FILE MEMORY { 
@@ -82493,9 +82626,9 @@ rule ELASTIC_Windows_Trojan_Metasploit_A6E956C9 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "fb4e3e54618075d5ef6ec98d1ba9c332ce9f677f0879e07b34a2ca08b2180dd9" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_fb4e3e54618075d5ef6ec98d1ba9c332ce9f677f0879e07b34a2ca08b2180dd9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82522,9 +82655,9 @@ rule ELASTIC_Windows_Trojan_Metasploit_38B8Ceec : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8e3bc02661cedb9885467373f8120542bb7fc8b0944803bc01642fbc8426298b" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8e3bc02661cedb9885467373f8120542bb7fc8b0944803bc01642fbc8426298b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82551,9 +82684,9 @@ rule ELASTIC_Windows_Trojan_Metasploit_7Bc0F998 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "29cb48086dbcd48bd83c5042ed78370e127e1ea5170ee7383b88659b31e896b5" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_29cb48086dbcd48bd83c5042ed78370e127e1ea5170ee7383b88659b31e896b5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82580,9 +82713,9 @@ rule ELASTIC_Windows_Trojan_Metasploit_F7F826B4 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2f5264e07c65d5ef4efe49a48c24ccef9a4b9379db581d2cf18e1131982e6f2f" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2f5264e07c65d5ef4efe49a48c24ccef9a4b9379db581d2cf18e1131982e6f2f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82609,9 +82742,9 @@ rule ELASTIC_Windows_Trojan_Metasploit_24338919 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "af8cceebdebca863019860afca5d7c6400b68c8450bc17b7d7b74aeab2d62d16" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_af8cceebdebca863019860afca5d7c6400b68c8450bc17b7d7b74aeab2d62d16" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82638,9 +82771,9 @@ rule ELASTIC_Windows_Trojan_Metasploit_0F5A852D : FILE MEMORY date = "2021-04-07" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "11cddf2191a2f70222a0c8c591e387b4b5667bc432a2f686629def9252361c1d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_11cddf2191a2f70222a0c8c591e387b4b5667bc432a2f686629def9252361c1d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82667,9 +82800,9 @@ rule ELASTIC_Windows_Trojan_Metasploit_C9773203 : FILE MEMORY date = "2021-04-07" modified = "2021-08-23" reference = "https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L121-L140" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "1d6503ccf05b8e8b4368ed0fb2e57aa2be94151ce7e2445b5face7b226a118e9" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L121-L140" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_1d6503ccf05b8e8b4368ed0fb2e57aa2be94151ce7e2445b5face7b226a118e9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82696,10 +82829,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_Dd5Ce989 : FILE MEMORY date = "2021-04-14" modified = "2021-08-23" reference = "https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L142-L164" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L142-L164" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "86cf98bf854b01a55e3f306597437900e11d429ac6b7781e090eeda3a5acb360" - logic_hash = "5c094979be1cd347ffee944816b819b6fbb62804b183a6120cd3a93d2759155b" + logic_hash = "v1_sha256_5c094979be1cd347ffee944816b819b6fbb62804b183a6120cd3a93d2759155b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82717,7 +82850,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_Dd5Ce989 : FILE MEMORY $b1 = "ReflectiveLoader" condition: - 1 of ($a*) and 1 of ($b*) + 1 of ( $a* ) and 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Metasploit_96233B6B : FILE MEMORY { 
@@ -82728,10 +82861,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_96233B6B : FILE MEMORY date = "2021-06-10" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L166-L185" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L166-L185" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e7a2d966deea3a2df6ce1aeafa8c2caa753824215a8368e0a96b394fb46b753b" - logic_hash = "09a2b9414a126367df65322966b671fe7ea963cd65ef48e316c9d139ee502d31" + logic_hash = "v1_sha256_09a2b9414a126367df65322966b671fe7ea963cd65ef48e316c9d139ee502d31" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82758,10 +82891,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_4A1C4Da8 : FILE MEMORY date = "2021-06-10" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L187-L206" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L187-L206" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22" - logic_hash = "9d3a3164ed1019dcb557cf20734a81be9964a555ddb2e0104f7202880b2ed177" + logic_hash = "v1_sha256_9d3a3164ed1019dcb557cf20734a81be9964a555ddb2e0104f7202880b2ed177" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82788,10 +82921,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_91Bc5D7D : FILE MEMORY date = "2021-08-02" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L208-L226" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L208-L226" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987" - logic_hash = "74154902b03c36a4ee9bc54ae9399bae9e6afb7fe8d0fe232b88250afc368d6f" + logic_hash = "v1_sha256_74154902b03c36a4ee9bc54ae9399bae9e6afb7fe8d0fe232b88250afc368d6f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82817,10 +82950,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_A91A6571 : FILE MEMORY date = "2022-06-08" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L228-L246" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L228-L246" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ff7795edff95a45b15b03d698cbdf70c19bc452daf4e2d5e86b2bbac55494472" - logic_hash = "cc59320ba9f8907d1d9b9dc120d8b4807b419e49c55be1fd5d2cdbb0c5d4e5cc" + logic_hash = "v1_sha256_cc59320ba9f8907d1d9b9dc120d8b4807b419e49c55be1fd5d2cdbb0c5d4e5cc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82846,10 +82979,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_B29Fe355 : FILE MEMORY date = "2022-06-08" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L248-L268" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L248-L268" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4f0ab4e42e6c10bc9e4a699d8d8819b04c17ed1917047f770dc6980a0a378a68" - logic_hash = "7a2189b59175acb66a7497c692a43c413a476f5c4371f797bf03a8ddb550992c" + logic_hash = "v1_sha256_7a2189b59175acb66a7497c692a43c413a476f5c4371f797bf03a8ddb550992c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82877,10 +83010,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_66140F58 : FILE MEMORY date = "2022-08-15" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L270-L288" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L270-L288" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01a0c5630fbbfc7043d21a789440fa9dadc6e4f79640b370f1a21c6ebf6a710a" - logic_hash = "0a855b7296f7cea39cc5d57b239d3906133ea43a0811ec60e4d91765cf89aced" + logic_hash = "v1_sha256_0a855b7296f7cea39cc5d57b239d3906133ea43a0811ec60e4d91765cf89aced" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82906,10 +83039,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_2092C42A : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L290-L309" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L290-L309" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e47d88c11a89dcc84257841de0c9f1ec388698006f55a0e15567354b33f07d3c" - logic_hash = "83c46c6b957f10d406ea9985c518eb2fba3e82b9023bfdefa8bdd4be7fb67826" + logic_hash = "v1_sha256_83c46c6b957f10d406ea9985c518eb2fba3e82b9023bfdefa8bdd4be7fb67826" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -82936,10 +83069,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_46E1C247 : FILE MEMORY date = "2023-05-10" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L311-L330" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L311-L330" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ef70e1faa3b1f40d92b0a161c96e13c96c43ec6651e7c87ee3977ed07b950bab" - logic_hash = "760a4e28e312a7d744208dc833ffad8d139ce7c536b407625a7fb0dff5ddb1d1" + logic_hash = "v1_sha256_760a4e28e312a7d744208dc833ffad8d139ce7c536b407625a7fb0dff5ddb1d1" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -82966,10 +83099,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_B62Aac1E : FILE MEMORY date = "2023-05-10" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L332-L351" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L332-L351" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "af9af81f7e46217330b447900f80c9ce38171655becb3b63e51f913b95c71e70" - logic_hash = "3ef6b7fb258b060ae00b060dbf9b07620f8cda0d9a827985bbb3ed9617969ef6" + logic_hash = "v1_sha256_3ef6b7fb258b060ae00b060dbf9b07620f8cda0d9a827985bbb3ed9617969ef6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82996,10 +83129,10 @@ rule ELASTIC_Windows_Trojan_Metasploit_47F5D54A : FILE MEMORY date = "2023-11-13" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Metasploit.yar#L353-L372" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Metasploit.yar#L353-L372" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bc3754cf4a04491a7ad7a75f69dd3bb2ddf0d8592ce078b740d7c9c7bc85a7e1" - logic_hash = "be080d0aae457348c4a02c204507a8cb14d1728d1bc50d7cf12b577aa06daf9f" + logic_hash = "v1_sha256_be080d0aae457348c4a02c204507a8cb14d1728d1bc50d7cf12b577aa06daf9f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83026,10 +83159,10 @@ rule ELASTIC_Windows_Trojan_Dbatloader_F93A8E90 : FILE MEMORY date = "2022-03-11" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DBatLoader.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DBatLoader.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e" - logic_hash = "6fe91d91bb383c66a6dc623b02817411a39b88030142517f4048c5c25fbb4ac5" + logic_hash = "v1_sha256_6fe91d91bb383c66a6dc623b02817411a39b88030142517f4048c5c25fbb4ac5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83055,10 +83188,10 @@ rule ELASTIC_Linux_Hacktool_Portscan_A40C7Ef0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Portscan.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Portscan.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c389c42bac5d4261dbca50c848f22c701df4c9a2c5877dc01e2eaa81300bdc29" - logic_hash = "6118ea86d628450e79ee658f4b95bae40080764a25240698d8ca7fcb7e6adaaf" + logic_hash = "v1_sha256_6118ea86d628450e79ee658f4b95bae40080764a25240698d8ca7fcb7e6adaaf" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83084,10 +83217,10 @@ rule ELASTIC_Linux_Hacktool_Portscan_6C6000C2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Portscan.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Portscan.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8877009fc8ee27ba3b35a7680b80d21c84ee7296bcabe1de51aeeafcc8978da7" - logic_hash = "0cae81cbc0fdf48b4e7ac09865f05e2ad93d79b7a6f1af76a632727127ab050f" + logic_hash = "v1_sha256_0cae81cbc0fdf48b4e7ac09865f05e2ad93d79b7a6f1af76a632727127ab050f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83113,10 +83246,10 @@ rule ELASTIC_Linux_Hacktool_Portscan_E191222D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Portscan.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Portscan.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e2f4313538c3ef23adbfc50f37451c318bfd1ffd0e5aaa346cce4cc37417f812" - logic_hash = "6ffb2add4a76214ffd555cf1fe356371acd3638216094097b355670ecfe02ecd" + logic_hash = "v1_sha256_6ffb2add4a76214ffd555cf1fe356371acd3638216094097b355670ecfe02ecd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83142,10 +83275,10 @@ rule ELASTIC_Linux_Hacktool_Portscan_E57B0A0C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Portscan.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Portscan.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f8ee385316b60ee551565876287c06d76ac5765f005ca584d1ca6da13a6eb619" - logic_hash = "b2f67805e9381864591fdf61846284da97f8dd2f5c60484ce9c6e76d2f6f3872" + logic_hash = "v1_sha256_b2f67805e9381864591fdf61846284da97f8dd2f5c60484ce9c6e76d2f6f3872" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83171,10 +83304,10 @@ rule ELASTIC_Linux_Trojan_Rozena_56651C1D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rozena.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rozena.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "997684fb438af3f5530b0066d2c9e0d066263ca9da269d6a7e160fa757a51e04" - logic_hash = "a6d283b0c398cb1004defe7f5669f912112262e5aaf677ae4ca7fd15565cb988" + logic_hash = "v1_sha256_a6d283b0c398cb1004defe7f5669f912112262e5aaf677ae4ca7fd15565cb988" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83200,10 +83333,10 @@ rule ELASTIC_Windows_Trojan_A310Logger_520Cd7Ec : FILE MEMORY date = "2022-01-11" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_A310logger.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_A310logger.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3" - logic_hash = "6095ce913e3fb1cfc2f1b091598fc06b2dfec30c2353be7df08dcbb1a06b07c3" + logic_hash = "v1_sha256_6095ce913e3fb1cfc2f1b091598fc06b2dfec30c2353be7df08dcbb1a06b07c3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83233,10 +83366,10 @@ rule ELASTIC_Windows_Trojan_Dridex_63Ddf193 : FILE MEMORY date = "2021-08-07" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Dridex.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Dridex.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b1d66350978808577159acc7dc7faaa273e82c103487a90bf0d040afa000cb0d" - logic_hash = "e792f4693be0a7c71d1e638212a8fb3acb1e14dedd48218861fad8c09811da29" + logic_hash = "v1_sha256_e792f4693be0a7c71d1e638212a8fb3acb1e14dedd48218861fad8c09811da29" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83263,10 +83396,10 @@ rule ELASTIC_Windows_Trojan_Dridex_C6F01353 : FILE MEMORY date = "2021-08-07" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Dridex.yar#L22-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Dridex.yar#L22-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "739682ccb54170e435730c54ba9f7e09f32a3473c07d2d18ae669235dcfe84de" - logic_hash = "7146204d779610c04badfc7d884ff882ff5f1439b61f889d1edf4419240c5751" + logic_hash = "v1_sha256_7146204d779610c04badfc7d884ff882ff5f1439b61f889d1edf4419240c5751" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83292,10 +83425,10 @@ rule ELASTIC_Linux_Trojan_Getshell_98D002Bf : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Getshell.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Getshell.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "97b7650ab083f7ba23417e6d5d9c1d133b9158e2c10427d1f1e50dfe6c0e7541" - logic_hash = "358575f55910b060bde94bbc55daa9650a43cf1470b77d1842ddcaa8b299700a" + logic_hash = "v1_sha256_358575f55910b060bde94bbc55daa9650a43cf1470b77d1842ddcaa8b299700a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83321,9 +83454,9 @@ rule ELASTIC_Linux_Trojan_Getshell_213D4D69 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "05fc4dcce9e9e1e627ebf051a190bd1f73bc83d876c78c6b3d86fc97b0dfd8e8" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Getshell.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2075def88b31ac32e44c270ab20273c8b91f37e25a837c0353f76bcf431cdcb3" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Getshell.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2075def88b31ac32e44c270ab20273c8b91f37e25a837c0353f76bcf431cdcb3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83349,9 +83482,9 @@ rule ELASTIC_Linux_Trojan_Getshell_3Cf5480B : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "0e41c0d6286fb7cd3288892286548eaebf67c16f1a50a69924f39127eb73ff38" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Getshell.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "87b0db74e81d4f236b11f51a72fba2e4263c988402292b2182d19293858c6126" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Getshell.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_87b0db74e81d4f236b11f51a72fba2e4263c988402292b2182d19293858c6126" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83377,9 +83510,9 @@ rule ELASTIC_Linux_Trojan_Getshell_8A79B859 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "1154ba394176730e51c7c7094ff3274e9f68aaa2ed323040a94e1c6f7fb976a2" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Getshell.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2aa3914ec4cc04e5daa2da1460410b4f0e5e7a37c5a2eae5a02ff5f55382f1fe" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Getshell.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2aa3914ec4cc04e5daa2da1460410b4f0e5e7a37c5a2eae5a02ff5f55382f1fe" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83405,10 +83538,10 @@ rule ELASTIC_Windows_Vulndriver_Ryzen_7Df5A747 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Ryzen.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Ryzen.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - logic_hash = "192b51f0bbd2cab4c1d3da6f82fbee7129a53abaa6e8769d3681821112017824" + logic_hash = "v1_sha256_192b51f0bbd2cab4c1d3da6f82fbee7129a53abaa6e8769d3681821112017824" score = 75 quality = 75 tags = "FILE" @@ -83425,7 +83558,7 @@ rule ELASTIC_Windows_Vulndriver_Ryzen_7Df5A747 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x05][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x04][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Ryzen_9B01C718 : FILE { 
@@ -83436,10 +83569,10 @@ rule ELASTIC_Windows_Vulndriver_Ryzen_9B01C718 : FILE date = "2023-01-22" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Ryzen.yar#L23-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Ryzen.yar#L23-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bb82d8c29127955d58dff58978605a9daa718425c74c4bce5ae3e53712909148" - logic_hash = "5734f6a249656f22a2a363b42ae77b5e6b7673bc96bad34b04b1be7f2b584b08" + logic_hash = "v1_sha256_5734f6a249656f22a2a363b42ae77b5e6b7673bc96bad34b04b1be7f2b584b08" score = 75 quality = 75 tags = "FILE" @@ -83456,7 +83589,7 @@ rule ELASTIC_Windows_Vulndriver_Ryzen_9B01C718 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x07][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x06][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $original_file_name and $version } rule ELASTIC_Linux_Exploit_CVE_2019_13272_583Dd2C0 : FILE MEMORY CVE_2019_13272 { 
@@ -83467,10 +83600,10 @@ rule ELASTIC_Linux_Exploit_CVE_2019_13272_583Dd2C0 : FILE MEMORY CVE_2019_13272 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2019_13272.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2019_13272.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3191b9473f3e59f55e062e6bdcfe61b88974602c36477bfa6855ccd92ff7ca83" - logic_hash = "0b25f0d979d2fc3f7d646a9b3eccf2a293b41181b499c790d3e99515fcd09603" + logic_hash = "v1_sha256_0b25f0d979d2fc3f7d646a9b3eccf2a293b41181b499c790d3e99515fcd09603" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2019-13272" 
@@ -83496,9 +83629,9 @@ rule ELASTIC_Windows_Trojan_Octopus_15813E26 : FILE MEMORY date = "2021-11-10" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Octopus.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "0d30b96ead4ccba75e08f6ba1db73cee61a29b5b0c7ee0fb523cbcd61dce9d87" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Octopus.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_0d30b96ead4ccba75e08f6ba1db73cee61a29b5b0c7ee0fb523cbcd61dce9d87" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83525,10 +83658,10 @@ rule ELASTIC_Linux_Trojan_Dinodasrat_1D371D10 : FILE MEMORY date = "2024-04-02" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_DinodasRAT.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_DinodasRAT.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bf830191215e0c8db207ea320d8e795990cf6b3e6698932e6e0c9c0588fc9eff" - logic_hash = "933e78882be1d8dd9553ba90f038963d1b6f8f643888258541b7668aa3434808" + logic_hash = "v1_sha256_933e78882be1d8dd9553ba90f038963d1b6f8f643888258541b7668aa3434808" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83559,10 +83692,10 @@ rule ELASTIC_Windows_Trojan_Flawedgrace_8C5Eb04B : FILE MEMORY date = "2023-11-01" modified = "2023-11-02" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_FlawedGrace.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_FlawedGrace.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "966112f3143d751a95c000a990709572ac8b49b23c0e57b2691955d6fda1016e" - logic_hash = "dc07197cb9a02ff8d271f78756c2784c74d09e530af20377a584dbfe77e973aa" + logic_hash = "v1_sha256_dc07197cb9a02ff8d271f78756c2784c74d09e530af20377a584dbfe77e973aa" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83592,10 +83725,10 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_13B3C88B : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Rtkio.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Rtkio.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - logic_hash = "1e37650292884e28dcc51c42bc1b1d1e8efc13b0727f7865ff1dc7b8e1a72380" + logic_hash = "v1_sha256_1e37650292884e28dcc51c42bc1b1d1e8efc13b0727f7865ff1dc7b8e1a72380" score = 75 quality = 75 tags = "FILE" @@ -83611,7 +83744,7 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_13B3C88B : FILE $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 72 00 74 00 6B 00 69 00 6F 00 2E 00 73 00 79 00 73 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name } rule ELASTIC_Windows_Vulndriver_Rtkio_D595781E : FILE { 
@@ -83622,10 +83755,10 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_D595781E : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Rtkio.yar#L22-L41" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Rtkio.yar#L22-L41" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" - logic_hash = "289eb17025d989cc74e109b1c03378e9760817a84f1a759153ff6ff6b6401e6d" + logic_hash = "v1_sha256_289eb17025d989cc74e109b1c03378e9760817a84f1a759153ff6ff6b6401e6d" score = 75 quality = 75 tags = "FILE" @@ -83641,7 +83774,7 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_D595781E : FILE $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 72 00 74 00 6B 00 69 00 6F 00 36 00 34 00 2E 00 73 00 79 00 73 00 20 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name } rule ELASTIC_Windows_Vulndriver_Rtkio_B09Af431 : FILE { 
@@ -83652,10 +83785,10 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_B09Af431 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Rtkio.yar#L43-L62" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Rtkio.yar#L43-L62" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" - logic_hash = "916a6e63dc4c7ee0bfdf4a455ee467a1d03c1042db60806511aa7cbf3b096190" + logic_hash = "v1_sha256_916a6e63dc4c7ee0bfdf4a455ee467a1d03c1042db60806511aa7cbf3b096190" score = 75 quality = 75 tags = "FILE" @@ -83671,7 +83804,7 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_B09Af431 : FILE $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 72 00 74 00 6B 00 69 00 6F 00 77 00 38 00 78 00 36 00 34 00 2E 00 73 00 79 00 73 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name } rule ELASTIC_Windows_Vulndriver_Rtkio_5693E967 : FILE { 
@@ -83682,10 +83815,10 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_5693E967 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Rtkio.yar#L64-L83" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Rtkio.yar#L64-L83" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - logic_hash = "4cbc7a52de7f610cdb12bf40a9099bcfae818dcb5e4119a8c34499433aeebd7e" + logic_hash = "v1_sha256_4cbc7a52de7f610cdb12bf40a9099bcfae818dcb5e4119a8c34499433aeebd7e" score = 75 quality = 75 tags = "FILE" @@ -83701,7 +83834,7 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_5693E967 : FILE $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 72 00 74 00 6B 00 69 00 6F 00 77 00 31 00 30 00 78 00 36 00 34 00 2E 00 73 00 79 00 73 00 20 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name } rule ELASTIC_Windows_Trojan_Darkcomet_1Df27Bcc : FILE MEMORY { 
@@ -83712,10 +83845,10 @@ rule ELASTIC_Windows_Trojan_Darkcomet_1Df27Bcc : FILE MEMORY date = "2021-08-16" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Darkcomet.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Darkcomet.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569" - logic_hash = "5886e3316839e64f934a0e84d85074e076f3e1e44f86fee35a87eb560bfa2aa7" + logic_hash = "v1_sha256_5886e3316839e64f934a0e84d85074e076f3e1e44f86fee35a87eb560bfa2aa7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83745,10 +83878,10 @@ rule ELASTIC_Linux_Trojan_Generic_402Be6C5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d30a8f5971763831f92d9a6dd4720f52a1638054672a74fdb59357ae1c9e6deb" - logic_hash = "b32111972bc21822f0f2c8e47198c90b70e78667410175257b9542c212fc3a1d" + logic_hash = "v1_sha256_b32111972bc21822f0f2c8e47198c90b70e78667410175257b9542c212fc3a1d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83774,10 +83907,10 @@ rule ELASTIC_Linux_Trojan_Generic_5420D3E7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "103b8fced0aebd73cb8ba9eff1a55e6b6fa13bb0a099c9234521f298ee8d2f9f" - logic_hash = "8ba3566ec900e37f05f11d40c65ffe1dfc587c553fa9c28b71ced7a9a90f50c3" + logic_hash = "v1_sha256_8ba3566ec900e37f05f11d40c65ffe1dfc587c553fa9c28b71ced7a9a90f50c3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83803,10 +83936,10 @@ rule ELASTIC_Linux_Trojan_Generic_4F4Cc3Ea : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "32e25641360dbfd50125c43754cd327cf024f1b3bfd75b617cdf8a17024e2da5" - logic_hash = "9eb0d93b8c1a579ca8362d033edecbbe6a9ade82f6ae5688c183b97ed7b97faa" + logic_hash = "v1_sha256_9eb0d93b8c1a579ca8362d033edecbbe6a9ade82f6ae5688c183b97ed7b97faa" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -83832,10 +83965,10 @@ rule ELASTIC_Linux_Trojan_Generic_703A0258 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b086d0119042fc960fe540c23d0a274dd0fb6f3570607823895c9158d4f75974" - logic_hash = "cb37930637b8da91188d199ee20f1b64a0b1f13e966a99e69b983e623dac51de" + logic_hash = "v1_sha256_cb37930637b8da91188d199ee20f1b64a0b1f13e966a99e69b983e623dac51de" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83861,10 +83994,10 @@ rule ELASTIC_Linux_Trojan_Generic_378765E4 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ed42910e09e88777ae9958439d14176cb77271edf110053e1a29372fce21ec1" - logic_hash = "dd10305f553fa94ff83fafa84cff3d544f097b617fca20760eef838902e1f7db" + logic_hash = "v1_sha256_dd10305f553fa94ff83fafa84cff3d544f097b617fca20760eef838902e1f7db" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83890,10 +84023,10 @@ rule ELASTIC_Linux_Trojan_Generic_F657Fb4F : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ed42910e09e88777ae9958439d14176cb77271edf110053e1a29372fce21ec1" - logic_hash = "af4fa2c21b47f360b425ebbfea624e3728cd682e54e367d265b4f3a6515b0720" + logic_hash = "v1_sha256_af4fa2c21b47f360b425ebbfea624e3728cd682e54e367d265b4f3a6515b0720" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83919,10 +84052,10 @@ rule ELASTIC_Linux_Trojan_Generic_Be1757Ef : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e4e2b5af9d0c72aae83cec57e5c091a95c549f826e8f13559aaf7d300f6e13" - logic_hash = "567d33c262e5f812c6a702bcc0a1f0cf576b67bf7cf67bb82b5f9ce9f233aaff" + logic_hash = "v1_sha256_567d33c262e5f812c6a702bcc0a1f0cf576b67bf7cf67bb82b5f9ce9f233aaff" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -83948,10 +84081,10 @@ rule ELASTIC_Linux_Trojan_Generic_7A95Ef79 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L141-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L141-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f59340a740af8f7f4b96e3ea46d38dbe81f2b776820b6f53b7028119c5db4355" - logic_hash = "6da43e4bab6b2024b49dfc943f099fb21c06d8d4a082a05594b07cb55989183c" + logic_hash = "v1_sha256_6da43e4bab6b2024b49dfc943f099fb21c06d8d4a082a05594b07cb55989183c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83977,10 +84110,10 @@ rule ELASTIC_Linux_Trojan_Generic_1C5E42B7 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L161-L179" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L161-L179" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f" - logic_hash = "cd759b87a303fafb9461d0a73b6a6b3f468b1f3db0189ba0e584a629e5d78da1" + logic_hash = "v1_sha256_cd759b87a303fafb9461d0a73b6a6b3f468b1f3db0189ba0e584a629e5d78da1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84006,10 +84139,10 @@ rule ELASTIC_Linux_Trojan_Generic_8Ca4B663 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L181-L199" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L181-L199" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ddf479e504867dfa27a2f23809e6255089fa0e2e7dcf31b6ce7d08f8d88947e" - logic_hash = "43b8cae2075f55a98b226f865d54e1c96345db0564815d849b3458d3f3ffee7f" + logic_hash = "v1_sha256_43b8cae2075f55a98b226f865d54e1c96345db0564815d849b3458d3f3ffee7f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84035,10 +84168,10 @@ rule ELASTIC_Linux_Trojan_Generic_D3Fe3Fae : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L201-L219" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L201-L219" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2a2542142adb05bff753e0652e119c1d49232d61c49134f13192425653332dc3" - logic_hash = "0b980a0bcf8340410fe2b53d109f629c6e871ebe82af467153d7b50b73fd8644" + logic_hash = "v1_sha256_0b980a0bcf8340410fe2b53d109f629c6e871ebe82af467153d7b50b73fd8644" score = 60 quality = 43 tags = "FILE, MEMORY" 
@@ -84064,10 +84197,10 @@ rule ELASTIC_Linux_Trojan_Generic_5E981634 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L221-L239" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L221-L239" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "448e8d71e335cabf5c4e9e8d2d31e6b52f620dbf408d8cc9a6232a81c051441b" - logic_hash = "4623c07a15588788ec8a484642a33f2d18127849302d57520a0dac875564f62c" + logic_hash = "v1_sha256_4623c07a15588788ec8a484642a33f2d18127849302d57520a0dac875564f62c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84093,10 +84226,10 @@ rule ELASTIC_Linux_Trojan_Generic_D8953Ca0 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L241-L259" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L241-L259" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "552753661c3cc7b3a4326721789808482a4591cb662bc813ee50d95f101a3501" - logic_hash = "cbc1a60a1d9525f7230336dff07f56e6a0b99e7c70c99d3f4363c06ed0071716" + logic_hash = "v1_sha256_cbc1a60a1d9525f7230336dff07f56e6a0b99e7c70c99d3f4363c06ed0071716" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84122,10 +84255,10 @@ rule ELASTIC_Linux_Trojan_Generic_181054Af : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L261-L279" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L261-L279" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e677f1eed0dbb4c680549e0bf86d92b0a28a85c6d571417baaba0d0719da5f93" - logic_hash = "e92807b603dd33fe7a083985644a213913a77e81c068623fdac7931148207b91" + logic_hash = "v1_sha256_e92807b603dd33fe7a083985644a213913a77e81c068623fdac7931148207b91" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84151,10 +84284,10 @@ rule ELASTIC_Linux_Trojan_Generic_C3D529A2 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L281-L299" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L281-L299" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b46135ae52db6399b680e5c53f891d101228de5cd6c06b6ae115e4a763a5fb22" - logic_hash = "a508acd95844a4385943166f715606199048d96be0098bc89f9be7b9db34833e" + logic_hash = "v1_sha256_a508acd95844a4385943166f715606199048d96be0098bc89f9be7b9db34833e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84180,10 +84313,10 @@ rule ELASTIC_Linux_Trojan_Generic_4675Dffa : FILE MEMORY date = "2023-07-28" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L301-L320" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L301-L320" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "43e14c9713b1ca1f3a7f4bcb57dd3959d3a964be5121eb5aba312de41e2fb7a6" - logic_hash = "d2865a869d0cf0bf784106fe6242a4c7f58e58a43c4d4ae0241b10569810904d" + logic_hash = "v1_sha256_d2865a869d0cf0bf784106fe6242a4c7f58e58a43c4d4ae0241b10569810904d" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -84210,9 +84343,9 @@ rule ELASTIC_Linux_Trojan_Generic_5E3Bc3B3 : FILE MEMORY date = "2024-09-20" modified = "2024-11-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Generic.yar#L322-L344" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "33c14a6b8b5a2fc105ea6f1d5ee89e53f6c5e44126b9cf687058de64d649b5ca" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Generic.yar#L322-L344" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_33c14a6b8b5a2fc105ea6f1d5ee89e53f6c5e44126b9cf687058de64d649b5ca" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -84232,7 +84365,7 @@ rule ELASTIC_Linux_Trojan_Generic_5E3Bc3B3 : FILE MEMORY $key = "yyyyyyyy" condition: - 1 of ($enc*) and $key + 1 of ( $enc* ) and $key } rule ELASTIC_Windows_Backdoor_Dragoncastling_4Ecf6F9F : FILE MEMORY { 
@@ -84243,10 +84376,10 @@ rule ELASTIC_Windows_Backdoor_Dragoncastling_4Ecf6F9F : FILE MEMORY date = "2022-11-08" modified = "2022-12-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Backdoor_DragonCastling.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Backdoor_DragonCastling.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9776c7ae6ca73f87d7c838257a5bcd946372fbb77ebed42eebdfb633b13cd387" - logic_hash = "26ff86354230f1006bd451eab5c1634b91888330d124a06dd2dfa5ab515d6e1a" + logic_hash = "v1_sha256_26ff86354230f1006bd451eab5c1634b91888330d124a06dd2dfa5ab515d6e1a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84280,10 +84413,10 @@ rule ELASTIC_Windows_Trojan_Squirrelwaffle_88033Ff1 : FILE MEMORY date = "2021-09-20" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Squirrelwaffle.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Squirrelwaffle.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c" - logic_hash = "695d7d411a4de23ba1517a06bda3ce73add37dca1e6fe9046e7c2dcae237389e" + logic_hash = "v1_sha256_695d7d411a4de23ba1517a06bda3ce73add37dca1e6fe9046e7c2dcae237389e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84312,10 +84445,10 @@ rule ELASTIC_Windows_Trojan_Squirrelwaffle_D3B685A1 : FILE MEMORY date = "2021-09-21" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Squirrelwaffle.yar#L24-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Squirrelwaffle.yar#L24-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c" - logic_hash = "7d187aa75fc767f5009f3090852de4894776f4b3f99f189478e7e9fd9c3acbe7" + logic_hash = "v1_sha256_7d187aa75fc767f5009f3090852de4894776f4b3f99f189478e7e9fd9c3acbe7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84341,10 +84474,10 @@ rule ELASTIC_Linux_Exploit_Abrox_5641Ba81 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Abrox.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Abrox.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8de96c8e61536cae870f4a24127d28b86bd8122428bf13965c596f92182625aa" - logic_hash = "29c894720c8d9134623427768ab1ab3d5e66fbeae86dd957f449d00091db9019" + logic_hash = "v1_sha256_29c894720c8d9134623427768ab1ab3d5e66fbeae86dd957f449d00091db9019" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84370,9 +84503,9 @@ rule ELASTIC_Multi_Attacksimulation_Blindspot_D93F54C5 : FILE MEMORY date = "2022-05-23" modified = "2022-08-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_AttackSimulation_Blindspot.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "41984a0ad20ab21186252bb2f3f68604d2cbeea0e1ce22895dd163f7acbf2ca1" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_AttackSimulation_Blindspot.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_41984a0ad20ab21186252bb2f3f68604d2cbeea0e1ce22895dd163f7acbf2ca1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84398,10 +84531,10 @@ rule ELASTIC_Linux_Trojan_Dropperl_B97Baf37 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dropperl.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dropperl.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "aff94f915fc81d5a2649ebd7c21ec8a4c2fc0d622ec9b790b43cc49f7feb83da" - logic_hash = "e58130c33242bc3020602c2c0254bed2bbc564c4a11806c6cfcd858fd724c362" + logic_hash = "v1_sha256_e58130c33242bc3020602c2c0254bed2bbc564c4a11806c6cfcd858fd724c362" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84427,10 +84560,10 @@ rule ELASTIC_Linux_Trojan_Dropperl_E2443Be5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dropperl.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dropperl.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "aff94f915fc81d5a2649ebd7c21ec8a4c2fc0d622ec9b790b43cc49f7feb83da" - logic_hash = "85733ff904cfa3eddaa4c4fbfc51c00494c3a3725e2eb722bbf33c82e7135336" + logic_hash = "v1_sha256_85733ff904cfa3eddaa4c4fbfc51c00494c3a3725e2eb722bbf33c82e7135336" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84456,10 +84589,10 @@ rule ELASTIC_Linux_Trojan_Dropperl_683C2Ba1 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dropperl.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dropperl.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a02e166fbf002dd4217c012f24bb3a8dbe310a9f0b0635eb20a7d315049367e1" - logic_hash = "eef2bdef7e20633f7dc92f653b43e3a217e8cbdbac63d05540bdd520e22dd1ed" + logic_hash = "v1_sha256_eef2bdef7e20633f7dc92f653b43e3a217e8cbdbac63d05540bdd520e22dd1ed" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84485,10 +84618,10 @@ rule ELASTIC_Linux_Trojan_Dropperl_8Bca73F6 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dropperl.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dropperl.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e7c17b7916b38494b9a07c249acb99499808959ba67125c29afec194ca4ae36c" - logic_hash = "2cfad4e436198391185fdae5c4af18ae43841db19da33473fdf18b64b0399613" + logic_hash = "v1_sha256_2cfad4e436198391185fdae5c4af18ae43841db19da33473fdf18b64b0399613" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84514,10 +84647,10 @@ rule ELASTIC_Linux_Trojan_Dropperl_C4018572 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dropperl.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dropperl.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c1515b3a7a91650948af7577b613ee019166f116729b7ff6309b218047141f6d" - logic_hash = "10d70540532c5c2984dc7e492672450924cb8f34c8158638191886057596b0a1" + logic_hash = "v1_sha256_10d70540532c5c2984dc7e492672450924cb8f34c8158638191886057596b0a1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84543,10 +84676,10 @@ rule ELASTIC_Linux_Trojan_Dropperl_733C0330 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dropperl.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dropperl.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b303f241a2687dba8d7b4987b7a46b5569bd2272e2da3e0c5e597b342d4561b6" - logic_hash = "37bf7777e26e556f09b8cb0e7e3c8425226a6412c3bed0d95fdab7229b6f4815" + logic_hash = "v1_sha256_37bf7777e26e556f09b8cb0e7e3c8425226a6412c3bed0d95fdab7229b6f4815" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84572,10 +84705,10 @@ rule ELASTIC_Linux_Trojan_Dropperl_39F4Cd0D : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Dropperl.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Dropperl.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c08e1347877dc77ad73c1e017f928c69c8c78a0e3c16ac5455668d2ad22500f3" - logic_hash = "5b61f54604b110d2c8efaf1782a2e520baac96c6d3e8d1eda0877475c504bf89" + logic_hash = "v1_sha256_5b61f54604b110d2c8efaf1782a2e520baac96c6d3e8d1eda0877475c504bf89" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84601,10 +84734,10 @@ rule ELASTIC_Macos_Trojan_Fplayer_1C1Fae37 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Fplayer.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Fplayer.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725" - logic_hash = "0d65717bdbac694ffb2535a1ff584f7ec2aa7b553a08d29113c6e2bd7b2ff1aa" + logic_hash = "v1_sha256_0d65717bdbac694ffb2535a1ff584f7ec2aa7b553a08d29113c6e2bd7b2ff1aa" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84630,10 +84763,10 @@ rule ELASTIC_Windows_Remoteadmin_Ultravnc_965F054A : FILE MEMORY date = "2023-03-18" modified = "2023-04-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_RemoteAdmin_UltraVNC.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_RemoteAdmin_UltraVNC.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "59bddb5ccdc1c37c838c8a3d96a865a28c75b5807415fd931eaff0af931d1820" - logic_hash = "a9b9d0958f09b23fa7b27ef7ec32b3feb98edca3be5a21552a3a2f50e3fd41c1" + logic_hash = "v1_sha256_a9b9d0958f09b23fa7b27ef7ec32b3feb98edca3be5a21552a3a2f50e3fd41c1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84665,10 +84798,10 @@ rule ELASTIC_Linux_Trojan_Sambashell_F423755D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sambashell.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sambashell.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bd8a3728a59afbf433799578ef597b9a7211c8d62e87a25209398814851a77ea" - logic_hash = "b93c671fae87cd635679142d248cb2b754389ba3b416f3370ea331640eb906ab" + logic_hash = "v1_sha256_b93c671fae87cd635679142d248cb2b754389ba3b416f3370ea331640eb906ab" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84694,9 +84827,9 @@ rule ELASTIC_Linux_Trojan_Kinsing_196523Fa : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Kinsing.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "baa5808fcf22700ae96844dbf8cb3bec52425eec365d2ba4c71b73ece11a69a2" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Kinsing.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_baa5808fcf22700ae96844dbf8cb3bec52425eec365d2ba4c71b73ece11a69a2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84722,10 +84855,10 @@ rule ELASTIC_Linux_Trojan_Kinsing_7Cdbe9Fa : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Kinsing.yar#L20-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Kinsing.yar#L20-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b3527e3d03a30fcf1fdaa73a1b3743866da6db088fbfa5f51964f519e22d05e6" - logic_hash = "c6f5d2cf0430301ec0eae57808100203b69428f258e0e6882fecbc762d73f4bf" + logic_hash = "v1_sha256_c6f5d2cf0430301ec0eae57808100203b69428f258e0e6882fecbc762d73f4bf" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -84751,10 +84884,10 @@ rule ELASTIC_Linux_Trojan_Kinsing_2C1Ffe78 : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Kinsing.yar#L40-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Kinsing.yar#L40-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b3527e3d03a30fcf1fdaa73a1b3743866da6db088fbfa5f51964f519e22d05e6" - logic_hash = "9561511710eef5877c5afa49890b77fbad31a6e312b5cd33fc01f91ff2a73583" + logic_hash = "v1_sha256_9561511710eef5877c5afa49890b77fbad31a6e312b5cd33fc01f91ff2a73583" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -84780,10 +84913,10 @@ rule ELASTIC_Linux_Trojan_Kinsing_85276Fb4 : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Kinsing.yar#L60-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Kinsing.yar#L60-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b3527e3d03a30fcf1fdaa73a1b3743866da6db088fbfa5f51964f519e22d05e6" - logic_hash = "6919afd133e7e369eece10ea79d9d17a1a3fbb6210593395e0be157f8c262811" + logic_hash = "v1_sha256_6919afd133e7e369eece10ea79d9d17a1a3fbb6210593395e0be157f8c262811" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84809,10 +84942,10 @@ rule ELASTIC_Windows_Trojan_Falsefont_D1F0D357 : FILE MEMORY date = "2024-03-26" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_FalseFont.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_FalseFont.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614" - logic_hash = "af356dec77f773cec01626a3823dbea7e9d3719b9d152ec4057c0b97efabf0df" + logic_hash = "v1_sha256_af356dec77f773cec01626a3823dbea7e9d3719b9d152ec4057c0b97efabf0df" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84845,10 +84978,10 @@ rule ELASTIC_Linux_Exploit_CVE_2009_1897_6Cf0A073 : FILE MEMORY CVE_2009_1897 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2009_1897.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2009_1897.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "85f371bf73ee6d8fcb6fa9a8a68b38c5e023151257fd549855c4c290cc340724" - logic_hash = "dcde454fda09cb6bc7b213b76d70eafd65d2601cfda70ff25c6940b55ce3adb6" + logic_hash = "v1_sha256_dcde454fda09cb6bc7b213b76d70eafd65d2601cfda70ff25c6940b55ce3adb6" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2009-1897" 
@@ -84874,10 +85007,10 @@ rule ELASTIC_Linux_Trojan_Snowlight_F5C83D35 : FILE MEMORY date = "2024-05-16" modified = "2024-06-12" reference = "https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Snowlight.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Snowlight.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7d6652d8fa3748d7f58d7e15cefee5a48126d0209cf674818f55e9a68248be01" - logic_hash = "fef8f44e897a0f453be2f84d28886d27e261f8256c53c0425c5265b138ce5f40" + logic_hash = "v1_sha256_fef8f44e897a0f453be2f84d28886d27e261f8256c53c0425c5265b138ce5f40" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84903,10 +85036,10 @@ rule ELASTIC_Linux_Ransomware_Conti_53A640F4 : FILE MEMORY date = "2022-09-22" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Conti.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Conti.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201" - logic_hash = "b83a47664d8acce7de17ac5972d9fd5e708c8cd3d8ebedc2bacf1397fd25f5d3" + logic_hash = "v1_sha256_b83a47664d8acce7de17ac5972d9fd5e708c8cd3d8ebedc2bacf1397fd25f5d3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84932,10 +85065,10 @@ rule ELASTIC_Linux_Ransomware_Conti_A89C26Cf : FILE MEMORY date = "2023-07-30" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Conti.yar#L21-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Conti.yar#L21-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "95776f31cbcac08eb3f3e9235d07513a6d7a6bf9f1b7f3d400b2cf0afdb088a7" - logic_hash = "301f3f3ece06a1cd6788db6e3003497b27470780eaaad95f40ed926e7623793e" + logic_hash = "v1_sha256_301f3f3ece06a1cd6788db6e3003497b27470780eaaad95f40ed926e7623793e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -84964,10 +85097,10 @@ rule ELASTIC_Linux_Hacktool_Fontonlake_68Ad8568 : FILE MEMORY date = "2021-10-12" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Fontonlake.yar#L1-L30" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Fontonlake.yar#L1-L30" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "717953f52318e7687fc95626561cc607d4875d77ff7e3cf5c7b21cf91f576fa4" - logic_hash = "63dd5769305c715e27e3c62160f7b0f65b57204009ed46383b5b477c67cfac8e" + logic_hash = "v1_sha256_63dd5769305c715e27e3c62160f7b0f65b57204009ed46383b5b477c67cfac8e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85004,10 +85137,10 @@ rule ELASTIC_Windows_Trojan_Pony_D5516Fe8 : FILE MEMORY date = "2021-08-14" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Pony.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Pony.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567" - logic_hash = "4a850d32fb28477e7e3fef2dda6ba327b800e2ebcae1a483970cde78f34a4ff7" + logic_hash = "v1_sha256_4a850d32fb28477e7e3fef2dda6ba327b800e2ebcae1a483970cde78f34a4ff7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85039,10 +85172,10 @@ rule ELASTIC_Windows_Trojan_Twistedtinsel_Aa56E527 : FILE MEMORY date = "2023-12-06" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_TwistedTinsel.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_TwistedTinsel.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ef1cbdf9a23ae028a858e1d09529982eaeda61197ae029e091918690d3a86e2e" - logic_hash = "de31d0a5560baf6b37897eba3a637b00b539f542a2620983c3407a6898e003c7" + logic_hash = "v1_sha256_de31d0a5560baf6b37897eba3a637b00b539f542a2620983c3407a6898e003c7" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -85069,10 +85202,10 @@ rule ELASTIC_Linux_Exploit_CVE_2017_100011_21025F50 : FILE MEMORY CVE_2017_10001 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2017_100011.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2017_100011.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "32db88b2c964ce48e6d1397ca655075ea54ce298340af55ea890a2411a67d554" - logic_hash = "3ec54a7639ccfc019e01fa287f69a93af57087e2d67d0c8574a646afb9043db5" + logic_hash = "v1_sha256_3ec54a7639ccfc019e01fa287f69a93af57087e2d67d0c8574a646afb9043db5" score = 75 quality = 73 tags = "FILE, MEMORY, CVE-2017-100011" 
@@ -85098,10 +85231,10 @@ rule ELASTIC_Windows_Vulndriver_Rentdrv_B6711B6B : FILE MEMORY date = "2024-08-19" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_RentDrv.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_RentDrv.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5" - logic_hash = "3b3d66fefb4f0efbc8b86687925eac25284a6efad3acc74ad4a627d975cd5e7b" + logic_hash = "v1_sha256_3b3d66fefb4f0efbc8b86687925eac25284a6efad3acc74ad4a627d975cd5e7b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85117,7 +85250,7 @@ rule ELASTIC_Windows_Vulndriver_Rentdrv_B6711B6B : FILE MEMORY $str2 = "KillProcess" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and all of them + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and all of them } rule ELASTIC_Windows_Vulndriver_Rtcore_4Eeb2Ce5 : FILE { 
@@ -85128,10 +85261,10 @@ rule ELASTIC_Windows_Vulndriver_Rtcore_4Eeb2Ce5 : FILE date = "2022-04-04" modified = "2022-08-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_RtCore.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_RtCore.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd" - logic_hash = "f547bce6554c60e8f3ef8e128c05533cf1f35ce0ee414d5a1c5e9a205b05d8fe" + logic_hash = "v1_sha256_f547bce6554c60e8f3ef8e128c05533cf1f35ce0ee414d5a1c5e9a205b05d8fe" score = 75 quality = 75 tags = "FILE" @@ -85147,7 +85280,7 @@ rule ELASTIC_Windows_Vulndriver_Rtcore_4Eeb2Ce5 : FILE $str2 = "Kaspersky Lab Anti-Rootkit Monitor Driver" wide fullword condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 and not $str2 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 and not $str2 } rule ELASTIC_Windows_Trojan_Babylonrat_0F66E73B : FILE MEMORY { 
@@ -85158,10 +85291,10 @@ rule ELASTIC_Windows_Trojan_Babylonrat_0F66E73B : FILE MEMORY date = "2021-09-02" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Babylonrat.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Babylonrat.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4278064ec50f87bb0471053c068b13955ed9d599434e687a64bf2060438a7511" - logic_hash = "66223dc9e2ef7330e26c91f0c82c555e96e4c794a637ab2cbe36410f3eca202a" + logic_hash = "v1_sha256_66223dc9e2ef7330e26c91f0c82c555e96e4c794a637ab2cbe36410f3eca202a" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -85190,10 +85323,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_D7Bd0E5D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "afcfd67af99e437f553029ccf97b91ed0ca891f9bcc01c148c2b38c75482d671" - logic_hash = "1f87721fdfe58d029c0696bc99385a0052c771bc48b2c9ce01b72c3e42359654" + logic_hash = "v1_sha256_1f87721fdfe58d029c0696bc99385a0052c771bc48b2c9ce01b72c3e42359654" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85219,10 +85352,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_69E1A763 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b04d9fabd1e8fc42d1fa8e90a3299a3c36e6f05d858dfbed9f5e90a84b68bcbb" - logic_hash = "d0dac8e2c9571d9e622c8c1250a54a7671ad1b9b00dba584c3741b714c22d8e0" + logic_hash = "v1_sha256_d0dac8e2c9571d9e622c8c1250a54a7671ad1b9b00dba584c3741b714c22d8e0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85248,10 +85381,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_397A86Bd : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "79c47a80ecc6e0f5f87749319f6d5d6a3f0fbff7c34082d747155b9b20510cde" - logic_hash = "6b46a82d1aea0357f5a48c9ae1d93e3d4d31bd98b9c9b4e0b0d0629e7f159499" + logic_hash = "v1_sha256_6b46a82d1aea0357f5a48c9ae1d93e3d4d31bd98b9c9b4e0b0d0629e7f159499" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85277,10 +85410,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_37C3F8D3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "efbddf1020d0845b7a524da357893730981b9ee65a90e54976d7289d46d0ffd4" - logic_hash = "e7bdd185ea4227b0960c3e677e7d8ac7488d53eaa77efd631be828b2ca079bb8" + logic_hash = "v1_sha256_e7bdd185ea4227b0960c3e677e7d8ac7488d53eaa77efd631be828b2ca079bb8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85306,10 +85439,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_28A80546 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "96cc225cf20240592e1dcc8a13a69f2f97637ed8bc89e30a78b8b2423991d850" - logic_hash = "120e9f7cad0fc8aebd843374c0edca8cbb701882ab55a7f24aced1d80d8cd697" + logic_hash = "v1_sha256_120e9f7cad0fc8aebd843374c0edca8cbb701882ab55a7f24aced1d80d8cd697" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85335,10 +85468,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_9D531F70 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36f2ce4e34faf42741f0a15f62e8b3477d69193bf289818e22d0e3ee3e906eb0" - logic_hash = "87d3cb7049975d52f2a6d6aa10e6b6d0d008d166ca5f9889ad1413a573d8b58e" + logic_hash = "v1_sha256_87d3cb7049975d52f2a6d6aa10e6b6d0d008d166ca5f9889ad1413a573d8b58e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85364,10 +85497,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_23A5C29A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1320d7a2b5e3b65fe974a95374b4ea7ed1a5aa27d76cd3d9517d3a271121103f" - logic_hash = "c2608e7ee73102e0737a859a18c5482877c6dc0e597d8a14d8d41f5e01a0b1f4" + logic_hash = "v1_sha256_c2608e7ee73102e0737a859a18c5482877c6dc0e597d8a14d8d41f5e01a0b1f4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85393,10 +85526,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_Ea5703Ce : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L141-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L141-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bec6eea63025e2afa5940d27ead403bfda3a7b95caac979079cabef88af5ee0b" - logic_hash = "bbf0191ecff24fd24376fd3dec2e96644188ca4d26b4ca4f087e212bae2eab85" + logic_hash = "v1_sha256_bbf0191ecff24fd24376fd3dec2e96644188ca4d26b4ca4f087e212bae2eab85" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85422,10 +85555,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_6A4F4255 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L161-L179" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L161-L179" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8cfc38db2b860efcce5da40ce1e3992f467ab0b7491639d68d530b79529cda80" - logic_hash = "133290dc7423174bb3b41b152bab038d118b47baaca52705b66fd9be01692a03" + logic_hash = "v1_sha256_133290dc7423174bb3b41b152bab038d118b47baaca52705b66fd9be01692a03" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85451,10 +85584,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_9088D00B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L181-L199" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L181-L199" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8abb2b058ec475b0b6fd0c994685db72e98d87ee3eec58e29cf5c324672df04a" - logic_hash = "3ebc8cb6d647138e72194528dafc644c90222440855d657ec50109f11ff936da" + logic_hash = "v1_sha256_3ebc8cb6d647138e72194528dafc644c90222440855d657ec50109f11ff936da" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85480,10 +85613,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_71024C4A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L201-L219" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L201-L219" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "afe81c84dcb693326ee207ccd8aeed6ed62603ad3c8d361e8d75035f6ce7c80f" - logic_hash = "0c66a3388fe8546ae180e52d50ef05a28755d24e47b3b56f390d5c6fcb0b89eb" + logic_hash = "v1_sha256_0c66a3388fe8546ae180e52d50ef05a28755d24e47b3b56f390d5c6fcb0b89eb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85509,10 +85642,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_D81368A3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L221-L239" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L221-L239" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "71225e4702f2e0a0ecf79f7ec6c6a1efc95caf665fda93a646519f6f5744990b" - logic_hash = "0e30c9ebd8f2d3a489180f114daf91a3655ce9075ae25ea3d6ef5be472d7721a" + logic_hash = "v1_sha256_0e30c9ebd8f2d3a489180f114daf91a3655ce9075ae25ea3d6ef5be472d7721a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85538,10 +85671,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_97E9Cebe : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L241-L259" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L241-L259" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b4ff62d92bd4d423379f26b37530776b3f4d927cc8a22bd9504ef6f457de4b7a" - logic_hash = "8aad31db2646fb9971b9af886e30f6c5a62a9c7de86cb9dc9e1341ac3b7762eb" + logic_hash = "v1_sha256_8aad31db2646fb9971b9af886e30f6c5a62a9c7de86cb9dc9e1341ac3b7762eb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85567,10 +85700,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_98Ff0F36 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L261-L279" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L261-L279" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4c14aaf05149bb38bbff041432bf9574dd38e851038638aeb121b464a1e60dcc" - logic_hash = "60f17855b08cfc51e497003cbb5ed25d9168fb29c57d8bfd7105b9b5e714e3a1" + logic_hash = "v1_sha256_60f17855b08cfc51e497003cbb5ed25d9168fb29c57d8bfd7105b9b5e714e3a1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85596,10 +85729,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_1512Cf40 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L281-L299" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L281-L299" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fc063a0e763894e86cdfcd2b1c73d588ae6ecb411c97df2a7a802cd85ee3f46d" - logic_hash = "0d43e6a4bd5036c2b6adb61f2d7b11e625c20e9a3d29242c7c34cfc7708561be" + logic_hash = "v1_sha256_0d43e6a4bd5036c2b6adb61f2d7b11e625c20e9a3d29242c7c34cfc7708561be" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85625,10 +85758,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_0D6005A1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L301-L319" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L301-L319" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "230d46b39b036552e8ca6525a0d2f7faadbf4246cdb5e0ac9a8569584ef295d4" - logic_hash = "c3fd32e7582f0900b94fe3ba6b6bcdf238f78e2e343d70d5b0196a968a41cf26" + logic_hash = "v1_sha256_c3fd32e7582f0900b94fe3ba6b6bcdf238f78e2e343d70d5b0196a968a41cf26" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85654,10 +85787,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_E1Ff020A : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L321-L339" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L321-L339" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5b611898f1605751a3d518173b5b3d4864b4bb4d1f8d9064cc90ad836dd61812" - logic_hash = "be801989b9770f3b70217bd5f13795b5dd0b516209f631d900b6647e0afe8d98" + logic_hash = "v1_sha256_be801989b9770f3b70217bd5f13795b5dd0b516209f631d900b6647e0afe8d98" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85683,10 +85816,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_102D6F7C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L341-L359" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L341-L359" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bd40c2fbf775e3c8cb4de4a1c7c02bc4bcfa5b459855b2e5f1a8ab40f2fb1f9e" - logic_hash = "52966eaaef5522e711dc89bd796b1e12019a8485ee789e8d5112d86f7e630170" + logic_hash = "v1_sha256_52966eaaef5522e711dc89bd796b1e12019a8485ee789e8d5112d86f7e630170" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85712,10 +85845,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_9C8F3B1A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L361-L379" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L361-L379" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "74d8344139c5deea854d8f82970e06fc6a51a6bf845e763de603bde7b8aa80ac" - logic_hash = "f7ab9990b417c1c81903dcb7adaae910d20ea7fce6689d4846dd6002bea3e721" + logic_hash = "v1_sha256_f7ab9990b417c1c81903dcb7adaae910d20ea7fce6689d4846dd6002bea3e721" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85741,10 +85874,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_76Cb94A9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L381-L399" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L381-L399" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1320d7a2b5e3b65fe974a95374b4ea7ed1a5aa27d76cd3d9517d3a271121103f" - logic_hash = "758ee41048c94576e7a872bfdacc6b6f2be3d460169905c876585037e11fdaa8" + logic_hash = "v1_sha256_758ee41048c94576e7a872bfdacc6b6f2be3d460169905c876585037e11fdaa8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85770,10 +85903,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_616Afaa1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L401-L419" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L401-L419" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0901672d2688660baa26fdaac05082c9e199c06337871d2ae40f369f5d575f71" - logic_hash = "53a309a6a274558e4ae8cfa8f3e258f23dc9ceafab3be46351c00d24f5d790ec" + logic_hash = "v1_sha256_53a309a6a274558e4ae8cfa8f3e258f23dc9ceafab3be46351c00d24f5d790ec" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85799,10 +85932,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_18Af74B2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L421-L439" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L421-L439" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "52707aa413c488693da32bf2705d4ac702af34faee3f605b207db55cdcc66318" - logic_hash = "d8ec9bd01fcabdd4a80e07287ecc85026007672bbc3cd2d4cbb2aef98da88ed5" + logic_hash = "v1_sha256_d8ec9bd01fcabdd4a80e07287ecc85026007672bbc3cd2d4cbb2aef98da88ed5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85828,10 +85961,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_1B76C066 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L441-L459" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L441-L459" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f60302de1a0e756e3af9da2547a28da5f57864191f448e341af1911d64e5bc8b" - logic_hash = "be239bc14d1adf05a5c6bf2b2557551566330644a049b256a7a5c0ab9549bd06" + logic_hash = "v1_sha256_be239bc14d1adf05a5c6bf2b2557551566330644a049b256a7a5c0ab9549bd06" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85857,10 +85990,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_B6Ea5Ee1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L461-L479" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L461-L479" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "19b442c9aa229cd724ed9cbaa73f9dfaf0ed61aa3fd1bee7bf8ba964fc23a2b8" - logic_hash = "529119e07aa0243afddc3141dc441c314c3f75bdf3aee473b8bb7749c95fa78a" + logic_hash = "v1_sha256_529119e07aa0243afddc3141dc441c314c3f75bdf3aee473b8bb7749c95fa78a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85886,10 +86019,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_050Ac14C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L481-L499" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L481-L499" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36f2ce4e34faf42741f0a15f62e8b3477d69193bf289818e22d0e3ee3e906eb0" - logic_hash = "c34b0ff3ce867a76ef57fad7642de7916fa7baebf1a2a8d514f7b74be7231fd4" + logic_hash = "v1_sha256_c34b0ff3ce867a76ef57fad7642de7916fa7baebf1a2a8d514f7b74be7231fd4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85915,10 +86048,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_Df937Caa : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L501-L519" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L501-L519" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "19b442c9aa229cd724ed9cbaa73f9dfaf0ed61aa3fd1bee7bf8ba964fc23a2b8" - logic_hash = "d76a6008576687088f28674fb752e1a79ad2046e0208a65c21d0fcd284812ad8" + logic_hash = "v1_sha256_d76a6008576687088f28674fb752e1a79ad2046e0208a65c21d0fcd284812ad8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85944,10 +86077,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_E9Ff82A8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L521-L539" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L521-L539" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "62ea137e42ce32680066693f02f57a0fb03483f78c365dffcebc1f992bb49c7a" - logic_hash = "9309aaad6643fa212bb04ce8dc7d24978839fe475f17d36e3b692320563b6fad" + logic_hash = "v1_sha256_9309aaad6643fa212bb04ce8dc7d24978839fe475f17d36e3b692320563b6fad" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85973,10 +86106,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_A5267Ea3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L541-L559" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L541-L559" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b342ceeef58b3eeb7a312038622bcce4d76fc112b9925379566b24f45390be7d" - logic_hash = "081633b5aa0490dbffcc0b8ab9850b59dbbd67d947c0fe68d28338a352e94676" + logic_hash = "v1_sha256_081633b5aa0490dbffcc0b8ab9850b59dbbd67d947c0fe68d28338a352e94676" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86002,10 +86135,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_4E9075E6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L561-L579" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L561-L579" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "098bf2f1ce9d7f125e1c9618f349ae798a987316e95345c037a744964277f0fe" - logic_hash = "fe117f65666b9eac19fa588ee631f9be7551a3a9e3695b7ecbb77806658678aa" + logic_hash = "v1_sha256_fe117f65666b9eac19fa588ee631f9be7551a3a9e3695b7ecbb77806658678aa" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86031,9 +86164,9 @@ rule ELASTIC_Linux_Cryptominer_Generic_3A8D0974 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "193fe9ea690759f8e155458ef8f8e9efe9efc8c22ec8073bbb760e4f96b5aef7" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L581-L599" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7039d461d8339d635a543fae2c6dbea284ce1b727d6585b69d8d621c603f37ac" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L581-L599" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7039d461d8339d635a543fae2c6dbea284ce1b727d6585b69d8d621c603f37ac" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86059,10 +86192,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_B9E6Ffdf : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L601-L619" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L601-L619" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c0f3200a93f1be4589eec562c4f688e379e687d09c03d1d8850cc4b5f90f192a" - logic_hash = "57d5b3eb5812a849d04695bdb1fb728a5ebd3bf5201ac3e7f36d37af0622eec2" + logic_hash = "v1_sha256_57d5b3eb5812a849d04695bdb1fb728a5ebd3bf5201ac3e7f36d37af0622eec2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86088,10 +86221,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_7Ef74003 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L621-L639" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L621-L639" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a172cfecdec8ebd365603ae094a16e247846fdbb47ba7fd79564091b7e8942a0" - logic_hash = "1bde07dbb88357fcc02171512725be94d9fc0427c03afb2d59fbd0658c5d8e2e" + logic_hash = "v1_sha256_1bde07dbb88357fcc02171512725be94d9fc0427c03afb2d59fbd0658c5d8e2e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86117,10 +86250,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_1D0700B8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L641-L659" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L641-L659" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "de59bee1793b88e7b48b6278a52e579770f5204e92042142cc3a9b2d683798dd" - logic_hash = "a24264cb071d269c82718aed5bc5c6c955e1cb2c7a63fe74d4033bfa6adf8385" + logic_hash = "v1_sha256_a24264cb071d269c82718aed5bc5c6c955e1cb2c7a63fe74d4033bfa6adf8385" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86146,10 +86279,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_55Beb2Ee : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L661-L679" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L661-L679" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "edda1c6b3395e7f14dd201095c1e9303968d02c127ff9bf6c76af6b3d02e80ad" - logic_hash = "8a31b4866100b35d559d50f5db6f80d51bced93f9aac3f0d2d1de71ba692a3c5" + logic_hash = "v1_sha256_8a31b4866100b35d559d50f5db6f80d51bced93f9aac3f0d2d1de71ba692a3c5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86175,10 +86308,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_Fdd7340F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L681-L699" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L681-L699" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "de59bee1793b88e7b48b6278a52e579770f5204e92042142cc3a9b2d683798dd" - logic_hash = "fd39ba5cf050d23de0889feefa9cd74dfb6385a09aa9dba90dc1d5d6cb020867" + logic_hash = "v1_sha256_fd39ba5cf050d23de0889feefa9cd74dfb6385a09aa9dba90dc1d5d6cb020867" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86204,10 +86337,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_E36A35B0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L701-L719" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L701-L719" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ab6d8f09df67a86fed4faabe4127cc65570dbb9ec56a1bdc484e72b72476f5a4" - logic_hash = "0572f584746a2af6f545798b25445fd4e764a9eecc01b7476e5c1af631eb314a" + logic_hash = "v1_sha256_0572f584746a2af6f545798b25445fd4e764a9eecc01b7476e5c1af631eb314a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86233,10 +86366,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_6Dad0380 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L721-L739" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L721-L739" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "628b1cc8ccdbe2ae0d4ef621da047e07e2532d00fe3d4da65f0a0bcab20fb546" - logic_hash = "b305448d5517212adb7586e7af12842095e1a263520511329e40f0865fe4f81b" + logic_hash = "v1_sha256_b305448d5517212adb7586e7af12842095e1a263520511329e40f0865fe4f81b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86262,10 +86395,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_E73F501E : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L741-L759" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L741-L759" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2f646ced4d05ba1807f8e08a46ae92ae3eea7199e4a58daf27f9bd0f63108266" - logic_hash = "2f6187f3447f9409485e9e8aa047114aa3c38bcc338106c3ed8680152dff121a" + logic_hash = "v1_sha256_2f6187f3447f9409485e9e8aa047114aa3c38bcc338106c3ed8680152dff121a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86291,10 +86424,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_5E56D076 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L761-L779" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L761-L779" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "32e1cb0369803f817a0c61f25ca410774b4f37882cab966133b4f3e9c74fac09" - logic_hash = "c8e2ebcffe8a169c2cc311c95538b674937fa87e06d2946a6ed3b0c1f039f7fc" + logic_hash = "v1_sha256_c8e2ebcffe8a169c2cc311c95538b674937fa87e06d2946a6ed3b0c1f039f7fc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86320,10 +86453,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_54357231 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L781-L799" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L781-L799" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "388b927b850b388e0a46a6c9a22b733d469e0f93dc053ebd78996e903b25e38a" - logic_hash = "a895c9fd124d6bd55748093c3ef54606e5692285260aa21bd70dca02126239d2" + logic_hash = "v1_sha256_a895c9fd124d6bd55748093c3ef54606e5692285260aa21bd70dca02126239d2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86349,10 +86482,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_467C4D46 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L801-L819" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L801-L819" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "388b927b850b388e0a46a6c9a22b733d469e0f93dc053ebd78996e903b25e38a" - logic_hash = "b28f871365c1fa6315b1c2fc6698bdd224961972cd578db05c311406c239ac22" + logic_hash = "v1_sha256_b28f871365c1fa6315b1c2fc6698bdd224961972cd578db05c311406c239ac22" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86378,10 +86511,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_E0Cca9Dc : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L821-L839" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L821-L839" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "59a1d8aa677739f2edbb8bd34f566b31f19d729b0a115fef2eac8ab1d1acc383" - logic_hash = "fa4089f74fc78e99427b4e8eda9f8348e042dc876c7281a4a2173c83076bfbd2" + logic_hash = "v1_sha256_fa4089f74fc78e99427b4e8eda9f8348e042dc876c7281a4a2173c83076bfbd2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86407,10 +86540,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_36E404E2 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L841-L859" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L841-L859" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "59a1d8aa677739f2edbb8bd34f566b31f19d729b0a115fef2eac8ab1d1acc383" - logic_hash = "d38cc5714721c0b00cfa47cb9828fd76ff57ec8180e5cfe1fec67a092dd87904" + logic_hash = "v1_sha256_d38cc5714721c0b00cfa47cb9828fd76ff57ec8180e5cfe1fec67a092dd87904" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86436,10 +86569,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_947Dcc5E : FILE MEMORY date = "2024-04-19" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L861-L879" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L861-L879" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7c5a6ac425abe60e8ea5df5dfa8211a7c34a307048b4e677336b735237dcd8fd" - logic_hash = "c4aac006561386fbfe0fa0fe3df6b6798d2915a3dbfb5384583ebf9b2f413115" + logic_hash = "v1_sha256_c4aac006561386fbfe0fa0fe3df6b6798d2915a3dbfb5384583ebf9b2f413115" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86465,10 +86598,10 @@ rule ELASTIC_Linux_Cryptominer_Generic_B4C2D007 : FILE MEMORY date = "2024-04-19" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Generic.yar#L881-L899" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Generic.yar#L881-L899" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e1e518ba226d30869e404b92bfa810bae27c8b1476766934961e80c44e39c738" - logic_hash = "cb52d9233028918210b8bd3959a6649d75b5c6873befff0cf62d9e71dfecc302" + logic_hash = "v1_sha256_cb52d9233028918210b8bd3959a6649d75b5c6873befff0cf62d9e71dfecc302" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86494,10 +86627,10 @@ rule ELASTIC_Windows_Vulndriver_Vmdrv_7C674F8E : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Vmdrv.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Vmdrv.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - logic_hash = "87f29b861d5239c60e44541fe31ed90696068225b1b6d824dc9b06fcdb1597ae" + logic_hash = "v1_sha256_87f29b861d5239c60e44541fe31ed90696068225b1b6d824dc9b06fcdb1597ae" score = 75 quality = 75 tags = "FILE" @@ -86514,7 +86647,7 @@ rule ELASTIC_Windows_Vulndriver_Vmdrv_7C674F8E : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\x00][\x00-\x40]|[\x00-\xff][\x00-\x3f])([\x00-\x1b][\x00-\x27]|[\x00-\xff][\x00-\x26])|([\x00-\xff][\x00-\xff])([\x00-\x09][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x1a][\x00-\x27]|[\x00-\xff][\x00-\x26]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Hacktool_Sharphound_5Adf9D6D : FILE MEMORY { 
@@ -86525,10 +86658,10 @@ rule ELASTIC_Windows_Hacktool_Sharphound_5Adf9D6D : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpHound.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpHound.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4" - logic_hash = "2c9f38187866985109a42ffdf8940b5d195aadd3815b2de952b190d4b0b95c3c" + logic_hash = "v1_sha256_2c9f38187866985109a42ffdf8940b5d195aadd3815b2de952b190d4b0b95c3c" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -86547,7 +86680,7 @@ rule ELASTIC_Windows_Hacktool_Sharphound_5Adf9D6D : FILE MEMORY $print_str2 = "[-] Removed DCOM Collection" ascii wide condition: - $guid0 or $guid1 or all of ($print_str*) + $guid0 or $guid1 or all of ( $print_str* ) } rule ELASTIC_Windows_Trojan_Smokeloader_4E31426E : FILE MEMORY { 
@@ -86558,10 +86691,10 @@ rule ELASTIC_Windows_Trojan_Smokeloader_4E31426E : FILE MEMORY date = "2021-07-21" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Smokeloader.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Smokeloader.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174" - logic_hash = "44ac7659964519ae72f83076bcd1b3e5244eb9cadd9a3b123dda78b0e9e07424" + logic_hash = "v1_sha256_44ac7659964519ae72f83076bcd1b3e5244eb9cadd9a3b123dda78b0e9e07424" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86587,10 +86720,10 @@ rule ELASTIC_Windows_Trojan_Smokeloader_4Ee15B92 : FILE MEMORY date = "2022-02-17" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Smokeloader.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Smokeloader.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2" - logic_hash = "7d5ba6a4cc1f1b87f7ea1963b41749f5488197ea28b31f20a235091236250463" + logic_hash = "v1_sha256_7d5ba6a4cc1f1b87f7ea1963b41749f5488197ea28b31f20a235091236250463" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86616,10 +86749,10 @@ rule ELASTIC_Windows_Trojan_Smokeloader_Ea14B2A5 : FILE MEMORY date = "2023-05-03" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Smokeloader.yar#L41-L60" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Smokeloader.yar#L41-L60" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "15fe237276b9c2c6ceae405c0739479d165b406321891c8a31883023e7b15d54" - logic_hash = "8a96985902f82979f1512d4d30cfa41fd23562b8f86bf2f722351ef2adf4365f" + logic_hash = "v1_sha256_8a96985902f82979f1512d4d30cfa41fd23562b8f86bf2f722351ef2adf4365f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86646,10 +86779,10 @@ rule ELASTIC_Windows_Trojan_Smokeloader_De52Ed44 : FILE MEMORY date = "2023-05-04" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Smokeloader.yar#L62-L81" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Smokeloader.yar#L62-L81" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c689a384f626616005d37a94e6a5a713b9eead1b819a238e4e586452871f6718" - logic_hash = "95a60079a316016ca3f78f18e7920b962f5770bef4211dd70e37f45bbe069406" + logic_hash = "v1_sha256_95a60079a316016ca3f78f18e7920b962f5770bef4211dd70e37f45bbe069406" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86676,10 +86809,10 @@ rule ELASTIC_Windows_Trojan_Smokeloader_Bf391Fe0 : FILE MEMORY date = "2024-08-27" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Smokeloader.yar#L83-L102" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Smokeloader.yar#L83-L102" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fe2489230d024f5e0e7d0da0210f93e70248dc282192c092cbb5e0eddc7bd528" - logic_hash = "8a697596f8aa9a2af230b294c64ee844fcb593814a070ebf10e084c18e7f5ac7" + logic_hash = "v1_sha256_8a697596f8aa9a2af230b294c64ee844fcb593814a070ebf10e084c18e7f5ac7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86706,10 +86839,10 @@ rule ELASTIC_Windows_Trojan_Smokeloader_A01Aa3Ab : FILE MEMORY date = "2024-08-27" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Smokeloader.yar#L104-L123" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Smokeloader.yar#L104-L123" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3a189a736cfdfbb1e3789326c35cecfa901a2adccc08c66c5de1cac8e4c1791b" - logic_hash = "385f93a98e71f8e78e2f916775bd8db182842c8439a2f15238780388b63e2e91" + logic_hash = "v1_sha256_385f93a98e71f8e78e2f916775bd8db182842c8439a2f15238780388b63e2e91" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86736,10 +86869,10 @@ rule ELASTIC_Windows_Trojan_Smokeloader_62Eb5427 : FILE MEMORY date = "2024-08-27" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Smokeloader.yar#L125-L145" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Smokeloader.yar#L125-L145" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "21e7fcce8ffb7826108800b6aee21d6b8ea9275975b639ed5ca9f8ddd747329e" - logic_hash = "e3c70731792a8fbf0b08443f6df3c42f44a548fa9d19be7ee98c677952600e5b" + logic_hash = "v1_sha256_e3c70731792a8fbf0b08443f6df3c42f44a548fa9d19be7ee98c677952600e5b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86767,10 +86900,10 @@ rule ELASTIC_Windows_Trojan_Raspberryrobin_4B4D6899 : FILE MEMORY date = "2023-12-13" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RaspberryRobin.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RaspberryRobin.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2f0451f38adb74cb96c857de455887b00c5038b68210294c7f52b0b5ff64cc1e" - logic_hash = "bbafad9509b367e811e86cb8f2f64d9c1d59f82b5cd58a7af43325bb7fa9d9c3" + logic_hash = "v1_sha256_bbafad9509b367e811e86cb8f2f64d9c1d59f82b5cd58a7af43325bb7fa9d9c3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86796,10 +86929,10 @@ rule ELASTIC_Linux_Trojan_Azeela_Aad9D6Cc : FILE MEMORY date = "2021-01-12" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Azeela.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Azeela.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6c476a7457ae07eca3d3d19eda6bb6b6b3fa61fa72722958b5a77caff899aaa6" - logic_hash = "8cd3c383ac2149e0cd18589bf838848d81b5ff72e3123a8b523ee2467023a8f6" + logic_hash = "v1_sha256_8cd3c383ac2149e0cd18589bf838848d81b5ff72e3123a8b523ee2467023a8f6" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86815,7 +86948,7 @@ rule ELASTIC_Linux_Trojan_Azeela_Aad9D6Cc : FILE MEMORY $a2 = "The whole earth has been corrupted through the works that were taught by Azazel: to him ascribe all sin." condition: - any of ($a*) + any of ( $a* ) } rule ELASTIC_Linux_Trojan_Xpmmap_7Dcc3534 : FILE MEMORY { 
@@ -86826,10 +86959,10 @@ rule ELASTIC_Linux_Trojan_Xpmmap_7Dcc3534 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Xpmmap.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Xpmmap.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "765546a981921187a4a2bed9904fbc2ccb2a5876e0d45c72e79f04a517c1bda3" - logic_hash = "f88cc0f02797651e8cdf8e25b67a92f7825ec616b79df21daae798b613baf334" + logic_hash = "v1_sha256_f88cc0f02797651e8cdf8e25b67a92f7825ec616b79df21daae798b613baf334" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86855,10 +86988,10 @@ rule ELASTIC_Windows_Vulndriver_Ccprotect_0D3Ee86F : FILE MEMORY date = "2024-09-09" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_CCProtect.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_CCProtect.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5f0cfe8357bb52b45068ddbac053e32bc38e6cb5e086746f5402657b0a5cfb1c" - logic_hash = "4da5cf6b5cd00f8f7ba6daf8e8b4c6161cf9e0166dea39943b32a54f35dfd6c2" + logic_hash = "v1_sha256_4da5cf6b5cd00f8f7ba6daf8e8b4c6161cf9e0166dea39943b32a54f35dfd6c2" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86875,7 +87008,7 @@ rule ELASTIC_Windows_Vulndriver_Ccprotect_0D3Ee86F : FILE MEMORY $file_version = { 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 31 00 2E 00 ( 30 | 31 | 32 | 33 ) 00 3? 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and all of them + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and all of them } rule ELASTIC_Linux_Trojan_Shellbot_65Aa6568 : FILE MEMORY { 
@@ -86886,10 +87019,10 @@ rule ELASTIC_Linux_Trojan_Shellbot_65Aa6568 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Shellbot.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Shellbot.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "457d1f4e1db41a9bdbfad78a6815f42e45da16ad0252673b9a2b5dcefc02c47b" - logic_hash = "46558801151ddc2f25bf46a278719f027acca2a18d2a9fcb275f4d787fbb1f0b" + logic_hash = "v1_sha256_46558801151ddc2f25bf46a278719f027acca2a18d2a9fcb275f4d787fbb1f0b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86915,10 +87048,10 @@ rule ELASTIC_Linux_Trojan_Nuker_12F26779 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Nuker.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Nuker.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "440105a62c75dea5575a1660fe217c9104dc19fb5a9238707fe40803715392bf" - logic_hash = "8bafbc2792bd4cacd309efd72d2d8787342685d66785ea41cb57c91519a3c545" + logic_hash = "v1_sha256_8bafbc2792bd4cacd309efd72d2d8787342685d66785ea41cb57c91519a3c545" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86944,10 +87077,10 @@ rule ELASTIC_Windows_Ransomware_Wannacry_D9855102 : FILE MEMORY date = "2022-08-29" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_WannaCry.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_WannaCry.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0b7878babbaf7c63d808f3ce32c7306cb785fdfb1ceb73be07fb48fdd091fdfb" - logic_hash = "5edf6a42c9f20de3819b46f24be243940b79e7e9004fee3d601794ea0b534cf1" + logic_hash = "v1_sha256_5edf6a42c9f20de3819b46f24be243940b79e7e9004fee3d601794ea0b534cf1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86969,7 +87102,7 @@ rule ELASTIC_Windows_Ransomware_Wannacry_D9855102 : FILE MEMORY $b3 = { 56 8B 74 24 08 57 8B 3D 70 70 00 10 56 E8 2E FF FF FF 83 C4 04 A3 8C DD 00 10 85 C0 75 09 68 88 } condition: - 5 of ($a*) or 1 of ($b*) + 5 of ( $a* ) or 1 of ( $b* ) } rule ELASTIC_Linux_Virus_Staffcounter_D2D608A8 : FILE MEMORY { 
@@ -86980,9 +87113,9 @@ rule ELASTIC_Linux_Virus_Staffcounter_D2D608A8 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "06e562b54b7ee2ffee229c2410c9e2c42090e77f6211ce4b9fa26459ff310315" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Virus_Staffcounter.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "e30f1312eb1cbbc4faba3f67527a4e0e955b5684a1ba58cdd82a7a0f1ce3d2b9" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Virus_Staffcounter.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e30f1312eb1cbbc4faba3f67527a4e0e955b5684a1ba58cdd82a7a0f1ce3d2b9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87008,10 +87141,10 @@ rule ELASTIC_Linux_Ransomware_Ragnarlocker_9F5982B8 : FILE MEMORY date = "2023-07-27" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_RagnarLocker.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_RagnarLocker.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f668f74d8808f5658153ff3e6aee8653b6324ada70a4aa2034dfa20d96875836" - logic_hash = "c08579dc675a709add392a0189d01e05af61034b72f451d2b024c89c1299ee6c" + logic_hash = "v1_sha256_c08579dc675a709add392a0189d01e05af61034b72f451d2b024c89c1299ee6c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87039,10 +87172,10 @@ rule ELASTIC_Windows_Ransomware_Royal_B7D42109 : FILE MEMORY date = "2022-11-04" modified = "2022-12-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Royal.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Royal.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "491c2b32095174b9de2fd799732a6f84878c2e23b9bb560cd3155cbdc65e2b80" - logic_hash = "06f4a1487e97e0b8c1f5df380ab4f90b37ef0a508aba7dac272c16c8371d8143" + logic_hash = "v1_sha256_06f4a1487e97e0b8c1f5df380ab4f90b37ef0a508aba7dac272c16c8371d8143" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87071,10 +87204,10 @@ rule ELASTIC_Windows_Ransomware_Lockbit_89E64044 : FILE MEMORY date = "2021-08-06" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Lockbit.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Lockbit.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d" - logic_hash = "bd504b078704b9f307a50c8556c143eee061015a9727670137aadc47ae93e2a6" + logic_hash = "v1_sha256_bd504b078704b9f307a50c8556c143eee061015a9727670137aadc47ae93e2a6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87102,10 +87235,10 @@ rule ELASTIC_Windows_Ransomware_Lockbit_A1C60939 : FILE MEMORY date = "2021-08-06" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Lockbit.yar#L23-L41" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Lockbit.yar#L23-L41" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d" - logic_hash = "6e6d88251e93f69788ad22fc915133f3ba0267984d6a5004d5ca44dcd9f5f052" + logic_hash = "v1_sha256_6e6d88251e93f69788ad22fc915133f3ba0267984d6a5004d5ca44dcd9f5f052" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87131,10 +87264,10 @@ rule ELASTIC_Windows_Ransomware_Lockbit_369E1E94 : FILE MEMORY date = "2022-07-05" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Lockbit.yar#L43-L67" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Lockbit.yar#L43-L67" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee" - logic_hash = "c34dafc024d85902b85fc3424573abb8781d6fab58edd86c255266db3635ce98" + logic_hash = "v1_sha256_c34dafc024d85902b85fc3424573abb8781d6fab58edd86c255266db3635ce98" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -87155,7 +87288,7 @@ rule ELASTIC_Windows_Ransomware_Lockbit_369E1E94 : FILE MEMORY $b4 = "Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!" ascii fullword condition: - 2 of ($a*) or all of ($b*) + 2 of ( $a* ) or all of ( $b* ) } rule ELASTIC_Windows_Ransomware_Darkside_D7Fc4594 : FILE MEMORY { 
@@ -87166,10 +87299,10 @@ rule ELASTIC_Windows_Ransomware_Darkside_D7Fc4594 : FILE MEMORY date = "2021-05-20" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Darkside.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Darkside.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893" - logic_hash = "0083fb64955973e7dbbb35d08cb780fa0b4ff4d064c102dc8f86e29af8358bad" + logic_hash = "v1_sha256_0083fb64955973e7dbbb35d08cb780fa0b4ff4d064c102dc8f86e29af8358bad" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87195,10 +87328,10 @@ rule ELASTIC_Windows_Ransomware_Darkside_Aceac5D9 : FILE MEMORY date = "2021-05-20" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Darkside.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Darkside.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893" - logic_hash = "888ab06b55b07879ee6b9a45c04f1a09c570aeb4be55c698300566d57fd47252" + logic_hash = "v1_sha256_888ab06b55b07879ee6b9a45c04f1a09c570aeb4be55c698300566d57fd47252" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87224,10 +87357,10 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_1388212A : FILE MEMORY date = "2021-04-13" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Mimikatz.yar#L1-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Mimikatz.yar#L1-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a" - logic_hash = "1b717453810455e3f530e399f5f9f163d1ad0d71a5464fa5c68aa82edd699cda" + logic_hash = "v1_sha256_1b717453810455e3f530e399f5f9f163d1ad0d71a5464fa5c68aa82edd699cda" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -87266,7 +87399,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_1388212A : FILE MEMORY $a25 = " * Username : %wZ" wide fullword condition: - 3 of ($a*) + 3 of ( $a* ) } rule ELASTIC_Windows_Hacktool_Mimikatz_674Fd079 : FILE MEMORY { 
@@ -87277,10 +87410,10 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_674Fd079 : FILE MEMORY date = "2021-04-14" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Mimikatz.yar#L45-L77" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Mimikatz.yar#L45-L77" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a" - logic_hash = "f63f3de05dd4f4f40cda6df67b75e37d7baa82c4b4cafd3ebdca35adfb0b15f8" + logic_hash = "v1_sha256_f63f3de05dd4f4f40cda6df67b75e37d7baa82c4b4cafd3ebdca35adfb0b15f8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -87309,7 +87442,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_674Fd079 : FILE MEMORY $b1 = { 6D 69 6D 69 C7 84 24 8C 00 00 00 6C 73 61 2E C7 84 24 90 00 00 00 6C 6F 67 } condition: - all of ($a*) or $b1 + all of ( $a* ) or $b1 } rule ELASTIC_Windows_Hacktool_Mimikatz_355D5D3A : FILE MEMORY { 
@@ -87320,10 +87453,10 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_355D5D3A : FILE MEMORY date = "2021-04-14" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Mimikatz.yar#L79-L112" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Mimikatz.yar#L79-L112" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96" - logic_hash = "c6b48ab2cc92deb507d7eead1fb6381ee40b698e84d9eaac45288f95dbda66b3" + logic_hash = "v1_sha256_c6b48ab2cc92deb507d7eead1fb6381ee40b698e84d9eaac45288f95dbda66b3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -87353,7 +87486,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_355D5D3A : FILE MEMORY $c10 = "#If a remote process to inject in to is specified, get a handle to it" fullword condition: - (1 of ($a*) or 2 of ($b*)) or 5 of ($c*) + (1 of ( $a* ) or 2 of ( $b* ) ) or 5 of ( $c* ) } rule ELASTIC_Windows_Hacktool_Mimikatz_71Fe23D9 : FILE { 
@@ -87364,10 +87497,10 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_71Fe23D9 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Mimikatz.yar#L114-L133" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Mimikatz.yar#L114-L133" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "856687718b208341e7caeea2d96da10f880f9b5a75736796a1158d4c8755f678" - logic_hash = "6d1e84bb8532c6271ad3966055eac8d60ec019d8ae6632efb59463c35b46ad9b" + logic_hash = "v1_sha256_6d1e84bb8532c6271ad3966055eac8d60ec019d8ae6632efb59463c35b46ad9b" score = 75 quality = 75 tags = "FILE" @@ -87383,7 +87516,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_71Fe23D9 : FILE $subject_name = { 06 03 55 04 03 [2] 42 65 6E 6A 61 6D 69 6E 20 44 65 6C 70 79 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $subject_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $subject_name } rule ELASTIC_Windows_Hacktool_Mimikatz_B393864F : FILE { 
@@ -87394,10 +87527,10 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_B393864F : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Mimikatz.yar#L135-L154" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Mimikatz.yar#L135-L154" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" - logic_hash = "d09cb7f753675e0b6ecd8a7977ca7f8d313e5d525f05170fc54b265c2ae6c188" + logic_hash = "v1_sha256_d09cb7f753675e0b6ecd8a7977ca7f8d313e5d525f05170fc54b265c2ae6c188" score = 75 quality = 75 tags = "FILE" @@ -87413,7 +87546,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_B393864F : FILE $subject_name = { 06 03 55 04 03 [2] 4F 70 65 6E 20 53 6F 75 72 63 65 20 44 65 76 65 6C 6F 70 65 72 2C 20 42 65 6E 6A 61 6D 69 6E 20 44 65 6C 70 79 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $subject_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $subject_name } rule ELASTIC_Windows_Hacktool_Mimikatz_1Ff74F7E : FILE MEMORY { 
@@ -87424,10 +87557,10 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_1Ff74F7E : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Mimikatz.yar#L156-L175" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Mimikatz.yar#L156-L175" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1b6aad500d45de7b076942d31b7c3e77487643811a335ae5ce6783368a4a5081" - logic_hash = "f47f760b4c373a073399c69681e76eb9dde6cfdb36c1cc31d7131376493931c0" + logic_hash = "v1_sha256_f47f760b4c373a073399c69681e76eb9dde6cfdb36c1cc31d7131376493931c0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87454,10 +87587,10 @@ rule ELASTIC_Windows_Vulndriver_Hpportio_B31E3473 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_HpPortIo.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_HpPortIo.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - logic_hash = "e449b45f3cf2836254614bbdc957aa7093162fc1acd672edd931d5f240503963" + logic_hash = "v1_sha256_e449b45f3cf2836254614bbdc957aa7093162fc1acd672edd931d5f240503963" score = 75 quality = 75 tags = "FILE" @@ -87474,7 +87607,7 @@ rule ELASTIC_Windows_Vulndriver_Hpportio_B31E3473 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x02][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x09][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Linux_Exploit_CVE_2009_2698_12374E97 : FILE MEMORY CVE_2009_2698 { 
@@ -87485,10 +87618,10 @@ rule ELASTIC_Linux_Exploit_CVE_2009_2698_12374E97 : FILE MEMORY CVE_2009_2698 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2009_2698.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2009_2698.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "656fddc1bf4743a08a455628b6151076b81e604ff49c93d797fa49b1f7d09c2f" - logic_hash = "ed86a239b909681f2ab3503cfedf202dbe5f53a6f554cf4db13f08bee625c0b7" + logic_hash = "v1_sha256_ed86a239b909681f2ab3503cfedf202dbe5f53a6f554cf4db13f08bee625c0b7" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2009-2698" 
@@ -87514,10 +87647,10 @@ rule ELASTIC_Linux_Exploit_CVE_2009_2698_Cc04Dddd : FILE MEMORY CVE_2009_2698 date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2009_2698.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2009_2698.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "502b73ea04095e8a7ec4e8d7cc306242b45850ad28690156754beac8cd8d7b2d" - logic_hash = "68daa56ca98cc8f713faa138432190d19c27f07b2182a1f82347a3bfc5821ebb" + logic_hash = "v1_sha256_68daa56ca98cc8f713faa138432190d19c27f07b2182a1f82347a3bfc5821ebb" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2009-2698" 
@@ -87543,10 +87676,10 @@ rule ELASTIC_Linux_Trojan_Morpes_D2Ae1Edf : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Morpes.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Morpes.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "14c4c297388afe4be47be091146aea6c6230880e9ea43759ef29fc1471c4b86b" - logic_hash = "27eb8b4d0f91477c2ac26a5e25bfc52903faf5501300ec40773d3fc6797c3218" + logic_hash = "v1_sha256_27eb8b4d0f91477c2ac26a5e25bfc52903faf5501300ec40773d3fc6797c3218" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87572,10 +87705,10 @@ rule ELASTIC_Windows_Trojan_Tofsee_26124Fe4 : FILE MEMORY date = "2022-03-31" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Tofsee.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Tofsee.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494" - logic_hash = "e765953dec7c7b2a1fbebf92c2fff46453c8258722ad5ca92ba4c7526a8b0c66" + logic_hash = "v1_sha256_e765953dec7c7b2a1fbebf92c2fff46453c8258722ad5ca92ba4c7526a8b0c66" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87602,10 +87735,10 @@ rule ELASTIC_Windows_Vulndriver_Biostar_D6Cc23Af : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Biostar.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Biostar.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - logic_hash = "6a1f5de3a0daf446ceb812a9f5749410a3a7752dce44e935adc288c95816f59d" + logic_hash = "v1_sha256_6a1f5de3a0daf446ceb812a9f5749410a3a7752dce44e935adc288c95816f59d" score = 75 quality = 75 tags = "FILE" @@ -87622,7 +87755,7 @@ rule ELASTIC_Windows_Vulndriver_Biostar_D6Cc23Af : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\x98][\x00-\x08]|[\x00-\xff][\x00-\x07])([\x00-\x0e][\x00-\x07]|[\x00-\xff][\x00-\x06])|([\x00-\xff][\x00-\xff])([\x00-\x09][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x0d][\x00-\x07]|[\x00-\xff][\x00-\x06]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Biostar_68682378 : FILE { 
@@ -87633,10 +87766,10 @@ rule ELASTIC_Windows_Vulndriver_Biostar_68682378 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Biostar.yar#L23-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Biostar.yar#L23-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - logic_hash = "8510de6fc33bde153f3bd4d1bb8b0d98ce69aae479d242c6043ac8c712dbb888" + logic_hash = "v1_sha256_8510de6fc33bde153f3bd4d1bb8b0d98ce69aae479d242c6043ac8c712dbb888" score = 75 quality = 75 tags = "FILE" @@ -87653,7 +87786,7 @@ rule ELASTIC_Windows_Vulndriver_Biostar_68682378 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x01][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Biostar_684A5123 : FILE { 
@@ -87664,10 +87797,10 @@ rule ELASTIC_Windows_Vulndriver_Biostar_684A5123 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Biostar.yar#L45-L65" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Biostar.yar#L45-L65" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - logic_hash = "7c0c7e14f9b5085a87e5dbe27feb8e49bdb4d2fdcfbcbc643999d7969d118240" + logic_hash = "v1_sha256_7c0c7e14f9b5085a87e5dbe27feb8e49bdb4d2fdcfbcbc643999d7969d118240" score = 75 quality = 75 tags = "FILE" @@ -87684,7 +87817,7 @@ rule ELASTIC_Windows_Vulndriver_Biostar_684A5123 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x09][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Biostar_E0B6Cf55 : FILE { 
@@ -87695,10 +87828,10 @@ rule ELASTIC_Windows_Vulndriver_Biostar_E0B6Cf55 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Biostar.yar#L67-L85" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Biostar.yar#L67-L85" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e" - logic_hash = "dccbf6fa46de1a8bc6438578b651055e2d02d15bd04461be74059e6fde40fca3" + logic_hash = "v1_sha256_dccbf6fa46de1a8bc6438578b651055e2d02d15bd04461be74059e6fde40fca3" score = 75 quality = 75 tags = "FILE" @@ -87713,7 +87846,7 @@ rule ELASTIC_Windows_Vulndriver_Biostar_E0B6Cf55 : FILE $str1 = "\\BS_RCIO.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Windows_Ransomware_Conti_89F3F6Fa : FILE MEMORY { 
@@ -87724,10 +87857,10 @@ rule ELASTIC_Windows_Ransomware_Conti_89F3F6Fa : FILE MEMORY date = "2021-08-05" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Conti.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Conti.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe" - logic_hash = "4c1834e45d5e42f466249b75a89561ce1e88b9e3c07070e2833d4897fbed22ee" + logic_hash = "v1_sha256_4c1834e45d5e42f466249b75a89561ce1e88b9e3c07070e2833d4897fbed22ee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87753,10 +87886,10 @@ rule ELASTIC_Macos_Backdoor_Keyboardrecord_832F7Bac : FILE date = "2021-11-11" modified = "2022-07-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Backdoor_Keyboardrecord.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Backdoor_Keyboardrecord.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6" - logic_hash = "5719681d50134edacb5341034314c33ed27e9325de0ae26b2a01d350429c533b" + logic_hash = "v1_sha256_5719681d50134edacb5341034314c33ed27e9325de0ae26b2a01d350429c533b" score = 75 quality = 75 tags = "FILE" 
@@ -87777,6 +87910,35 @@ rule ELASTIC_Macos_Backdoor_Keyboardrecord_832F7Bac : FILE condition: 3 of them } +rule ELASTIC_Windows_Trojan_Sadbridge_6E83Eaeb : FILE MEMORY +{ + meta: + description = "Detects Windows Trojan Sadbridge (Windows.Trojan.SadBridge)" + author = "Elastic Security" + id = "6e83eaeb-12f8-4abd-8ad9-17f9a301a1c8" + date = "2024-11-05" + modified = "2024-12-04" + reference = "https://github.com/elastic/protections-artifacts/" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SadBridge.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + hash = "b432cdd217b171f3ad4a8a959fa0357bd7917f078a9546aed1649af00fc4bda6" + logic_hash = "v1_sha256_5883675a7c6f0271f26d70031a48ed59504ef4f01826e978124ab4876d23cbf2" + score = 75 + quality = 75 + tags = "FILE, MEMORY" + fingerprint = "0b53af98d044001a34779b27bc77f9d61f590826361441d93b6460fdbd1086d0" + severity = 100 + arch_context = "x86" + scan_context = "file, memory" + license = "Elastic License v2" + os = "windows" + + strings: + $a = { 48 81 EC A0 07 00 33 FF C7 00 45 A0 30 31 32 33 48 8B 00 DA 40 88 7D AC 0F 57 C0 09 C0 00 BC 33 A1 00 CC 8B F1 48 00 89 45 F0 48 8D 55 A0 C7 00 45 A4 34 35 36 37 48 8D 00 4D D0 C7 45 A8 38 39 } + + condition: + all of them +} rule ELASTIC_Windows_Hacktool_Sleepobfloader_460A1A75 : FILE MEMORY { meta: 
@@ -87786,10 +87948,10 @@ rule ELASTIC_Windows_Hacktool_Sleepobfloader_460A1A75 : FILE MEMORY date = "2024-01-24" modified = "2024-01-29" reference = "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SleepObfLoader.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SleepObfLoader.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "84b3bc58ec04ab272544d31f5e573c0dd7812b56df4fa445194e7466f280e16d" - logic_hash = "c0bc1b7ef71c1a91fc487f904315c6f187530ab39825f90f55ac36625d5b93cf" + logic_hash = "v1_sha256_c0bc1b7ef71c1a91fc487f904315c6f187530ab39825f90f55ac36625d5b93cf" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87817,10 +87979,10 @@ rule ELASTIC_Windows_Vulndriver_Tmcomm_333F3851 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_TmComm.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_TmComm.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - logic_hash = "a4464fb7edbacb6d9c8d6b385f9cc28685f0bed40876eecd5a7c87e0707e3025" + logic_hash = "v1_sha256_a4464fb7edbacb6d9c8d6b385f9cc28685f0bed40876eecd5a7c87e0707e3025" score = 75 quality = 75 tags = "FILE" @@ -87837,7 +87999,7 @@ rule ELASTIC_Windows_Vulndriver_Tmcomm_333F3851 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x08][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x07][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Fiddrv_E7875A5A : FILE { 
@@ -87848,10 +88010,10 @@ rule ELASTIC_Windows_Vulndriver_Fiddrv_E7875A5A : FILE date = "2023-07-25" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_FidDrv.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_FidDrv.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158" - logic_hash = "aa1635c651c8364ad2ee93b369dd583fce699001d753e46de013c476d185eef1" + logic_hash = "v1_sha256_aa1635c651c8364ad2ee93b369dd583fce699001d753e46de013c476d185eef1" score = 75 quality = 75 tags = "FILE" @@ -87870,7 +88032,7 @@ rule ELASTIC_Windows_Vulndriver_Fiddrv_E7875A5A : FILE $ioctl_check = { 48 8B 82 B8 00 00 00 8B 48 18 81 E9 84 2A 22 00 0F 84 ?? ?? ?? ?? 83 E9 04 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and all of them + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and all of them } rule ELASTIC_Windows_Trojan_Netwire_6A7Df287 : FILE MEMORY { 
@@ -87881,10 +88043,10 @@ rule ELASTIC_Windows_Trojan_Netwire_6A7Df287 : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Netwire.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Netwire.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254" - logic_hash = "d5f36e2a81cf0a9037267d39266b4c31ca9c07b05fb9772e296aeac2da6051a5" + logic_hash = "v1_sha256_d5f36e2a81cf0a9037267d39266b4c31ca9c07b05fb9772e296aeac2da6051a5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87910,10 +88072,10 @@ rule ELASTIC_Windows_Trojan_Netwire_1B43Df38 : FILE MEMORY date = "2021-06-28" modified = "2021-08-23" reference = "https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Netwire.yar#L22-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Netwire.yar#L22-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254" - logic_hash = "bb0eb1c1969bc1416e933822843293c5d41bf9bc3d402fa5dbdc3cdf2f4b394a" + logic_hash = "v1_sha256_bb0eb1c1969bc1416e933822843293c5d41bf9bc3d402fa5dbdc3cdf2f4b394a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87941,10 +88103,10 @@ rule ELASTIC_Windows_Trojan_Netwire_F85E4Abc : FILE MEMORY date = "2022-08-14" modified = "2022-09-29" reference = "https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Netwire.yar#L45-L64" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Netwire.yar#L45-L64" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ab037c87d8072c63dc22b22ff9cfcd9b4837c1fee2f7391d594776a6ac8f6776" - logic_hash = "af8fc8fff2e1a0b6c87ac6d24fecf2e1cefe6313ec66da13fddd1be25c1c3d92" + logic_hash = "v1_sha256_af8fc8fff2e1a0b6c87ac6d24fecf2e1cefe6313ec66da13fddd1be25c1c3d92" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -87970,10 +88132,10 @@ rule ELASTIC_Windows_Trojan_Netwire_F42Cb379 : FILE MEMORY date = "2022-08-14" modified = "2022-09-29" reference = "https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Netwire.yar#L66-L90" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Netwire.yar#L66-L90" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ab037c87d8072c63dc22b22ff9cfcd9b4837c1fee2f7391d594776a6ac8f6776" - logic_hash = "fc1436596987d3971a464e707ee6fd5689e7d2800df471c125c1e3f748537f5d" + logic_hash = "v1_sha256_fc1436596987d3971a464e707ee6fd5689e7d2800df471c125c1e3f748537f5d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -88004,10 +88166,10 @@ rule ELASTIC_Windows_Exploit_Rpcjunction_0405253B : FILE date = "2024-02-28" modified = "2024-03-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_RpcJunction.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_RpcJunction.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "05588fe3d2aae1273e9d0b0ac00c867d92bcdea41c33661760dcbe84439e7949" - logic_hash = "c663285d81e00bf6b028cdb043da3c6d5033a0c100d9c626acfa26d67bc1c093" + logic_hash = "v1_sha256_c663285d81e00bf6b028cdb043da3c6d5033a0c100d9c626acfa26d67bc1c093" score = 75 quality = 75 tags = "FILE" 
@@ -88035,10 +88197,10 @@ rule ELASTIC_Windows_PUP_Veriato_Fae5978C : FILE MEMORY date = "2022-06-08" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_PUP_Veriato.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_PUP_Veriato.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "53f09e60b188e67cdbf28bda669728a1f83d47b0279debf3d0a8d5176479d17f" - logic_hash = "8ae6f8b2b6e3849b33e6a477af52982efe137d7ebeff0c92cee5667d75f05145" + logic_hash = "v1_sha256_8ae6f8b2b6e3849b33e6a477af52982efe137d7ebeff0c92cee5667d75f05145" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -88055,7 +88217,7 @@ rule ELASTIC_Windows_PUP_Veriato_Fae5978C : FILE MEMORY $a2 = "C:\\Windows\\winipbin\\svrltmgr64.dll" fullword condition: - $s1 and ($a1 or $a2) + $s1 and ( $a1 or $a2 ) } rule ELASTIC_Windows_Hacktool_Sharpersist_06606812 : FILE MEMORY { 
@@ -88066,10 +88228,10 @@ rule ELASTIC_Windows_Hacktool_Sharpersist_06606812 : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharPersist.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharPersist.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8" - logic_hash = "ddabfb54422f6fb2ad6999b724b1d8f186adf71f96f01a8770715029529e869a" + logic_hash = "v1_sha256_ddabfb54422f6fb2ad6999b724b1d8f186adf71f96f01a8770715029529e869a" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -88088,7 +88250,7 @@ rule ELASTIC_Windows_Hacktool_Sharpersist_06606812 : FILE MEMORY $print_str3 = "[+] SUCCESS: Keepass persistence backdoor added" ascii wide condition: - $guid or all of ($print_str*) + $guid or all of ( $print_str* ) } rule ELASTIC_Windows_Trojan_Lurker_0Ee51802 : FILE { 
@@ -88099,10 +88261,10 @@ rule ELASTIC_Windows_Trojan_Lurker_0Ee51802 : FILE date = "2022-04-04" modified = "2022-06-09" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Lurker.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Lurker.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5718fd4f807e29e48a8b6a6f4484426ba96c61ec8630dc78677686e0c9ba2b87" - logic_hash = "782926c927dce82b95e51634d5607c474937e1edc0f7f739acefa0f4c03aa753" + logic_hash = "v1_sha256_782926c927dce82b95e51634d5607c474937e1edc0f7f739acefa0f4c03aa753" score = 75 quality = 75 tags = "FILE" @@ -88117,7 +88279,7 @@ rule ELASTIC_Windows_Trojan_Lurker_0Ee51802 : FILE $str1 = "\\Device\\ZHWLurker0410" wide fullword condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Linux_Ransomware_Echoraix_Ea9532Df : FILE MEMORY { 
@@ -88128,10 +88290,10 @@ rule ELASTIC_Linux_Ransomware_Echoraix_Ea9532Df : FILE MEMORY date = "2023-07-27" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_EchoRaix.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_EchoRaix.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dfe32d97eb48fb2afc295eecfda3196cba5d27ced6217532d119a764071c6297" - logic_hash = "4944f5a2632bfe0abebfa6f658ed3f71e4d97efcb428ed0987e2071dfd66e6a9" + logic_hash = "v1_sha256_4944f5a2632bfe0abebfa6f658ed3f71e4d97efcb428ed0987e2071dfd66e6a9" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -88157,10 +88319,10 @@ rule ELASTIC_Linux_Ransomware_Echoraix_Ee0C719A : FILE MEMORY date = "2023-07-29" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_EchoRaix.yar#L21-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_EchoRaix.yar#L21-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e711b2d9323582aa390cf34846a2064457ae065c7d2ee1a78f5ed0859b40f9c0" - logic_hash = "3ca12ea0f1794935ea570dda83f33d04ffb19b6664cc1c8b1cbeed59ac04a01a" + logic_hash = "v1_sha256_3ca12ea0f1794935ea570dda83f33d04ffb19b6664cc1c8b1cbeed59ac04a01a" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -88187,10 +88349,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_364F3B7B : FILE MEMORY CVE_2016_5195 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0d4c43bf0cdd6486a4bcab988517e58b8c15d276f41600e596ecc28b0b728e69" - logic_hash = "5950195453232e4752b58c9e466c4df1b5ca2b22d5325730de69cd4178438aa7" + logic_hash = "v1_sha256_5950195453232e4752b58c9e466c4df1b5ca2b22d5325730de69cd4178438aa7" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2016-5195" 
@@ -88216,10 +88378,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_3A2Ed31B : FILE MEMORY CVE_2016_5195 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ebbf3bc39ec661e2029d88960a5608e348de92089099019348bc0e891841690f" - logic_hash = "30cd10e38cbda719d9c344efd813e9a19e738a5251e3622957c8349e94366a29" + logic_hash = "v1_sha256_30cd10e38cbda719d9c344efd813e9a19e738a5251e3622957c8349e94366a29" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2016-5195" 
@@ -88245,10 +88407,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_7448814C : FILE MEMORY CVE_2016_5195
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e95d0783b635e34743109d090af17aef2e507e8c90060d171e71d9ac79e083ba"
- logic_hash = "0024b2cc22bf6c2dfc3b73ba91080cea8d502659db38d94b19338382e2fc0c84"
+ logic_hash = "v1_sha256_0024b2cc22bf6c2dfc3b73ba91080cea8d502659db38d94b19338382e2fc0c84"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88274,10 +88436,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_2Fa988E3 : FILE MEMORY CVE_2016_5195
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L61-L79"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L61-L79"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "679392e78d4abefc05b885e43aaccc2da235bd7f2a267c6ecfbe2cf824776993"
- logic_hash = "55c3992ca62ebaf8d45aff818d3261838d239f2004125689ea81edca2cfa59c2"
+ logic_hash = "v1_sha256_55c3992ca62ebaf8d45aff818d3261838d239f2004125689ea81edca2cfa59c2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88303,10 +88465,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Ea8801Ac : FILE MEMORY CVE_2016_5195
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L81-L99"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L81-L99"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7acccfd8c2e5555a3e3bf979ad2314c12a939c1ef32b66e61e30a712f07164fd"
- logic_hash = "00a7f71a0559f937ace15465059147839598897467db6176040882d86111bcd2"
+ logic_hash = "v1_sha256_00a7f71a0559f937ace15465059147839598897467db6176040882d86111bcd2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88332,10 +88494,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_B2Ebdebd : FILE MEMORY CVE_2016_5195
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L101-L119"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L101-L119"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "dee49d4b7f406fd1728dad4dc217484ced2586e014e2cd265ea64eff70a2633d"
- logic_hash = "a9d6ffa65b503f9aa13a0054fa92e346c86585418b6b72131efc00340f8ec224"
+ logic_hash = "v1_sha256_a9d6ffa65b503f9aa13a0054fa92e346c86585418b6b72131efc00340f8ec224"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88361,10 +88523,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_9190D516 : FILE MEMORY CVE_2016_5195
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L121-L139"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L121-L139"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "837ffed1f23293dc9c7cb994601488fc121751a249ffde51326947c33c5fca7f"
- logic_hash = "370248d2b6bb625d65f160b62f1b4a7d2809f3fedfb98a009b19dab61f0ba57e"
+ logic_hash = "v1_sha256_370248d2b6bb625d65f160b62f1b4a7d2809f3fedfb98a009b19dab61f0ba57e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88390,10 +88552,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_3B460716 : FILE MEMORY CVE_2016_5195
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L141-L159"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L141-L159"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8c4d49d4881ebdab1bd0e083d4e644cfc8eb7af3b96664598526ab3d175fc420"
- logic_hash = "759e08c9e3405d841aa467c3343cfac01fed9e9d86aca90139d0eae8855942e5"
+ logic_hash = "v1_sha256_759e08c9e3405d841aa467c3343cfac01fed9e9d86aca90139d0eae8855942e5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88419,10 +88581,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Ccfd7518 : FILE MEMORY CVE_2016_5195
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L161-L179"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L161-L179"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b1017db71cf195aa565c57fed91ff1cdfcce344dc76526256d5817018f1351bf"
- logic_hash = "02720152af167f1a7e5707f97aa920c6d955458df58d8ef0d9eba868da6a16af"
+ logic_hash = "v1_sha256_02720152af167f1a7e5707f97aa920c6d955458df58d8ef0d9eba868da6a16af"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88448,10 +88610,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_D41C2C63 : FILE MEMORY CVE_2016_5195
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L181-L199"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L181-L199"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a4e5751b4e8fa2e9b70e1e234f435a03290c414f9547dc7709ce2ee4263a35f1"
- logic_hash = "c9460cfc2b6d686145be9afd3ed670619f04c7155b03caa193222cba8405160d"
+ logic_hash = "v1_sha256_c9460cfc2b6d686145be9afd3ed670619f04c7155b03caa193222cba8405160d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88477,10 +88639,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Ffa7F059 : FILE MEMORY CVE_2016_5195
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L201-L219"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L201-L219"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a073c6be047ea7b4500b1ffdc8bdadd9a06f9efccd38c88e0fc976b97b2b2df5"
- logic_hash = "b558066b80232ceb32c625f49a0ddeccd4b3bc52e664e5a72f2aa7361bcec352"
+ logic_hash = "v1_sha256_b558066b80232ceb32c625f49a0ddeccd4b3bc52e664e5a72f2aa7361bcec352"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88506,10 +88668,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Fb24C7E4 : FILE MEMORY CVE_2016_5195
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L221-L239"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L221-L239"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a073c6be047ea7b4500b1ffdc8bdadd9a06f9efccd38c88e0fc976b97b2b2df5"
- logic_hash = "17a2a628f2d1fa088a1e0c5b2ad3f08e24b8504033b328c944b9ae83a5d12fcc"
+ logic_hash = "v1_sha256_17a2a628f2d1fa088a1e0c5b2ad3f08e24b8504033b328c944b9ae83a5d12fcc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88535,10 +88697,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_B45098Df : FILE MEMORY CVE_2016_5195
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L241-L259"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L241-L259"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e053aca86570b3781b3e08daab51382712270d2a375257c8b5789d3d87149314"
- logic_hash = "4622551b73a12c5399df1f4e052ce32b4cee04486a870bc92942c8597dcad1f7"
+ logic_hash = "v1_sha256_4622551b73a12c5399df1f4e052ce32b4cee04486a870bc92942c8597dcad1f7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88564,10 +88726,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_9C67A994 : FILE MEMORY CVE_2016_5195
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L261-L279"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L261-L279"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "70429d67402a43ed801e295b1ae1757e4fccd5d786c09ee054591ae51dfc1b25"
- logic_hash = "742ce59fadefe242ca97d8ce603976fa8b5e1ba55ede38434c04dcd6f4891712"
+ logic_hash = "v1_sha256_742ce59fadefe242ca97d8ce603976fa8b5e1ba55ede38434c04dcd6f4891712"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88593,10 +88755,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Ab87C1Ed : FILE MEMORY CVE_2016_5195
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L281-L299"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L281-L299"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c13c32d3a14cbc9c2580b1c76625cce8d48c5ae683230149a3f41640655e7f28"
- logic_hash = "737f5ff982d2b656918ad3258ca20bce2ec416f2af743335b9a87a86f78be810"
+ logic_hash = "v1_sha256_737f5ff982d2b656918ad3258ca20bce2ec416f2af743335b9a87a86f78be810"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88622,10 +88784,10 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_F1C0482A : FILE MEMORY CVE_2016_5195
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L301-L319"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L301-L319"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a12a1e8253ee1244b018fd3bdcb6b7729dfe16e06aed470f6b08344a110a4061"
- logic_hash = "084ba60d8464ef5bf3a3aa942bb88caf447c6cee3ebf023157bd261226057663"
+ logic_hash = "v1_sha256_084ba60d8464ef5bf3a3aa942bb88caf447c6cee3ebf023157bd261226057663"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88651,10 +88813,10 @@ rule ELASTIC_Linux_Trojan_Sshdoor_5B78Aa01 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sshdoor.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sshdoor.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2e1d909e4a6ba843194f9912826728bd2639b0f34ee512e0c3c9e5ce4d27828e"
- logic_hash = "bcf285ac220b2b2ed9caf0943fa22ee830e5b26501c54a223e483a33e2fc63c0"
+ logic_hash = "v1_sha256_bcf285ac220b2b2ed9caf0943fa22ee830e5b26501c54a223e483a33e2fc63c0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88680,10 +88842,10 @@ rule ELASTIC_Linux_Trojan_Sshdoor_1B443A9B : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sshdoor.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sshdoor.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a33112daa5a7d31ea1a1ca9b910475843b7d8c84d4658ccc00bafee044382709"
- logic_hash = "4afcd7103a14d59abc08d9e03182a985e3d0250c09aad5e81fd110c6a95f29e0"
+ logic_hash = "v1_sha256_4afcd7103a14d59abc08d9e03182a985e3d0250c09aad5e81fd110c6a95f29e0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88709,10 +88871,10 @@ rule ELASTIC_Linux_Trojan_Sshdoor_7C36D3Dd : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sshdoor.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sshdoor.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "def4de838d58c70f9f0ae026cdad3bf09b711a55af97ed20804fa1e34e7b59e9"
- logic_hash = "c1b61fce7593a44e47043fac8a6356f9aa9e74b66db005400684a5a79b69a5cd"
+ logic_hash = "v1_sha256_c1b61fce7593a44e47043fac8a6356f9aa9e74b66db005400684a5a79b69a5cd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88738,10 +88900,10 @@ rule ELASTIC_Linux_Trojan_Sshdoor_3E81B1B7 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sshdoor.yar#L61-L79"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sshdoor.yar#L61-L79"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "def4de838d58c70f9f0ae026cdad3bf09b711a55af97ed20804fa1e34e7b59e9"
- logic_hash = "54253df560e6552a728dc2651c557bc23ae8ec4847760290701438821c52342e"
+ logic_hash = "v1_sha256_54253df560e6552a728dc2651c557bc23ae8ec4847760290701438821c52342e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88767,10 +88929,10 @@ rule ELASTIC_Linux_Trojan_Sshdoor_Cde7Cfd4 : FILE MEMORY
 date = "2022-01-05"
 modified = "2022-01-26"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sshdoor.yar#L81-L99"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sshdoor.yar#L81-L99"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cd646a1d59c99b9e038098b91cdb63c3fe9b35bb10583bef0ab07260dbd4d23d"
- logic_hash = "47967d90a6dbb4461e22998aff5b7e68b4b9007ea7e5e30574ae1f1cfcbaa573"
+ logic_hash = "v1_sha256_47967d90a6dbb4461e22998aff5b7e68b4b9007ea7e5e30574ae1f1cfcbaa573"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88796,10 +88958,10 @@ rule ELASTIC_Linux_Trojan_Sshdoor_32D9Fb1B : FILE MEMORY
 date = "2022-09-12"
 modified = "2022-10-18"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sshdoor.yar#L101-L119"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sshdoor.yar#L101-L119"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ee1f6dbea40d198e437e8c2ae81193472c89e41d1998bee071867dab1ce16b90"
- logic_hash = "35ef4f3970484a46d705e6976a9932639d576717454b8e07ed24a72114d9c42d"
+ logic_hash = "v1_sha256_35ef4f3970484a46d705e6976a9932639d576717454b8e07ed24a72114d9c42d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88825,10 +88987,10 @@ rule ELASTIC_Linux_Trojan_Sshdoor_7C3Cfc62 : FILE MEMORY
 date = "2022-09-12"
 modified = "2022-10-18"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sshdoor.yar#L121-L139"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sshdoor.yar#L121-L139"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ee1f6dbea40d198e437e8c2ae81193472c89e41d1998bee071867dab1ce16b90"
- logic_hash = "da9804489f30b575d2b459f82570f5df07c1777f105cd373c4268f8a31fa4e43"
+ logic_hash = "v1_sha256_da9804489f30b575d2b459f82570f5df07c1777f105cd373c4268f8a31fa4e43"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88854,10 +89016,10 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_A1311F49 : FILE MEMORY
 date = "2023-10-06"
 modified = "2023-10-26"
 reference = "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_GhostPulse.yar#L1-L21"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_GhostPulse.yar#L1-L21"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0175448655e593aa299278d5f11b81f2af76638859e104975bdb5d30af5c0c11"
- logic_hash = "21838f230ac1a77f09d01d30f4ea3b66313618660e63ab7012b030e0b819547e"
+ logic_hash = "v1_sha256_21838f230ac1a77f09d01d30f4ea3b66313618660e63ab7012b030e0b819547e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88884,9 +89046,9 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_3Fe1D02D : FILE MEMORY
 date = "2023-10-12"
 modified = "2023-10-26"
 reference = "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_GhostPulse.yar#L23-L41"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "4ef78d436a153ed751a8483c1e43ec2ba053dedfa0da2780fded42012d3042c1"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_GhostPulse.yar#L23-L41"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_4ef78d436a153ed751a8483c1e43ec2ba053dedfa0da2780fded42012d3042c1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88912,10 +89074,10 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_3673D337 : FILE MEMORY
 date = "2023-12-11"
 modified = "2024-01-12"
 reference = "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_GhostPulse.yar#L43-L63"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_GhostPulse.yar#L43-L63"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3013ba32838f6d97d7d75e25394f9611b1c5def94d93588f0a05c90b25b7d6d5"
- logic_hash = "a92815f27533338e17afd5ebdbe82e382636fb81167a82d1b613c0dccc5b7ed3"
+ logic_hash = "v1_sha256_a92815f27533338e17afd5ebdbe82e382636fb81167a82d1b613c0dccc5b7ed3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88942,10 +89104,10 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_8Ae8310B : FILE MEMORY
 date = "2024-05-27"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_GhostPulse.yar#L65-L84"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_GhostPulse.yar#L65-L84"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5b64f91b41a7390d89cd3b1fccf02b08b18b7fed17a43b0bfac63d75dc0df083"
- logic_hash = "b3873a3c728e98d65984033620c0ac8ee93be21db5b6d9bd4665b9f7d0d759fa"
+ logic_hash = "v1_sha256_b3873a3c728e98d65984033620c0ac8ee93be21db5b6d9bd4665b9f7d0d759fa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88972,10 +89134,10 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_9E22C56D : FILE MEMORY
 date = "2024-07-21"
 modified = "2024-07-26"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_GhostPulse.yar#L86-L106"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_GhostPulse.yar#L86-L106"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "349b4dfa1e93144b010affba926663264288a5cfcb7b305320f466b2551b93df"
- logic_hash = "5dbd0d6a936a73e933181017c67c36fde7576b47643ec00848f7b58170bd9c6b"
+ logic_hash = "v1_sha256_5dbd0d6a936a73e933181017c67c36fde7576b47643ec00848f7b58170bd9c6b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89003,10 +89165,10 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_Bb38Fcb3 : FILE MEMORY
 date = "2024-10-15"
 modified = "2024-10-24"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_GhostPulse.yar#L108-L127"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_GhostPulse.yar#L108-L127"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae"
- logic_hash = "95a7f663f0bac81a5426d722ec95e11f37fcde45cbf8ebd4e32b9f4c72873c2b"
+ logic_hash = "v1_sha256_95a7f663f0bac81a5426d722ec95e11f37fcde45cbf8ebd4e32b9f4c72873c2b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89033,10 +89195,10 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_Caea316B : FILE MEMORY
 date = "2024-10-10"
 modified = "2024-10-24"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_GhostPulse.yar#L129-L147"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_GhostPulse.yar#L129-L147"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "454e898405a10ecc06b4243c25f86c855203722a4970dee4c4e1a4e8e75f5137"
- logic_hash = "740dad0ce9d6b7c5a4125db9c6ad36e767bacba478ee627032b7fe00431c6d7b"
+ logic_hash = "v1_sha256_740dad0ce9d6b7c5a4125db9c6ad36e767bacba478ee627032b7fe00431c6d7b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89062,10 +89224,10 @@ rule ELASTIC_Linux_Trojan_Malxmr_7054A0D0 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Malxmr.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Malxmr.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3a6b3552ffac13aa70e24fef72b69f683ac221105415efb294fb9a2fc81c260a"
- logic_hash = "f7153fb11e0e4bf422021cc0fab99536c2a193198bf70d7f2af2fa5c1971c028"
+ logic_hash = "v1_sha256_f7153fb11e0e4bf422021cc0fab99536c2a193198bf70d7f2af2fa5c1971c028"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -89091,10 +89253,10 @@ rule ELASTIC_Linux_Trojan_Malxmr_144994A5 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Malxmr.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Malxmr.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "07db41a4ddaac802b04df5e5bbae0881fead30cb8f6fa53a8a2e1edf14f2d36b"
- logic_hash = "4d40337895e63d3dc6f0d94889863f0f5017533658210b902b08d84cf3588cab"
+ logic_hash = "v1_sha256_4d40337895e63d3dc6f0d94889863f0f5017533658210b902b08d84cf3588cab"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -89120,10 +89282,10 @@ rule ELASTIC_Windows_Hacktool_Cheatengine_Fedac96D : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_CheatEngine.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_CheatEngine.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b20b339a7b61dc7dbc9a36c45492ba9654a8b8a7c8cbc202ed1dfed427cfd799" - logic_hash = "426b6d388f86dd935d8165af0fb7c8491c987542755ec4c7c53a35a9003f8680" + logic_hash = "v1_sha256_426b6d388f86dd935d8165af0fb7c8491c987542755ec4c7c53a35a9003f8680" score = 75 quality = 35 tags = "FILE" @@ -89139,7 +89301,7 @@ rule ELASTIC_Windows_Hacktool_Cheatengine_Fedac96D : FILE $subject_name = { 06 03 55 04 03 [2] 43 68 65 61 74 20 45 6E 67 69 6E 65 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $subject_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $subject_name } rule ELASTIC_Windows_Ransomware_Helloxd_0C50F01B : FILE MEMORY { 
@@ -89150,10 +89312,10 @@ rule ELASTIC_Windows_Ransomware_Helloxd_0C50F01B : FILE MEMORY date = "2022-06-14" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Helloxd.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Helloxd.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589" - logic_hash = "71e09fa1a00fa6f3688129ee2b2a8957b84f64ef51fcba5123a6a9df80a9c7e1" + logic_hash = "v1_sha256_71e09fa1a00fa6f3688129ee2b2a8957b84f64ef51fcba5123a6a9df80a9c7e1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -89175,7 +89337,7 @@ rule ELASTIC_Windows_Ransomware_Helloxd_0C50F01B : FILE MEMORY $companyname = "MicloZ0ft" ascii wide condition: - ($mutex and all of ($ransomnote*)) or (3 of ($productname,$legalcopyright,$description,$companyname)) + ($mutex and all of ( $ransomnote* ) ) or ( 3 of ( $productname , $legalcopyright , $description , $companyname ) ) } rule ELASTIC_Windows_Ransomware_Blackhunt_7B46Cb9C : FILE MEMORY { 
@@ -89186,10 +89348,10 @@ rule ELASTIC_Windows_Ransomware_Blackhunt_7B46Cb9C : FILE MEMORY date = "2024-03-12" modified = "2024-03-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_BlackHunt.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_BlackHunt.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6c4e968c9b53906ba0e86a41eccdabe2b736238cb126852023e15850e956293d" - logic_hash = "97bb8436574fd814d8278e5a7043e011d0e4f9a7dd9df5e67605f28ac1af1e74" + logic_hash = "v1_sha256_97bb8436574fd814d8278e5a7043e011d0e4f9a7dd9df5e67605f28ac1af1e74" score = 50 quality = 75 tags = "FILE, MEMORY" 
@@ -89221,10 +89383,10 @@ rule ELASTIC_Linux_Exploit_Openssl_47C6Fad7 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Openssl.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Openssl.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8024af0931dff24b5444f0b06a27366a776014358aa0b7fc073030958f863ef8" - logic_hash = "4c60071ecd7b826e692710ae11b09be30e7df5833bcaa8642fea014e12b9abd7" + logic_hash = "v1_sha256_4c60071ecd7b826e692710ae11b09be30e7df5833bcaa8642fea014e12b9abd7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89250,10 +89412,10 @@ rule ELASTIC_Windows_Trojan_Lumma_693A5234 : FILE MEMORY date = "2024-06-05" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Lumma.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Lumma.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "88340abcdc3cfe7574ee044aea44808446daf3bb7bf9fc60b16a2b1360c5d9c0" - logic_hash = "2b29ac9bc73f191bdbfc92601cab923aa9f2f3380c8123ee469ced3754625dd0" + logic_hash = "v1_sha256_2b29ac9bc73f191bdbfc92601cab923aa9f2f3380c8123ee469ced3754625dd0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89280,10 +89442,10 @@ rule ELASTIC_Windows_Trojan_Lumma_30608A8C : FILE MEMORY date = "2024-10-07" modified = "2024-10-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Lumma.yar#L22-L41" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Lumma.yar#L22-L41" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "672e06b9729da0616b103c19d68b812bed33e3e12c788a584f13925f81d68129" - logic_hash = "1793a535db3fd7e8ad3db4b2de22efffabbcd3e91d89f36de71e95dc0fa9012f" + logic_hash = "v1_sha256_1793a535db3fd7e8ad3db4b2de22efffabbcd3e91d89f36de71e95dc0fa9012f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89310,10 +89472,10 @@ rule ELASTIC_Windows_Trojan_Lumma_4Ad749B0 : FILE MEMORY date = "2024-11-08" modified = "2024-11-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Lumma.yar#L43-L61" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Lumma.yar#L43-L61" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1f953271bc983b3a561b85083bc14a13d18b81a34855d0a6d9fe902934347f92" - logic_hash = "2248fe539cd0ba17073f1e1650fb93fb755ebe4bc2505e11aa7db9635a0fcb8e" + logic_hash = "v1_sha256_2248fe539cd0ba17073f1e1650fb93fb755ebe4bc2505e11aa7db9635a0fcb8e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89339,10 +89501,10 @@ rule ELASTIC_Windows_Trojan_Garble_Eae7F2F7 : FILE MEMORY date = "2022-06-08" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Garble.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Garble.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4820a1ec99981e03675a86c4c01acba6838f04945b5f753770b3de4e253e1b8c" - logic_hash = "5d88579b0f0f71b8b4310c141fb243f39696e158227da0a1e0140b030b783c65" + logic_hash = "v1_sha256_5d88579b0f0f71b8b4310c141fb243f39696e158227da0a1e0140b030b783c65" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89368,10 +89530,10 @@ rule ELASTIC_Windows_Trojan_Lobshot_013C1B0B : FILE MEMORY date = "2023-04-18" modified = "2023-04-23" reference = "https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Lobshot.yar#L1-L30" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Lobshot.yar#L1-L30" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6" - logic_hash = "e1fb245c3441c9bd393a47a9bed01bf7f62aa3ec36d460584d75e326e7e92ad4" + logic_hash = "v1_sha256_e1fb245c3441c9bd393a47a9bed01bf7f62aa3ec36d460584d75e326e7e92ad4" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -89396,7 +89558,7 @@ rule ELASTIC_Windows_Trojan_Lobshot_013C1B0B : FILE MEMORY $seq_create_guid = { 8D 48 ?? 80 F9 ?? 77 ?? 2C ?? C1 E2 ?? 46 0F B6 C8 0B D1 83 FE ?? 7C ?? 5F 8B C2 5E C3 } condition: - 2 of ($seq*) or 5 of ($str*) + 2 of ( $seq* ) or 5 of ( $str* ) } rule ELASTIC_Linux_Shellcode_Generic_5669055F : FILE MEMORY { 
@@ -89407,10 +89569,10 @@ rule ELASTIC_Linux_Shellcode_Generic_5669055F : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Shellcode_Generic.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Shellcode_Generic.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "87ef4def16d956cdfecaea899cbb55ff59a6739bbb438bf44a8b5fec7fcfd85b" - logic_hash = "735b8dc7fff3c9cc96646a4eb7c5afd70be19dcc821e9e26ce906681130746be" + logic_hash = "v1_sha256_735b8dc7fff3c9cc96646a4eb7c5afd70be19dcc821e9e26ce906681130746be" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89436,10 +89598,10 @@ rule ELASTIC_Linux_Shellcode_Generic_D2C96B1D : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Shellcode_Generic.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Shellcode_Generic.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "403d53a65bd77856f7c565307af5003b07413f2aba50869655cdd88ce15b0c82" - logic_hash = "33d964e22c8e3046f114e8264d18e8b4a0e7b55eca59151b084db7eea07aa0b1" + logic_hash = "v1_sha256_33d964e22c8e3046f114e8264d18e8b4a0e7b55eca59151b084db7eea07aa0b1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89465,10 +89627,10 @@ rule ELASTIC_Linux_Shellcode_Generic_30C70926 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Shellcode_Generic.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Shellcode_Generic.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a742e23f26726293b1bff3db72864471d6bb4062db1cc6e1c4241f51ec0e21b1" - logic_hash = "3594994a911e5428198c472a51de189a6be74895170581ec577c49f8dbb9167a" + logic_hash = "v1_sha256_3594994a911e5428198c472a51de189a6be74895170581ec577c49f8dbb9167a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89494,10 +89656,10 @@ rule ELASTIC_Linux_Shellcode_Generic_224Bdcc4 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Shellcode_Generic.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Shellcode_Generic.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bd22648babbee04555cef52bfe3e0285d33852e85d254b8ebc847e4e841b447e" - logic_hash = "8c4a2bb63f0926e7373caf0a027179b4730cc589f9af66d2071e88f4165b0f73" + logic_hash = "v1_sha256_8c4a2bb63f0926e7373caf0a027179b4730cc589f9af66d2071e88f4165b0f73" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89523,10 +89685,10 @@ rule ELASTIC_Linux_Shellcode_Generic_99B991Cd : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Shellcode_Generic.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Shellcode_Generic.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "954b5a073ce99075b60beec72936975e48787bea936b4c5f13e254496a20d81d" - logic_hash = "664e213314fe1d6f1920de237ebea3a94f7fbc42eff089475674ccef812f0f68" + logic_hash = "v1_sha256_664e213314fe1d6f1920de237ebea3a94f7fbc42eff089475674ccef812f0f68" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89552,10 +89714,10 @@ rule ELASTIC_Linux_Shellcode_Generic_24B9Aa12 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Shellcode_Generic.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Shellcode_Generic.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "24b2c1ccbbbe135d40597fbd23f7951d93260d0039e0281919de60fa74eb5977" - logic_hash = "4685253eb00a21d6dd6e874ff68209f20c8668262f24767086687555ccf934aa" + logic_hash = "v1_sha256_4685253eb00a21d6dd6e874ff68209f20c8668262f24767086687555ccf934aa" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89581,10 +89743,10 @@ rule ELASTIC_Linux_Shellcode_Generic_8Ac37612 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Shellcode_Generic.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Shellcode_Generic.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c199b902fa4b0fcf54dc6bf3e25ad16c12f862b47e055863a5e9e1f98c6bd6ca" - logic_hash = "c0af751bc54dcd9cf834fa5fe9fa120be5e49a56135ebb72fd6073948e956929" + logic_hash = "v1_sha256_c0af751bc54dcd9cf834fa5fe9fa120be5e49a56135ebb72fd6073948e956929" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89610,10 +89772,10 @@ rule ELASTIC_Linux_Shellcode_Generic_932Ed0F0 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Shellcode_Generic.yar#L141-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Shellcode_Generic.yar#L141-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f357597f718f86258e7a640250f2e9cf1c3363ab5af8ddbbabb10ebfa3c91251" - logic_hash = "20ae3f1d96f8afd0900ac919eacaff3bd748a7466af5bb2b9f77cfdc4b8b829e" + logic_hash = "v1_sha256_20ae3f1d96f8afd0900ac919eacaff3bd748a7466af5bb2b9f77cfdc4b8b829e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89639,10 +89801,10 @@ rule ELASTIC_Linux_Ransomware_Sfile_9E347B52 : FILE MEMORY date = "2023-07-29" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_SFile.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_SFile.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "49473adedc4ee9b1252f120ad8a69e165dc62eabfa794370408ae055ec65db9d" - logic_hash = "394571fd5746132d15da97428c3afc149435d91d5432eadf1c838d4a6433c7c1" + logic_hash = "v1_sha256_394571fd5746132d15da97428c3afc149435d91d5432eadf1c838d4a6433c7c1" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -89669,10 +89831,10 @@ rule ELASTIC_Windows_Trojan_Pikabot_8C6750B5 : FILE MEMORY date = "2023-06-05" modified = "2023-06-19" reference = "https://www.elastic.co/security-labs/pikabot-i-choose-you" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PikaBot.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PikaBot.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1" - logic_hash = "03e36f927513625d1dd997c79843b1b14e344e8411155740213d7aff9794c5c6" + logic_hash = "v1_sha256_03e36f927513625d1dd997c79843b1b14e344e8411155740213d7aff9794c5c6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89703,10 +89865,10 @@ rule ELASTIC_Windows_Trojan_Pikabot_5B220E9C : FILE MEMORY date = "2024-02-06" modified = "2024-02-08" reference = "https://www.elastic.co/security-labs/pikabot-i-choose-you" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PikaBot.yar#L27-L52" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PikaBot.yar#L27-L52" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d836b06b0118e6d258e318b1cfdc509cacc0859c6a6b3d7c5f4d2525e00d97b2" - logic_hash = "1d2158716b7c32734f12f8528352a3872e21fea2f9b21a36d6ac44fcd50a9f3c" + logic_hash = "v1_sha256_1d2158716b7c32734f12f8528352a3872e21fea2f9b21a36d6ac44fcd50a9f3c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89738,9 +89900,9 @@ rule ELASTIC_Windows_Trojan_Pikabot_5441F511 : FILE MEMORY date = "2024-02-15" modified = "2024-02-21" reference = "https://www.elastic.co/security-labs/pikabot-i-choose-you" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PikaBot.yar#L54-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "fa44408874c6a007212dfc206cbecbac7a3e50df94da4ce02de2e04e9119c79f" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PikaBot.yar#L54-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_fa44408874c6a007212dfc206cbecbac7a3e50df94da4ce02de2e04e9119c79f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -89772,9 +89934,9 @@ rule ELASTIC_Windows_Trojan_Pikabot_95Db8B5A : FILE MEMORY date = "2024-02-15" modified = "2024-02-21" reference = "https://www.elastic.co/security-labs/pikabot-i-choose-you" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PikaBot.yar#L80-L103" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "74073ceae1b26b953b7644d56a2ec92993b83802a30ce82c6921df5448ebab06" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PikaBot.yar#L80-L103" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_74073ceae1b26b953b7644d56a2ec92993b83802a30ce82c6921df5448ebab06" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89805,10 +89967,10 @@ rule ELASTIC_Linux_Exploit_CVE_2021_4034_1C8F235D : FILE CVE_2021_4034 date = "2022-01-26" modified = "2022-07-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2021_4034.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2021_4034.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b" - logic_hash = "217df6687076a715712a053672d7b02567a3ee38ce9c0ccf80d23fcfde35592a" + logic_hash = "v1_sha256_217df6687076a715712a053672d7b02567a3ee38ce9c0ccf80d23fcfde35592a" score = 75 quality = 75 tags = "FILE, CVE-2021-4034" 
@@ -89835,10 +89997,10 @@ rule ELASTIC_Macos_Infostealer_Mdquerytcc_142313Cb : FILE MEMORY date = "2023-04-11" modified = "2024-08-19" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Infostealer_MdQueryTCC.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Infostealer_MdQueryTCC.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8" - logic_hash = "e00015867ad0a0c440a49364945fe828d50675ecfd2039028653d97c77cff323" + logic_hash = "v1_sha256_e00015867ad0a0c440a49364945fe828d50675ecfd2039028653d97c77cff323" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -89864,9 +90026,9 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_1Cab7Ea1 : BETA FILE MEMORY date = "2020-05-03" modified = "2021-08-23" reference = "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ragnarok.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8bae3ea4304473209fc770673b680154bf227ce30f6299101d93fe830da0fe91" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ragnarok.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8bae3ea4304473209fc770673b680154bf227ce30f6299101d93fe830da0fe91" score = 75 quality = 73 tags = "BETA, FILE, MEMORY" @@ -89882,7 +90044,7 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_1Cab7Ea1 : BETA FILE MEMORY $c1 = ".ragnarok" ascii wide fullword condition: - 1 of ($c*) + 1 of ( $c* ) } rule ELASTIC_Windows_Ransomware_Ragnarok_7E802F95 : BETA FILE MEMORY { 
@@ -89893,9 +90055,9 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_7E802F95 : BETA FILE MEMORY date = "2020-05-03" modified = "2021-08-23" reference = "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ragnarok.yar#L22-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8f293cdbdc3c395e18c304dfa43d0dcdb52b18bde5b5d084190ceec70aea6cbd" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ragnarok.yar#L22-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8f293cdbdc3c395e18c304dfa43d0dcdb52b18bde5b5d084190ceec70aea6cbd" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -89912,7 +90074,7 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_7E802F95 : BETA FILE MEMORY $d2 = { 68 90 94 42 00 FF 35 A0 77 43 00 E8 8F D6 00 00 8B 40 10 50 } condition: - 1 of ($d*) + 1 of ( $d* ) } rule ELASTIC_Windows_Ransomware_Ragnarok_Efafbe48 : BETA FILE MEMORY { 
@@ -89923,9 +90085,9 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_Efafbe48 : BETA FILE MEMORY date = "2020-05-03" modified = "2021-08-23" reference = "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ragnarok.yar#L44-L71" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c9d203620e0e6e04d717595ca70a5e5efa74abfc11e4e732d729caab2d246c27" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ragnarok.yar#L44-L71" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c9d203620e0e6e04d717595ca70a5e5efa74abfc11e4e732d729caab2d246c27" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -89949,7 +90111,7 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_Efafbe48 : BETA FILE MEMORY $a10 = "&prv_ip=" ascii fullword condition: - 6 of ($a*) + 6 of ( $a* ) } rule ELASTIC_Windows_Ransomware_Ragnarok_5625D3F6 : BETA FILE MEMORY { 
@@ -89960,9 +90122,9 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_5625D3F6 : BETA FILE MEMORY date = "2020-05-03" modified = "2021-08-23" reference = "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ragnarok.yar#L73-L95" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8c22cf9dfbeba7391f6d2370c88129650ef4c778464e676752de1d0fd9c5b34e" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ragnarok.yar#L73-L95" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8c22cf9dfbeba7391f6d2370c88129650ef4c778464e676752de1d0fd9c5b34e" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -89981,7 +90143,7 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_5625D3F6 : BETA FILE MEMORY $b4 = "cometosee" ascii fullword condition: - all of ($b*) + all of ( $b* ) } rule ELASTIC_Macos_Trojan_Metasploit_6Cab0Ec0 : FILE MEMORY { 
@@ -89992,10 +90154,10 @@ rule ELASTIC_Macos_Trojan_Metasploit_6Cab0Ec0 : FILE MEMORY date = "2021-09-30" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42" - logic_hash = "c19fe812b74b034bfb42c0e2ee552d879ed038e054c5870b85e7e610d3184198" + logic_hash = "v1_sha256_c19fe812b74b034bfb42c0e2ee552d879ed038e054c5870b85e7e610d3184198" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90021,10 +90183,10 @@ rule ELASTIC_Macos_Trojan_Metasploit_293Bfea9 : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L21-L42"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L21-L42"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42"
- logic_hash = "b8bd0d034a6306f99333723d77724ae53c1a189dad3fad7417f2d2fde214c24a"
+ logic_hash = "v1_sha256_b8bd0d034a6306f99333723d77724ae53c1a189dad3fad7417f2d2fde214c24a"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -90053,10 +90215,10 @@ rule ELASTIC_Macos_Trojan_Metasploit_448Fa81D : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L44-L64"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L44-L64"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42"
- logic_hash = "ab0608920b9f632bad99e1358f21a88bc6048f46fca21a488a1a10b7ef1e42ae"
+ logic_hash = "v1_sha256_ab0608920b9f632bad99e1358f21a88bc6048f46fca21a488a1a10b7ef1e42ae"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90084,9 +90246,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_768Df39D : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L66-L85"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "140ba93d57b27325f66b36132ecaab205663e3e582818baf377e050802c8d152"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L66-L85"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_140ba93d57b27325f66b36132ecaab205663e3e582818baf377e050802c8d152"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90113,9 +90275,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_7Ce0B709 : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/shell_bind_tcp.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L87-L106"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "56fc05ece464d562ff6e56247756454c940c07b03c4a4c783b2bae4d5807247a"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L87-L106"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_56fc05ece464d562ff6e56247756454c940c07b03c4a4c783b2bae4d5807247a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90142,9 +90304,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_F11Ccdac : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/shell_find_port.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L108-L127"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "fcf578d3e98b591b33cb6f4bec1b9e92a7e1a88f0b56f3c501f9089d2094289c"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L108-L127"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_fcf578d3e98b591b33cb6f4bec1b9e92a7e1a88f0b56f3c501f9089d2094289c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90171,9 +90333,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_D9B16F4C : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L129-L148"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "8e082878fb52f6314ec8c725dd279447ee8a0fc403c47ffd997712adb496e7c3"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L129-L148"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_8e082878fb52f6314ec8c725dd279447ee8a0fc403c47ffd997712adb496e7c3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90200,9 +90362,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_2992B917 : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L150-L169"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "10056ffb719092f83ad236a63ef6fa1f40568e500c042bd737575997bb67a8ec"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L150-L169"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_10056ffb719092f83ad236a63ef6fa1f40568e500c042bd737575997bb67a8ec"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90229,9 +90391,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_27D409F1 : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x64/shell_bind_tcp.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L171-L190"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "b757e0ab6665a3e4846c6bbe4386e9d9a730ece00a2453933ce771aec2dd716e"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L171-L190"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_b757e0ab6665a3e4846c6bbe4386e9d9a730ece00a2453933ce771aec2dd716e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90258,9 +90420,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_65A2394B : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stages/osx/x86/vforkshell.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L192-L211"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "f01f671b0bf9fa53aa3383c88ba871742f0e55dbdae4278f440ed29f35eb1ca1"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L192-L211"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_f01f671b0bf9fa53aa3383c88ba871742f0e55dbdae4278f440ed29f35eb1ca1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90287,9 +90449,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_C7B7A90B : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/osx/x86/reverse_tcp.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L213-L232"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "d4b1f01bf8434dd69188d2ad0b376fad3a4d9c94ebe74d40f05019baf95b5496"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L213-L232"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_d4b1f01bf8434dd69188d2ad0b376fad3a4d9c94ebe74d40f05019baf95b5496"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90316,9 +90478,9 @@ rule ELASTIC_Macos_Trojan_Metasploit_4Bd6Aaca : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/osx/x86/bind_tcp.rb"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L234-L253"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "a3de610ced90679f6fa0dcdf7890a64369c774839ea30018a7ef6fe9289d3d17"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L234-L253"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_a3de610ced90679f6fa0dcdf7890a64369c774839ea30018a7ef6fe9289d3d17"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90345,10 +90507,10 @@ rule ELASTIC_Macos_Trojan_Metasploit_5E5B685F : FILE MEMORY
 date = "2021-10-05"
 modified = "2021-10-25"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Metasploit.yar#L255-L273"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Metasploit.yar#L255-L273"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cdf0a3c07ef1479b53d49b8f22a9f93adcedeea3b869ef954cc043e54f65c3d0"
- logic_hash = "003fb4f079b125f37899a2b3cb62d80edd5b3e5ccbed5bc1ea514a4a173d329d"
+ logic_hash = "v1_sha256_003fb4f079b125f37899a2b3cb62d80edd5b3e5ccbed5bc1ea514a4a173d329d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90374,10 +90536,10 @@ rule ELASTIC_Windows_Trojan_Beam_E41B243A : FILE MEMORY
 date = "2021-12-07"
 modified = "2022-04-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Beam.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Beam.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "233a1f1dcbb679d31dab7744358b434cccabfc752baf53ba991388ced098f7c8"
- logic_hash = "295837743ecfa51e1713d19cba24ff8885c8716201caac058ae8b2bc9e008e6c"
+ logic_hash = "v1_sha256_295837743ecfa51e1713d19cba24ff8885c8716201caac058ae8b2bc9e008e6c"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -90406,10 +90568,10 @@ rule ELASTIC_Windows_Trojan_Beam_5A951D13 : FILE MEMORY
 date = "2021-12-07"
 modified = "2022-04-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Beam.yar#L24-L42"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Beam.yar#L24-L42"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "233a1f1dcbb679d31dab7744358b434cccabfc752baf53ba991388ced098f7c8"
- logic_hash = "3419b649717b69f07334bd966f438dd0b77f03572fe14f4b88ce95a2a86cae07"
+ logic_hash = "v1_sha256_3419b649717b69f07334bd966f438dd0b77f03572fe14f4b88ce95a2a86cae07"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90435,10 +90597,10 @@ rule ELASTIC_Windows_Trojan_Afdk_C952Fcfa : FILE MEMORY
 date = "2023-12-01"
 modified = "2024-01-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Afdk.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Afdk.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6723a9489e7cfb5e2d37ff9160d55cda065f06907122d73764849808018eb7a0"
- logic_hash = "a0589a3bf9e733e615b6e552395b3ff513e4fad7efd7d2ebea634aa91d2f60d9"
+ logic_hash = "v1_sha256_a0589a3bf9e733e615b6e552395b3ff513e4fad7efd7d2ebea634aa91d2f60d9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90464,10 +90626,10 @@ rule ELASTIC_Windows_Trojan_Afdk_5F8Cc135 : FILE MEMORY
 date = "2023-12-01"
 modified = "2024-01-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Afdk.yar#L21-L41"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Afdk.yar#L21-L41"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6723a9489e7cfb5e2d37ff9160d55cda065f06907122d73764849808018eb7a0"
- logic_hash = "0523a0cc3a4446f2ac88c72999568313c6b40f7f8975b8e332c0c6b1e48c5d76"
+ logic_hash = "v1_sha256_0523a0cc3a4446f2ac88c72999568313c6b40f7f8975b8e332c0c6b1e48c5d76"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90495,10 +90657,10 @@ rule ELASTIC_Windows_Ransomware_Grief_9953339A : FILE MEMORY
 date = "2021-08-04"
 modified = "2021-10-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Grief.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Grief.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0"
- logic_hash = "f99ea1e1f59dc2999659cbe649e76001dd7139b1438440717b60f081d1e99d70"
+ logic_hash = "v1_sha256_f99ea1e1f59dc2999659cbe649e76001dd7139b1438440717b60f081d1e99d70"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90524,10 +90686,10 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_21B60705 : FILE MEMORY
 date = "2023-03-19"
 modified = "2023-04-23"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Rhadamanthys.yar#L1-L25"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Rhadamanthys.yar#L1-L25"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3ba97c51ba503fa4bdcfd5580c75436bc88794b4ae883afa1d92bb0b2a0f5efe"
- logic_hash = "ef3f60689d72553111b42b27e0a1a0316288ae07fbfaf159eea8c76380d528fa"
+ logic_hash = "v1_sha256_ef3f60689d72553111b42b27e0a1a0316288ae07fbfaf159eea8c76380d528fa"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -90559,10 +90721,10 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_1Da1C2C2 : FILE MEMORY
 date = "2023-03-28"
 modified = "2023-04-23"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Rhadamanthys.yar#L27-L52"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Rhadamanthys.yar#L27-L52"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9bfc4fed7afc79a167cac173bf3602f9d1f90595d4e41dab68ff54973f2cedc1"
- logic_hash = "bf5d45fe79dacfc6aee5cfd788ec6ce77e99e55d5a6d294da57c126bedf75ee9"
+ logic_hash = "v1_sha256_bf5d45fe79dacfc6aee5cfd788ec6ce77e99e55d5a6d294da57c126bedf75ee9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90595,10 +90757,10 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_Ae00F48C : FILE MEMORY
 date = "2023-05-05"
 modified = "2023-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Rhadamanthys.yar#L54-L74"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Rhadamanthys.yar#L54-L74"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "56b5ff5132ec1c5836223ced287d51a9ecee8d2b081f449245e136b1262a8714"
- logic_hash = "423b68717a7aead3c871e7fc744e35dad1cfd7727bfba2bdaec69fb782540380"
+ logic_hash = "v1_sha256_423b68717a7aead3c871e7fc744e35dad1cfd7727bfba2bdaec69fb782540380"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -90626,10 +90788,10 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_Cf5Dd2E2 : FILE MEMORY
 date = "2024-04-03"
 modified = "2024-05-08"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Rhadamanthys.yar#L76-L97"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Rhadamanthys.yar#L76-L97"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "39ccc224c2c6d89d0bce3d9e2c677465cbc7524f2d2aa903f79ad26b340dec3d"
- logic_hash = "039d6de0d072be6717ba3eb90735d7b4898d3bbac83db4feb75efcdbca8fd98b"
+ logic_hash = "v1_sha256_039d6de0d072be6717ba3eb90735d7b4898d3bbac83db4feb75efcdbca8fd98b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90658,10 +90820,10 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_C4760266 : FILE MEMORY
 date = "2024-06-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Rhadamanthys.yar#L99-L117"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Rhadamanthys.yar#L99-L117"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165"
- logic_hash = "b8c1c56681aac4e1b1741dfa3ea929677214873b6f1795423a80742f699249de"
+ logic_hash = "v1_sha256_b8c1c56681aac4e1b1741dfa3ea929677214873b6f1795423a80742f699249de"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90687,10 +90849,10 @@ rule ELASTIC_Windows_Trojan_Lokibot_1F885282 : FILE MEMORY
 date = "2021-06-22"
 modified = "2021-08-23"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Lokibot.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Lokibot.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409"
- logic_hash = "c76941a83e18f11ed5af701e89616d324ddba613a95069997ea8f1830f328307"
+ logic_hash = "v1_sha256_c76941a83e18f11ed5af701e89616d324ddba613a95069997ea8f1830f328307"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90716,10 +90878,10 @@ rule ELASTIC_Windows_Trojan_Lokibot_0F421617 : FILE MEMORY
 date = "2021-07-20"
 modified = "2021-08-23"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Lokibot.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Lokibot.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080"
- logic_hash = "0076ccbe43ae77e3a80164d43832643f077e659a595fff01c87694e2274c5e86"
+ logic_hash = "v1_sha256_0076ccbe43ae77e3a80164d43832643f077e659a595fff01c87694e2274c5e86"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90745,9 +90907,9 @@ rule ELASTIC_Windows_Trojan_P8Loader_E478A831 : FILE MEMORY
 date = "2023-04-13"
 modified = "2023-05-26"
 reference = "https://www.elastic.co/security-labs/elastic-charms-spectralviper"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_P8Loader.yar#L1-L26"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "f1a7de6bb4477ea82c18aea1ddc4481de2fc362ce5321f4205bb3b74c1c45a7e"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_P8Loader.yar#L1-L26"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_f1a7de6bb4477ea82c18aea1ddc4481de2fc362ce5321f4205bb3b74c1c45a7e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90780,10 +90942,10 @@ rule ELASTIC_Windows_Trojan_Stealc_B8Ab9Ab5 : FILE MEMORY
 date = "2024-03-13"
 modified = "2024-03-21"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Stealc.yar#L1-L27"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Stealc.yar#L1-L27"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0d1c07c84c54348db1637e21260dbed09bd6b7e675ef58e003d0fe8f017fd2c8"
- logic_hash = "5fc5d5cea481d1d204d1aa6c52679a23eb59438df2fe547d14c00524772867bb"
+ logic_hash = "v1_sha256_5fc5d5cea481d1d204d1aa6c52679a23eb59438df2fe547d14c00524772867bb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90806,7 +90968,7 @@ rule ELASTIC_Windows_Trojan_Stealc_B8Ab9Ab5 : FILE MEMORY
 $str5 = "/c timeout /t 5 & del /f /q" ascii fullword
 condition:
- (2 of ($seq*) or 4 of ($str*))
+ (2 of ( $seq* ) or 4 of ( $str* ) )
 }
 rule ELASTIC_Windows_Trojan_Stealc_A2B71Dc4 : FILE MEMORY
 {
@@ -90817,10 +90979,10 @@ rule ELASTIC_Windows_Trojan_Stealc_A2B71Dc4 : FILE MEMORY
 date = "2024-03-13"
 modified = "2024-03-21"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Stealc.yar#L29-L50"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Stealc.yar#L29-L50"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0d1c07c84c54348db1637e21260dbed09bd6b7e675ef58e003d0fe8f017fd2c8"
- logic_hash = "b79ac3e65cd7d2819d6a49f59ec661241c97174f66a7c4ada91932f10fc43583"
+ logic_hash = "v1_sha256_b79ac3e65cd7d2819d6a49f59ec661241c97174f66a7c4ada91932f10fc43583"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90838,7 +91000,7 @@ rule ELASTIC_Windows_Trojan_Stealc_A2B71Dc4 : FILE MEMORY
 $seq_4 = { 6A 7C 58 66 89 45 FC 8D 45 F0 50 8D 45 FC 50 FF 75 08 C7 45 F8 01 }
 condition:
- 2 of ($seq*)
+ 2 of ( $seq* )
 }
 rule ELASTIC_Windows_Trojan_Stealc_5D3F297C : FILE MEMORY
 {
@@ -90849,10 +91011,10 @@ rule ELASTIC_Windows_Trojan_Stealc_5D3F297C : FILE MEMORY
 date = "2024-03-05"
 modified = "2024-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Stealc.yar#L52-L70"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Stealc.yar#L52-L70"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "885c8cd8f7ad93f0fd43ba4fb7f14d94dfdee3d223715da34a6e2fbb4d25b9f4"
- logic_hash = "556d3bc9374a5ec23faa410900dfc94b5534434c9733165355d281976444a42b"
+ logic_hash = "v1_sha256_556d3bc9374a5ec23faa410900dfc94b5534434c9733165355d281976444a42b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90878,10 +91040,10 @@ rule ELASTIC_Linux_Cryptominer_Presenoker_3Bb5533D : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Presenoker.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Presenoker.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "bbc155c610c7aa439f98e32f97895d7eeaef06dab7cca05a5179b0eb3ba3cc00"
- logic_hash = "13bf69ea6bc7df5ba9ebffe67234657f2ecab99e28fd76d0bbedceaf9706a4dd"
+ logic_hash = "v1_sha256_13bf69ea6bc7df5ba9ebffe67234657f2ecab99e28fd76d0bbedceaf9706a4dd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -90907,10 +91069,10 @@ rule ELASTIC_Windows_Hacktool_Sharpmove_05E28928 : FILE MEMORY
 date = "2022-11-20"
 modified = "2023-01-11"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpMove.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpMove.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "051f60f9f4665b96f764810defe9525ae7b4f9898249b83a23094cee63fa0c3b"
- logic_hash = "021a56dd47d9929e71b82b00d24aa8969a31945681dcf414c69b8d175fb0b6eb"
+ logic_hash = "v1_sha256_021a56dd47d9929e71b82b00d24aa8969a31945681dcf414c69b8d175fb0b6eb"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -90929,7 +91091,7 @@ rule ELASTIC_Windows_Hacktool_Sharpmove_05E28928 : FILE MEMORY
 $print_str3 = "[+] Executing DCOM ExcelDDE : {0}" ascii wide fullword
 condition:
- $guid or all of ($print_str*)
+ $guid or all of ( $print_str* )
 }
 rule ELASTIC_Windows_Vulndriver_Mtcbsv_7F6D642E : FILE
 {
@@ -90940,10 +91102,10 @@ rule ELASTIC_Windows_Vulndriver_Mtcbsv_7F6D642E : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_MtcBsv.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_MtcBsv.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c" - logic_hash = "dfd53a2b97ad722307561fc5f109dcba372bf600113786bb351ed1262fdc8556" + logic_hash = "v1_sha256_dfd53a2b97ad722307561fc5f109dcba372bf600113786bb351ed1262fdc8556" score = 75 quality = 75 tags = "FILE" @@ -90960,7 +91122,7 @@ rule ELASTIC_Windows_Vulndriver_Mtcbsv_7F6D642E : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x02][\x00-\x00])([\x00-\x15][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x14][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x15][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Macos_Trojan_Genieo_5E0F8980 : FILE MEMORY { 
@@ -90971,10 +91133,10 @@ rule ELASTIC_Macos_Trojan_Genieo_5E0F8980 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Genieo.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Genieo.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6c698bac178892dfe03624905256a7d9abe468121163d7507cade48cf2131170" - logic_hash = "76b725f6ae5755bb00d384ef2ae1511789487257d8bb7cb61b893226f03a803e" + logic_hash = "v1_sha256_76b725f6ae5755bb00d384ef2ae1511789487257d8bb7cb61b893226f03a803e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91000,10 +91162,10 @@ rule ELASTIC_Macos_Trojan_Genieo_37878473 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Genieo.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Genieo.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0fadd926f8d763f7f15e64f857e77f44a492dcf5dc82ae965d3ddf80cd9c7a0d" - logic_hash = "bb04ae4e0a98e0dbd0c0708d5e767306e38edf76de2671523f4bd43cbcbfefc2" + logic_hash = "v1_sha256_bb04ae4e0a98e0dbd0c0708d5e767306e38edf76de2671523f4bd43cbcbfefc2" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -91029,10 +91191,10 @@ rule ELASTIC_Macos_Trojan_Genieo_0D003634 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Genieo.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Genieo.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bcd391b58338efec4769e876bd510d0c4b156a7830bab56c3b56585974435d70" - logic_hash = "0412f88408fb14d1126ef091d0a5cc0ee2b2e39aeb241bef55208b59830ca993" + logic_hash = "v1_sha256_0412f88408fb14d1126ef091d0a5cc0ee2b2e39aeb241bef55208b59830ca993" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -91058,10 +91220,10 @@ rule ELASTIC_Macos_Trojan_Genieo_9E178C0B : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Genieo.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Genieo.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b7760e73195c3ea8566f3ff0427d85d6f35c6eec7ee9184f3aceab06da8845d8" - logic_hash = "212f96ca964aceeb80c6d3282d488cfbb74aeffb9c0c9dd840a3a28f9bbdcbea" + logic_hash = "v1_sha256_212f96ca964aceeb80c6d3282d488cfbb74aeffb9c0c9dd840a3a28f9bbdcbea" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -91087,10 +91249,10 @@ rule ELASTIC_Windows_Trojan_Njrat_30F3C220 : FILE MEMORY date = "2021-06-13" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Njrat.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Njrat.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b" - logic_hash = "76347165829415646f943bb984cd17ca138cf238d03f114c498dbcec081d5ae3" + logic_hash = "v1_sha256_76347165829415646f943bb984cd17ca138cf238d03f114c498dbcec081d5ae3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91121,10 +91283,10 @@ rule ELASTIC_Windows_Trojan_Njrat_Eb2698D2 : FILE MEMORY date = "2023-05-04" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Njrat.yar#L26-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Njrat.yar#L26-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d537397bc41f0a1cb964fa7be6658add5fe58d929ac91500fc7770c116d49608" - logic_hash = "c32a641f2d639f56a8137b3e0d0be3261fba30084eeba9d1205974713413af9f" + logic_hash = "v1_sha256_c32a641f2d639f56a8137b3e0d0be3261fba30084eeba9d1205974713413af9f" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -91150,10 +91312,10 @@ rule ELASTIC_Windows_Trojan_Blackwood_2B94Bce9 : FILE MEMORY date = "2024-03-22" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Blackwood.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Blackwood.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c37dd77f659059da7e12e13b063036ee69097a4d2f88c170832fff78f3788991" - logic_hash = "279e85ce3bb974ce5af541e7307cb2fd1031f36c9da013756883172a765b0e19" + logic_hash = "v1_sha256_279e85ce3bb974ce5af541e7307cb2fd1031f36c9da013756883172a765b0e19" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91175,7 +91337,7 @@ rule ELASTIC_Windows_Trojan_Blackwood_2B94Bce9 : FILE MEMORY $b5 = "AllocateAndInitializeSid Error %u" condition: - 1 of ($a*) or all of ($b*) + 1 of ( $a* ) or all of ( $b* ) } rule ELASTIC_Macos_Virus_Vsearch_0Dd3Ec6F : FILE MEMORY { 
@@ -91186,9 +91348,9 @@ rule ELASTIC_Macos_Virus_Vsearch_0Dd3Ec6F : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Virus_Vsearch.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "17a467b000117ea6c39fbd40b502ac9c7d59a97408c2cdfb09c65b2bb09924e5" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Virus_Vsearch.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_17a467b000117ea6c39fbd40b502ac9c7d59a97408c2cdfb09c65b2bb09924e5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91214,9 +91376,9 @@ rule ELASTIC_Macos_Virus_Vsearch_2A0419F8 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Virus_Vsearch.yar#L20-L37" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "fa9b811465e435bff5bc0f149ff65f57932c94f548a5ece4ec54ba775cdbb55a" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Virus_Vsearch.yar#L20-L37" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_fa9b811465e435bff5bc0f149ff65f57932c94f548a5ece4ec54ba775cdbb55a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91242,10 +91404,10 @@ rule ELASTIC_Windows_Wiper_Doublezero_65Ec0C50 : FILE MEMORY date = "2022-03-22" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Wiper_DoubleZero.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Wiper_DoubleZero.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe" - logic_hash = "bce33817d99f71b9d087ea079ef8db08b496315b72cf9d1cf6f0b107a604e52c" + logic_hash = "v1_sha256_bce33817d99f71b9d087ea079ef8db08b496315b72cf9d1cf6f0b107a604e52c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91275,9 +91437,9 @@ rule ELASTIC_Linux_Trojan_Ladvix_Db41F9D2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ladvix.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "81642b4ff1b6488098f019c5e992fc942916bc6eb593006cf91e878ac41509d6" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ladvix.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_81642b4ff1b6488098f019c5e992fc942916bc6eb593006cf91e878ac41509d6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91303,10 +91465,10 @@ rule ELASTIC_Linux_Trojan_Ladvix_77D184Fd : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ladvix.yar#L20-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ladvix.yar#L20-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1bb44b567b3c82f7ee0e08b16f7326d1af57efe77d608a96b2df43aab5faa9f7" - logic_hash = "0ae9c41d3eb7964344f71b9708278a0e83776228e4455cf0ad7c08e288305203" + logic_hash = "v1_sha256_0ae9c41d3eb7964344f71b9708278a0e83776228e4455cf0ad7c08e288305203" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91332,10 +91494,10 @@ rule ELASTIC_Linux_Trojan_Ladvix_C9888Edb : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ladvix.yar#L40-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ladvix.yar#L40-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1d798e9f15645de89d73e2c9d142189d2eaf81f94ecf247876b0b865be081dca" - logic_hash = "608f2340b0ee4b843933d8137aa0908583a6de477e6c472fb4bd2e5bb62dfb80" + logic_hash = "v1_sha256_608f2340b0ee4b843933d8137aa0908583a6de477e6c472fb4bd2e5bb62dfb80" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91361,9 +91523,9 @@ rule ELASTIC_Linux_Trojan_Ladvix_81Fccd74 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "2a183f613fca5ec30dfd82c9abf72ab88a2c57d2dd6f6483375913f81aa1c5af" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ladvix.yar#L60-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "18f7ca953d22f02c1dbf03595a19b66ea582d2c1623f0042dcf15f86556ca41e" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ladvix.yar#L60-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_18f7ca953d22f02c1dbf03595a19b66ea582d2c1623f0042dcf15f86556ca41e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91389,9 +91551,9 @@ rule ELASTIC_Windows_Trojan_Backoff_22798F00 : FILE MEMORY date = "2022-08-10" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Backoff.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "65b5aff18a4e0bc29d7cc4cfbe2d5882f99a855727fe467b2ba2e2851c43d21b" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Backoff.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_65b5aff18a4e0bc29d7cc4cfbe2d5882f99a855727fe467b2ba2e2851c43d21b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91422,10 +91584,10 @@ rule ELASTIC_Windows_Vulndriver_Gvci_F5A35359 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Gvci.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Gvci.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f" - logic_hash = "beb0c324358a016e708dae30a222373113a7eab8e3d90dfa1bbde6c2f7874362" + logic_hash = "v1_sha256_beb0c324358a016e708dae30a222373113a7eab8e3d90dfa1bbde6c2f7874362" score = 75 quality = 75 tags = "FILE" @@ -91440,7 +91602,7 @@ rule ELASTIC_Windows_Vulndriver_Gvci_F5A35359 : FILE $str1 = "\\GVCIDrv64.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Linux_Trojan_Psybnc_563Ecb11 : FILE MEMORY { 
@@ -91451,10 +91613,10 @@ rule ELASTIC_Linux_Trojan_Psybnc_563Ecb11 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Psybnc.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Psybnc.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f77216b169e8d12f22ef84e625159f3a51346c2b6777a1fcfb71268d17b06d39" - logic_hash = "b93e6ab097ccd4c348d228a48df098594e560e62256bfe019669ca9488221214" + logic_hash = "v1_sha256_b93e6ab097ccd4c348d228a48df098594e560e62256bfe019669ca9488221214" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91480,10 +91642,10 @@ rule ELASTIC_Linux_Trojan_Psybnc_Ab3396D5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Psybnc.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Psybnc.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c5ec84e7cc891af25d6319abb07b1cedd90b04cbb6c8656c60bcb07e60f0b620" - logic_hash = "8c083f66fc252a88395bb954a67d710d64f5b68efb9df4b60b260302874b400a" + logic_hash = "v1_sha256_8c083f66fc252a88395bb954a67d710d64f5b68efb9df4b60b260302874b400a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91509,10 +91671,10 @@ rule ELASTIC_Linux_Trojan_Psybnc_F07357F1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Psybnc.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Psybnc.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f77216b169e8d12f22ef84e625159f3a51346c2b6777a1fcfb71268d17b06d39" - logic_hash = "cfe217fe108de787600d1ef06ac6738d84aedfc46e5632143692a9f83cb62df7" + logic_hash = "v1_sha256_cfe217fe108de787600d1ef06ac6738d84aedfc46e5632143692a9f83cb62df7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91538,10 +91700,10 @@ rule ELASTIC_Linux_Exploit_Alie_E69De1Ee : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Alie.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Alie.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "882839549f062ab4cbe6df91336ed320eaf6c2300fc2ed64d1877426a0da567d" - logic_hash = "bb4625751c924b9ff5d32cc044fcff68892e82d9e94d679c4e4c8286f680a854" + logic_hash = "v1_sha256_bb4625751c924b9ff5d32cc044fcff68892e82d9e94d679c4e4c8286f680a854" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91567,10 +91729,10 @@ rule ELASTIC_Linux_Trojan_Springtail_35D5B90B : FILE MEMORY date = "2024-05-18" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Springtail.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Springtail.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213" - logic_hash = "7158e60aedfde884d9ee01457abfe6d9b6b1df9cdc1c415231d98429866eaa6c" + logic_hash = "v1_sha256_7158e60aedfde884d9ee01457abfe6d9b6b1df9cdc1c415231d98429866eaa6c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91601,11 +91763,11 @@ rule ELASTIC_Windows_Trojan_Solarmarker_D466E548 : FILE MEMORY date = "2023-12-12" modified = "2024-01-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SolarMarker.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SolarMarker.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "330f5067c93041821be4e7097cf32fb569e2e1d00e952156c9aafcddb847b873" hash = "e2a620e76352fa7ac58407a711821da52093d97d12293ae93d813163c58eb84b" - logic_hash = "c0792bc3c1a2f01ff4b8d0a12c95a74491c2805c876f95a26bbeaabecdff70e9" + logic_hash = "v1_sha256_c0792bc3c1a2f01ff4b8d0a12c95a74491c2805c876f95a26bbeaabecdff70e9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91631,10 +91793,10 @@ rule ELASTIC_Windows_Trojan_Solarmarker_08Bfc26B : FILE MEMORY date = "2024-05-29" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SolarMarker.yar#L22-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SolarMarker.yar#L22-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c1a6d2d78cc50f080f1fe4cadc6043027bf201d194f2b73625ce3664433a3966" - logic_hash = "b31b9f8460b606426c1101eba39a41a75c7ecaafc62388a6a5ac0f24057561ed" + logic_hash = "v1_sha256_b31b9f8460b606426c1101eba39a41a75c7ecaafc62388a6a5ac0f24057561ed" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91662,10 +91824,10 @@ rule ELASTIC_Windows_Trojan_Nighthawk_9F3A5Abb : FILE MEMORY date = "2022-11-24" modified = "2023-06-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Nighthawk.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Nighthawk.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94" - logic_hash = "27a34e48141fe260c16c12a2652e440d2540ca5f0c84b41c9c4762dcab44ffd4" + logic_hash = "v1_sha256_27a34e48141fe260c16c12a2652e440d2540ca5f0c84b41c9c4762dcab44ffd4" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91687,7 +91849,7 @@ rule ELASTIC_Windows_Trojan_Nighthawk_9F3A5Abb : FILE MEMORY $seq_byte_shift = { 48 83 C3 ?? 8D 4D ?? 48 03 CF 0F B6 41 ?? 0F B6 71 ?? C1 E6 08 0B F0 0F B6 41 ?? C1 E6 08 0B F0 0F B6 01 C1 E6 ?? 0B F0 41 3B 75 ?? 76 ?? B8 ?? ?? ?? ?? EB ?? } condition: - ($loader_build_iat0 and $loader_syscall_func) or (2 of ($seq*)) + ($loader_build_iat0 and $loader_syscall_func ) or ( 2 of ( $seq* ) ) } rule ELASTIC_Windows_Trojan_Nighthawk_2A2E3B9D : FILE MEMORY { 
@@ -91698,10 +91860,10 @@ rule ELASTIC_Windows_Trojan_Nighthawk_2A2E3B9D : FILE MEMORY date = "2022-11-24" modified = "2023-06-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Nighthawk.yar#L28-L47" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Nighthawk.yar#L28-L47" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf" - logic_hash = "c42605ebba900fafb4ec2d34d93bb7adb69e731ce151b82a95889dd0d738da00" + logic_hash = "v1_sha256_c42605ebba900fafb4ec2d34d93bb7adb69e731ce151b82a95889dd0d738da00" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91728,10 +91890,10 @@ rule ELASTIC_Windows_Trojan_Nighthawk_23489175 : FILE MEMORY date = "2023-06-14" modified = "2023-07-10" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Nighthawk.yar#L49-L74" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Nighthawk.yar#L49-L74" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "697742d5dd071add40b700022fd30424cb231ffde223d21bd83a44890e06762f" - logic_hash = "be41fc53f7098ca3cf718e8066a488196423ede993466c9a24ad2af387e03b24" + logic_hash = "v1_sha256_be41fc53f7098ca3cf718e8066a488196423ede993466c9a24ad2af387e03b24" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91753,7 +91915,7 @@ rule ELASTIC_Windows_Trojan_Nighthawk_23489175 : FILE MEMORY $seq_tcptable = { 41 BF 02 00 00 00 41 3B FF 74 ?? 83 FF 17 41 8B C7 75 ?? B8 08 00 00 00 } condition: - (1 of ($pdb)) or (2 of ($seq*)) + (1 of ( $pdb ) ) or ( 2 of ( $seq* ) ) } rule ELASTIC_Windows_Infostealer_Phemedronestealer_Bed8Ea8A : FILE MEMORY { 
@@ -91764,10 +91926,10 @@ rule ELASTIC_Windows_Infostealer_Phemedronestealer_Bed8Ea8A : FILE MEMORY date = "2024-03-21" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Infostealer_PhemedroneStealer.yar#L1-L30" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Infostealer_PhemedroneStealer.yar#L1-L30" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "38279fdad25c7972be9426cadb5ad5e3ee7e9761b0a41ed617945cb9a3713702" - logic_hash = "88fc33abfe6c7a611aa0c354645b06e9e74121ffc9a5acd20b4d3a59287489d6" + logic_hash = "v1_sha256_88fc33abfe6c7a611aa0c354645b06e9e74121ffc9a5acd20b4d3a59287489d6" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91793,7 +91955,7 @@ rule ELASTIC_Windows_Infostealer_Phemedronestealer_Bed8Ea8A : FILE MEMORY $b6 = "Phemedrone Stealer Report" condition: - all of ($a*) or all of ($b*) + all of ( $a* ) or all of ( $b* ) } rule ELASTIC_Windows_Ransomware_Bitpaymer_D74273B3 : BETA FILE MEMORY { 
@@ -91804,9 +91966,9 @@ rule ELASTIC_Windows_Ransomware_Bitpaymer_D74273B3 : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Bitpaymer.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "126246689b28e92ed10bfa6165f06ff7d4f0e062de7c58b821eaaf5e3cae9306" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Bitpaymer.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_126246689b28e92ed10bfa6165f06ff7d4f0e062de7c58b821eaaf5e3cae9306" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -91822,7 +91984,7 @@ rule ELASTIC_Windows_Ransomware_Bitpaymer_D74273B3 : BETA FILE MEMORY $b1 = { 24 E8 00 00 00 29 F0 19 F9 89 8C 24 88 00 00 00 89 84 24 84 00 } condition: - 1 of ($b*) + 1 of ( $b* ) } rule ELASTIC_Windows_Ransomware_Bitpaymer_Bca25Ac6 : BETA FILE MEMORY { 
@@ -91833,9 +91995,9 @@ rule ELASTIC_Windows_Ransomware_Bitpaymer_Bca25Ac6 : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Bitpaymer.yar#L22-L48" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7670f9dafacc8fc5998c1974af66ede388c0997545da067648fec4fd053f0001" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Bitpaymer.yar#L22-L48" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7670f9dafacc8fc5998c1974af66ede388c0997545da067648fec4fd053f0001" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -91858,7 +92020,7 @@ rule ELASTIC_Windows_Ransomware_Bitpaymer_Bca25Ac6 : BETA FILE MEMORY $a8 = "k:\\softcare\\release\\h2O.pdb" fullword condition: - 1 of ($a*) + 1 of ( $a* ) } rule ELASTIC_Macos_Infostealer_Mdquerytoken_1C52D574 : FILE MEMORY { 
@@ -91869,9 +92031,9 @@ rule ELASTIC_Macos_Infostealer_Mdquerytoken_1C52D574 : FILE MEMORY date = "2023-04-11" modified = "2024-08-19" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Infostealer_MdQueryToken.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "ede29154aae99bb67075e21acb694b089f9a1b366a4e2505cb761142393994a8" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Infostealer_MdQueryToken.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_ede29154aae99bb67075e21acb694b089f9a1b366a4e2505cb761142393994a8" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -91887,7 +92049,7 @@ rule ELASTIC_Macos_Infostealer_Mdquerytoken_1C52D574 : FILE MEMORY $string2 = /kMDItemDisplayName\s{1,50}==\s{1,50}\S{1,50}token\S{1,50}/ ascii wide nocase condition: - any of ($string1,$string2) + any of ( $string1 , $string2 ) } rule ELASTIC_Macos_Virus_Pirrit_271B8Ed0 : FILE MEMORY { 
@@ -91898,10 +92060,10 @@ rule ELASTIC_Macos_Virus_Pirrit_271B8Ed0 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Virus_Pirrit.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Virus_Pirrit.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7feda05d41b09c06a08c167c7f4dde597ac775c54bf0d74a82aa533644035177" - logic_hash = "cb77f6df1403afbc7f45d30551559b6de7eb1c3434778b46d31754da0a1b1f10" + logic_hash = "v1_sha256_cb77f6df1403afbc7f45d30551559b6de7eb1c3434778b46d31754da0a1b1f10" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91927,10 +92089,10 @@ rule ELASTIC_Windows_Hacktool_Sharpchromium_41Ce5080 : FILE MEMORY date = "2022-11-20" modified = "2023-01-11" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpChromium.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpChromium.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9dd65aa53728d51f0f3b9aaf51a24f8a2c3f84b4a4024245575975cf9ad7f2e5" - logic_hash = "50972a6e6af1d7076243320fb6559193e0c46ac1300aa62d12390fdeb2fffdcd" + logic_hash = "v1_sha256_50972a6e6af1d7076243320fb6559193e0c46ac1300aa62d12390fdeb2fffdcd" score = 75 quality = 48 tags = "FILE, MEMORY" @@ -91949,7 +92111,7 @@ rule ELASTIC_Windows_Hacktool_Sharpchromium_41Ce5080 : FILE MEMORY $print_str3 = "[*] {0} {1} extraction." ascii wide fullword condition: - $guid or all of ($print_str*) + $guid or all of ( $print_str* ) } rule ELASTIC_Windows_Trojan_Pingpull_09Dd9559 : FILE MEMORY { 
@@ -91960,10 +92122,10 @@ rule ELASTIC_Windows_Trojan_Pingpull_09Dd9559 : FILE MEMORY date = "2022-06-16" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Pingpull.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Pingpull.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761" - logic_hash = "114674b1a9acfc7643138d3b07885343a50c9d319b8d22a6ef34e916685c4469" + logic_hash = "v1_sha256_114674b1a9acfc7643138d3b07885343a50c9d319b8d22a6ef34e916685c4469" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91995,10 +92157,10 @@ rule ELASTIC_Windows_Trojan_Privateloader_96Ac2734 : FILE MEMORY date = "2023-01-03" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PrivateLoader.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PrivateLoader.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "077225467638a420cf29fb9b3f0241416dcb9ed5d4ba32fdcf2bf28f095740bb" - logic_hash = "9f96f1c54853866e124d0996504e6efd3d154111390617999cc10520d7f68fe6" + logic_hash = "v1_sha256_9f96f1c54853866e124d0996504e6efd3d154111390617999cc10520d7f68fe6" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92016,7 +92178,7 @@ rule ELASTIC_Windows_Trojan_Privateloader_96Ac2734 : FILE MEMORY $str2 = "https://db-ip.com/" wide condition: - all of ($str*) and #xor_decrypt>3 + all of ( $str* ) and #xor_decrypt > 3 } rule ELASTIC_Linux_Virus_Thebe_1Eb5985A : FILE MEMORY { 
@@ -92027,10 +92189,10 @@ rule ELASTIC_Linux_Virus_Thebe_1Eb5985A : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Virus_Thebe.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Virus_Thebe.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "30af289be070f4e0f8761f04fb44193a037ec1aab9cc029343a1a1f2a8d67670" - logic_hash = "7d4bc4b1615048dec1f1fac599afa667e06ccb369bb1242b25887e0ce2a5066a" + logic_hash = "v1_sha256_7d4bc4b1615048dec1f1fac599afa667e06ccb369bb1242b25887e0ce2a5066a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92056,10 +92218,10 @@ rule ELASTIC_Windows_Trojan_Onlylogger_B9E88336 : FILE MEMORY date = "2022-03-22" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_OnlyLogger.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_OnlyLogger.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "69876ee4d89ba68ee86f1a4eaf0a7cb51a012752e14c952a177cd5ffd8190986" - logic_hash = "b8d1c4c1e33fc0b54a62f82b8f53c9a1b051ad8c2f578d2a43f504158d1d9247" + logic_hash = "v1_sha256_b8d1c4c1e33fc0b54a62f82b8f53c9a1b051ad8c2f578d2a43f504158d1d9247" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92077,7 +92239,7 @@ rule ELASTIC_Windows_Trojan_Onlylogger_B9E88336 : FILE MEMORY $b3 = "WinHttpSendRequest" ascii fullword condition: - 1 of ($a*) or all of ($b*) + 1 of ( $a* ) or all of ( $b* ) } rule ELASTIC_Windows_Trojan_Onlylogger_Ec14D5F2 : FILE MEMORY { 
@@ -92088,10 +92250,10 @@ rule ELASTIC_Windows_Trojan_Onlylogger_Ec14D5F2 : FILE MEMORY date = "2022-03-22" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_OnlyLogger.yar#L24-L46" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_OnlyLogger.yar#L24-L46" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f45adcc2aad5c0fd900df4521f404bc9ca71b01e3378a5490f5ae2f0c711912e" - logic_hash = "2838851a5e013705b64625801d2ab1d56cfc17c52f75a5fd71448cb0a4b4b683" + logic_hash = "v1_sha256_2838851a5e013705b64625801d2ab1d56cfc17c52f75a5fd71448cb0a4b4b683" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92121,10 +92283,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_01365E46 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172" - logic_hash = "4d61de2cb37e12f62326c1717f6ed44554f5d2aa7ede6033d0c988e5e64df54d" + logic_hash = "v1_sha256_4d61de2cb37e12f62326c1717f6ed44554f5d2aa7ede6033d0c988e5e64df54d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92150,9 +92312,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_06Fd4Ac4 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "bde387f1e22d1399fb99f6d41732a37635d8e90f29626f2995914a073a7cac89" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_bde387f1e22d1399fb99f6d41732a37635d8e90f29626f2995914a073a7cac89" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92179,9 +92341,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_Ce4305D1 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L41-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c547114475383e5d84f6b8cb72585ddd5778ae3afa491deddeef8a5ec56be1b5" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L41-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c547114475383e5d84f6b8cb72585ddd5778ae3afa491deddeef8a5ec56be1b5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92207,9 +92369,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_1E56Fad7 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L60-L77" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "815b37804f79fb4607e6b84294882d818233c3df13aececb3d341244900a2e44" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L60-L77" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_815b37804f79fb4607e6b84294882d818233c3df13aececb3d341244900a2e44" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92235,9 +92397,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_93C9A2A4 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L79-L96" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "dadeeba6147b118b80e014ab067eac7a2c3c2990958a6c7016562d8b64fef53c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L79-L96" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_dadeeba6147b118b80e014ab067eac7a2c3c2990958a6c7016562d8b64fef53c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92263,9 +92425,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_5340Afa3 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L98-L115" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8b9d3c978f0c4a04ee5b3446b990172206b17496036bc1cc04180ea7e9b99734" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L98-L115" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8b9d3c978f0c4a04ee5b3446b990172206b17496036bc1cc04180ea7e9b99734" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92291,9 +92453,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_E7932501 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L117-L134" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "f82704a408a0cf1def2a5926dc4c02fa56afea1422c88ba41af50d44c60edb07" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L117-L134" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_f82704a408a0cf1def2a5926dc4c02fa56afea1422c88ba41af50d44c60edb07" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92319,9 +92481,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_Cd0868D5 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L136-L153" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "053a99e5e722fd2aa1cae96266cc344954f9c3a12d0851fa9d5e95a6420651f4" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L136-L153" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_053a99e5e722fd2aa1cae96266cc344954f9c3a12d0851fa9d5e95a6420651f4" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92347,9 +92509,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_515504E2 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L155-L172" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "5410068e09de4a1283f98f6364ddf243373e228ba060b00699db6323f1167684" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L155-L172" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_5410068e09de4a1283f98f6364ddf243373e228ba060b00699db6323f1167684" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92375,9 +92537,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_A0Fc8F35 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L174-L191" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7ab2b45ddfc1d7fa409a6ea3dfd8d4940e1bdf3fc0cb6c7e8d49c60e7bda5b1b" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L174-L191" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7ab2b45ddfc1d7fa409a6ea3dfd8d4940e1bdf3fc0cb6c7e8d49c60e7bda5b1b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92403,9 +92565,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_Cb95Dc06 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L193-L210" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "563b2311d37ace2d09601a70325352db3fcbf135e7ce518965f5410081b5d626" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L193-L210" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_563b2311d37ace2d09601a70325352db3fcbf135e7ce518965f5410081b5d626" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92431,9 +92593,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_9D4D3Fa4 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L212-L229" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7c3c9917a95248fd990b6947a0304ded473bf1bcceec8f4498a7955e879d348b" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L212-L229" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7c3c9917a95248fd990b6947a0304ded473bf1bcceec8f4498a7955e879d348b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92459,9 +92621,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_34F00046 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L231-L248" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "f9d646645d6726e3aac5cc3eaea9edf1c89c7e743aff7cfa73998a72f3446711" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L231-L248" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_f9d646645d6726e3aac5cc3eaea9edf1c89c7e743aff7cfa73998a72f3446711" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92487,9 +92649,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_F2A18B09 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L250-L267" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c4c4b0b1df1e8fde87284fb27d46e917c47b479a675fec60faeca6185511907d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L250-L267" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c4c4b0b1df1e8fde87284fb27d46e917c47b479a675fec60faeca6185511907d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92515,9 +92677,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_D916Ae65 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L269-L286" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "e0aafe498cd9f0e8addfef78027943a754ca797aafae0cb40f1c6425de501339" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L269-L286" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e0aafe498cd9f0e8addfef78027943a754ca797aafae0cb40f1c6425de501339" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92543,9 +92705,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_52722678 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L288-L305" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "6340171fdde68b32de480f1f410aa4c491a8fffa7c1f699bf5fa72a12ecb77b8" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L288-L305" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_6340171fdde68b32de480f1f410aa4c491a8fffa7c1f699bf5fa72a12ecb77b8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92571,9 +92733,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_28A60148 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L307-L324" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "20a26ed3f0da3a77867597494bf0069a2093ec19b1c5e179c0e7934c1b69d4b9" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L307-L324" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_20a26ed3f0da3a77867597494bf0069a2093ec19b1c5e179c0e7934c1b69d4b9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92599,9 +92761,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_997B25A0 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L326-L343" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "ca688086c4628c64c32a99083d620bcb5373e3100d154331451a3e9f86081aca" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L326-L343" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_ca688086c4628c64c32a99083d620bcb5373e3100d154331451a3e9f86081aca" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92627,9 +92789,9 @@ rule ELASTIC_Windows_Trojan_Trickbot_B17B33A1 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L345-L362" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7fa69674d1e985bafe310597f23ae80113136768141f0a1931baf88b2509e6ef" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L345-L362" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7fa69674d1e985bafe310597f23ae80113136768141f0a1931baf88b2509e6ef" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -92655,10 +92817,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_23D77Ae5 : FILE MEMORY date = "2021-03-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L364-L396" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L364-L396" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "844974a2d3266e1f9ba275520c0e8a5d176df69a0ccd5135b99facf798a5d209" - logic_hash = "e5f5cf854ebd0e25fffbd6796217f22223a06937e1cacb33baa105ac41731256" + logic_hash = "v1_sha256_e5f5cf854ebd0e25fffbd6796217f22223a06937e1cacb33baa105ac41731256" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92687,7 +92849,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_23D77Ae5 : FILE MEMORY $a14 = "/chrome.exe {URL}" ascii fullword condition: - 4 of ($a*) + 4 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_5574Be7D : FILE MEMORY { 
@@ -92698,10 +92860,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_5574Be7D : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L398-L432" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L398-L432" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8c5c0d27153f60ef8aec57def2f88e3d5f9a7385b5e8b8177bab55fa7fac7b18" - logic_hash = "ed0fc98c5d628ce38b923e1410eaf7a4a65ecffea42bed35314e30c99a52219b" + logic_hash = "v1_sha256_ed0fc98c5d628ce38b923e1410eaf7a4a65ecffea42bed35314e30c99a52219b" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -92732,7 +92894,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_5574Be7D : FILE MEMORY $a16 = "" ascii fullword condition: - 4 of ($a*) + 4 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_1473F0B4 : FILE MEMORY { 
@@ -92743,10 +92905,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_1473F0B4 : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L434-L459" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L434-L459" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9cfb441eb5c60ab1c90b58d4878543ee554ada2cceee98d6b867e73490d30fec" - logic_hash = "dc13625e58c029c60b8670f8e63cd7786bf3e9705c462f3cbbf5b39e7c02f9a1" + logic_hash = "v1_sha256_dc13625e58c029c60b8670f8e63cd7786bf3e9705c462f3cbbf5b39e7c02f9a1" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -92768,7 +92930,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_1473F0B4 : FILE MEMORY $a7 = "Content-Length: %d" ascii fullword condition: - 2 of ($a*) + 2 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_Dcf25Dde : FILE MEMORY { 
@@ -92779,10 +92941,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_Dcf25Dde : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L461-L502" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L461-L502" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ba2a255671d33677cab8d93531eb25c0b1f1ac3e3085b95365a017463662d787" - logic_hash = "64d15d92faf0919a8fa1ce6772750cde47eaa24b09cf4243393777334bad9712" + logic_hash = "v1_sha256_64d15d92faf0919a8fa1ce6772750cde47eaa24b09cf4243393777334bad9712" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -92820,7 +92982,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Dcf25Dde : FILE MEMORY $a23 = "Admin E-mail: %s" wide fullword condition: - 4 of ($a*) + 4 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_46Dc12Dd : FILE MEMORY { 
@@ -92831,10 +92993,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_46Dc12Dd : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L504-L528" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L504-L528" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bf38a787aee5afdcab00b95ccdf036bc7f91f07151b4444b54165bb70d649ce5" - logic_hash = "e01209a83f4743cbad7dda01595c053277868bd47208e48214b557ae339b5b3c" + logic_hash = "v1_sha256_e01209a83f4743cbad7dda01595c053277868bd47208e48214b557ae339b5b3c" score = 50 quality = 75 tags = "FILE, MEMORY" @@ -92855,7 +93017,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_46Dc12Dd : FILE MEMORY $a6 = "" ascii fullword condition: - 4 of ($a*) + 4 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_78A26074 : FILE MEMORY { 
@@ -92866,10 +93028,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_78A26074 : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L530-L564" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L530-L564" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8cd75fa8650ebcf0a6200283e474a081cc0be57307e54909ee15f4d04621dde0" - logic_hash = "3837c22f7f9d55f03cb0bc1336798f0e2a91549c187b9f5136491cbafd26ce6e" + logic_hash = "v1_sha256_3837c22f7f9d55f03cb0bc1336798f0e2a91549c187b9f5136491cbafd26ce6e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92900,7 +93062,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_78A26074 : FILE MEMORY $a16 = "TERM found: %d" wide fullword condition: - 3 of ($a*) + 3 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_217B9C97 : FILE MEMORY { 
@@ -92911,10 +93073,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_217B9C97 : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L566-L601" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L566-L601" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1e90a73793017720c9a020069ed1c87879174c19c3b619e5b78db8220a63e9b7" - logic_hash = "9b2b8a8154d4aba06029fd35d896331449f7baa961f183fb0cb47e890610ff99" + logic_hash = "v1_sha256_9b2b8a8154d4aba06029fd35d896331449f7baa961f183fb0cb47e890610ff99" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -92946,7 +93108,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_217B9C97 : FILE MEMORY $a17 = "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2" wide fullword condition: - 4 of ($a*) + 4 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_D2110921 : FILE MEMORY { 
@@ -92957,10 +93119,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_D2110921 : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L603-L632" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L603-L632" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "05ef40f7745db836de735ac73d6101406e1d9e58c6b5f5322254eb75b98d236a" - logic_hash = "39ef17836f29c358f596e0047d582b5f1d1af523c8f6354ac8a783eda9969554" + logic_hash = "v1_sha256_39ef17836f29c358f596e0047d582b5f1d1af523c8f6354ac8a783eda9969554" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -92986,7 +93148,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_D2110921 : FILE MEMORY $a11 = "ServiceInfoControl" ascii fullword condition: - 3 of ($a*) + 3 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_0114D469 : FILE MEMORY { 
@@ -92997,10 +93159,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_0114D469 : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L634-L667" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L634-L667" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "083cb35a7064aa5589efc544ac1ed1b04ec0f89f0e60383fcb1b02b63f4117e9" - logic_hash = "6ca8e73f758d3fa956fe53cc83abb43806359f93df05c42a58e2f394a1a3c117" + logic_hash = "v1_sha256_6ca8e73f758d3fa956fe53cc83abb43806359f93df05c42a58e2f394a1a3c117" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -93030,7 +93192,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_0114D469 : FILE MEMORY $a15 = "SELECT * FROM Win32_ComputerSystem" wide fullword condition: - 6 of ($a*) + 6 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_07239Dad : FILE MEMORY { 
@@ -93041,10 +93203,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_07239Dad : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L669-L703" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L669-L703" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dbd534f2b5739f89e99782563062169289f23aa335639a9552173bedc98bb834" - logic_hash = "231592d1a45798de6d22c922626ca28ef4019bae95d552a0f2822823d8dec384" + logic_hash = "v1_sha256_231592d1a45798de6d22c922626ca28ef4019bae95d552a0f2822823d8dec384" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -93075,7 +93237,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_07239Dad : FILE MEMORY $a16 = "NetServerStart" ascii fullword condition: - 6 of ($a*) + 6 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_Fd7A39Af : FILE MEMORY { 
@@ -93086,10 +93248,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_Fd7A39Af : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L705-L739" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L705-L739" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d5bb8d94b71d475b5eb9bb4235a428563f4104ea49f11ef02c8a08d2e859fd68" - logic_hash = "15cb286504e6167c78e194488555f565965a03e7714fe16692a115df26985a01" + logic_hash = "v1_sha256_15cb286504e6167c78e194488555f565965a03e7714fe16692a115df26985a01" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -93120,7 +93282,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Fd7A39Af : FILE MEMORY $a16 = "------MACHINE IN D-N------" wide fullword condition: - 5 of ($a*) + 5 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_2D89E9Cd : FILE MEMORY { 
@@ -93131,10 +93293,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_2D89E9Cd : FILE MEMORY date = "2021-03-29" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L741-L785" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L741-L785" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3963649ebfabe8f6277190be4300ecdb68d4b497ac5f81f38231d3e6c862a0a8" - logic_hash = "c15833687c2aed55aae0bb5de83c088cb66edeb4ad1964543522f5477c1f1942" + logic_hash = "v1_sha256_c15833687c2aed55aae0bb5de83c088cb66edeb4ad1964543522f5477c1f1942" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -93175,7 +93337,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_2D89E9Cd : FILE MEMORY $a26 = "Enter to Control: moduleHandle 0x%08X, unknown Ctl = \"%S\"" wide fullword condition: - 3 of ($a*) + 3 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_32930807 : FILE MEMORY { 
@@ -93186,10 +93348,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_32930807 : FILE MEMORY date = "2021-03-30" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L787-L808" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L787-L808" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d" - logic_hash = "e98503696bd72cab4d0d1633991bdb87c0537fd1e2d95507ccd474125328f318" + logic_hash = "v1_sha256_e98503696bd72cab4d0d1633991bdb87c0537fd1e2d95507ccd474125328f318" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93218,10 +93380,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_618B27D2 : FILE MEMORY date = "2021-03-30" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L810-L843" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L810-L843" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e" - logic_hash = "e66a9dd7efdbff8b9e30119d0e99187e3dfa4ca1c1bc1ade0f8f1003d10e2620" + logic_hash = "v1_sha256_e66a9dd7efdbff8b9e30119d0e99187e3dfa4ca1c1bc1ade0f8f1003d10e2620" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -93251,7 +93413,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_618B27D2 : FILE MEMORY $a15 = "CryptApi" ascii fullword condition: - 5 of ($a*) + 5 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_6Eb31E7B : FILE MEMORY { 
@@ -93262,10 +93424,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_6Eb31E7B : FILE MEMORY date = "2021-03-30" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L845-L872" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L845-L872" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3e3d82ea4764b117b71119e7c2eecf46b7c2126617eafccdfc6e96e13da973b1" - logic_hash = "5b6902c8644c79bd183725f0e41bf2f7ae425bf0eb1dddea6fd1a38b77f176ba" + logic_hash = "v1_sha256_5b6902c8644c79bd183725f0e41bf2f7ae425bf0eb1dddea6fd1a38b77f176ba" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -93289,7 +93451,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_6Eb31E7B : FILE MEMORY $a9 = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" wide fullword condition: - 5 of ($a*) + 5 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_91516Cf4 : FILE MEMORY { 
@@ -93300,10 +93462,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_91516Cf4 : FILE MEMORY date = "2021-03-30" modified = "2021-08-31" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L874-L896" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L874-L896" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6cd0d4666553fd7184895502d48c960294307d57be722ebb2188b004fc1a8066" - logic_hash = "6c0bdd6827bebb337c0012cdb6e931cd96ce2ad61f3764f288b96ff049b2d007" + logic_hash = "v1_sha256_6c0bdd6827bebb337c0012cdb6e931cd96ce2ad61f3764f288b96ff049b2d007" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93333,10 +93495,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_Be718Af9 : FILE MEMORY date = "2021-03-30" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L898-L921" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L898-L921" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c1f1bc58456cff7413d7234e348d47a8acfdc9d019ae7a4aba1afc1b3ed55ffa" - logic_hash = "d020f7d1637fc4ee3246e97c9acae0be1782e688154bd109f53f807211beebd7" + logic_hash = "v1_sha256_d020f7d1637fc4ee3246e97c9acae0be1782e688154bd109f53f807211beebd7" score = 75 quality = 25 tags = "FILE, MEMORY" @@ -93356,7 +93518,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Be718Af9 : FILE MEMORY $a5 = "\"%pueuu%" ascii fullword condition: - 3 of ($a*) + 3 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_F8Dac4Bc : FILE MEMORY { 
@@ -93367,10 +93529,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_F8Dac4Bc : FILE MEMORY date = "2021-03-30" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L923-L954" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L923-L954" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "13d102d546b9384f944f2a520ba32fb5606182bed45a8bba681e4374d7e5e322" - logic_hash = "d4536aac0ee402abcb87826e45c892d6f39562bc1e39b72ae8880dc077f230d9" + logic_hash = "v1_sha256_d4536aac0ee402abcb87826e45c892d6f39562bc1e39b72ae8880dc077f230d9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -93398,7 +93560,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_F8Dac4Bc : FILE MEMORY $a13 = "rdp/mode" wide fullword condition: - 4 of ($a*) + 4 of ( $a* ) } rule ELASTIC_Windows_Trojan_Trickbot_9C0Fa8Fe : FILE MEMORY { 
@@ -93409,10 +93571,10 @@ rule ELASTIC_Windows_Trojan_Trickbot_9C0Fa8Fe : FILE MEMORY date = "2021-07-13" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Trickbot.yar#L956-L974" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Trickbot.yar#L956-L974" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f528c3ea7138df7c661d88fafe56d118b6ee1d639868212378232ca09dc9bfad" - logic_hash = "23aebc3139c34ecd609db7920fa0d5e194173409e1862555e4c468dad6c46299" + logic_hash = "v1_sha256_23aebc3139c34ecd609db7920fa0d5e194173409e1862555e4c468dad6c46299" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93438,10 +93600,10 @@ rule ELASTIC_Linux_Exploit_Cornelgen_584A227A : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Cornelgen.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Cornelgen.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c823cb669f1d6cb9258d6f0b187609c226af23396f9c5be26eb479e5722a9d97" - logic_hash = "db3b6bbab48074449ae8b404f8fa77d93cde1ab8e57bd4ad981ac2afb8226494" + logic_hash = "v1_sha256_db3b6bbab48074449ae8b404f8fa77d93cde1ab8e57bd4ad981ac2afb8226494" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93467,10 +93629,10 @@ rule ELASTIC_Linux_Exploit_Cornelgen_Be0Bc02D : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Cornelgen.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Cornelgen.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "24c0ba8ad4f543f9b0aff0d0b66537137bc78606b47ced9b6d08039bbae78d80" - logic_hash = "67c4f2d875f233b52fcbc24d9225c51af4dc09c27ce3915f0d756202bd4e5867" + logic_hash = "v1_sha256_67c4f2d875f233b52fcbc24d9225c51af4dc09c27ce3915f0d756202bd4e5867" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93496,10 +93658,10 @@ rule ELASTIC_Linux_Exploit_Cornelgen_03Ee53D3 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Cornelgen.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Cornelgen.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "711eafd09d4e5433be142d54db153993ee55b6c53779d8ec7e76ca534b4f81a5" - logic_hash = "e7d9c66621ad3c56f3bb8150c17b10495053d9485b2143750aeefd3c55ab7943" + logic_hash = "v1_sha256_e7d9c66621ad3c56f3bb8150c17b10495053d9485b2143750aeefd3c55ab7943" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93525,10 +93687,10 @@ rule ELASTIC_Windows_Trojan_Siestagraph_8C36Ddc1 : FILE MEMORY date = "2022-12-14" modified = "2022-12-15" reference = "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SiestaGraph.yar#L1-L28" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SiestaGraph.yar#L1-L28" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "50c2f1bb99d742d8ae0ad7c049362b0e62d2d219b610dcf25ba50c303ccfef54" - logic_hash = "17ce8090b88100f00c07df0599cd51dc7682f4c43de989ce58621df97eca42fb" + logic_hash = "v1_sha256_17ce8090b88100f00c07df0599cd51dc7682f4c43de989ce58621df97eca42fb" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -93551,7 +93713,7 @@ rule ELASTIC_Windows_Trojan_Siestagraph_8C36Ddc1 : FILE MEMORY $b4 = "delMail" ascii fullword condition: - all of ($a*) and 2 of ($b*) + all of ( $a* ) and 2 of ( $b* ) } rule ELASTIC_Windows_Trojan_Siestagraph_Ad3Fe5C6 : FILE MEMORY { 
@@ -93562,10 +93724,10 @@ rule ELASTIC_Windows_Trojan_Siestagraph_Ad3Fe5C6 : FILE MEMORY date = "2023-09-12" modified = "2023-09-20" reference = "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SiestaGraph.yar#L30-L56" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SiestaGraph.yar#L30-L56" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb" - logic_hash = "b625221b77803c2c052db09c90a76666cf9e0ae34cb0d59ae303e890e646e94b" + logic_hash = "v1_sha256_b625221b77803c2c052db09c90a76666cf9e0ae34cb0d59ae303e890e646e94b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93598,10 +93760,10 @@ rule ELASTIC_Windows_Trojan_Siestagraph_D801Ce71 : FILE MEMORY date = "2023-09-12" modified = "2023-09-20" reference = "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SiestaGraph.yar#L58-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SiestaGraph.yar#L58-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb" - logic_hash = "c2d00d64d69cb5d24d76f6c551b49aa1acef1e1bab96f7ed7facc148244a8370" + logic_hash = "v1_sha256_c2d00d64d69cb5d24d76f6c551b49aa1acef1e1bab96f7ed7facc148244a8370" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93629,10 +93791,10 @@ rule ELASTIC_Windows_Hacktool_Rubeus_43F18623 : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Rubeus.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Rubeus.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b7b4691ad1cdad7663c32d07e911a03d9cc8b104f724c2825fd4957007649235" - logic_hash = "8714f30e12c0dc61c83491a71dbf9f1e9b6bc66663a8f2c069e7a7841d52cf68" + logic_hash = "v1_sha256_8714f30e12c0dc61c83491a71dbf9f1e9b6bc66663a8f2c069e7a7841d52cf68" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -93655,7 +93817,7 @@ rule ELASTIC_Windows_Hacktool_Rubeus_43F18623 : FILE MEMORY $print_str7 = "[*] Using a TGT /ticket to request service tickets" ascii wide condition: - $guid or 4 of ($print_str*) + $guid or 4 of ( $print_str* ) } rule ELASTIC_Multi_Ransomware_Luna_8614D3D7 : FILE MEMORY { 
@@ -93666,10 +93828,10 @@ rule ELASTIC_Multi_Ransomware_Luna_8614D3D7 : FILE MEMORY date = "2022-08-02" modified = "2022-08-16" reference = "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_Luna.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_Luna.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51" - logic_hash = "14e40c5b1a21ba31664ed31b04bfc4a8646b3e31f96d39e0928a3d6a50d79307" + logic_hash = "v1_sha256_14e40c5b1a21ba31664ed31b04bfc4a8646b3e31f96d39e0928a3d6a50d79307" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -93691,7 +93853,7 @@ rule ELASTIC_Multi_Ransomware_Luna_8614D3D7 : FILE MEMORY $chunk_calculation1 = { 48 C1 EA 12 48 89 D0 48 C1 E0 05 48 29 D0 48 29 D0 48 3D C4 EA 00 00 } condition: - 5 of ($str_*) or all of ($chunk_*) + 5 of ( $str_* ) or all of ( $chunk_* ) } rule ELASTIC_Linux_Trojan_Badbee_231Cb054 : FILE MEMORY { 
@@ -93702,10 +93864,10 @@ rule ELASTIC_Linux_Trojan_Badbee_231Cb054 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Badbee.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Badbee.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "832ba859c3030e58b94398ff663ddfe27078946a83dcfc81a5ef88351d41f4e2" - logic_hash = "a1ed8f2da9b4f891a5c65d943424bb7c465f0d07e7756e292c617ce5ef14d182" + logic_hash = "v1_sha256_a1ed8f2da9b4f891a5c65d943424bb7c465f0d07e7756e292c617ce5ef14d182" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93731,10 +93893,10 @@ rule ELASTIC_Windows_Vulndriver_Marvinhw_37326842 : FILE date = "2022-07-21" modified = "2022-07-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_MarvinHW.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_MarvinHW.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - logic_hash = "f37290912ab7d997d718c074eef48a67a36444e9e97592b6be65855ade2ba246" + logic_hash = "v1_sha256_f37290912ab7d997d718c074eef48a67a36444e9e97592b6be65855ade2ba246" score = 50 quality = 75 tags = "FILE" 
@@ -93752,7 +93914,7 @@ rule ELASTIC_Windows_Vulndriver_Marvinhw_37326842 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x09][\x00-\x00])([\x00-\x04][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x08][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x08][\x00-\x00])([\x00-\x04][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x09][\x00-\x00])([\x00-\x04][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x07][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $subject_name and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $subject_name and $original_file_name and $version } rule ELASTIC_Macos_Cryptominer_Generic_D3F68E29 : FILE MEMORY { 
@@ -93763,10 +93925,10 @@ rule ELASTIC_Macos_Cryptominer_Generic_D3F68E29 : FILE MEMORY date = "2021-09-30" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Cryptominer_Generic.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Cryptominer_Generic.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d9c78c822dfd29a1d9b1909bf95cab2a9550903e8f5f178edeb7a5a80129fbdb" - logic_hash = "cc336e536e0f8dda47f9551dfabfc50c2094fffe4a69cdcec23824dd063dede0" + logic_hash = "v1_sha256_cc336e536e0f8dda47f9551dfabfc50c2094fffe4a69cdcec23824dd063dede0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93794,10 +93956,10 @@ rule ELASTIC_Macos_Cryptominer_Generic_365Ecbb9 : FILE MEMORY date = "2021-09-30" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Cryptominer_Generic.yar#L23-L41" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Cryptominer_Generic.yar#L23-L41" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e2562251058123f86c52437e82ea9ff32aae5f5227183638bc8aa2bc1b4fd9cf" - logic_hash = "66f16c8694c5cfde1b5e4eea03c530fa32a15022fa35acdbb676bb696e7deae2" + logic_hash = "v1_sha256_66f16c8694c5cfde1b5e4eea03c530fa32a15022fa35acdbb676bb696e7deae2" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -93823,10 +93985,10 @@ rule ELASTIC_Macos_Cryptominer_Generic_4E7D4488 : FILE MEMORY date = "2021-09-30" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Cryptominer_Generic.yar#L43-L61" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Cryptominer_Generic.yar#L43-L61" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e2562251058123f86c52437e82ea9ff32aae5f5227183638bc8aa2bc1b4fd9cf" - logic_hash = "708b21b687c8b853a9b5f8a50d31119e4f0a02a5b63f81ba1cac8c06acd19214" + logic_hash = "v1_sha256_708b21b687c8b853a9b5f8a50d31119e4f0a02a5b63f81ba1cac8c06acd19214" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -93852,10 +94014,10 @@ rule ELASTIC_Macos_Trojan_Hloader_A3945Baf : FILE MEMORY date = "2023-10-23" modified = "2023-10-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_HLoader.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_HLoader.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1" - logic_hash = "0383485b6bbcdae210a6c949f6796023b2f7ec3f1edbd2116207fc2b75a67849" + logic_hash = "v1_sha256_0383485b6bbcdae210a6c949f6796023b2f7ec3f1edbd2116207fc2b75a67849" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -93872,7 +94034,7 @@ rule ELASTIC_Macos_Trojan_Hloader_A3945Baf : FILE MEMORY $seq_rename = { 41 89 DE 84 DB 74 ?? 48 8B 7D ?? FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 4C 89 E7 E8 ?? ?? ?? ?? } condition: - 2 of ($seq*) + 2 of ( $seq* ) } rule ELASTIC_Linux_Trojan_Banload_D5E1C189 : FILE MEMORY { 
@@ -93883,10 +94045,10 @@ rule ELASTIC_Linux_Trojan_Banload_D5E1C189 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Banload.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Banload.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "48bf0403f777db5da9c6a7eada17ad4ddf471bd73ea6cf02817dd202b49204f4" - logic_hash = "3f0bee251152a8c835a3bf71dc33c2e150705713c50ca2cfdbeb69361ed91a09" + logic_hash = "v1_sha256_3f0bee251152a8c835a3bf71dc33c2e150705713c50ca2cfdbeb69361ed91a09" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93912,10 +94074,10 @@ rule ELASTIC_Linux_Exploit_Foda_F41E9Ef9 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Foda.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Foda.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6059a6dd039b5efa36ce97acbb01406128aaf6062429474e422624ee69783ca8" - logic_hash = "7b15fef304b91601a76c6fcf48a892105d6eedf5a3e2395ab7c2937a84709d9f" + logic_hash = "v1_sha256_7b15fef304b91601a76c6fcf48a892105d6eedf5a3e2395ab7c2937a84709d9f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93941,10 +94103,10 @@ rule ELASTIC_Linux_Ransomware_Noescape_6De58E0C : FILE MEMORY date = "2023-07-27" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_NoEscape.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_NoEscape.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561" - logic_hash = "c275d0cfdadcaabe57c432956e96b4bb344d947899fa5ad55b872e02b4d44274" + logic_hash = "v1_sha256_c275d0cfdadcaabe57c432956e96b4bb344d947899fa5ad55b872e02b4d44274" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -93972,10 +94134,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_83715433 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3648a407224634d76e82eceec84250a7506720a7f43a6ccf5873f478408fedba" - logic_hash = "7a7328322c2c1e128e267e92de0964e78ad9f49b7de8ec69d7f0632c69723a7d" + logic_hash = "v1_sha256_7a7328322c2c1e128e267e92de0964e78ad9f49b7de8ec69d7f0632c69723a7d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94001,9 +94163,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_28A2Fe0C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L21-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "04bbc6c40cdd71b4185222a822d18b96ec8427006221f213a1c9e4d9c689ce5c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L21-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_04bbc6c40cdd71b4185222a822d18b96ec8427006221f213a1c9e4d9c689ce5c" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -94029,10 +94191,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Eb96Cc26 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L40-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L40-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "440318179ba2419cfa34ea199b49ee6bdecd076883d26329bbca6dca9d39c500" - logic_hash = "3d8740a6cca4856a73ea745877a3eb39cbf3ad4ca612daabd197f551116efa04" + logic_hash = "v1_sha256_3d8740a6cca4856a73ea745877a3eb39cbf3ad4ca612daabd197f551116efa04" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94058,10 +94220,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_5008Aee6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L60-L78" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L60-L78" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b32cd71fcfda0a2fcddad49d8c5ba8d4d68867b2ff2cb3b49d1a0e358346620c" - logic_hash = "538bae17dcf0298e379f656e1dba794b75af6c7448a23253a51994bde9d30524" + logic_hash = "v1_sha256_538bae17dcf0298e379f656e1dba794b75af6c7448a23253a51994bde9d30524" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94087,10 +94249,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6321B565 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L80-L98" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L80-L98" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cd48addd392e7912ab15a5464c710055f696990fab564f29f13121e7a5e93730" - logic_hash = "ad5c73ab68059101acf2fd8cfb3d676fd1ff58811e1c4b9008c291361ee951b8" + logic_hash = "v1_sha256_ad5c73ab68059101acf2fd8cfb3d676fd1ff58811e1c4b9008c291361ee951b8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94116,10 +94278,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A6A2Adb9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L100-L118" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L100-L118" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df" - logic_hash = "8f5fc4cb1ad51178701509a44a793e119fe7e7fad97eafcac8be14fce64e3b7b" + logic_hash = "v1_sha256_8f5fc4cb1ad51178701509a44a793e119fe7e7fad97eafcac8be14fce64e3b7b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94145,10 +94307,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_C573932B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L120-L138" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L120-L138" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68" - logic_hash = "174a3fcebc1e17cc35ddc11fde1798164b5783fc51fdf16581a9690c3b4d6549" + logic_hash = "v1_sha256_174a3fcebc1e17cc35ddc11fde1798164b5783fc51fdf16581a9690c3b4d6549" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94174,9 +94336,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A10161Ce : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L140-L157" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "12ba13a746300d1ab1d0386b86ec224eebf4e6d0b3688495c2fee6a7eccc361d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L140-L157" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_12ba13a746300d1ab1d0386b86ec224eebf4e6d0b3688495c2fee6a7eccc361d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -94202,9 +94364,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Ae01D978 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L159-L176" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c6c22b11dc1f0d4996e5da92c6edf58b7d21d7be40da87ddd39ed0e2d4c84072" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L159-L176" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c6c22b11dc1f0d4996e5da92c6edf58b7d21d7be40da87ddd39ed0e2d4c84072" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94230,10 +94392,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9E9530A7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L178-L196" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L178-L196" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961" - logic_hash = "6a5a80e58c86a80f8954e678a2cc26b258d7d7c50047a3e71f3580f1780e3454" + logic_hash = "v1_sha256_6a5a80e58c86a80f8954e678a2cc26b258d7d7c50047a3e71f3580f1780e3454" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94259,10 +94421,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_5Bf62Ce4 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L198-L216" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L198-L216" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68" - logic_hash = "848e0c796584cfa21afc182da5f417f5467ae84c74f52cabc13e0f5de4990232" + logic_hash = "v1_sha256_848e0c796584cfa21afc182da5f417f5467ae84c74f52cabc13e0f5de4990232" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94288,10 +94450,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_F3D83A74 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L218-L236" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L218-L236" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df" - logic_hash = "2db46180e66c9268a97d63cd1c4eb8439e6882b4e3277bc4848e940e4d25482f" + logic_hash = "v1_sha256_2db46180e66c9268a97d63cd1c4eb8439e6882b4e3277bc4848e940e4d25482f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94317,9 +94479,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_807911A2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L238-L255" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "66b15304d5ed22daea666bd0e2b18726b8a058361ff8d69b974bfded933a4d8c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L238-L255" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_66b15304d5ed22daea666bd0e2b18726b8a058361ff8d69b974bfded933a4d8c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -94345,9 +94507,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9C18716C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L257-L274" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "0e70dc82b2049a6f5efcc501e18e6f87e04a2d50efcb5143240c68c4a924de52" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L257-L274" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_0e70dc82b2049a6f5efcc501e18e6f87e04a2d50efcb5143240c68c4a924de52" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94373,10 +94535,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Fbed4652 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L276-L294" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L276-L294" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2ea21358205612f5dc0d5f417c498b236c070509531621650b8c215c98c49467" - logic_hash = "fc1f501123ab7421034e183186b077f65838b475f883d4ff04e8fc8a283424ef" + logic_hash = "v1_sha256_fc1f501123ab7421034e183186b077f65838b475f883d4ff04e8fc8a283424ef" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94402,10 +94564,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_94A44Aa5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L296-L314" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L296-L314" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a7694202f9c32a9d73a571a30a9e4a431d5dfd7032a500084756ba9a48055dba" - logic_hash = "deb46c2960dc4868b7bac1255d8753895950bc066dec03674a714860ff72ef2c" + logic_hash = "v1_sha256_deb46c2960dc4868b7bac1255d8753895950bc066dec03674a714860ff72ef2c" score = 60 quality = 45 tags = "FILE, MEMORY" 
@@ -94431,10 +94593,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_E0673A90 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L316-L334" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L316-L334" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6" - logic_hash = "149147eedd66f9ca2dad9cb69f37abc849d44331ec1b5d2917ab3867ced0b274" + logic_hash = "v1_sha256_149147eedd66f9ca2dad9cb69f37abc849d44331ec1b5d2917ab3867ced0b274" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94460,10 +94622,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_821173Df : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L336-L354" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L336-L354" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "de7d1aff222c7d474e1a42b2368885ef16317e8da1ca3a63009bf06376026163" - logic_hash = "1c6c7666983c43176aa1a9628fb4352f8f11729e02dda13669ca2e62aed5f4ee" + logic_hash = "v1_sha256_1c6c7666983c43176aa1a9628fb4352f8f11729e02dda13669ca2e62aed5f4ee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94489,10 +94651,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_31796A40 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L356-L374" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L356-L374" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "227c7f13f7bdadf6a14cc85e8d2106b9d69ab80abe6fc0056af5edef3621d4fb" - logic_hash = "0e0e901d12edd77e77a205f8547f891f483fc8676493e9b7a324e970225af3c9" + logic_hash = "v1_sha256_0e0e901d12edd77e77a205f8547f891f483fc8676493e9b7a324e970225af3c9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94518,10 +94680,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_750Fe002 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L376-L394" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L376-L394" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68" - logic_hash = "eb9907d8a63822c2e3ab57d43dca8ede7876610f029e2f9c10c9eeace9ea0078" + logic_hash = "v1_sha256_eb9907d8a63822c2e3ab57d43dca8ede7876610f029e2f9c10c9eeace9ea0078" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94547,9 +94709,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6122Acdf : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L396-L413" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "140b32a8f2b7493b068e63a05b3d9baec6ec14c9f2062c7e760dde96335e29f1" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L396-L413" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_140b32a8f2b7493b068e63a05b3d9baec6ec14c9f2062c7e760dde96335e29f1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94575,10 +94737,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A0A4De11 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L415-L433" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L415-L433" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cf1ca1d824c8687e87a5b0275a0e39fa101442b4bbf470859ddda9982f9b3417" - logic_hash = "220c6ba82b906f070123b3bae9aafa72c0fb3bc8d5858a4f4bd65567076eb73d" + logic_hash = "v1_sha256_220c6ba82b906f070123b3bae9aafa72c0fb3bc8d5858a4f4bd65567076eb73d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94604,10 +94766,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A473Dcb6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L435-L453" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L435-L453" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7ba74e3cb0d633de0e8dbe6cfc49d4fc77dd0c02a5f1867cc4a1f1d575def97d" - logic_hash = "106ee9cd9c368674ae08b835f54dbb6918b553e3097aae9b0de88f55420f046b" + logic_hash = "v1_sha256_106ee9cd9c368674ae08b835f54dbb6918b553e3097aae9b0de88f55420f046b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94633,10 +94795,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_30444846 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L455-L473" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L455-L473" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c84b81d79d437bb9b8a6bad3646aef646f2a8e1f1554501139648d2f9de561da" - logic_hash = "26bc95efb2ea69fece52cf3ab38ce35891c77fc0dac3e26e5580ba3a88e112e9" + logic_hash = "v1_sha256_26bc95efb2ea69fece52cf3ab38ce35891c77fc0dac3e26e5580ba3a88e112e9" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -94662,9 +94824,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Ea92Cca8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L475-L492" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "5a9598b3fd37b15444063403a481df1a43894ddcbbd343961e1c770cb74180c9" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L475-L492" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_5a9598b3fd37b15444063403a481df1a43894ddcbbd343961e1c770cb74180c9" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -94690,10 +94852,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D4227Dbf : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L494-L512" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L494-L512" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961" - logic_hash = "7953b8d08834315a6ca2c0c8ac1ec7b74a6ffcb71cec4fc053c24e1b59232c0c" + logic_hash = "v1_sha256_7953b8d08834315a6ca2c0c8ac1ec7b74a6ffcb71cec4fc053c24e1b59232c0c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94719,10 +94881,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_09C3070E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L514-L532" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L514-L532" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df" - logic_hash = "f8f8e8883cf1e51fbaef81b8334ac5fa45a54682d285282da62c80e4aa50a48d" + logic_hash = "v1_sha256_f8f8e8883cf1e51fbaef81b8334ac5fa45a54682d285282da62c80e4aa50a48d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94748,10 +94910,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Fa19B8Fc : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L534-L552" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L534-L552" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a7cfc16ec33ec633cbdcbff3c4cefeed84d7cbe9ca1f4e2a3b3e43d39291cd6b" - logic_hash = "cddf3b9948b9bc685ff7d4c00377d0f80861169707777022297e549bd166dbf0" + logic_hash = "v1_sha256_cddf3b9948b9bc685ff7d4c00377d0f80861169707777022297e549bd166dbf0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94777,10 +94939,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Eaa9A668 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L554-L572" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L554-L572" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "409c55110d392aed1a9ec98a6598fb8da86ab415534c8754aa48e3949e7c4b62" - logic_hash = "05e9047342a9d081a09f8514f0ec32d72bc43a286035014ada90b0243f92cfa8" + logic_hash = "v1_sha256_05e9047342a9d081a09f8514f0ec32d72bc43a286035014ada90b0243f92cfa8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94806,10 +94968,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_46Eec778 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L574-L592" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L574-L592" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9526277255a8d632355bfe54d53154c9c54a4ab75e3ba24333c73ad0ed7cadb1" - logic_hash = "08e77a31005e14a06197857301e22d20334c1f2ef7fc06a4208643438377f4c4" + logic_hash = "v1_sha256_08e77a31005e14a06197857301e22d20334c1f2ef7fc06a4208643438377f4c4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94835,10 +94997,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_F51C5Ac3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L594-L612" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L594-L612" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d" - logic_hash = "e82b5ddb760d5bdcd146e1de12ec34c4764e668543420765146e22dee6f5732b" + logic_hash = "v1_sha256_e82b5ddb760d5bdcd146e1de12ec34c4764e668543420765146e22dee6f5732b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94864,10 +95026,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_71E487Ea : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L614-L632" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L614-L632" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b8d044f2de21d20c7e4b43a2baf5d8cdb97fba95c3b99816848c0f214515295b" - logic_hash = "3de9e0e3334e9e6e5906886f95ff8ce3596f85772dc25021fb0ee148281cf81c" + logic_hash = "v1_sha256_3de9e0e3334e9e6e5906886f95ff8ce3596f85772dc25021fb0ee148281cf81c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94893,10 +95055,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6620Ec67 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L634-L652" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L634-L652" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b91eb196605c155c98f824abf8afe122f113d1fed254074117652f93d0c9d6b2" - logic_hash = "2df2c8cdc2cb545f916159d44a800708b55a2993cd54a4dcf920a6a8dc6361e7" + logic_hash = "v1_sha256_2df2c8cdc2cb545f916159d44a800708b55a2993cd54a4dcf920a6a8dc6361e7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94922,10 +95084,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D996D335 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L654-L672" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L654-L672" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda" - logic_hash = "212c75ab61eac8b3ed2049966628dfc81ae5a620b4a4b38aaa0696d594910dea" + logic_hash = "v1_sha256_212c75ab61eac8b3ed2049966628dfc81ae5a620b4a4b38aaa0696d594910dea" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -94951,9 +95113,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D0C57A2E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L674-L691" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2ac51f0943d573fdc9a39837aeefd9158c27a4b3f35fbbb0a058a88392a53c14" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L674-L691" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2ac51f0943d573fdc9a39837aeefd9158c27a4b3f35fbbb0a058a88392a53c14" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -94979,9 +95141,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_751Acb94 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L693-L710" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "1963351d209168f4ae2268d245cfd5320e4442d00746d021088ffae98e5da454" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L693-L710" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_1963351d209168f4ae2268d245cfd5320e4442d00746d021088ffae98e5da454" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95007,10 +95169,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_656Bf077 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L712-L730" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L712-L730" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6" - logic_hash = "0c9728304e720eb2cd00afad8d16f309514473dece48fa94af6a72ca41705a36" + logic_hash = "v1_sha256_0c9728304e720eb2cd00afad8d16f309514473dece48fa94af6a72ca41705a36" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95036,10 +95198,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_E6D75E6F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L732-L750" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L732-L750" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "48b15093f33c18778724c48c34199a420be4beb0d794e36034097806e1521eb8" - logic_hash = "339dd33a3313a4a94d2515cd4c2100ac6b9d5e0029881494c28dc3e7c8a05798" + logic_hash = "v1_sha256_339dd33a3313a4a94d2515cd4c2100ac6b9d5e0029881494c28dc3e7c8a05798" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95065,10 +95227,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_7167D08F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L752-L770" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L752-L770" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68" - logic_hash = "88c07bf06801192f38ef66229a0aa5c1ef6242caeb080ce1c7cd13ad0d540c82" + logic_hash = "v1_sha256_88c07bf06801192f38ef66229a0aa5c1ef6242caeb080ce1c7cd13ad0d540c82" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95094,10 +95256,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_27De1106 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L772-L790" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L772-L790" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d" - logic_hash = "4e266e1ae31d7d86866b112a04ca38c0a8185c18ebb10ac6497bbaa69f51b2fd" + logic_hash = "v1_sha256_4e266e1ae31d7d86866b112a04ca38c0a8185c18ebb10ac6497bbaa69f51b2fd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95123,10 +95285,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_148B91A2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L792-L810" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L792-L810" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d5b2bde0749ff482dc2389971e2ac76c4b1e7b887208a538d5555f0fe6984825" - logic_hash = "1a974c0882c2d088c978a52e5b535807c86f117cf2f05c40c084e849b1849f5b" + logic_hash = "v1_sha256_1a974c0882c2d088c978a52e5b535807c86f117cf2f05c40c084e849b1849f5b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95152,10 +95314,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_20F5E74F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L812-L830" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L812-L830" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9084b00f9bb71524987dc000fb2bc6f38e722e2be2832589ca4bb1671e852f5b" - logic_hash = "067f1c15961c1ddceecb490b338db9f5b8501d89b38e870edfa628d21527dc1c" + logic_hash = "v1_sha256_067f1c15961c1ddceecb490b338db9f5b8501d89b38e870edfa628d21527dc1c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95181,10 +95343,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_1B2E2A3A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L832-L850" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L832-L850" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d" - logic_hash = "6f40f868d20f0125721eb2a7934b356d69b695d4a558155a2ddcd0107d3f8c30" + logic_hash = "v1_sha256_6f40f868d20f0125721eb2a7934b356d69b695d4a558155a2ddcd0107d3f8c30" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95210,10 +95372,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_620087B9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L852-L870" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L852-L870" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961" - logic_hash = "411451ea326498a25af8be5cd43fe0b98973af354706268c89828b88ece5e497" + logic_hash = "v1_sha256_411451ea326498a25af8be5cd43fe0b98973af354706268c89828b88ece5e497" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95239,10 +95401,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Dd0D6173 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L872-L890" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L872-L890" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6" - logic_hash = "7061edef1981e2b93bcdd8be47c0f6067acc140a543eed748bf0513f182e0a59" + logic_hash = "v1_sha256_7061edef1981e2b93bcdd8be47c0f6067acc140a543eed748bf0513f182e0a59" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95268,10 +95430,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_779E142F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L892-L910" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L892-L910" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df" - logic_hash = "80ba5a1cf333fafc6a1d7823ca4a8d5c30c1c07a01d6d681c22dd29e197089f1" + logic_hash = "v1_sha256_80ba5a1cf333fafc6a1d7823ca4a8d5c30c1c07a01d6d681c22dd29e197089f1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95297,10 +95459,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Cf84C9F2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L912-L930" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L912-L930" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df" - logic_hash = "9af164ece7e7e0f33dc32f18735a8f655593ae6cde34e05108f3221b71aa8676" + logic_hash = "v1_sha256_9af164ece7e7e0f33dc32f18735a8f655593ae6cde34e05108f3221b71aa8676" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95326,9 +95488,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_0Cd591Cd : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L932-L949" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "4300bdd173dfb33ca34c0f2fe4fa6ee071e99d5db201262e914721aad0ad433b" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L932-L949" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_4300bdd173dfb33ca34c0f2fe4fa6ee071e99d5db201262e914721aad0ad433b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95354,10 +95516,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_859042A0 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L951-L969" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L951-L969" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "41615d3f3f27f04669166fdee3996d77890016304ee87851a5f90804d6d4a0b0" - logic_hash = "b8daa4a136a6511472703687fe56fbca2bd005a1373802a46c8d211b6d039d75" + logic_hash = "v1_sha256_b8daa4a136a6511472703687fe56fbca2bd005a1373802a46c8d211b6d039d75" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95383,10 +95545,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_33B4111A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L971-L989" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L971-L989" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961" - logic_hash = "a08c0f7be26e2e9abfaa392712895bb3ce1d12583da4060ebe41e1a9c1491b7c" + logic_hash = "v1_sha256_a08c0f7be26e2e9abfaa392712895bb3ce1d12583da4060ebe41e1a9c1491b7c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95412,10 +95574,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_4F43B164 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L991-L1009" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L991-L1009" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f0fdb3de75f85e199766bbb39722865cac578cde754afa2d2f065ef028eec788" - logic_hash = "79a17e70e9b7af6e53f62211c33355a4c46a82e7c4e80c20ffe9684e24155808" + logic_hash = "v1_sha256_79a17e70e9b7af6e53f62211c33355a4c46a82e7c4e80c20ffe9684e24155808" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95441,9 +95603,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_E4A1982B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1011-L1028" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "4cd7aa205b3571cffca208e315d6311fa92a5993e2a8e40d342d6184811f42f0" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1011-L1028" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_4cd7aa205b3571cffca208e315d6311fa92a5993e2a8e40d342d6184811f42f0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95469,10 +95631,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_862C4E0E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1030-L1048" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1030-L1048" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9526277255a8d632355bfe54d53154c9c54a4ab75e3ba24333c73ad0ed7cadb1" - logic_hash = "a1dce44e76f9d2a517c4849c58dfecb07e1ef0d78fddff10af601184d636583f" + logic_hash = "v1_sha256_a1dce44e76f9d2a517c4849c58dfecb07e1ef0d78fddff10af601184d636583f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95498,10 +95660,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9127F7Be : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1050-L1068" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1050-L1068" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d" - logic_hash = "2b1fa115598561e081dfb9b5f24f6728b0d52cb81ac7933728d81646f461bcae" + logic_hash = "v1_sha256_2b1fa115598561e081dfb9b5f24f6728b0d52cb81ac7933728d81646f461bcae" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95527,9 +95689,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_0E03B7D3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1070-L1087" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "845be03fac893f8e914aabda5206000dc07947ade0b8f46cc5d58d8458f035f6" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1070-L1087" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_845be03fac893f8e914aabda5206000dc07947ade0b8f46cc5d58d8458f035f6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95555,10 +95717,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_32Eb0C81 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1089-L1107" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1089-L1107" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df" - logic_hash = "a06d9e1190ba79b0e19cab7468f01a49359629a6feb27b7d72f3d1d52d1483d7" + logic_hash = "v1_sha256_a06d9e1190ba79b0e19cab7468f01a49359629a6feb27b7d72f3d1d52d1483d7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95584,9 +95746,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9Abf7E0C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1109-L1126" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "00276330e388d07368577c4134343cb9fc11957dba6cff5523331199f1ed04aa" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1109-L1126" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_00276330e388d07368577c4134343cb9fc11957dba6cff5523331199f1ed04aa" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95612,10 +95774,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_33801844 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1128-L1146" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1128-L1146" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2ceff60e88c30c02c1c7b12a224aba1895669aad7316a40b575579275b3edbb3" - logic_hash = "20b8ebce14776e48310be099afd0dca0f28778d0024318b339b75e2689f70128" + logic_hash = "v1_sha256_20b8ebce14776e48310be099afd0dca0f28778d0024318b339b75e2689f70128" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95641,9 +95803,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A33A8363 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1148-L1165" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "3fe17dc43f07dacdad6ababf141983854b977e244c0af824fea0ab953ad70fee" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1148-L1165" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_3fe17dc43f07dacdad6ababf141983854b977e244c0af824fea0ab953ad70fee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95669,10 +95831,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9A62845F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1167-L1185" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1167-L1185" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f67f8566beab9d7494350923aceb0e76cd28173bdf2c4256e9d45eff7fc8cb41" - logic_hash = "b3ab125c8bfb5b7a0be0e92cf5a50057e403ab3597698ec2e7a8bafa0d3a8b80" + logic_hash = "v1_sha256_b3ab125c8bfb5b7a0be0e92cf5a50057e403ab3597698ec2e7a8bafa0d3a8b80" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95698,10 +95860,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_4D81Ad42 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1187-L1205" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1187-L1205" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3021a861e6f03df3e7e3919e6255bdae6e48163b9a8ba4f1a5c5dced3e3e368b" - logic_hash = "57b54eed37690949ba2d4eff713691f16f00207d7b374beb7dfa2e368588dbb0" + logic_hash = "v1_sha256_57b54eed37690949ba2d4eff713691f16f00207d7b374beb7dfa2e368588dbb0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95727,9 +95889,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6A510422 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1207-L1225" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "4384536817bf5df223d4cf145892b7714f2dbd1748930b6cd43152d4e35c9e56" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1207-L1225" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_4384536817bf5df223d4cf145892b7714f2dbd1748930b6cd43152d4e35c9e56" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -95755,9 +95917,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D2953F92 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1227-L1245" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d0af462d26f6ffe469c57d63f1f7d551e3fb9cc39c7e4c35b3e71f659c01c076" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1227-L1245" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d0af462d26f6ffe469c57d63f1f7d551e3fb9cc39c7e4c35b3e71f659c01c076" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95783,9 +95945,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6Ae4B580 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1247-L1265" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "eb0fe44df1c995c5d4e3a361c3e466f78cb70bffbc76d1b7b345ee651b313b9e" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1247-L1265" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_eb0fe44df1c995c5d4e3a361c3e466f78cb70bffbc76d1b7b345ee651b313b9e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -95811,9 +95973,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D608Cf3B : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1267-L1285" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "ad5b7d32c85adc7f778a8f4815e595b90a6f15dec048bcf97c6ab179582eb4f7" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1267-L1285" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_ad5b7d32c85adc7f778a8f4815e595b90a6f15dec048bcf97c6ab179582eb4f7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95839,9 +96001,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_3F8Cf56E : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "1878f0783085cc6beb2b81cfda304ec983374264ce54b6b98a51c09aea9f750d" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1287-L1305" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "b2cf8b1913a88e6a6346f0ac8cd2e7c33b41d44bf60ff7327ae40a2d54748bd9" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1287-L1305" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_b2cf8b1913a88e6a6346f0ac8cd2e7c33b41d44bf60ff7327ae40a2d54748bd9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -95867,9 +96029,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Fb14E81F : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "0fd07e6068a721774716eb4940e2c19faef02d5bdacf3b018bf5995fa98a3a27" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1307-L1325" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2efb958c269640c374485502611372f4404cf35d7ab704d20ce37b8c1f69645d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1307-L1325" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2efb958c269640c374485502611372f4404cf35d7ab704d20ce37b8c1f69645d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95895,9 +96057,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_E09726Dc : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "1e64187b5e3b5fe71d34ea555ff31961404adad83f8e0bd1ce0aad056a878d73" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1327-L1345" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "ebd00e593a7fcd46e36fd0ca213e1f82c0f4a94448b6fd605d35cea45a490493" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1327-L1345" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_ebd00e593a7fcd46e36fd0ca213e1f82c0f4a94448b6fd605d35cea45a490493" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -95923,9 +96085,9 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Ad12B9B6 : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "f0411131acfddb40ac8069164ce2808e9c8928709898d3fb5dc88036003fe9c8" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1347-L1365" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "72a85d14eb8ab78364ea2e8b89d9409c0046b14602f4a3415d829f4985fb2de3" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1347-L1365" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_72a85d14eb8ab78364ea2e8b89d9409c0046b14602f4a3415d829f4985fb2de3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95951,10 +96113,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_0535Ebf7 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1367-L1385" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1367-L1385" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "77e18bb5479b644ba01d074057c9e2bd532717f6ab3bb88ad2b7497b85d2a5de" - logic_hash = "eb574468e9d371def0da74e6aba827272181399a84388a14ffb167ec6ebd40d1" + logic_hash = "v1_sha256_eb574468e9d371def0da74e6aba827272181399a84388a14ffb167ec6ebd40d1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -95980,10 +96142,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_32A7Edd2 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1387-L1405" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1387-L1405" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "79a75c8aa5aa0d1edef5965e1bcf8ba2f2a004a77833a74870b8377d7fde89cf" - logic_hash = "af26549c1cad0975735e2c233bc71e5e1b0e283d02552fdaea02656332ecd854" + logic_hash = "v1_sha256_af26549c1cad0975735e2c233bc71e5e1b0e283d02552fdaea02656332ecd854" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -96009,10 +96171,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D7F35B54 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1407-L1425" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1407-L1425" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "79a75c8aa5aa0d1edef5965e1bcf8ba2f2a004a77833a74870b8377d7fde89cf" - logic_hash = "d827e21c09b8dce65db293aa57b39f49f034537bb708471989ad64e653c479be" + logic_hash = "v1_sha256_d827e21c09b8dce65db293aa57b39f49f034537bb708471989ad64e653c479be" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -96038,10 +96200,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_F11E98Be : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1427-L1445" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1427-L1445" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "79a75c8aa5aa0d1edef5965e1bcf8ba2f2a004a77833a74870b8377d7fde89cf" - logic_hash = "9b9122f0897610dff6b37446b3cecbfcec3dce8dc7e1934e78cc32d5f6ac9648" + logic_hash = "v1_sha256_9b9122f0897610dff6b37446b3cecbfcec3dce8dc7e1934e78cc32d5f6ac9648" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -96067,10 +96229,10 @@ rule ELASTIC_Linux_Trojan_Gafgyt_8D4E4F4A : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Gafgyt.yar#L1447-L1465" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Gafgyt.yar#L1447-L1465" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "79a75c8aa5aa0d1edef5965e1bcf8ba2f2a004a77833a74870b8377d7fde89cf" - logic_hash = "11ee101a936f8e6949701e840ef48a0fe102099ea3b71c790b9a5128e5c59029" + logic_hash = "v1_sha256_11ee101a936f8e6949701e840ef48a0fe102099ea3b71c790b9a5128e5c59029" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -96096,10 +96258,10 @@ rule ELASTIC_Linux_Exploit_Iouring_D04C1C19 : FILE MEMORY date = "2024-04-07" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_IOUring.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_IOUring.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "29e6a5f7b36e271219601528f3fd70831aacb8b9f05722779faa40afc97b3b60" - logic_hash = "b1d8d6090576b4b5bcd435eb69ee1dc1f1947115d38b62364cf1730a4f08d317" + logic_hash = "v1_sha256_b1d8d6090576b4b5bcd435eb69ee1dc1f1947115d38b62364cf1730a4f08d317" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -96127,9 +96289,9 @@ rule ELASTIC_Multi_Trojan_Mythic_4Beb7E17 : FILE MEMORY date = "2023-08-01" modified = "2023-09-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_Mythic.yar#L1-L28" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7b3b7bae1763f3c73df206f97065920fa55b973d22c967acb3d26ac8e89e60c7" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Mythic.yar#L1-L28" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7b3b7bae1763f3c73df206f97065920fa55b973d22c967acb3d26ac8e89e60c7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -96165,10 +96327,10 @@ rule ELASTIC_Multi_Trojan_Mythic_E0Ea7Ef9 : FILE MEMORY date = "2024-05-23" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_Mythic.yar#L30-L61" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Mythic.yar#L30-L61" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e091d63c8e8b0a32a3d25cffdf02419fdbec714f31e4061bafd80b1971831c5f" - logic_hash = "237307d85fe7886eb2cf351a9f7872e3e5551f05535f0b6a966a960d204aee90" + logic_hash = "v1_sha256_237307d85fe7886eb2cf351a9f7872e3e5551f05535f0b6a966a960d204aee90" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -96196,7 +96358,7 @@ rule ELASTIC_Multi_Trojan_Mythic_E0Ea7Ef9 : FILE MEMORY $rs_misc4 = "src/getprivs.rs" condition: - all of ($profile*) and 8 of ($rs*) + all of ( $profile* ) and 8 of ( $rs* ) } rule ELASTIC_Multi_Trojan_Mythic_528324B4 : FILE MEMORY { 
@@ -96207,10 +96369,10 @@ rule ELASTIC_Multi_Trojan_Mythic_528324B4 : FILE MEMORY date = "2024-05-23" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_Mythic.yar#L63-L89" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Mythic.yar#L63-L89" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2cd883eab722a5eacbca7fa82e0eebb5f6c30cffa955abcb1ab8cf169af97202" - logic_hash = "8c85d086b30030a24fba9f519aed3fdf3c821932d71ceaecfe354fe07cd1d631" + logic_hash = "v1_sha256_8c85d086b30030a24fba9f519aed3fdf3c821932d71ceaecfe354fe07cd1d631" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -96233,7 +96395,7 @@ rule ELASTIC_Multi_Trojan_Mythic_528324B4 : FILE MEMORY $athena4 = "Athena.Profiles.HTTP.dll" condition: - (2 of ($import*)) or (2 of ($athena*)) + (2 of ( $import* ) ) or ( 2 of ( $athena* ) ) } rule ELASTIC_Windows_Trojan_Hazelcobra_6A9Fe48A : FILE MEMORY { 
@@ -96244,10 +96406,10 @@ rule ELASTIC_Windows_Trojan_Hazelcobra_6A9Fe48A : FILE MEMORY date = "2023-11-01" modified = "2023-11-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_HazelCobra.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_HazelCobra.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d" - logic_hash = "dc4d561497c2e3da270d305ceaf3194b48d64c0d8e212ee6f03a2d89c8e006e8" + logic_hash = "v1_sha256_dc4d561497c2e3da270d305ceaf3194b48d64c0d8e212ee6f03a2d89c8e006e8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -96265,7 +96427,7 @@ rule ELASTIC_Windows_Trojan_Hazelcobra_6A9Fe48A : FILE MEMORY $s3 = "Can't read data file" fullword condition: - $a1 or all of ($s*) + $a1 or all of ( $s* ) } rule ELASTIC_Windows_Vulndriver_ATSZIO_E22Cc429 : FILE { 
@@ -96276,10 +96438,10 @@ rule ELASTIC_Windows_Vulndriver_ATSZIO_E22Cc429 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_ATSZIO.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_ATSZIO.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - logic_hash = "e3f057d5a5c47a1f3b4d50e2ad0ebb3a4ffe0efe513a0d375f827fadb3328d80" + logic_hash = "v1_sha256_e3f057d5a5c47a1f3b4d50e2ad0ebb3a4ffe0efe513a0d375f827fadb3328d80" score = 75 quality = 75 tags = "FILE" @@ -96295,7 +96457,7 @@ rule ELASTIC_Windows_Vulndriver_ATSZIO_E22Cc429 : FILE $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 41 00 54 00 53 00 5A 00 49 00 4F 00 2E 00 73 00 79 00 73 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name } rule ELASTIC_Linux_Ransomware_Quantum_8513Fb8B : FILE MEMORY { 
@@ -96306,10 +96468,10 @@ rule ELASTIC_Linux_Ransomware_Quantum_8513Fb8B : FILE MEMORY date = "2023-07-28" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Quantum.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Quantum.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3bcb9ad92fdca53195f390fc4d8d721b504b38deeda25c1189a909a7011406c9" - logic_hash = "7e24be541bafc2427ecd8f76b7774fb65d7421bc300503eeb068b8104e168c70" + logic_hash = "v1_sha256_7e24be541bafc2427ecd8f76b7774fb65d7421bc300503eeb068b8104e168c70" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -96336,10 +96498,10 @@ rule ELASTIC_Windows_Trojan_Bitsloth_05Fc3A0A : FILE MEMORY date = "2024-07-16" modified = "2024-07-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BITSloth.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BITSloth.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0944b17a4330e1c97600f62717d6bae7e4a4260604043f2390a14c8d76ef1507" - logic_hash = "8210dc28cf408f7f836aad3c32868ea21dd0862070c2c37d98b089a80be9285e" + logic_hash = "v1_sha256_8210dc28cf408f7f836aad3c32868ea21dd0862070c2c37d98b089a80be9285e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -96373,10 +96535,10 @@ rule ELASTIC_Windows_Hacktool_Physmem_Cc0978Df : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_PhysMem.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_PhysMem.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - logic_hash = "e2fabf5889dbdc98dc6942be4fb0de4351d64a06bab945993b2a2c4afe89984e" + logic_hash = "v1_sha256_e2fabf5889dbdc98dc6942be4fb0de4351d64a06bab945993b2a2c4afe89984e" score = 75 quality = 75 tags = "FILE" @@ -96392,7 +96554,7 @@ rule ELASTIC_Windows_Hacktool_Physmem_Cc0978Df : FILE $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 70 00 68 00 79 00 73 00 6D 00 65 00 6D 00 2E 00 73 00 79 00 73 00 00 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name } rule ELASTIC_Windows_Hacktool_Physmem_B3Fa382B : FILE { 
@@ -96403,10 +96565,10 @@ rule ELASTIC_Windows_Hacktool_Physmem_B3Fa382B : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_PhysMem.yar#L22-L40"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_PhysMem.yar#L22-L40"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9"
- logic_hash = "36a60b78de15a52721ad4830b37daffc33d7689e8b180fe148876da00562273a"
+ logic_hash = "v1_sha256_36a60b78de15a52721ad4830b37daffc33d7689e8b180fe148876da00562273a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96421,7 +96583,7 @@ rule ELASTIC_Windows_Hacktool_Physmem_B3Fa382B : FILE
 $str1 = "\\Phymemx64.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Linux_Trojan_Asacub_D3C4Aa41 : FILE MEMORY
 {
@@ -96432,10 +96594,10 @@ rule ELASTIC_Linux_Trojan_Asacub_D3C4Aa41 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Asacub.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Asacub.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "15044273a506f825859e287689a57c6249b01bb0a848f113c946056163b7e5f1"
- logic_hash = "3645e10e5ef8c50e5e82d749da07f5669c5162cb95aa5958ce45a414b870f619"
+ logic_hash = "v1_sha256_3645e10e5ef8c50e5e82d749da07f5669c5162cb95aa5958ce45a414b870f619"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96461,10 +96623,10 @@ rule ELASTIC_Windows_Trojan_Darkvnc_Bd803C2E : FILE MEMORY
 date = "2023-01-23"
 modified = "2023-02-01"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DarkVNC.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DarkVNC.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0fcc1b02fdaf211c772bd4fa1abcdeb5338d95911c226a9250200ff7f8e45601"
- logic_hash = "d9e8a42a424d6a186939682e1cd2ed794c8a3765824188e863b1b2829650e2d5"
+ logic_hash = "v1_sha256_d9e8a42a424d6a186939682e1cd2ed794c8a3765824188e863b1b2829650e2d5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96494,10 +96656,10 @@ rule ELASTIC_Windows_Hacktool_Netfilter_E8243Dae : FILE
 date = "2022-04-04"
 modified = "2023-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_NetFilter.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_NetFilter.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510"
- logic_hash = "c551bd87e73f980d8836b13449490de5e639d768b72d9006d90969f3140b28e2"
+ logic_hash = "v1_sha256_c551bd87e73f980d8836b13449490de5e639d768b72d9006d90969f3140b28e2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96512,7 +96674,7 @@ rule ELASTIC_Windows_Hacktool_Netfilter_E8243Dae : FILE
 $str1 = "[NetFlt]:CTRL NDIS ModifyARP"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Windows_Hacktool_Netfilter_Dd576D28 : FILE
 {
@@ -96523,10 +96685,10 @@ rule ELASTIC_Windows_Hacktool_Netfilter_Dd576D28 : FILE
 date = "2022-04-04"
 modified = "2023-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_NetFilter.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_NetFilter.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "88cfe6d7c81d0064045c4198d6ec7d3c50dc3ec8e36e053456ed1b50fc8c23bf"
- logic_hash = "7635ed94ca77c7705df4d2a9c5546ece86bf831b5bf5355943419174e0387b86"
+ logic_hash = "v1_sha256_7635ed94ca77c7705df4d2a9c5546ece86bf831b5bf5355943419174e0387b86"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96541,7 +96703,7 @@ rule ELASTIC_Windows_Hacktool_Netfilter_Dd576D28 : FILE
 $str1 = "\\NetProxyDriver.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Windows_Hacktool_Netfilter_B4F2A520 : FILE
 {
@@ -96552,10 +96714,10 @@ rule ELASTIC_Windows_Hacktool_Netfilter_B4F2A520 : FILE
 date = "2022-04-04"
 modified = "2023-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_NetFilter.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_NetFilter.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5d0d5373c5e52c4405f4bd963413e6ef3490b7c4c919ec2d4e3fb92e91f397a0"
- logic_hash = "520d2194593f1622a3b905fe182a0773447a4eee3472e7701cce977f5bf4fbae"
+ logic_hash = "v1_sha256_520d2194593f1622a3b905fe182a0773447a4eee3472e7701cce977f5bf4fbae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96570,7 +96732,7 @@ rule ELASTIC_Windows_Hacktool_Netfilter_B4F2A520 : FILE
 $str1 = "\\netfilterdrv.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Windows_Hacktool_Netfilter_1Cae6E26 : FILE
 {
@@ -96581,10 +96743,10 @@ rule ELASTIC_Windows_Hacktool_Netfilter_1Cae6E26 : FILE
 date = "2022-04-04"
 modified = "2023-06-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_NetFilter.yar#L61-L79"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_NetFilter.yar#L61-L79"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e2ec3b2a93c473d88bfdf2deb1969d15ab61737acc1ee8e08234bc5513ee87ea"
- logic_hash = "29c0edc03934e6e7275c3870a8808e03ec85dacb1f54e10efca3123d2257db98"
+ logic_hash = "v1_sha256_29c0edc03934e6e7275c3870a8808e03ec85dacb1f54e10efca3123d2257db98"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96599,7 +96761,7 @@ rule ELASTIC_Windows_Hacktool_Netfilter_1Cae6E26 : FILE
 $str1 = "\\Driver_Map.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Windows_Ransomware_Ryuk_25D3C5Ba : BETA FILE MEMORY
 {
@@ -96610,9 +96772,9 @@ rule ELASTIC_Windows_Ransomware_Ryuk_25D3C5Ba : BETA FILE MEMORY
 date = "2020-04-30"
 modified = "2021-08-23"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ryuk.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "4d461ff9b87e3a17637cef89ff8a85ef22f69695d4664f6fe8f271a6a5f7b4bc"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ryuk.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_4d461ff9b87e3a17637cef89ff8a85ef22f69695d4664f6fe8f271a6a5f7b4bc"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96628,7 +96790,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_25D3C5Ba : BETA FILE MEMORY
 $g1 = { 41 8B C0 45 03 C7 99 F7 FE 48 63 C2 8A 4C 84 20 }
 condition:
- 1 of ($g*)
+ 1 of ( $g* )
 }
 rule ELASTIC_Windows_Ransomware_Ryuk_878Bae7E : BETA FILE MEMORY
 {
@@ -96639,9 +96801,9 @@ rule ELASTIC_Windows_Ransomware_Ryuk_878Bae7E : BETA FILE MEMORY
 date = "2020-04-30"
 modified = "2021-08-23"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ryuk.yar#L22-L42"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "94bed2220aeb41ae8069cee56cc5299b9fc56797d3b54085b8246a03d9e8bd93"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ryuk.yar#L22-L42"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_94bed2220aeb41ae8069cee56cc5299b9fc56797d3b54085b8246a03d9e8bd93"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96658,7 +96820,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_878Bae7E : BETA FILE MEMORY
 $b3 = "RyukReadMe.txt" wide fullword
 condition:
- 1 of ($b*)
+ 1 of ( $b* )
 }
 rule ELASTIC_Windows_Ransomware_Ryuk_6C726744 : BETA FILE MEMORY
 {
@@ -96669,9 +96831,9 @@ rule ELASTIC_Windows_Ransomware_Ryuk_6C726744 : BETA FILE MEMORY
 date = "2020-04-30"
 modified = "2021-08-23"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ryuk.yar#L44-L67"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "ee7586d5cbef23d1863a4dfcc5da9b97397c993268881922c681022bf4f293f0"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ryuk.yar#L44-L67"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_ee7586d5cbef23d1863a4dfcc5da9b97397c993268881922c681022bf4f293f0"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96691,7 +96853,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_6C726744 : BETA FILE MEMORY
 $a5 = "delete[]" ascii fullword
 condition:
- 4 of ($a*)
+ 4 of ( $a* )
 }
 rule ELASTIC_Windows_Ransomware_Ryuk_1A4Ad952 : BETA FILE MEMORY
 {
@@ -96702,9 +96864,9 @@ rule ELASTIC_Windows_Ransomware_Ryuk_1A4Ad952 : BETA FILE MEMORY
 date = "2020-04-30"
 modified = "2021-08-23"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ryuk.yar#L69-L88"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "bb854f5760f41e2c103c99d8f128a2546926a614dff8753eaa1287ac583e213a"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ryuk.yar#L69-L88"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_bb854f5760f41e2c103c99d8f128a2546926a614dff8753eaa1287ac583e213a"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96720,7 +96882,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_1A4Ad952 : BETA FILE MEMORY
 $e1 = { 8B 0A 41 8D 45 01 45 03 C1 48 8D 52 08 41 3B C9 41 0F 45 C5 44 8B E8 49 63 C0 48 3B C3 72 E1 }
 condition:
- 1 of ($e*)
+ 1 of ( $e* )
 }
 rule ELASTIC_Windows_Ransomware_Ryuk_72B5Fd9D : BETA FILE MEMORY
 {
@@ -96731,9 +96893,9 @@ rule ELASTIC_Windows_Ransomware_Ryuk_72B5Fd9D : BETA FILE MEMORY
 date = "2020-04-30"
 modified = "2021-08-23"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ryuk.yar#L90-L109"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "b2abc8f70df5d730ce6a7d0bc125bb623f27b292e7d575914368a8bfc0fb5837"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ryuk.yar#L90-L109"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_b2abc8f70df5d730ce6a7d0bc125bb623f27b292e7d575914368a8bfc0fb5837"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96749,7 +96911,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_72B5Fd9D : BETA FILE MEMORY
 $d1 = { 48 2B C3 33 DB 66 89 1C 46 48 83 FF FF 0F }
 condition:
- 1 of ($d*)
+ 1 of ( $d* )
 }
 rule ELASTIC_Windows_Ransomware_Ryuk_8Ba51798 : BETA FILE MEMORY
 {
@@ -96760,9 +96922,9 @@ rule ELASTIC_Windows_Ransomware_Ryuk_8Ba51798 : BETA FILE MEMORY
 date = "2020-04-30"
 modified = "2021-08-23"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ryuk.yar#L111-L137"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "0733ae6a7e38bc2a25aa76a816284482d3ee25626559ec5af554b5f5070e534a"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ryuk.yar#L111-L137"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_0733ae6a7e38bc2a25aa76a816284482d3ee25626559ec5af554b5f5070e534a"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96785,7 +96947,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_8Ba51798 : BETA FILE MEMORY
 $c8 = "UNIQUE_ID_DO_NOT_REMOVE" wide fullword
 condition:
- 3 of ($c*)
+ 3 of ( $c* )
 }
 rule ELASTIC_Windows_Ransomware_Ryuk_88Daaf8E : BETA FILE MEMORY
 {
@@ -96796,9 +96958,9 @@ rule ELASTIC_Windows_Ransomware_Ryuk_88Daaf8E : BETA FILE MEMORY
 date = "2020-04-30"
 modified = "2021-08-23"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ryuk.yar#L139-L158"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "6fc463976c0fb9c3e4f25d854545d07800c63730826f3974298f0077d272cff0"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ryuk.yar#L139-L158"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_6fc463976c0fb9c3e4f25d854545d07800c63730826f3974298f0077d272cff0"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96814,7 +96976,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_88Daaf8E : BETA FILE MEMORY
 $f1 = { 48 8B CF E8 AB 25 00 00 85 C0 74 35 }
 condition:
- 1 of ($f*)
+ 1 of ( $f* )
 }
 rule ELASTIC_Multi_Hacktool_Stowaway_89F1D452 : FILE MEMORY
 {
@@ -96825,10 +96987,10 @@ rule ELASTIC_Multi_Hacktool_Stowaway_89F1D452 : FILE MEMORY
 date = "2024-06-28"
 modified = "2024-07-26"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Hacktool_Stowaway.yar#L1-L27"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Hacktool_Stowaway.yar#L1-L27"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c073d3be469c8eea0f007bb37c722bad30e06dc994d3a59773838ed8be154c95"
- logic_hash = "c5db1335fea606ec32f7a6540ee4dee637dd2ad5aee27e092b89fa03ad085690"
+ logic_hash = "v1_sha256_c5db1335fea606ec32f7a6540ee4dee637dd2ad5aee27e092b89fa03ad085690"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96862,10 +97024,10 @@ rule ELASTIC_Windows_Trojan_Bandook_38497690 : FILE MEMORY
 date = "2022-08-10"
 modified = "2022-09-29"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Bandook.yar#L1-L24"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Bandook.yar#L1-L24"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4d079586a51168aac708a9ab7d11a5a49dfe7a16d9ced852fbbc5884020c0c97"
- logic_hash = "199614993f63636764808313f25199348afdf4d537c8dca06f673559e34636b8"
+ logic_hash = "v1_sha256_199614993f63636764808313f25199348afdf4d537c8dca06f673559e34636b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96896,10 +97058,10 @@ rule ELASTIC_Windows_Ransomware_Lockfile_74185716 : FILE MEMORY
 date = "2021-08-31"
 modified = "2022-01-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Lockfile.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Lockfile.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce"
- logic_hash = "e922c2fc9dd52dd0238847a9d48691bea90d028cf680fc3a1a0dbdfef1d8dce3"
+ logic_hash = "v1_sha256_e922c2fc9dd52dd0238847a9d48691bea90d028cf680fc3a1a0dbdfef1d8dce3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96928,10 +97090,10 @@ rule ELASTIC_Linux_Ransomware_Lockbit_D248E80E : FILE MEMORY
 date = "2023-07-27"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Lockbit.yar#L1-L24"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Lockbit.yar#L1-L24"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4800a67ceff340d2ab4f79406a01f58e5a97d589b29b35394b2a82a299b19745"
- logic_hash = "5d33d243cd7f9d9189139eb34a4dd8d81882be200223d5c8e60dfd07ca98f94b"
+ logic_hash = "v1_sha256_5d33d243cd7f9d9189139eb34a4dd8d81882be200223d5c8e60dfd07ca98f94b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96951,7 +97113,7 @@ rule ELASTIC_Linux_Ransomware_Lockbit_D248E80E : FILE MEMORY
 $b5 = "crypto_generichash_blake2b_final" fullword
 condition:
- $a1 and 2 of ($b*)
+ $a1 and 2 of ( $b* )
 }
 rule ELASTIC_Linux_Ransomware_Lockbit_5B30A04B : FILE MEMORY
 {
@@ -96962,10 +97124,10 @@ rule ELASTIC_Linux_Ransomware_Lockbit_5B30A04B : FILE MEMORY
 date = "2023-07-29"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Lockbit.yar#L26-L46"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Lockbit.yar#L26-L46"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "41cbb7d79388eaa4d6e704bd4a8bf8f34d486d27277001c343ea3ce112f4fb0d"
- logic_hash = "b89d0f25f08ffa35e075def6a29cf52a80500c6499732146426a71c741059a3b"
+ logic_hash = "v1_sha256_b89d0f25f08ffa35e075def6a29cf52a80500c6499732146426a71c741059a3b"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -96993,10 +97155,10 @@ rule ELASTIC_Macos_Trojan_Amcleaner_445Bb666 : FILE MEMORY
 date = "2021-10-05"
 modified = "2021-10-25"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Amcleaner.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Amcleaner.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c85bf71310882bc0c0cf9b74c9931fd19edad97600bc86ca51cf94ed85a78052"
- logic_hash = "664829ff761186ec8f3055531b5490b7516756b0aa9d0183d4c17240a5ca44c4"
+ logic_hash = "v1_sha256_664829ff761186ec8f3055531b5490b7516756b0aa9d0183d4c17240a5ca44c4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97022,10 +97184,10 @@ rule ELASTIC_Macos_Trojan_Amcleaner_A91D3907 : FILE MEMORY
 date = "2021-10-05"
 modified = "2021-10-25"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Amcleaner.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Amcleaner.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "dc9c700f3f6a03ecb6e3f2801d4269599c32abce7bc5e6a1b7e6a64b0e025f58"
- logic_hash = "e61ceea117acf444a6b137b93d7c335c6eb8a7e13a567177ec4ea44bf64fd5c6"
+ logic_hash = "v1_sha256_e61ceea117acf444a6b137b93d7c335c6eb8a7e13a567177ec4ea44bf64fd5c6"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -97051,10 +97213,10 @@ rule ELASTIC_Macos_Trojan_Amcleaner_8Ce3Fea8 : FILE MEMORY
 date = "2021-10-05"
 modified = "2021-10-25"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Amcleaner.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Amcleaner.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c85bf71310882bc0c0cf9b74c9931fd19edad97600bc86ca51cf94ed85a78052"
- logic_hash = "08c4b5b4afefbf1ee207525f9b28bc7eed7b55cb07f8576fddfa0bbe95002769"
+ logic_hash = "v1_sha256_08c4b5b4afefbf1ee207525f9b28bc7eed7b55cb07f8576fddfa0bbe95002769"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -97080,10 +97242,10 @@ rule ELASTIC_Windows_Ransomware_Nightsky_A7F19411 : FILE MEMORY
 date = "2022-01-11"
 modified = "2022-04-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Nightsky.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Nightsky.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577"
- logic_hash = "defc7ab43035c663302edfda60a4b57cb301b3d61662afe3ce1de2ac93cfc3e2"
+ logic_hash = "v1_sha256_defc7ab43035c663302edfda60a4b57cb301b3d61662afe3ce1de2ac93cfc3e2"
 score = 75
 quality = 48
 tags = "FILE, MEMORY"
@@ -97112,10 +97274,10 @@ rule ELASTIC_Windows_Ransomware_Nightsky_253C4D0D : FILE MEMORY
 date = "2022-03-14"
 modified = "2022-04-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Nightsky.yar#L24-L42"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Nightsky.yar#L24-L42"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224"
- logic_hash = "ba9e6dab664e464e0fdc65bd8bdccc661846d85e7fd8fbf089e72e9e5b71fb17"
+ logic_hash = "v1_sha256_ba9e6dab664e464e0fdc65bd8bdccc661846d85e7fd8fbf089e72e9e5b71fb17"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97141,10 +97303,10 @@ rule ELASTIC_Linux_Exploit_Race_758A0884 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Race.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Race.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a4966baaa34b05cb782071ef114a53cac164e6dece275c862fe96a2cff4a6f06"
- logic_hash = "ccba0e2ddefd53939cda6b4985def2d487ac5916cbad7374ac3143f02b9f7ff5"
+ logic_hash = "v1_sha256_ccba0e2ddefd53939cda6b4985def2d487ac5916cbad7374ac3143f02b9f7ff5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97170,10 +97332,10 @@ rule ELASTIC_Multi_Ransomware_Akira_21842Eb3 : FILE MEMORY
 date = "2024-11-21"
 modified = "2024-11-22"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_Akira.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_Akira.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75"
- logic_hash = "1c50f4da476cef9f9818f8c0117621eae232be0245ad244babe51d493f0a5a48"
+ logic_hash = "v1_sha256_1c50f4da476cef9f9818f8c0117621eae232be0245ad244babe51d493f0a5a48"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97199,10 +97361,10 @@ rule ELASTIC_Linux_Rootkit_Snapekit_01205A75 : FILE MEMORY
 date = "2024-11-13"
 modified = "2024-11-22"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Snapekit.yar#L1-L56"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Snapekit.yar#L1-L56"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "58d1e56fff04affb4c8cbb5fc3ea848e88d1f05c07e6f730e1cf17100ef1b666"
- logic_hash = "ba9b40481afb29a6db33fe61fe23b9f3895744da6737167788018396987bb533"
+ logic_hash = "v1_sha256_ba9b40481afb29a6db33fe61fe23b9f3895744da6737167788018396987bb533"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -97254,7 +97416,7 @@ rule ELASTIC_Linux_Rootkit_Snapekit_01205A75 : FILE MEMORY
 $hook26 = "hooked_udp6_seq_show"
 condition:
- 3 of ($str*) or 3 of ($func*) or 5 of ($hook*)
+ 3 of ( $str* ) or 3 of ( $func* ) or 5 of ( $hook* )
 }
 rule ELASTIC_Windows_Hacktool_Iox_98Cd1Cd8 : FILE MEMORY
 {
@@ -97265,10 +97427,10 @@ rule ELASTIC_Windows_Hacktool_Iox_98Cd1Cd8 : FILE MEMORY
 date = "2024-01-24"
 modified = "2024-01-29"
 reference = "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Iox.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Iox.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d4544a521d4e6eb07336816b1aae54f92c5c4fd2eb31dcfbdf26e4ef890e73db"
- logic_hash = "d7f9e4f399410d54416e974fbd66b2caa27359ae0f2e33e01d62f1aa618daa34"
+ logic_hash = "v1_sha256_d7f9e4f399410d54416e974fbd66b2caa27359ae0f2e33e01d62f1aa618daa34"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97297,10 +97459,10 @@ rule ELASTIC_Linux_Cryptominer_Xpaj_Fdbd614E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Xpaj.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Xpaj.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3e2b1b36981713217301dd02db33fb01458b3ff47f28dfdc795d8d1d332f13ea" - logic_hash = "70e6450f98411750361481aaad0d3ea079f58b1ae09970f04da09c20137a50fa" + logic_hash = "v1_sha256_70e6450f98411750361481aaad0d3ea079f58b1ae09970f04da09c20137a50fa" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -97326,10 +97488,10 @@ rule ELASTIC_Windows_Trojan_Sysjoker_1Ef19A12 : FILE MEMORY date = "2022-02-17" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SysJoker.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SysJoker.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc" - logic_hash = "25bd58d546549d208f9f95f4c27d1e58f86f87750dae1e293544cc92b25f8b32" + logic_hash = "v1_sha256_25bd58d546549d208f9f95f4c27d1e58f86f87750dae1e293544cc92b25f8b32" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97358,10 +97520,10 @@ rule ELASTIC_Windows_Trojan_Sysjoker_34559Bcd : FILE MEMORY date = "2022-02-21" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SysJoker.yar#L24-L48" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SysJoker.yar#L24-L48" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c" - logic_hash = "ebe7f6037f14e37b6efe81614c06c6d26fe0cc17d0475b8b19715f80d0d9aad3" + logic_hash = "v1_sha256_ebe7f6037f14e37b6efe81614c06c6d26fe0cc17d0475b8b19715f80d0d9aad3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97393,10 +97555,10 @@ rule ELASTIC_Linux_Ransomware_Esxiargs_75A8Ec04 : FILE MEMORY date = "2023-02-09" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Esxiargs.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Esxiargs.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66" - logic_hash = "7316cab75c1bcf41ae6c96afa41ef96c37ab1bb679f36a0cc1dd08002a357165" + logic_hash = "v1_sha256_7316cab75c1bcf41ae6c96afa41ef96c37ab1bb679f36a0cc1dd08002a357165" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97426,10 +97588,10 @@ rule ELASTIC_Windows_Trojan_Avemaria_31D2Bce9 : FILE MEMORY date = "2021-05-30" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_AveMaria.yar#L1-L31" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_AveMaria.yar#L1-L31" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b" - logic_hash = "7ba59c3be07e35b415719b60b14a0f629619e5729c20f50f00dbea0c2f8bd026" + logic_hash = "v1_sha256_7ba59c3be07e35b415719b60b14a0f629619e5729c20f50f00dbea0c2f8bd026" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -97456,7 +97618,7 @@ rule ELASTIC_Windows_Trojan_Avemaria_31D2Bce9 : FILE MEMORY $a13 = "Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper" wide fullword condition: - 8 of ($a*) + 8 of ( $a* ) } rule ELASTIC_Linux_Exploit_Moogrey_81131B66 : FILE MEMORY { 
@@ -97467,10 +97629,10 @@ rule ELASTIC_Linux_Exploit_Moogrey_81131B66 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Moogrey.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Moogrey.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cc27b9755bd9feb1fb2c510f66e36c20a1503e6769cdaeee2bea7fe962d22ccc" - logic_hash = "dc2fe7caa38f665d24bbc673ff63491ebdeec8d56a420092243ce241238846cf" + logic_hash = "v1_sha256_dc2fe7caa38f665d24bbc673ff63491ebdeec8d56a420092243ce241238846cf" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97496,10 +97658,10 @@ rule ELASTIC_Windows_Vulndriver_Glckio_39C4Abd4 : FILE date = "2022-04-04" modified = "2022-08-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_GlckIo.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_GlckIo.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25" - logic_hash = "fd43503c9427a386674c06bb790e110ac23c27d8fc4adedbaa8a9b7cb0cbafd4" + logic_hash = "v1_sha256_fd43503c9427a386674c06bb790e110ac23c27d8fc4adedbaa8a9b7cb0cbafd4" score = 75 quality = 75 tags = "FILE" @@ -97514,7 +97676,7 @@ rule ELASTIC_Windows_Vulndriver_Glckio_39C4Abd4 : FILE $str1 = "\\GLCKIO2.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $str1 } rule ELASTIC_Windows_Vulndriver_Glckio_68D5Afbb : FILE { 
@@ -97525,10 +97687,10 @@ rule ELASTIC_Windows_Vulndriver_Glckio_68D5Afbb : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_GlckIo.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_GlckIo.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a" - logic_hash = "0b5f0d408a5c4089ef496c5f8241a34d0468cc3d21e89e41dc105a0df0855d38" + logic_hash = "v1_sha256_0b5f0d408a5c4089ef496c5f8241a34d0468cc3d21e89e41dc105a0df0855d38" score = 75 quality = 75 tags = "FILE" @@ -97543,7 +97705,7 @@ rule ELASTIC_Windows_Vulndriver_Glckio_68D5Afbb : FILE $str1 = "[GLKIO2] Cannot resolve ZwQueryInformationProcess" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $str1 } rule ELASTIC_Windows_Hacktool_Processhacker_3D01069E : FILE { 
@@ -97554,10 +97716,10 @@ rule ELASTIC_Windows_Hacktool_Processhacker_3D01069E : FILE date = "2022-03-30" modified = "2022-03-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_ProcessHacker.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_ProcessHacker.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - logic_hash = "bcba74aa20b62329c48060bfebaf49ab12f89f9ec3a09fc0c0cb702de5e2b940" + logic_hash = "v1_sha256_bcba74aa20b62329c48060bfebaf49ab12f89f9ec3a09fc0c0cb702de5e2b940" score = 75 quality = 75 tags = "FILE" @@ -97572,7 +97734,7 @@ rule ELASTIC_Windows_Hacktool_Processhacker_3D01069E : FILE $original_file_name = "OriginalFilename\x00kprocesshacker.sys" wide fullword condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name } rule ELASTIC_Linux_Hacktool_Bruteforce_Bad95Bd6 : FILE MEMORY { 
@@ -97583,10 +97745,10 @@ rule ELASTIC_Linux_Hacktool_Bruteforce_Bad95Bd6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Bruteforce.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Bruteforce.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8e8be482357ebddc6ac3ea9ee60241d011063f7e558a59e6bd119e72e4862024" - logic_hash = "8001e6503baeb52c66c9b30026544913270085406a1fe4c45d14629811d36d5f" + logic_hash = "v1_sha256_8001e6503baeb52c66c9b30026544913270085406a1fe4c45d14629811d36d5f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97612,10 +97774,10 @@ rule ELASTIC_Linux_Hacktool_Bruteforce_66A14C03 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Bruteforce.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Bruteforce.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a2d8e2c34ae95243477820583c0b00dfe3f475811d57ffb95a557a227f94cd55" - logic_hash = "c8b2925c2e3f95e78f117ddd52e208d143d19ee75e9283f7f15d10e930eaac5f" + logic_hash = "v1_sha256_c8b2925c2e3f95e78f117ddd52e208d143d19ee75e9283f7f15d10e930eaac5f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97641,10 +97803,10 @@ rule ELASTIC_Linux_Hacktool_Bruteforce_Eb83B6Aa : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Bruteforce.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Bruteforce.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8dec88576f61f37fbaece3c30e71d338c340c8fb9c231f9d7b1c32510d2c3167" - logic_hash = "bc79860e414d07ee8000eea3d61827272d66faa90a8bf6c65fcda90a4bd762ef" + logic_hash = "v1_sha256_bc79860e414d07ee8000eea3d61827272d66faa90a8bf6c65fcda90a4bd762ef" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97670,10 +97832,10 @@ rule ELASTIC_Windows_Vulndriver_Dbutil_Ffe07C79 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_DBUtil.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_DBUtil.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3" - logic_hash = "18b1c93c395b105f446b4c968441e0a43e42b1bd7efcf6501a89eb92cbd21824" + logic_hash = "v1_sha256_18b1c93c395b105f446b4c968441e0a43e42b1bd7efcf6501a89eb92cbd21824" score = 75 quality = 75 tags = "FILE" @@ -97688,7 +97850,7 @@ rule ELASTIC_Windows_Vulndriver_Dbutil_Ffe07C79 : FILE $str1 = "\\DBUtilDrv2_32.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Windows_Vulndriver_Dbutil_852Ba283 : FILE { 
@@ -97699,10 +97861,10 @@ rule ELASTIC_Windows_Vulndriver_Dbutil_852Ba283 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_DBUtil.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_DBUtil.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5" - logic_hash = "78acd081c2517f9c53cb311481c0cc40cc3699b222afc290da1a3698e7bf75b7" + logic_hash = "v1_sha256_78acd081c2517f9c53cb311481c0cc40cc3699b222afc290da1a3698e7bf75b7" score = 75 quality = 75 tags = "FILE" @@ -97717,7 +97879,7 @@ rule ELASTIC_Windows_Vulndriver_Dbutil_852Ba283 : FILE $str1 = "\\DBUtilDrv2_64.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Linux_Ransomware_Clop_728Cf32A : FILE MEMORY { 
@@ -97728,10 +97890,10 @@ rule ELASTIC_Linux_Ransomware_Clop_728Cf32A : FILE MEMORY date = "2023-07-27" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Clop.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Clop.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef" - logic_hash = "31c2fdfcfc46ad1dd69489536172937b9771d8505f36c7bd8dc796f40a2fe4d2" + logic_hash = "v1_sha256_31c2fdfcfc46ad1dd69489536172937b9771d8505f36c7bd8dc796f40a2fe4d2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97760,9 +97922,9 @@ rule ELASTIC_Linux_Trojan_Setag_351Eeb76 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Setag.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "3519d9e4bfa18c19b49d0fa15ef78151bd13db9614406c4569720d20830f3cbb" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Setag.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_3519d9e4bfa18c19b49d0fa15ef78151bd13db9614406c4569720d20830f3cbb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97788,10 +97950,10 @@ rule ELASTIC_Linux_Trojan_Setag_01E2F79B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Setag.yar#L20-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Setag.yar#L20-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5b5e8486174026491341a750f6367959999bbacd3689215f59a62dbb13a45fcc" - logic_hash = "1e0336760f364acbbe0e8aec10bc7bfb48ed7e33cde56d8914617664cb93fd9b" + logic_hash = "v1_sha256_1e0336760f364acbbe0e8aec10bc7bfb48ed7e33cde56d8914617664cb93fd9b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -97817,10 +97979,10 @@ rule ELASTIC_Multi_Hacktool_Nps_C6Eb4A27 : FILE MEMORY date = "2024-01-24" modified = "2024-01-29" reference = "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Hacktool_Nps.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Hacktool_Nps.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4714e8ad9c625070ca0a151ffc98d87d8e5da7c8ef42037ca5f43baede6cfac1" - logic_hash = "53baf04f4ab8967761c6badb24f6632cc1bf4a448abf0049318b96855f30feea" + logic_hash = "v1_sha256_53baf04f4ab8967761c6badb24f6632cc1bf4a448abf0049318b96855f30feea" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -97851,10 +98013,10 @@ rule ELASTIC_Multi_Hacktool_Nps_F76F257D : FILE MEMORY date = "2024-01-24" modified = "2024-01-29" reference = "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Hacktool_Nps.yar#L27-L50" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Hacktool_Nps.yar#L27-L50" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "80721b20a8667536a33fca50236f5c8e0c0d07aa7805b980e40818ab92cd9f4a" - logic_hash = "0bbd7f86bfd2967dc390510c2e403d05e1b56551b965ea716b9e5330f75c9bd5" + logic_hash = "v1_sha256_0bbd7f86bfd2967dc390510c2e403d05e1b56551b965ea716b9e5330f75c9bd5" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -97884,10 +98046,10 @@ rule ELASTIC_Linux_Exploit_CVE_2021_3490_D369D615 : FILE MEMORY CVE_2021_3490 date = "2021-11-12" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2021_3490.yar#L1-L30" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2021_3490.yar#L1-L30" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e65ba616942fd1e893e10898d546fe54458debbc42e0d6826aff7a4bb4b2cf19" - logic_hash = "6fa4b36366d2c255f5ccf0e22a06c7e17df74fddd06963787dbcd713b3e8aca6" + logic_hash = "v1_sha256_6fa4b36366d2c255f5ccf0e22a06c7e17df74fddd06963787dbcd713b3e8aca6" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2021-3490" 
@@ -97924,10 +98086,10 @@ rule ELASTIC_Windows_Trojan_Hotpage_414F235F : FILE MEMORY date = "2024-07-18" modified = "2024-07-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_HotPage.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_HotPage.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b8464126b64c809b4ab47aa91c5f322ce2c0ae4fd668a43de738a5caa7567225" - logic_hash = "cfa0036b22a83a5396b3f9014511720071246a775053ad493791ebc1212400f2" + logic_hash = "v1_sha256_cfa0036b22a83a5396b3f9014511720071246a775053ad493791ebc1212400f2" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -97948,7 +98110,7 @@ rule ELASTIC_Windows_Trojan_Hotpage_414F235F : FILE MEMORY $s6 = "[%s] ADDbrowser PID ->[%d]" condition: - $SpcSpOpusInfo or 2 of ($s*) + $SpcSpOpusInfo or 2 of ( $s* ) } rule ELASTIC_Linux_Trojan_Chinaz_A2140Ca1 : FILE MEMORY { 
@@ -97959,10 +98121,10 @@ rule ELASTIC_Linux_Trojan_Chinaz_A2140Ca1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Chinaz.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Chinaz.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7c44c2ca77ef7a62446f6266a757817a6c9af5e010a219a43a1905e2bc5725b0" - logic_hash = "c9c63114e45b45b1c243af1f719cddc838a06a1f35d65dca6a2fb5574047eff0" + logic_hash = "v1_sha256_c9c63114e45b45b1c243af1f719cddc838a06a1f35d65dca6a2fb5574047eff0" score = 60 quality = 45 tags = "FILE, MEMORY" 
@@ -97988,10 +98150,10 @@ rule ELASTIC_Windows_Trojan_Matanbuchus_B521801B : FILE MEMORY date = "2022-03-17" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Matanbuchus.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Matanbuchus.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2" - logic_hash = "609a0941b118d737124a5cd9c98c007e21557a239cfa3cf97cd3b4348c934f03" + logic_hash = "v1_sha256_609a0941b118d737124a5cd9c98c007e21557a239cfa3cf97cd3b4348c934f03" score = 75 quality = 25 tags = "FILE, MEMORY" 
@@ -98020,10 +98182,10 @@ rule ELASTIC_Windows_Trojan_Matanbuchus_4Ce9Affb : FILE MEMORY date = "2022-03-17" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Matanbuchus.yar#L24-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Matanbuchus.yar#L24-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2" - logic_hash = "16441eb4617b6b3cb1e7d600959a5cbfe15c72c00361b45551b7ef4c81f78462" + logic_hash = "v1_sha256_16441eb4617b6b3cb1e7d600959a5cbfe15c72c00361b45551b7ef4c81f78462" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -98049,10 +98211,10 @@ rule ELASTIC_Windows_Trojan_Matanbuchus_58A61Aaa : FILE MEMORY date = "2022-03-17" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Matanbuchus.yar#L44-L62" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Matanbuchus.yar#L44-L62" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2" - logic_hash = "7226e2f61bd6f1cca15c1f3f8d8697cb277d1e214f756295ffda5bc16304cc49" + logic_hash = "v1_sha256_7226e2f61bd6f1cca15c1f3f8d8697cb277d1e214f756295ffda5bc16304cc49" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -98078,10 +98240,10 @@ rule ELASTIC_Windows_Trojan_Matanbuchus_C7811Ccc : FILE MEMORY date = "2022-03-17" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Matanbuchus.yar#L64-L82" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Matanbuchus.yar#L64-L82" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2" - logic_hash = "e65dc05f6d9289a42c05afdc4da0ce1c18c1129dd87688a277ece925e83d7ef1" + logic_hash = "v1_sha256_e65dc05f6d9289a42c05afdc4da0ce1c18c1129dd87688a277ece925e83d7ef1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -98107,10 +98269,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_17Ee6A17 : FILE MEMORY date = "2021-06-12" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382" - logic_hash = "0c868d0673c01e2c115d6822c34c877db77265251167f3a890a448a1de5c6a2d" + logic_hash = "v1_sha256_0c868d0673c01e2c115d6822c34c877db77265251167f3a890a448a1de5c6a2d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -98133,7 +98295,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_17Ee6A17 : FILE MEMORY $b6 = "k__BackingField" ascii fullword condition: - 1 of ($a*) or all of ($b*) + 1 of ( $a* ) or all of ( $b* ) } rule ELASTIC_Windows_Trojan_Redlinestealer_F54632Eb : FILE MEMORY { 
@@ -98144,10 +98306,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_F54632Eb : FILE MEMORY date = "2021-06-12" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L29-L56" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L29-L56" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25" - logic_hash = "1779919556ee5c9a78342aabafb8408e035cb39632b25c54da6bf195894901dc" + logic_hash = "v1_sha256_1779919556ee5c9a78342aabafb8408e035cb39632b25c54da6bf195894901dc" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -98171,7 +98333,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_F54632Eb : FILE MEMORY $a10 = "DataManager.Data.Credentials" ascii fullword condition: - 6 of ($a*) + 6 of ( $a* ) } rule ELASTIC_Windows_Trojan_Redlinestealer_3D9371Fd : FILE MEMORY { 
@@ -98182,10 +98344,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_3D9371Fd : FILE MEMORY
         date = "2022-02-17"
         modified = "2022-04-12"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L58-L82"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L58-L82"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a"
-        logic_hash = "1c8a64ce7615f502602ab960638dd55f4deaeea3b49d894274d64d4d0b6a1d10"
+        logic_hash = "v1_sha256_1c8a64ce7615f502602ab960638dd55f4deaeea3b49d894274d64d4d0b6a1d10"
         score = 75
         quality = 50
         tags = "FILE, MEMORY"
@@ -98217,10 +98379,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_63E7E006 : FILE MEMORY
         date = "2023-05-01"
         modified = "2023-06-13"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L84-L104"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L84-L104"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "e062c99dc9f3fa780ea9c6249fa4ef96bbe17fd1df38dbe11c664a10a92deece"
-        logic_hash = "2085eaf622b52372124e9b23d19e3e4a7fdb7a4559ad9a09216c1cbae96ca5b6"
+        logic_hash = "v1_sha256_2085eaf622b52372124e9b23d19e3e4a7fdb7a4559ad9a09216c1cbae96ca5b6"
         score = 75
         quality = 71
         tags = "FILE, MEMORY"
@@ -98248,10 +98410,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_F07B3Cb4 : FILE MEMORY
         date = "2023-05-03"
         modified = "2023-06-13"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L106-L125"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L106-L125"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "5e491625475fc25c465fc7f6db98def189c15a133af7d0ac1ecbc8d887c4feb6"
-        logic_hash = "64536e3b340254554154ac1b33adfb4f3c72a2c6c0d1ef27827621b905d431c5"
+        logic_hash = "v1_sha256_64536e3b340254554154ac1b33adfb4f3c72a2c6c0d1ef27827621b905d431c5"
         score = 75
         quality = 71
         tags = "FILE, MEMORY"
@@ -98278,10 +98440,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_4Df4Bcb6 : FILE MEMORY
         date = "2023-05-04"
         modified = "2023-06-13"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L127-L145"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L127-L145"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "9389475bd26c1d3fd04a083557f2797d0ee89dfdd1f7de67775fcd19e61dfbb3"
-        logic_hash = "d9027fa9c8d9c938159a734431bb2be67fd7cca1f898c2208f7b909157524da4"
+        logic_hash = "v1_sha256_d9027fa9c8d9c938159a734431bb2be67fd7cca1f898c2208f7b909157524da4"
         score = 75
         quality = 73
         tags = "FILE, MEMORY"
@@ -98307,10 +98469,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_15Ee6903 : FILE MEMORY
         date = "2023-05-04"
         modified = "2023-06-13"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L147-L166"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L147-L166"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "46b506cafb2460ca2969f69bcb0ee0af63b6d65e6b2a6249ef7faa21bde1a6bd"
-        logic_hash = "22c8a1f4b5b94261cfabdbcc00e45b9437a0132d4e9d4543b734d4f303336696"
+        logic_hash = "v1_sha256_22c8a1f4b5b94261cfabdbcc00e45b9437a0132d4e9d4543b734d4f303336696"
         score = 75
         quality = 71
         tags = "FILE, MEMORY"
@@ -98337,10 +98499,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_6Dfafd7B : FILE MEMORY
         date = "2024-01-05"
         modified = "2024-01-12"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L168-L186"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L168-L186"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "809e303ba26b894f006b8f2d3983ff697aef13b67c36957d98c56aae9afd8852"
-        logic_hash = "888bc2fdfae8673cd6bce56fc9894b3cab6d7e3c384d854d6bc8aef47fdecf1c"
+        logic_hash = "v1_sha256_888bc2fdfae8673cd6bce56fc9894b3cab6d7e3c384d854d6bc8aef47fdecf1c"
         score = 75
         quality = 73
         tags = "FILE, MEMORY"
@@ -98366,10 +98528,10 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_983Cd7A7 : FILE MEMORY
         date = "2024-03-27"
         modified = "2024-05-08"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_RedLineStealer.yar#L188-L208"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_RedLineStealer.yar#L188-L208"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "7aa20c57b8815dd63c8ae951e1819c75b5d2deec5aae0597feec878272772f35"
-        logic_hash = "2104bad5ec42bc72ec611607a53086a85359bdb4bf084d7377e9a8e234b0e928"
+        logic_hash = "v1_sha256_2104bad5ec42bc72ec611607a53086a85359bdb4bf084d7377e9a8e234b0e928"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98388,6 +98550,41 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_983Cd7A7 : FILE MEMORY
     condition:
         all of them
 }
+rule ELASTIC_Multi_Trojan_Gosar_31Dba745 : FILE MEMORY
+{
+    meta:
+        description = "Detects Multi Trojan Gosar (Multi.Trojan.Gosar)"
+        author = "Elastic Security"
+        id = "31dba745-8079-4161-9299-84a4c33b95c8"
+        date = "2024-11-05"
+        modified = "2024-12-04"
+        reference = "https://github.com/elastic/protections-artifacts/"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Gosar.yar#L1-L25"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+        hash = "4caf4b280e61745ce53f96f48a74dea3b69df299c3b9de78ba4731b83c76c334"
+        logic_hash = "v1_sha256_116fb9c44a992067d50cd95715ffa320c6141f133eb8c9dc91b2db8559a8ee2d"
+        score = 75
+        quality = 75
+        tags = "FILE, MEMORY"
+        fingerprint = "87e44b3050eb33edb24ad8aa8923ed91124f2e92e4eae42e94decefc49ccbf4c"
+        severity = 100
+        arch_context = "x86, arm64"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "multi"
+
+    strings:
+        $a1 = "GetRecoverAccounts"
+        $a2 = "GetIsFirstScreen"
+        $a3 = "DoWebcamStop"
+        $a4 = "DoAskElevate"
+        $a5 = "vibrant/proto/pb"
+        $a6 = "vibrant/network/sender"
+        $a7 = "vibrant/pkg/helpers"
+
+    condition:
+        3 of them
+}
 rule ELASTIC_Linux_Exploit_Local_47C64Fb6 : FILE MEMORY
 {
     meta:
@@ -98397,10 +98594,10 @@ rule ELASTIC_Linux_Exploit_Local_47C64Fb6 : FILE MEMORY
         date = "2021-01-12"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L1-L19"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L1-L19"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "0caa9035027ff88788e6b8e43bfc012a367a12148be809555c025942054a6360"
-        logic_hash = "7d977edd5fc90c6f03ed5558c690b3dd2102bbff9d7e5124403276405e15201b"
+        logic_hash = "v1_sha256_7d977edd5fc90c6f03ed5558c690b3dd2102bbff9d7e5124403276405e15201b"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98426,10 +98623,10 @@ rule ELASTIC_Linux_Exploit_Local_76C24B62 : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L21-L39"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L21-L39"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "330de2ca1add7e06389d94dfc541c367a484394c51663b26d27d89346b08ad1b"
-        logic_hash = "ff55d6a316394812cfa1108578aece91050bfb2f7e0f8c0440dcb64156f3e893"
+        logic_hash = "v1_sha256_ff55d6a316394812cfa1108578aece91050bfb2f7e0f8c0440dcb64156f3e893"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98455,10 +98652,10 @@ rule ELASTIC_Linux_Exploit_Local_30C21B03 : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L41-L59"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L41-L59"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "a09c81f185a4ceed134406fa7fefdfa7d8dfc10d639dd044c94fbb6d570fa029"
-        logic_hash = "396965c457b2e02d7d524d9d5fb3cc76852895ed9675c7b1205a94f47ba10144"
+        logic_hash = "v1_sha256_396965c457b2e02d7d524d9d5fb3cc76852895ed9675c7b1205a94f47ba10144"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98484,10 +98681,10 @@ rule ELASTIC_Linux_Exploit_Local_9Ace9649 : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L61-L79"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L61-L79"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "b38869605521531153cfd8077f05e0d6b52dca0fffbc627a4d5eaa84855a491c"
-        logic_hash = "d7a60b0cb7fcbd9e802660bda3e0456f7f4ef9db38b6dab131c160efce48909e"
+        logic_hash = "v1_sha256_d7a60b0cb7fcbd9e802660bda3e0456f7f4ef9db38b6dab131c160efce48909e"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98513,10 +98710,10 @@ rule ELASTIC_Linux_Exploit_Local_705C9589 : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L81-L99"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L81-L99"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "845727ea46491b46a665d4e1a3a9dbbe6cd0536d070f1c1efd533b91b75cdc88"
-        logic_hash = "9834d564c2acc688750d5e6c53db7c1201ef85c6fb3d1d0ea2425a5ba905ff18"
+        logic_hash = "v1_sha256_9834d564c2acc688750d5e6c53db7c1201ef85c6fb3d1d0ea2425a5ba905ff18"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98542,10 +98739,10 @@ rule ELASTIC_Linux_Exploit_Local_A677Fb9C : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L101-L119"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L101-L119"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "d20b260c7485173264e3e674adc7563ea3891224a3dc98bdd342ebac4a1349e8"
-        logic_hash = "9b43e651f73d17dbd2143cec4c79929723689ce738924588e38c99a9554e5545"
+        logic_hash = "v1_sha256_9b43e651f73d17dbd2143cec4c79929723689ce738924588e38c99a9554e5545"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98571,10 +98768,10 @@ rule ELASTIC_Linux_Exploit_Local_78E50162 : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L121-L139"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L121-L139"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "706c865257d5e1f5f434ae0f31e11dfc7e16423c4c639cb2763ec0f51bc73300"
-        logic_hash = "10a5bef486ec0ececfe0a9edfcad7ce053da2a97028cd1648aa27572fedd8ef6"
+        logic_hash = "v1_sha256_10a5bef486ec0ececfe0a9edfcad7ce053da2a97028cd1648aa27572fedd8ef6"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98600,10 +98797,10 @@ rule ELASTIC_Linux_Exploit_Local_3B767A1F : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L141-L159"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L141-L159"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "e05fed9e514cccbdb775f295327d8f8838b73ad12f25e7bb0b9d607ff3d0511c"
-        logic_hash = "0f24a7d4e8ff0899430aa0a702000f35039b07400120b382b675825630f0ea4e"
+        logic_hash = "v1_sha256_0f24a7d4e8ff0899430aa0a702000f35039b07400120b382b675825630f0ea4e"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98629,10 +98826,10 @@ rule ELASTIC_Linux_Exploit_Local_2535C9B6 : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L161-L179"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L161-L179"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "d0f9cc114f6a1f788f36e359e03a9bbf89c075f41aec006229b6ad20ebbfba0b"
-        logic_hash = "222e929d8352ed02714a59b0e1b9777b0f2d80d63cb369fa9bf33460c84efbb2"
+        logic_hash = "v1_sha256_222e929d8352ed02714a59b0e1b9777b0f2d80d63cb369fa9bf33460c84efbb2"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98658,10 +98855,10 @@ rule ELASTIC_Linux_Exploit_Local_6A9B5D50 : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L181-L199"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L181-L199"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "80ab71dc9ed2131b08b5b75b5a4a12719d499c6b6ee6819ad5a6626df4a1b862"
-        logic_hash = "99a18bfb62c195bdea89c688fed4456fee33477878ecdee8a78cd4bf18ad539b"
+        logic_hash = "v1_sha256_99a18bfb62c195bdea89c688fed4456fee33477878ecdee8a78cd4bf18ad539b"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98687,10 +98884,10 @@ rule ELASTIC_Linux_Exploit_Local_66557224 : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L201-L219"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L201-L219"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "f58151a2f653972e744822cdc420ab1c2b8b642877d3dfa2e8b2b6915e8edf40"
-        logic_hash = "5583f086d594ebdf5890a8a5fbee5c04fbddfe42adcae07480532d87e474ef0c"
+        logic_hash = "v1_sha256_5583f086d594ebdf5890a8a5fbee5c04fbddfe42adcae07480532d87e474ef0c"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98716,10 +98913,10 @@ rule ELASTIC_Linux_Exploit_Local_6229602F : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Local.yar#L221-L239"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Local.yar#L221-L239"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "4fdb15663a405f6fc4379aad9a5021040d7063b8bb82403bedb9578d45d428fa"
-        logic_hash = "c3ab6a36c0c2d430d576f7c0cfdc6d1affcd99d007e2d05596677da9bda5a19e"
+        logic_hash = "v1_sha256_c3ab6a36c0c2d430d576f7c0cfdc6d1affcd99d007e2d05596677da9bda5a19e"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98745,9 +98942,9 @@ rule ELASTIC_Linux_Trojan_Marut_47Af730D : FILE MEMORY
         date = "2021-01-12"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Marut.yar#L1-L18"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
-        logic_hash = "048ce8059be6697c5f507fb1912ac2adcedab87c75583dd84700984e6d0d81e6"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Marut.yar#L1-L18"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+        logic_hash = "v1_sha256_048ce8059be6697c5f507fb1912ac2adcedab87c75583dd84700984e6d0d81e6"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98773,10 +98970,10 @@ rule ELASTIC_Windows_Wiper_Hermeticwiper_7206A969 : FILE MEMORY
         date = "2022-02-24"
         modified = "2022-02-24"
         reference = "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Wiper_HermeticWiper.yar#L1-L25"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Wiper_HermeticWiper.yar#L1-L25"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
-        logic_hash = "84c61b8223a6ebf1ccfa4fdccee3c9091abca4553e55ac6c2492cff5503b4774"
+        logic_hash = "v1_sha256_84c61b8223a6ebf1ccfa4fdccee3c9091abca4553e55ac6c2492cff5503b4774"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98807,9 +99004,9 @@ rule ELASTIC_Macos_Exploit_Log4J_75A13888 : FILE MEMORY
         date = "2021-12-13"
         modified = "2022-07-22"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Exploit_Log4j.yar#L1-L24"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
-        logic_hash = "b09d8dd9c422e7eb8aa23f8b1204d31fd290252925099300d6d19d73e562ca5e"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Exploit_Log4j.yar#L1-L24"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+        logic_hash = "v1_sha256_b09d8dd9c422e7eb8aa23f8b1204d31fd290252925099300d6d19d73e562ca5e"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98830,7 +99027,7 @@ rule ELASTIC_Macos_Exploit_Log4J_75A13888 : FILE MEMORY
         $exp4 = "Exploit.java"
 
     condition:
-        2 of ($jndi*) and 1 of ($exp*)
+        2 of ( $jndi* ) and 1 of ( $exp* )
 }
 rule ELASTIC_Macos_Trojan_Sugarloader_E7E1D99C : FILE MEMORY
 {
@@ -98841,10 +99038,10 @@ rule ELASTIC_Macos_Trojan_Sugarloader_E7E1D99C : FILE MEMORY
         date = "2023-10-24"
         modified = "2023-10-24"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_SugarLoader.yar#L1-L23"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_SugarLoader.yar#L1-L23"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "3ea2ead8f3cec030906dcbffe3efd5c5d77d5d375d4a54cca03bfe8a6cb59940"
-        logic_hash = "0689b704add81e8e7968d9dba5f60d45c8791209330f4ee97e218f8eeb22c88f"
+        logic_hash = "v1_sha256_0689b704add81e8e7968d9dba5f60d45c8791209330f4ee97e218f8eeb22c88f"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98863,7 +99060,7 @@ rule ELASTIC_Macos_Trojan_Sugarloader_E7E1D99C : FILE MEMORY
         $seq_recieve_msg = { 45 85 FF 74 ?? 45 39 EF BA ?? ?? ?? ?? 41 0F 42 D7 41 8B 3C 24 48 89 DE 31 C9 E8 ?? ?? ?? ?? 41 29 C7 48 01 C3 48 85 C0 7F ?? B8 ?? ?? ?? ?? EB ?? }
 
     condition:
-        3 of ($seq*)
+        3 of ( $seq* )
 }
 rule ELASTIC_Linux_Cryptominer_Ursu_3C05F8Ab : FILE MEMORY
 {
@@ -98874,10 +99071,10 @@ rule ELASTIC_Linux_Cryptominer_Ursu_3C05F8Ab : FILE MEMORY
         date = "2021-01-12"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Ursu.yar#L1-L19"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Ursu.yar#L1-L19"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "d72361010184f5a48386860918052dbb8726d40e860ea0287994936702577956"
-        logic_hash = "8261e4ee40131cd7df61914cd7bdf154e8a2b5fa3abd9d301436f9371253f510"
+        logic_hash = "v1_sha256_8261e4ee40131cd7df61914cd7bdf154e8a2b5fa3abd9d301436f9371253f510"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98903,10 +99100,10 @@ rule ELASTIC_Linux_Ransomware_Limpdemon_95C748E0 : FILE MEMORY
         date = "2023-07-27"
         modified = "2024-02-13"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_LimpDemon.yar#L1-L22"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_LimpDemon.yar#L1-L22"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "a4200e90a821a2f2eb3056872f06cf5b057be154dcc410274955b2aaca831651"
-        logic_hash = "e66906725c0af657d91771642908ac0b2c72a97c4d4f651dcc907c2c1437f2da"
+        logic_hash = "v1_sha256_e66906725c0af657d91771642908ac0b2c72a97c4d4f651dcc907c2c1437f2da"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98935,10 +99132,10 @@ rule ELASTIC_Windows_Trojan_Wikiloader_C57F3F88 : FILE MEMORY
         date = "2024-01-17"
         modified = "2024-02-08"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_WikiLoader.yar#L1-L19"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_WikiLoader.yar#L1-L19"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "0f71b1805d7feb6830b856c5a5328d3a132af4c37fcd747d82beb0f61c77f6f5"
-        logic_hash = "408c6d811232dbd0c87f75fd28508366151cf9f2f10f012919588db1919e406b"
+        logic_hash = "v1_sha256_408c6d811232dbd0c87f75fd28508366151cf9f2f10f012919588db1919e406b"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98964,10 +99161,10 @@ rule ELASTIC_Windows_Trojan_Wikiloader_99681F1C : FILE MEMORY
         date = "2024-01-17"
         modified = "2024-02-08"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_WikiLoader.yar#L21-L39"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_WikiLoader.yar#L21-L39"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "0b02cfe16ac73f2e7dc52eaf3b93279b7d02b3d64d061782dfed0c55ab621a8e"
-        logic_hash = "fb293d74186e778856780377120ac2ebe9550a508a0b33e706c39f93a5509df8"
+        logic_hash = "v1_sha256_fb293d74186e778856780377120ac2ebe9550a508a0b33e706c39f93a5509df8"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -98993,10 +99190,10 @@ rule ELASTIC_Linux_Trojan_Sckit_A244328F : FILE MEMORY
         date = "2021-04-06"
         modified = "2021-09-16"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sckit.yar#L1-L19"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sckit.yar#L1-L19"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "685da66303a007322d235b7808190c3ea78a828679277e8e03e6d8d511df0a30"
-        logic_hash = "8001c9fcf9f8b70c3e27554156b0b26ddcd6cab36bf97cf3b89a4c43c9ad883c"
+        logic_hash = "v1_sha256_8001c9fcf9f8b70c3e27554156b0b26ddcd6cab36bf97cf3b89a4c43c9ad883c"
         score = 75
         quality = 75
         tags = "FILE, MEMORY"
@@ -99022,10 +99219,10 @@ rule ELASTIC_Windows_Trojan_Hawkeye_77C36Ace : FILE MEMORY
         date = "2021-08-16"
         modified = "2021-10-04"
         reference = "https://github.com/elastic/protections-artifacts/"
-        source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Hawkeye.yar#L1-L23"
-        license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+        source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Hawkeye.yar#L1-L23"
+        license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
         hash = "28e28025060f1bafd4eb96c7477cab73497ca2144b52e664b254c616607d94cd"
-        logic_hash = "e8c1060efde0c4a073247d03a19dedb1c0acc8506fbf6eac93ac44f00fc73be1"
+        logic_hash = "v1_sha256_e8c1060efde0c4a073247d03a19dedb1c0acc8506fbf6eac93ac44f00fc73be1"
         score = 75
         quality = 50
         tags = "FILE, MEMORY"
@@ -99055,10 +99252,10 @@ rule ELASTIC_Windows_Trojan_Hawkeye_975D546C : FILE MEMORY date = "2023-03-23" modified = "2023-04-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Hawkeye.yar#L25-L48" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Hawkeye.yar#L25-L48" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "aca133bf1d72cf379101e6877871979d6e6e8bc4cc692a5ba815289735014340" - logic_hash = "cbd8ce991059f961236a4bb83ea5a78efa661199b40fca8b09550856e932198b" + logic_hash = "v1_sha256_cbd8ce991059f961236a4bb83ea5a78efa661199b40fca8b09550856e932198b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99089,10 +99286,10 @@ rule ELASTIC_Windows_Hacktool_Sharpsccm_9Bef8Dab : FILE MEMORY date = "2024-03-25" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpSCCM.yar#L1-L31" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpSCCM.yar#L1-L31" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2e169c4fd16627029445bb0365a2f9ee61ab6b3757b8ad02fd210ce85dc9c97f" - logic_hash = "560c780934a63b3c857a09841c09cbc350205868c696fac958e249e1379cc865" + logic_hash = "v1_sha256_560c780934a63b3c857a09841c09cbc350205868c696fac958e249e1379cc865" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -99119,7 +99316,7 @@ rule ELASTIC_Windows_Hacktool_Sharpsccm_9Bef8Dab : FILE MEMORY $s12 = "CCM_POST" wide fullword condition: - ($name and 2 of ($s*)) or 7 of ($s*) + ($name and 2 of ( $s* ) ) or 7 of ( $s* ) } rule ELASTIC_Linux_Exploit_Sorso_Ecf99F8F : FILE MEMORY { 
@@ -99130,10 +99327,10 @@ rule ELASTIC_Linux_Exploit_Sorso_Ecf99F8F : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Sorso.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Sorso.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd" - logic_hash = "c771ff109e548e37134cd76ac668f0d4abafcf262de12b00236ad94fc11a99d1" + logic_hash = "v1_sha256_c771ff109e548e37134cd76ac668f0d4abafcf262de12b00236ad94fc11a99d1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99159,10 +99356,10 @@ rule ELASTIC_Linux_Exploit_Sorso_91A4D487 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Sorso.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Sorso.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd" - logic_hash = "bb58c78ae3cc730aa1ef32974f65adabd63972ef181696aeb79954f904f2f405" + logic_hash = "v1_sha256_bb58c78ae3cc730aa1ef32974f65adabd63972ef181696aeb79954f904f2f405" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99188,10 +99385,10 @@ rule ELASTIC_Linux_Exploit_Sorso_61Eae7Dd : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Sorso.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Sorso.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd" - logic_hash = "a8bc8a2c8405b80b160ad21898003781405a762c0e627f13b34e9362e0aa51a1" + logic_hash = "v1_sha256_a8bc8a2c8405b80b160ad21898003781405a762c0e627f13b34e9362e0aa51a1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99217,10 +99414,10 @@ rule ELASTIC_Linux_Trojan_Melofee_C23D18F3 : FILE MEMORY date = "2024-11-14" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Melofee.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Melofee.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b0abf6691e769ead1f11cfdcd300f8cd5291f19059be6bb40d556f793b1bc21e" - logic_hash = "fd769e0eca9ee858a3773a906189c510742364722b3e5c384158b3ec4158fc68" + logic_hash = "v1_sha256_fd769e0eca9ee858a3773a906189c510742364722b3e5c384158b3ec4158fc68" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -99251,10 +99448,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_D9E6B88E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a4ac275275e7be694a200fe6c5c5746256398c109cf54f45220637fe5d9e26ba" - logic_hash = "979d2ae62efca0f719ed1db2ff832dc9a0aa0347dcd50ccede29ec35cba6d296" + logic_hash = "v1_sha256_979d2ae62efca0f719ed1db2ff832dc9a0aa0347dcd50ccede29ec35cba6d296" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99280,10 +99477,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_30C039E2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b494ca3b7bae2ab9a5197b81e928baae5b8eac77dfdc7fe1223fee8f27024772" - logic_hash = "a9dbfede68a3209b403aa40dbc5b69326c3e1c14259ed6bc6351f0f9412cfce2" + logic_hash = "v1_sha256_a9dbfede68a3209b403aa40dbc5b69326c3e1c14259ed6bc6351f0f9412cfce2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99309,10 +99506,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_C94Eec37 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "294fcdd57fc0a53e2d63b620e85fa65c00942db2163921719d052d341aa2dc30" - logic_hash = "39a49e1661ac2ca6a43a56b0bd136976f6d506c0779d862a43ba2c25d6947fee" + logic_hash = "v1_sha256_39a49e1661ac2ca6a43a56b0bd136976f6d506c0779d862a43ba2c25d6947fee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99338,10 +99535,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_F806D5D9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5259495788f730a2a3bad7478c1873c8a6296506a778f18bc68e39ce48b979da" - logic_hash = "86336f662e3abcf2fe7635155782c549fc9eef514356bf78bfbc3b65192e2d90" + logic_hash = "v1_sha256_86336f662e3abcf2fe7635155782c549fc9eef514356bf78bfbc3b65192e2d90" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -99367,10 +99564,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_0Fa3A6E9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a" - logic_hash = "970062e909ffe5356b750605f2c44a6e893949bc5bc71be3ea98b16e51629d4d" + logic_hash = "v1_sha256_970062e909ffe5356b750605f2c44a6e893949bc5bc71be3ea98b16e51629d4d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99396,10 +99593,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_36A98405 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a57de6cd3468f55b4bfded5f1eed610fdb2cbffbb584660ae000c20663d5b304" - logic_hash = "a32d324d1865a7796faefbc2f209e6043008a696929fe7837afbbc770e6f4c74" + logic_hash = "v1_sha256_a32d324d1865a7796faefbc2f209e6043008a696929fe7837afbbc770e6f4c74" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99425,10 +99622,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_0C6686B8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "409c55110d392aed1a9ec98a6598fb8da86ab415534c8754aa48e3949e7c4b62" - logic_hash = "731bb3f9957e8777040c0b7b316a818f4ee1ca9a113fb9eed24ee61bfc71e11d" + logic_hash = "v1_sha256_731bb3f9957e8777040c0b7b316a818f4ee1ca9a113fb9eed24ee61bfc71e11d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99454,10 +99651,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_9Ce5B69F : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L141-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L141-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ad63fbd15b7de4da0db1b38609b7481253c100e3028c19831a5d5c1926351829" - logic_hash = "b9756eb99e59ba3a9a616b391bcf26bda26a6ac0de115460f9ba52129f590764" + logic_hash = "v1_sha256_b9756eb99e59ba3a9a616b391bcf26bda26a6ac0de115460f9ba52129f590764" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99483,10 +99680,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_55A80Ab6 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L161-L179" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L161-L179" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5259495788f730a2a3bad7478c1873c8a6296506a778f18bc68e39ce48b979da" - logic_hash = "1fc29f98e9ea2a5b67d0a88f37813a5e62b5f1d2a26aee74f90e9ead445dc713" + logic_hash = "v1_sha256_1fc29f98e9ea2a5b67d0a88f37813a5e62b5f1d2a26aee74f90e9ead445dc713" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -99512,10 +99709,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_E98B83Ee : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L181-L199" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L181-L199" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cf1ca1d824c8687e87a5b0275a0e39fa101442b4bbf470859ddda9982f9b3417" - logic_hash = "8b16c0fee991ee2143a20998097066a90b1f20060bac7b42e5c3188adcdc7907" + logic_hash = "v1_sha256_8b16c0fee991ee2143a20998097066a90b1f20060bac7b42e5c3188adcdc7907" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99541,10 +99738,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_8A11F9Be : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L201-L219" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L201-L219" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571" - logic_hash = "f80dcb3579a76da787e9bb2bfb02ef86e464aec1bea405f02642b8c8902c7663" + logic_hash = "v1_sha256_f80dcb3579a76da787e9bb2bfb02ef86e464aec1bea405f02642b8c8902c7663" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -99570,10 +99767,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_2462067E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L221-L239" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L221-L239" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3847f1c7c15ce771613079419de3d5e8adc07208e1fefa23f7dd416b532853a1" - logic_hash = "cf6c0703f9108f8193e0a9c18ba3d76263527a13fe44e194fa464d399512ae05" + logic_hash = "v1_sha256_cf6c0703f9108f8193e0a9c18ba3d76263527a13fe44e194fa464d399512ae05" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99599,10 +99796,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_0A028640 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L241-L259" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L241-L259" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e36081f0dbd6d523c9378cdd312e117642b0359b545b29a61d8f9027d8c0f2f0" - logic_hash = "663f110c7214498466759b66a83ff1844f5bf45ce706fa8ad0e8b205cc9c8f72" + logic_hash = "v1_sha256_663f110c7214498466759b66a83ff1844f5bf45ce706fa8ad0e8b205cc9c8f72" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99628,10 +99825,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_6B3974B2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L281-L299" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L281-L299" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04" - logic_hash = "7c44a0abcd51a6b775fc379b592652ebb10faf16c039ca23b20984183340cada" + logic_hash = "v1_sha256_7c44a0abcd51a6b775fc379b592652ebb10faf16c039ca23b20984183340cada" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99657,10 +99854,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_87Bcb848 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L301-L319" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L301-L319" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "575b0dc887d132aa3983e5712b8f642b03762b0685fbd5a32c104bca72871857" - logic_hash = "60e8aa7e27ea0bec665075a373ce150c21af4cddfd511b7ec771293126f0006c" + logic_hash = "v1_sha256_60e8aa7e27ea0bec665075a373ce150c21af4cddfd511b7ec771293126f0006c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99686,9 +99883,9 @@ rule ELASTIC_Linux_Trojan_Tsunami_Ad60D7E8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L321-L338" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "1253a8cd1a5230f1ec1f8c7ecd07f89f28acf5c2aa92395c6cb9e635c16a1e25" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L321-L338" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_1253a8cd1a5230f1ec1f8c7ecd07f89f28acf5c2aa92395c6cb9e635c16a1e25" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -99714,10 +99911,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_22646C0D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L340-L358" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L340-L358" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "20439a8fc21a94c194888725fbbb7a7fbeef5faf4b0f704559d89f1cd2e57d9d" - logic_hash = "548f531429132392f6d9bccff706b56ba87d8e44763116dedca5d0baa5097b92" + logic_hash = "v1_sha256_548f531429132392f6d9bccff706b56ba87d8e44763116dedca5d0baa5097b92" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99743,10 +99940,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_019F0E75 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L360-L378" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L360-L378" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "575b0dc887d132aa3983e5712b8f642b03762b0685fbd5a32c104bca72871857" - logic_hash = "7a63eb94266b04a31ba67165c512e2e060c3e344665aeed748a51943143b2219" + logic_hash = "v1_sha256_7a63eb94266b04a31ba67165c512e2e060c3e344665aeed748a51943143b2219" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99772,10 +99969,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_7C545Abf : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L380-L398" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L380-L398" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "95691c7ad1d80f7f1b5541e1d1a1dbeba30a26702a4080d256f14edb75851c5d" - logic_hash = "fa50ccc4c85417d18a84b7f117f853609c44b17c488a937cdc7495e2d32757f7" + logic_hash = "v1_sha256_fa50ccc4c85417d18a84b7f117f853609c44b17c488a937cdc7495e2d32757f7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99801,10 +99998,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_32C0B950 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L400-L418" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L400-L418" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "214c1caf20ceae579476d3bf97f489484df4c5f1c0c44d37ff9b9066072cd83c" - logic_hash = "db077e5916327ca78fcc9dc35f64e5c497dbbe60c4a0c1eb7abb49c555765681" + logic_hash = "v1_sha256_db077e5916327ca78fcc9dc35f64e5c497dbbe60c4a0c1eb7abb49c555765681" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99830,10 +100027,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_Cbf50D9C : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L420-L438" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L420-L438" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b64d0cf4fc4149aa4f63900e61b6739e154d328ea1eb31f4c231016679fc4aa5" - logic_hash = "331a35fb3ecc54022b1d4d05bd64e7c5c6a7997b06dbea3a36c33ccc0a2f7086" + logic_hash = "v1_sha256_331a35fb3ecc54022b1d4d05bd64e7c5c6a7997b06dbea3a36c33ccc0a2f7086" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99859,10 +100056,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_40C25A06 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L440-L458" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L440-L458" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "61af6bb7be25465e7d469953763be5671f33c197d4b005e4a78227da11ae91e9" - logic_hash = "38976911ff9e56fae27fad8b9df01063ed703f43c8220b1fbcef7a3945b3f1ad" + logic_hash = "v1_sha256_38976911ff9e56fae27fad8b9df01063ed703f43c8220b1fbcef7a3945b3f1ad" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99888,10 +100085,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_35806Adc : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L460-L478" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L460-L478" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "15e7942ebf88a51346d3a5975bb1c2d87996799e6255db9e92aed798d279b36b" - logic_hash = "6e9d3e5c0a33208d1b5f4f84f8634955e70bd63395b367cd1ece67798ce5e502" + logic_hash = "v1_sha256_6e9d3e5c0a33208d1b5f4f84f8634955e70bd63395b367cd1ece67798ce5e502" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99917,10 +100114,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_D74D7F0C : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L480-L498" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L480-L498" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b0a8b2259c00d563aa387d7e1a1f1527405da19bf4741053f5822071699795e2" - logic_hash = "6f5313fc9e838bd06bd4e797ea7fb448073849dc714ecf18809f94900fa11ca2" + logic_hash = "v1_sha256_6f5313fc9e838bd06bd4e797ea7fb448073849dc714ecf18809f94900fa11ca2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99946,10 +100143,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_71D31510 : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L500-L518" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L500-L518" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "33dd6c0af99455a0ca3908c0117e16a513b39fabbf9c52ba24c7b09226ad8626" - logic_hash = "18bfe9347faf1811686a61e0ee0de5cef842beb25fb06793947309135c41de89" + logic_hash = "v1_sha256_18bfe9347faf1811686a61e0ee0de5cef842beb25fb06793947309135c41de89" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -99975,10 +100172,10 @@ rule ELASTIC_Linux_Trojan_Tsunami_97288Af8 : FILE MEMORY
 date = "2021-12-13"
 modified = "2022-01-26"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Tsunami.yar#L520-L538"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Tsunami.yar#L520-L538"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c39eb055c5f71ebfd6881ff04e876f49495c0be5560687586fc47bf5faee0c84"
- logic_hash = "c5b521cc887236a189dca419476758cee0f1513a8ad81c94b1ff42e4fe232b8e"
+ logic_hash = "v1_sha256_c5b521cc887236a189dca419476758cee0f1513a8ad81c94b1ff42e4fe232b8e"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -100004,10 +100201,10 @@ rule ELASTIC_Windows_Trojan_Dragonbreath_B27Bc56B : FILE MEMORY
 date = "2024-06-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DragonBreath.yar#L1-L21"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DragonBreath.yar#L1-L21"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "45023fd0e694d66c284dfe17f78c624fd7e246a6c36860a0d892d232a30949be"
- logic_hash = "b86d5541a7e03a698ad918cdbba987474c6680353b4d2de2f8422ecd0ebcac61"
+ logic_hash = "v1_sha256_b86d5541a7e03a698ad918cdbba987474c6680353b4d2de2f8422ecd0ebcac61"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -100035,10 +100232,10 @@ rule ELASTIC_Multi_Hacktool_Supershell_F7486598 : FILE MEMORY
 date = "2024-09-12"
 modified = "2024-09-30"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Hacktool_SuperShell.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Hacktool_SuperShell.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "18556a794f5d47f93d375e257fa94b9fb1088f3021cf79cc955eb4c1813a95da"
- logic_hash = "8c2c3f13fad03ece29f7f3fd12e22807b61ecdc16dee00b6430b915631554cff"
+ logic_hash = "v1_sha256_8c2c3f13fad03ece29f7f3fd12e22807b61ecdc16dee00b6430b915631554cff"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100056,7 +100253,7 @@ rule ELASTIC_Multi_Hacktool_Supershell_F7486598 : FILE MEMORY
 $b3 = "Missing listening address"
 condition:
- $a and 1 of ($b*)
+ $a and 1 of ( $b* )
 }
 
 rule ELASTIC_Windows_Trojan_Naplistener_E8F16920 : FILE MEMORY
 {
@@ -100067,10 +100264,10 @@ rule ELASTIC_Windows_Trojan_Naplistener_E8F16920 : FILE MEMORY
 date = "2023-02-28"
 modified = "2023-03-20"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_NapListener.yar#L1-L21"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_NapListener.yar#L1-L21"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6e8c5bb2dfc90bca380c6f42af7458c8b8af40b7be95fab91e7c67b0dee664c4"
- logic_hash = "6cb7b5051fab2b56f39b2805788b5b0838a095b41fcc623fe412b215736be5d4"
+ logic_hash = "v1_sha256_6cb7b5051fab2b56f39b2805788b5b0838a095b41fcc623fe412b215736be5d4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100098,10 +100295,10 @@ rule ELASTIC_Windows_Trojan_Naplistener_414180A7 : FILE MEMORY
 date = "2023-02-28"
 modified = "2023-03-20"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_NapListener.yar#L23-L46"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_NapListener.yar#L23-L46"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6e8c5bb2dfc90bca380c6f42af7458c8b8af40b7be95fab91e7c67b0dee664c4"
- logic_hash = "52d3ddebdc1a8aa4bcb902273bd2d3b4f9b51f248d25e7ae1cc260a9550111f5"
+ logic_hash = "v1_sha256_52d3ddebdc1a8aa4bcb902273bd2d3b4f9b51f248d25e7ae1cc260a9550111f5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100132,10 +100329,10 @@ rule ELASTIC_Windows_Trojan_Protects_9F6Eaa90 : FILE
 date = "2022-04-04"
 modified = "2022-06-09"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_ProtectS.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_ProtectS.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c0330e072b7003f55a3153ac3e0859369b9c3e22779b113284e95ce1e2ce2099"
- logic_hash = "ddc8c97598b2d961dc51bdf2c7ab96abcec63824acd39b767bc175371844c1e5"
+ logic_hash = "v1_sha256_ddc8c97598b2d961dc51bdf2c7ab96abcec63824acd39b767bc175371844c1e5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -100150,7 +100347,7 @@ rule ELASTIC_Windows_Trojan_Protects_9F6Eaa90 : FILE
 $str1 = "\\ProtectS.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 
 rule ELASTIC_Linux_Trojan_Sqlexp_1Aa5001E : FILE MEMORY
 {
@@ -100161,10 +100358,10 @@ rule ELASTIC_Linux_Trojan_Sqlexp_1Aa5001E : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sqlexp.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sqlexp.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "714a520fc69c54bcd422e75f4c3b71ce636cfae7fcec3c5c413d1294747d2dd6"
- logic_hash = "48c7331c80aa7d918f46d282c6f38b8e780f9b5222cf9304bf1a8bb39cc129ab"
+ logic_hash = "v1_sha256_48c7331c80aa7d918f46d282c6f38b8e780f9b5222cf9304bf1a8bb39cc129ab"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100190,10 +100387,10 @@ rule ELASTIC_Linux_Ransomware_Akira_02237952 : FILE MEMORY
 date = "2023-07-28"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Akira.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Akira.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296"
- logic_hash = "a9b3cdddb3387251d7da90f32b08b9c1eedcdff1fe90d51f4732183666a6d467"
+ logic_hash = "v1_sha256_a9b3cdddb3387251d7da90f32b08b9c1eedcdff1fe90d51f4732183666a6d467"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100222,10 +100419,10 @@ rule ELASTIC_Linux_Ransomware_Akira_27440619 : FILE MEMORY
 date = "2024-11-21"
 modified = "2024-11-22"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Akira.yar#L24-L42"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Akira.yar#L24-L42"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75"
- logic_hash = "d2bb413b5919b3ed6239fbc714d025d2ddc321cb8a0b310aaae48b0869810be8"
+ logic_hash = "v1_sha256_d2bb413b5919b3ed6239fbc714d025d2ddc321cb8a0b310aaae48b0869810be8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100251,10 +100448,10 @@ rule ELASTIC_Linux_Hacktool_Wipelog_Daea1Aa4 : FILE MEMORY
 date = "2022-03-17"
 modified = "2022-07-22"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Wipelog.yar#L1-L29"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Wipelog.yar#L1-L29"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "39b3a95928326012c3b2f64e2663663adde4b028d940c7e804ac4d3953677ea6"
- logic_hash = "e2483b7719f4a1e28ec3732120770066333d8db269c9c9711813a8eeb75176d6"
+ logic_hash = "v1_sha256_e2483b7719f4a1e28ec3732120770066333d8db269c9c9711813a8eeb75176d6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100290,10 +100487,10 @@ rule ELASTIC_Linux_Exploit_Vmsplice_Cfa94001 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Vmsplice.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Vmsplice.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0a26e67692605253819c489cd4793a57e86089d50150124394c30a8801bf33e6"
- logic_hash = "b5a86a79384997f977d353371ccaa8c736f5c24af40b85a24076d4c4fb79a237"
+ logic_hash = "v1_sha256_b5a86a79384997f977d353371ccaa8c736f5c24af40b85a24076d4c4fb79a237"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100319,10 +100516,10 @@ rule ELASTIC_Linux_Exploit_Vmsplice_A000F267 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Vmsplice.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Vmsplice.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c85cc6768a28fb7de16f1cad8d3c69d8f0b4aa01e00c8e48759d27092747ca6f"
- logic_hash = "2a8cb11bb21f2ce620a6fa1f0fb932bef60a479fac836058ec4e8c760b5d60f9"
+ logic_hash = "v1_sha256_2a8cb11bb21f2ce620a6fa1f0fb932bef60a479fac836058ec4e8c760b5d60f9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100348,10 +100545,10 @@ rule ELASTIC_Linux_Exploit_Vmsplice_8B9E4F9F : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Vmsplice.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Vmsplice.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0230c81ba747e588cd9b6113df6e1867dcabf9d8ada0c1921d1bffa9c1b9c75d"
- logic_hash = "6979a900a2532a8da36711f3ffe13f71ec4efa7771aa2feec9391bd031aaa023"
+ logic_hash = "v1_sha256_6979a900a2532a8da36711f3ffe13f71ec4efa7771aa2feec9391bd031aaa023"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100377,10 +100574,10 @@ rule ELASTIC_Linux_Exploit_Vmsplice_055F88B8 : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Vmsplice.yar#L61-L79"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Vmsplice.yar#L61-L79"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "607c8c5edc8cbbd79a40ce4a0eccf46e01447985d9415d1eff6a91bf64074507"
- logic_hash = "29e59bb372f0b37b507c72e5b5bcb27ba0fa2aaac71ea77f0cab85af31708c8a"
+ logic_hash = "v1_sha256_29e59bb372f0b37b507c72e5b5bcb27ba0fa2aaac71ea77f0cab85af31708c8a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100406,9 +100603,9 @@ rule ELASTIC_Linux_Exploit_Vmsplice_431E689D : FILE MEMORY
 date = "2021-06-28"
 modified = "2021-09-16"
 reference = "1cbb09223f16af4cd13545d72dbeeb996900535b1e279e4bcf447670728de1e1"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Vmsplice.yar#L81-L99"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "5b9a7ffcd6fc6893a8224fd2b9ca59f4cff6086669a73190114db510a1ad9ff2"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Vmsplice.yar#L81-L99"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_5b9a7ffcd6fc6893a8224fd2b9ca59f4cff6086669a73190114db510a1ad9ff2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100434,10 +100631,10 @@ rule ELASTIC_Multi_Trojan_Sparkrat_9A21E541 : FILE MEMORY
 date = "2023-11-13"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_SparkRat.yar#L1-L21"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_SparkRat.yar#L1-L21"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "23efecc03506a9428175546a4b7d40c8a943c252110e83dec132c6a5db8c4dd6"
- logic_hash = "903c5c65436bea8dd044fd5f1f6dda3d1e90ab25802d508f67ba0f7fd06e92d4"
+ logic_hash = "v1_sha256_903c5c65436bea8dd044fd5f1f6dda3d1e90ab25802d508f67ba0f7fd06e92d4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100465,10 +100662,10 @@ rule ELASTIC_Linux_Trojan_Rbot_C69475E3 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rbot.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rbot.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9d97c69b65d2900c39ca012fe0486e6a6abceebb890cbb6d2e091bb90f6b9690"
- logic_hash = "2a8629ebf6e2082ce90f1b2130ae596e4e515f3289a25899f2fc57b99c01a654"
+ logic_hash = "v1_sha256_2a8629ebf6e2082ce90f1b2130ae596e4e515f3289a25899f2fc57b99c01a654"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100494,10 +100691,10 @@ rule ELASTIC_Linux_Trojan_Rbot_96625C8C : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rbot.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rbot.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a052cfad3034d851c6fad62cc8f9c65bceedc73f3e6a37c9befe52720fd0890e"
- logic_hash = "5a9671e10e7b9b58ecf9fab231de18b4b6039c9d351b145fae1705297acda95e"
+ logic_hash = "v1_sha256_5a9671e10e7b9b58ecf9fab231de18b4b6039c9d351b145fae1705297acda95e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100523,10 +100720,10 @@ rule ELASTIC_Linux_Trojan_Rbot_366F1599 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rbot.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rbot.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5553d154a0e02e7f97415299eeae78e5bb0ecfbf5454e3933d6fd9675d78b3eb"
- logic_hash = "3efe0f35efd855b415149513e8abb2210a26ef6f3b6c31275c8147fabb634fab"
+ logic_hash = "v1_sha256_3efe0f35efd855b415149513e8abb2210a26ef6f3b6c31275c8147fabb634fab"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100552,10 +100749,10 @@ rule ELASTIC_Linux_Exploit_Ramen_01B205Eb : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Ramen.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Ramen.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c0b6303300f38013840abe17abe192db6a99ace78c83bc7ef705f5c568bc98fd"
- logic_hash = "e477e93434db9e650f159995f2cb754394f3187dc341d2ea4c2466924e19a8a6"
+ logic_hash = "v1_sha256_e477e93434db9e650f159995f2cb754394f3187dc341d2ea4c2466924e19a8a6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100581,10 +100778,10 @@ rule ELASTIC_Linux_Rootkit_Adore_Fe3Fd09F : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Adore.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Adore.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f4e532b840e279daf3d206e9214a1b065f97deb7c1487a34ac5cbd7cbbf33e1a"
- logic_hash = "cc07efb9484562cd870649a38126f08aa4e99ed5ad4662ece0488d9ffd97520e"
+ logic_hash = "v1_sha256_cc07efb9484562cd870649a38126f08aa4e99ed5ad4662ece0488d9ffd97520e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100610,10 +100807,10 @@ rule ELASTIC_Windows_Hacktool_Leigod_89397Ebf : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_LeiGod.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_LeiGod.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3"
- logic_hash = "e887c34c624a182a3c57a55abe02784c4350d3956bcfd9f7918f08a464819e63"
+ logic_hash = "v1_sha256_e887c34c624a182a3c57a55abe02784c4350d3956bcfd9f7918f08a464819e63"
 score = 75
 quality = 75
 tags = "FILE"
@@ -100628,7 +100825,7 @@ rule ELASTIC_Windows_Hacktool_Leigod_89397Ebf : FILE
 $str1 = "\\Device\\CtrlLeiGod" wide fullword
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 
 rule ELASTIC_Windows_Hacktool_Leigod_3F5C98C4 : FILE
 {
@@ -100639,10 +100836,10 @@ rule ELASTIC_Windows_Hacktool_Leigod_3F5C98C4 : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_LeiGod.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_LeiGod.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5"
- logic_hash = "7570bf1a69df6b493bde41c1de27969e36a3fcb59be574ee2e24e3a61347a146"
+ logic_hash = "v1_sha256_7570bf1a69df6b493bde41c1de27969e36a3fcb59be574ee2e24e3a61347a146"
 score = 75
 quality = 75
 tags = "FILE"
@@ -100657,7 +100854,7 @@ rule ELASTIC_Windows_Hacktool_Leigod_3F5C98C4 : FILE
 $str1 = "\\LgDCatcher.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 
 rule ELASTIC_Windows_Trojan_Buerloader_C8A60F46 : FILE MEMORY
 {
@@ -100668,10 +100865,10 @@ rule ELASTIC_Windows_Trojan_Buerloader_C8A60F46 : FILE MEMORY
 date = "2021-08-16"
 modified = "2021-10-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Buerloader.yar#L1-L24"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Buerloader.yar#L1-L24"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac"
- logic_hash = "d11b117efc10547e77ce8979f8a1d42f34937101e58a0e36228baa37cd30d2aa"
+ logic_hash = "v1_sha256_d11b117efc10547e77ce8979f8a1d42f34937101e58a0e36228baa37cd30d2aa"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -100702,10 +100899,10 @@ rule ELASTIC_Linux_Trojan_Backconnect_C6803B39 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Backconnect.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Backconnect.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a5e6b084cdabe9a4557b5ff8b2313db6c3bb4ba424d107474024030115eeaa0f"
- logic_hash = "02750b2788c2912bba0fc8594f6a12c75ce1f41d1075acf7c920f6e616ab65c7"
+ logic_hash = "v1_sha256_02750b2788c2912bba0fc8594f6a12c75ce1f41d1075acf7c920f6e616ab65c7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100731,10 +100928,10 @@ rule ELASTIC_Windows_Exploit_Ioring_1E4A8F47 : FILE MEMORY
 date = "2024-02-28"
 modified = "2024-03-21"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_IoRing.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_IoRing.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ba2bd270bf3f312dfa3f77f0716edb634c90506c87f82c04aee09445d18738eb"
- logic_hash = "cbbea9a60bde13356ce88cd96aacaa02a3c99f4ae0b48c4ba84b72528a3d6b91"
+ logic_hash = "v1_sha256_cbbea9a60bde13356ce88cd96aacaa02a3c99f4ae0b48c4ba84b72528a3d6b91"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100763,10 +100960,10 @@ rule ELASTIC_Macos_Cryptominer_Xmrig_241780A1 : FILE MEMORY
 date = "2021-09-30"
 modified = "2021-10-25"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Cryptominer_Xmrig.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Cryptominer_Xmrig.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f"
- logic_hash = "9e091f6881a96abdc6592db385eb9026806befdda6bda4489470b4e16e1d4d87"
+ logic_hash = "v1_sha256_9e091f6881a96abdc6592db385eb9026806befdda6bda4489470b4e16e1d4d87"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100795,10 +100992,10 @@ rule ELASTIC_Windows_Trojan_Fabookie_024F8759 : FILE MEMORY
 date = "2023-06-22"
 modified = "2023-07-10"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Fabookie.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Fabookie.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6c6345c6f0a5beadc4616170c87ec8a577de185d53345581e1b00e72af24c13e"
- logic_hash = "9477406b718c6489161cf4636be66c4f72df923b9c5a7ee4069ef6a9552de485"
+ logic_hash = "v1_sha256_9477406b718c6489161cf4636be66c4f72df923b9c5a7ee4069ef6a9552de485"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100825,10 +101022,10 @@ rule ELASTIC_Windows_Trojan_Legionloader_F91120C6 : FILE MEMORY
 date = "2024-06-05"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_LegionLoader.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_LegionLoader.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "45670ffa9b24542ae84e3c9eb5ce609c2bcd29129215a7f37eb74b6211e32b22"
- logic_hash = "760402587a9ca3d3e6602fe57d3346ea6f60ba5c8d3a902bf493233baab597b0"
+ logic_hash = "v1_sha256_760402587a9ca3d3e6602fe57d3346ea6f60ba5c8d3a902bf493233baab597b0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100854,10 +101051,10 @@ rule ELASTIC_Macos_Hacktool_Swiftbelt_Bc62Ede6 : FILE MEMORY
 date = "2021-10-12"
 modified = "2021-10-25"
 reference = "https://www.elastic.co/security-labs/inital-research-of-jokerspy"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Hacktool_Swiftbelt.yar#L1-L44"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Hacktool_Swiftbelt.yar#L1-L44"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1"
- logic_hash = "51481baa6ddb09cf8463d989637319cb26b23fef625cc1a44c96d438c77362ca"
+ logic_hash = "v1_sha256_51481baa6ddb09cf8463d989637319cb26b23fef625cc1a44c96d438c77362ca"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -100907,10 +101104,10 @@ rule ELASTIC_Linux_Backdoor_Generic_Babf9101 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Backdoor_Generic.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Backdoor_Generic.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9ea73d2c2a5f480ae343846e2b6dd791937577cb2b3d8358f5b6ede8f3696b86" - logic_hash = "40084f3bed66c1d4a1cd2ffca99fd6789c8ed2db04031e4d4a4926b41d622355" + logic_hash = "v1_sha256_40084f3bed66c1d4a1cd2ffca99fd6789c8ed2db04031e4d4a4926b41d622355" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -100936,10 +101133,10 @@ rule ELASTIC_Linux_Backdoor_Generic_5776Ae49 : FILE MEMORY date = "2021-04-06" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Backdoor_Generic.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Backdoor_Generic.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e247a5decb5184fd5dee0d209018e402c053f4a950dae23be59b71c082eb910c" - logic_hash = "b606f12c47182d80e07f8715639c3cc73753274bd8833cb9f6380879356a2b12" + logic_hash = "v1_sha256_b606f12c47182d80e07f8715639c3cc73753274bd8833cb9f6380879356a2b12" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -100965,10 +101162,10 @@ rule ELASTIC_Windows_Exploit_Eternalblue_Ead33Bf8 : FILE date = "2021-01-12" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_Eternalblue.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_Eternalblue.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a1340e418c80be58fb6bbb48d4e363de8c6d62ea59730817d5eda6ba17b2c7a7" - logic_hash = "4d0ab8bd7ef5b20e656110ac3c78b08803539387cb4fe1425a284d39c42aa199" + logic_hash = "v1_sha256_4d0ab8bd7ef5b20e656110ac3c78b08803539387cb4fe1425a284d39c42aa199" score = 75 quality = 75 tags = "FILE" 
@@ -100994,10 +101191,10 @@ rule ELASTIC_Macos_Trojan_Aobokeylogger_Bd960F34 : FILE MEMORY date = "2021-10-18" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Aobokeylogger.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Aobokeylogger.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2b50146c20621741642d039f1e3218ff68e5dbfde8bb9edaa0a560ca890f0970" - logic_hash = "f89fbf1d6bf041de0ce32f7920818c34ce0eeb6779bb7fac6f223bbea1c6f6fa" + logic_hash = "v1_sha256_f89fbf1d6bf041de0ce32f7920818c34ce0eeb6779bb7fac6f223bbea1c6f6fa" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -101023,9 +101220,9 @@ rule ELASTIC_Windows_Ransomware_Sodinokibi_83F05Fbe : BETA FILE MEMORY date = "2020-06-18" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Sodinokibi.yar#L1-L34" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c88fc2690deae3700e605b2affb5ecac3d1ffc92435f33209f31897d28715b8c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Sodinokibi.yar#L1-L34" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c88fc2690deae3700e605b2affb5ecac3d1ffc92435f33209f31897d28715b8c" score = 75 quality = 73 tags = "BETA, FILE, MEMORY" 
@@ -101065,9 +101262,9 @@ rule ELASTIC_Windows_Ransomware_Sodinokibi_182B2Cea : BETA FILE MEMORY date = "2020-06-18" modified = "2021-10-04" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Sodinokibi.yar#L36-L62" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "1c23effe5f8b35c5e03ebd5e57664c8937259d464f92dda0a9df344b982e8f8c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Sodinokibi.yar#L36-L62" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_1c23effe5f8b35c5e03ebd5e57664c8937259d464f92dda0a9df344b982e8f8c" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -101089,7 +101286,7 @@ rule ELASTIC_Windows_Ransomware_Sodinokibi_182B2Cea : BETA FILE MEMORY $b6 = ":!:(:/:6:C:\\:m:" ascii fullword condition: - ($a1 and 6 of ($b*)) + ($a1 and 6 of ( $b* ) ) } rule ELASTIC_Windows_Ransomware_Sodinokibi_A282Ba44 : BETA FILE MEMORY { 
@@ -101100,9 +101297,9 @@ rule ELASTIC_Windows_Ransomware_Sodinokibi_A282Ba44 : BETA FILE MEMORY date = "2020-06-18" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Sodinokibi.yar#L64-L91" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "3a583069c9ab851a90f3a61c9c4fa67f8b918b8d168fcf7f25b2a3ae3465c596" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Sodinokibi.yar#L64-L91" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_3a583069c9ab851a90f3a61c9c4fa67f8b918b8d168fcf7f25b2a3ae3465c596" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -101125,7 +101322,7 @@ rule ELASTIC_Windows_Ransomware_Sodinokibi_A282Ba44 : BETA FILE MEMORY $c8 = { 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B } condition: - (6 of ($c*)) + (6 of ( $c* ) ) } rule ELASTIC_Windows_Cryptominer_Generic_Dd1E4D1A : FILE { 
@@ -101136,10 +101333,10 @@ rule ELASTIC_Windows_Cryptominer_Generic_Dd1E4D1A : FILE date = "2021-01-12" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Cryptominer_Generic.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Cryptominer_Generic.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7ac1d7b6107307fb2442522604c8fa56010d931392d606ac74dcea6b7125954b" - logic_hash = "b7289c4688ec67d59e67755461f1f4e0c3f47ef9f8c73fc1dcc1d168baf11623" + logic_hash = "v1_sha256_b7289c4688ec67d59e67755461f1f4e0c3f47ef9f8c73fc1dcc1d168baf11623" score = 75 quality = 75 tags = "FILE" 
@@ -101165,10 +101362,10 @@ rule ELASTIC_Windows_Cryptominer_Generic_F53Cfb9B : FILE MEMORY date = "2024-03-05" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Cryptominer_Generic.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Cryptominer_Generic.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a9870a03ddc6543a5a12d50f95934ff49f26b60921096b2c8f2193cb411ed408" - logic_hash = "b2453862747e251afc34c57e887889b8d3a65a9cc876d4a95ff5ecfcc24e4bd3" + logic_hash = "v1_sha256_b2453862747e251afc34c57e887889b8d3a65a9cc876d4a95ff5ecfcc24e4bd3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101194,10 +101391,10 @@ rule ELASTIC_Windows_Hacktool_EDRWFP_F6D7Db7A : FILE date = "2024-06-10" modified = "2024-07-02" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_EDRWFP.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_EDRWFP.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a1fc2f3ded852f75e36e70ae39087e21ae5b6af10e2038d04e61bd500ba511e2" - logic_hash = "45d427e4f52346b4a18c154bb0afb636c18951fd9c7323846bf2eb7e47928ef6" + logic_hash = "v1_sha256_45d427e4f52346b4a18c154bb0afb636c18951fd9c7323846bf2eb7e47928ef6" score = 75 quality = 75 tags = "FILE" 
@@ -101226,10 +101423,10 @@ rule ELASTIC_Macos_Trojan_Getshell_F339D74C : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Getshell.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Getshell.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b2199c15500728a522c04320aee000938f7eb69d751a55d7e51a2806d8cd0fe7" - logic_hash = "77a409f1a0ab5f87a77a6b2ffa2d4ff7bd6d86c0f685c524e2083585bb3fb764" + logic_hash = "v1_sha256_77a409f1a0ab5f87a77a6b2ffa2d4ff7bd6d86c0f685c524e2083585bb3fb764" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101255,10 +101452,10 @@ rule ELASTIC_Windows_Trojan_Carberp_D6De82Ae : FILE MEMORY date = "2021-02-07" modified = "2021-08-23" reference = "https://github.com/m0n0ph1/malware-1/blob/master/Carberp%20Botnet/source%20-%20absource/pro/all%20source/hvnc_dll/HVNC%20Lib/vnc/xvnc.h#L342" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Carberp.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Carberp.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f98fadb6feab71930bd5c08e85153898d686cc96c84fe349c00bf6d482de9b53" - logic_hash = "085020755c77b299b2bfd18b34af6c68450c29de67b8ae32ddf2b26299b923ae" + logic_hash = "v1_sha256_085020755c77b299b2bfd18b34af6c68450c29de67b8ae32ddf2b26299b923ae" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -101286,10 +101483,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_03C81Bd9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3fc701a2caab0297112501f55eaeb05264c5e4099c411dcadc7095627e19837a" - logic_hash = "dc2dfa128f509221cae8bae9864190e8316bb7a5ae081da1076081b5f4fdc870" + logic_hash = "v1_sha256_dc2dfa128f509221cae8bae9864190e8316bb7a5ae081da1076081b5f4fdc870" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101315,10 +101512,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_757637D9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0762fa4e0d74e3c21b2afc8e4c28e2292d1c3de3683c46b5b77f0f9fe1faeec7" - logic_hash = "b1f1784aae5958740d03ca50d0b9731e8db7d86d918d16e82cf6fc1e1bf663a9" + logic_hash = "v1_sha256_b1f1784aae5958740d03ca50d0b9731e8db7d86d918d16e82cf6fc1e1bf663a9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101344,10 +101541,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_78543893 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ff5b02d2b4dfa9c3d53e7218533f3c57e82315be8f62aa17e26eda55a3b53479" - logic_hash = "4bb6a6e063fd00569b04f4514ec1731357aa8e8ce4cfee354fdd86773a4358da" + logic_hash = "v1_sha256_4bb6a6e063fd00569b04f4514ec1731357aa8e8ce4cfee354fdd86773a4358da" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101373,10 +101570,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_4F8D83D2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d78128eca706557eeab8a454cf875362a097459347ddc32118f71bd6c73d5bbd" - logic_hash = "6fee488d97fe1d4be558b6886c603010c6d1423a750783b38a65d2fb3eeb76f4" + logic_hash = "v1_sha256_6fee488d97fe1d4be558b6886c603010c6d1423a750783b38a65d2fb3eeb76f4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101402,10 +101599,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_F4Afd230 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "805e900ffc9edb9f550dcbc938a3b06d28e9e7d3fb604ff68a311a0accbcd2b1" - logic_hash = "9aba4ebbf946f07071bfb94fa50c6981ae8c659aca9ee6e05c7ef214432d7466" + logic_hash = "v1_sha256_9aba4ebbf946f07071bfb94fa50c6981ae8c659aca9ee6e05c7ef214432d7466" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101431,10 +101628,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_Bb384Bc9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ecc6635117b99419255af5d292a7af3887b06d5f3b0f59d158281eebfe606445" - logic_hash = "1e9faba4f245d8b0d6944430286a5fc3e11cd7e036a4151b29fc2c5f037894fb" + logic_hash = "v1_sha256_1e9faba4f245d8b0d6944430286a5fc3e11cd7e036a4151b29fc2c5f037894fb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101460,10 +101657,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_B293F6Ec : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d1fa8520d3c3811d29c3d5702e7e0e7296b3faef0553835c495223a2bc015214" - logic_hash = "0e310082714f5283f9b4ccde5a8e17994e3bc4acf3d744b22734c136dde7cebb" + logic_hash = "v1_sha256_0e310082714f5283f9b4ccde5a8e17994e3bc4acf3d744b22734c136dde7cebb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101489,10 +101686,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_C5983669 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L141-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L141-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d08be92a484991afae3567256b6cec60a53400e0e9b6f6b4d5c416a22ccca1cf" - logic_hash = "ff673070969f1ededf8ff2c7cadfc251c7d2e52da58906b15cfc04593a755d55" + logic_hash = "v1_sha256_ff673070969f1ededf8ff2c7cadfc251c7d2e52da58906b15cfc04593a755d55" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101518,10 +101715,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_Fbff22Da : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L161-L179" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L161-L179" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0762fa4e0d74e3c21b2afc8e4c28e2292d1c3de3683c46b5b77f0f9fe1faeec7" - logic_hash = "d3e3037593f5714dfb49c6e19631fd46331e2702c8bf6d6099bb5b34158321a9" + logic_hash = "v1_sha256_d3e3037593f5714dfb49c6e19631fd46331e2702c8bf6d6099bb5b34158321a9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101547,10 +101744,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_E2D5Fad8 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L181-L199" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L181-L199" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7e54e57db3de32555c15e529c04b35f52d75af630e45b5f8d6c21149866b6929" - logic_hash = "b294ce1c4d928d73342bb6260456d850f9c59f3c48c7c4ffbce32ea9238f6eee" + logic_hash = "v1_sha256_b294ce1c4d928d73342bb6260456d850f9c59f3c48c7c4ffbce32ea9238f6eee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101576,10 +101773,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_F2F8Eb6B : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L201-L219" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L201-L219" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01721b9c024ca943f42c402a57f45bd4c77203a604c5c2cd26e5670df76a95b2" - logic_hash = "b6555e69b663591550976fd44352ecbdf0a0aef1e07a64396a576125a4fe4ba6" + logic_hash = "v1_sha256_b6555e69b663591550976fd44352ecbdf0a0aef1e07a64396a576125a4fe4ba6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101605,10 +101802,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_89671B03 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L241-L259" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L241-L259" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "001098473574cfac1edaca9f1180ab2005569e094be63186c45b48c18f880cf8" - logic_hash = "dfa7027c4fa0cbde33df87063fea4ecf51a085f3cc1805123c62747882d0a07e" + logic_hash = "v1_sha256_dfa7027c4fa0cbde33df87063fea4ecf51a085f3cc1805123c62747882d0a07e" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -101634,10 +101831,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_Dbc73Db0 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L261-L279" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L261-L279" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9fe78e4dd7975856a74d8dfd83e69793a769143e0fe6994cbc3ef28ea37d6cf8" - logic_hash = "4a7453342fd72dacb781919d3fac3bab02e7ef7c882d5938a2e0e1274c704705" + logic_hash = "v1_sha256_4a7453342fd72dacb781919d3fac3bab02e7ef7c882d5938a2e0e1274c704705" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -101663,10 +101860,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_Ec339160 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L281-L299" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L281-L299" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0002b469972f5c77a29e2a2719186059a3e96a6f4b1ef2d18a68fee3205ea0ba" - logic_hash = "9c1d1254093b172798024c42a6d78f5e6720d20b8c2a8ad4ca26c8e88e42f0e8" + logic_hash = "v1_sha256_9c1d1254093b172798024c42a6d78f5e6720d20b8c2a8ad4ca26c8e88e42f0e8" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -101692,10 +101889,10 @@ rule ELASTIC_Linux_Exploit_Lotoor_7Cd57E18 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Lotoor.yar#L301-L319" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Lotoor.yar#L301-L319" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1eecf16dae302ae788d1bc81278139cd9f6af52d7bed48b8677b35ba5eb14e30" - logic_hash = "97604cdc9daa9993b9a18dc5df7ab105a5e6001129bcfcfeeb86640bee26f59d" + logic_hash = "v1_sha256_97604cdc9daa9993b9a18dc5df7ab105a5e6001129bcfcfeeb86640bee26f59d" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -101721,10 +101918,10 @@ rule ELASTIC_Windows_Trojan_Danabot_6F3Dadb2 : FILE MEMORY date = "2021-08-15" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Danabot.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Danabot.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "716e5a3d29ff525aed30c18061daff4b496f3f828ba2ac763efd857062a42e96" - logic_hash = "b9c895be9eab775726abd2c13256d598c5b79bceb2d652c30b1df4cfc37e4b93" + logic_hash = "v1_sha256_b9c895be9eab775726abd2c13256d598c5b79bceb2d652c30b1df4cfc37e4b93" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -101757,10 +101954,10 @@ rule ELASTIC_Linux_Rootkit_Kovid_B77Dc7F4 : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Kovid.yar#L1-L47" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Kovid.yar#L1-L47" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "933273ff95a57dfe0162175dc6143395e23c69e36d8ca366481b795deaab4fd0" - logic_hash = "090c92e108f78a6d7ba9d0ed796c32226f253b81cf0ad8a138736d073761856c" + logic_hash = "v1_sha256_090c92e108f78a6d7ba9d0ed796c32226f253b81cf0ad8a138736d073761856c" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -101803,7 +102000,7 @@ rule ELASTIC_Linux_Rootkit_Kovid_B77Dc7F4 : FILE MEMORY $func9 = "kv_util_random_AZ_string" condition: - 4 of ($str*) or 4 of ($func*) + 4 of ( $str* ) or 4 of ( $func* ) } rule ELASTIC_Windows_Ransomware_Generic_99F5A632 : FILE MEMORY { 
@@ -101814,10 +102011,10 @@ rule ELASTIC_Windows_Ransomware_Generic_99F5A632 : FILE MEMORY date = "2022-02-24" modified = "2022-02-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Generic.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Generic.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382" - logic_hash = "2284cfc91d17816f1733e8fe319af52bc66af467364d27f84e213082c216ae8b" + logic_hash = "v1_sha256_2284cfc91d17816f1733e8fe319af52bc66af467364d27f84e213082c216ae8b" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -101846,10 +102043,10 @@ rule ELASTIC_Windows_Vulndriver_Sandra_5D112Feb : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Sandra.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Sandra.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de" - logic_hash = "d234a1e74234400f51c2aa7a9fb1549be1bc422bdf585db7d2ec9ad1ec75e490" + logic_hash = "v1_sha256_d234a1e74234400f51c2aa7a9fb1549be1bc422bdf585db7d2ec9ad1ec75e490" score = 75 quality = 75 tags = "FILE" @@ -101866,7 +102063,7 @@ rule ELASTIC_Windows_Vulndriver_Sandra_5D112Feb : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x0c][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x09][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x0b][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Vulndriver_Sandra_612A7A16 : FILE { 
@@ -101877,9 +102074,9 @@ rule ELASTIC_Windows_Vulndriver_Sandra_612A7A16 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Sandra.yar#L23-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8fda0e1775d903b73836d4103f6e8b0e2f052026b3acdb07bd345b9ddb3c873a" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Sandra.yar#L23-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8fda0e1775d903b73836d4103f6e8b0e2f052026b3acdb07bd345b9ddb3c873a" score = 75 quality = 75 tags = "FILE" @@ -101896,7 +102093,7 @@ rule ELASTIC_Windows_Vulndriver_Sandra_612A7A16 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x0c][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x09][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x0b][\x00-\x00])([\x00-\x0a][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Trojan_Agenttesla_D3Ac2B2F : FILE MEMORY { 
@@ -101907,10 +102104,10 @@ rule ELASTIC_Windows_Trojan_Agenttesla_D3Ac2B2F : FILE MEMORY date = "2021-03-22" modified = "2022-06-20" reference = "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_AgentTesla.yar#L1-L58" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_AgentTesla.yar#L1-L58" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4" - logic_hash = "9c13a99107593d476de1522ced10aa43d34535b844e8c3ae871b22358137c926" + logic_hash = "v1_sha256_9c13a99107593d476de1522ced10aa43d34535b844e8c3ae871b22358137c926" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -101963,7 +102160,7 @@ rule ELASTIC_Windows_Trojan_Agenttesla_D3Ac2B2F : FILE MEMORY $a39 = "get_DefaultCredentials" ascii fullword condition: - 8 of ($a*) + 8 of ( $a* ) } rule ELASTIC_Windows_Trojan_Agenttesla_E577E17E : FILE MEMORY { 
@@ -101974,10 +102171,10 @@ rule ELASTIC_Windows_Trojan_Agenttesla_E577E17E : FILE MEMORY date = "2022-03-11" modified = "2022-04-12" reference = "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_AgentTesla.yar#L60-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_AgentTesla.yar#L60-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6" - logic_hash = "84c5f1096735cee0f0f4ad41a81286c0a60dc17c276f23568b855271d996c8a2" + logic_hash = "v1_sha256_84c5f1096735cee0f0f4ad41a81286c0a60dc17c276f23568b855271d996c8a2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102003,10 +102200,10 @@ rule ELASTIC_Windows_Trojan_Agenttesla_F2A90D14 : FILE MEMORY date = "2022-03-11" modified = "2022-04-12" reference = "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_AgentTesla.yar#L81-L100" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_AgentTesla.yar#L81-L100" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6" - logic_hash = "3f39b773f2b1524b05d3c1d9aa1fb54594ec9003d2e9da342b6d17ba885f5a03" + logic_hash = "v1_sha256_3f39b773f2b1524b05d3c1d9aa1fb54594ec9003d2e9da342b6d17ba885f5a03" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102032,10 +102229,10 @@ rule ELASTIC_Windows_Trojan_Agenttesla_A2D69E48 : FILE MEMORY date = "2023-05-01" modified = "2023-06-13" reference = "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_AgentTesla.yar#L102-L122" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_AgentTesla.yar#L102-L122" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "edef51e59d10993155104d90fcd80175daa5ade63fec260e3272f17b237a6f44" - logic_hash = "1f90be86b7afa7f518a3dcec55028bfc915cf6d4fed1350a56e351946cc55f41" + logic_hash = "v1_sha256_1f90be86b7afa7f518a3dcec55028bfc915cf6d4fed1350a56e351946cc55f41" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102062,10 +102259,10 @@ rule ELASTIC_Windows_Trojan_Agenttesla_Ebf431A8 : FILE MEMORY date = "2023-12-01" modified = "2024-01-12" reference = "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_AgentTesla.yar#L124-L148" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_AgentTesla.yar#L124-L148" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0cb3051a80a0515ce715b71fdf64abebfb8c71b9814903cb9abcf16c0403f62b" - logic_hash = "b02d6e2d68b336aaa37336e0c0c3ffa6c7a126bfcdb6cb6ad5a3432004c6030c" + logic_hash = "v1_sha256_b02d6e2d68b336aaa37336e0c0c3ffa6c7a126bfcdb6cb6ad5a3432004c6030c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102096,9 +102293,9 @@ rule ELASTIC_Windows_Ransomware_Dharma_Aa5Eefed : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Dharma.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "bbafc2eac17562f315b09fa42eb601d0140152917d7962429df3a378abe67732" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Dharma.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_bbafc2eac17562f315b09fa42eb601d0140152917d7962429df3a378abe67732" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -102115,7 +102312,7 @@ rule ELASTIC_Windows_Ransomware_Dharma_Aa5Eefed : BETA FILE MEMORY $c2 = { 21 0C 7D 01 02 04 08 10 20 40 80 1B 36 6C D8 AB 4D 9A 2F 5E BC 63 C6 97 35 6A D4 B3 7D FA EF C5 91 00 00 A5 63 63 C6 84 7C 7C F8 99 77 77 EE 8D 7B 7B F6 0D F2 F2 FF BD 6B 6B D6 B1 6F 6F DE 54 C5 C5 91 50 30 30 60 03 01 01 02 A9 67 67 CE 7D 2B 2B 56 } condition: - 1 of ($c*) + 1 of ( $c* ) } rule ELASTIC_Windows_Ransomware_Dharma_B31Cac3F : BETA FILE MEMORY { 
@@ -102126,9 +102323,9 @@ rule ELASTIC_Windows_Ransomware_Dharma_B31Cac3F : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Dharma.yar#L23-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "30500e35721e9db3d63cafa5ca10818557fa9f4e0bda9c0d02283183508cf7b5" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Dharma.yar#L23-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_30500e35721e9db3d63cafa5ca10818557fa9f4e0bda9c0d02283183508cf7b5" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -102146,7 +102343,7 @@ rule ELASTIC_Windows_Ransomware_Dharma_B31Cac3F : BETA FILE MEMORY $b3 = "RSDS%~m" ascii fullword condition: - 3 of ($b*) + 3 of ( $b* ) } rule ELASTIC_Windows_Ransomware_Dharma_E9319E4A : BETA FILE MEMORY { 
@@ -102157,9 +102354,9 @@ rule ELASTIC_Windows_Ransomware_Dharma_E9319E4A : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Dharma.yar#L46-L65" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "182ed508d645a0b1fab80fb6f975a05d33b64c43005bd3656df6470934cd71f4" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Dharma.yar#L46-L65" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_182ed508d645a0b1fab80fb6f975a05d33b64c43005bd3656df6470934cd71f4" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -102175,7 +102372,7 @@ rule ELASTIC_Windows_Ransomware_Dharma_E9319E4A : BETA FILE MEMORY $d = { 08 8B 51 24 8B 45 08 8B 48 18 0F B7 14 51 85 D2 74 47 8B 45 08 8B } condition: - 1 of ($d*) + 1 of ( $d* ) } rule ELASTIC_Windows_Ransomware_Dharma_942142E3 : BETA FILE MEMORY { 
@@ -102186,9 +102383,9 @@ rule ELASTIC_Windows_Ransomware_Dharma_942142E3 : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Dharma.yar#L67-L86" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "af5068ef3442964e4d1c5e27090fb84eaf762ff23463b7a0c2902e523ae601c1" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Dharma.yar#L67-L86" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_af5068ef3442964e4d1c5e27090fb84eaf762ff23463b7a0c2902e523ae601c1" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -102204,7 +102401,7 @@ rule ELASTIC_Windows_Ransomware_Dharma_942142E3 : BETA FILE MEMORY $a1 = "C:\\crysis\\Release\\PDB\\payload.pdb" ascii fullword condition: - 1 of ($a*) + 1 of ( $a* ) } rule ELASTIC_Linux_Exploit_CVE_2017_16995_0C81A317 : FILE MEMORY CVE_2017_16995 { 
@@ -102215,10 +102412,10 @@ rule ELASTIC_Linux_Exploit_CVE_2017_16995_0C81A317 : FILE MEMORY CVE_2017_16995 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "48d927b4b18a03dfbce54bb5f4518869773737e449301ba2477eb797afbb9972" - logic_hash = "cdd6b309a1e802f1251d726b0ea74e3d11fdd10d1d0bfa4c6f3d802f819368ec" + logic_hash = "v1_sha256_cdd6b309a1e802f1251d726b0ea74e3d11fdd10d1d0bfa4c6f3d802f819368ec" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2017-16995" 
@@ -102244,10 +102441,10 @@ rule ELASTIC_Linux_Exploit_CVE_2017_16995_82816Caa : FILE MEMORY CVE_2017_16995 date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "14e6b788db0db57067d9885ab5ff3d3a5749639549d82abd98fa4fcf27000f34" - logic_hash = "3ae00290073d41ff5dba2f677510bf9a9c0ebaed221901eb8b1a8dda08157a46" + logic_hash = "v1_sha256_3ae00290073d41ff5dba2f677510bf9a9c0ebaed221901eb8b1a8dda08157a46" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2017-16995" 
@@ -102273,10 +102470,10 @@ rule ELASTIC_Linux_Exploit_CVE_2017_16995_5Edb0181 : FILE MEMORY CVE_2017_16995 date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e4df84e1dffbad217d07222314a7e13fd74771a9111d07adc467a89d8ba81127" - logic_hash = "f6eb19329db765938b48021039baaf1b5aeb3240c405ba20ed81863a0fb4b583" + logic_hash = "v1_sha256_f6eb19329db765938b48021039baaf1b5aeb3240c405ba20ed81863a0fb4b583" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2017-16995" 
@@ -102302,10 +102499,10 @@ rule ELASTIC_Macos_Backdoor_Kagent_64Ca1865 : FILE MEMORY date = "2021-11-11" modified = "2022-07-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Backdoor_Kagent.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Backdoor_Kagent.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4" - logic_hash = "dea0a1bbe8c3065b395de50b5ffc2fbdf479ed35ce284fa33298d6ed55e960c6" + logic_hash = "v1_sha256_dea0a1bbe8c3065b395de50b5ffc2fbdf479ed35ce284fa33298d6ed55e960c6" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -102337,10 +102534,10 @@ rule ELASTIC_Windows_Wiper_Isaacwiper_239Cd2Dc : FILE MEMORY date = "2022-03-04" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Wiper_IsaacWiper.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Wiper_IsaacWiper.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" - logic_hash = "102ffe215b1e1c39e1225cb39dfeb10a20a08c5b10f836490fc1501c6eb9e930" + logic_hash = "v1_sha256_102ffe215b1e1c39e1225cb39dfeb10a20a08c5b10f836490fc1501c6eb9e930" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102371,10 +102568,10 @@ rule ELASTIC_Windows_Trojan_Sliver_46525B49 : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Sliver.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Sliver.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ecce5071c28940a1098aca3124b3f82e0630c4453f4f32e1b91576aac357ac9c" - logic_hash = "6e61d82b191a740882bcfeac2f2cf337e19ace7b05784ff041b6af2f79ed8809" + logic_hash = "v1_sha256_6e61d82b191a740882bcfeac2f2cf337e19ace7b05784ff041b6af2f79ed8809" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102401,10 +102598,10 @@ rule ELASTIC_Windows_Trojan_Sliver_C9Cae357 : FILE MEMORY date = "2023-05-10" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Sliver.yar#L22-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Sliver.yar#L22-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "27210d8d6e16c492c2ee61a59d39c461312f5563221ad4a0917d4e93b699418e" - logic_hash = "fea862352981787055961b1171de9b69a9c13d246f434809c8f4416d5c49a0ff" + logic_hash = "v1_sha256_fea862352981787055961b1171de9b69a9c13d246f434809c8f4416d5c49a0ff" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102430,10 +102627,10 @@ rule ELASTIC_Windows_Trojan_Sliver_1Dd6D9C2 : FILE MEMORY date = "2023-05-10" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Sliver.yar#L42-L61" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Sliver.yar#L42-L61" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dc508a3e9ea093200acfc1ceebebb2b56686f4764fd8c94ab8c58eec7ee85c8b" - logic_hash = "5ef70322a6ee3dec609d2881b7624d25bc0297a2e6f43ac60834745e6a258cf3" + logic_hash = "v1_sha256_5ef70322a6ee3dec609d2881b7624d25bc0297a2e6f43ac60834745e6a258cf3" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -102460,10 +102657,10 @@ rule ELASTIC_Linux_Rootkit_Suterusu_94667Bf2 : FILE MEMORY date = "2024-11-14" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Suterusu.yar#L1-L60" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Suterusu.yar#L1-L60" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "753fd579a684e09a70ae0fd147441c45d24a5acae94a78a92e393058c3b69506" - logic_hash = "a02e2d05bc3bee902829087e21dcc7ed19320336c7d66d3938b0b9fd4c298bcb" + logic_hash = "v1_sha256_a02e2d05bc3bee902829087e21dcc7ed19320336c7d66d3938b0b9fd4c298bcb" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -102519,7 +102716,7 @@ rule ELASTIC_Linux_Rootkit_Suterusu_94667Bf2 : FILE MEMORY $menu12 = "Unhide file/directory named [ARG]" condition: - 4 of ($str*) or 6 of ($func*) or 4 of ($menu*) + 4 of ( $str* ) or 6 of ( $func* ) or 4 of ( $menu* ) } rule ELASTIC_Windows_Infostealer_Generic_Acde9261 : FILE MEMORY { 
@@ -102530,10 +102727,10 @@ rule ELASTIC_Windows_Infostealer_Generic_Acde9261 : FILE MEMORY date = "2024-10-21" modified = "2024-10-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Infostealer_Generic.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Infostealer_Generic.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b46239c47a835757bba49078728f693b7273b0e3755e2968deac4aa92e90364d" - logic_hash = "86897117295bdcf79fad9f2ad939fabe89e3770309122ba142c7a26c926148c5" + logic_hash = "v1_sha256_86897117295bdcf79fad9f2ad939fabe89e3770309122ba142c7a26c926148c5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102563,10 +102760,10 @@ rule ELASTIC_Linux_Cryptominer_Uwamson_C42Fd06D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Uwamson.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Uwamson.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8cfc38db2b860efcce5da40ce1e3992f467ab0b7491639d68d530b79529cda80" - logic_hash = "4ff7aad11adaae8fccb23d36fc96937ba48a5517895a742f2864ba1973f3db3a" + logic_hash = "v1_sha256_4ff7aad11adaae8fccb23d36fc96937ba48a5517895a742f2864ba1973f3db3a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102592,10 +102789,10 @@ rule ELASTIC_Linux_Cryptominer_Uwamson_D08B1D2E : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Uwamson.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Uwamson.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4f7ad24b53b8e255710e4080d55f797564aa8c270bf100129bdbe52a29906b78" - logic_hash = "8f489bb020397beae91f7bce82bc1b47912deab1b79224158f79c53f1d7c7fd3" + logic_hash = "v1_sha256_8f489bb020397beae91f7bce82bc1b47912deab1b79224158f79c53f1d7c7fd3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102621,10 +102818,10 @@ rule ELASTIC_Linux_Cryptominer_Uwamson_0797De34 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Uwamson.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Uwamson.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e4699e35ce8091f97decbeebff63d7fa8c868172a79f9d9d52b6778c3faab8f2" - logic_hash = "7ab5dd99d8bbef61ec764900df5bebf39ed90833a8f9481c427cbb46faf2c521" + logic_hash = "v1_sha256_7ab5dd99d8bbef61ec764900df5bebf39ed90833a8f9481c427cbb46faf2c521" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102650,10 +102847,10 @@ rule ELASTIC_Linux_Cryptominer_Uwamson_41E36585 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Uwamson.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Uwamson.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8cfc38db2b860efcce5da40ce1e3992f467ab0b7491639d68d530b79529cda80" - logic_hash = "e176523afe8c3394ddda41a5ef11f825fed1e149476709a7c1ea26b8af72d4fc" + logic_hash = "v1_sha256_e176523afe8c3394ddda41a5ef11f825fed1e149476709a7c1ea26b8af72d4fc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102679,10 +102876,10 @@ rule ELASTIC_Windows_Hacktool_Chromekatz_Fa232Bba : FILE MEMORY date = "2024-03-27" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_ChromeKatz.yar#L1-L28" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_ChromeKatz.yar#L1-L28" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3f6922049422df14f1a1777001fea54b18fbfb0a4b03c4ee27786bfbc3b8ab87" - logic_hash = "c86291fadd51845cbd7428b159e401d78ac77090e14e34d06bf7bf2018f4502a" + logic_hash = "v1_sha256_c86291fadd51845cbd7428b159e401d78ac77090e14e34d06bf7bf2018f4502a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102717,10 +102914,10 @@ rule ELASTIC_Linux_Cryptominer_Minertr_9901E275 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Minertr.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Minertr.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f77246a93782fd8ee40f12659f41fccc5012a429a8600f332c67a7c2669e4e8f" - logic_hash = "a18e0763fe9aec6d89b39cefb872b1751727e2d88ec4733b9c8b443b83219763" + logic_hash = "v1_sha256_a18e0763fe9aec6d89b39cefb872b1751727e2d88ec4733b9c8b443b83219763" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102746,10 +102943,10 @@ rule ELASTIC_Windows_Trojan_Poshc2_E2D3881E : FILE MEMORY date = "2023-03-29" modified = "2023-04-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PoshC2.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PoshC2.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7a718a4f74656346bd9a2e29e008705fc2b1c4d167a52bd4f6ff10b3f2cd9395" - logic_hash = "4f3e2a9f22826a155a3007193a0f75a5fde6e423734a60f30628ea3bb33d3457" + logic_hash = "v1_sha256_4f3e2a9f22826a155a3007193a0f75a5fde6e423734a60f30628ea3bb33d3457" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -102771,7 +102968,7 @@ rule ELASTIC_Windows_Trojan_Poshc2_E2D3881E : FILE MEMORY $b4 = "TVqQAAMAAAAEAAAA" condition: - 1 of ($a*) and 1 of ($b*) + 1 of ( $a* ) and 1 of ( $b* ) } rule ELASTIC_Windows_Ransomware_Crytox_29859242 : FILE MEMORY { 
@@ -102782,10 +102979,10 @@ rule ELASTIC_Windows_Ransomware_Crytox_29859242 : FILE MEMORY date = "2024-01-18" modified = "2024-02-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Crytox.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Crytox.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "55a27cb6280f31c077987d338151b13e9dc0cc1c14d47a32e64de6d6c1a6a742" - logic_hash = "47ca96e14b2b56bc6ef1ed22b42adac7aa557170632c2dc085fae3baf6198f40" + logic_hash = "v1_sha256_47ca96e14b2b56bc6ef1ed22b42adac7aa557170632c2dc085fae3baf6198f40" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102811,10 +103008,10 @@ rule ELASTIC_Linux_Rootkit_Jynx_C470Eaff : FILE MEMORY date = "2024-11-14" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Jynx.yar#L1-L29" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Jynx.yar#L1-L29" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "79c2ae1a95b44f3df42d669cb44db606d2088c5c393e7de5af875f255865ecb4" - logic_hash = "02d1ec1670089a3d9743e57a8dd504f57cea897eca0f896c129fd4f30f24e700" + logic_hash = "v1_sha256_02d1ec1670089a3d9743e57a8dd504f57cea897eca0f896c129fd4f30f24e700" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -102839,7 +103036,7 @@ rule ELASTIC_Linux_Rootkit_Jynx_C470Eaff : FILE MEMORY $hook11 = "forge_proc_cpu" condition: - 4 of ($hook*) + 4 of ( $hook* ) } rule ELASTIC_Windows_Hacktool_Sharpview_2C7603Ad : FILE MEMORY { 
@@ -102850,10 +103047,10 @@ rule ELASTIC_Windows_Hacktool_Sharpview_2C7603Ad : FILE MEMORY date = "2022-10-20" modified = "2022-11-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpView.yar#L1-L34" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpView.yar#L1-L34" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93" - logic_hash = "1f80b2fd6121c2b36742c819a56626af2e1450dac0f62c67d93f09e4e140b75f" + logic_hash = "v1_sha256_1f80b2fd6121c2b36742c819a56626af2e1450dac0f62c67d93f09e4e140b75f" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -102883,7 +103080,7 @@ rule ELASTIC_Windows_Hacktool_Sharpview_2C7603Ad : FILE MEMORY $str9 = "^S-1-5-.*-[1-9]\\d{3,}$" ascii wide condition: - $guid or ( all of ($str*) and 1 of ($print_str*)) + $guid or ( all of ( $str* ) and 1 of ( $print_str* ) ) } rule ELASTIC_Windows_Trojan_Microbackdoor_903E33C3 : FILE MEMORY { 
@@ -102894,10 +103091,10 @@ rule ELASTIC_Windows_Trojan_Microbackdoor_903E33C3 : FILE MEMORY date = "2022-03-07" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_MicroBackdoor.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_MicroBackdoor.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21" - logic_hash = "5f96f68df442eb1da21d87c3ae954c4e36cf87db583cbef1775f8ca9e76b776e" + logic_hash = "v1_sha256_5f96f68df442eb1da21d87c3ae954c4e36cf87db583cbef1775f8ca9e76b776e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102923,10 +103120,10 @@ rule ELASTIC_Windows_Trojan_Microbackdoor_46F2E5Fd : FILE MEMORY date = "2022-03-07" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_MicroBackdoor.yar#L21-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_MicroBackdoor.yar#L21-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21" - logic_hash = "580be4c5b058916c2bc67a7964522a7c369bb254394e3cedbf0da025105231c4" + logic_hash = "v1_sha256_580be4c5b058916c2bc67a7964522a7c369bb254394e3cedbf0da025105231c4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102957,10 +103154,10 @@ rule ELASTIC_Linux_Hacktool_Tcpscan_334D0Ca5 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Tcpscan.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Tcpscan.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "62de04185c2e3c22af349479a68ad53c31b3874794e7c4f0f33e8d125c37f6b0" - logic_hash = "94ee723c660294e35caec5a2b66eeea64896265cfebc839ed3f55cf8f8c67d7e" + logic_hash = "v1_sha256_94ee723c660294e35caec5a2b66eeea64896265cfebc839ed3f55cf8f8c67d7e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -102986,10 +103183,10 @@ rule ELASTIC_Linux_Trojan_Lady_75F6392C : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Lady.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Lady.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c257ac7bd3a9639e0d67a7db603d5bc8d8505f6f2107a26c2615c5838cf11826" - logic_hash = "5160b6ab4800c72b48b501787f3164c2ba1061a2abe21c63180e02d6791a4c12" + logic_hash = "v1_sha256_5160b6ab4800c72b48b501787f3164c2ba1061a2abe21c63180e02d6791a4c12" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103015,9 +103212,9 @@ rule ELASTIC_Linux_Trojan_Meterpreter_A82F5D21 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Meterpreter.yar#L1-L18" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d76886222de7292e8a76717f6d49452f52aaffb957bb0326bcfc7a35c3fdfc6a" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Meterpreter.yar#L1-L18" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d76886222de7292e8a76717f6d49452f52aaffb957bb0326bcfc7a35c3fdfc6a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103043,10 +103240,10 @@ rule ELASTIC_Linux_Trojan_Meterpreter_383C6708 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Meterpreter.yar#L20-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Meterpreter.yar#L20-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d9d607f0bbc101f7f6dc0f16328bdd8f6ddb8ae83107b7eee34e1cc02072cb15" - logic_hash = "b0fd479722ab0808a4709cbacbb874282c48a425f4dbdaec9f74bc7f839c82e4" + logic_hash = "v1_sha256_b0fd479722ab0808a4709cbacbb874282c48a425f4dbdaec9f74bc7f839c82e4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103072,9 +103269,9 @@ rule ELASTIC_Linux_Trojan_Meterpreter_621054Fe : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Meterpreter.yar#L40-L57" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "18f22bb0aa66ec2ecdaa9ca0e0d00ee59a2c9a3f231bd71915140e4464a4ea78" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Meterpreter.yar#L40-L57" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_18f22bb0aa66ec2ecdaa9ca0e0d00ee59a2c9a3f231bd71915140e4464a4ea78" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -103100,9 +103297,9 @@ rule ELASTIC_Linux_Trojan_Meterpreter_1Bda891E : FILE MEMORY date = "2021-12-13" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Meterpreter.yar#L59-L76" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "74e7547472117de20159f5b158cee0ccacc02a9aba5e5ad64a52c552c966d539" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Meterpreter.yar#L59-L76" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_74e7547472117de20159f5b158cee0ccacc02a9aba5e5ad64a52c552c966d539" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103128,9 +103325,9 @@ rule ELASTIC_Macos_Creddump_Keychainaccess_535C1511 : FILE MEMORY date = "2023-04-11" modified = "2024-08-19" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Creddump_KeychainAccess.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "c2995263622d62b11db93f7d163a7595e316ec24b51099f434bc5dbd0afefbfe" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Creddump_KeychainAccess.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_c2995263622d62b11db93f7d163a7595e316ec24b51099f434bc5dbd0afefbfe" score = 75 quality = 49 tags = "FILE, MEMORY" @@ -103152,7 +103349,7 @@ rule ELASTIC_Macos_Creddump_Keychainaccess_535C1511 : FILE MEMORY $strings8 = "Failed to get password" ascii wide nocase condition: - all of ($strings1,$strings2) or $strings4 or all of ($strings3,$strings5) or all of ($strings6,$strings7,$strings8) + all of ( $strings1 , $strings2 ) or $strings4 or all of ( $strings3 , $strings5 ) or all of ( $strings6 , $strings7 , $strings8 ) } rule ELASTIC_Windows_Trojan_Jesterstealer_B35C6F4B : FILE MEMORY { 
@@ -103163,10 +103360,10 @@ rule ELASTIC_Windows_Trojan_Jesterstealer_B35C6F4B : FILE MEMORY date = "2022-02-28" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_JesterStealer.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_JesterStealer.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "10c3846867f70dd26c5a54332ed22070c9e5e0e4f52f05fdae12ead801f7933b" - logic_hash = "acc49348267e963af9ff6ba7afa053d4056d4068b4386a872e33e025790ba759" + logic_hash = "v1_sha256_acc49348267e963af9ff6ba7afa053d4056d4068b4386a872e33e025790ba759" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103198,10 +103395,10 @@ rule ELASTIC_Windows_Trojan_Jesterstealer_8F657F58 : FILE MEMORY date = "2022-02-28" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_JesterStealer.yar#L27-L45" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_JesterStealer.yar#L27-L45" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "10c3846867f70dd26c5a54332ed22070c9e5e0e4f52f05fdae12ead801f7933b" - logic_hash = "20a0d8be9c25d50d4dddd455ecb9739f772f57e988855c7fc2df597b2f67585b" + logic_hash = "v1_sha256_20a0d8be9c25d50d4dddd455ecb9739f772f57e988855c7fc2df597b2f67585b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103227,10 +103424,10 @@ rule ELASTIC_Linux_Trojan_Ircbot_Bb204B81 : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ircbot.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ircbot.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6147481d083c707dc98905a1286827a6e7009e08490e7d7c280ed5a6356527ad" - logic_hash = "90d211c11281f5f8832210f3fc087fe5ff5a519b9b38628835e8b5fcc560bd9b" + logic_hash = "v1_sha256_90d211c11281f5f8832210f3fc087fe5ff5a519b9b38628835e8b5fcc560bd9b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103256,10 +103453,10 @@ rule ELASTIC_Linux_Trojan_Ircbot_7C60454D : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ircbot.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ircbot.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "14eeff3516de6d2cb11d6ada4026e3dcee1402940e3a0fb4fa224a5c030049d8" - logic_hash = "90dcd0a3d3f6345e66db0a4f8465e3830eb4e3bcb675db16c60a89e20f935aec" + logic_hash = "v1_sha256_90dcd0a3d3f6345e66db0a4f8465e3830eb4e3bcb675db16c60a89e20f935aec" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103285,10 +103482,10 @@ rule ELASTIC_Windows_Trojan_Blister_Cb99A1Df : FILE MEMORY date = "2021-12-21" modified = "2022-01-13" reference = "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Blister.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Blister.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00" - logic_hash = "deb1be5300d8af12dda868dd5f4ccdbb3ec653bd97c33a09e567c13ecafb9e8a" + logic_hash = "v1_sha256_deb1be5300d8af12dda868dd5f4ccdbb3ec653bd97c33a09e567c13ecafb9e8a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103316,10 +103513,10 @@ rule ELASTIC_Windows_Trojan_Blister_9D757838 : FILE MEMORY date = "2022-04-26" modified = "2022-06-09" reference = "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Blister.yar#L24-L44" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Blister.yar#L24-L44" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "863de84a39c9f741d8103db83b076695d0d10a7384e4e3ba319c05a6018d9737" - logic_hash = "4d9ce1622d77b2ac8b20b2dfb60ac672752dabab315221a5449ebd3c73a3edca" + logic_hash = "v1_sha256_4d9ce1622d77b2ac8b20b2dfb60ac672752dabab315221a5449ebd3c73a3edca" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103346,10 +103543,10 @@ rule ELASTIC_Windows_Trojan_Blister_68B53E1B : FILE MEMORY date = "2023-08-02" modified = "2023-08-08" reference = "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Blister.yar#L46-L66" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Blister.yar#L46-L66" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5fc79a4499bafa3a881778ef51ce29ef015ee58a587e3614702e69da304395db" - logic_hash = "6d935461406a6b9b39867d52aa5ecb088945ae0f8c56895a67e8565e5a2a3699" + logic_hash = "v1_sha256_6d935461406a6b9b39867d52aa5ecb088945ae0f8c56895a67e8565e5a2a3699" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103376,10 +103573,10 @@ rule ELASTIC_Windows_Trojan_Blister_487B0966 : FILE MEMORY date = "2023-09-11" modified = "2023-09-20" reference = "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Blister.yar#L68-L89" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Blister.yar#L68-L89" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5fc79a4499bafa3a881778ef51ce29ef015ee58a587e3614702e69da304395db" - logic_hash = "521409d03335205507cc6894e0de3ca627eb966a95a2f8e7b931e552ad78bbb7" + logic_hash = "v1_sha256_521409d03335205507cc6894e0de3ca627eb966a95a2f8e7b931e552ad78bbb7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103407,10 +103604,10 @@ rule ELASTIC_Windows_Trojan_Blister_26F8C5F2 : FILE MEMORY date = "2024-09-25" modified = "2024-10-24" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Blister.yar#L91-L110" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Blister.yar#L91-L110" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cba30fb1731e165acc256d99d32f3c9e5abfa27d152419d24a91d8b79c5c5cb0" - logic_hash = "dc87a3ae4edf0b8ee18cb7c34f9b4a0305c504b7ef66cb3232c91dc364d3563c" + logic_hash = "v1_sha256_dc87a3ae4edf0b8ee18cb7c34f9b4a0305c504b7ef66cb3232c91dc364d3563c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103437,10 +103634,10 @@ rule ELASTIC_Linux_Trojan_Ipstorm_3C43D4A7 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ipstorm.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ipstorm.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5103133574615fb49f6a94607540644689be017740d17005bc08b26be9485aa7" - logic_hash = "c7e9191312197f8925d7231d0b8badf8b5ca35685df909c0d1feb301b4385d7b" + logic_hash = "v1_sha256_c7e9191312197f8925d7231d0b8badf8b5ca35685df909c0d1feb301b4385d7b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103466,10 +103663,10 @@ rule ELASTIC_Linux_Trojan_Ipstorm_F9269F00 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ipstorm.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ipstorm.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5103133574615fb49f6a94607540644689be017740d17005bc08b26be9485aa7" - logic_hash = "5914d222b49aaf6c1040e48ffd93c04bd5df25f1d97bde79b034862fca6555f6" + logic_hash = "v1_sha256_5914d222b49aaf6c1040e48ffd93c04bd5df25f1d97bde79b034862fca6555f6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103495,10 +103692,10 @@ rule ELASTIC_Linux_Trojan_Ipstorm_08Bcf61C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Ipstorm.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Ipstorm.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "503f293d84de4f2c826f81a68180ad869e0d1448ea6c0dbf09a7b23801e1a9b9" - logic_hash = "fb2755c04b61d19788a92b8c9c1c9eb2552b62b27011e302840fdcf689b3d9b4" + logic_hash = "v1_sha256_fb2755c04b61d19788a92b8c9c1c9eb2552b62b27011e302840fdcf689b3d9b4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103524,9 +103721,9 @@ rule ELASTIC_Windows_PUP_Generic_198B73Aa : FILE MEMORY date = "2023-07-27" modified = "2023-09-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_PUP_Generic.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "a584c34b9dfc2d78bf8a1e594a2ed519d20088184ce1df09e679b2400aa396d3" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_PUP_Generic.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_a584c34b9dfc2d78bf8a1e594a2ed519d20088184ce1df09e679b2400aa396d3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103554,10 +103751,10 @@ rule ELASTIC_Linux_Exploit_CVE_2010_3301_79D52Efd : FILE MEMORY CVE_2010_3301 date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "53a2163ad17a414d9db95f5287d9981c9410e7eaeea096610ba622eb763a6970" - logic_hash = "1d4eb14042f552aa1577d0fe452e92c25bda66d0ad1a66e824677bee65908578" + logic_hash = "v1_sha256_1d4eb14042f552aa1577d0fe452e92c25bda66d0ad1a66e824677bee65908578" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2010-3301" 
@@ -103583,10 +103780,10 @@ rule ELASTIC_Linux_Exploit_CVE_2010_3301_D0Eb0924 : FILE MEMORY CVE_2010_3301 date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "907995e90a80d3ace862f2ffdf13fd361762b5acc5397e14135d85ca6a61619b" - logic_hash = "5229be3d1997ee4d05846d6804ffafd36c088dd8607a1fba39a0a43950e448c1" + logic_hash = "v1_sha256_5229be3d1997ee4d05846d6804ffafd36c088dd8607a1fba39a0a43950e448c1" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2010-3301" 
@@ -103612,10 +103809,10 @@ rule ELASTIC_Linux_Exploit_CVE_2010_3301_A5828970 : FILE MEMORY CVE_2010_3301 date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4fc781f765a65b714ec27080f25c03f20e06830216506e06325240068ba62d83" - logic_hash = "61b0cb38a6e14efee157547e811450d2ed4674f79ac86656a8d984084f71a665" + logic_hash = "v1_sha256_61b0cb38a6e14efee157547e811450d2ed4674f79ac86656a8d984084f71a665" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2010-3301" 
@@ -103641,10 +103838,10 @@ rule ELASTIC_Multi_Trojan_Coreimpact_37703Dc3 : FILE MEMORY date = "2022-08-10" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_Coreimpact.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Coreimpact.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2d954908da9f63cd3942c0df2e8bb5fe861ac5a336ddef2bd0a977cebe030ad7" - logic_hash = "0695f22d6eb8c1b335c43213087539db419562bebd6f5b948cbb168c454bd37c" + logic_hash = "v1_sha256_0695f22d6eb8c1b335c43213087539db419562bebd6f5b948cbb168c454bd37c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103674,9 +103871,9 @@ rule ELASTIC_Windows_Attacksimulation_Hovercraft_F5C7178F : FILE MEMORY
 date = "2022-05-23"
 modified = "2022-07-18"
 reference = "046645b2a646c83b4434a893a0876ea9bd51ae05e70d4e72f2ccc648b0f18cb6"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_AttackSimulation_Hovercraft.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "e707e89904a5fa4d30f94bfc625b736a411df6bb055c0e40df18ae65025a3740"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_AttackSimulation_Hovercraft.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_e707e89904a5fa4d30f94bfc625b736a411df6bb055c0e40df18ae65025a3740"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103703,9 +103900,9 @@ rule ELASTIC_Linux_Cryptominer_Camelot_9Ac1654B : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L1-L18"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "5de1f43803f3d3b94149ea39ed961e7b9a1ad86c15c5085e2e0a5f9c314e98ff"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L1-L18"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_5de1f43803f3d3b94149ea39ed961e7b9a1ad86c15c5085e2e0a5f9c314e98ff"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103731,9 +103928,9 @@ rule ELASTIC_Linux_Cryptominer_Camelot_Dd167Aa0 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L20-L37"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "88be4fbb337fa866e126021b40a01d86a33029071af7efc289a8c5490d21ea8a"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L20-L37"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_88be4fbb337fa866e126021b40a01d86a33029071af7efc289a8c5490d21ea8a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103759,10 +103956,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_B25398Dd : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L39-L57"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L39-L57"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6fb3b77be0a66a10124a82f9ec6ad22247d7865a4d26aa49c5d602320318ce3c"
- logic_hash = "e7fdb3c573909e8f197417278a6d333cc3743b05257d81fed46769b185354183"
+ logic_hash = "v1_sha256_e7fdb3c573909e8f197417278a6d333cc3743b05257d81fed46769b185354183"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103788,10 +103985,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_6A279F19 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L59-L77"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L59-L77"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5b01f72b2c53db9b8f253bb98c6584581ebd1af1b1aaee62659f54193c269fca"
- logic_hash = "91e3c0d96fe5ab9c61b38f01d39639020ec459bec6348b1f87a2c5b1a874e24a"
+ logic_hash = "v1_sha256_91e3c0d96fe5ab9c61b38f01d39639020ec459bec6348b1f87a2c5b1a874e24a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103817,10 +104014,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_4E7945A4 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L79-L97"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L79-L97"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "b7504ce57787956e486d951b4ff78d73807fcc2a7958b172febc6d914e7a23a7"
- logic_hash = "aebc544076954fcce917e026467a8828b18446ce7c690b4c748562e311b7d491"
+ logic_hash = "v1_sha256_aebc544076954fcce917e026467a8828b18446ce7c690b4c748562e311b7d491"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103846,10 +104043,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_29C1C386 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L99-L117"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L99-L117"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fc73bbfb12c64d2f20efa22a6d8d8c5782ef57cb0ca6d844669b262e80db2444"
- logic_hash = "1a3a9065cbb59658c06dfbfc622ccd2e577e988370ffe47848a5859f96db4e24"
+ logic_hash = "v1_sha256_1a3a9065cbb59658c06dfbfc622ccd2e577e988370ffe47848a5859f96db4e24"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103875,9 +104072,9 @@ rule ELASTIC_Linux_Cryptominer_Camelot_25B63F54 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L119-L136"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "640ffe2040e382ad536c1b6947e05f8c25ff82897ef7ac673a7676815856a346"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L119-L136"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_640ffe2040e382ad536c1b6947e05f8c25ff82897ef7ac673a7676815856a346"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103903,10 +104100,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_73E2373E : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L138-L156"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L138-L156"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fc73bbfb12c64d2f20efa22a6d8d8c5782ef57cb0ca6d844669b262e80db2444"
- logic_hash = "2377da6667860dc7204760ee64213cba95909c9181bd1a3ea96c3ad29988c9f7"
+ logic_hash = "v1_sha256_2377da6667860dc7204760ee64213cba95909c9181bd1a3ea96c3ad29988c9f7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103932,10 +104129,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_B8552Fff : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L158-L176"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L158-L176"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cdd3d567fbcbdd6799afad241ae29acbe4ab549445e5c4fc0678d16e75b40dfa"
- logic_hash = "476b800422b6d98405d8bde727bb589c5cae36723436b269beaa65381b3d0abe"
+ logic_hash = "v1_sha256_476b800422b6d98405d8bde727bb589c5cae36723436b269beaa65381b3d0abe"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103961,10 +104158,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_83550472 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L178-L196"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L178-L196"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d2d8421ffdcebb7fed00edcf306ec5e86fc30ad3e87d55e85b05bea5dc1f7d63"
- logic_hash = "f62d4a2a7dfb312b2e362844bfa29bd4453a05f31b4f72550ef29ff40ed6fb9d"
+ logic_hash = "v1_sha256_f62d4a2a7dfb312b2e362844bfa29bd4453a05f31b4f72550ef29ff40ed6fb9d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103990,10 +104187,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_8799D8D6 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L198-L216"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L198-L216"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4a6d98eae8951e5b9e0a226f1197732d6d14ed45c1b1534d3cdb4413261eb352"
- logic_hash = "4bcd7931aeed09069d5dd248a66f119a2bdf628e03b9abed9ee2de59a149c2bc"
+ logic_hash = "v1_sha256_4bcd7931aeed09069d5dd248a66f119a2bdf628e03b9abed9ee2de59a149c2bc"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -104019,10 +104216,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_0F7C5375 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L218-L236"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L218-L236"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e75be5377ad65abdc69e6c7f9fe17429a98188a217d0ca3a6f40e75c4f0c07e8"
- logic_hash = "05f4b16a7e4c7ffbc6b8a2f60050a4ac1d05d9efbe948e2da689055f6383cf82"
+ logic_hash = "v1_sha256_05f4b16a7e4c7ffbc6b8a2f60050a4ac1d05d9efbe948e2da689055f6383cf82"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -104048,10 +104245,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_87639Dbd : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L238-L256"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L238-L256"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d2d8421ffdcebb7fed00edcf306ec5e86fc30ad3e87d55e85b05bea5dc1f7d63"
- logic_hash = "b81af8c9baee999b91e63f97d5a46451d9960487b25b04079df5539f857be466"
+ logic_hash = "v1_sha256_b81af8c9baee999b91e63f97d5a46451d9960487b25b04079df5539f857be466"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -104077,10 +104274,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_Cdd631C1 : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L258-L276"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L258-L276"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "91549c171ae7f43c1a85a303be30169932a071b5c2b6cf3f4913f20073c97897"
- logic_hash = "5e4b26a74fc3737c068917c7c1228048f885ac30fc326a2844611f7e707d1300"
+ logic_hash = "v1_sha256_5e4b26a74fc3737c068917c7c1228048f885ac30fc326a2844611f7e707d1300"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -104106,10 +104303,10 @@ rule ELASTIC_Linux_Cryptominer_Camelot_209B02Dd : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Camelot.yar#L278-L296"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Camelot.yar#L278-L296"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "60d33d1fdabc6b10f7bb304f4937051a53d63f39613853836e6c4d095343092e"
- logic_hash = "5cadc955242d4b7d5fd4365a0b425051d89c905e3d49ea03967150de0020225c"
+ logic_hash = "v1_sha256_5cadc955242d4b7d5fd4365a0b425051d89c905e3d49ea03967150de0020225c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -104135,10 +104332,10 @@ rule ELASTIC_Windows_Vulndriver_Microstar_D72B85B2 : FILE
 date = "2022-04-07"
 modified = "2022-04-07"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_MicroStar.yar#L1-L21"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_MicroStar.yar#L1-L21"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59"
- logic_hash = "04e9c1f318acae5544cdc826938383bf8f6c6b838cb5828a7097383ac564f404"
+ logic_hash = "v1_sha256_04e9c1f318acae5544cdc826938383bf8f6c6b838cb5828a7097383ac564f404"
 score = 75
 quality = 75
 tags = "FILE"
@@ -104155,7 +104352,7 @@ rule ELASTIC_Windows_Vulndriver_Microstar_D72B85B2 : FILE
 $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version
 } rule ELASTIC_Macos_Hacktool_Bifrost_39Bcbdf8 : FILE MEMORY {
@@ -104166,10 +104363,10 @@ rule ELASTIC_Macos_Hacktool_Bifrost_39Bcbdf8 : FILE MEMORY
 date = "2021-10-12"
 modified = "2021-10-25"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Hacktool_Bifrost.yar#L1-L27"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Hacktool_Bifrost.yar#L1-L27"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e2b64df0add316240b010db7d34d83fc9ac7001233259193e5a72b6e04aece46"
- logic_hash = "a2ff4f1aca51e80f2b277e9171e99a80a75177d1d17d487de2eb8872832cb0d5"
+ logic_hash = "v1_sha256_a2ff4f1aca51e80f2b277e9171e99a80a75177d1d17d487de2eb8872832cb0d5"
 score = 75
 quality = 25
 tags = "FILE, MEMORY"
@@ -104203,10 +104400,10 @@ rule ELASTIC_Linux_Cryptominer_Zexaf_B90E7683 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Zexaf.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Zexaf.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "98650ebb7e463a06e737bcea4fd2b0f9036fafb0638ba8f002e6fe141b9fecfe"
- logic_hash = "d8485d8fbf00d5c828d7c6c80fef61f228f308e3d27a762514cfb3f00053b30b"
+ logic_hash = "v1_sha256_d8485d8fbf00d5c828d7c6c80fef61f228f308e3d27a762514cfb3f00053b30b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -104232,10 +104429,10 @@ rule ELASTIC_Windows_Vulndriver_Directio_7Bea6C8F : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_DirectIo.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_DirectIo.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea"
- logic_hash = "3b148fed9c52af1d2d1eb18b6c4b191fb80e547f2da1beccdaf3d3e0237ecc1b"
+ logic_hash = "v1_sha256_3b148fed9c52af1d2d1eb18b6c4b191fb80e547f2da1beccdaf3d3e0237ecc1b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -104251,7 +104448,7 @@ rule ELASTIC_Windows_Vulndriver_Directio_7Bea6C8F : FILE
 $str2 = { 9B 49 18 FC CD 5C EA D2 } condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 and not $str2
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 and not $str2
 } rule ELASTIC_Windows_Vulndriver_Directio_Abe8Bfa6 : FILE {
@@ -104262,10 +104459,10 @@ rule ELASTIC_Windows_Vulndriver_Directio_Abe8Bfa6 : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_DirectIo.yar#L22-L41"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_DirectIo.yar#L22-L41"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5"
- logic_hash = "5224938b0381943a171b1db00249e71c43ce2c179ef4bbe14b46cc0787e35cb2"
+ logic_hash = "v1_sha256_5224938b0381943a171b1db00249e71c43ce2c179ef4bbe14b46cc0787e35cb2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -104281,7 +104478,7 @@ rule ELASTIC_Windows_Vulndriver_Directio_Abe8Bfa6 : FILE
 $str2 = { 9B 49 18 FC CD 5C EA D2 } condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 and not $str2
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 and not $str2
 } rule ELASTIC_Windows_Vulndriver_Vbox_3315863F : FILE {
@@ -104292,10 +104489,10 @@ rule ELASTIC_Windows_Vulndriver_Vbox_3315863F : FILE
 date = "2022-04-07"
 modified = "2022-04-07"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_VBox.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_VBox.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498"
- logic_hash = "ba4e6a94516e36dcd6140b6732d959703e2c58a79add705b9260001ea26db738"
+ logic_hash = "v1_sha256_ba4e6a94516e36dcd6140b6732d959703e2c58a79add705b9260001ea26db738"
 score = 75
 quality = 75
 tags = "FILE"
@@ -104311,7 +104508,7 @@ rule ELASTIC_Windows_Vulndriver_Vbox_3315863F : FILE
 $subject_name = { 06 03 55 04 03 [2] 69 6E 6E 6F 74 65 6B 20 47 6D 62 48 } condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $subject_name
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $subject_name
 } rule ELASTIC_Windows_Vulndriver_Vbox_1B1C5Cd5 : FILE {
@@ -104322,10 +104519,10 @@ rule ELASTIC_Windows_Vulndriver_Vbox_1B1C5Cd5 : FILE
 date = "2022-04-07"
 modified = "2022-04-07"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_VBox.yar#L22-L42"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_VBox.yar#L22-L42"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22"
- logic_hash = "5fcfffea021aee8d18172383df0e65f8c618fab545c800f1a7b659e8112c6c0f"
+ logic_hash = "v1_sha256_5fcfffea021aee8d18172383df0e65f8c618fab545c800f1a7b659e8112c6c0f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -104342,7 +104539,7 @@ rule ELASTIC_Windows_Vulndriver_Vbox_1B1C5Cd5 : FILE
 $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x02][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version
 } rule ELASTIC_Linux_Trojan_Pornoasset_927F314F : FILE MEMORY {
@@ -104353,10 +104550,10 @@ rule ELASTIC_Linux_Trojan_Pornoasset_927F314F : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Pornoasset.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Pornoasset.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93"
- logic_hash = "7267375346c1628e04c8272c24bde04a5d6ae2b420f64dfe58657cfc3eecc0e7"
+ logic_hash = "v1_sha256_7267375346c1628e04c8272c24bde04a5d6ae2b420f64dfe58657cfc3eecc0e7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -104382,10 +104579,10 @@ rule ELASTIC_Windows_Virus_Floxif_493D1897 : FILE MEMORY
 date = "2023-09-26"
 modified = "2023-11-02"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Virus_Floxif.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Virus_Floxif.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e628b7973ee25fdfd8f849fdf5923c6fba48141de802b0b4ce3e9ad2e40fe470"
- logic_hash = "d3f516966bd4423c49771251075a1ea2f725aec91615f7f44dd098da2a4f3574"
+ logic_hash = "v1_sha256_d3f516966bd4423c49771251075a1ea2f725aec91615f7f44dd098da2a4f3574"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -104411,10 +104608,10 @@ rule ELASTIC_Linux_Packer_Patched_UPX_62E11C64 : FILE
 date = "2021-06-08"
 modified = "2021-07-28"
 reference = "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Packer_Patched_UPX.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Packer_Patched_UPX.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669"
- logic_hash = "cb576fdd59c255234a96397460b81cbb2deeb38befaed101749b7bb515624028"
+ logic_hash = "v1_sha256_cb576fdd59c255234a96397460b81cbb2deeb38befaed101749b7bb515624028"
 score = 75
 quality = 75
 tags = "FILE"
@@ -104429,7 +104626,7 @@ rule ELASTIC_Linux_Packer_Patched_UPX_62E11C64 : FILE
 $a = { 55 50 58 21 [4] 00 00 00 00 00 00 00 00 00 00 00 00 } condition:
- all of them and $a in (0..255)
+ all of them and $a in ( 0 .. 255 )
 } rule ELASTIC_Windows_Vulndriver_Truesight_7429Ac81 : FILE MEMORY {
@@ -104440,10 +104637,10 @@ rule ELASTIC_Windows_Vulndriver_Truesight_7429Ac81 : FILE MEMORY
 date = "2024-06-21"
 modified = "2024-09-09"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_TrueSight.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_TrueSight.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c"
- logic_hash = "8490947a632ca32822231631e19e52380b8b1a26c74c697d36898b0facbfcc9c"
+ logic_hash = "v1_sha256_8490947a632ca32822231631e19e52380b8b1a26c74c697d36898b0facbfcc9c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -104459,7 +104656,7 @@ rule ELASTIC_Windows_Vulndriver_Truesight_7429Ac81 : FILE MEMORY
 $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x03][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x02][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x02][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $original_file_name and $version
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $original_file_name and $version
 } rule ELASTIC_Windows_Hacktool_Edrrecon_69453Aff : FILE MEMORY {
@@ -104470,10 +104667,10 @@ rule ELASTIC_Windows_Hacktool_Edrrecon_69453Aff : FILE MEMORY
 date = "2024-03-07"
 modified = "2024-06-10"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_EDRrecon.yar#L1-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_EDRrecon.yar#L1-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f62e51b2405c0d42c53ff1f560376ef0530ba2eea1c97e18f2a3cf148346bcd1"
- logic_hash = "3d0f6dc5d47a3c0957a7aa8d2918fee113d079d7d74f37a1c17c5429034ba41f"
+ logic_hash = "v1_sha256_3d0f6dc5d47a3c0957a7aa8d2918fee113d079d7d74f37a1c17c5429034ba41f"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -104539,10 +104736,10 @@ rule ELASTIC_Windows_Hacktool_Edrrecon_Ca314Aa1 : FILE MEMORY date = "2024-03-07" modified = "2024-06-10" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_EDRrecon.yar#L61-L115" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_EDRrecon.yar#L61-L115" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f62e51b2405c0d42c53ff1f560376ef0530ba2eea1c97e18f2a3cf148346bcd1" - logic_hash = "04b8681b0b6f8fa51eb90488edf35638da3334886c7db5fc22218712b0d23007" + logic_hash = "v1_sha256_04b8681b0b6f8fa51eb90488edf35638da3334886c7db5fc22218712b0d23007" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -104604,10 +104801,10 @@ rule ELASTIC_Windows_Vulndriver_Segwin_04A3962E : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Segwin.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Segwin.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - logic_hash = "1e9ba5fc78f2b4eeee56314c9e8cf3071817d726b44cb8510f8d7069e85ab7bf" + logic_hash = "v1_sha256_1e9ba5fc78f2b4eeee56314c9e8cf3071817d726b44cb8510f8d7069e85ab7bf" score = 75 quality = 75 tags = "FILE" @@ -104624,7 +104821,7 @@ rule ELASTIC_Windows_Vulndriver_Segwin_04A3962E : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x64][\x00-\x00])([\x00-\x02][\x00-\x00])([\x00-\x07][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x63][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x64][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x06][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Trojan_Cryptbot_489A6562 : FILE MEMORY { 
@@ -104635,10 +104832,10 @@ rule ELASTIC_Windows_Trojan_Cryptbot_489A6562 : FILE MEMORY date = "2021-08-18" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Cryptbot.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Cryptbot.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110" - logic_hash = "7fee3cc67419e66de790ba2ad8c3102425b3a45bdfe31801758dd38021a8439b" + logic_hash = "v1_sha256_7fee3cc67419e66de790ba2ad8c3102425b3a45bdfe31801758dd38021a8439b" score = 75 quality = 25 tags = "FILE, MEMORY" 
@@ -104668,10 +104865,10 @@ rule ELASTIC_Linux_Trojan_Adlibrary_2E908E5F : FILE MEMORY date = "2022-08-23" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Adlibrary.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Adlibrary.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "acb22b88ecfb31664dc07b2cb3490b78d949cd35a67f3fdcd65b1a4335f728f1" - logic_hash = "0d0df636876adf0268b7a409bfc9d8bfad298793d11297596ef91aeba86889da" + logic_hash = "v1_sha256_0d0df636876adf0268b7a409bfc9d8bfad298793d11297596ef91aeba86889da" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104697,10 +104894,10 @@ rule ELASTIC_Windows_Vulndriver_Toshibabios_2891972A : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_ToshibaBios.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_ToshibaBios.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - logic_hash = "c253181a754f421ee36ced994412672770497756848d78d557907957486e711b" + logic_hash = "v1_sha256_c253181a754f421ee36ced994412672770497756848d78d557907957486e711b" score = 75 quality = 75 tags = "FILE" @@ -104717,7 +104914,7 @@ rule ELASTIC_Windows_Vulndriver_Toshibabios_2891972A : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x02][\x00-\x00])([\x00-\x04][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x04][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x03][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x04][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x02][\x00-\x00])([\x00-\x04][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x03][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Trojan_Pizzapotion_D334C613 : FILE MEMORY { 
@@ -104728,10 +104925,10 @@ rule ELASTIC_Windows_Trojan_Pizzapotion_D334C613 : FILE MEMORY date = "2023-09-13" modified = "2023-09-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_PizzaPotion.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_PizzaPotion.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "37bee101cf34a84cba49adb67a555c6ebd3b8ac7c25d50247b0a014c82630003" - logic_hash = "de7d395c8a993abf9858858e56ba0ec4acbf0fa1c8bfe4a34ae95be2205967fc" + logic_hash = "v1_sha256_de7d395c8a993abf9858858e56ba0ec4acbf0fa1c8bfe4a34ae95be2205967fc" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -104762,10 +104959,10 @@ rule ELASTIC_Windows_Ransomware_Mespinoza_3Adb59F5 : FILE MEMORY date = "2021-08-05" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Mespinoza.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Mespinoza.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6f3cd5f05ab4f404c78bab92f705c91d967b31a9b06017d910af312fa87ae3d6" - logic_hash = "28c8ad42a3af70fed274edc9105dae5cef13749d71510561a50428c822464934" + logic_hash = "v1_sha256_28c8ad42a3af70fed274edc9105dae5cef13749d71510561a50428c822464934" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104793,10 +104990,10 @@ rule ELASTIC_Windows_Trojan_Gh0St_Ee6De6Bc : FILE MEMORY date = "2021-06-10" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Gh0st.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Gh0st.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d" - logic_hash = "3619df974c9f4ec76899afbafdfd6839070714862c7361be476cf8f83e766e2f" + logic_hash = "v1_sha256_3619df974c9f4ec76899afbafdfd6839070714862c7361be476cf8f83e766e2f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104826,10 +105023,10 @@ rule ELASTIC_Windows_Ransomware_Agenda_D7B1Af3F : FILE MEMORY date = "2024-09-10" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Agenda.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Agenda.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464" - logic_hash = "a68330bf98ae200ff2d0da51836436f2bdff5c10eb4e0145502f688055980493" + logic_hash = "v1_sha256_a68330bf98ae200ff2d0da51836436f2bdff5c10eb4e0145502f688055980493" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104858,10 +105055,10 @@ rule ELASTIC_Windows_Vulndriver_Gdrv_5368078B : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_GDrv.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_GDrv.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - logic_hash = "f4d43ac4a4b6d879ffb5ba637b38ec75c8b57f531db644015c1a71c2cdea45d5" + logic_hash = "v1_sha256_f4d43ac4a4b6d879ffb5ba637b38ec75c8b57f531db644015c1a71c2cdea45d5" score = 75 quality = 75 tags = "FILE" @@ -104878,7 +105075,7 @@ rule ELASTIC_Windows_Vulndriver_Gdrv_5368078B : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x02][\x00-\x00])([\x00-\x05][\x00-\x00])([\x00-\x26][\x00-\x07]|[\x00-\xff][\x00-\x06])([\x00-\xce][\x00-\x0e]|[\x00-\xff][\x00-\x0d])|([\x00-\xff][\x00-\xff])([\x00-\x04][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x01][\x00-\x00])([\x00-\x05][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x02][\x00-\x00])([\x00-\x05][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xcd][\x00-\x0e]|[\x00-\xff][\x00-\x0d]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Windows_Ransomware_Whispergate_C80F3B4B : FILE MEMORY { 
@@ -104889,10 +105086,10 @@ rule ELASTIC_Windows_Ransomware_Whispergate_C80F3B4B : FILE MEMORY date = "2022-01-17" modified = "2022-01-17" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_WhisperGate.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_WhisperGate.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92" - logic_hash = "04452141a867d4f6fce618c21795cc142a1265b56c62ecb9e579003d36b4b2b9" + logic_hash = "v1_sha256_04452141a867d4f6fce618c21795cc142a1265b56c62ecb9e579003d36b4b2b9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104919,10 +105116,10 @@ rule ELASTIC_Windows_Ransomware_Whispergate_3476008E : FILE MEMORY date = "2022-01-18" modified = "2022-01-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_WhisperGate.yar#L22-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_WhisperGate.yar#L22-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d" - logic_hash = "729818df1b6b82fc00eba0fe1c9139ec4746e1775146ab7fdea9e25dec1cddea" + logic_hash = "v1_sha256_729818df1b6b82fc00eba0fe1c9139ec4746e1775146ab7fdea9e25dec1cddea" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104951,10 +105148,10 @@ rule ELASTIC_Windows_Vulndriver_BSMI_65223B8D : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_BSMI.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_BSMI.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - logic_hash = "c4fa65bbd9d374092137b65209f29744caeb8b04fbd364b1acc67b73c45604e8" + logic_hash = "v1_sha256_c4fa65bbd9d374092137b65209f29744caeb8b04fbd364b1acc67b73c45604e8" score = 75 quality = 75 tags = "FILE" @@ -104971,7 +105168,7 @@ rule ELASTIC_Windows_Vulndriver_BSMI_65223B8D : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x01][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x00][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Linux_Rootkit_Brokepkg_7B7D4581 : FILE MEMORY { 
@@ -104982,10 +105179,10 @@ rule ELASTIC_Linux_Rootkit_Brokepkg_7B7D4581 : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_BrokePKG.yar#L1-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_BrokePKG.yar#L1-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "97c5e011c7315a05c470eef4032030e461ec2a596513703beedeec0b0c6ed2da" - logic_hash = "a4e5916fa0ca6b07fcbb6f970abb0212a970cf723b906e605c18e620efc501dc" + logic_hash = "v1_sha256_a4e5916fa0ca6b07fcbb6f970abb0212a970cf723b906e605c18e620efc501dc" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105019,7 +105216,7 @@ rule ELASTIC_Linux_Rootkit_Brokepkg_7B7D4581 : FILE MEMORY $hook10 = "orig_getdents" condition: - 3 of ($license*) or 2 of ($str*) or 4 of ($hook*) + 3 of ( $license* ) or 2 of ( $str* ) or 4 of ( $hook* ) } rule ELASTIC_Windows_Hacktool_Dcsyncer_425579C5 : FILE MEMORY { 
@@ -105030,10 +105227,10 @@ rule ELASTIC_Windows_Hacktool_Dcsyncer_425579C5 : FILE MEMORY date = "2021-09-15" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Dcsyncer.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Dcsyncer.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "af7dbc84efeb186006d75d095f54a266f59e6b2348d0c20591da16ae7b7d509a" - logic_hash = "b0330adf1d4420ddf1f302974d2e4179f52ab1c8dc2f294ddf52286d714e0463" + logic_hash = "v1_sha256_b0330adf1d4420ddf1f302974d2e4179f52ab1c8dc2f294ddf52286d714e0463" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105063,10 +105260,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_66197D54 : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "7bccf37960e2f197bb0021ecb12872f0f715b674d9774d02ec4e396f18963029" + logic_hash = "v1_sha256_7bccf37960e2f197bb0021ecb12872f0f715b674d9774d02ec4e396f18963029" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105100,10 +105297,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_E8Ed269C : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L29-L57" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L29-L57" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "c56b6dfb2c3ae657615c825a4d5d5640c2204fa4217262e1ccb4359d5a914a63" + logic_hash = "v1_sha256_c56b6dfb2c3ae657615c825a4d5d5640c2204fa4217262e1ccb4359d5a914a63" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105139,10 +105336,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_413Caa6B : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L59-L87" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L59-L87" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "4f2417d61be5e68630408a151cd73372aef9e7f4638acf4e80bfa5b2811119a7" + logic_hash = "v1_sha256_4f2417d61be5e68630408a151cd73372aef9e7f4638acf4e80bfa5b2811119a7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105178,10 +105375,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_23Fee092 : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L89-L115" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L89-L115" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "ed019c9198b5d9ff8392bfd7e0b23a7b1383eabce4c71c665a3ca4a943c8b6ee" + logic_hash = "v1_sha256_ed019c9198b5d9ff8392bfd7e0b23a7b1383eabce4c71c665a3ca4a943c8b6ee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105215,10 +105412,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_861D3264 : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L117-L145" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L117-L145" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "e6a0a0a24c70d69c0aa56063d2db0f5a0fedcda5b96d945ac14520524b1d00fd" + logic_hash = "v1_sha256_e6a0a0a24c70d69c0aa56063d2db0f5a0fedcda5b96d945ac14520524b1d00fd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105254,10 +105451,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_57587F8C : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L147-L175" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L147-L175" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "175b8b6f9fca189f2fc41f1029ad512db2c8b0e52ea04bfbc3d410d355928ab9" + logic_hash = "v1_sha256_175b8b6f9fca189f2fc41f1029ad512db2c8b0e52ea04bfbc3d410d355928ab9" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -105293,10 +105490,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_Cae025B1 : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L177-L203" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L177-L203" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "9c34443cffed43513242321e2170484dbb0d41b251aee8ea640d44da76918122" + logic_hash = "v1_sha256_9c34443cffed43513242321e2170484dbb0d41b251aee8ea640d44da76918122" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105330,10 +105527,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_4A9B9603 : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L205-L231" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L205-L231" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "8d78483b54d3be6988b1f5df826b8709b7aa2045ff3a3e754c359365d053bb27" + logic_hash = "v1_sha256_8d78483b54d3be6988b1f5df826b8709b7aa2045ff3a3e754c359365d053bb27" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105367,10 +105564,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_4Db2C852 : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L233-L261" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L233-L261" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "88c88103a055d25ba97f08e2f47881001ad8a2200a33ac04246494963dfe6638" + logic_hash = "v1_sha256_88c88103a055d25ba97f08e2f47881001ad8a2200a33ac04246494963dfe6638" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105406,10 +105603,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_Bcedc8B2 : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L263-L291" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L263-L291" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "7f0a6a9168b5ff7cc02ccadd211cc8096307651be65c2b3e7cc9fdbbde08ab9f" + logic_hash = "v1_sha256_7f0a6a9168b5ff7cc02ccadd211cc8096307651be65c2b3e7cc9fdbbde08ab9f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105445,10 +105642,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_B6Bb3E7C : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L293-L321" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L293-L321" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "e2eaf91b9c5d3616fb2f6f6bc4b44841b1efa3b4efe7ac72afe225728523af75" + logic_hash = "v1_sha256_e2eaf91b9c5d3616fb2f6f6bc4b44841b1efa3b4efe7ac72afe225728523af75" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105484,10 +105681,10 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_94474B0B : FILE MEMORY date = "2022-12-21" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L323-L351" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L323-L351" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "e209c9ce1f4b11c5fdeade3298329d62f5cf561403c87077d94b6921e81ffaea" + logic_hash = "v1_sha256_e209c9ce1f4b11c5fdeade3298329d62f5cf561403c87077d94b6921e81ffaea" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105523,10 +105720,10 @@ rule ELASTIC_Linux_Trojan_Cerbu_69D5657E : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Cerbu.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Cerbu.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f10bf3cf2fdfbd365d3c2d8dedb2d01b85236eaa97d15370dbcb5166149d70e9"
- logic_hash = "644e8d5a1b5c8618e71497f21b0244215924e293e274b9164692dd927cd74ba8"
+ logic_hash = "v1_sha256_644e8d5a1b5c8618e71497f21b0244215924e293e274b9164692dd927cd74ba8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105552,10 +105749,10 @@ rule ELASTIC_Windows_Trojan_Guloader_8F10Fa66 : FILE MEMORY
 date = "2021-08-17"
 modified = "2021-10-04"
 reference = "https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Guloader.yar#L1-L24"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Guloader.yar#L1-L24"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a3e2d5013b80cd2346e37460753eca4a4fec3a7941586cc26e049a463277562e"
- logic_hash = "f2cd08f6a32c075dc0294a0e26c51e686babc54ced4faa1873368c8821f0bfef"
+ logic_hash = "v1_sha256_f2cd08f6a32c075dc0294a0e26c51e686babc54ced4faa1873368c8821f0bfef"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105585,10 +105782,10 @@ rule ELASTIC_Windows_Trojan_Guloader_C4D9Dd33 : FILE MEMORY
 date = "2021-08-17"
 modified = "2021-10-04"
 reference = "https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Guloader.yar#L26-L45"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Guloader.yar#L26-L45"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a3e2d5013b80cd2346e37460753eca4a4fec3a7941586cc26e049a463277562e"
- logic_hash = "623ea751fc32648720bda40598024d4d5b6a9a11b3cce3c9427310ba17745643"
+ logic_hash = "v1_sha256_623ea751fc32648720bda40598024d4d5b6a9a11b3cce3c9427310ba17745643"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105614,10 +105811,10 @@ rule ELASTIC_Windows_Trojan_Guloader_2F1E44C8 : FILE MEMORY
 date = "2023-10-30"
 modified = "2023-11-02"
 reference = "https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Guloader.yar#L47-L70"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Guloader.yar#L47-L70"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6ae7089aa6beaa09b1c3aa3ecf28a884d8ca84f780aab39902223721493b1f99"
- logic_hash = "434b33c3fdc6bf4b0f59cd4aba66327d0b7ab524be603b256494d46b609cecd5"
+ logic_hash = "v1_sha256_434b33c3fdc6bf4b0f59cd4aba66327d0b7ab524be603b256494d46b609cecd5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105647,10 +105844,10 @@ rule ELASTIC_Linux_Ransomware_Hive_Bdc7De59 : FILE MEMORY
 date = "2022-01-05"
 modified = "2022-01-26"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Hive.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Hive.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771"
- logic_hash = "33908128258843d63c5dfe5acf15cfd68463f5cbdf08b88ef1bba394058a5a92"
+ logic_hash = "v1_sha256_33908128258843d63c5dfe5acf15cfd68463f5cbdf08b88ef1bba394058a5a92"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105676,10 +105873,10 @@ rule ELASTIC_Windows_Trojan_Glupteba_70557305 : FILE MEMORY
 date = "2021-08-08"
 modified = "2021-10-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Glupteba.yar#L1-L24"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Glupteba.yar#L1-L24"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3ad13fd7968f9574d2c822e579291c77a0c525991cfb785cbe6cdd500b737218"
- logic_hash = "f3eee9808a1e8a2080116dda7ce795815e1179143c756ea8fdd26070f1f8f74a"
+ logic_hash = "v1_sha256_f3eee9808a1e8a2080116dda7ce795815e1179143c756ea8fdd26070f1f8f74a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105710,10 +105907,10 @@ rule ELASTIC_Windows_Trojan_Glupteba_4669Dcd6 : FILE MEMORY
 date = "2021-08-08"
 modified = "2021-10-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Glupteba.yar#L26-L44"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Glupteba.yar#L26-L44"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1b55042e06f218546db5ddc52d140be4303153d592dcfc1ce90e6077c05e77f7"
- logic_hash = "64b2099f40f94b17bc5860b41773c41322420500696d320399ff1c016cb56e15"
+ logic_hash = "v1_sha256_64b2099f40f94b17bc5860b41773c41322420500696d320399ff1c016cb56e15"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105739,10 +105936,10 @@ rule ELASTIC_Windows_Ransomware_Hive_55619Cd0 : FILE MEMORY
 date = "2021-08-26"
 modified = "2022-01-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Hive.yar#L1-L21"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Hive.yar#L1-L21"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609"
- logic_hash = "51e2b03a9f9b92819bbf05ecbb33a23662a40e7d51f9812aa8243c4506057f1f"
+ logic_hash = "v1_sha256_51e2b03a9f9b92819bbf05ecbb33a23662a40e7d51f9812aa8243c4506057f1f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105770,10 +105967,10 @@ rule ELASTIC_Windows_Ransomware_Hive_3Ed67Fe6 : FILE MEMORY
 date = "2021-08-26"
 modified = "2022-01-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Hive.yar#L23-L45"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Hive.yar#L23-L45"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609"
- logic_hash = "a599f0d528bdbec00afa7e9a5cddec5e799ee755a7f30af70dde7d2459b70155"
+ logic_hash = "v1_sha256_a599f0d528bdbec00afa7e9a5cddec5e799ee755a7f30af70dde7d2459b70155"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105803,10 +106000,10 @@ rule ELASTIC_Windows_Ransomware_Hive_B97Ec33B : FILE MEMORY
 date = "2021-08-26"
 modified = "2022-01-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Hive.yar#L47-L65"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Hive.yar#L47-L65"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609"
- logic_hash = "10034d9f53fd5099a423269e0c42c01eac18318f5d11599e1390912c8fd7af25"
+ logic_hash = "v1_sha256_10034d9f53fd5099a423269e0c42c01eac18318f5d11599e1390912c8fd7af25"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105832,9 +106029,9 @@ rule ELASTIC_Linux_Trojan_Bluez_50E87Fa9 : FILE MEMORY
 date = "2021-06-28"
 modified = "2021-09-16"
 reference = "1e526b6e3be273489afa8f0a3d50be233b97dc07f85815cc2231a87f5a651ef1"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Bluez.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "53754c538a7dea6f06e37980901350feddc3517821ea42544cb96e371709752f"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Bluez.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_53754c538a7dea6f06e37980901350feddc3517821ea42544cb96e371709752f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -105860,9 +106057,9 @@ rule ELASTIC_Windows_Ransomware_Maze_61254061 : BETA FILE MEMORY
 date = "2020-04-18"
 modified = "2021-08-23"
 reference = "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Maze.yar#L1-L21"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "b8537add953cdd7bc6adbff97f7f5a94de028709f0bd71102ee96d26d55f4f20"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Maze.yar#L1-L21"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_b8537add953cdd7bc6adbff97f7f5a94de028709f0bd71102ee96d26d55f4f20"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -105879,7 +106076,7 @@ rule ELASTIC_Windows_Ransomware_Maze_61254061 : BETA FILE MEMORY
 $c2 = { 72 F0 0C 66 0F 72 D4 14 66 0F EB C4 66 0F 70 E0 39 66 0F FE E6 66 0F 70 }
 condition:
- 1 of ($c*)
+ 1 of ( $c* )
 }
 
 rule ELASTIC_Windows_Ransomware_Maze_46F40C40 : BETA FILE MEMORY
 {
@@ -105890,9 +106087,9 @@ rule ELASTIC_Windows_Ransomware_Maze_46F40C40 : BETA FILE MEMORY
 date = "2020-04-18"
 modified = "2021-10-04"
 reference = "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Maze.yar#L23-L44"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "99180f41aaaf1dfb0a8a40709dcc392fdbc2b2d3a4d4b4a1ab160dd5f2b4c703"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Maze.yar#L23-L44"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_99180f41aaaf1dfb0a8a40709dcc392fdbc2b2d3a4d4b4a1ab160dd5f2b4c703"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -105910,7 +106107,7 @@ rule ELASTIC_Windows_Ransomware_Maze_46F40C40 : BETA FILE MEMORY
 $b3 = "%s! Alert! %s! Alert! Dear %s Your files have been encrypted by %s! Attention! %s" wide fullword
 condition:
- 2 of ($b*)
+ 2 of ( $b* )
 }
 
 rule ELASTIC_Windows_Ransomware_Maze_20Caee5B : BETA FILE MEMORY
 {
@@ -105921,9 +106118,9 @@ rule ELASTIC_Windows_Ransomware_Maze_20Caee5B : BETA FILE MEMORY
 date = "2020-04-18"
 modified = "2021-08-23"
 reference = "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Maze.yar#L46-L71"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "e09c059b285d2176aeba1a1f70d39f13cef4e05dc023c7db25fb9d92bd9a67d9"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Maze.yar#L46-L71"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_e09c059b285d2176aeba1a1f70d39f13cef4e05dc023c7db25fb9d92bd9a67d9"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -105945,7 +106142,7 @@ rule ELASTIC_Windows_Ransomware_Maze_20Caee5B : BETA FILE MEMORY
 $a7 = "process call create \"cmd /c start %s\"" wide fullword
 condition:
- 4 of ($a*)
+ 4 of ( $a* )
 }
 
 rule ELASTIC_Windows_Ransomware_Maze_F88F136F : BETA FILE MEMORY
 {
@@ -105956,9 +106153,9 @@ rule ELASTIC_Windows_Ransomware_Maze_F88F136F : BETA FILE MEMORY
 date = "2020-04-18"
 modified = "2021-08-23"
 reference = "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Maze.yar#L73-L94"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "5587f332a076650f6ad7b1e3b464ef6085d960e6dacf53607cf75c9f9ad07628"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Maze.yar#L73-L94"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_5587f332a076650f6ad7b1e3b464ef6085d960e6dacf53607cf75c9f9ad07628"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -105976,7 +106173,7 @@ rule ELASTIC_Windows_Ransomware_Maze_F88F136F : BETA FILE MEMORY
 $d3 = { 77 B3 50 3C B1 9B 5D D4 87 F5 17 DB E1 C7 42 D8 53 24 C2 E2 6A A8 9B 1E FB E5 48 EB 10 48 44 28 64 F8 B6 A1 41 44 D0 42 FA 85 6F 17 57 09 C4 66 93 D2 21 C5 19 71 3A A1 C5 68 2E 67 B1 02 DC D1 }
 condition:
- 1 of ($d*)
+ 1 of ( $d* )
 }
 
 rule ELASTIC_Linux_Trojan_Winnti_61215D98 : FILE MEMORY
 {
@@ -105987,10 +106184,10 @@ rule ELASTIC_Linux_Trojan_Winnti_61215D98 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Winnti.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Winnti.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cc1455e3a479602581c1c7dc86a0e02605a3c14916b86817960397d5a2f41c31"
- logic_hash = "051cc157f189094d25d45e66e410bdfd61ed7649a4c935d076cec1597c5debf5"
+ logic_hash = "v1_sha256_051cc157f189094d25d45e66e410bdfd61ed7649a4c935d076cec1597c5debf5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106016,9 +106213,9 @@ rule ELASTIC_Linux_Trojan_Winnti_4C5A1865 : FILE MEMORY
 date = "2021-06-28"
 modified = "2021-09-16"
 reference = "0d963a713093fc8e5928141f5747640c9b43f3aadc8a5478c949f7ec364b28ad"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Winnti.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "69f6dcba59ec8cd7f4dfe853495a35601e35d74476fad9e18bef7685a68ece51"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Winnti.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_69f6dcba59ec8cd7f4dfe853495a35601e35d74476fad9e18bef7685a68ece51"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106044,9 +106241,9 @@ rule ELASTIC_Linux_Trojan_Winnti_6F4Ca425 : FILE MEMORY
 date = "2022-01-05"
 modified = "2022-01-26"
 reference = "161af780209aa24845863f7a8120aa982aa811f16ec04bcd797ed165955a09c1"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Winnti.yar#L41-L59"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "a1ffc0e3d27c4bb9fd10f14d45b649b4f059c654b31449013ac06d0981ed25ed"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Winnti.yar#L41-L59"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_a1ffc0e3d27c4bb9fd10f14d45b649b4f059c654b31449013ac06d0981ed25ed"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106072,9 +106269,9 @@ rule ELASTIC_Linux_Trojan_Winnti_De4B0F6E : FILE MEMORY
 date = "2022-01-05"
 modified = "2022-01-26"
 reference = "a6b9b3ea19eaddd4d90e58c372c10bbe37dbfced638d167182be2c940e615710"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Winnti.yar#L61-L79"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "fb7b0ff4757dfc1ba2ca8585d5ddf14aae03063e10bdc2565443362c6ba37c30"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Winnti.yar#L61-L79"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_fb7b0ff4757dfc1ba2ca8585d5ddf14aae03063e10bdc2565443362c6ba37c30"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106100,10 +106297,10 @@ rule ELASTIC_Windows_Hacktool_Safetykatz_072B7370 : FILE MEMORY
 date = "2022-11-20"
 modified = "2023-01-11"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SafetyKatz.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SafetyKatz.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9"
- logic_hash = "cedd3ede487371a8e0d29804f2b81ae808c7ad01bd803fa39dc2c50e472cff43"
+ logic_hash = "v1_sha256_cedd3ede487371a8e0d29804f2b81ae808c7ad01bd803fa39dc2c50e472cff43"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -106122,7 +106319,7 @@ rule ELASTIC_Windows_Hacktool_Safetykatz_072B7370 : FILE MEMORY
 $print_str3 = "[+] Dump successful!" ascii wide fullword
 condition:
- $guid or all of ($print_str*)
+ $guid or all of ( $print_str* )
 }
 
 rule ELASTIC_Windows_Trojan_Jupyter_56152E31 : FILE MEMORY
 {
@@ -106133,10 +106330,10 @@ rule ELASTIC_Windows_Trojan_Jupyter_56152E31 : FILE MEMORY
 date = "2021-07-22"
 modified = "2021-08-23"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Jupyter.yar#L1-L22"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Jupyter.yar#L1-L22"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601"
- logic_hash = "7b32e9caca744f4f6b48aefa5fda111e6b7ac81a62dd1fb8873d2c800ac3c42b"
+ logic_hash = "v1_sha256_7b32e9caca744f4f6b48aefa5fda111e6b7ac81a62dd1fb8873d2c800ac3c42b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106154,7 +106351,7 @@ rule ELASTIC_Windows_Trojan_Jupyter_56152E31 : FILE MEMORY
 $b2 = "jupyter" ascii fullword
 condition:
- 1 of ($a*) or 2 of ($b*)
+ 1 of ( $a* ) or 2 of ( $b* )
 }
 
 rule ELASTIC_Windows_Trojan_Farfli_85D1Bcc9 : FILE MEMORY
 {
@@ -106165,10 +106362,10 @@ rule ELASTIC_Windows_Trojan_Farfli_85D1Bcc9 : FILE MEMORY
 date = "2022-02-17"
 modified = "2022-04-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Farfli.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Farfli.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e3e9ea1b547cc235e6f1a78b4ca620c69a54209f84c7de9af17eb5b02e9b58c3"
- logic_hash = "746eb5a2583077189d82d1a96b499ff383f31220845bd8a6df5b7a7ceb11e6fb"
+ logic_hash = "v1_sha256_746eb5a2583077189d82d1a96b499ff383f31220845bd8a6df5b7a7ceb11e6fb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106194,11 +106391,11 @@ rule ELASTIC_Windows_Vulndriver_Agent64_8Ef48Aeb : FILE
 date = "2022-07-19"
 modified = "2022-07-19"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Agent64.yar#L1-L25"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Agent64.yar#L1-L25"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748"
 hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca"
- logic_hash = "a35f82202507e582e3cbc7018656545fcee1244ec1638a696f0b7c970fd5023c"
+ logic_hash = "v1_sha256_a35f82202507e582e3cbc7018656545fcee1244ec1638a696f0b7c970fd5023c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -106218,7 +106415,7 @@ rule ELASTIC_Windows_Vulndriver_Agent64_8Ef48Aeb : FILE
 $product_name = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 [1-8] 44 00 72 00 69 00 76 00 65 00 72 00 41 00 67 00 65 00 6E 00 74 }
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and any of ($subject_name*) and $original_file_name and $product_version and $product_name
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and any of ( $subject_name* ) and $original_file_name and $product_version and $product_name
 }
 
 rule ELASTIC_Windows_Trojan_Formbook_1112E116 : FILE MEMORY
 {
@@ -106229,10 +106426,10 @@ rule ELASTIC_Windows_Trojan_Formbook_1112E116 : FILE MEMORY
 date = "2021-06-14"
 modified = "2021-08-23"
 reference = "https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Formbook.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Formbook.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a"
- logic_hash = "ec307a8681fa01fc0c7c0579b0e3eff10e7f373159ad58dae0a358ff16fbc10b"
+ logic_hash = "v1_sha256_ec307a8681fa01fc0c7c0579b0e3eff10e7f373159ad58dae0a358ff16fbc10b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106261,9 +106458,9 @@ rule ELASTIC_Windows_Trojan_Formbook_772Cc62D : FILE MEMORY
 date = "2022-05-23"
 modified = "2022-07-18"
 reference = "https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Formbook.yar#L25-L46"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "db9ab8df029856fc1c210499ed8e1b92c9722f7aa2264363670c47b51ec8fa83"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Formbook.yar#L25-L46"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_db9ab8df029856fc1c210499ed8e1b92c9722f7aa2264363670c47b51ec8fa83"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106281,7 +106478,7 @@ rule ELASTIC_Windows_Trojan_Formbook_772Cc62D : FILE MEMORY
 $r1 = /.\:\\Users\\[^\\]{1,50}\\AppData\\Roaming\\[a-zA-Z0-9]{8}\\[a-zA-Z0-9]{3}log\.ini/ wide
 condition:
- 2 of ($a*) and $r1
+ 2 of ( $a* ) and $r1
 }
 
 rule ELASTIC_Windows_Trojan_Formbook_5799D1F2 : FILE MEMORY
 {
@@ -106292,10 +106489,10 @@ rule ELASTIC_Windows_Trojan_Formbook_5799D1F2 : FILE MEMORY
 date = "2022-06-08"
 modified = "2022-09-29"
 reference = "https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Formbook.yar#L48-L67"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Formbook.yar#L48-L67"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "8555a6d313cb17f958fc2e08d6c042aaff9ceda967f8598ac65ab6333d14efd9"
- logic_hash = "8e61eabd11beb9fb35c016983cfb3085f5ceddfc8268522f3b48d20be5b5df6a"
+ logic_hash = "v1_sha256_8e61eabd11beb9fb35c016983cfb3085f5ceddfc8268522f3b48d20be5b5df6a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106321,10 +106518,10 @@ rule ELASTIC_Linux_Ransomware_Blackbasta_96Eb3F20 : FILE MEMORY
 date = "2022-08-06"
 modified = "2022-08-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_BlackBasta.yar#L1-L25"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_BlackBasta.yar#L1-L25"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
- logic_hash = "a5e0b60ba51490f70af53c9fba91e3349c712bebb10574eb4bed028ab961ae74"
+ logic_hash = "v1_sha256_a5e0b60ba51490f70af53c9fba91e3349c712bebb10574eb4bed028ab961ae74"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106345,7 +106542,7 @@ rule ELASTIC_Linux_Ransomware_Blackbasta_96Eb3F20 : FILE MEMORY
 $seq_encrypt_thread = { 4C 8B 74 24 ?? 31 DB 45 31 FF 4D 8B 6E ?? 49 83 FD ?? 0F 87 ?? ?? ?? ?? 31 C0 4D 39 EF 0F 82 ?? ?? ?? ?? 48 01 C3 4C 39 EB 0F 83 ?? ?? ?? ?? }
 condition:
- 3 of ($a*) and 1 of ($seq*)
+ 3 of ( $a* ) and 1 of ( $seq* )
 }
 
 rule ELASTIC_Multi_Ransomware_Blackcat_Aaf312C3 : FILE MEMORY
 {
@@ -106356,10 +106553,10 @@ rule ELASTIC_Multi_Ransomware_Blackcat_Aaf312C3 : FILE MEMORY
 date = "2022-02-02"
 modified = "2023-09-20"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_BlackCat.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_BlackCat.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479"
- logic_hash = "0771ab5a795af164a568bda036cccf08afeb33458f2cd5a7240349fca9b60ead"
+ logic_hash = "v1_sha256_0771ab5a795af164a568bda036cccf08afeb33458f2cd5a7240349fca9b60ead"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -106386,10 +106583,10 @@ rule ELASTIC_Multi_Ransomware_Blackcat_00E525D7 : FILE MEMORY date = "2022-02-02" modified = "2022-08-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_BlackCat.yar#L22-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_BlackCat.yar#L22-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479" - logic_hash = "e44625d0fa8308b9d4d63a9e6920b4da4a2ce124437f122b2c8fe5cf0ab85a6b" + logic_hash = "v1_sha256_e44625d0fa8308b9d4d63a9e6920b4da4a2ce124437f122b2c8fe5cf0ab85a6b" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -106418,10 +106615,10 @@ rule ELASTIC_Multi_Ransomware_Blackcat_C4B043E6 : FILE MEMORY date = "2022-09-12" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_BlackCat.yar#L45-L63" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_BlackCat.yar#L45-L63" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f" - logic_hash = "1262ca76581920f08a6482ead68023fdfff08a9ddd19e00230054e3167dc184c" + logic_hash = "v1_sha256_1262ca76581920f08a6482ead68023fdfff08a9ddd19e00230054e3167dc184c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106447,10 +106644,10 @@ rule ELASTIC_Multi_Ransomware_Blackcat_70171625 : FILE MEMORY date = "2023-01-05" modified = "2023-09-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_BlackCat.yar#L65-L91" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_BlackCat.yar#L65-L91" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479" - logic_hash = "fd07acd7c8627754f000c44827848bf65bcaa96f2dfb46e41542f3c9b40eee78" + logic_hash = "v1_sha256_fd07acd7c8627754f000c44827848bf65bcaa96f2dfb46e41542f3c9b40eee78" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106484,10 +106681,10 @@ rule ELASTIC_Multi_Ransomware_Blackcat_E066D802 : FILE MEMORY date = "2023-07-27" modified = "2023-09-20" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_BlackCat.yar#L93-L113" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_BlackCat.yar#L93-L113" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "00360830bf5886288f23784b8df82804bf6f22258e410740db481df8a7701525" - logic_hash = "00fbb8013faf26c35b6cd8a72ebc246444c37c5ec7a0df2295830e96c01c8720" + logic_hash = "v1_sha256_00fbb8013faf26c35b6cd8a72ebc246444c37c5ec7a0df2295830e96c01c8720" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106515,10 +106712,10 @@ rule ELASTIC_Multi_Ransomware_Blackcat_0Ffb0A37 : FILE MEMORY date = "2023-07-29" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_BlackCat.yar#L115-L134" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_BlackCat.yar#L115-L134" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "57136b118a0d6d3c71e522ea53e3305dae58b51f06c29cd01c0c28fa0fa34287" - logic_hash = "4f28281e4b23868c63438d4800b9e5978426e7c98b6142ef8082cfd251cafe57" + logic_hash = "v1_sha256_4f28281e4b23868c63438d4800b9e5978426e7c98b6142ef8082cfd251cafe57" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -106545,10 +106742,10 @@ rule ELASTIC_Linux_Trojan_Zerobot_185E2396 : FILE MEMORY date = "2022-12-16" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Zerobot.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Zerobot.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f" - logic_hash = "caa21cc019d8e4549d976f8b4f98d930ef7acf4c39c41956ae35fa78c975e016" + logic_hash = "v1_sha256_caa21cc019d8e4549d976f8b4f98d930ef7acf4c39c41956ae35fa78c975e016" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106570,7 +106767,7 @@ rule ELASTIC_Linux_Trojan_Zerobot_185E2396 : FILE MEMORY $start_service_1 = "systemctl enable sshf" condition: - ( all of ($startup_method_1_*) or all of ($startup_method_2_*)) and 1 of ($start_service_*) + ( all of ( $startup_method_1_* ) or all of ( $startup_method_2_* ) ) and 1 of ( $start_service_* ) } rule ELASTIC_Linux_Trojan_Zerobot_3A5B56Dd : FILE MEMORY { 
@@ -106581,10 +106778,10 @@ rule ELASTIC_Linux_Trojan_Zerobot_3A5B56Dd : FILE MEMORY date = "2022-12-16" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Zerobot.yar#L28-L51" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Zerobot.yar#L28-L51" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f" - logic_hash = "2491fff4ad0327e0440d842f221fb6623c8efd97e2991bf2090abceaef9c2ccf" + logic_hash = "v1_sha256_2491fff4ad0327e0440d842f221fb6623c8efd97e2991bf2090abceaef9c2ccf" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106615,10 +106812,10 @@ rule ELASTIC_Linux_Trojan_Bedevil_A1A72C39 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Bedevil.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Bedevil.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "017a9d7290cf327444d23227518ab612111ca148da7225e64a9f6ebd253449ab" - logic_hash = "227adcc340c38cebf56ea2f39b483c965dd46827d83afe5f866ca844c932da76" + logic_hash = "v1_sha256_227adcc340c38cebf56ea2f39b483c965dd46827d83afe5f866ca844c932da76" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106644,10 +106841,10 @@ rule ELASTIC_Windows_Trojan_Stormkitty_6256031A : FILE MEMORY date = "2022-03-21" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_StormKitty.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_StormKitty.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0c69015f534d1da3770dbc14183474a643c4332de6a599278832abd2b15ba027" - logic_hash = "a797e87eaf5b173da9dd43fcff03b3d26198dcafa29c3f2ca369773c73001234" + logic_hash = "v1_sha256_a797e87eaf5b173da9dd43fcff03b3d26198dcafa29c3f2ca369773c73001234" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106678,10 +106875,10 @@ rule ELASTIC_Windows_Trojan_Doorme_246Eda61 : FILE MEMORY date = "2022-12-09" modified = "2022-12-15" reference = "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_DoorMe.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_DoorMe.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "96b226e1dcfb8ea2155c2fa508125472c8c767569d009a881ab4c39453e4fe7f" - logic_hash = "01240f2e23904498c34ec805cc8bc3e9ac7b76c6519685ef6b367066f1a0bc5b" + logic_hash = "v1_sha256_01240f2e23904498c34ec805cc8bc3e9ac7b76c6519685ef6b367066f1a0bc5b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106701,7 +106898,7 @@ rule ELASTIC_Windows_Trojan_Doorme_246Eda61 : FILE MEMORY $str_0 = ".?AVDoorme@@" ascii fullword condition: - 3 of ($seq*) or 1 of ($str*) + 3 of ( $seq* ) or 1 of ( $str* ) } rule ELASTIC_Linux_Hacktool_Lightning_D9A9173A : FILE MEMORY { 
@@ -106712,10 +106909,10 @@ rule ELASTIC_Linux_Hacktool_Lightning_D9A9173A : FILE MEMORY date = "2022-11-08" modified = "2024-02-13" reference = "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Lightning.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Lightning.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7" - logic_hash = "93961d9771aa4e828e15923064a848291c7814ad4e15e30cd252fc41523d789e" + logic_hash = "v1_sha256_93961d9771aa4e828e15923064a848291c7814ad4e15e30cd252fc41523d789e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106744,10 +106941,10 @@ rule ELASTIC_Linux_Hacktool_Lightning_E87C9D50 : FILE MEMORY date = "2022-11-08" modified = "2024-02-13" reference = "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Lightning.yar#L25-L48" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Lightning.yar#L25-L48" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e" - logic_hash = "455ecf97e7becaf9c40843f8a3f60ec233d35e0061c6994f168428a8835c1b20" + logic_hash = "v1_sha256_455ecf97e7becaf9c40843f8a3f60ec233d35e0061c6994f168428a8835c1b20" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106777,10 +106974,10 @@ rule ELASTIC_Linux_Hacktool_Lightning_3Bcac358 : FILE MEMORY date = "2022-11-08" modified = "2024-02-13" reference = "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Lightning.yar#L50-L72" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Lightning.yar#L50-L72" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237" - logic_hash = "f260372b9f2ea32f93ff7a30dc8239766e713a1e177a483444b14538741c24af" + logic_hash = "v1_sha256_f260372b9f2ea32f93ff7a30dc8239766e713a1e177a483444b14538741c24af" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106809,10 +107006,10 @@ rule ELASTIC_Windows_Trojan_Qbot_D91C1384 : FILE MEMORY date = "2021-07-08" modified = "2021-08-23" reference = "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Qbot.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Qbot.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "18ac3870aaa9aaaf6f4a5c0118daa4b43ad93d71c38bf42cb600db3d786c6dda" - logic_hash = "8fd8249a2af236c92ccbc20b2a8380f69ca75976bd64bad167828e9ab4c6ed90" + logic_hash = "v1_sha256_8fd8249a2af236c92ccbc20b2a8380f69ca75976bd64bad167828e9ab4c6ed90" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106838,10 +107035,10 @@ rule ELASTIC_Windows_Trojan_Qbot_7D5Dc64A : FILE MEMORY date = "2021-10-04" modified = "2022-01-13" reference = "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Qbot.yar#L22-L42" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Qbot.yar#L22-L42" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a2bacde7210d88675564106406d9c2f3b738e2b1993737cb8bf621b78a9ebf56" - logic_hash = "5c8858502050494ab20a230f04c2c1cb4bfcd80f4a248dad82787d7ce67c741d" + logic_hash = "v1_sha256_5c8858502050494ab20a230f04c2c1cb4bfcd80f4a248dad82787d7ce67c741d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106868,10 +107065,10 @@ rule ELASTIC_Windows_Trojan_Qbot_6Fd34691 : FILE MEMORY date = "2022-03-07" modified = "2022-04-12" reference = "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Qbot.yar#L44-L64" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Qbot.yar#L44-L64" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0838cd11d6f504203ea98f78cac8f066eb2096a2af16d27fb9903484e7e6a689" - logic_hash = "9422d9f276f0c8c2990ece3282d918abc6fcce7eeb6809d46ae6b768a501a877" + logic_hash = "v1_sha256_9422d9f276f0c8c2990ece3282d918abc6fcce7eeb6809d46ae6b768a501a877" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106898,10 +107095,10 @@ rule ELASTIC_Windows_Trojan_Qbot_3074A8D4 : FILE MEMORY date = "2022-06-07" modified = "2022-07-18" reference = "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Qbot.yar#L66-L97" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Qbot.yar#L66-L97" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a" - logic_hash = "90c06bd09fe640bb5a6be8e4f2384fb15c7501674d57db005e790ed336740c99" + logic_hash = "v1_sha256_90c06bd09fe640bb5a6be8e4f2384fb15c7501674d57db005e790ed336740c99" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106939,10 +107136,10 @@ rule ELASTIC_Windows_Trojan_Qbot_1Ac22A26 : FILE MEMORY date = "2022-12-29" modified = "2023-02-01" reference = "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Qbot.yar#L99-L136" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Qbot.yar#L99-L136" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a" - logic_hash = "d9beaf4a8c28a0b3c38dda6bf22a96b8c96ef715bd36de880504a9f970338fe2" + logic_hash = "v1_sha256_d9beaf4a8c28a0b3c38dda6bf22a96b8c96ef715bd36de880504a9f970338fe2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106986,10 +107183,10 @@ rule ELASTIC_Windows_Vulndriver_Elby_65B09743 : FILE date = "2022-04-07" modified = "2022-04-07" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Elby.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Elby.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - logic_hash = "7c7438520b238daf38d4ac91cbdee48bbfa9c85bd76208a436ce59edcfcecb80" + logic_hash = "v1_sha256_7c7438520b238daf38d4ac91cbdee48bbfa9c85bd76208a436ce59edcfcecb80" score = 75 quality = 75 tags = "FILE" @@ -107006,7 +107203,7 @@ rule ELASTIC_Windows_Vulndriver_Elby_65B09743 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x06][\x00-\x00])([\x00-\x02][\x00-\x00])([\x00-\x03][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x05][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x00][\x00-\x00])([\x00-\x06][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x02][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Multi_Trojan_Merlin_32643F4C : FILE MEMORY { 
@@ -107017,10 +107214,10 @@ rule ELASTIC_Multi_Trojan_Merlin_32643F4C : FILE MEMORY date = "2024-03-01" modified = "2024-05-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Trojan_Merlin.yar#L1-L28" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Trojan_Merlin.yar#L1-L28" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "84b988c4656677bc021e23df2a81258212d9ceba13be204867ac1d9d706404e2" - logic_hash = "7de2deec0e2c7fd3ce2b42762f88bfe87cb4ffb02b697953aa1716425d6f1612" + logic_hash = "v1_sha256_7de2deec0e2c7fd3ce2b42762f88bfe87cb4ffb02b697953aa1716425d6f1612" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -107044,7 +107241,7 @@ rule ELASTIC_Multi_Trojan_Merlin_32643F4C : FILE MEMORY $b3 = "github.com/Ne0nd0g/merlin" condition: - all of ($a*) or all of ($b*) + all of ( $a* ) or all of ( $b* ) } rule ELASTIC_Linux_Proxy_Frp_4213778F : FILE MEMORY { 
@@ -107055,10 +107252,10 @@ rule ELASTIC_Linux_Proxy_Frp_4213778F : FILE MEMORY date = "2021-10-20" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Proxy_Frp.yar#L1-L28" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Proxy_Frp.yar#L1-L28" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2" - logic_hash = "83eeb632026c38ac08357c27d971da31fbc9a0500ecf489e8332ac5862a77b85" + logic_hash = "v1_sha256_83eeb632026c38ac08357c27d971da31fbc9a0500ecf489e8332ac5862a77b85" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -107082,7 +107279,7 @@ rule ELASTIC_Linux_Proxy_Frp_4213778F : FILE MEMORY $p4 = "range section [%s] local_port and remote_port is necessary[ERR]" condition: - 2 of ($s*) and 2 of ($p*) + 2 of ( $s* ) and 2 of ( $p* ) } rule ELASTIC_Macos_Trojan_Bundlore_28B13E67 : FILE MEMORY { 
@@ -107093,10 +107290,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_28B13E67 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0b50a38749ea8faf571169ebcfce3dfd668eaefeb9a91d25a96e6b3881e4a3e8" - logic_hash = "586ae19e570c51805afd3727b2e570cdb1c48344aa699e54774a708f02bc3a6f" + logic_hash = "v1_sha256_586ae19e570c51805afd3727b2e570cdb1c48344aa699e54774a708f02bc3a6f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107122,10 +107319,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_75C8Cb4E : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3d69912e19758958e1ebdef5e12c70c705d7911c3b9df03348c5d02dd06ebe4e" - logic_hash = "527fecb8460c0325c009beddd6992e0abbf8c5a05843e4cedf3b17deb4b19a1c" + logic_hash = "v1_sha256_527fecb8460c0325c009beddd6992e0abbf8c5a05843e4cedf3b17deb4b19a1c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107151,10 +107348,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_17B564B4 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "94f6e5ee6eb3a191faaf332ea948301bbb919f4ec6725b258e4f8e07b6a7881d" - logic_hash = "40cd2a793c8ed51a8191ecb9b358f50dc2035d997d0f773f6049f9c272291607" + logic_hash = "v1_sha256_40cd2a793c8ed51a8191ecb9b358f50dc2035d997d0f773f6049f9c272291607" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107180,10 +107377,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_C90C088A : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "875513f4ebeb63b9e4d82fb5bff2b2dc75b69c0bfa5dd8d2895f22eaa783f372" - logic_hash = "c82c5c8d1e38e0d2631c5611e384eb49b58c64daeafe0cc642682e5c64686b60" + logic_hash = "v1_sha256_c82c5c8d1e38e0d2631c5611e384eb49b58c64daeafe0cc642682e5c64686b60" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107209,10 +107406,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_3965578D : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d72543505e36db40e0ccbf14f4ce3853b1022a8aeadd96d173d84e068b4f68fa" - logic_hash = "6bd24640e0a3aa152fcd90b6975ee4fb7e99ab5f2d48d3a861bc804c526c90b6" + logic_hash = "v1_sha256_6bd24640e0a3aa152fcd90b6975ee4fb7e99ab5f2d48d3a861bc804c526c90b6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107238,10 +107435,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_00D9D0E9 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "73069b34e513ff1b742b03fed427dc947c22681f30cf46288a08ca545fc7d7dd" - logic_hash = "535831872408caa27984190d1b1b1a5954e502265925d50457e934219598dbfd" + logic_hash = "v1_sha256_535831872408caa27984190d1b1b1a5954e502265925d50457e934219598dbfd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107267,10 +107464,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_650B8Ff4 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L121-L139" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L121-L139" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "78fd2c4afd7e810d93d91811888172c4788a0a2af0b88008573ce8b6b819ae5a" - logic_hash = "e8a706db010e9c3d9714d5e7a376e9b2189af382a7b01db9a9e7ee947e9637bb" + logic_hash = "v1_sha256_e8a706db010e9c3d9714d5e7a376e9b2189af382a7b01db9a9e7ee947e9637bb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107296,10 +107493,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_C8Ad7Edd : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L141-L159" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L141-L159" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d4915473e1096a82afdaee405189a0d0ae961bd11a9e5e9adc420dd64cb48c24" - logic_hash = "be09b4bd612bb499044fe91ca4e1ab62405cf1e4d75b8e1da90e326d1c66e04f" + logic_hash = "v1_sha256_be09b4bd612bb499044fe91ca4e1ab62405cf1e4d75b8e1da90e326d1c66e04f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107325,10 +107522,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_Cb7344Eb : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L161-L179" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L161-L179" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "53373668d8c5dc17f58768bf59fb5ab6d261a62d0950037f0605f289102e3e56" - logic_hash = "6b5e868dfd14e9b1cdf3caeb1216764361b28c1dd38849526baf5dbdb1020d8d" + logic_hash = "v1_sha256_6b5e868dfd14e9b1cdf3caeb1216764361b28c1dd38849526baf5dbdb1020d8d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107354,10 +107551,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_753E5738 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L181-L199" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L181-L199" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "42aeea232b28724d1fa6e30b1aeb8f8b8c22e1bc8afd1bbb4f90e445e31bdfe9" - logic_hash = "7a6907b51c793e4182c1606eab6f2bcb71f0350a34aef93fa3f3a9f1a49961ba" + logic_hash = "v1_sha256_7a6907b51c793e4182c1606eab6f2bcb71f0350a34aef93fa3f3a9f1a49961ba" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107383,10 +107580,10 @@ rule ELASTIC_Macos_Trojan_Bundlore_7B9F0C28 : FILE MEMORY date = "2021-10-05" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Bundlore.yar#L201-L219" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Bundlore.yar#L201-L219" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "fc4da125fed359d3e1740dafaa06f4db1ffc91dbf22fd5e7993acf8597c4c283" - logic_hash = "32abbb76c866e3a555ee6a9c39f62a0712f641959b66068abfb4379baa9a9da9" + logic_hash = "v1_sha256_32abbb76c866e3a555ee6a9c39f62a0712f641959b66068abfb4379baa9a9da9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107412,10 +107609,10 @@ rule ELASTIC_Windows_Hacktool_Sharprdp_80895Fcb : FILE MEMORY date = "2022-11-20" modified = "2023-01-11" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpRDP.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpRDP.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6e909861781a8812ee01bc59435fd73fd34da23fa9ad6d699eefbf9f84629876" - logic_hash = "ef9a92f2ed29f508dca591e9c65a6ce0013ccdfd0c62770e8840be2f3ee5982e" + logic_hash = "v1_sha256_ef9a92f2ed29f508dca591e9c65a6ce0013ccdfd0c62770e8840be2f3ee5982e" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -107434,7 +107631,7 @@ rule ELASTIC_Windows_Hacktool_Sharprdp_80895Fcb : FILE MEMORY $print_str3 = "[X] Error: A password is required" ascii wide fullword condition: - $guid or all of ($print_str*) + $guid or all of ( $print_str* ) } rule ELASTIC_Windows_Trojan_Diceloader_B32C6B99 : FILE MEMORY { 
@@ -107445,10 +107642,10 @@ rule ELASTIC_Windows_Trojan_Diceloader_B32C6B99 : FILE MEMORY date = "2021-04-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Diceloader.yar#L1-L25" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Diceloader.yar#L1-L25" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a3b3f56a61c6dc8ba2aa25bdd9bd7dc2c5a4602c2670431c5cbc59a76e2b4c54" - logic_hash = "f9e023f340edc4c46b2926e750c2ad3a3798e34415e43c0ea2d83073e3dc526a" + logic_hash = "v1_sha256_f9e023f340edc4c46b2926e750c2ad3a3798e34415e43c0ea2d83073e3dc526a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107480,10 +107677,10 @@ rule ELASTIC_Windows_Trojan_Diceloader_15Eeb7B9 : FILE MEMORY date = "2021-04-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Diceloader.yar#L27-L46" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Diceloader.yar#L27-L46" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746" - logic_hash = "f1ab9ad69f9ea75343c7404b82a3f7a4976a442b980a98fe5b95c55d4f9cb34e" + logic_hash = "v1_sha256_f1ab9ad69f9ea75343c7404b82a3f7a4976a442b980a98fe5b95c55d4f9cb34e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107510,10 +107707,10 @@ rule ELASTIC_Windows_Trojan_Gozi_Fd494041 : FILE MEMORY date = "2021-03-22" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Gozi.yar#L1-L32" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Gozi.yar#L1-L32" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237" - logic_hash = "fdd18817e7377f1b4006d3bf135d924b8ead62a461ea56f57157b2856ba6846b" + logic_hash = "v1_sha256_fdd18817e7377f1b4006d3bf135d924b8ead62a461ea56f57157b2856ba6846b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -107541,7 +107738,7 @@ rule ELASTIC_Windows_Trojan_Gozi_Fd494041 : FILE MEMORY $a14 = "IE10RunOnceLastShown_TIMESTAMP" ascii fullword condition: - 8 of ($a*) + 8 of ( $a* ) } rule ELASTIC_Windows_Trojan_Gozi_261F5Ac5 : FILE MEMORY { 
@@ -107552,10 +107749,10 @@ rule ELASTIC_Windows_Trojan_Gozi_261F5Ac5 : FILE MEMORY date = "2019-08-02" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Gozi.yar#L34-L60" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Gozi.yar#L34-L60" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f" - logic_hash = "23a7427e162e2f77ee0a281fe4bc54eab29a3bdca8e51015147e8eb223e7e2f7" + logic_hash = "v1_sha256_23a7427e162e2f77ee0a281fe4bc54eab29a3bdca8e51015147e8eb223e7e2f7" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -107578,7 +107775,7 @@ rule ELASTIC_Windows_Trojan_Gozi_261F5Ac5 : FILE MEMORY $a9 = "Software\\AppDataLow\\Software\\Microsoft\\" condition: - 4 of ($a*) + 4 of ( $a* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_C851687A : FILE MEMORY { 
@@ -107589,9 +107786,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_C851687A : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L1-L37" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7fac6fb24ac18bd69dd9f8f4090c4a77d1cc6554b6ae5c846e32d7666e5a1971" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L1-L37" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7fac6fb24ac18bd69dd9f8f4090c4a77d1cc6554b6ae5c846e32d7666e5a1971" score = 75 quality = 25 tags = "FILE, MEMORY" @@ -107625,7 +107822,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_C851687A : FILE MEMORY $b16 = "[+] Privileged file copy success! %S" ascii fullword condition: - 2 of ($a*) or 10 of ($b*) + 2 of ( $a* ) or 10 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_0B58325E : FILE MEMORY { 
@@ -107636,9 +107833,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_0B58325E : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L39-L77" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "3822431e946fcc38c700cc8ce213e95f33a155d7f38b6ab2a24cb998d42c8521" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L39-L77" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_3822431e946fcc38c700cc8ce213e95f33a155d7f38b6ab2a24cb998d42c8521" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -107674,7 +107871,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_0B58325E : FILE MEMORY $b16 = "[clear]" ascii fullword condition: - 1 of ($a*) and 14 of ($b*) + 1 of ( $a* ) and 14 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_2B8Cddf8 : FILE MEMORY { 
@@ -107685,9 +107882,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_2B8Cddf8 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L79-L114" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "5502c06d33b93bae3bc25ba7dd6a5a9a3b0b2b43bb7e867e601ecb206bf503ed" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L79-L114" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_5502c06d33b93bae3bc25ba7dd6a5a9a3b0b2b43bb7e867e601ecb206bf503ed" score = 75 quality = 43 tags = "FILE, MEMORY" @@ -107720,7 +107917,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_2B8Cddf8 : FILE MEMORY $c8 = "__imp__KERNEL32$VirtualAllocEx" ascii fullword condition: - 1 of ($a*) or 5 of ($b*) or 5 of ($c*) + 1 of ( $a* ) or 5 of ( $b* ) or 5 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_59B44767 : FILE MEMORY { 
@@ -107731,9 +107928,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_59B44767 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L116-L142" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7027d0dcbdb1961d2604f29392a923957d298a047c268553599ea8c881f76a98" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L116-L142" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7027d0dcbdb1961d2604f29392a923957d298a047c268553599ea8c881f76a98" score = 75 quality = 69 tags = "FILE, MEMORY" @@ -107757,7 +107954,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_59B44767 : FILE MEMORY $c4 = "__imp_NTDLL$NtQuerySystemInformation" ascii fullword condition: - 1 of ($a*) or 3 of ($b*) or 3 of ($c*) + 1 of ( $a* ) or 3 of ( $b* ) or 3 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_7Efd3C3F : FILE MEMORY { 
@@ -107768,9 +107965,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_7Efd3C3F : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L144-L168" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "45a0aaba6c1be016fc5f4051680ee7e3aa62e8a5d9730b7adab08c14ae37da24" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L144-L168" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_45a0aaba6c1be016fc5f4051680ee7e3aa62e8a5d9730b7adab08c14ae37da24" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -107792,7 +107989,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_7Efd3C3F : FILE MEMORY $a7 = "[-] no results." ascii fullword condition: - 4 of ($a*) + 4 of ( $a* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_6E971281 : FILE MEMORY { 
@@ -107803,9 +108000,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_6E971281 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L170-L201" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "f204965c0118dbdfe7e134d319c92b30d22585e888609ff31df90643116a2c38" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L170-L201" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_f204965c0118dbdfe7e134d319c92b30d22585e888609ff31df90643116a2c38" score = 75 quality = 51 tags = "FILE, MEMORY" @@ -107834,7 +108031,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_6E971281 : FILE MEMORY $c6 = "__imp__LoadLibraryA" ascii fullword condition: - 1 of ($a*) or 4 of ($b*) or 4 of ($c*) + 1 of ( $a* ) or 4 of ( $b* ) or 4 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_09B79Efa : FILE MEMORY { 
@@ -107845,9 +108042,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_09B79Efa : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L203-L232" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "75fd003b9adf03aff8479b1b10da9c94955870b5fa4f1958f870e14acb2793c7" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L203-L232" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_75fd003b9adf03aff8479b1b10da9c94955870b5fa4f1958f870e14acb2793c7" score = 75 quality = 48 tags = "FILE, MEMORY" @@ -107874,7 +108071,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_09B79Efa : FILE MEMORY $c1 = { FF 57 0C 85 C0 78 40 8B 45 F8 8D 55 F4 8B 08 52 50 } condition: - 1 of ($a*) or 3 of ($b*) or 1 of ($c*) + 1 of ( $a* ) or 3 of ( $b* ) or 1 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_6E77233E : FILE MEMORY { 
@@ -107885,9 +108082,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_6E77233E : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L234-L269" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "93aa11523b794402b257d02d4f9edc5ad320bfdb5b8b0f671ff08f399ef9e674" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L234-L269" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_93aa11523b794402b257d02d4f9edc5ad320bfdb5b8b0f671ff08f399ef9e674" score = 75 quality = 63 tags = "FILE, MEMORY" @@ -107920,7 +108117,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_6E77233E : FILE MEMORY $b7 = "_LsaCallKerberosPackage" ascii fullword condition: - 5 of ($a*) or 3 of ($b*) + 5 of ( $a* ) or 3 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_De42495A : FILE MEMORY { 
@@ -107931,9 +108128,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_De42495A : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L271-L301" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "2a13c73d221d80d25a432f9e0a1387153a78f58719066586e9d80d17613293ef" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L271-L301" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_2a13c73d221d80d25a432f9e0a1387153a78f58719066586e9d80d17613293ef" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -107961,7 +108158,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_De42495A : FILE MEMORY $b12 = "mimikatz_x64.compressed" wide condition: - 1 of ($a*) and 7 of ($b*) + 1 of ( $a* ) and 7 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_72F68375 : FILE MEMORY { 
@@ -107972,9 +108169,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_72F68375 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L303-L328" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "912e37829a9f99e00326745343c9e4593cd7cfb8d4dfafc66027cddcb4d883be" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L303-L328" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_912e37829a9f99e00326745343c9e4593cd7cfb8d4dfafc66027cddcb4d883be" score = 75 quality = 63 tags = "FILE, MEMORY" @@ -107997,7 +108194,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_72F68375 : FILE MEMORY $c3 = "__imp__NETAPI32$DsGetDcNameA" ascii fullword condition: - 1 of ($a*) or 2 of ($b*) or 2 of ($c*) + 1 of ( $a* ) or 2 of ( $b* ) or 2 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_15F680Fb : FILE MEMORY { 
@@ -108008,9 +108205,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_15F680Fb : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L330-L360" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "0efe368ad82f5b0f6301121bfda9fd049b008ac246368bfa22bd976fa2c56b79" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L330-L360" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_0efe368ad82f5b0f6301121bfda9fd049b008ac246368bfa22bd976fa2c56b79" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108038,7 +108235,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_15F680Fb : FILE MEMORY $b10 = "Logged on users at \\\\%s:" ascii fullword condition: - 2 of ($a*) or 6 of ($b*) + 2 of ( $a* ) or 6 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_5B4383Ec : FILE MEMORY { 
@@ -108049,9 +108246,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_5B4383Ec : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L362-L392" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "033bd831209958674f6309739d65c58d05acb9d17e53cede1cf171c6d6e84efa" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L362-L392" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_033bd831209958674f6309739d65c58d05acb9d17e53cede1cf171c6d6e84efa" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108079,7 +108276,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_5B4383Ec : FILE MEMORY $b10 = "PREFERENCES!12345" ascii fullword condition: - 2 of ($a*) or 6 of ($b*) + 2 of ( $a* ) or 6 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_91E08059 : FILE MEMORY { 
@@ -108090,9 +108287,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_91E08059 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L394-L421" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d5a8c1a0baa5e915cff29bcac33e30a7d7260f938ecaa6171d3aa88425a69266" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L394-L421" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d5a8c1a0baa5e915cff29bcac33e30a7d7260f938ecaa6171d3aa88425a69266" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108117,7 +108314,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_91E08059 : FILE MEMORY $b6 = "NetDomain" ascii fullword condition: - 2 of ($a*) or 4 of ($b*) + 2 of ( $a* ) or 4 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_Ee756Db7 : FILE MEMORY { 
@@ -108128,9 +108325,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_Ee756Db7 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L423-L491" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "8d594aa1b889e80000cfcedbfc470a1b768bdcc2a9c436cd449b495c91011918" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L423-L491" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_8d594aa1b889e80000cfcedbfc470a1b768bdcc2a9c436cd449b495c91011918" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -108196,7 +108393,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_Ee756Db7 : FILE MEMORY $a51 = "Content-Length: %d" ascii fullword condition: - 6 of ($a*) + 6 of ( $a* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_9C0D5561 : FILE MEMORY { 
@@ -108207,9 +108404,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_9C0D5561 : FILE MEMORY date = "2021-03-23" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L493-L523" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "a8929266950e0f540a68c4fedf708e8ddc27f208f9f2866245ad7bb7f6d87913" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L493-L523" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_a8929266950e0f540a68c4fedf708e8ddc27f208f9f2866245ad7bb7f6d87913" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108237,7 +108434,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_9C0D5561 : FILE MEMORY $c2 = "z:\\devcenter\\aggressor\\external\\PowerShellRunner\\obj\\Release\\PowerShellRunner.pdb" ascii fullword condition: - (1 of ($a*) and 4 of ($b*)) or 1 of ($c*) + (1 of ( $a* ) and 4 of ( $b* ) ) or 1 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_59Ed9124 : FILE MEMORY { 
@@ -108248,9 +108445,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_59Ed9124 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L525-L560" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "a50fd291f5f1bf7ec41b1938a32473a23c3c082018b86eab87aff0d95b26ba06" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L525-L560" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_a50fd291f5f1bf7ec41b1938a32473a23c3c082018b86eab87aff0d95b26ba06" score = 75 quality = 43 tags = "FILE, MEMORY" @@ -108283,7 +108480,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_59Ed9124 : FILE MEMORY $c8 = "__imp__ADVAPI32$CloseServiceHandle" ascii fullword condition: - 1 of ($a*) or 5 of ($b*) or 5 of ($c*) + 1 of ( $a* ) or 5 of ( $b* ) or 5 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_8A791Eb7 : FILE MEMORY { 
@@ -108294,9 +108491,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8A791Eb7 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L562-L597" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "d1765e6cac9b1560d6484baa1fa5a1bc0b768a72b389c7c6a60e34115669933e" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L562-L597" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_d1765e6cac9b1560d6484baa1fa5a1bc0b768a72b389c7c6a60e34115669933e" score = 75 quality = 43 tags = "FILE, MEMORY" @@ -108329,7 +108526,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8A791Eb7 : FILE MEMORY $c8 = "__imp__BeaconDataPtr" ascii fullword condition: - 1 of ($a*) or 5 of ($b*) or 5 of ($c*) + 1 of ( $a* ) or 5 of ( $b* ) or 5 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_D00573A3 : FILE MEMORY { 
@@ -108340,9 +108537,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_D00573A3 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L599-L625" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "e458d41d28b76c989af6385f183f33aa9e11b93e529f032e95bd75433b80bd69" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L599-L625" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e458d41d28b76c989af6385f183f33aa9e11b93e529f032e95bd75433b80bd69" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108366,7 +108563,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_D00573A3 : FILE MEMORY $b6 = "Adobe APP14 marker: version %d, flags 0x%04x 0x%04x, transform %d" ascii fullword condition: - 2 of ($a*) or 5 of ($b*) + 2 of ( $a* ) or 5 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_7Bcd759C : FILE MEMORY { 
@@ -108377,9 +108574,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_7Bcd759C : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L627-L648" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "bfbb8e8009182e87c49242ec3da6e98b23447b646f5c7ea5f97196ae929d7c5f" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L627-L648" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_bfbb8e8009182e87c49242ec3da6e98b23447b646f5c7ea5f97196ae929d7c5f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108398,7 +108595,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_7Bcd759C : FILE MEMORY $b2 = "\\\\.\\pipe\\PIPEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii fullword condition: - 1 of ($a*) and 1 of ($b*) + 1 of ( $a* ) and 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_A56B820F : FILE MEMORY { 
@@ -108409,9 +108606,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_A56B820F : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L650-L685" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "52de8110727c29b0f5c75cd470ce6b80ba7821d0ba78ad074536323e2e80b460" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L650-L685" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_52de8110727c29b0f5c75cd470ce6b80ba7821d0ba78ad074536323e2e80b460" score = 75 quality = 43 tags = "FILE, MEMORY" @@ -108444,7 +108641,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_A56B820F : FILE MEMORY $c8 = "__imp__BeaconDataExtract" ascii fullword condition: - 1 of ($a*) or 5 of ($b*) or 5 of ($c*) + 1 of ( $a* ) or 5 of ( $b* ) or 5 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_92F05172 : FILE MEMORY { 
@@ -108455,9 +108652,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_92F05172 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L687-L716" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "7f0ff4ee14a043d72810826ab9d2b90b0f66724550ba9d3cdd2abe749f4874d0" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L687-L716" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_7f0ff4ee14a043d72810826ab9d2b90b0f66724550ba9d3cdd2abe749f4874d0" score = 75 quality = 63 tags = "FILE, MEMORY" @@ -108484,7 +108681,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_92F05172 : FILE MEMORY $c7 = "_willAutoElevate" ascii fullword condition: - 1 of ($a*) or 3 of ($b*) or 4 of ($c*) + 1 of ( $a* ) or 3 of ( $b* ) or 4 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_417239B5 : FILE MEMORY { 
@@ -108495,9 +108692,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_417239B5 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L718-L764" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "fda252747359e677459d82d65c4c9c8f2ff80bc8fd6a38712f858039f3cb8dd1" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L718-L764" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_fda252747359e677459d82d65c4c9c8f2ff80bc8fd6a38712f858039f3cb8dd1" score = 75 quality = 51 tags = "FILE, MEMORY" @@ -108541,7 +108738,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_417239B5 : FILE MEMORY $c12 = "_SpawnAsAdminX64" ascii fullword condition: - 1 of ($a*) or 9 of ($b*) or 7 of ($c*) + 1 of ( $a* ) or 9 of ( $b* ) or 7 of ( $c* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_29374056 : FILE MEMORY { 
@@ -108552,9 +108749,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_29374056 : FILE MEMORY date = "2021-03-23" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L766-L785" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "09755b23a7057c70f3ea242ec48549de65ebc6f13bdc38cbe22d6d758c3718cf" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L766-L785" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_09755b23a7057c70f3ea242ec48549de65ebc6f13bdc38cbe22d6d758c3718cf" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108571,7 +108768,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_29374056 : FILE MEMORY $a2 = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 } condition: - 1 of ($a*) + 1 of ( $a* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_949F10E3 : FILE MEMORY { 
@@ -108582,9 +108779,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_949F10E3 : FILE MEMORY date = "2021-03-25" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L787-L806" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "e4b726c83013f4b9c9d61683f78a4a91935225e9ed3de0ce164b96b5a6719579" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L787-L806" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e4b726c83013f4b9c9d61683f78a4a91935225e9ed3de0ce164b96b5a6719579" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108612,9 +108809,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8751Cdf9 : FILE MEMORY date = "2021-03-25" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L808-L827" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "64fae95fd89ad46a50a00c943cf98a997a0842a83be64b3728b25151867b75a8" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L808-L827" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_64fae95fd89ad46a50a00c943cf98a997a0842a83be64b3728b25151867b75a8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108642,9 +108839,9 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_663Fc95D : FILE MEMORY date = "2021-04-01" modified = "2021-12-17" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L829-L847" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "842a0a372cfb2316293f4a08e1690194fa98368a9f6ffe9c63222b2c4ab6532c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L829-L847" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_842a0a372cfb2316293f4a08e1690194fa98368a9f6ffe9c63222b2c4ab6532c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108671,10 +108868,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_B54B94Ac : FILE MEMORY date = "2021-10-21" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L849-L872" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L849-L872" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" - logic_hash = "6f63e4c31e55da2008f95e9d05391e40d44e2757c511e666032563ab798e274c" + logic_hash = "v1_sha256_6f63e4c31e55da2008f95e9d05391e40d44e2757c511e666032563ab798e274c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108705,10 +108902,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_F0B627Fc : FILE MEMORY date = "2021-10-21" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L874-L897" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L874-L897" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b" - logic_hash = "1087294af3a9ef59c00098f5fd7adfe0b335525e135d95e45ac30e44c6739a72" + logic_hash = "v1_sha256_1087294af3a9ef59c00098f5fd7adfe0b335525e135d95e45ac30e44c6739a72" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108739,10 +108936,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_Dcdcdd8C : FILE MEMORY date = "2021-10-21" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L899-L923" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L899-L923" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" - logic_hash = "f3ae07282b763d3720e45a84878cc457f65041f381951cdc9affd5e3ce67e6cc" + logic_hash = "v1_sha256_f3ae07282b763d3720e45a84878cc457f65041f381951cdc9affd5e3ce67e6cc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108774,10 +108971,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_A3Fb2616 : FILE MEMORY date = "2021-10-21" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L925-L947" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L925-L947" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" - logic_hash = "a3c36326ccc2bc828f6654ccaba507a283f92146fdc52f71d7d934f6908793e2" + logic_hash = "v1_sha256_a3c36326ccc2bc828f6654ccaba507a283f92146fdc52f71d7d934f6908793e2" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108796,7 +108993,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_A3Fb2616 : FILE MEMORY $b2 = "COBALTSTRIKE" ascii fullword condition: - 1 of ($a*) and 2 of ($b*) + 1 of ( $a* ) and 2 of ( $b* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_8Ee55Ee5 : FILE MEMORY { 
@@ -108807,10 +109004,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8Ee55Ee5 : FILE MEMORY date = "2021-10-21" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L949-L969" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L949-L969" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" - logic_hash = "d0cc321e15660311ae0b8e3261abe716a50a2455f82635c1b02d0a5444c8a89a" + logic_hash = "v1_sha256_d0cc321e15660311ae0b8e3261abe716a50a2455f82635c1b02d0a5444c8a89a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108827,7 +109024,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8Ee55Ee5 : FILE MEMORY $a2 = "z:\\devcenter\\aggressor\\external\\pxlib\\bin\\wmiexec.x86.o" ascii fullword condition: - 1 of ($a*) + 1 of ( $a* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_8D5963A2 : FILE MEMORY { 
@@ -108838,10 +109035,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8D5963A2 : FILE MEMORY date = "2022-08-10" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L971-L989" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L971-L989" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9fe43996a5c4e99aff6e2a1be743fedec35e96d1e6670579beb4f7e7ad591af9" - logic_hash = "f4f8fba807256bd885ccf4946eec8c2fb76eb04f86ed76d015178fe512a3c091" + logic_hash = "v1_sha256_f4f8fba807256bd885ccf4946eec8c2fb76eb04f86ed76d015178fe512a3c091" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108867,10 +109064,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_1787Eef5 : FILE MEMORY date = "2022-08-29" modified = "2022-09-29" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L991-L1014" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L991-L1014" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" - logic_hash = "0b70c61e986dee3126fec6eea127e01fce4b647aff8e2d2d5072eb8328549225" + logic_hash = "v1_sha256_0b70c61e986dee3126fec6eea127e01fce4b647aff8e2d2d5072eb8328549225" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -108890,7 +109087,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_1787Eef5 : FILE MEMORY $a5 = { 4D 5A 41 52 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 8D 1D ?? ?? ?? ?? 48 89 DF 48 81 C3 ?? ?? ?? ?? } condition: - 1 of ($a*) + 1 of ( $a* ) } rule ELASTIC_Windows_Trojan_Cobaltstrike_4106070A : FILE MEMORY { 
@@ -108901,10 +109098,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_4106070A : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L1016-L1035" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L1016-L1035" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "98789a11c06c1dfff7e02f66146afca597233c17e0d4900d6a683a150f16b3a4" - logic_hash = "90f0209a55ca381ca58264664e04c007c799cf558f143d0c02983d4caf47bfb8" + logic_hash = "v1_sha256_90f0209a55ca381ca58264664e04c007c799cf558f143d0c02983d4caf47bfb8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108931,10 +109128,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_3Dc22D14 : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L1037-L1056" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L1037-L1056" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7898194ae0244611117ec948eb0b0a5acbc15cd1419b1ecc553404e63bc519f9" - logic_hash = "2f52cd5f3b782c28e372c3daa9b7ddc4d2b9f68832f5250983412c2e7a755e73" + logic_hash = "v1_sha256_2f52cd5f3b782c28e372c3daa9b7ddc4d2b9f68832f5250983412c2e7a755e73" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -108961,10 +109158,10 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_7F8Da98A : FILE MEMORY date = "2023-05-09" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_CobaltStrike.yar#L1058-L1076" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_CobaltStrike.yar#L1058-L1076" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e3bc2bec4a55ad6cfdf49e5dbd4657fc704af1758ca1d6e31b83dcfb8bf0f89d" - logic_hash = "6c8698d65cbbf893f79ca1de5273535891418c87c234a2542f5f8079e56d9507" + logic_hash = "v1_sha256_6c8698d65cbbf893f79ca1de5273535891418c87c234a2542f5f8079e56d9507" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -108990,10 +109187,10 @@ rule ELASTIC_Windows_Exploit_Perfusion_5Ab5Ddee : FILE MEMORY date = "2024-02-28" modified = "2024-03-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_Perfusion.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_Perfusion.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7fdef25acb0d1447203b9768ae58a8e21db24816c602b160d105dab86ae34728" - logic_hash = "490f3fc89cf78dbe82f1feb012a147a8d187612720efb6e1eb4e97720b26ee59" + logic_hash = "v1_sha256_490f3fc89cf78dbe82f1feb012a147a8d187612720efb6e1eb4e97720b26ee59" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109022,10 +109219,10 @@ rule ELASTIC_Linux_Exploit_Courier_190258Dd : FILE MEMORY date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Courier.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Courier.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "349866d0fb81d07a35b53eac6f11176721629bbd692526851e483eaa83d690c3" - logic_hash = "c318d78a11a021334c84a21db2be6d7df57440a1f3ad6feaaff9cc95ebf6f716" + logic_hash = "v1_sha256_c318d78a11a021334c84a21db2be6d7df57440a1f3ad6feaaff9cc95ebf6f716" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109051,10 +109248,10 @@ rule ELASTIC_Linux_Trojan_Kaiji_253C44De : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Kaiji.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Kaiji.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e31eb8880bb084b4c642eba127e64ce99435ea8299a98c183a63a2e6a139d926" - logic_hash = "81a07f60765f50c58b2c0f0153367ee570f36c579e9f88fb2f0e49ae5c08773f" + logic_hash = "v1_sha256_81a07f60765f50c58b2c0f0153367ee570f36c579e9f88fb2f0e49ae5c08773f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109080,10 +109277,10 @@ rule ELASTIC_Linux_Trojan_Kaiji_535F07Ac : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Kaiji.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Kaiji.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "28b2993d7c8c1d8dfce9cd2206b4a3971d0705fd797b9fde05211686297f6bb0" - logic_hash = "539977c1076b71873135cfe02153da87c0e9ac17122f04570977a22c92d2694f" + logic_hash = "v1_sha256_539977c1076b71873135cfe02153da87c0e9ac17122f04570977a22c92d2694f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109109,10 +109306,10 @@ rule ELASTIC_Linux_Trojan_Kaiji_Dcf6565E : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Kaiji.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Kaiji.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "49f3086105bdc160248e66334db00ce37cdc9167a98faac98800b2c97515b6e7" - logic_hash = "2bc943e100548e9aacd97930b3230353be760c8a292dbbbd1d0b5646f647c4fe" + logic_hash = "v1_sha256_2bc943e100548e9aacd97930b3230353be760c8a292dbbbd1d0b5646f647c4fe" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109138,10 +109335,10 @@ rule ELASTIC_Linux_Trojan_Kaiji_91091Be3 : FILE MEMORY date = "2022-09-12" modified = "2022-10-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Kaiji.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Kaiji.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dca574d13fcbd7d244d434fcbca68136e0097fefc5f131bec36e329448f9a202" - logic_hash = "3b55cb3be5775311af4dc90f9624448d30cc58ef1a42729f6ca4eb3b36ad8b06" + logic_hash = "v1_sha256_3b55cb3be5775311af4dc90f9624448d30cc58ef1a42729f6ca4eb3b36ad8b06" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109167,10 +109364,10 @@ rule ELASTIC_Windows_Trojan_Svcready_Af498D39 : FILE MEMORY date = "2022-06-12" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_SVCReady.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_SVCReady.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "08e427c92010a8a282c894cf5a77a874e09c08e283a66f1905c131871cc4d273" - logic_hash = "e3520103064cf82cd1747f8889667929d23466c9febfda7e4968a3679db97d71" + logic_hash = "v1_sha256_e3520103064cf82cd1747f8889667929d23466c9febfda7e4968a3679db97d71" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109200,10 +109397,10 @@ rule ELASTIC_Windows_Exploit_Dcom_7A1Bcec7 : FILE date = "2021-01-12" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_Dcom.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_Dcom.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5" - logic_hash = "484576ab5369f99dc7086d724ead12d464f2bedaf84c93b74e137ddd98600b06" + logic_hash = "v1_sha256_484576ab5369f99dc7086d724ead12d464f2bedaf84c93b74e137ddd98600b06" score = 75 quality = 73 tags = "FILE" 
@@ -109229,10 +109426,10 @@ rule ELASTIC_Linux_Rootkit_Diamorphine_716C7Ffa : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Diamorphine.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Diamorphine.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01fb490fbe2c2b5368cc227abd97e011e83b5e99bb80945ef599fc80e85f8545" - logic_hash = "29ae87a563085ff0e4821a994ede16fa3f6fec693418c2e92ac90b839fcfa7cf" + logic_hash = "v1_sha256_29ae87a563085ff0e4821a994ede16fa3f6fec693418c2e92ac90b839fcfa7cf" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -109251,7 +109448,7 @@ rule ELASTIC_Linux_Rootkit_Diamorphine_716C7Ffa : FILE MEMORY $license2 = "license=GPL" condition: - 2 of ($str*) and 1 of ($license*) + 2 of ( $str* ) and 1 of ( $license* ) } rule ELASTIC_Linux_Rootkit_Diamorphine_66Eb93C7 : FILE MEMORY { 
@@ -109262,10 +109459,10 @@ rule ELASTIC_Linux_Rootkit_Diamorphine_66Eb93C7 : FILE MEMORY date = "2024-11-13" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Diamorphine.yar#L25-L54" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Diamorphine.yar#L25-L54" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "01fb490fbe2c2b5368cc227abd97e011e83b5e99bb80945ef599fc80e85f8545" - logic_hash = "26063aacb585825f5d6b56d0d671e94efb273605175f4164d271c8edfdbc150a" + logic_hash = "v1_sha256_26063aacb585825f5d6b56d0d671e94efb273605175f4164d271c8edfdbc150a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -109291,7 +109488,7 @@ rule ELASTIC_Linux_Rootkit_Diamorphine_66Eb93C7 : FILE MEMORY $func9 = "write_cr0_forced" condition: - 1 of ($rk*) and 3 of ($func*) + 1 of ( $rk* ) and 3 of ( $func* ) } rule ELASTIC_Windows_Ransomware_Phobos_A5420148 : BETA FILE MEMORY { 
@@ -109302,9 +109499,9 @@ rule ELASTIC_Windows_Ransomware_Phobos_A5420148 : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Phobos.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "9fcfe41102bee4f8ecf19f30d0bbb2de50e1a1aff4e17c587b5d9adb417527c5" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Phobos.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_9fcfe41102bee4f8ecf19f30d0bbb2de50e1a1aff4e17c587b5d9adb417527c5" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" 
@@ -109322,7 +109519,7 @@ rule ELASTIC_Windows_Ransomware_Phobos_A5420148 : BETA FILE MEMORY $a3 = { 31 00 63 00 64 00 00 00 33 00 64 00 73 00 00 00 33 00 66 00 72 00 00 00 33 00 67 00 32 00 00 00 33 00 67 00 70 00 00 00 37 00 7A 00 00 00 61 00 63 00 63 00 64 00 61 00 00 00 61 00 63 00 63 00 64 00 62 00 00 00 61 00 63 00 63 00 64 00 63 00 00 00 61 00 63 00 63 00 64 00 65 00 00 00 61 00 63 00 63 00 64 00 74 00 00 00 61 00 63 00 63 00 64 00 77 00 00 00 61 00 64 00 62 00 00 00 61 00 64 00 70 00 00 00 61 00 69 00 00 00 61 00 69 00 33 00 00 00 61 00 69 00 34 00 00 00 61 00 69 00 35 00 00 00 61 00 69 00 36 00 00 00 61 00 69 00 37 00 00 00 61 00 69 00 38 00 00 00 61 00 6E 00 69 00 6D 00 00 00 61 00 72 00 77 00 00 00 61 00 73 00 00 00 61 00 73 00 61 00 00 00 61 00 73 00 63 00 00 00 61 00 73 00 63 00 78 00 00 00 61 00 73 00 6D 00 00 00 61 00 73 00 6D 00 78 00 00 00 61 00 73 00 70 00 00 00 61 00 73 00 70 00 78 00 00 00 61 00 73 00 72 00 00 00 61 00 73 00 78 00 00 00 61 00 76 00 69 00 00 00 61 00 76 00 73 00 00 00 62 00 61 00 63 00 6B 00 75 00 70 00 00 00 62 00 61 00 6B 00 00 00 62 00 61 00 79 00 00 00 62 00 64 00 00 00 62 00 69 00 6E 00 00 00 62 00 6D 00 70 00 00 00 } condition: - 2 of ($a*) + 2 of ( $a* ) } rule ELASTIC_Windows_Ransomware_Phobos_Ff55774D : BETA FILE MEMORY { 
@@ -109333,9 +109530,9 @@ rule ELASTIC_Windows_Ransomware_Phobos_Ff55774D : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Phobos.yar#L24-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "9ee41b9638a8cc1d9f9b254878c935c531b2f599be59550b3617b1de8cba2ba5" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Phobos.yar#L24-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_9ee41b9638a8cc1d9f9b254878c935c531b2f599be59550b3617b1de8cba2ba5" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -109351,7 +109548,7 @@ rule ELASTIC_Windows_Ransomware_Phobos_Ff55774D : BETA FILE MEMORY $c1 = { 24 18 83 C4 0C 8B 4F 0C 03 C6 50 8D 54 24 18 52 51 6A 00 6A 00 89 44 } condition: - 1 of ($c*) + 1 of ( $c* ) } rule ELASTIC_Windows_Ransomware_Phobos_11Ea7Be5 : BETA FILE MEMORY { 
@@ -109362,9 +109559,9 @@ rule ELASTIC_Windows_Ransomware_Phobos_11Ea7Be5 : BETA FILE MEMORY date = "2020-06-25" modified = "2021-08-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Phobos.yar#L45-L64" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "1f86695f316200c92d0d02f5f3ba9f68854978f98db5d4291a81c06c9f0b8d28" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Phobos.yar#L45-L64" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_1f86695f316200c92d0d02f5f3ba9f68854978f98db5d4291a81c06c9f0b8d28" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -109380,7 +109577,7 @@ rule ELASTIC_Windows_Ransomware_Phobos_11Ea7Be5 : BETA FILE MEMORY $b1 = { C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89 } condition: - 1 of ($b*) + 1 of ( $b* ) } rule ELASTIC_Linux_Exploit_CVE_2012_0056_06B2Dff5 : FILE MEMORY CVE_2012_0056 { 
@@ -109391,10 +109588,10 @@ rule ELASTIC_Linux_Exploit_CVE_2012_0056_06B2Dff5 : FILE MEMORY CVE_2012_0056 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "168b3fb1c675ab76224c641e228434495160502a738b64172c679e8ce791ac17" - logic_hash = "4361e6e74d6678d9e0823b23a7a2e4ae84119142cad319950154f806115845d5" + logic_hash = "v1_sha256_4361e6e74d6678d9e0823b23a7a2e4ae84119142cad319950154f806115845d5" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2012-0056" 
@@ -109420,10 +109617,10 @@ rule ELASTIC_Linux_Exploit_CVE_2012_0056_B39839F4 : FILE MEMORY CVE_2012_0056 date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cf569647759e011ff31d8626cea65ed506e8d0ef1d26f3bbb7c02a4060ce58dc" - logic_hash = "553111c64d8abfc3688a88dd95088de0ea7e92f68592e9a778f8041b40071e84" + logic_hash = "v1_sha256_553111c64d8abfc3688a88dd95088de0ea7e92f68592e9a778f8041b40071e84" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2012-0056" 
@@ -109449,10 +109646,10 @@ rule ELASTIC_Linux_Exploit_CVE_2012_0056_A1E53450 : FILE MEMORY CVE_2012_0056 date = "2021-04-06" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "15a4d149e935758199f6df946ff889e12097f5fec4ef450e9cbd554d1efbd5e6" - logic_hash = "f2ab5de83c36a9a834e41c8f6fdccd0dffdeb384adf7b1e1098e86a2ac52df18" + logic_hash = "v1_sha256_f2ab5de83c36a9a834e41c8f6fdccd0dffdeb384adf7b1e1098e86a2ac52df18" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2012-0056" 
@@ -109478,10 +109675,10 @@ rule ELASTIC_Windows_Hacktool_Sharpapplocker_9645Cf22 : FILE MEMORY date = "2022-11-20" modified = "2023-01-11" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_SharpAppLocker.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_SharpAppLocker.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0f7390905abc132889f7b9a6d5b42701173aafbff5b8f8882397af35d8c10965" - logic_hash = "cb72ecf7715b288acddac51dab091d84c64e3bd30276cba38a0d773e6693875c" + logic_hash = "v1_sha256_cb72ecf7715b288acddac51dab091d84c64e3bd30276cba38a0d773e6693875c" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -109499,7 +109696,7 @@ rule ELASTIC_Windows_Hacktool_Sharpapplocker_9645Cf22 : FILE MEMORY $print_str2 = "SharpAppLocker.exe --effective --allow --rules=\"FileHashRule,FilePathRule\" --outfile=\"C:\\Windows\\Tasks\\Rules.json\"" ascii wide fullword condition: - $guid or all of ($print_str*) + $guid or all of ( $print_str* ) } rule ELASTIC_Linux_Exploit_CVE_2021_3156_F3Fb10Cd : FILE CVE_2021_3156 { 
@@ -109510,10 +109707,10 @@ rule ELASTIC_Linux_Exploit_CVE_2021_3156_F3Fb10Cd : FILE CVE_2021_3156 date = "2021-09-15" modified = "2021-09-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2021_3156.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2021_3156.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "65fb8baa5ec3bfb4473e4b2f565b461dd59989d43c72b1c5ec2e1a68baa8b51a" - logic_hash = "cc80e0b2355877cd9ceecae19d4dcebb641d90a24c0751bf706134b31bf26750" + logic_hash = "v1_sha256_cc80e0b2355877cd9ceecae19d4dcebb641d90a24c0751bf706134b31bf26750" score = 75 quality = 75 tags = "FILE, CVE-2021-3156" 
@@ -109540,10 +109737,10 @@ rule ELASTIC_Linux_Exploit_CVE_2021_3156_7F5672D0 : FILE CVE_2021_3156 date = "2021-09-15" modified = "2021-09-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2021_3156.yar#L22-L45" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2021_3156.yar#L22-L45" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1a4517d2582ac97b88ae568c23e75beba93daf8518bd3971985d6a798049fd61" - logic_hash = "e25907f11a2f292441a96e19834ad89636593a3f8998ec0010e43830f5aa0c64" + logic_hash = "v1_sha256_e25907f11a2f292441a96e19834ad89636593a3f8998ec0010e43830f5aa0c64" score = 75 quality = 75 tags = "FILE, CVE-2021-3156" @@ -109563,7 +109760,7 @@ rule ELASTIC_Linux_Exploit_CVE_2021_3156_7F5672D0 : FILE CVE_2021_3156 $msg3 = "symlink 2nd time success at: %d" fullword condition: - ( any of ($a*)) or ($sudo and 2 of ($msg*)) + ( any of ( $a* ) ) or ( $sudo and 2 of ( $msg* ) ) } rule ELASTIC_Windows_Vulndriver_Procid_86605Fa9 : FILE { 
@@ -109574,10 +109771,10 @@ rule ELASTIC_Windows_Vulndriver_Procid_86605Fa9 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_ProcId.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_ProcId.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29" - logic_hash = "882cdbd267d812e77e68e7080f1fca0ca3d7e75ab84c583c3ec148894b1cf644" + logic_hash = "v1_sha256_882cdbd267d812e77e68e7080f1fca0ca3d7e75ab84c583c3ec148894b1cf644" score = 75 quality = 75 tags = "FILE" 
@@ -109592,7 +109789,47 @@ rule ELASTIC_Windows_Vulndriver_Procid_86605Fa9 : FILE $str1 = "\\piddrv64.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 +} +rule ELASTIC_Linux_Trojan_Pumakit_B86138C3 : FILE MEMORY +{ + meta: + description = "Detects Linux Trojan Pumakit (Linux.Trojan.Pumakit)" + author = "Elastic Security" + id = "b86138c3-c7b3-4f86-a695-bf8195f2458c" + date = "2024-12-09" + modified = "2024-12-11" + reference = "https://github.com/elastic/protections-artifacts/" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Pumakit.yar#L1-L30" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + hash = "30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f" + logic_hash = "v1_sha256_fc486aafee5cd4156ef7027ed6bf596c62397601787833d9173c198d5d919cde" + score = 75 + quality = 75 + tags = "FILE, MEMORY" + fingerprint = "c5cba5975be26ebcb14871527533d1f8f082b37f2d8b509904b608569fdb8b24" + severity = 100 + arch_context = "x86, arm64" + scan_context = "file, memory" + license = "Elastic License v2" + os = "linux" + + strings: + $str1 = "PUMA %s" + $str2 = "Kitsune PID %ld" + $str3 = "/usr/share/zov_f" + $str4 = "zarya" + $str5 = ".puma-config" + $str6 = "ping_interval_s" + $str7 = "session_timeout_s" + $str8 = "c2_timeout_s" + $str9 = "LD_PRELOAD=/lib64/libs.so" + $str10 = "kit_so_len" + $str11 = "opsecurity1.art" + $str12 = "89.23.113.204" + + condition: + 4 of them } rule ELASTIC_Windows_Vulndriver_Winflash_881758Da : FILE { 
@@ -109603,10 +109840,10 @@ rule ELASTIC_Windows_Vulndriver_Winflash_881758Da : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_WinFlash.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_WinFlash.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026" - logic_hash = "a46ac1f19ba5d9543c88434575870b61fbb935cd4c4e28cb80a077502af7d2db" + logic_hash = "v1_sha256_a46ac1f19ba5d9543c88434575870b61fbb935cd4c4e28cb80a077502af7d2db" score = 75 quality = 75 tags = "FILE" @@ -109621,7 +109858,7 @@ rule ELASTIC_Windows_Vulndriver_Winflash_881758Da : FILE $str1 = "\\WinFlash64.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Linux_Ransomware_Sodinokibi_2883D7Cd : FILE MEMORY { 
@@ -109632,10 +109869,10 @@ rule ELASTIC_Linux_Ransomware_Sodinokibi_2883D7Cd : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Sodinokibi.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Sodinokibi.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a322b230a3451fd11dcfe72af4da1df07183d6aaf1ab9e062f0e6b14cf6d23cd" - logic_hash = "97d6b1b641c4b5b596b67a809e8e70bb0bccb9219282cd6c41bc905e2ea44c84" + logic_hash = "v1_sha256_97d6b1b641c4b5b596b67a809e8e70bb0bccb9219282cd6c41bc905e2ea44c84" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109661,10 +109898,10 @@ rule ELASTIC_Linux_Rootkit_Dakkatoni_010D3Ac2 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Dakkatoni.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Dakkatoni.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "38b2d033eb5ce87faa4faa7fcac943d9373e432e0d45e741a0c01d714ee9d4d3" - logic_hash = "51119321f29aed695e09da22d3234eae96db93e8029d4525d018e56c7131f7b8" + logic_hash = "v1_sha256_51119321f29aed695e09da22d3234eae96db93e8029d4525d018e56c7131f7b8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109690,10 +109927,10 @@ rule ELASTIC_Windows_Trojan_Ghostengine_8Ea2Aa65 : FILE MEMORY date = "2024-05-07" modified = "2024-05-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_GhostEngine.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_GhostEngine.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753" - logic_hash = "3bddd2ac79d92d34df5d2df4a11cf96cc44ca39c3baece1b5c67b75a682778ff" + logic_hash = "v1_sha256_3bddd2ac79d92d34df5d2df4a11cf96cc44ca39c3baece1b5c67b75a682778ff" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -109715,7 +109952,7 @@ rule ELASTIC_Windows_Trojan_Ghostengine_8Ea2Aa65 : FILE MEMORY $binary1 = { 83 F9 06 0F ?? ?? ?? ?? ?? 8B 10 81 FA 78 38 36 5F 0F 85 ?? ?? ?? ?? 0F B7 50 04 66 81 FA 36 34 74 ?? E9 ?? ?? 00 00 C7 04 24 00 E4 0B 54 C7 44 24 04 02 00 00 00 } condition: - 3 of ($str*) or 1 of ($binary*) + 3 of ( $str* ) or 1 of ( $binary* ) } rule ELASTIC_Macos_Trojan_Eggshell_Ddacf7B9 : FILE MEMORY { 
@@ -109726,10 +109963,10 @@ rule ELASTIC_Macos_Trojan_Eggshell_Ddacf7B9 : FILE MEMORY date = "2021-09-30" modified = "2021-10-25" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Trojan_Eggshell.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Trojan_Eggshell.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b" - logic_hash = "f986f7d1e3a68e27f82048017c6d6381a0354ffad2cd10f3eee69bbbfa940abd" + logic_hash = "v1_sha256_f986f7d1e3a68e27f82048017c6d6381a0354ffad2cd10f3eee69bbbfa940abd" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -109759,10 +109996,10 @@ rule ELASTIC_Windows_Trojan_Azorult_38Fce9Ea : FILE MEMORY date = "2021-08-05" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Azorult.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Azorult.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491" - logic_hash = "e23b21992b7ff577d4521c733929638522f4bf57b54c72e5e46196d028d6be26" + logic_hash = "v1_sha256_e23b21992b7ff577d4521c733929638522f4bf57b54c72e5e46196d028d6be26" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109792,10 +110029,10 @@ rule ELASTIC_Windows_Exploit_Fakepipe_6Bc93551 : FILE MEMORY date = "2024-02-28" modified = "2024-03-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Exploit_FakePipe.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Exploit_FakePipe.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "545a41ccfcd0a4f09c1c62bef2dde61b52fa92abada71ab72b3f4febb9265f75" - logic_hash = "daf78c4a2db337f51054e108b5b54c8aa32300eae3bd39c5fc2d4769221c8aea" + logic_hash = "v1_sha256_daf78c4a2db337f51054e108b5b54c8aa32300eae3bd39c5fc2d4769221c8aea" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -109813,7 +110050,7 @@ rule ELASTIC_Windows_Exploit_Fakepipe_6Bc93551 : FILE MEMORY $s3 = { 5C 00 5C 00 2E 00 5C 00 70 00 69 00 70 00 65 00 5C 00 00 19 5C 00 70 00 69 00 70 00 65 00 5C } condition: - $api and any of ($s*) + $api and any of ( $s* ) } rule ELASTIC_Windows_Vulndriver_Fileseclab_4A21229A : FILE { 
@@ -109824,10 +110061,10 @@ rule ELASTIC_Windows_Vulndriver_Fileseclab_4A21229A : FILE date = "2024-03-05" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Fileseclab.yar#L1-L24" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Fileseclab.yar#L1-L24" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12" - logic_hash = "bac78186f3d46c6765bacaf6a324ff94e449261cefe2594cb38c4cc25db1f0de" + logic_hash = "v1_sha256_bac78186f3d46c6765bacaf6a324ff94e449261cefe2594cb38c4cc25db1f0de" score = 75 quality = 75 tags = "FILE" @@ -109847,7 +110084,7 @@ rule ELASTIC_Windows_Vulndriver_Fileseclab_4A21229A : FILE $b2 = { 32 00 2C 00 20 00 30 00 2C 00 20 00 30 00 2C 00 20 00 } condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and 1 of ($a*) and 1 of ($b*) + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and 1 of ( $a* ) and 1 of ( $b* ) } rule ELASTIC_Linux_Rootkit_Bedevil_2Af79Cea : FILE MEMORY { 
@@ -109858,10 +110095,10 @@ rule ELASTIC_Linux_Rootkit_Bedevil_2Af79Cea : FILE MEMORY date = "2024-11-14" modified = "2024-11-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Rootkit_Bedevil.yar#L1-L29" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Rootkit_Bedevil.yar#L1-L29" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8f8c598350632b32e72cd6af3a0ca93c05b4d9100fd03e2ae1aec97a946eb347" - logic_hash = "3acded46df45f88cf2cdd0eab424810d3dab51cac90845574a1361301e72be23" + logic_hash = "v1_sha256_3acded46df45f88cf2cdd0eab424810d3dab51cac90845574a1361301e72be23" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -109886,7 +110123,7 @@ rule ELASTIC_Linux_Rootkit_Bedevil_2Af79Cea : FILE MEMORY $str11 = "dropshell" condition: - 4 of ($str*) + 4 of ( $str* ) } rule ELASTIC_Macos_Backdoor_Fakeflashlxk_06Fd8071 : FILE MEMORY { 
@@ -109897,10 +110134,10 @@ rule ELASTIC_Macos_Backdoor_Fakeflashlxk_06Fd8071 : FILE MEMORY date = "2021-11-11" modified = "2022-07-22" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/MacOS_Backdoor_Fakeflashlxk.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/MacOS_Backdoor_Fakeflashlxk.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "107f844f19e638866d8249e6f735daf650168a48a322d39e39d5e36cfc1c8659" - logic_hash = "853d44465a472786bb48bbe1009e0ff925f79e4fd72f0eac537dd271c1ec3703" + logic_hash = "v1_sha256_853d44465a472786bb48bbe1009e0ff925f79e4fd72f0eac537dd271c1ec3703" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109928,10 +110165,10 @@ rule ELASTIC_Windows_Ransomware_Cicada3301_99Fee259 : FILE MEMORY date = "2024-09-05" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Cicada3301.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Cicada3301.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e" - logic_hash = "18996d70192b0e997eba70c22ed70a2611a7e038a8825308f4d3d002b681939b" + logic_hash = "v1_sha256_18996d70192b0e997eba70c22ed70a2611a7e038a8825308f4d3d002b681939b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109961,10 +110198,10 @@ rule ELASTIC_Windows_Ransomware_Blackbasta_494D3C54 : FILE MEMORY date = "2022-08-06" modified = "2022-08-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_BlackBasta.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_BlackBasta.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "357fe8c56e246ffacd54d12f4deb9f1adb25cb772b5cd2436246da3f2d01c222" - logic_hash = "1ecb3c95a2d3f91d267f0b625fffc8477612fde9de3942eff8eb13115c0af6b8" + logic_hash = "v1_sha256_1ecb3c95a2d3f91d267f0b625fffc8477612fde9de3942eff8eb13115c0af6b8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -109998,10 +110235,10 @@ rule ELASTIC_Linux_Cryptominer_Pgminer_Ccf88A37 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Pgminer.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Pgminer.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3afc8d2d85aca61108d21f82355ad813eba7a189e81dde263d318988c5ea50bd" - logic_hash = "77833cdb319bc8e22db2503478677d5992774105f659fe7520177a691c83aa91" + logic_hash = "v1_sha256_77833cdb319bc8e22db2503478677d5992774105f659fe7520177a691c83aa91" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110027,10 +110264,10 @@ rule ELASTIC_Linux_Cryptominer_Pgminer_5Fb2Efd5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Pgminer.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Pgminer.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6d296648fdbc693e604f6375eaf7e28b87a73b8405dc8cd3147663b5e8b96ff0" - logic_hash = "4c247f40c9781332f04f82a244f6e8e22c9c744963f736937eddecf769b40a54" + logic_hash = "v1_sha256_4c247f40c9781332f04f82a244f6e8e22c9c744963f736937eddecf769b40a54" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110056,9 +110293,9 @@ rule ELASTIC_Windows_Trojan_Parallax_D72Ec0E2 : FILE MEMORY date = "2022-09-05" modified = "2022-09-29" reference = "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Parallax.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "6c2c84624912f3b612ae435cf3e8000192a1b168b30205ed4a93b7fab7e336ad" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Parallax.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_6c2c84624912f3b612ae435cf3e8000192a1b168b30205ed4a93b7fab7e336ad" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110087,9 +110324,9 @@ rule ELASTIC_Windows_Trojan_Parallax_B4Ea4F1A : FILE MEMORY date = "2022-09-08" modified = "2022-09-29" reference = "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Parallax.yar#L24-L55" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "731fe7bd339ec6b0372b4809004a21f53537bd82f084960b8d018f994dcdc06a" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Parallax.yar#L24-L55" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_731fe7bd339ec6b0372b4809004a21f53537bd82f084960b8d018f994dcdc06a" score = 75 quality = 42 tags = "FILE, MEMORY" @@ -110117,7 +110354,7 @@ rule ELASTIC_Windows_Trojan_Parallax_B4Ea4F1A : FILE MEMORY $parallax_payload_strings_13 = ".FileExists" ascii wide fullword condition: - 7 of ($parallax_payload_strings_*) + 7 of ( $parallax_payload_strings_* ) } rule ELASTIC_Linux_Ransomware_Hellokitty_35731270 : FILE MEMORY { 
@@ -110128,10 +110365,10 @@ rule ELASTIC_Linux_Ransomware_Hellokitty_35731270 : FILE MEMORY date = "2023-07-27" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Ransomware_Hellokitty.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Ransomware_Hellokitty.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed" - logic_hash = "40cb632d6b8561de56f2010a082a24b0c50d4cabed21e073168b5302ddff7044" + logic_hash = "v1_sha256_40cb632d6b8561de56f2010a082a24b0c50d4cabed21e073168b5302ddff7044" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110159,10 +110396,10 @@ rule ELASTIC_Windows_Packer_Scrubcrypt_6A75A4Bb : FILE MEMORY date = "2023-04-18" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Packer_ScrubCrypt.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Packer_ScrubCrypt.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "05c1eea2ff8c31aa5baf1dfd8015988f7e737753275ed1c8c29013a3a7414b50" - logic_hash = "edcaa6f1cc85ef084ae5bf2524f39869a90b008dce85e72bca4835565f067ca7" + logic_hash = "v1_sha256_edcaa6f1cc85ef084ae5bf2524f39869a90b008dce85e72bca4835565f067ca7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110189,10 +110426,10 @@ rule ELASTIC_Windows_Trojan_Clipbanker_7Efaef9F : FILE MEMORY date = "2022-02-28" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Clipbanker.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Clipbanker.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "02b06acb113c31f5a2ac9c99f9614e0fab0f78afc5ae872e46bae139c2c9b1f6" - logic_hash = "fa547d7c1623b332ef306672dd2293b44016d9974c1a3ec4b15e5ae0483ff879" + logic_hash = "v1_sha256_fa547d7c1623b332ef306672dd2293b44016d9974c1a3ec4b15e5ae0483ff879" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110222,10 +110459,10 @@ rule ELASTIC_Windows_Trojan_Clipbanker_B60A50B8 : FILE MEMORY date = "2022-02-28" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Clipbanker.yar#L25-L43" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Clipbanker.yar#L25-L43" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "02b06acb113c31f5a2ac9c99f9614e0fab0f78afc5ae872e46bae139c2c9b1f6" - logic_hash = "fe585ab7efbc3b500ea23d1c164bc79ded658001e53fc71721e435ed7579182a" + logic_hash = "v1_sha256_fe585ab7efbc3b500ea23d1c164bc79ded658001e53fc71721e435ed7579182a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110251,10 +110488,10 @@ rule ELASTIC_Windows_Trojan_Clipbanker_F9F9E79D : FILE MEMORY date = "2022-04-23" modified = "2022-06-09" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Clipbanker.yar#L45-L63" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Clipbanker.yar#L45-L63" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c" - logic_hash = "a71d75719133e8b84956ec002cb31f82386ef711fa2af79d204d176492cd354b" + logic_hash = "v1_sha256_a71d75719133e8b84956ec002cb31f82386ef711fa2af79d204d176492cd354b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110280,10 +110517,10 @@ rule ELASTIC_Windows_Trojan_Clipbanker_787B130B : FILE MEMORY date = "2022-04-24" modified = "2022-06-09" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Clipbanker.yar#L65-L87" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Clipbanker.yar#L65-L87" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c" - logic_hash = "88783bde7014853f6556c6e7ee2dfd5cd5fcbfb4523ed158b4287e2bfba409f1" + logic_hash = "v1_sha256_88783bde7014853f6556c6e7ee2dfd5cd5fcbfb4523ed158b4287e2bfba409f1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110313,10 +110550,10 @@ rule ELASTIC_Windows_Trojan_Revengerat_Db91Bcc6 : FILE MEMORY date = "2021-09-02" modified = "2022-01-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Revengerat.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Revengerat.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd" - logic_hash = "1e33cb1d614aae0b2181ebaca694c69e7fc849b3a3b7ffff7059e8c43553f8cc" + logic_hash = "v1_sha256_1e33cb1d614aae0b2181ebaca694c69e7fc849b3a3b7ffff7059e8c43553f8cc" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -110345,10 +110582,10 @@ rule ELASTIC_Linux_Cryptominer_Flystudio_579A3A4D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Flystudio.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Flystudio.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "84afc47554cf42e76ef8d28f2d29c28f3d35c2876cec2fb1581b0ac7cfe719dd" - logic_hash = "6579630a4fb6cf5bc8ccb2e4f93f5d549baa6ea9b742b2ee83a52f07352c4741" + logic_hash = "v1_sha256_6579630a4fb6cf5bc8ccb2e4f93f5d549baa6ea9b742b2ee83a52f07352c4741" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110374,9 +110611,9 @@ rule ELASTIC_Linux_Cryptominer_Flystudio_0A370634 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Flystudio.yar#L21-L38" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "cf924ba45a7dba19fe571bb9da8c4896690c3ad02f732b759a10174b9f61883f" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Flystudio.yar#L21-L38" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_cf924ba45a7dba19fe571bb9da8c4896690c3ad02f732b759a10174b9f61883f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110402,10 +110639,10 @@ rule ELASTIC_Linux_Hacktool_Exploitscan_4327F817 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Exploitscan.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Exploitscan.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "66c6d0e58916d863a1a973b4f5cb7d691fbd01d26b408dbc8c74f0f1e4088dfb" - logic_hash = "7797d9bd75dff355e1ee84b856e77cf9e886dfe727fb8ce7a6fdbe5ed1eb0985" + logic_hash = "v1_sha256_7797d9bd75dff355e1ee84b856e77cf9e886dfe727fb8ce7a6fdbe5ed1eb0985" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110431,10 +110668,10 @@ rule ELASTIC_Linux_Backdoor_Tinyshell_67Ee6Fae : FILE MEMORY date = "2021-10-12" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Backdoor_Tinyshell.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Backdoor_Tinyshell.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9d2e25ec0208a55fba97ac70b23d3d3753e9b906b4546d1b14d8c92f8d8eb03d" - logic_hash = "200d4267e21b8934deecc48273294f2e34464fcb412e39f3f5a006278631b9f1" + logic_hash = "v1_sha256_200d4267e21b8934deecc48273294f2e34464fcb412e39f3f5a006278631b9f1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110452,7 +110689,7 @@ rule ELASTIC_Linux_Backdoor_Tinyshell_67Ee6Fae : FILE MEMORY $b2 = " get " fullword condition: - ( all of ($a*)) or ( all of ($b*)) + ( all of ( $a* ) ) or ( all of ( $b* ) ) } rule ELASTIC_Linux_Exploit_CVE_2022_0847_E831C285 : FILE MEMORY CVE_2022_0847 { 
@@ -110463,10 +110700,10 @@ rule ELASTIC_Linux_Exploit_CVE_2022_0847_E831C285 : FILE MEMORY CVE_2022_0847 date = "2022-03-10" modified = "2022-03-14" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_CVE_2022_0847.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_CVE_2022_0847.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "c6b2cef2f2bc04e3ae33e0d368eb39eb5ea38d1bca390df47f7096117c1aecca" - logic_hash = "e15daf5de9bf66060e373a6e772669eade543ed56bef6b6924a0ee44e59522e1" + logic_hash = "v1_sha256_e15daf5de9bf66060e373a6e772669eade543ed56bef6b6924a0ee44e59522e1" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2022-0847" @@ -110489,7 +110726,7 @@ rule ELASTIC_Linux_Exploit_CVE_2022_0847_E831C285 : FILE MEMORY CVE_2022_0847 $bs2 = { B8 00 10 00 00 81 7D F0 00 10 00 00 0F 46 45 F0 89 45 F8 8B 55 F8 48 8B 45 D8 8B 00 48 } condition: - ($pp and 2 of ($s*)) or ( all of ($bs*)) + ($pp and 2 of ( $s* ) ) or ( all of ( $bs* ) ) } rule ELASTIC_Windows_Vulndriver_Atillk_18316Dd9 : FILE { 
@@ -110500,10 +110737,10 @@ rule ELASTIC_Windows_Vulndriver_Atillk_18316Dd9 : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Atillk.yar#L1-L21" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Atillk.yar#L1-L21" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - logic_hash = "02d218d0a0ea447e4ad0b03bff50c307ca5f36b8ed268787cd73c88a05aa4214" + logic_hash = "v1_sha256_02d218d0a0ea447e4ad0b03bff50c307ca5f36b8ed268787cd73c88a05aa4214" score = 75 quality = 75 tags = "FILE" @@ -110520,7 +110757,7 @@ rule ELASTIC_Windows_Vulndriver_Atillk_18316Dd9 : FILE $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x0b][\x00-\x00])([\x00-\x05][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x09][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x04][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x0a][\x00-\x00])([\x00-\x05][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff])|([\x00-\x0b][\x00-\x00])([\x00-\x05][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\x08][\x00-\x00]))/ condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $original_file_name and $version + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $original_file_name and $version } rule ELASTIC_Linux_Trojan_Patpooty_E2E0Dff1 : FILE MEMORY { 
@@ -110531,10 +110768,10 @@ rule ELASTIC_Linux_Trojan_Patpooty_E2E0Dff1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Patpooty.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Patpooty.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d38b9e76cbc863f69b29fc47262ceafd26ac476b0ae6283d3fa50985f93bedf3" - logic_hash = "ec7d12296383ca0ed20e3221fb96b9dbdaf6cc7f07f5c8383e43489a9fd6fcfe" + logic_hash = "v1_sha256_ec7d12296383ca0ed20e3221fb96b9dbdaf6cc7f07f5c8383e43489a9fd6fcfe" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110560,10 +110797,10 @@ rule ELASTIC_Linux_Trojan_Patpooty_F90C7E43 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Patpooty.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Patpooty.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "79475a66be8741d9884bc60f593c81a44bdb212592cd1a7b6130166a724cb3d3" - logic_hash = "2d995722b06ce51a5378e395896764421f84afcf6b13855a87ed43d9b9e38982" + logic_hash = "v1_sha256_2d995722b06ce51a5378e395896764421f84afcf6b13855a87ed43d9b9e38982" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110589,10 +110826,10 @@ rule ELASTIC_Multi_Ransomware_Ransomhub_4A8A07Cd : FILE MEMORY date = "2024-09-05" modified = "2024-09-30" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Multi_Ransomware_RansomHub.yar#L1-L26" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Multi_Ransomware_RansomHub.yar#L1-L26" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bfbbba7d18be1aa2e85390fa69a761302756ee9348b7343af6f42f3b5d0a939c" - logic_hash = "8e2d062e890cf66418c18ce8988c0ac4744c9f00fdc296e8dd91df39ec240abe" + logic_hash = "v1_sha256_8e2d062e890cf66418c18ce8988c0ac4744c9f00fdc296e8dd91df39ec240abe" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110625,9 +110862,9 @@ rule ELASTIC_Windows_Trojan_Bruteratel_1916686D : FILE MEMORY date = "2022-06-23" modified = "2022-12-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BruteRatel.yar#L1-L31" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "e0e7b8ba2865fc76845b21aa3e075ceab98888635a60bd722c0c81e0f4fcf58c" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BruteRatel.yar#L1-L31" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_e0e7b8ba2865fc76845b21aa3e075ceab98888635a60bd722c0c81e0f4fcf58c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110655,7 +110892,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_1916686D : FILE MEMORY $b1 = { 48 83 EC ?? 48 8D 35 ?? ?? ?? ?? 4C 63 E2 31 D2 48 8D 7C 24 ?? 48 89 CB 4D 89 E0 4C 89 E5 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 A4 31 F6 BF ?? ?? ?? ?? 39 F5 7E ?? E8 ?? ?? ?? ?? 99 F7 FF 48 63 D2 8A 44 14 ?? 88 04 33 48 FF C6 EB ?? } condition: - 4 of ($a*) or 1 of ($b*) + 4 of ( $a* ) or 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Bruteratel_9B267F96 : FILE MEMORY { 
@@ -110666,9 +110903,9 @@ rule ELASTIC_Windows_Trojan_Bruteratel_9B267F96 : FILE MEMORY date = "2022-06-23" modified = "2022-07-18" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BruteRatel.yar#L33-L57" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "fbaaf4bf2462119b39a5df90b91fb831be3e602b926cd893374a5dddf48f029d" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BruteRatel.yar#L33-L57" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_fbaaf4bf2462119b39a5df90b91fb831be3e602b926cd893374a5dddf48f029d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110690,7 +110927,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_9B267F96 : FILE MEMORY $b1 = { 50 48 B8 E2 6A 15 64 56 22 0D 7E 50 48 B8 18 2C 05 7F BB 78 D7 27 50 48 B8 C9 EC BC 3D 84 54 9A 62 50 48 B8 A1 E1 3C 4E AF 2B F6 B1 50 48 B8 2E E6 7B A0 94 CA 9D F0 50 48 B8 61 52 80 AA 1A B6 4B 0E 50 48 B8 B2 13 11 5A 28 81 ED 60 50 48 B8 20 DE A9 34 89 08 C8 32 50 48 B8 9B DC C1 FF 79 CE 5B F5 50 48 B8 FD 57 3F 4C C7 D3 7A 21 50 48 B8 70 B8 63 0F AB 19 BF 1C 50 48 B8 48 F2 1B 72 1E 2A C6 8A 50 48 B8 E3 FA 38 E9 1D 76 E0 6F 50 48 B8 97 AD 75 } condition: - 3 of ($a*) or 1 of ($b*) + 3 of ( $a* ) or 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Bruteratel_684A39F2 : FILE MEMORY { 
@@ -110701,10 +110938,10 @@ rule ELASTIC_Windows_Trojan_Bruteratel_684A39F2 : FILE MEMORY date = "2023-01-24" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BruteRatel.yar#L59-L84" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BruteRatel.yar#L59-L84" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5f4782a34368bb661f413f33e2d1fb9f237b7f9637f2c0c21dc752316b02350c" - logic_hash = "7cb74176e1dbdd248295649568d29c9d88841fcd0c16479b6b7efc71c4a1d706" + logic_hash = "v1_sha256_7cb74176e1dbdd248295649568d29c9d88841fcd0c16479b6b7efc71c4a1d706" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110726,7 +110963,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_684A39F2 : FILE MEMORY $cfg4 = { 22 00 7D 00 2C 00 22 00 6D 00 74 00 64 00 74 00 22 00 3A 00 7B 00 22 00 68 00 5F 00 6E 00 61 00 6D 00 65 00 22 00 3A 00 22 00 } condition: - any of ($seq*) and all of ($cfg*) + any of ( $seq* ) and all of ( $cfg* ) } rule ELASTIC_Windows_Trojan_Bruteratel_Ade6C9D5 : FILE MEMORY { 
@@ -110737,10 +110974,10 @@ rule ELASTIC_Windows_Trojan_Bruteratel_Ade6C9D5 : FILE MEMORY date = "2023-01-24" modified = "2023-02-01" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BruteRatel.yar#L86-L109" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BruteRatel.yar#L86-L109" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dc9757c9aa3aff76d86f9f23a3d20a817e48ca3d7294307cc67477177af5c0d4" - logic_hash = "8ff8ed1e2b909606fe6aae3f43ad02898d7b3906c3d329a508f6d40490ec75a0" + logic_hash = "v1_sha256_8ff8ed1e2b909606fe6aae3f43ad02898d7b3906c3d329a508f6d40490ec75a0" score = 60 quality = 45 tags = "FILE, MEMORY" 
@@ -110771,10 +111008,10 @@ rule ELASTIC_Windows_Trojan_Bruteratel_4110D879 : FILE MEMORY date = "2023-05-10" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BruteRatel.yar#L111-L130" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BruteRatel.yar#L111-L130" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "e0fbbc548fdb9da83a72ddc1040463e37ab6b8b544bf0d2b206bfff352175afe" - logic_hash = "22c27523ddd8183c41da40f7ff908ae5bdee3b482c8a3f70aaa63a4c419e515b" + logic_hash = "v1_sha256_22c27523ddd8183c41da40f7ff908ae5bdee3b482c8a3f70aaa63a4c419e515b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110801,10 +111038,10 @@ rule ELASTIC_Windows_Trojan_Bruteratel_5B12Cbab : FILE MEMORY date = "2024-02-21" modified = "2024-03-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BruteRatel.yar#L132-L150" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BruteRatel.yar#L132-L150" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8165798fec8294523f25aedfc6699faad0c5d75f60bc7cefcbb2fa13dbc656e3" - logic_hash = "b86296dafaef1dfa0a41704cafa351694abb0e453e104dfe06836ed599338f38" + logic_hash = "v1_sha256_b86296dafaef1dfa0a41704cafa351694abb0e453e104dfe06836ed599338f38" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110830,10 +111067,10 @@ rule ELASTIC_Windows_Trojan_Bruteratel_5E383Ae0 : FILE MEMORY date = "2024-03-27" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BruteRatel.yar#L152-L184" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BruteRatel.yar#L152-L184" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "0b506ef32f58ee2b1e5701ca8e13c67584739ab1d00ee4a0c2f532c09a15836f" - logic_hash = "5d87ada1c609e23742c389f8153a9266c4db95be4a5e10b50979aebc993a45e0" + logic_hash = "v1_sha256_5d87ada1c609e23742c389f8153a9266c4db95be4a5e10b50979aebc993a45e0" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110862,7 +111099,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_5E383Ae0 : FILE MEMORY $b4 = "__imp_NETAPI32$" condition: - 1 of ($a*) and 1 of ($b*) + 1 of ( $a* ) and 1 of ( $b* ) } rule ELASTIC_Windows_Trojan_Bruteratel_644Ac114 : FILE MEMORY { 
@@ -110873,10 +111110,10 @@ rule ELASTIC_Windows_Trojan_Bruteratel_644Ac114 : FILE MEMORY date = "2024-04-17" modified = "2024-05-08" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_BruteRatel.yar#L186-L205" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_BruteRatel.yar#L186-L205" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ace6a99d95ef859d4ab74db6900753e754273a12a34721f1aa8f1a9df3d8ec35" - logic_hash = "06ffea16a0348f2276f379db150b5f9d2dbdffbcb2eee83c55c27c837ecb1e69" + logic_hash = "v1_sha256_06ffea16a0348f2276f379db150b5f9d2dbdffbcb2eee83c55c27c837ecb1e69" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110903,10 +111140,10 @@ rule ELASTIC_Windows_Ransomware_Avoslocker_7Ae4D4F2 : FILE MEMORY date = "2021-07-28" modified = "2021-08-23" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Avoslocker.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Avoslocker.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856" - logic_hash = "c87faf6f128fd6a8cabd68ec8de72fb10e6be42bdbe23ece374dd8f3cf0c1b15" + logic_hash = "v1_sha256_c87faf6f128fd6a8cabd68ec8de72fb10e6be42bdbe23ece374dd8f3cf0c1b15" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110936,10 +111173,10 @@ rule ELASTIC_Windows_Trojan_Kronos_Cdd2E2C5 : FILE MEMORY date = "2021-02-07" modified = "2021-08-23" reference = "https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Kronos.yar#L1-L27" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Kronos.yar#L1-L27" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "baa9cedbbe0f5689be8f8028a6537c39e9ea8b0815ad76cb98f365ca5a41653f" - logic_hash = "a8943c5ef166446629cb46517d35db39c97a1e3efa3a7a0b5cb3d3ee9d1e6e9c" + logic_hash = "v1_sha256_a8943c5ef166446629cb46517d35db39c97a1e3efa3a7a0b5cb3d3ee9d1e6e9c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110972,10 +111209,10 @@ rule ELASTIC_Windows_Vulndriver_Winio_C9Cc6D00 : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_WinIo.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_WinIo.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf"
- logic_hash = "4b6a78c2c807cf1f569ae9bc275d42d9c895efba7a2d64fec0652e3cb163d553"
+ logic_hash = "v1_sha256_4b6a78c2c807cf1f569ae9bc275d42d9c895efba7a2d64fec0652e3cb163d553"
 score = 75
 quality = 75
 tags = "FILE"
@@ -110990,7 +111227,7 @@ rule ELASTIC_Windows_Vulndriver_Winio_C9Cc6D00 : FILE
 $str1 = "\\WinioSys.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Windows_Vulndriver_Winio_B0F21A70 : FILE
 {
@@ -111001,10 +111238,10 @@ rule ELASTIC_Windows_Vulndriver_Winio_B0F21A70 : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_WinIo.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_WinIo.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374"
- logic_hash = "c82d95e805898f9a9a1ffccb483e506df0a53dc420068314e7c724e4947f3572"
+ logic_hash = "v1_sha256_c82d95e805898f9a9a1ffccb483e506df0a53dc420068314e7c724e4947f3572"
 score = 75
 quality = 75
 tags = "FILE"
@@ -111019,7 +111256,7 @@ rule ELASTIC_Windows_Vulndriver_Winio_B0F21A70 : FILE
 $str1 = "IOCTL_WINIO_WRITEMSR"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Windows_Ransomware_Mountlocker_126A76E2 : FILE MEMORY
 {
@@ -111030,10 +111267,10 @@ rule ELASTIC_Windows_Ransomware_Mountlocker_126A76E2 : FILE MEMORY
 date = "2021-06-10"
 modified = "2021-08-23"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Mountlocker.yar#L1-L23"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Mountlocker.yar#L1-L23"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1"
- logic_hash = "5a5e157a245a75033abbe6bc7aa66fe6af6d91dc30abe1fdadce85f8f3905b1e"
+ logic_hash = "v1_sha256_5a5e157a245a75033abbe6bc7aa66fe6af6d91dc30abe1fdadce85f8f3905b1e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111063,10 +111300,10 @@ rule ELASTIC_Linux_Cryptominer_Roboto_0B6807F8 : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Roboto.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Roboto.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "c2542e399f865b5c490ee66b882f5ff246786b3f004abb7489ec433c11007dda"
- logic_hash = "d945c7a23b9f435851f3c998231da615e220c259051cf213186c28f3279be1dd"
+ logic_hash = "v1_sha256_d945c7a23b9f435851f3c998231da615e220c259051cf213186c28f3279be1dd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111092,10 +111329,10 @@ rule ELASTIC_Linux_Cryptominer_Roboto_1F1Cfe9A : FILE MEMORY
 date = "2021-01-12"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Roboto.yar#L21-L39"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Roboto.yar#L21-L39"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "497a6d426ff93d5cd18cea623074fb209d4f407a02ef8f382f089f1ed3f108c5"
- logic_hash = "2171284991b0019379c8d271013a35237c37bc2e13d807caed86f8fb9d2ba418"
+ logic_hash = "v1_sha256_2171284991b0019379c8d271013a35237c37bc2e13d807caed86f8fb9d2ba418"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111121,10 +111358,10 @@ rule ELASTIC_Windows_Vulndriver_Zam_928812A7 : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Zam.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Zam.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
- logic_hash = "82ca874d60d8a0ee04aca39f59415f22797e7e0337314c88dd8ebad1a823d200"
+ logic_hash = "v1_sha256_82ca874d60d8a0ee04aca39f59415f22797e7e0337314c88dd8ebad1a823d200"
 score = 75
 quality = 75
 tags = "FILE"
@@ -111140,7 +111377,7 @@ rule ELASTIC_Windows_Vulndriver_Zam_928812A7 : FILE
 $pdb_32 = "AntiMalware\\bin\\zam32.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and any of ($pdb_*)
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and any of ( $pdb_* )
 }
 rule ELASTIC_Windows_Vulndriver_Zam_7C86D260 : FILE MEMORY
 {
@@ -111151,10 +111388,10 @@ rule ELASTIC_Windows_Vulndriver_Zam_7C86D260 : FILE MEMORY
 date = "2024-07-16"
 modified = "2024-09-30"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Zam.yar#L22-L42"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Zam.yar#L22-L42"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c"
- logic_hash = "cc29f26c222825eb5262d91065a00243bc913fe2071d8ad6b0dc61dd22798f1e"
+ logic_hash = "v1_sha256_cc29f26c222825eb5262d91065a00243bc913fe2071d8ad6b0dc61dd22798f1e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111171,7 +111408,7 @@ rule ELASTIC_Windows_Vulndriver_Zam_7C86D260 : FILE MEMORY
 $s1 = "Advanced Malware Protection" wide fullword
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and int16 ( uint32(0x3C)+0x18)==0x020b and $original_file_name and $version and $s1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and int16 ( uint32( 0x3C ) + 0x18 ) == 0x020b and $original_file_name and $version and $s1
 }
 rule ELASTIC_Linux_Trojan_Bpfdoor_59E029C3 : FILE MEMORY
 {
@@ -111182,10 +111419,10 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_59E029C3 : FILE MEMORY
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_BPFDoor.yar#L1-L24"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_BPFDoor.yar#L1-L24"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3"
- logic_hash = "64620a3404b331855d0b8018c1626c88cb28380785beac1a391613ae8dc1b1bf"
+ logic_hash = "v1_sha256_64620a3404b331855d0b8018c1626c88cb28380785beac1a391613ae8dc1b1bf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111215,10 +111452,10 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_0F768F60 : FILE MEMORY
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_BPFDoor.yar#L26-L50"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_BPFDoor.yar#L26-L50"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155"
- logic_hash = "1aaa74c2d8fbb230cbfc0e08fd6865b5f7e90e4abcdb97121e52afb7569b2dbc"
+ logic_hash = "v1_sha256_1aaa74c2d8fbb230cbfc0e08fd6865b5f7e90e4abcdb97121e52afb7569b2dbc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111249,10 +111486,10 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_8453771B : FILE MEMORY
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_BPFDoor.yar#L52-L78"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_BPFDoor.yar#L52-L78"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78"
- logic_hash = "546e5c56ceb6b99db14dc225a2ec4872cb54859a0f2f6ad520d4f446793e031e"
+ logic_hash = "v1_sha256_546e5c56ceb6b99db14dc225a2ec4872cb54859a0f2f6ad520d4f446793e031e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111285,10 +111522,10 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_F690Fe3B : FILE MEMORY
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_BPFDoor.yar#L80-L99"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_BPFDoor.yar#L80-L99"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78"
- logic_hash = "35c6be75348a30f415a1a4bb94ae7e3a2f49f54a0fb3ddc4bae1aa3e03c1a909"
+ logic_hash = "v1_sha256_35c6be75348a30f415a1a4bb94ae7e3a2f49f54a0fb3ddc4bae1aa3e03c1a909"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111314,10 +111551,10 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_1A7D804B : FILE MEMORY
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_BPFDoor.yar#L101-L127"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_BPFDoor.yar#L101-L127"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925"
- logic_hash = "b0c4b168d92947e599e8c74d0ae6a91766c8a034c34e9c07e2472620c9b61037"
+ logic_hash = "v1_sha256_b0c4b168d92947e599e8c74d0ae6a91766c8a034c34e9c07e2472620c9b61037"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111339,7 +111576,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_1A7D804B : FILE MEMORY
 $b1 = { D0 48 89 45 F8 48 8B 45 F8 0F B6 40 0C C0 E8 04 0F B6 C0 C1 }
 condition:
- all of ($a*) or 1 of ($b*)
+ all of ( $a* ) or 1 of ( $b* )
 }
 rule ELASTIC_Linux_Trojan_Bpfdoor_E14B0B79 : FILE MEMORY
 {
@@ -111350,10 +111587,10 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_E14B0B79 : FILE MEMORY
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_BPFDoor.yar#L129-L152"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_BPFDoor.yar#L129-L152"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a"
- logic_hash = "7cdf111ae253bffef7243ad3722f1a79f81f45d80f938f9542af8e056f75d3fc"
+ logic_hash = "v1_sha256_7cdf111ae253bffef7243ad3722f1a79f81f45d80f938f9542af8e056f75d3fc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111383,10 +111620,10 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_F1Cd26Ad : FILE MEMORY
 date = "2023-05-11"
 modified = "2023-05-16"
 reference = "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_BPFDoor.yar#L154-L175"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_BPFDoor.yar#L154-L175"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7"
- logic_hash = "ad3e130d5a1203c55b5c8d369c7d9989f66f76c9bd57e2314a30f4c931e4b98d"
+ logic_hash = "v1_sha256_ad3e130d5a1203c55b5c8d369c7d9989f66f76c9bd57e2314a30f4c931e4b98d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111403,7 +111640,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_F1Cd26Ad : FILE MEMORY
 $signals_setup = { BE 01 00 00 00 BF 02 00 00 00 ?? ?? ?? ?? ?? BE 01 00 00 00 BF 01 00 00 00 ?? ?? ?? ?? ?? BE 01 00 00 00 BF 03 00 00 00 ?? ?? ?? ?? ?? BE 01 00 00 00 BF 0D 00 00 00 ?? ?? ?? ?? ?? BE 01 00 00 00 BF 16 00 00 00 ?? ?? ?? ?? ?? BE 01 00 00 00 BF 15 00 00 00 ?? ?? ?? ?? ?? BE 01 00 00 00 BF 11 00 00 00 ?? ?? ?? ?? ?? BF 0A 00 00 00 }
 condition:
- ($magic_bytes_check and $seq_binary) or $signals_setup
+ ($magic_bytes_check and $seq_binary ) or $signals_setup
 }
 rule ELASTIC_Linux_Trojan_Bish_974B4B47 : FILE MEMORY
 {
@@ -111414,10 +111651,10 @@ rule ELASTIC_Linux_Trojan_Bish_974B4B47 : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Bish.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Bish.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9171fd2bbe182f0a3cd35937f3ee0076c9358f52f5bc047498dd9e233ae11757"
- logic_hash = "c5a7d036c89fe50626da51486d19ee731ad28cbc8d36def075d8f33a7b68961f"
+ logic_hash = "v1_sha256_c5a7d036c89fe50626da51486d19ee731ad28cbc8d36def075d8f33a7b68961f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111443,10 +111680,10 @@ rule ELASTIC_Windows_Vulndriver_Eneio_6E01882F : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_EneIo.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_EneIo.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347"
- logic_hash = "144ac5375cb637b6301a2275f2412fbd0d0c5fb23105c7cce5aa7912cf68fa2c"
+ logic_hash = "v1_sha256_144ac5375cb637b6301a2275f2412fbd0d0c5fb23105c7cce5aa7912cf68fa2c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -111461,7 +111698,7 @@ rule ELASTIC_Windows_Vulndriver_Eneio_6E01882F : FILE
 $str1 = "\\Release\\EneIo.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Linux_Trojan_Sysrv_85097F24 : FILE MEMORY
 {
@@ -111472,9 +111709,9 @@ rule ELASTIC_Linux_Trojan_Sysrv_85097F24 : FILE MEMORY
 date = "2021-06-28"
 modified = "2021-09-16"
 reference = "17fbc8e10dea69b29093fcf2aa018be4d58fe5462c5a0363a0adde60f448fb26"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Sysrv.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
- logic_hash = "96bee8b9b0e9c2afd684582301f9e110fd08fcabaea798bfb6259a4216f69be1"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Sysrv.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
+ logic_hash = "v1_sha256_96bee8b9b0e9c2afd684582301f9e110fd08fcabaea798bfb6259a4216f69be1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111500,10 +111737,10 @@ rule ELASTIC_Linux_Trojan_Mech_D30Ec0A0 : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mech.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mech.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "710d1a0a8c7eecc6d793933c8a97cec66d284b3687efee7655a2dc31d15c0593"
- logic_hash = "268aeb25d6468412d8123bab5eb2c8bd7704828d0ef3c3d771aa036e374127d7"
+ logic_hash = "v1_sha256_268aeb25d6468412d8123bab5eb2c8bd7704828d0ef3c3d771aa036e374127d7"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -111529,10 +111766,10 @@ rule ELASTIC_Linux_Trojan_Godropper_Bae099Bd : FILE MEMORY
 date = "2021-04-06"
 modified = "2021-09-16"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Godropper.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Godropper.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "704643f3fd11cda1d52260285bf2a03bccafe59cfba4466427646c1baf93881e"
- logic_hash = "ef6274928f7cfc0312122ac3e4153fb0a78dc7d5fb2d68db6cbe4974f5497210"
+ logic_hash = "v1_sha256_ef6274928f7cfc0312122ac3e4153fb0a78dc7d5fb2d68db6cbe4974f5497210"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111558,10 +111795,10 @@ rule ELASTIC_Windows_Trojan_Emotet_18379A8D : FILE MEMORY
 date = "2021-11-17"
 modified = "2022-01-13"
 reference = "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Emotet.yar#L1-L20"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Emotet.yar#L1-L20"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827"
- logic_hash = "2ad72ce2a352b91a4fa597ee9e796035298cfcee6fdc13dd3f64579d8da96b97"
+ logic_hash = "v1_sha256_2ad72ce2a352b91a4fa597ee9e796035298cfcee6fdc13dd3f64579d8da96b97"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111587,10 +111824,10 @@ rule ELASTIC_Windows_Trojan_Emotet_5528B3B0 : FILE MEMORY
 date = "2021-11-17"
 modified = "2022-01-13"
 reference = "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Emotet.yar#L22-L41"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Emotet.yar#L22-L41"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827"
- logic_hash = "bb784ab0e064bafa8450b6bb15ef534af38254ea3c096807571c2c27f7cdfd76"
+ logic_hash = "v1_sha256_bb784ab0e064bafa8450b6bb15ef534af38254ea3c096807571c2c27f7cdfd76"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111616,10 +111853,10 @@ rule ELASTIC_Windows_Trojan_Emotet_1943Bbf2 : FILE MEMORY
 date = "2021-11-18"
 modified = "2022-01-13"
 reference = "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Emotet.yar#L43-L62"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Emotet.yar#L43-L62"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5abec3cd6aa066b1ddc0149a911645049ea1da66b656c563f9a384e821c5db38"
- logic_hash = "41838e335b9314b8759922f23ec8709f46e6a26633f3685ac98ada5828191d35"
+ logic_hash = "v1_sha256_41838e335b9314b8759922f23ec8709f46e6a26633f3685ac98ada5828191d35"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111645,10 +111882,10 @@ rule ELASTIC_Windows_Trojan_Emotet_Db7D33Fa : FILE MEMORY
 date = "2022-05-09"
 modified = "2022-06-09"
 reference = "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Emotet.yar#L64-L90"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Emotet.yar#L64-L90"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc"
- logic_hash = "e220c112c15f384fde6fc2286b01c7eb9bedcf4817d02645d0fa7afb05e7b593"
+ logic_hash = "v1_sha256_e220c112c15f384fde6fc2286b01c7eb9bedcf4817d02645d0fa7afb05e7b593"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111681,10 +111918,10 @@ rule ELASTIC_Windows_Trojan_Emotet_D6Ac1Ea4 : FILE MEMORY
 date = "2022-05-24"
 modified = "2022-06-09"
 reference = "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Emotet.yar#L92-L114"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Emotet.yar#L92-L114"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71"
- logic_hash = "9b37940ea8752c6db52d4f09225de0389438c41468a11a7cda8f28b191192ef9"
+ logic_hash = "v1_sha256_9b37940ea8752c6db52d4f09225de0389438c41468a11a7cda8f28b191192ef9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111702,7 +111939,7 @@ rule ELASTIC_Windows_Trojan_Emotet_D6Ac1Ea4 : FILE MEMORY
 $post = { 8B 44 24 ?? 89 44 24 ?? 48 83 C4 18 C3 }
 condition:
- #calc1>=10 and #pre>=5 and #setup>=5 and #post>=5
+ #calc1>= 10 and #pre >= 5 and #setup >= 5 and #post >= 5
 }
 rule ELASTIC_Windows_Trojan_Emotet_77C667B9 : FILE MEMORY
 {
@@ -111713,10 +111950,10 @@ rule ELASTIC_Windows_Trojan_Emotet_77C667B9 : FILE MEMORY
 date = "2022-11-07"
 modified = "2022-12-20"
 reference = "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Emotet.yar#L116-L144"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Emotet.yar#L116-L144"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ffac0120c3ae022b807559e8ed7902fde0fa5f7cb9c5c8d612754fa498288572"
- logic_hash = "f11769fe5e9789b451e8826c5fd22bde5b3eb9f7af1d5fec7eec71700fc1f482"
+ logic_hash = "v1_sha256_f11769fe5e9789b451e8826c5fd22bde5b3eb9f7af1d5fec7eec71700fc1f482"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111740,7 +111977,7 @@ rule ELASTIC_Windows_Trojan_Emotet_77C667B9 : FILE MEMORY
 $key_1 = { 45 33 C9 4C 8B D0 48 85 C0 74 ?? 48 8D ?? ?? 4C 8B ?? 48 8B ?? 48 2B ?? 48 83 ?? ?? 48 C1 ?? ?? 48 3B ?? 49 0F 47 ?? 48 85 ?? 74 ?? 48 2B D8 42 8B 04 03 }
 condition:
- (1 of ($string_*)) and (($key_1 or (1 of ($c2_list*))) or (1 of ($c2_list*)))
+ (1 of ( $string_* ) ) and ( ( $key_1 or ( 1 of ( $c2_list* ) ) ) or ( 1 of ( $c2_list* ) ) )
 }
 rule ELASTIC_Windows_Trojan_Emotet_8B9449C1 : FILE MEMORY
 {
@@ -111751,10 +111988,10 @@ rule ELASTIC_Windows_Trojan_Emotet_8B9449C1 : FILE MEMORY
 date = "2022-11-09"
 modified = "2022-12-20"
 reference = "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Emotet.yar#L146-L166"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Emotet.yar#L146-L166"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "ffac0120c3ae022b807559e8ed7902fde0fa5f7cb9c5c8d612754fa498288572"
- logic_hash = "5501354ebc1d97fe5ce894d5907adb29440f557f2dd235e1e983ae2d109199a2"
+ logic_hash = "v1_sha256_5501354ebc1d97fe5ce894d5907adb29440f557f2dd235e1e983ae2d109199a2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -111781,10 +112018,10 @@ rule ELASTIC_Windows_Vulndriver_Amifldrv_E387D5Ad : FILE
 date = "2022-04-04"
 modified = "2022-04-04"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_VulnDriver_Amifldrv.yar#L1-L19"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_VulnDriver_Amifldrv.yar#L1-L19"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330"
- logic_hash = "14d75b5aff2c82d69b041c654cdc0840f6b6e37a197f5c0c1c2698c9e8eba3e2"
+ logic_hash = "v1_sha256_14d75b5aff2c82d69b041c654cdc0840f6b6e37a197f5c0c1c2698c9e8eba3e2"
 score = 60
 quality = 55
 tags = "FILE"
@@ -111799,7 +112036,7 @@ rule ELASTIC_Windows_Vulndriver_Amifldrv_E387D5Ad : FILE
 $str1 = "\\amifldrv64.pdb"
 condition:
- int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1
+ int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1
 }
 rule ELASTIC_Windows_Hacktool_Gmer_8Aabdd5E : FILE
 {
@@ -111810,10 +112047,10 @@ rule ELASTIC_Windows_Hacktool_Gmer_8Aabdd5E : FILE date = "2022-04-04" modified = "2022-04-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Hacktool_Gmer.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Hacktool_Gmer.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - logic_hash = "acdab89a7703a743927cec60fbc84af2fd469403bee6f211c865fb96e9c92498" + logic_hash = "v1_sha256_acdab89a7703a743927cec60fbc84af2fd469403bee6f211c865fb96e9c92498" score = 75 quality = 75 tags = "FILE" @@ -111828,7 +112065,7 @@ rule ELASTIC_Windows_Hacktool_Gmer_8Aabdd5E : FILE $str1 = "\\gmer64.pdb" condition: - int16 ( uint32(0x3C)+0x5c)==0x0001 and $str1 + int16 ( uint32( 0x3C ) + 0x5c ) == 0x0001 and $str1 } rule ELASTIC_Windows_Ransomware_Ransomexx_Fabff49C : FILE MEMORY { 
@@ -111839,10 +112076,10 @@ rule ELASTIC_Windows_Ransomware_Ransomexx_Fabff49C : FILE MEMORY date = "2021-08-07" modified = "2021-10-04" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Ransomware_Ransomexx.yar#L1-L22" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Ransomware_Ransomexx.yar#L1-L22" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7" - logic_hash = "67d5123b706685ea5ab939aec31cb1549297778d91dd38b14e109945c52da71a" + logic_hash = "v1_sha256_67d5123b706685ea5ab939aec31cb1549297778d91dd38b14e109945c52da71a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111871,9 +112108,9 @@ rule ELASTIC_Linux_Trojan_Rotajakiro_Fb24F399 : FILE MEMORY date = "2021-06-28" modified = "2021-09-16" reference = "023a7f9ed082d9dd7be6eba5942bfa77f8e618c2d15a8bc384d85223c5b91a0c" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Rotajakiro.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" - logic_hash = "be33fdda50ef0ea1a0cf45835cc2b7a805cecb3fff371ed6d93e01c2d477d867" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Rotajakiro.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" + logic_hash = "v1_sha256_be33fdda50ef0ea1a0cf45835cc2b7a805cecb3fff371ed6d93e01c2d477d867" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111899,10 +112136,10 @@ rule ELASTIC_Windows_Trojan_Zloader_5Dd0A0Bf : FILE MEMORY date = "2022-03-03" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Zloader.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Zloader.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "161e657587361b29cdb883a6836566a946d9d3e5175e166a9fe54981d0c667fa" - logic_hash = "1446a4147e1b06fa66907de857011079c55a8e6bf84276eb8518d33468ba1f83" + logic_hash = "v1_sha256_1446a4147e1b06fa66907de857011079c55a8e6bf84276eb8518d33468ba1f83" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111928,10 +112165,10 @@ rule ELASTIC_Windows_Trojan_Zloader_4Fe0F7F1 : FILE MEMORY date = "2022-03-03" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Zloader.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Zloader.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "161e657587361b29cdb883a6836566a946d9d3e5175e166a9fe54981d0c667fa" - logic_hash = "b20fafc9db08c7668b49e18f45632594c3a69ec65fe865e79379c544fc424f8d" + logic_hash = "v1_sha256_b20fafc9db08c7668b49e18f45632594c3a69ec65fe865e79379c544fc424f8d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111957,10 +112194,10 @@ rule ELASTIC_Windows_Trojan_Zloader_363C65Ed : FILE MEMORY date = "2022-03-03" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Zloader.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Zloader.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "161e657587361b29cdb883a6836566a946d9d3e5175e166a9fe54981d0c667fa" - logic_hash = "d3c530f9929db709067a9e1cc59b9cda9dcd8e19352c79ddaf7af6c91b242afd" + logic_hash = "v1_sha256_d3c530f9929db709067a9e1cc59b9cda9dcd8e19352c79ddaf7af6c91b242afd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111986,10 +112223,10 @@ rule ELASTIC_Windows_Trojan_Zloader_79535191 : FILE MEMORY date = "2022-03-03" modified = "2022-04-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Zloader.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Zloader.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "161e657587361b29cdb883a6836566a946d9d3e5175e166a9fe54981d0c667fa" - logic_hash = "c398a8ca46c6fe3e59481a092867be77a94809b1568cea918aa6450374063857" + logic_hash = "v1_sha256_c398a8ca46c6fe3e59481a092867be77a94809b1568cea918aa6450374063857" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112015,10 +112252,10 @@ rule ELASTIC_Linux_Cryptominer_Ccminer_18Fc60E5 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Ccminer.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Ccminer.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dbb403a00c75ef2a74b41b8b58d08a6749f37f922de6cc19127a8f244d901c60" - logic_hash = "75db45ccbeb558409ee9398065591472d4aee0382be5980adb9d0fb41e557789" + logic_hash = "v1_sha256_75db45ccbeb558409ee9398065591472d4aee0382be5980adb9d0fb41e557789" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112044,10 +112281,10 @@ rule ELASTIC_Linux_Cryptominer_Ccminer_3C593Bc3 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Cryptominer_Ccminer.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Cryptominer_Ccminer.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "dbb403a00c75ef2a74b41b8b58d08a6749f37f922de6cc19127a8f244d901c60" - logic_hash = "94a0d33b474b3c60e926eaf06147eb0fdc56beac525f25326448bf2a5177d9c0" + logic_hash = "v1_sha256_94a0d33b474b3c60e926eaf06147eb0fdc56beac525f25326448bf2a5177d9c0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112073,10 +112310,10 @@ rule ELASTIC_Linux_Trojan_Mettle_E8Fdbcbd : FILE MEMORY date = "2024-05-06" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mettle.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mettle.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "864eae4f27648b8a9d9b0eb1894169aa739311cdd02b1435a34881acf7059d58" - logic_hash = "d13c1e7fb815ebbefa78922e9b85a1ced015c03b8f1b2cf1885a9c483b8e0ab3" + logic_hash = "v1_sha256_d13c1e7fb815ebbefa78922e9b85a1ced015c03b8f1b2cf1885a9c483b8e0ab3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -112095,7 +112332,7 @@ rule ELASTIC_Linux_Trojan_Mettle_E8Fdbcbd : FILE MEMORY $mettle5 = "mettle_get_machine_id" condition: - 2 of ($mettle*) + 2 of ( $mettle* ) } rule ELASTIC_Linux_Trojan_Mettle_813B9B6C : FILE MEMORY { 
@@ -112106,10 +112343,10 @@ rule ELASTIC_Linux_Trojan_Mettle_813B9B6C : FILE MEMORY date = "2024-05-06" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mettle.yar#L25-L52" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mettle.yar#L25-L52" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "bb651d974ca3f349858db7b5a86f03a8d47d668294f27e709a823fa11e6963d7" - logic_hash = "a6a9cf424bf1ca7985e1c4b14123ed236208ffa3f7c9ffebbdd85765a90bfa54" + logic_hash = "v1_sha256_a6a9cf424bf1ca7985e1c4b14123ed236208ffa3f7c9ffebbdd85765a90bfa54" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -112133,7 +112370,7 @@ rule ELASTIC_Linux_Trojan_Mettle_813B9B6C : FILE MEMORY $func_c2_new_struct = { C7 46 14 00 00 00 00 C7 46 10 00 00 00 00 C7 46 18 00 00 00 00 8D 83 ?? ?? ?? ?? 89 46 20 C7 46 24 00 00 00 00 C7 46 28 00 00 00 00 C7 46 2C 00 00 00 00 C7 46 30 00 00 F0 3F 89 76 1C 83 EC 0C 56 E8 } condition: - 2 of ($process*) and 2 of ($file*) and 2 of ($func*) + 2 of ( $process* ) and 2 of ( $file* ) and 2 of ( $func* ) } rule ELASTIC_Linux_Trojan_Mettle_78Aead1C : FILE MEMORY { 
@@ -112144,10 +112381,10 @@ rule ELASTIC_Linux_Trojan_Mettle_78Aead1C : FILE MEMORY date = "2024-05-06" modified = "2024-05-21" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Trojan_Mettle.yar#L54-L81" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Trojan_Mettle.yar#L54-L81" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "864eae4f27648b8a9d9b0eb1894169aa739311cdd02b1435a34881acf7059d58" - logic_hash = "d68d37379b8a3a2d242030fd14884781488e9785823aa25fedfdd406748f8039" + logic_hash = "v1_sha256_d68d37379b8a3a2d242030fd14884781488e9785823aa25fedfdd406748f8039" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -112171,7 +112408,7 @@ rule ELASTIC_Linux_Trojan_Mettle_78Aead1C : FILE MEMORY $func_c2_new_struct = { 48 89 DF 48 C7 43 20 00 00 00 00 C7 43 28 00 00 00 00 48 C7 43 40 00 00 00 00 48 89 43 38 48 8B 05 D1 BE 09 00 48 89 5B 30 48 89 43 48 E8 } condition: - 2 of ($process*) and 2 of ($file*) and 2 of ($func*) + 2 of ( $process* ) and 2 of ( $file* ) and 2 of ( $func* ) } rule ELASTIC_Windows_Trojan_Grandoreiro_51236Ba2 : FILE MEMORY { 
@@ -112182,10 +112419,10 @@ rule ELASTIC_Windows_Trojan_Grandoreiro_51236Ba2 : FILE MEMORY date = "2022-08-23" modified = "2023-06-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Windows_Trojan_Grandoreiro.yar#L1-L23" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Windows_Trojan_Grandoreiro.yar#L1-L23" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "1bdf381e7080d9bed3f52f4b3db1991a80d3e58120a5790c3d1609617d1f439e" - logic_hash = "9a8549a1dd82f56458ea8aee5c30243ac073d15c820de28d78a58d2c067b10d6" + logic_hash = "v1_sha256_9a8549a1dd82f56458ea8aee5c30243ac073d15c820de28d78a58d2c067b10d6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112215,10 +112452,10 @@ rule ELASTIC_Linux_Exploit_Enoket_79B52A4C : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Enoket.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Enoket.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3ae8f7e7df62316400d0c5fe0139d7a48c9f184e92706b552aad3d827d3dbbbf" - logic_hash = "204082a3be602b3f6aebb013a46e6f9c98b5dad2476350afa60c1954b13598fe" + logic_hash = "v1_sha256_204082a3be602b3f6aebb013a46e6f9c98b5dad2476350afa60c1954b13598fe" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -112244,10 +112481,10 @@ rule ELASTIC_Linux_Exploit_Enoket_5969A348 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Enoket.yar#L21-L39" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Enoket.yar#L21-L39" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "4b4d7ca9e1ffa2c46cb097d4a014c59b1a9feb93b3adcb5936ef6a1dfef9b0ae" - logic_hash = "e47af0fba86c9152d17911b984070a8419b98da8916538ebb1065a5348da6e31" + logic_hash = "v1_sha256_e47af0fba86c9152d17911b984070a8419b98da8916538ebb1065a5348da6e31" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112273,10 +112510,10 @@ rule ELASTIC_Linux_Exploit_Enoket_80Fac3E9 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Enoket.yar#L41-L59" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Enoket.yar#L41-L59" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3355ad81c566914a7d7734b40c46ded0cfa53aa22c6e834d42e185bf8bbe6128" - logic_hash = "19cb7f02ca80095293c4a09f7ea616c31364af1e4189a9211aaba54aaa2db14e" + logic_hash = "v1_sha256_19cb7f02ca80095293c4a09f7ea616c31364af1e4189a9211aaba54aaa2db14e" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -112302,10 +112539,10 @@ rule ELASTIC_Linux_Exploit_Enoket_7Da5F86A : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Enoket.yar#L61-L79" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Enoket.yar#L61-L79" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "406b003978d79d453d3e2c21b991b113bf2fc53ffbf3a1724c5b97a4903ef550" - logic_hash = "df5769a87230f5e563849302f32673b5f5de2595e12de72c27921d45edc58928" + logic_hash = "v1_sha256_df5769a87230f5e563849302f32673b5f5de2595e12de72c27921d45edc58928" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112331,10 +112568,10 @@ rule ELASTIC_Linux_Exploit_Enoket_C77C0D6D : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Enoket.yar#L81-L99" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Enoket.yar#L81-L99" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "3ae8f7e7df62316400d0c5fe0139d7a48c9f184e92706b552aad3d827d3dbbbf" - logic_hash = "504d61715bd5dba7f777fcb2d62eb53d8d54dad2dcf93f2fc2d7dcd359c4b994" + logic_hash = "v1_sha256_504d61715bd5dba7f777fcb2d62eb53d8d54dad2dcf93f2fc2d7dcd359c4b994" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -112360,10 +112597,10 @@ rule ELASTIC_Linux_Exploit_Enoket_Fbf508E1 : FILE MEMORY date = "2021-01-12" modified = "2021-09-16" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Exploit_Enoket.yar#L101-L119" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Exploit_Enoket.yar#L101-L119" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d1fa8520d3c3811d29c3d5702e7e0e7296b3faef0553835c495223a2bc015214" - logic_hash = "21b1d69677c3fddb210dcf5947e8321abccd5a1ebbde8438a83fee5d4b29443d" + logic_hash = "v1_sha256_21b1d69677c3fddb210dcf5947e8321abccd5a1ebbde8438a83fee5d4b29443d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112389,10 +112626,10 @@ rule ELASTIC_Linux_Generic_Threat_A658B75F : FILE MEMORY date = "2024-01-17" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1-L20" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1-L20" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "df430ab9f5084a3e62a6c97c6c6279f2461618f038832305057c51b441c648d9" - logic_hash = "1ef7267438b8d15ed770f0784a7d428cbc2680144b0ef179337875d5b4038d08" + logic_hash = "v1_sha256_1ef7267438b8d15ed770f0784a7d428cbc2680144b0ef179337875d5b4038d08" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -112419,10 +112656,10 @@ rule ELASTIC_Linux_Generic_Threat_Ea5Ade9A : FILE MEMORY date = "2024-01-17" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L22-L40" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L22-L40" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d75189d883b739d9fe558637b1fab7f41e414937a8bae7a9d58347c223a1fcaa" - logic_hash = "12a9b5e54d6d528ecb559b6e2ea3aa72effa7f0efbf2c33581a4efedc292e4c1" + logic_hash = "v1_sha256_12a9b5e54d6d528ecb559b6e2ea3aa72effa7f0efbf2c33581a4efedc292e4c1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112448,10 +112685,10 @@ rule ELASTIC_Linux_Generic_Threat_80Aea077 : FILE MEMORY date = "2024-01-17" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L42-L60" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L42-L60" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "002827c41bc93772cd2832bc08dfc413302b1a29008adbb6822343861b9818f0" - logic_hash = "cab860ad5f0c49555adb845504acb4dbeabb94dbc287202be35020e055e6f27b" + logic_hash = "v1_sha256_cab860ad5f0c49555adb845504acb4dbeabb94dbc287202be35020e055e6f27b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112477,10 +112714,10 @@ rule ELASTIC_Linux_Generic_Threat_2E214A04 : FILE MEMORY date = "2024-01-17" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L62-L81" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L62-L81" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cad65816cc1a83c131fad63a545a4bd0bdaa45ea8cf039cbc6191e3c9f19dead" - logic_hash = "0d29aa6214b0a05f9af10cdc080ffa33452156e13c057f31997630cebcda294a" + logic_hash = "v1_sha256_0d29aa6214b0a05f9af10cdc080ffa33452156e13c057f31997630cebcda294a" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -112507,10 +112744,10 @@ rule ELASTIC_Linux_Generic_Threat_0B770605 : FILE MEMORY date = "2024-01-17" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L83-L102" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L83-L102" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "99418cbe1496d5cd4177a341e6121411bc1fab600d192a3c9772e8e6cd3c4e88" - logic_hash = "d4aae755870765a119ee7ae648d4388e0786e8ab6f7f196d81c6356be7d0ddfb" + logic_hash = "v1_sha256_d4aae755870765a119ee7ae648d4388e0786e8ab6f7f196d81c6356be7d0ddfb" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -112537,10 +112774,10 @@ rule ELASTIC_Linux_Generic_Threat_92064B27 : FILE MEMORY date = "2024-01-17" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L104-L122" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L104-L122" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8e5cfcda52656a98105a48783b9362bad22f61bcb6a12a27207a08de826432d9" - logic_hash = "adb9ed7280065f77440bd1e106bc800ebe6251119151cd54b76dc2917b013f65" + logic_hash = "v1_sha256_adb9ed7280065f77440bd1e106bc800ebe6251119151cd54b76dc2917b013f65" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112566,10 +112803,10 @@ rule ELASTIC_Linux_Generic_Threat_De6Be095 : FILE MEMORY date = "2024-01-17" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L124-L143" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L124-L143" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2431239d6e60ca24a5440e6c92da62b723a7e35c805f04db6b80f96c8cf9fee6" - logic_hash = "cbd7578830169703b047adb1785b05d226f2507a65c203ee344d8e2b3a24f6c9" + logic_hash = "v1_sha256_cbd7578830169703b047adb1785b05d226f2507a65c203ee344d8e2b3a24f6c9" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -112596,10 +112833,10 @@ rule ELASTIC_Linux_Generic_Threat_898D9308 : FILE MEMORY date = "2024-01-18" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L145-L164" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L145-L164" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ce89863a16787a6f39c25fd15ee48c4d196223668a264217f5d1cea31f8dc8ef" - logic_hash = "8b5deedf18d660d0b76dc987843ff5cc01432536a04ab4925e9b08269fd847e4" + logic_hash = "v1_sha256_8b5deedf18d660d0b76dc987843ff5cc01432536a04ab4925e9b08269fd847e4" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -112626,10 +112863,10 @@ rule ELASTIC_Linux_Generic_Threat_23D54A0E : FILE MEMORY date = "2024-01-18" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L166-L185" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L166-L185" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a2b54f789a1c4cbed13e0e2a5ab61e0ce5bb42d44fe52ad4b7dd3da610045257" - logic_hash = "7e52eaf9c49bd6cbdb89b0c525b448864e1ea55d00bc052898613174fe5956cc" + logic_hash = "v1_sha256_7e52eaf9c49bd6cbdb89b0c525b448864e1ea55d00bc052898613174fe5956cc" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -112656,10 +112893,10 @@ rule ELASTIC_Linux_Generic_Threat_D7802B0A : FILE MEMORY date = "2024-01-18" modified = "2024-02-13" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L187-L205" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L187-L205" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "a2b54f789a1c4cbed13e0e2a5ab61e0ce5bb42d44fe52ad4b7dd3da610045257" - logic_hash = "3e1452204fef11d63870af5f143ae73f4b8e5a4db83a53851444fbf8a0ea6a26" + logic_hash = "v1_sha256_3e1452204fef11d63870af5f143ae73f4b8e5a4db83a53851444fbf8a0ea6a26" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -112685,10 +112922,10 @@ rule ELASTIC_Linux_Generic_Threat_08E4Ee8C : FILE MEMORY
 date = "2024-01-18"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L207-L225"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L207-L225"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "35eeba173fb481ac30c40c1659ccc129eae2d4d922e27cf071047698e8d95aea"
- logic_hash = "a927415afbab32adee49a583fc35bc3d44764f87bbbb3497b38af6feb92cd9a8"
+ logic_hash = "v1_sha256_a927415afbab32adee49a583fc35bc3d44764f87bbbb3497b38af6feb92cd9a8"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112714,10 +112951,10 @@ rule ELASTIC_Linux_Generic_Threat_D60E5924 : FILE MEMORY
 date = "2024-01-18"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L227-L246"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L227-L246"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fdcc2366033541053a7c2994e1789f049e9e6579226478e2b420ebe8a7cebcd3"
- logic_hash = "012111e4a38c1f901dcd830cc26ef8dcfbde7986fcc8b8eebddb8d8b7a0cec6a"
+ logic_hash = "v1_sha256_012111e4a38c1f901dcd830cc26ef8dcfbde7986fcc8b8eebddb8d8b7a0cec6a"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112744,10 +112981,10 @@ rule ELASTIC_Linux_Generic_Threat_6Bed4416 : FILE MEMORY
 date = "2024-01-18"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L248-L266"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L248-L266"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a2b54f789a1c4cbed13e0e2a5ab61e0ce5bb42d44fe52ad4b7dd3da610045257"
- logic_hash = "c098e27a12d5d10af67d1b78572bc7daeb500504527428366e1d9a4e55e0f4d7"
+ logic_hash = "v1_sha256_c098e27a12d5d10af67d1b78572bc7daeb500504527428366e1d9a4e55e0f4d7"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112773,10 +113010,10 @@ rule ELASTIC_Linux_Generic_Threat_Fc5B5B86 : FILE MEMORY
 date = "2024-01-18"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L268-L286"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L268-L286"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "134b063d9b5faed11c6db6848f800b63748ca81aeca46caa0a7c447d07a9cd9b"
- logic_hash = "a11ed323df7283188cf99ca89abbd18673fef88660df1150d4dc72de04a836a8"
+ logic_hash = "v1_sha256_a11ed323df7283188cf99ca89abbd18673fef88660df1150d4dc72de04a836a8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112802,10 +113039,10 @@ rule ELASTIC_Linux_Generic_Threat_2C8D824C : FILE MEMORY
 date = "2024-01-18"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L288-L306"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L288-L306"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "9106bdd27e67d6eebfaec5b1482069285949de10afb28a538804ce64add88890"
- logic_hash = "c8fc90ec5e93ff39443f513e83f34140819a30b737da2a412ba97a7b221ca9dc"
+ logic_hash = "v1_sha256_c8fc90ec5e93ff39443f513e83f34140819a30b737da2a412ba97a7b221ca9dc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112831,10 +113068,10 @@ rule ELASTIC_Linux_Generic_Threat_936B24D5 : FILE MEMORY
 date = "2024-01-18"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L308-L326"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L308-L326"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "fb8eb0c876148a4199cc873b84fd9c1c6abc1341e02d118f72ffb0dae37592a4"
- logic_hash = "972bbc4950c49ff7bc880b1d24b586072eb8541584b97a00ac501fac133a3157"
+ logic_hash = "v1_sha256_972bbc4950c49ff7bc880b1d24b586072eb8541584b97a00ac501fac133a3157"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112860,10 +113097,10 @@ rule ELASTIC_Linux_Generic_Threat_98Bbca63 : FILE MEMORY
 date = "2024-01-22"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L328-L347"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L328-L347"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1d4d3d8e089dcca348bb4a5115ee2991575c70584dce674da13b738dd0d6ff98"
- logic_hash = "1728d47b3f364cff02ae61ccf381ecab0c1fe46a5c76d832731fdf7acc1caf55"
+ logic_hash = "v1_sha256_1728d47b3f364cff02ae61ccf381ecab0c1fe46a5c76d832731fdf7acc1caf55"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112890,10 +113127,10 @@ rule ELASTIC_Linux_Generic_Threat_9Aaf894F : FILE MEMORY
 date = "2024-01-22"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L349-L367"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L349-L367"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "467ac05956eec6c74217112721b3008186b2802af2cafed6d2038c79621bcb08"
- logic_hash = "b28d6a8c23aba4371e2e5f48861d2bcc8bdfa7212738eda7b1b4a3059d159cf2"
+ logic_hash = "v1_sha256_b28d6a8c23aba4371e2e5f48861d2bcc8bdfa7212738eda7b1b4a3059d159cf2"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112919,10 +113156,10 @@ rule ELASTIC_Linux_Generic_Threat_Ba3A047D : FILE MEMORY
 date = "2024-01-22"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L369-L388"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L369-L388"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3064e89f3585f7f5b69852f1502e34a8423edf5b7da89b93fb8bd0bef0a28b8b"
- logic_hash = "ffcfb90c0c796b7b343adbd2142193759ececddd0700c0bb4e2898947464b1a2"
+ logic_hash = "v1_sha256_ffcfb90c0c796b7b343adbd2142193759ececddd0700c0bb4e2898947464b1a2"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112949,10 +113186,10 @@ rule ELASTIC_Linux_Generic_Threat_902Cfdc5 : FILE MEMORY
 date = "2024-01-23"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L390-L408"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L390-L408"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3fa5057e1be1cfeb73f6ebcdf84e00c37e9e09f1bec347d5424dd730a2124fa8"
- logic_hash = "0f86914cb598262744660e65048f75d071307ae47d069971bfcd049a7d4b36e5"
+ logic_hash = "v1_sha256_0f86914cb598262744660e65048f75d071307ae47d069971bfcd049a7d4b36e5"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112978,10 +113215,10 @@ rule ELASTIC_Linux_Generic_Threat_094C1238 : FILE MEMORY
 date = "2024-01-23"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L410-L428"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L410-L428"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "2bfe7d51d59901af345ef06dafd8f0e950dcf8461922999670182bfc7082befd"
- logic_hash = "fb82e16bf153c88377cc8655557bc1f021af6e04e1160129ce9555e078d00a0d"
+ logic_hash = "v1_sha256_fb82e16bf153c88377cc8655557bc1f021af6e04e1160129ce9555e078d00a0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113007,10 +113244,10 @@ rule ELASTIC_Linux_Generic_Threat_A8Faf785 : FILE MEMORY
 date = "2024-01-23"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L430-L448"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L430-L448"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "6028562baf0a7dd27329c8926585007ba3e0648da25088204ebab2ac8f723e70"
- logic_hash = "3ab5d9ba39be2553173f6eb4d2a1ca22bfb9f1bd537fed247f273eba1eabd782"
+ logic_hash = "v1_sha256_3ab5d9ba39be2553173f6eb4d2a1ca22bfb9f1bd537fed247f273eba1eabd782"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113036,10 +113273,10 @@ rule ELASTIC_Linux_Generic_Threat_04E8E4A5 : FILE MEMORY
 date = "2024-01-23"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L450-L468"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L450-L468"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "248f010f18962c8d1cc4587e6c8b683a120a1e838d091284ba141566a8a01b92"
- logic_hash = "9b04725bf0a75340c011028b201ed08eb9de305a5b4630cc79156c0a847cdc9e"
+ logic_hash = "v1_sha256_9b04725bf0a75340c011028b201ed08eb9de305a5b4630cc79156c0a847cdc9e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113065,10 +113302,10 @@ rule ELASTIC_Linux_Generic_Threat_47B147Ec : FILE MEMORY
 date = "2024-02-01"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L470-L488"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L470-L488"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cc7734a10998a4878b8f0c362971243ea051ce6c1689444ba6e71aea297fb70d"
- logic_hash = "84c68f2ed76d644122daf81d41d4eb0be9aa8b1c82993464d3138ae30992110f"
+ logic_hash = "v1_sha256_84c68f2ed76d644122daf81d41d4eb0be9aa8b1c82993464d3138ae30992110f"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113094,10 +113331,10 @@ rule ELASTIC_Linux_Generic_Threat_887671E9 : FILE MEMORY
 date = "2024-02-01"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L490-L508"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L490-L508"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "701c7c75ed6a7aaf59f5a1f04192a1f7d49d73c1bd36453aed703ad5560606dc"
- logic_hash = "eefe9391a9ce716dbe16f11b8ccea89d032fdad42fcabd84ffe584409c550847"
+ logic_hash = "v1_sha256_eefe9391a9ce716dbe16f11b8ccea89d032fdad42fcabd84ffe584409c550847"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113123,10 +113360,10 @@ rule ELASTIC_Linux_Generic_Threat_9Cf10F10 : FILE MEMORY
 date = "2024-02-01"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L510-L528"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L510-L528"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d07c9be37dc37f43a54c8249fe887dbc4058708f238ff3d95ed21f874cbb84e8"
- logic_hash = "ca4ae64b73fb7013008e8049d17479032d904a3faf5ad0f2ad079971a231a3b8"
+ logic_hash = "v1_sha256_ca4ae64b73fb7013008e8049d17479032d904a3faf5ad0f2ad079971a231a3b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113152,10 +113389,10 @@ rule ELASTIC_Linux_Generic_Threat_75813Ab2 : FILE MEMORY
 date = "2024-02-01"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L530-L549"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L530-L549"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5819eb73254fd2a698eb71bd738cf3df7beb65e8fb5e866151e8135865e3fd9a"
- logic_hash = "06e5daed278273137e416ef3ee6ac8496b144a9c3ce213ec92881ba61d7db6cb"
+ logic_hash = "v1_sha256_06e5daed278273137e416ef3ee6ac8496b144a9c3ce213ec92881ba61d7db6cb"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113182,10 +113419,10 @@ rule ELASTIC_Linux_Generic_Threat_11041685 : FILE MEMORY
 date = "2024-02-01"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L551-L570"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L551-L570"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "296440107afb1c8c03e5efaf862f2e8cc6b5d2cf979f2c73ccac859d4b78865a"
- logic_hash = "19f4109e73981424527ece8c375274f97fd3042427b7875071451a8081a9aae7"
+ logic_hash = "v1_sha256_19f4109e73981424527ece8c375274f97fd3042427b7875071451a8081a9aae7"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113212,10 +113449,10 @@ rule ELASTIC_Linux_Generic_Threat_0D22F19C : FILE MEMORY
 date = "2024-02-01"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L572-L591"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L572-L591"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "da5a204af600e73184455d44aa6e01d82be8b480aa787b28a1df88bb281eb4db"
- logic_hash = "ee43796b0717717cb012385d5bb3aece433c11780f1a293d280c39411f9fed98"
+ logic_hash = "v1_sha256_ee43796b0717717cb012385d5bb3aece433c11780f1a293d280c39411f9fed98"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113242,10 +113479,10 @@ rule ELASTIC_Linux_Generic_Threat_4A46B0E1 : FILE MEMORY
 date = "2024-02-01"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L593-L612"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L593-L612"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "3ba47ba830ab8deebd9bb906ea45c7df1f7a281277b44d43c588c55c11eba34a"
- logic_hash = "e3f6804f502fad8c893fb4c3c27506b6ef17d7e0d0a01399c6d185bad92e895a"
+ logic_hash = "v1_sha256_e3f6804f502fad8c893fb4c3c27506b6ef17d7e0d0a01399c6d185bad92e895a"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113272,10 +113509,10 @@ rule ELASTIC_Linux_Generic_Threat_0A02156C : FILE MEMORY
 date = "2024-02-01"
 modified = "2024-02-13"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L614-L633"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L614-L633"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "f23d4b1fd10e3cdd5499a12f426e72cdf0a098617e6b178401441f249836371e"
- logic_hash = "3ceea812f0252ec703a92482ce7a3ef0aa65bad149df2aa0107e07a45490b8f1"
+ logic_hash = "v1_sha256_3ceea812f0252ec703a92482ce7a3ef0aa65bad149df2aa0107e07a45490b8f1"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113302,10 +113539,10 @@ rule ELASTIC_Linux_Generic_Threat_6D7Ec30A : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L635-L654"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L635-L654"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "1cad1ddad84cdd8788478c529ed4a5f25911fb98d0a6241dcf5f32b0cdfc3eb0"
- logic_hash = "33c705b89a82989c25fc67f50b06aa3a613cae567ec652d86ae64bad4b253c28"
+ logic_hash = "v1_sha256_33c705b89a82989c25fc67f50b06aa3a613cae567ec652d86ae64bad4b253c28"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113332,10 +113569,10 @@ rule ELASTIC_Linux_Generic_Threat_900Ffdd4 : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L656-L674"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L656-L674"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "a3e1a1f22f6d32931d3f72c35a5ee50092b5492b3874e9e6309d015d82bddc5d"
- logic_hash = "eb69bfc146b32e790fffdf4588b583335d2006182070b53fec43bb6e4971d779"
+ logic_hash = "v1_sha256_eb69bfc146b32e790fffdf4588b583335d2006182070b53fec43bb6e4971d779"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113361,10 +113598,10 @@ rule ELASTIC_Linux_Generic_Threat_Cb825102 : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L676-L694"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L676-L694"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4e24b72b24026e3dfbd65ddab9194bd03d09446f9ff0b3bcec76efbb5c096584"
- logic_hash = "ac48f32ec82aac6df0697729d14aaee65fba82d91173332cd13c6ccccd63b1be"
+ logic_hash = "v1_sha256_ac48f32ec82aac6df0697729d14aaee65fba82d91173332cd13c6ccccd63b1be"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113390,10 +113627,10 @@ rule ELASTIC_Linux_Generic_Threat_3Bcc1630 : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L696-L716"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L696-L716"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "62a6866e924af2e2f5c8c1f5009ce64000acf700bb5351a47c7cfce6a4b2ffeb"
- logic_hash = "6f602aac6db46ac3f5b7716a1dac53b5dbd2c583505644bfc617d69be0a2d4de"
+ logic_hash = "v1_sha256_6f602aac6db46ac3f5b7716a1dac53b5dbd2c583505644bfc617d69be0a2d4de"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -113421,10 +113658,10 @@ rule ELASTIC_Linux_Generic_Threat_5D5Fd28E : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L718-L738"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L718-L738"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "5b179a117e946ce639e99ff42ab70616ed9f3953ff90b131b4b3063f970fa955"
- logic_hash = "b29ca34b98ee87151496f900fa3558190127957539afac3fd99db2dc51980213"
+ logic_hash = "v1_sha256_b29ca34b98ee87151496f900fa3558190127957539afac3fd99db2dc51980213"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -113452,10 +113689,10 @@ rule ELASTIC_Linux_Generic_Threat_B0B891Fb : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L740-L759"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L740-L759"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "d666bc0600075f01d8139f8b09c5f4e4da17fa06a86ebb3fa0dc478562e541ae"
- logic_hash = "9ec82691a230f3240b1253f99a45cd0baa3238b6fd533004a22a6152b6ac9a12"
+ logic_hash = "v1_sha256_9ec82691a230f3240b1253f99a45cd0baa3238b6fd533004a22a6152b6ac9a12"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113482,10 +113719,10 @@ rule ELASTIC_Linux_Generic_Threat_Cd9Ce063 : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L761-L779"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L761-L779"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "485581520dd73429b662b73083d504aa8118e01c5d37c1c08b21a5db0341a19d"
- logic_hash = "ba070c2147028cad4be1c139b16a770c9d9854456d073373a93ed0b213f7b34c"
+ logic_hash = "v1_sha256_ba070c2147028cad4be1c139b16a770c9d9854456d073373a93ed0b213f7b34c"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113511,10 +113748,10 @@ rule ELASTIC_Linux_Generic_Threat_B8B076F4 : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L781-L799"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L781-L799"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "4496e77ff00ad49a32e090750cb10c55e773752f4a50be05e3c7faacc97d2677"
- logic_hash = "37f3be4cbda4a93136d66e32d7245d4c962a9fe1c98fb0325f42a1d16d6d9415"
+ logic_hash = "v1_sha256_37f3be4cbda4a93136d66e32d7245d4c962a9fe1c98fb0325f42a1d16d6d9415"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113540,10 +113777,10 @@ rule ELASTIC_Linux_Generic_Threat_1Ac392Ca : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L801-L819"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L801-L819"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "dca2d035b1f7191f7876eb727b13c308f63fe8f899cab643526f9492ec0fa16f"
- logic_hash = "6ffa5099c0d18644cd11a0511db542d2f809e4cba974eccca814fedf5a2b0a5b"
+ logic_hash = "v1_sha256_6ffa5099c0d18644cd11a0511db542d2f809e4cba974eccca814fedf5a2b0a5b"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113569,10 +113806,10 @@ rule ELASTIC_Linux_Generic_Threat_949Bf68C : FILE MEMORY
 date = "2024-02-21"
 modified = "2024-06-12"
 reference = "https://github.com/elastic/protections-artifacts/"
- source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L821-L839"
- license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt"
+ source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L821-L839"
+ license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt"
 hash = "cc1b339ff6b33912a8713c192e8743d1207917825b62b6f585ab7c8d6ab4c044"
- logic_hash = "aaae0a8a2827786513891bc8c3e3418823ae3f3291d891e80e82113b929f7513"
+ logic_hash = "v1_sha256_aaae0a8a2827786513891bc8c3e3418823ae3f3291d891e80e82113b929f7513"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113598,10 +113835,10 @@ rule ELASTIC_Linux_Generic_Threat_Bd35454B : FILE MEMORY date = "2024-02-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L841-L860" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L841-L860" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "cd729507d2e17aea23a56a56e0c593214dbda4197e8a353abe4ed0c5fbc4799c" - logic_hash = "d3619cdb002b4ac7167716234058f949623c42a64614f5eb7956866b68fff5e4" + logic_hash = "v1_sha256_d3619cdb002b4ac7167716234058f949623c42a64614f5eb7956866b68fff5e4" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -113628,10 +113865,10 @@ rule ELASTIC_Linux_Generic_Threat_1E047045 : FILE MEMORY date = "2024-02-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L862-L880" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L862-L880" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "2c49772d89bcc4ad4ed0cc130f91ed0ce1e625262762a4e9279058f36f4f5841" - logic_hash = "0d28df53e030664e7225f1170888b51e94e64833537c5add3e10cfdb4f029a3a" + logic_hash = "v1_sha256_0d28df53e030664e7225f1170888b51e94e64833537c5add3e10cfdb4f029a3a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -113657,10 +113894,10 @@ rule ELASTIC_Linux_Generic_Threat_1973391F : FILE MEMORY date = "2024-02-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L882-L901" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L882-L901" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "7bd76010f18061aeaf612ad96d7c03341519d85f6a1683fc4b2c74ea0508fe1f" - logic_hash = "632a43b68e498f463ff5dfa78212646b8bd108ea47ff11164c8c1a69e830c1ac" + logic_hash = "v1_sha256_632a43b68e498f463ff5dfa78212646b8bd108ea47ff11164c8c1a69e830c1ac" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -113687,10 +113924,10 @@ rule ELASTIC_Linux_Generic_Threat_66D00A84 : FILE MEMORY date = "2024-02-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L903-L921" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L903-L921" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "464e144bcbb54fc34262b4d81143f4e69e350fb526c803ebea1fdcfc8e57bf33" - logic_hash = "a1d60619d72b3309bfaaf8b4085dd5ed90142ff3e9ebfe80fcd7beba5f14a62e" + logic_hash = "v1_sha256_a1d60619d72b3309bfaaf8b4085dd5ed90142ff3e9ebfe80fcd7beba5f14a62e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -113716,10 +113953,10 @@ rule ELASTIC_Linux_Generic_Threat_D2Dca9E7 : FILE MEMORY date = "2024-05-20" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L923-L941" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L923-L941" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9b10bb3773011c4da44bf3a0f05b83079e4ad30f0b1eb2636a6025b927e03c7f" - logic_hash = "175b9a80314cf280b995a012f13e65bd4ce7e27faebf02ae5abe978dbd14447c" + logic_hash = "v1_sha256_175b9a80314cf280b995a012f13e65bd4ce7e27faebf02ae5abe978dbd14447c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -113745,10 +113982,10 @@ rule ELASTIC_Linux_Generic_Threat_1F5D056B : FILE MEMORY date = "2024-05-20" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L943-L962" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L943-L962" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "99d982701b156fe3523b359498c2d03899ea9805d6349416c9702b1067293471" - logic_hash = "8ad23b593880dc1bebc95c92d0efc3a90e6b1e143c350e30b1a4258502ce7fc7" + logic_hash = "v1_sha256_8ad23b593880dc1bebc95c92d0efc3a90e6b1e143c350e30b1a4258502ce7fc7" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -113775,10 +114012,10 @@ rule ELASTIC_Linux_Generic_Threat_D94E1020 : FILE MEMORY date = "2024-05-20" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L964-L982" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L964-L982" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "96a2bfbb55250b784e94b1006391cc51e4adecbdde1fe450eab53353186f6ff0" - logic_hash = "e4b4e588588080c66076aec02f56b4764a5f72059922db9651461c0287fe0351" + logic_hash = "v1_sha256_e4b4e588588080c66076aec02f56b4764a5f72059922db9651461c0287fe0351" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -113804,10 +114041,10 @@ rule ELASTIC_Linux_Generic_Threat_Aa0C23D5 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L984-L1004" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L984-L1004" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8314290b81b827e1a1d157c41916a41a1c033e4f74876acc6806ed79ebbcc13d" - logic_hash = "092f0ece2dfca3e02493c00afffe48ca4feccf56ab6f22d952a7ba5f115f3765" + logic_hash = "v1_sha256_092f0ece2dfca3e02493c00afffe48ca4feccf56ab6f22d952a7ba5f115f3765" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -113835,10 +114072,10 @@ rule ELASTIC_Linux_Generic_Threat_8299C877 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1006-L1024" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1006-L1024" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "60c486049ec82b4fa2e0a53293ae6476216b76e2c23238ef1c723ac0a2ae070c" - logic_hash = "3e0653a02517faa3037fc5f3f01f6fb11164fecafc6eca457a122ef2d1a99010" + logic_hash = "v1_sha256_3e0653a02517faa3037fc5f3f01f6fb11164fecafc6eca457a122ef2d1a99010" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -113864,10 +114101,10 @@ rule ELASTIC_Linux_Generic_Threat_81Aa5579 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1026-L1044" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1026-L1044" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6be0e2c98ba5255b76c31f689432a9de83a0d76a898c28dbed0ba11354fec6c2" - logic_hash = "c94d590daf61217335a72f3e1bc24b09084cf0a5a174c013c5aa97c01707c2bc" + logic_hash = "v1_sha256_c94d590daf61217335a72f3e1bc24b09084cf0a5a174c013c5aa97c01707c2bc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -113893,10 +114130,10 @@ rule ELASTIC_Linux_Generic_Threat_F2452362 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1046-L1065" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1046-L1065" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5ff46c27b5823e55f25c9567d687529a24a0d52dea5bc2423b36345782e6b8f6" - logic_hash = "95d51077cb7c0f4b089a2e2ee8fcbab204264ade7ddd64fc1ee0176183dc84e0" + logic_hash = "v1_sha256_95d51077cb7c0f4b089a2e2ee8fcbab204264ade7ddd64fc1ee0176183dc84e0" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -113923,10 +114160,10 @@ rule ELASTIC_Linux_Generic_Threat_Da28Eb8B : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1067-L1086" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1067-L1086" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "b3b4fcd19d71814d3b4899528ee9c3c2188e4a7a4d8ddb88859b1a6868e8433f" - logic_hash = "8b0892d0dd8a012a1f9cd87a0ad3321ae751dd17a96205c12e6648946cf2afe2" + logic_hash = "v1_sha256_8b0892d0dd8a012a1f9cd87a0ad3321ae751dd17a96205c12e6648946cf2afe2" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -113953,10 +114190,10 @@ rule ELASTIC_Linux_Generic_Threat_A40Aaa96 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1088-L1108" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1088-L1108" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "6f965252141084524f85d94169b13938721bce24cc986bf870473566b7cfd81b" - logic_hash = "ab05cbf494b3b78083fd3e71703effed797d803b0203f8a413eb69b746656b1d" + logic_hash = "v1_sha256_ab05cbf494b3b78083fd3e71703effed797d803b0203f8a413eb69b746656b1d" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -113984,10 +114221,10 @@ rule ELASTIC_Linux_Generic_Threat_E24558E1 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1110-L1130" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1110-L1130" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "9f483ddd8971cad4b25bb36a5a0cfb95c35a12c7d5cb9124ef0cfd020da63e99" - logic_hash = "f1f33c719a4b41968c137ed43aa0591f97b4558d4dd9bd160df519dfbbc49205" + logic_hash = "v1_sha256_f1f33c719a4b41968c137ed43aa0591f97b4558d4dd9bd160df519dfbbc49205" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -114015,10 +114252,10 @@ rule ELASTIC_Linux_Generic_Threat_Ace836F1 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1132-L1150" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1132-L1150" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "116aaba80e2f303206d0ba84c8c58a4e3e34b70a8ca2717fa9cf1aa414d5ffcc" - logic_hash = "c80af9d6f3e4d92cfa53429abbda944069d335fc89421a89e04089d236f5dddf" + logic_hash = "v1_sha256_c80af9d6f3e4d92cfa53429abbda944069d335fc89421a89e04089d236f5dddf" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -114044,10 +114281,10 @@ rule ELASTIC_Linux_Generic_Threat_E9Aef030 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1152-L1170" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1152-L1170" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "5ab72be12cca8275d95a90188a1584d67f95d43a7903987e734002983b5a3925" - logic_hash = "1d458e147d6667e2e0740d6d26fee05ac02f49e9eba30002852e723308b1b462" + logic_hash = "v1_sha256_1d458e147d6667e2e0740d6d26fee05ac02f49e9eba30002852e723308b1b462" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -114073,10 +114310,10 @@ rule ELASTIC_Linux_Generic_Threat_A3C5F3Bd : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1172-L1192" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1172-L1192" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "8c093bcf3d83545ec442519637c956d2af62193ea6fd2769925cacda54e672b6" - logic_hash = "41e66d1f47e7197662aa661ef49ee1f3191fee07a49538dd631ce9cc6fdd56be" + logic_hash = "v1_sha256_41e66d1f47e7197662aa661ef49ee1f3191fee07a49538dd631ce9cc6fdd56be" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -114104,10 +114341,10 @@ rule ELASTIC_Linux_Generic_Threat_3Fa2Df51 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1194-L1213" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1194-L1213" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "89ec224db6b63936e8bc772415d785ef063bfd9343319892e832034696ff6f15" - logic_hash = "f43b659dd093a635d9723b2443366763132217aaf28c582ed43f180725f92f19" + logic_hash = "v1_sha256_f43b659dd093a635d9723b2443366763132217aaf28c582ed43f180725f92f19" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -114134,10 +114371,10 @@ rule ELASTIC_Linux_Generic_Threat_Be02B1C9 : FILE MEMORY date = "2024-05-21" modified = "2024-06-12" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Generic_Threat.yar#L1215-L1233" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Generic_Threat.yar#L1215-L1233" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "ef6d47ed26f9ac96836f112f1085656cf73fc445c8bacdb737b8be34d8e3bcd2" - logic_hash = "a278c3a8033139d84c99a53901526895b154b5ef363fbeed47095889a5fb8d31" + logic_hash = "v1_sha256_a278c3a8033139d84c99a53901526895b154b5ef363fbeed47095889a5fb8d31" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -114163,10 +114400,10 @@ rule ELASTIC_Linux_Hacktool_Infectionmonkey_6C84537B : FILE MEMORY date = "2022-01-05" modified = "2022-01-26" reference = "https://github.com/elastic/protections-artifacts/" - source_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/yara/rules/Linux_Hacktool_Infectionmonkey.yar#L1-L19" - license_url = "https://github.com/elastic/protections-artifacts//blob/8824c8f250f189be8f7caf30dac0d045b7fb8651/LICENSE.txt" + source_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/yara/rules/Linux_Hacktool_Infectionmonkey.yar#L1-L19" + license_url = "https://github.com/elastic/protections-artifacts//blob/401b9f547292bee56d26a35f5f9d313b0c513e89/LICENSE.txt" hash = "d941943046db48cf0eb7f11e144a79749848ae6b50014833c5390936e829f6c3" - logic_hash = "24cb368040fffe2743d0361a955d45a62a95a31c1744f3de15089169e365bb89" + logic_hash = "v1_sha256_24cb368040fffe2743d0361a955d45a62a95a31c1744f3de15089169e365bb89" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -114187,7 +114424,7 @@ rule ELASTIC_Linux_Hacktool_Infectionmonkey_6C84537B : FILE MEMORY * YARA Rule Set * Repository Name: R3c0nst * Repository: https://github.com/fboldewin/YARA-rules/ - * Retrieval Date: 2024-12-08 + * Retrieval Date: 2024-12-15 * Git Commit: 54e9e6899b258b72074b2b4db6909257683240c2 * Number of Rules: 26 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -114202,13 +114439,13 @@ rule R3C0NST_ATM_Malware_Xfscashncr : FILE meta: description = "Detects ATM Malware XFSCashNCR" author = "Frank Boldewin (@r3c0nst)" - id = "8886cd00-4f4a-5f25-99e0-0806f5e1b4b4" + id = "83ed9f7a-a7f3-595d-b3cf-6e841c8d2e85" date = "2019-08-28" modified = "2019-08-28" reference = "https://twitter.com/r3c0nst/status/1166773324548063232" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.XFSCashNCR.yar#L1-L21" license_url = "N/A" - logic_hash = "87f197058d4b515cb4829b5e403a96b88eb95cda81e53a9e1484df8c743d8c4a" + logic_hash = "v1_sha256_87f197058d4b515cb4829b5e403a96b88eb95cda81e53a9e1484df8c743d8c4a" score = 75 quality = 90 tags = "FILE" @@ -114225,7 +114462,7 @@ rule R3C0NST_ATM_Malware_Xfscashncr : FILE $LogFile = "XfsLog.txt" nocase ascii condition: - uint16(0)==0x5A4D and filesize <1500KB and 4 of them + uint16( 0 ) == 0x5A4D and filesize < 1500KB and 4 of them } import "pe" @@ -114234,13 +114471,13 @@ rule R3C0NST_Nighthawk_RAT : FILE meta: description = "Detects Nighthawk RAT" author = "Frank Boldewin (@r3c0nst)" - id = "7a58b8bf-fb14-5758-bc2a-ad2c6fff1216" + id = "1918c4cb-ca5b-5610-9afc-8dc8dd956a2a" date = "2022-11-30" modified = "2022-11-30" reference = "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/nighthawk.yar#L3-L28" license_url = "N/A" - logic_hash = "5124f7c0186f40cf0a7706e17afe6ba791ca82ac4f4ee940f6fbae5223771a95" + logic_hash = "v1_sha256_5124f7c0186f40cf0a7706e17afe6ba791ca82ac4f4ee940f6fbae5223771a95" score = 75 quality = 90 tags = "FILE" 
@@ -114259,20 +114496,20 @@ rule R3C0NST_Nighthawk_RAT : FILE $pattern6 = { 65 48 8B 04 25 30 00 00 00 48 8B 80 } condition: - uint16(0)==0x5A4D and filesize <2MB and (3 of ($pattern*) or (pe.section_index(".profile") and pe.section_index(".detourc") and pe.section_index(".detourd"))) + uint16( 0 ) == 0x5A4D and filesize < 2MB and ( 3 of ( $pattern* ) or ( pe.section_index ( ".profile" ) and pe.section_index ( ".detourc" ) and pe.section_index ( ".detourd" ) ) ) } rule R3C0NST_ATM_Malware_XFS_ALICE : FILE { meta: description = "Detects ATM Malware ALICE" author = "Frank Boldewin (@r3c0nst)" - id = "6132730c-4684-517a-b90d-98ed250e2cba" + id = "4f2a179d-acb7-5598-a30e-e8ca091d48ad" date = "2020-01-09" modified = "2020-08-17" reference = "https://twitter.com/r3c0nst/status/1215265889844637696" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.ALICE.yar#L1-L22" license_url = "N/A" - logic_hash = "7dca049f024f09c2e778b0693a1015d1fc5a006fc564de914e85231cb5d73da3" + logic_hash = "v1_sha256_7dca049f024f09c2e778b0693a1015d1fc5a006fc564de914e85231cb5d73da3" score = 75 quality = 90 tags = "FILE" 
@@ -114290,20 +114527,20 @@ rule R3C0NST_ATM_Malware_XFS_ALICE : FILE $Code3 = {68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 0B C0 75 29 6A} condition: - uint16(0)==0x5A4D and filesize <200KB and 4 of ($String*) and all of ($Code*) + uint16( 0 ) == 0x5A4D and filesize < 200KB and 4 of ( $String* ) and all of ( $Code* ) } rule R3C0NST_UNC2891_Steelcorgi : FILE { meta: description = "Detects UNC2891 Steelcorgi packed ELF binaries" author = "Frank Boldewin (@r3c0nst)" - id = "94da7da5-5fc3-5221-97d6-1854aa7b1959" + id = "cad44f28-4757-5844-a2b1-15ac84a202e8" date = "2022-03-30" modified = "2023-01-05" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/UNC2891_Steelcorgi.yar#L1-L17" license_url = "N/A" - logic_hash = "4f956b9eaec66bc606ffd0afa2fe9303194e9a8c12d4c3de6ab2334c9856dd99" + logic_hash = "v1_sha256_4f956b9eaec66bc606ffd0afa2fe9303194e9a8c12d4c3de6ab2334c9856dd99" score = 75 quality = 90 tags = "FILE" @@ -114316,20 +114553,20 @@ rule R3C0NST_UNC2891_Steelcorgi : FILE $pattern2 = {FF 72 FF 6F FF 63 FF 2F FF 73 FF 65 FF 6C FF 66 FF 2F FF 65 FF 78 FF 65} condition: - uint32(0)==0x464c457f and all of them + uint32( 0 ) == 0x464c457f and all of them } rule R3C0NST_ATM_Malware_Javadispcash : FILE { meta: description = "Detects ATM Malware JavaDispCash" author = "Frank Boldewin (@r3c0nst)" - id = "606d1cb6-7879-569e-ac36-1e2f6a446dc1" + id = "aaf0bb83-6760-5060-b80d-79bd9d619da1" date = "2019-03-28" modified = "2019-03-28" reference = "https://twitter.com/r3c0nst/status/1111254169623674882" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Mal.JavaDispCash.yar#L1-L20" license_url = "N/A" - logic_hash = "dd7c2ccc85038f3ba563f7f814c03668448b292fde36bcf9d06bf20fd341526f" + logic_hash = "v1_sha256_dd7c2ccc85038f3ba563f7f814c03668448b292fde36bcf9d06bf20fd341526f" score = 75 quality = 74 tags = "FILE" 
@@ -114345,7 +114582,7 @@ rule R3C0NST_ATM_Malware_Javadispcash : FILE $log2 = ".loginside" nocase ascii wide condition: - uint16(0)==0x4B50 and filesize <500KB and all of them + uint16( 0 ) == 0x4B50 and filesize < 500KB and all of them } import "pe" @@ -114354,13 +114591,13 @@ rule R3C0NST_ATM_Malware_ATMITCH : FILE meta: description = "Detects ATM Malware ATMItch" author = "Frank Boldewin (@r3c0nst)" - id = "4d7e9615-9db6-5fc7-b95e-b8c7b2c034a8" + id = "7036ee7d-e608-588d-abda-12c831c7ebfd" date = "2019-03-18" modified = "2019-03-18" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.ATMItch.yar#L3-L14" license_url = "N/A" - logic_hash = "4278cbcd8c465ba57b65a166e0bd48dcc73eae8660972478d3116bc0d73cf3c4" + logic_hash = "v1_sha256_4278cbcd8c465ba57b65a166e0bd48dcc73eae8660972478d3116bc0d73cf3c4" score = 75 quality = 82 tags = "FILE" @@ -114372,7 +114609,7 @@ rule R3C0NST_ATM_Malware_ATMITCH : FILE $STRING4 = "Catch some money, bitch!" nocase ascii wide condition: - ( uint16(0)==0x5A4D and 1 of them ) or (pe.imphash()=="655ad5439db0832c5a3f86d0a68ddaac") + ( uint16( 0 ) == 0x5A4D and 1 of them ) or ( pe.imphash ( ) == "655ad5439db0832c5a3f86d0a68ddaac" ) } import "hash" 
@@ -114381,13 +114618,13 @@ rule R3C0NST_ATM_Malware_Dispenserxfs : FILE meta: description = "No description has been set in the source file - R3c0nst" author = "Frank Boldewin" - id = "52b1aa57-283b-54d7-bd1b-fb5da5f8d269" + id = "2cf94883-2fdc-5acc-bb90-fe5981ddc709" date = "2019-02-28" modified = "2019-02-28" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.DispenserXFS.yar#L3-L13" license_url = "N/A" - logic_hash = "0e588e2ba03d5eb750183600cce278e791a71f86fbf933ba9d7fda352bd37e2f" + logic_hash = "v1_sha256_0e588e2ba03d5eb750183600cce278e791a71f86fbf933ba9d7fda352bd37e2f" score = 75 quality = 59 tags = "FILE" @@ -114398,20 +114635,20 @@ rule R3C0NST_ATM_Malware_Dispenserxfs : FILE $PDB = "C:\\_bkittest\\dispenser\\Release_noToken\\dispenserXFS.pdb" nocase ascii wide condition: - (hash.sha256(0, filesize )=="867991ade335186baa19a227e3a044c8321a6cef96c23c98eef21fe6b87edf6a") or ( uint16(0)==0x5A4D and 1 of them ) + (hash.sha256 ( 0 , filesize ) == "867991ade335186baa19a227e3a044c8321a6cef96c23c98eef21fe6b87edf6a" ) or ( uint16( 0 ) == 0x5A4D and 1 of them ) } rule R3C0NST_Prolock_Malware : FILE { meta: description = "Detects Prolock malware in encrypted and decrypted mode" author = "Frank Boldewin (@r3c0nst)" - id = "1440b5f5-f1e7-522e-8852-84c326858bb9" + id = "4bc35837-dada-586c-a152-11ede6268c71" date = "2020-05-17" modified = "2020-05-20" reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Prolock.Malware.yar" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Prolock.Malware.yar#L1-L20" license_url = "N/A" - logic_hash = "7502011eba1e36c8ec699f1b627c4980cc3009bb43c5aa5a58571330e93211ea" + logic_hash = "v1_sha256_7502011eba1e36c8ec699f1b627c4980cc3009bb43c5aa5a58571330e93211ea" score = 75 quality = 90 tags = "FILE" 
@@ -114427,20 +114664,20 @@ rule R3C0NST_Prolock_Malware : FILE $CryptoCode = {B8 63 51 E1 B7 31 D2 8D BE ?? ?? ?? ?? B9 63 51 E1 B7 81 C1 B9 79 37 9E} condition: - (( uint16(0)==0x5A4D) or ( uint16(0)==0x4D42)) and filesize <100KB and all of ($DecryptionRoutine*) or (1 of ($DecryptedString*) and $CryptoCode) + (( uint16( 0 ) == 0x5A4D ) or ( uint16( 0 ) == 0x4D42 ) ) and filesize < 100KB and all of ( $DecryptionRoutine* ) or ( 1 of ( $DecryptedString* ) and $CryptoCode ) } rule R3C0NST_Stealbit : FILE { meta: description = "Detects Stealbit used by Lockbit 2.0 Ransomware Gang" author = "Frank Boldewin (@r3c0nst)" - id = "07b466cb-92b3-51f2-a702-2930bb7038c6" + id = "c24b0fac-2279-5b4e-9f0e-3e506d040081" date = "2021-08-12" modified = "2021-08-12" reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Lockbit2.Stealbit.yar" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Lockbit2.Stealbit.yar#L1-L15" license_url = "N/A" - logic_hash = "e5f770cc5887f09af0c5550073d51b9e5ffa9dcfa4db6b77bb28643f0f6224fb" + logic_hash = "v1_sha256_e5f770cc5887f09af0c5550073d51b9e5ffa9dcfa4db6b77bb28643f0f6224fb" score = 75 quality = 90 tags = "FILE" @@ -114451,7 +114688,7 @@ rule R3C0NST_Stealbit : FILE $C2Decryption = {33 C9 8B C1 83 E0 0F 8A 80 ?? ?? ?? ?? 30 81 ?? ?? ?? ?? 41 83 F9 7C 72 E9 E8} condition: - uint16(0)==0x5A4D and filesize <100KB and $C2Decryption + uint16( 0 ) == 0x5A4D and filesize < 100KB and $C2Decryption } import "hash" 
@@ -114460,14 +114697,14 @@ rule R3C0NST_ATM_Malware_Atmspitter : FILE meta: description = "Detects ATM Malware ATMSpitter" author = "Frank Boldewin (@r3c0nst)" - id = "4497f304-6f04-5f5d-91ba-9124e5262078" + id = "f9085803-ed52-5bc6-a7e0-931ea006e85d" date = "2016-07-20" modified = "2019-03-29" reference = "https://topics.amcham.com.tw/2017/02/looking-back-at-the-first-banks-atm-heist/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.ATMSpitter.yar#L3-L21" license_url = "N/A" hash = "658b0502b53f718bd0611a638dfd5969" - logic_hash = "684820ed29c50a41bd262862cb97c70c0cbb8554e7e4be300986519423249c50" + logic_hash = "v1_sha256_684820ed29c50a41bd262862cb97c70c0cbb8554e7e4be300986519423249c50" score = 75 quality = 65 tags = "FILE" 
@@ -114477,20 +114714,20 @@ rule R3C0NST_ATM_Malware_Atmspitter : FILE $Service = "Congratulations! You are very skilled in reverse engineering!" nocase ascii condition: - (hash.sha256(0, filesize )=="4035d977202b44666885f9781ac8755c799350a03838ff782eb730c0d7069958") or ($Code_Bytes and $Service) + (hash.sha256 ( 0 , filesize ) == "4035d977202b44666885f9781ac8755c799350a03838ff782eb730c0d7069958" ) or ( $Code_Bytes and $Service ) } rule R3C0NST_Exploit_Outlook_CVE_2023_23397 : CVE_2023_23397 FILE { meta: description = "Detects Outlook appointments exploiting CVE-2023-23397" author = "Frank Boldewin" - id = "7e355e5f-93ca-561d-9a12-f73f1d429e4d" + id = "126d94fe-b26d-5237-a1f6-af87cd60bbef" date = "2023-03-19" modified = "2023-03-25" reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Exploit_Outlook_CVE_2023_23397.yar#L1-L30" license_url = "N/A" - logic_hash = "1847e8223b2f6d3ec5108e15ee46ef031ee1e26d3a5e8ed4a70c77b031f6a5b6" + logic_hash = "v1_sha256_1847e8223b2f6d3ec5108e15ee46ef031ee1e26d3a5e8ed4a70c77b031f6a5b6" score = 75 quality = 86 tags = "CVE-2023-23397, FILE" 
@@ -114513,20 +114750,20 @@ rule R3C0NST_Exploit_Outlook_CVE_2023_23397 : CVE_2023_23397 FILE $mail2 = "received:" ascii wide nocase condition: - (( uint32be(0)==0xD0CF11E0 or uint32be(0)==0x789F3E22) or ( all of ($mail*))) and (($ipmtask or $ipmappointment) or ($ipmtaskb64 or $ipmappointmentb64)) and (($unc_path1 or $unc_path2) or ($unc_a or $unc_w)) + (( uint32be( 0 ) == 0xD0CF11E0 or uint32be( 0 ) == 0x789F3E22 ) or ( all of ( $mail* ) ) ) and ( ( $ipmtask or $ipmappointment ) or ( $ipmtaskb64 or $ipmappointmentb64 ) ) and ( ( $unc_path1 or $unc_path2 ) or ( $unc_a or $unc_w ) ) } rule R3C0NST_Aplib_Decompression : FILE { meta: description = "Detects aPLib decompression code often used in malware" author = "@r3c0nst" - id = "f45c73f5-d316-5fea-a8c4-fd930733415f" + id = "03d87988-1fa8-5eee-b48a-083162f37d59" date = "2021-03-24" modified = "2021-03-25" reference = "https://ibsensoftware.com/files/aPLib-1.1.1.zip" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/aPLib_decompression.yar#L1-L16" license_url = "N/A" - logic_hash = "1150701724fdb487ebe8fb959afd12fff37a8e9137cb94e78e976a2566ec5fa4" + logic_hash = "v1_sha256_1150701724fdb487ebe8fb959afd12fff37a8e9137cb94e78e976a2566ec5fa4" score = 75 quality = 90 tags = "FILE" 
@@ -114537,20 +114774,20 @@ rule R3C0NST_Aplib_Decompression : FILE $pattern3 = { 73 0A 80 FC 05 73 ?? 83 F8 7F 77 } condition: - filesize <10MB and all of them + filesize < 10MB and all of them } rule R3C0NST_UNC2891_Caketap { meta: description = "Detects UNC2891 Rootkit Caketap" author = "Frank Boldewin (@r3c0nst)" - id = "9c2ffe3d-69ca-5f93-bdb1-40e449139dec" + id = "418ee3b1-1091-5567-90dc-1f85845f0869" date = "2022-03-30" modified = "2023-01-05" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/UNC2891_Caketap.yar#L1-L16" license_url = "N/A" - logic_hash = "530a7d062a218217d2c05460428b2576c3fe2a6099c93940aabde73c513a8914" + logic_hash = "v1_sha256_530a7d062a218217d2c05460428b2576c3fe2a6099c93940aabde73c513a8914" score = 75 quality = 88 tags = "" @@ -114562,20 +114799,20 @@ rule R3C0NST_UNC2891_Caketap $code2 = {41 C6 46 01 3D 41 C6 46 08 32} condition: - uint32(0)==0x464c457f and ( all of ($code*) or ( all of ($str*) and #str2==2)) + uint32( 0 ) == 0x464c457f and ( all of ( $code* ) or ( all of ( $str* ) and #str2 == 2 ) ) } rule R3C0NST_Gamaredon_Getimportbyhash : FILE { meta: description = "Detects Gamaredon APIHashing" author = "Frank Boldewin (@r3c0nst)" - id = "8f28273e-e8ca-52cb-8dbc-a235598b1975" + id = "c10d6a44-e990-5559-a541-ce0d938592aa" date = "2021-05-12" modified = "2021-05-12" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/APT.Gamaredon.GetImportByHash.yar#L1-L16" license_url = "N/A" - logic_hash = "b3baebfb745ebc7b9e6df746bfa9622f925b8e8130932e44a148881e7d1fc162" + logic_hash = "v1_sha256_b3baebfb745ebc7b9e6df746bfa9622f925b8e8130932e44a148881e7d1fc162" score = 75 quality = 90 tags = "FILE" 
@@ -114588,20 +114825,20 @@ rule R3C0NST_Gamaredon_Getimportbyhash : FILE $djb2Hashing = { 8B 75 08 BA 05 15 00 00 8B C2 C1 E2 05 03 D0 33 DB 8A 1E 03 D3 46 33 DB 8A 1E 85 DB 75 } condition: - uint16(0)==0x5a4d and all of them + uint16( 0 ) == 0x5a4d and all of them } rule R3C0NST_ATM_Malware_Ripper : ATMRIPPER MALWARE FILE { meta: description = "Rule detects Thailand ATM Jackpot malware RIPPER (unpacked)" author = "Frank Boldewin" - id = "38dfda5b-45cc-55d4-b619-91fa31c09a09" + id = "6e57c86c-e89d-5bfe-80fd-60140c723704" date = "2016-08-01" modified = "2019-02-27" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.Ripper.yar#L1-L22" license_url = "N/A" - logic_hash = "bb7b474330defe6d071b9595687d4510961055fa243a26306698c1e029a935f1" + logic_hash = "v1_sha256_bb7b474330defe6d071b9595687d4510961055fa243a26306698c1e029a935f1" score = 75 quality = 90 tags = "ATMRIPPER, MALWARE, FILE" @@ -114617,7 +114854,7 @@ rule R3C0NST_ATM_Malware_Ripper : ATMRIPPER MALWARE FILE $Service = "DBACKUP SERVICE" nocase wide condition: - uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550 and 2 of ($Card_Hash*) and all of ($Code_Bytes*) and filesize <400KB and ($Service in (0x2f000..0x30000)) + uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 and 2 of ( $Card_Hash* ) and all of ( $Code_Bytes* ) and filesize < 400KB and ( $Service in ( 0x2f000 .. 0x30000 ) ) } import "pe" 
@@ -114626,13 +114863,13 @@ rule R3C0NST_ATM_CINEO4060_Blackbox : FILE meta: description = "Detects Malware samples for Diebold Nixdorf CINEO 4060 ATMs used in blackboxing attacks across Europe since May 2021" author = "Frank Boldewin (@r3c0nst)" - id = "8fa26e1c-2931-59c8-9cec-20dc6684b8d6" + id = "9a22c671-a442-5ba2-85b5-24fe5669baa6" date = "2021-05-25" modified = "2022-06-21" reference = "https://twitter.com/r3c0nst/status/1539036442516660224" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM_CINEO4060_Blackbox.yar#L3-L27" license_url = "N/A" - logic_hash = "80b919d03c1b9a198611994eaf2fafaf8254c73a6f0edb53b2b3eb90ea70d915" + logic_hash = "v1_sha256_80b919d03c1b9a198611994eaf2fafaf8254c73a6f0edb53b2b3eb90ea70d915" score = 75 quality = 90 tags = "FILE" 
@@ -114651,20 +114888,20 @@ rule R3C0NST_ATM_CINEO4060_Blackbox : FILE $TRICK3 = {6A 06 8B 45 FC 8B 00 B1 4F BA 1C 00 00 00} condition: - ( uint16(0)==0x4b50 and filesize <50KB and all of ($MyAgent*)) or ( uint16(0)==0x5A4D and (pe.characteristics&pe.DLL) and $Hook and $Delphi and all of ($WMIHOOK*) or all of ($TRICK*)) + ( uint16( 0 ) == 0x4b50 and filesize < 50KB and all of ( $MyAgent* ) ) or ( uint16( 0 ) == 0x5A4D and ( pe.characteristics & pe.DLL ) and $Hook and $Delphi and all of ( $WMIHOOK* ) or all of ( $TRICK* ) ) } rule R3C0NST_UNC2891_Winghook : FILE { meta: description = "Detects UNC2891 Winghook Keylogger" author = "Frank Boldewin (@r3c0nst)" - id = "e5955fa0-8204-58e3-88a6-de4b47756ede" + id = "5c45f2d6-d04c-5ea2-b5c5-d0a4cdc38158" date = "2022-03-30" modified = "2023-01-05" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/UNC2891_Winghook.yar#L1-L17" license_url = "N/A" - logic_hash = "b821d0809a91c54d06764f5a04c458ec7190b41823b2fe65d198342715f22050" + logic_hash = "v1_sha256_b821d0809a91c54d06764f5a04c458ec7190b41823b2fe65d198342715f22050" score = 75 quality = 90 tags = "FILE" 
@@ -114677,21 +114914,21 @@ rule R3C0NST_UNC2891_Winghook : FILE $str2 = "read" ascii condition: - uint32(0)==0x464c457f and filesize <100KB and 1 of ($code*) and all of ($str*) + uint32( 0 ) == 0x464c457f and filesize < 100KB and 1 of ( $code* ) and all of ( $str* ) } rule R3C0NST_ATM_Malware_Loup : FILE { meta: description = "Detects ATM Malware Loup" author = "Frank Boldewin (@r3c0nst)" - id = "4786362f-b2c5-5b69-8b06-9216561286e6" + id = "61ff98bb-b8c4-5437-b9c7-54d920245413" date = "2020-08-17" modified = "2020-08-17" reference = "https://twitter.com/r3c0nst/status/1295275546780327936" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.Loup.yar#L1-L16" license_url = "N/A" hash = "6c9e9f78963ab3e7acb43826906af22571250dc025f9e7116e0201b805dc1196" - logic_hash = "39efced4ee3a6147acf5732e4be3a5e9859268b35b79f5e8e87d7c4d77a588c0" + logic_hash = "v1_sha256_39efced4ee3a6147acf5732e4be3a5e9859268b35b79f5e8e87d7c4d77a588c0" score = 75 quality = 90 tags = "FILE" 
@@ -114702,20 +114939,20 @@ rule R3C0NST_ATM_Malware_Loup : FILE $Code = {50 68 C0 D4 01 00 8D 4D E8 51 68 2E 01 00 00 0F B7 55 08 52 E8} condition: - uint16(0)==0x5A4D and filesize <100KB and all of ($String*) and $Code + uint16( 0 ) == 0x5A4D and filesize < 100KB and all of ( $String* ) and $Code } rule R3C0NST_Shellcode_Apihashing_FIN8 { meta: description = "Detects FIN8 Shellcode APIHashing" author = "Frank Boldewin (@r3c0nst)" - id = "a5b4a925-c4cc-5d3a-a2f1-3372f77ceea2" + id = "ddd4bc7c-f71a-54f4-a4c5-fe8157519dd2" date = "2021-03-16" modified = "2021-03-25" reference = "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Shellcode.APIHashing.FIN8.yar#L1-L74" license_url = "N/A" - logic_hash = "958d6a3c0c78ad22fb56896d6a97b9fe79c56813dc36a37385f3ce5621008624" + logic_hash = "v1_sha256_958d6a3c0c78ad22fb56896d6a97b9fe79c56813dc36a37385f3ce5621008624" score = 75 quality = 90 tags = "" 
@@ -114726,23 +114963,21 @@ rule R3C0NST_Shellcode_Apihashing_FIN8 $APIHashing64bit = {49 BF 65 19 6D 1E F2 55 03 88 49 BE 37 5C 32 F4 9B 59 27 21} condition: - all of ($APIHashing32bit*) or $APIHashing64bit + all of ( $APIHashing32bit* ) or $APIHashing64bit } -import "hash" - rule R3C0NST_ATM_Malware_NVISOSPIT : FILE { meta: description = "Detects ATM Malware NVISOSPIT" author = "Frank Boldewin (@r3c0nst)" - id = "faf9e78e-9d7a-5c9b-a08e-90b895333d5c" + id = "c98eb677-32cd-5cc6-b401-9dcc7b3484f2" date = "2019-05-31" modified = "2019-05-31" reference = "https://twitter.com/r3c0nst/status/1134403094157115392" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.NVISOSPIT.yar#L3-L18" license_url = "N/A" hash = "d7ce7b152f0da49e96fa32a9336b35253905d9940b001288d0df55d8f8b3951f" - logic_hash = "11c1fea74b72a7821ce76a95846a2caff7354e71906496d9530cb44339a49a98" + logic_hash = "v1_sha256_11c1fea74b72a7821ce76a95846a2caff7354e71906496d9530cb44339a49a98" score = 75 quality = 90 tags = "FILE" 
@@ -114753,20 +114988,20 @@ rule R3C0NST_ATM_Malware_NVISOSPIT : FILE $Code = {C6 85 7D F9 FF FF 4D C6 85 7E F9 FF FF 4D C6 85 7F F9 FF FF 4B} condition: - uint16(0)==0x5A4D and filesize <100KB and 2 of them + uint16( 0 ) == 0x5A4D and filesize < 100KB and 2 of them } rule R3C0NST_Ransomware_Germanwiper : FILE { meta: description = "Detects RansomWare GermanWiper in Memory or in unpacked state" author = "Frank Boldewin (@r3c0nst)" - id = "ea71849e-62a1-5b4d-9cf7-0728192361cc" + id = "9027a17f-0e5c-5b14-8588-e1914fe95ecd" date = "2019-08-05" modified = "2019-08-05" reference = "https://twitter.com/r3c0nst/status/1158326526766657538" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Ransomware.Germanwiper.yar#L1-L25" license_url = "N/A" - logic_hash = "563ad59abd09d9a5fcfcf5ed48dc1e3c48b4bb198c20721d5af531da20d2b0d3" + logic_hash = "v1_sha256_563ad59abd09d9a5fcfcf5ed48dc1e3c48b4bb198c20721d5af531da20d2b0d3" score = 75 quality = 90 tags = "FILE" @@ -114787,20 +115022,20 @@ rule R3C0NST_Ransomware_Germanwiper : FILE $RansomNote = "Entschluesselungs_Anleitung.html" nocase ascii condition: - uint16(0)==0x5A4D and filesize <1000KB and 5 of them + uint16( 0 ) == 0x5A4D and filesize < 1000KB and 5 of them } rule R3C0NST_UNC2891_Slapstick : FILE { meta: description = "Detects UNC2891 Slapstick pam backdoor" author = "Frank Boldewin (@r3c0nst)" - id = "a731acff-f657-5877-859e-7447230576df" + id = "c7774a73-3eee-5bc9-bc9c-aead8151e7bb" date = "2022-03-30" modified = "2023-01-05" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/UNC2891_Slapstick.yar#L1-L19" license_url = "N/A" - logic_hash = "7777c3b850f5b7ee326be5461ebc3bf37fb201b67ada78b50575fb31f50adf9a" + logic_hash = "v1_sha256_7777c3b850f5b7ee326be5461ebc3bf37fb201b67ada78b50575fb31f50adf9a" score = 75 quality = 90 tags = "FILE" 
@@ -114815,20 +115050,20 @@ rule R3C0NST_UNC2891_Slapstick : FILE $str4 = "ACCESS GRANTED & WELCOME" xor condition: - uint32(0)==0x464c457f and filesize <100KB and ( all of ($code*) or all of ($str*)) + uint32( 0 ) == 0x464c457f and filesize < 100KB and ( all of ( $code* ) or all of ( $str* ) ) } rule R3C0NST_ATM_Malware_XFS_DIRECT : FILE { meta: description = "Detects ATM Malware XFS_DIRECT" author = "Frank Boldewin (@r3c0nst)" - id = "d1551c50-d3d2-56fd-a6b7-198d3a26ac72" + id = "93684e56-642e-5826-897b-bcd32beec4a5" date = "2019-10-18" modified = "2019-10-19" reference = "https://twitter.com/r3c0nst/status/1185237040583106560" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.XFS_DIRECT.yar#L1-L37" license_url = "N/A" - logic_hash = "844a334d0eb8516c0ef3780e48e3dbc8e23d41c80bdff10f01407b775e72709e" + logic_hash = "v1_sha256_844a334d0eb8516c0ef3780e48e3dbc8e23d41c80bdff10f01407b775e72709e" score = 75 quality = 90 tags = "FILE" @@ -114857,7 +115092,7 @@ rule R3C0NST_ATM_Malware_XFS_DIRECT : FILE $Code2 = {8B ?? ?? ?? 68 2E 01 00 00 52 C7 ?? 06 01 00 00 00} condition: - uint16(0)==0x5A4D and ( filesize <1500KB and all of ($EncLayer*)) or ( filesize <300KB and 4 of ($String*) and all of ($Code*)) + uint16( 0 ) == 0x5A4D and ( filesize < 1500KB and all of ( $EncLayer* ) ) or ( filesize < 300KB and 4 of ( $String* ) and all of ( $Code* ) ) } import "pe" 
@@ -114866,13 +115101,13 @@ rule R3C0NST_ATM_Malware_Ploutusi : FILE meta: description = "Detects Ploutus I .NET samples based on MetabaseQ report" author = "Frank Boldewin (@r3c0nst)" - id = "02104112-6f81-5d19-935d-45cfcd2fa41c" + id = "cdd6a63c-b961-5f01-84a1-27cfc6f59a4c" date = "2021-03-03" modified = "2021-03-04" reference = "https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.Ploutus-I.yar#L3-L26" license_url = "N/A" - logic_hash = "77100d300a40219187f5c4b8270f599a91652b69980fe450b791181b8c30b5a4" + logic_hash = "v1_sha256_77100d300a40219187f5c4b8270f599a91652b69980fe450b791181b8c30b5a4" score = 75 quality = 90 tags = "FILE" 
@@ -114885,20 +115120,20 @@ rule R3C0NST_ATM_Malware_Ploutusi : FILE $Code = {28 ?? 02 00 06 2a} condition: - filesize <300KB and $Code and pe.pdb_path contains "Diebold.pdb" and pe.imports("mscoree.dll","_CorExeMain") and ( for any i in (0..pe.number_of_resources-1) : (pe.resources[i].type==pe.RESOURCE_TYPE_VERSION and (pe.version_info["InternalName"] contains "Diebold.exe"))) + filesize < 300KB and $Code and pe.pdb_path contains "Diebold.pdb" and pe.imports ( "mscoree.dll" , "_CorExeMain" ) and ( for any i in ( 0 .. pe.number_of_resources - 1 ) : ( pe.resources [ i ] . type == pe.RESOURCE_TYPE_VERSION and ( pe.version_info [ "InternalName" ] contains "Diebold.exe" ) ) ) } rule R3C0NST_ATM_Malware_XFSADM : FILE { meta: description = "Detects ATM Malware XFSADM" author = "Frank Boldewin (@r3c0nst)" - id = "57124fef-73a1-5978-b165-b1b7d7c1196e" + id = "97fcc566-a0a9-5d3e-a142-90bd57280eae" date = "2019-06-21" modified = "2019-07-11" reference = "https://twitter.com/r3c0nst/status/1149043362244308992" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.XFSADM.yar#L1-L24" license_url = "N/A" - logic_hash = "2dd0b9e0a2dd18725c9342a234520c96c6b30cf3ce7196562b2380a39f5f8673" + logic_hash = "v1_sha256_2dd0b9e0a2dd18725c9342a234520c96c6b30cf3ce7196562b2380a39f5f8673" score = 75 quality = 84 tags = "FILE" 
@@ -114918,20 +115153,20 @@ rule R3C0NST_ATM_Malware_XFSADM : FILE $TmpFile = "~pipe.tmp" nocase ascii condition: - uint16(0)==0x5A4D and filesize <500KB and 4 of them + uint16( 0 ) == 0x5A4D and filesize < 500KB and 4 of them } rule R3C0NST_ATM_Malware_Dispcashbr : FILE { meta: description = "Detects ATM Malware DispCashBR" author = "Frank Boldewin (@r3c0nst)" - id = "17d22120-0ca2-5b27-9816-21ab4a6fb20c" + id = "b1d93e57-a37a-54b3-b8c6-0ccddc451d0b" date = "2020-02-27" modified = "2020-08-17" reference = "https://twitter.com/r3c0nst/status/1232944566208286720" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.DispCashBR.yar#L1-L21" license_url = "N/A" - logic_hash = "3fb5d62cb779ddc13e9b938290dfa9d2a3353d7969e639a662c1bcaca945de4d" + logic_hash = "v1_sha256_3fb5d62cb779ddc13e9b938290dfa9d2a3353d7969e639a662c1bcaca945de4d" score = 75 quality = 90 tags = "FILE" @@ -114948,16 +115183,16 @@ rule R3C0NST_ATM_Malware_Dispcashbr : FILE $Code3 = {89 4C 24 08 C7 44 24 04 2E 01 00 00 89 04 24 E8} condition: - uint16(0)==0x5A4D and filesize <100KB and 2 of ($String*) and 1 of ($DbgStr*) and all of ($Code*) + uint16( 0 ) == 0x5A4D and filesize < 100KB and 2 of ( $String* ) and 1 of ( $DbgStr* ) and all of ( $Code* ) } /* * YARA Rule Set * Repository Name: CAPE * Repository: https://github.com/kevoreilly/CAPEv2 - * Retrieval Date: 2024-12-08 - * Git Commit: ca46353c771fd52356f83576df5b5c783af00d48 + * Retrieval Date: 2024-12-15 + * Git Commit: 7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43 * Number of Rules: 165 - * Skipped: 0 (age), 14 (quality), 3 (score), 0 (importance) + * Skipped: 0 (age), 13 (quality), 3 (score), 0 (importance) * * * LICENSE 
@@ -115633,13 +115868,13 @@ rule CAPE_Themida : FILE meta: description = "Themida Packer" author = "kevoreilly" - id = "cd5c8b08-4864-57f7-b218-1bcb6892bea8" + id = "aa71ae58-2673-5c86-9c05-153c7d112f45" date = "2024-09-11" modified = "2024-09-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/binaries/Themida.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "c4f1e01a3fe3cb66062ce03253bfe9edc09dc6f1a77db99b281106e8ceff9257" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/binaries/Themida.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_c4f1e01a3fe3cb66062ce03253bfe9edc09dc6f1a77db99b281106e8ceff9257" score = 75 quality = 70 tags = "FILE" 
@@ -115649,20 +115884,20 @@ rule CAPE_Themida : FILE $code = {FC 31 C9 49 89 CA 31 C0 31 DB AC 30 C8 88 E9 88 D5 88 F2 B6 08 66 D1 EB 66 D1 D8 73 09} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Megacortex : FILE { meta: description = "MegaCortex Payload" author = "kevoreilly" - id = "ea3dd937-2cb1-5b0f-98b8-154aacaf8650" + id = "e7b56c55-dd08-53cf-9a20-3d15c524318f" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/MegaCortex.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "5de1d8241260070241c91b97f18feb2a90069e3b158e863e2d9f568799c244e6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/MegaCortex.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_5de1d8241260070241c91b97f18feb2a90069e3b158e863e2d9f568799c244e6" score = 75 quality = 70 tags = "FILE" 
@@ -115674,20 +115909,20 @@ rule CAPE_Megacortex : FILE $sha256 = {98 2F 8A 42 91 44 37 71 CF FB C0 B5 A5 DB B5 E9} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Sedreco : FILE { meta: description = "Sedreco encrypt function entry" author = "kevoreilly" - id = "5b9ee4af-50a4-597c-8fa5-f2094c312d23" + id = "1802d857-dfc9-59fe-b678-5eb28685a697" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Sedreco.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "f735549606917f59a19157e604e54766e4456bc5d46e94cae3e0a3c18b52a7ca" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Sedreco.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_f735549606917f59a19157e604e54766e4456bc5d46e94cae3e0a3c18b52a7ca" score = 75 quality = 70 tags = "FILE" 
@@ -115699,20 +115934,20 @@ rule CAPE_Sedreco : FILE $encrypt64_1 = {48 89 4C 24 08 53 55 56 57 41 54 41 56 48 83 EC 18 45 8D 34 10 48 8B E9 B8 AB AA AA AA 4D 8B E1 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA} condition: - uint16(0)==0x5A4D and $encrypt1 or $encrypt2 or $encrypt64_1 + uint16( 0 ) == 0x5A4D and $encrypt1 or $encrypt2 or $encrypt64_1 } rule CAPE_Kronos : FILE { meta: description = "Kronos Payload" author = "kevoreilly" - id = "921a939b-a037-5973-bd8e-f9f55fce7f0f" + id = "b6a3b572-bc95-5787-8e22-4f84ce0356d0" date = "2020-07-02" modified = "2020-07-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Kronos.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "52ce9caf3627efe8ae86df6ca59e51e9f738e13ac0265f797e8d70123dbcaeb3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Kronos.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_52ce9caf3627efe8ae86df6ca59e51e9f738e13ac0265f797e8d70123dbcaeb3" score = 75 quality = 70 tags = "FILE" 
@@ -115725,20 +115960,20 @@ rule CAPE_Kronos : FILE $a4 = "Kronos" fullword ascii wide condition: - uint16(0)==0x5A4D and (2 of ($a*)) + uint16( 0 ) == 0x5A4D and ( 2 of ( $a* ) ) } rule CAPE_Varenyky : FILE { meta: description = "Varenyky Payload" author = "kevoreilly" - id = "e01695fa-72a0-5d8e-86ab-8c909d28b8ec" + id = "40d4c34c-3afe-5681-b894-b133ac4c944e" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Varenyky.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "602f1b8b60b29565eabe2171fde4eb58546af68f8acecad402a7a51ea9a08ed9" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Varenyky.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_602f1b8b60b29565eabe2171fde4eb58546af68f8acecad402a7a51ea9a08ed9" score = 75 quality = 70 tags = "FILE" 
@@ -115748,21 +115983,21 @@ rule CAPE_Varenyky : FILE $onion = "jg4rli4xoagvvmw47fr2bnnfu7t2epj6owrgyoee7daoh4gxvbt3bhyd.onion" condition: - uint16(0)==0x5A4D and ($onion) + uint16( 0 ) == 0x5A4D and ( $onion ) } rule CAPE_Amadey : FILE { meta: description = "Amadey Payload" author = "kevoreilly" - id = "b9d81aa8-5504-5b71-86c7-8c00d75479ad" + id = "e01382a4-3380-57c9-b495-c1b644897e28" date = "2023-09-04" modified = "2023-09-04" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Amadey.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Amadey.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "988258716d5296c1323303e8fe4efd7f4642c87bfdbe970fe9a3bb3f410f70a4" - logic_hash = "38f710b422a3644c9f0f3e80ad9ff28ef02050368c651a6cc2ce8b152b67bf48" + logic_hash = "v1_sha256_38f710b422a3644c9f0f3e80ad9ff28ef02050368c651a6cc2ce8b152b67bf48" score = 75 quality = 70 tags = "FILE" 
@@ -115774,20 +116009,20 @@ rule CAPE_Amadey : FILE $decode3 = {8A 04 02 88 04 0F 41 8B 7D ?? 8D 42 01 3B CB 7C} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Rokrat : FILE { meta: description = "RokRat Payload" author = "kevoreilly" - id = "12e05b90-9771-5901-ae82-9fd2ea6263e7" + id = "59353f62-2563-55c8-bce1-e217c21eae04" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/RokRat.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "2aaa7de7ccd59e0da690f4bc0c7deaacf61314d61f8d2aa3ce6f6892f50612ec" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/RokRat.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_2aaa7de7ccd59e0da690f4bc0c7deaacf61314d61f8d2aa3ce6f6892f50612ec" score = 75 quality = 70 tags = "FILE" 
@@ -115798,20 +116033,20 @@ rule CAPE_Rokrat : FILE $string1 = "/pho_%s_%d.jpg" wide condition: - uint16(0)==0x5A4D and ( any of ($code*)) and ( any of ($string*)) + uint16( 0 ) == 0x5A4D and ( any of ( $code* ) ) and ( any of ( $string* ) ) } rule CAPE_Eternalromance : FILE { meta: description = "EternalRomance Exploit" author = "kevoreilly" - id = "34035076-9dda-5e32-bd0b-d0257a96329b" + id = "b8510e8b-fd5a-5934-8d97-39910f8a8b1e" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/EternalRomance.yar#L1-L33" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "5390fae3e2411a715cdc965df8648c0c4c511d53d5f76031714f1b784b58eb0d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/EternalRomance.yar#L1-L33" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_5390fae3e2411a715cdc965df8648c0c4c511d53d5f76031714f1b784b58eb0d" score = 75 quality = 68 tags = "FILE" 
@@ -115843,20 +116078,20 @@ rule CAPE_Eternalromance : FILE $pipe12 = "wkssvc" condition: - uint16(0)==0x5A4D and ( all of ($SMB*)) and $ipc and ( any of ($session*)) and ( any of ($pipe*)) + uint16( 0 ) == 0x5A4D and ( all of ( $SMB* ) ) and $ipc and ( any of ( $session* ) ) and ( any of ( $pipe* ) ) } rule CAPE_Vidar : FILE { meta: description = "Vidar Payload" author = "kevoreilly,rony" - id = "9e4e797f-880e-54eb-ad44-caad0ec5683c" + id = "0759ea8a-2be5-5402-9cc9-3477c1483924" date = "2023-04-21" modified = "2023-04-21" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Vidar.yar#L1-L22" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "5d4c030536ed41cf4e0dcb77b2fe4553d789ee2b8095a4b3e050692335a8709d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Vidar.yar#L1-L22" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_5d4c030536ed41cf4e0dcb77b2fe4553d789ee2b8095a4b3e050692335a8709d" score = 75 quality = 70 tags = "FILE" 
@@ -115877,20 +116112,20 @@ rule CAPE_Vidar : FILE $s8 = "Downloads\\%s_%s.txt" fullword ascii wide condition: - uint16be(0)==0x4d5a and 6 of them + uint16be( 0 ) == 0x4d5a and 6 of them } rule CAPE_Zeuspanda : FILE { meta: description = "ZeusPanda Payload" author = "kevoreilly" - id = "7891c021-6687-5457-b9e1-0beb0472647c" + id = "ad0f23bd-9622-567f-89e2-277a6d63b4e8" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/ZeusPanda.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "43d8a56cae9fd23c053f6956851734d3270b46a906236854502c136e3bb1e761" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/ZeusPanda.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_43d8a56cae9fd23c053f6956851734d3270b46a906236854502c136e3bb1e761" score = 75 quality = 70 tags = "FILE" 
@@ -115901,20 +116136,20 @@ rule CAPE_Zeuspanda : FILE $code2 = {8D 85 B0 FD FF FF 50 68 ?? ?? ?? ?? 8D 85 90 FA FF FF 68 0E 01 00 00 50 E8 ?? ?? ?? ?? 83 C4 10 83 F8 FF 7E ?? 68 04 01 00 00 8D 85 B0 FD FF FF} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Nettraveler : FILE { meta: description = "NetTraveler Payload" author = "kevoreilly" - id = "242e1c3f-5460-5393-9c07-cfab25860796" + id = "70c62d7c-38df-5162-8891-830363008a27" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/NetTraveler.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "bf5026f1a1cb3d6986a29d22657a9f1904b362391a6715d7468f8f8aca351233" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/NetTraveler.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_bf5026f1a1cb3d6986a29d22657a9f1904b362391a6715d7468f8f8aca351233" score = 75 quality = 70 tags = "FILE" 
@@ -115926,20 +116161,20 @@ rule CAPE_Nettraveler : FILE $string3 = "Memory: Total:%dMB,Left:%dMB (for %.2f%s)" condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Buerloader : FILE { meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly & Rony (@r0ny_123)" - id = "95a9b4d7-db1e-50cd-bc08-01e4e4fd6dc4" + id = "ae102f11-4258-59e8-ac06-084707d809b4" date = "2022-05-31" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/BuerLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "05c1f008f0a2bb8232867977fb23a5ae8312f10f0637c6265561052596319c29" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/BuerLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_05c1f008f0a2bb8232867977fb23a5ae8312f10f0637c6265561052596319c29" score = 75 quality = 70 tags = "FILE" 
@@ -115951,20 +116186,20 @@ rule CAPE_Buerloader : FILE $op = {33 C0 85 D2 7E 1? 3B C7 7D [0-15] 40 3B C2 7C ?? EB 02} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Petya : FILE { meta: description = "Petya Payload" author = "kevoreilly" - id = "e581747c-c40f-5689-84b4-d55134b532f7" + id = "5f036bc7-a580-5c27-bc5a-955db340102c" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Petya.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "f819261bb34f3b2eb7dc2f843b56be25105570fe902a77940a632a54fbe0d014" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Petya.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_f819261bb34f3b2eb7dc2f843b56be25105570fe902a77940a632a54fbe0d014" score = 75 quality = 70 tags = "FILE" 
@@ -115976,21 +116211,21 @@ rule CAPE_Petya : FILE $a3 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" wide condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Oyster { meta: description = "Oyster Payload" author = "enzok" - id = "29443d00-e3de-53fd-b617-df470a30e805" + id = "0b785600-5165-5e76-b991-f6e1885884eb" date = "2024-05-30" modified = "2024-05-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Oyster.yar#L1-L19" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Oyster.yar#L1-L19" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650" - logic_hash = "23ab1518712dbce8319b87785d7ffc0c2b61de82c2bbf533ebf0aae39ec33540" + logic_hash = "v1_sha256_23ab1518712dbce8319b87785d7ffc0c2b61de82c2bbf533ebf0aae39ec33540" score = 75 quality = 70 tags = "" 
@@ -116014,13 +116249,13 @@ rule CAPE_Zerot : FILE meta: description = "ZeroT Payload" author = "kevoreilly" - id = "dc5dc18c-2ec6-541d-905c-42543f17b16d" + id = "73d5355d-7133-5a8a-aeac-0a42194a2603" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/ZeroT.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "f60ae25ac3cd741b8bdc5100b5d3c474b5d9fbe8be88bfd184994bae106c3803" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/ZeroT.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_f60ae25ac3cd741b8bdc5100b5d3c474b5d9fbe8be88bfd184994bae106c3803" score = 75 quality = 68 tags = "FILE" 
@@ -116034,20 +116269,20 @@ rule CAPE_Zerot : FILE $string4 = "open" condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Quasarrat : FILE { meta: description = "QuasarRAT payload" author = "ditekshen" - id = "f256b88f-eee6-5f8c-afd6-32ed10ea908d" + id = "f2b5ea2f-bfed-5c69-8771-20e610eeb1b5" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/QuasarRAT.yar#L1-L22" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "556b19dc0980761198ea31a285f281adae084463d24bff1eda15326436ad562b" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/QuasarRAT.yar#L1-L22" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_556b19dc0980761198ea31a285f281adae084463d24bff1eda15326436ad562b" score = 75 quality = 70 tags = "FILE" 
@@ -116069,20 +116304,20 @@ rule CAPE_Quasarrat : FILE $us2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" fullword wide condition: - uint16(0)==0x5a4d and ($mutex or ( all of ($ua*) and 2 of them ) or 6 of ($s*)) + uint16( 0 ) == 0x5a4d and ( $mutex or ( all of ( $ua* ) and 2 of them ) or 6 of ( $s* ) ) } rule CAPE_Quasarrat_Kingrat { meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "dc0139e1-9f69-51da-b28f-212358b2f68b" + id = "bc63e504-9508-50a1-80de-635ccd5ea275" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/QuasarRAT.yar#L24-L43" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "1f4296a592134edbe52e256dc353143af02e897ff1afad98f3dac0c5ab13f3f7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/QuasarRAT.yar#L24-L43" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_1f4296a592134edbe52e256dc353143af02e897ff1afad98f3dac0c5ab13f3f7" score = 75 quality = 70 tags = "" 
@@ -116102,20 +116337,20 @@ rule CAPE_Quasarrat_Kingrat $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 } condition: - 6 of them and #patt_config>=10 + 6 of them and #patt_config >= 10 } rule CAPE_Ursnif : FILE { meta: description = "Ursnif Payload" author = "kevoreilly & enzo" - id = "200c2227-0d34-5e4a-b5aa-ab63a077d141" + id = "d6392693-7bcb-52eb-b7ce-5e714a2728d1" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Ursnif.yar#L1-L19" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "46e79fde81ff5352314618021e394b2e0322df07170c7279363290b7134935fd" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Ursnif.yar#L1-L19" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_46e79fde81ff5352314618021e394b2e0322df07170c7279363290b7134935fd" score = 75 quality = 70 tags = "FILE" 
@@ -116132,20 +116367,20 @@ rule CAPE_Ursnif : FILE $decrypt_config32 = {8B ?? 08 5? 33 F? 3B [1-2] 74 14 A1 0? ?? ?? ?? 35 ?? ?? ?? ?? 50 8B D? E8 ?? D? 00 00 EB 02 33 C0 ?B ?? ?? ?? ?? ?? ?? ?? 74 14 8D 4D ?? ?? ?? 50 FF D? 85 C0 74 08} condition: - uint16(0)==0x5A4D and ($decrypt_config64 and any of ($crypto64*)) or ($decrypt_config32 and any of ($crypto32*)) + uint16( 0 ) == 0x5A4D and ( $decrypt_config64 and any of ( $crypto64* ) ) or ( $decrypt_config32 and any of ( $crypto32* ) ) } rule CAPE_Tscookie : FILE { meta: description = "TSCookie Payload" author = "kevoreilly" - id = "e1efd356-7170-5454-bf40-68927c71816c" + id = "7ecf4235-c03b-5abf-83cd-72e1cf6694f7" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/TSCookie.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "0461c7fd14c74646437654f0a63a4a89d4efad620e197a8ca1e8d390618842c3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/TSCookie.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_0461c7fd14c74646437654f0a63a4a89d4efad620e197a8ca1e8d390618842c3" score = 75 quality = 70 tags = "FILE" 
@@ -116157,20 +116392,20 @@ rule CAPE_Tscookie : FILE $string3 = "\\wship6" condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Dridexv4 : FILE { meta: description = "Dridex v4 Payload" author = "kevoreilly" - id = "c396f664-9f0d-50ac-bce8-33fd8712645a" + id = "0ec7095b-fad7-51f7-9d99-ad1b47bfcf24" date = "2022-05-31" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/DridexV4.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "cb103fe5f2d4792e3c612db4e2d84a4c8b0ce0f9a8443e9147e2c345f1dbdff6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/DridexV4.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_cb103fe5f2d4792e3c612db4e2d84a4c8b0ce0f9a8443e9147e2c345f1dbdff6" score = 75 quality = 70 tags = "FILE" 
@@ -116184,20 +116419,20 @@ rule CAPE_Dridexv4 : FILE $bot_stub_64 = {8B 44 24 ?? 89 C1 89 CA 4C 8B 05 [4] 4C 8B 4C 24 ?? 45 8A 14 11 83 E0 1F 89 C0 41 89 C3 47 2A 14 18 44 88 54 14} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Seduploader : FILE { meta: description = "Seduploader decrypt function" author = "kevoreilly" - id = "a7152d8c-a197-5784-8a6d-453d41585df1" + id = "16204882-e060-5271-b15e-cb02694f22f6" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Seduploader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "d70c886699169d4dafc5b063c93682a34af5667df6d293b52256ddc19ab9c516" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Seduploader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_d70c886699169d4dafc5b063c93682a34af5667df6d293b52256ddc19ab9c516" score = 75 quality = 70 tags = "FILE" 
@@ -116207,20 +116442,20 @@ rule CAPE_Seduploader : FILE $decrypt1 = {8D 0C 30 C7 45 FC 0A 00 00 00 33 D2 F7 75 FC 8A 82 ?? ?? ?? ?? 32 04 0F 88 01 8B 45 0C 40 89 45 0C 3B C3 7C DB} condition: - uint16(0)==0x5A4D and any of ($decrypt*) + uint16( 0 ) == 0x5A4D and any of ( $decrypt* ) } rule CAPE_Wanacry : FILE { meta: description = "WanaCry Payload" author = "kevoreilly" - id = "a6525e0f-fccd-5542-9be8-e42d708fe502" + id = "5018de3a-dde6-5a49-867b-2ae3629da70e" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/WanaCry.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "16d5e39f043d27bbf22f8f21e13971b7e0709b07e44746dd157d11ee4cc51944" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/WanaCry.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_16d5e39f043d27bbf22f8f21e13971b7e0709b07e44746dd157d11ee4cc51944" score = 75 quality = 70 tags = "FILE" 
@@ -116234,20 +116469,20 @@ rule CAPE_Wanacry : FILE $taskstart = {8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Bazar : FILE { meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly" - id = "e042f180-2a82-5c93-9858-77281557dd10" + id = "c07c7874-de46-5875-9fa2-b1ca70c563d7" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Bazar.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "9375f59b56e47fd0b90b089afdf3be8f16f960038fc625523a2e2d5509ab099d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Bazar.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_9375f59b56e47fd0b90b089afdf3be8f16f960038fc625523a2e2d5509ab099d" score = 75 quality = 70 tags = "FILE" 
@@ -116258,20 +116493,20 @@ rule CAPE_Bazar : FILE $rsa = {C7 00 52 53 41 33 48 8D 48 09 C7 40 04 00 08 00 00 4C 8D 05 [3] 00 C6 40 08 03 B8 09 00 00 00 [0-3] 48 8D 89 80 00 00 00 41 0F 10 00} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Remcos : FILE { meta: description = "Remcos Payload" author = "kevoreilly" - id = "f77295ca-02d5-5b2c-80b8-b6566610bff8" + id = "10ad5554-bfc6-5fad-9be3-0da507b8e5df" date = "2022-05-10" modified = "2022-05-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Remcos.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "38142e784ad437d9592353b924f74777bb62e5ed176c811230a2021a437d4710" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Remcos.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_38142e784ad437d9592353b924f74777bb62e5ed176c811230a2021a437d4710" score = 75 quality = 68 tags = "FILE" 
@@ -116284,20 +116519,20 @@ rule CAPE_Remcos : FILE $crypto2 = {0F B6 [1-7] 8B 45 08 [0-2] 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 ?? ?? FF FF 30 06 47 3B 7D 0C 72} condition: - uint16(0)==0x5A4D and ($name) and ($time) and any of ($crypto*) + uint16( 0 ) == 0x5A4D and ( $name ) and ( $time ) and any of ( $crypto* ) } rule CAPE_Cerber : FILE { meta: description = "Cerber Payload" author = "kevoreilly" - id = "edf08795-cf54-5822-8bc4-35cfba0fe8e8" + id = "ba155915-545e-5806-ba25-54b5ed42019b" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Cerber.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "16a8f808c28d3b142c079a305aba7f553f2452e439710bf610a06f8f2924d5a3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Cerber.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_16a8f808c28d3b142c079a305aba7f553f2452e439710bf610a06f8f2924d5a3" score = 75 quality = 70 tags = "FILE" @@ -116307,7 +116542,7 @@ rule CAPE_Cerber : FILE $code1 = {33 C0 66 89 45 8? 8D 7D 8? AB AB AB AB AB [0-2] 66 AB 8D 45 8? [0-3] E8 ?? ?? 00 00} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } import "pe" 
@@ -116316,13 +116551,13 @@ rule CAPE_Nighthawk meta: description = "NightHawk C2" author = "Nikhil Ashok Hegde <@ka1do9>" - id = "096b9d13-6aa7-5b6e-aaeb-e25aa7c8c53f" + id = "e0a97066-f2cc-5888-984a-c54a6a016754" date = "2022-12-05" modified = "2022-12-05" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Nighthawk.yar#L3-L24" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "2d77912678e06503ffef0e8ed84aa4f9ac74357480d57742fbae619acebfb5f2" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Nighthawk.yar#L3-L24" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_2d77912678e06503ffef0e8ed84aa4f9ac74357480d57742fbae619acebfb5f2" score = 75 quality = 70 tags = "" 
@@ -116334,21 +116569,21 @@ rule CAPE_Nighthawk $aes_inv_sbox = { 52 09 6A D5 30 36 A5 38 BF } condition: - pe.is_pe and for any s in pe.sections : (s.name==".profile") and all of them + pe.is_pe and for any s in pe.sections : ( s.name == ".profile" ) and all of them } rule CAPE_Qakbot5 : FILE { meta: description = "QakBot v5 Payload" author = "kevoreilly, enzok" - id = "48866cdd-f60e-50b8-85f9-573710934b0b" + id = "af510223-ed0d-5d2c-abe1-7cec43de61ad" date = "2024-04-28" modified = "2024-04-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/QakBot.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/QakBot.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35" - logic_hash = "cc23a92f45619d44af824128b743c259dd9dfa7cb5106932f3425f3dfd1dccdf" + logic_hash = "v1_sha256_cc23a92f45619d44af824128b743c259dd9dfa7cb5106932f3425f3dfd1dccdf" score = 75 quality = 70 tags = "FILE" 
@@ -116361,20 +116596,20 @@ rule CAPE_Qakbot5 : FILE $campaign = {0F B7 1D [4] B? [2] 00 00 E8 [4] 8B D3 4? 89 44 24 ?? 4? 33 C9 4? 8D 0D [4] 4? 8B C0 4? 8B F8 E8} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Qakbot4 : FILE { meta: description = "QakBot v4 Payload" author = "kevoreilly" - id = "d2c5316c-22cc-5b6d-b6a2-b1d23a06d16b" + id = "478dd460-a6c7-5491-92a0-d3997d6bed67" date = "2024-04-28" modified = "2024-04-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/QakBot.yar#L17-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "b2870e33abffbb3ff49b7891b0f5c538ab48ee63da5553929d4e37dec921344f" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/QakBot.yar#L17-L35" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_b2870e33abffbb3ff49b7891b0f5c538ab48ee63da5553929d4e37dec921344f" score = 75 quality = 70 tags = "FILE" 
@@ -116392,20 +116627,20 @@ rule CAPE_Qakbot4 : FILE $call_decrypt = {83 7D ?? 00 56 74 0B FF 75 10 8B F3 E8 [4] 59 8B 45 0C 83 F8 28 72 19 8B 55 08 8B 37 8D 48 EC 6A 14 8D 42 14 52 E8} condition: - uint16(0)==0x5A4D and any of ($*) + uint16( 0 ) == 0x5A4D and any of ( $* ) } rule CAPE_Rozena { meta: description = "No description has been set in the source file - CAPE" author = "Kevin O'Reilly" - id = "38ca9da3-2a0e-500f-8eb8-9de69a7f2da5" + id = "6d92bdd0-f8de-578d-a554-1946611911aa" date = "2024-03-15" modified = "2024-03-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Rozena.yar#L1-L10" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "c415a8108b58a125a604031bb8d73b58a8aae5429b5b765e35fa8a4add9cd135" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Rozena.yar#L1-L10" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_c415a8108b58a125a604031bb8d73b58a8aae5429b5b765e35fa8a4add9cd135" score = 75 quality = 70 tags = "" 
@@ -116423,14 +116658,14 @@ rule CAPE_Zloader : FILE meta: description = "Zloader Payload" author = "kevoreilly, enzok" - id = "ce0662b4-c615-5b87-b5c1-173f90a97db2" + id = "d467fbee-08e8-584f-818a-fd1a48ce1ebb" date = "2024-05-06" modified = "2024-05-06" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Zloader.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Zloader.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa" - logic_hash = "a94efd87c69146cf5771341974e5abe789445d67dde3e045e1b87d3131539ff9" + logic_hash = "v1_sha256_a94efd87c69146cf5771341974e5abe789445d67dde3e045e1b87d3131539ff9" score = 75 quality = 70 tags = "FILE" 
@@ -116446,20 +116681,20 @@ rule CAPE_Zloader : FILE $decrypt_key_3 = {48 8d 0d [3] 00 e8 [4] 66 89 [3] b? [4] e8 [4] 66 8b} condition: - uint16(0)==0x5A4D and 1 of ($decrypt_conf*) and (1 of ($decrypt_key*) or $rc4_init) + uint16( 0 ) == 0x5A4D and 1 of ( $decrypt_conf* ) and ( 1 of ( $decrypt_key* ) or $rc4_init ) } rule CAPE_Doomedloader : FILE { meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly" - id = "88436e71-360e-5719-989f-24e71591ebe0" + id = "4743e58b-45ae-5e7e-95c9-c139c243489c" date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/DoomedLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "54a5962ef49ebf987908c4ea1559788f7c96a7e4ea61d2973636e998a0239c77" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/DoomedLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_54a5962ef49ebf987908c4ea1559788f7c96a7e4ea61d2973636e998a0239c77" score = 75 quality = 70 tags = "FILE" 
@@ -116471,20 +116706,20 @@ rule CAPE_Doomedloader : FILE $syscall = {49 89 CA 8B 44 24 08 FF 64 24 10} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Icedid { meta: description = "IcedID Payload" author = "kevoreilly, threathive" - id = "439342be-a1e6-5656-8813-5cebb0e88e98" + id = "ae23b8e3-d994-5dbb-959f-18bed53b54ea" date = "2021-12-16" modified = "2021-12-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/IcedID.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "e60ccbab7a360020744eba65961156ca3e2ae9cf23671014f913d71c1a96a331" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/IcedID.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_e60ccbab7a360020744eba65961156ca3e2ae9cf23671014f913d71c1a96a331" score = 75 quality = 45 tags = "" 
@@ -116501,20 +116736,20 @@ rule CAPE_Icedid $stage_2_request_img = ".png" condition: - any of ($crypt*,$download*,$major_ver) and all of ($stage_2_request_*) + any of ( $crypt* , $download* , $major_ver ) and all of ( $stage_2_request_* ) } rule CAPE_Gandcrab : FILE { meta: description = "Gandcrab Payload" author = "kevoreilly" - id = "0082e8c9-952e-508c-a438-4e17b8031864" + id = "62b88cc6-d1da-543d-9c2d-02bbf86a77e2" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Gandcrab.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "354ed566dbafbe8e9531bb771d9846952eb8c0e70ee94c26d09368159ce4142c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Gandcrab.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_354ed566dbafbe8e9531bb771d9846952eb8c0e70ee94c26d09368159ce4142c" score = 75 quality = 70 tags = "FILE" 
@@ -116527,20 +116762,20 @@ rule CAPE_Gandcrab : FILE $string4 = "KRAB-DECRYPT.txt" wide condition: - uint16(0)==0x5A4D and any of ($string*) + uint16( 0 ) == 0x5A4D and any of ( $string* ) } rule CAPE_Rcsession { meta: description = "RCSession Payload" author = "kevoreilly" - id = "841e6bd1-4f09-54dc-8dec-2e9423a34003" + id = "d481c5be-dc3e-5d87-bca7-db9d03590e01" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/RCSession.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "ebd1e9e615a91c35b36332cad55519607323469df738cec4464288b45787630d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/RCSession.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_ebd1e9e615a91c35b36332cad55519607323469df738cec4464288b45787630d" score = 75 quality = 70 tags = "" 
@@ -116551,20 +116786,20 @@ rule CAPE_Rcsession $a2 = {83 C4 10 85 C0 74 ?? BE ?? ?? ?? ?? 89 74 24 10 E8 ?? ?? ?? ?? 6A 03 68 48 0B 00 00 56 53 57 68 02 00 00 80 E8 ?? ?? ?? ?? 83 C4 18 85 C0 74 18 E8 ?? ?? ?? ?? 6A 03 68 48} condition: - ( any of ($a*)) + ( any of ( $a* ) ) } rule CAPE_Ursnifv3 : FILE { meta: description = "UrsnifV3 Payload" author = "kevoreilly" - id = "9dd32f80-b535-52a3-91e1-4db005362fd4" + id = "ee5df264-9375-5542-ada3-05895335c509" date = "2023-03-23" modified = "2023-03-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/UrsnifV3.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "501cd52388aba16f9d33b4555f310e1ad58326916b15358a485c701acb87abd8" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/UrsnifV3.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_501cd52388aba16f9d33b4555f310e1ad58326916b15358a485c701acb87abd8" score = 75 quality = 70 tags = "FILE" 
@@ -116581,20 +116816,20 @@ rule CAPE_Ursnifv3 : FILE $cape_string = "cape_options" condition: - uint16(0)==0x5A4D and 1 of ($crypto32_*) and $cpuid and not $cape_string + uint16( 0 ) == 0x5A4D and 1 of ( $crypto32_* ) and $cpuid and not $cape_string } rule CAPE_Formbook { meta: description = "Formbook Payload" author = "kevoreilly" - id = "3389c0a7-eb86-5465-8a14-63f812d257db" + id = "9c31ac6d-3569-5c7a-b3d9-7c3b6f4895b8" date = "2023-10-13" modified = "2023-10-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Formbook.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "63ee4dd6fe5ed2a3e5ee88ba7de48d2c9e0024961a550d0fdb68891c9885e05e" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Formbook.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_63ee4dd6fe5ed2a3e5ee88ba7de48d2c9e0024961a550d0fdb68891c9885e05e" score = 75 quality = 70 tags = "" 
@@ -116618,13 +116853,13 @@ rule CAPE_Hermes : FILE meta: description = "Hermes Payload" author = "kevoreilly" - id = "0ff44422-9c14-517b-9e71-8e9e19694f06" + id = "7f5f3476-4211-55a3-acac-d87edd001ba7" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Hermes.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "9bc974173f39a57e7adfbf8ae106a20d960557696b4c3ce16e9b4e47d3e9e95b" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Hermes.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_9bc974173f39a57e7adfbf8ae106a20d960557696b4c3ce16e9b4e47d3e9e95b" score = 75 quality = 70 tags = "FILE" 
@@ -116636,20 +116871,20 @@ rule CAPE_Hermes : FILE $email = "supportdecrypt@firemail.cc" wide condition: - uint16(0)==0x5A4D and all of ($*) + uint16( 0 ) == 0x5A4D and all of ( $* ) } rule CAPE_Dcrat : FILE { meta: description = "DCRat payload" author = "ditekSHen" - id = "16c81fe0-2c18-55e9-aa17-cfd4213d6a17" + id = "e4ee0c29-3c5d-53b1-b841-e34326584a31" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/DCRat.yar#L1-L66" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "5a02dcc2b9c7eb3efdba39047e37886240b45fb7e2db3b82aa5b4b9526dfb7f8" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/DCRat.yar#L1-L66" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_5a02dcc2b9c7eb3efdba39047e37886240b45fb7e2db3b82aa5b4b9526dfb7f8" score = 75 quality = 45 tags = "FILE" 
@@ -116710,20 +116945,20 @@ rule CAPE_Dcrat : FILE $px14 = "[Other] Saving system information" wide condition: - uint16(0)==0x5a4d and ( all of ($dc*) or all of ($string*) or 2 of ($x*) or 6 of ($v*) or 5 of ($px*)) or ($plugin and (4 of ($av*) or 5 of ($pl*))) + uint16( 0 ) == 0x5a4d and ( all of ( $dc* ) or all of ( $string* ) or 2 of ( $x* ) or 6 of ( $v* ) or 5 of ( $px* ) ) or ( $plugin and ( 4 of ( $av* ) or 5 of ( $pl* ) ) ) } rule CAPE_Dcrat_Kingrat { meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "9b63e361-6678-5c95-be32-777feecd194b" + id = "850f416e-cac3-5137-a791-1e5bf6f07d1c" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/DCRat.yar#L68-L87" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "73ac27c3f0fc71d053e89690b5a7d29c1f8b0ea0a22e8595148a9001799fae54" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/DCRat.yar#L68-L87" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_73ac27c3f0fc71d053e89690b5a7d29c1f8b0ea0a22e8595148a9001799fae54" score = 75 quality = 62 tags = "" 
@@ -116743,20 +116978,20 @@ rule CAPE_Dcrat_Kingrat $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 } condition: - ( not any of ($venom*)) and 5 of them and #patt_config>=10 + ( not any of ( $venom* ) ) and 5 of them and #patt_config >= 10 } rule CAPE_Kpot : FILE { meta: description = "Kpot Stealer" author = "kevoreilly" - id = "724fd6ac-e734-5952-b459-01cbaffdb89d" + id = "80abac11-020b-5bc3-8fc6-53e7a61b61c8" date = "2020-10-19" modified = "2020-10-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Kpot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "75abaab9a10e8ac8808425c389238285ab9bd9cb76f0cd03cc1e35b3ea0a1b0f" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Kpot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_75abaab9a10e8ac8808425c389238285ab9bd9cb76f0cd03cc1e35b3ea0a1b0f" score = 75 quality = 70 tags = "FILE" 
@@ -116768,20 +117003,20 @@ rule CAPE_Kpot : FILE $os = "OS: %S x%d" condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Emotetloader : FILE { meta: description = "Emotet Loader" author = "kevoreilly" - id = "aea8ff2e-bdf7-5417-a41c-93566d1dd019" + id = "b77afddc-0296-55e3-96fa-779f34fcda1b" date = "2022-05-31" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/EmotetLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "410872d25ed3a89a2cba108f952d606cd1c3bf9ccc89ae6ab3377b83665c2773" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/EmotetLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_410872d25ed3a89a2cba108f952d606cd1c3bf9ccc89ae6ab3377b83665c2773" score = 75 quality = 70 tags = "FILE" 
@@ -116791,20 +117026,20 @@ rule CAPE_Emotetloader : FILE $antihook = {8B 15 ?? ?? ?? ?? 03 15 ?? ?? ?? ?? 89 95 28 FF FF FF A1 ?? ?? ?? ?? 2D 4D 01 00 00 A3 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 3B 0D ?? ?? ?? ?? 76 26 8B 95 18 FF FF FF 8B 42 38} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Gootkit : FILE { meta: description = "Gootkit Payload" author = "kevoreilly" - id = "8935fd10-ac79-5196-80c2-fc8f2fe185b5" + id = "cb6409f4-307a-5b27-a3ef-b29a91055413" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Gootkit.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "26704b6b0adca51933fc9d5e097930320768fd0e9355dcefc725aee7775316e7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Gootkit.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_26704b6b0adca51933fc9d5e097930320768fd0e9355dcefc725aee7775316e7" score = 75 quality = 70 tags = "FILE" 
@@ -116814,20 +117049,20 @@ rule CAPE_Gootkit : FILE $code1 = {C7 45 ?? ?? ?? 4? 00 C7 45 ?? ?? 10 40 00 C7 45 E? D8 ?? ?? 00 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 [1-2] 00 10 40 00 89 [5-6] 43 00 89 ?? ?? 68 E8 80 00 00 FF 15} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Kovter : FILE { meta: description = "Kovter Payload" author = "kevoreilly" - id = "3dec3c4b-4678-5ed1-a4c3-c3d9abb58b1c" + id = "893f6090-ffa8-5b76-b64e-d49bb5fbca2e" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Kovter.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "888fccb8fbfbe6c05ec63bc5658b4743f8e10a96ef51b3868c2ff94afec76f2d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Kovter.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_888fccb8fbfbe6c05ec63bc5658b4743f8e10a96ef51b3868c2ff94afec76f2d" score = 75 quality = 70 tags = "FILE" 
@@ -116840,20 +117075,20 @@ rule CAPE_Kovter : FILE $a4 = "Win Server 2008 R2" condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Pikabotloader : FILE { meta: description = "Pikabot Loader" author = "kevoreilly" - id = "e2c89cdd-0cdb-5367-8aae-2fe685eff972" + id = "6662e023-4085-5852-ad18-703d1fbb99d4" date = "2024-03-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/PikaBot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "7e5f1f2911545ee6bd36b54f2627fbdec1b957f4b91df901dd1c6cbd4dff0231" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/PikaBot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_7e5f1f2911545ee6bd36b54f2627fbdec1b957f4b91df901dd1c6cbd4dff0231" score = 75 quality = 70 tags = "FILE" 
@@ -116865,20 +117100,20 @@ rule CAPE_Pikabotloader : FILE $sysenter2 = {C7 44 24 0C 00 00 00 02 C7 44 24 08 00 00 00 02 8B 45 0C 89 44 24 04 8B 45 08 89 04 24 E8} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Pikabot : FILE { meta: description = "Pikabot Payload" author = "kevoreilly" - id = "140a3e20-9837-5f66-85dc-af278d75e074" + id = "ae7ad8f5-e27b-5da1-9464-e1c7eb6c192d" date = "2024-03-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/PikaBot.yar#L15-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "ed07217c373831a9a67d914854154988696e6fcea70dedabf333385f0e7bb8b7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/PikaBot.yar#L15-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_ed07217c373831a9a67d914854154988696e6fcea70dedabf333385f0e7bb8b7" score = 75 quality = 70 tags = "FILE" 
@@ -116891,21 +117126,21 @@ rule CAPE_Pikabot : FILE $config = {C7 44 24 [3] 00 00 C7 44 24 [4] 00 89 [1-4] ?? E8 [4] 31 C0 C7 44 24 [3] 00 00 89 44 24 ?? C7 04 24 [4] E8} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Pik23 : FILE { meta: description = "PikaBot Payload February 2023" author = "kevoreilly" - id = "fc804c63-fc6c-5b26-92b1-aa5d2fbc4917" + id = "09a74105-77ef-5054-9b24-fa47a45715c3" date = "2024-03-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/PikaBot.yar#L30-L44" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/PikaBot.yar#L30-L44" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1" - logic_hash = "71a71df2f2a075294941c54eed06cafaaa4d3294e45b3a0098c1cffddd0438bc" + logic_hash = "v1_sha256_71a71df2f2a075294941c54eed06cafaaa4d3294e45b3a0098c1cffddd0438bc" score = 75 quality = 70 tags = "FILE" 
@@ -116918,20 +117153,20 @@ rule CAPE_Pik23 : FILE $rijndael = {EB 0F 0F B6 04 3? FE C? 8A 80 [4] 88 04 3? 0F B6 [3] 7C EA 5? 5? C9 C3} condition: - uint16(0)==0x5A4D and 3 of them + uint16( 0 ) == 0x5A4D and 3 of them } rule CAPE_Hancitor : FILE { meta: description = "Hancitor Payload" author = "threathive" - id = "b4e9a26a-db00-5553-acc2-f35148b0ffd5" + id = "68013b43-8cb2-5d51-bcb1-a5f3c9ce7d96" date = "2020-10-20" modified = "2020-10-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Hancitor.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "84003542a2f587b5fbd43731c4240759806f8ee46df2bd96aae4a3c09d97e41c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Hancitor.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_84003542a2f587b5fbd43731c4240759806f8ee46df2bd96aae4a3c09d97e41c" score = 75 quality = 70 tags = "FILE" 
@@ -116944,20 +117179,20 @@ rule CAPE_Hancitor : FILE $user_agent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko" condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Bruteratel { meta: description = "BruteRatel Payload" author = "kevoreilly" - id = "61b951e4-0c27-59c0-8ea2-715b673fdcee" + id = "cdae6558-3430-59cb-b1c5-79c66cfd72b1" date = "2024-07-11" modified = "2024-07-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/BruteRatel.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "0984977c716d6f8e068c045166eb5db77c9fbce27513e555dceca348375f1a66" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/BruteRatel.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_0984977c716d6f8e068c045166eb5db77c9fbce27513e555dceca348375f1a66" score = 75 quality = 70 tags = "" 
@@ -116977,13 +117212,13 @@ rule CAPE_Lokibot : FILE meta: description = "LokiBot Payload" author = "kevoreilly" - id = "8cdf69e2-ecac-5241-adba-c458cce0610f" + id = "8c7da7b6-0f26-55ee-9fee-1dd355de3027" date = "2022-02-01" modified = "2022-02-01" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/LokiBot.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "a5b3d518371138740e913d2d6ce4fa22d3da5cea7e034c7d6b4b502e6bf44b06" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/LokiBot.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_a5b3d518371138740e913d2d6ce4fa22d3da5cea7e034c7d6b4b502e6bf44b06" score = 75 quality = 70 tags = "FILE" 
@@ -116994,20 +117229,20 @@ rule CAPE_Lokibot : FILE $a2 = "last_compatible_version" condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Tclient : FILE { meta: description = "TClient Payload" author = "kevoreilly" - id = "38c9ea20-9d91-5fb0-8b3b-170538ad7ea8" + id = "1be68238-75ea-5b4e-9cee-12f10bc81aac" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/TClient.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "6edcd01e4722b367723ed77d9596877d16ee35dc4c160885d125f83e45cee24d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/TClient.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_6edcd01e4722b367723ed77d9596877d16ee35dc4c160885d125f83e45cee24d" score = 75 quality = 70 tags = "FILE" 
@@ -117017,20 +117252,20 @@ rule CAPE_Tclient : FILE $code1 = {41 0F B6 00 4D 8D 40 01 34 01 8B D7 83 E2 07 0F BE C8 FF C7 41 0F BE 04 91 0F AF C1 41 88 40 FF 81 FF 80 03 00 00 7C D8} condition: - uint16(0)==0x5A4D and any of ($code*) + uint16( 0 ) == 0x5A4D and any of ( $code* ) } rule CAPE_Rhadamanthys { meta: description = "Rhadamanthys Loader" author = "kevoreilly" - id = "4683ef43-7397-5546-ae54-b4c000518182" + id = "ca3578d3-954a-5787-b236-235127563cee" date = "2023-09-18" modified = "2023-09-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Rhadamanthys.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "f71bee3ef1dd7b16a55397645d16c0a20d1fdd3bf662f241c0b11796629b11ff" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Rhadamanthys.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_f71bee3ef1dd7b16a55397645d16c0a20d1fdd3bf662f241c0b11796629b11ff" score = 75 quality = 70 tags = "" 
@@ -117050,13 +117285,13 @@ rule CAPE_Mole : FILE meta: description = "Mole Payload" author = "kevoreilly" - id = "1185170f-4a5b-5347-807b-ef2af98a1a09" + id = "5bc8532c-5c03-5e72-b878-881201404c84" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Mole.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "8be4d190d554a610360c0e04b33da59eb00319395e5b2000d580546ce6503786" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Mole.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_8be4d190d554a610360c0e04b33da59eb00319395e5b2000d580546ce6503786" score = 75 quality = 70 tags = "FILE" 
@@ -117068,20 +117303,20 @@ rule CAPE_Mole : FILE $a3 = "-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ" condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Magniber : FILE { meta: description = "Magniber Payload" author = "kevoreilly" - id = "a704914f-2aa2-537d-975d-f8c23427951f" + id = "9d32f3ea-ad4a-53b2-bf93-eb5df496fcb5" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Magniber.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "1875754bdf98c1886f31f6c6e29992a98180f74d8fa168ae391e2c660d760618" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Magniber.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_1875754bdf98c1886f31f6c6e29992a98180f74d8fa168ae391e2c660d760618" score = 75 quality = 70 tags = "FILE" 
@@ -117091,20 +117326,20 @@ rule CAPE_Magniber : FILE $a1 = {8B 55 FC 83 C2 01 89 55 FC 8B 45 FC 3B 45 08 7D 45 6A 01 6A 00 E8 26 FF FF FF 83 C4 08 89 45 F4 83 7D F4 00 75 18 6A 7A 6A 61 E8 11 FF FF FF 83 C4 08 8B 4D FC 8B 55 F8 66 89 04 4A EB 16} condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Nanolocker : FILE { meta: description = "NanoLocker Payload" author = "kevoreilly" - id = "6fff6a27-a153-5461-9a75-2253c2f7d408" + id = "157b15e7-e089-5af8-b744-b5cbdb0f334a" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/NanoLocker.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "fe6c8a4e259c3c526f8f50771251f6762b2b92a4df2e8bfc705f282489f757db" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/NanoLocker.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_fe6c8a4e259c3c526f8f50771251f6762b2b92a4df2e8bfc705f282489f757db" score = 75 quality = 70 tags = "FILE" 
@@ -117116,20 +117351,20 @@ rule CAPE_Nanolocker : FILE $a3 = "Decryptor.lnk" condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Squirrelwaffle : FILE { meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly & R3MRUM" - id = "0ae75f24-7a2a-57d3-8c6f-a61ac6cc08e7" + id = "8a07fb62-834e-564d-8cdd-f9380892cdf1" date = "2021-10-13" modified = "2021-10-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/SquirrelWaffle.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "5f799333398421d537ec7a87ca94f6cc9cf1e53e55b353036a5132440990e500" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/SquirrelWaffle.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_5f799333398421d537ec7a87ca94f6cc9cf1e53e55b353036a5132440990e500" score = 75 quality = 70 tags = "FILE" 
@@ -117140,20 +117375,20 @@ rule CAPE_Squirrelwaffle : FILE $decode = {F7 75 ?? 83 7D ?? 10 8D 4D ?? 8D 45 ?? C6 45 ?? 00 0F 43 4D ?? 83 7D ?? 10 0F 43 45 ?? 8A 04 10 32 04 39} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Doppelpaymer : FILE { meta: description = "DoppelPaymer Payload" author = "kevoreilly" - id = "c8178906-1722-5908-9ad4-7ee1eef39138" + id = "a4c8adac-6fb6-56b2-8e3b-da39279ef72d" date = "2022-06-27" modified = "2022-06-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/DoppelPaymer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "73a2575671bafc31a70af3ce072d6f94ae172b12202baebba586a02524cb6f9d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/DoppelPaymer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_73a2575671bafc31a70af3ce072d6f94ae172b12202baebba586a02524cb6f9d" score = 75 quality = 70 tags = "FILE" 
@@ -117164,20 +117399,20 @@ rule CAPE_Doppelpaymer : FILE $cmd_string = "Setup run\\n" wide condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Ramnit : FILE { meta: description = "Ramnit Payload" author = "kevoreilly" - id = "6df92055-05f6-5985-9268-b9c85e143567" + id = "39de0011-dad7-5def-9c34-12e995d1ca8a" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Ramnit.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "6f661f47bdf8377b0fb96f190fcb964c0ed2b43ce7ae7880f9dfce9e43837efd" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Ramnit.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_6f661f47bdf8377b0fb96f190fcb964c0ed2b43ce7ae7880f9dfce9e43837efd" score = 75 quality = 70 tags = "FILE" 
@@ -117189,20 +117424,20 @@ rule CAPE_Ramnit : FILE $id_string = "{%08X-%04X-%04X-%04X-%08X%04X}" condition: - uint16(0)==0x5A4D and all of ($*) + uint16( 0 ) == 0x5A4D and all of ( $* ) } rule CAPE_Agent_Tesla { meta: description = "Detecting HTML strings used by Agent Tesla malware" author = "Stormshield" - id = "5383994b-357d-539b-89b1-53be238f759d" + id = "040bc4fc-d1ed-5ca5-96d6-8901d1f57bbe" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AgentTesla.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "3945754129dcc58e0abfd7485f5ff0c0afdd1078ae2cf164ca8f59a6f79db1be" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AgentTesla.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_3945754129dcc58e0abfd7485f5ff0c0afdd1078ae2cf164ca8f59a6f79db1be" score = 75 quality = 70 tags = "" 
@@ -117223,13 +117458,13 @@ rule CAPE_Agenttesla : FILE meta: description = "AgentTesla Payload" author = "kevoreilly" - id = "f7b930f1-cecb-5d80-809b-9503f282247a" + id = "0e5dc336-75d3-5634-8b40-c8909d0b6c36" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AgentTesla.yar#L19-L41" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "1bf9b26c4cf87e674ddffabe40aba5a45499c6a04d4ff3e43c3cda4cbcb4d188" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AgentTesla.yar#L19-L41" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_1bf9b26c4cf87e674ddffabe40aba5a45499c6a04d4ff3e43c3cda4cbcb4d188" score = 75 quality = 70 tags = "FILE" 
@@ -117249,20 +117484,20 @@ rule CAPE_Agenttesla : FILE $agt4 = "GetSavedCookies" ascii condition: - uint16(0)==0x5A4D and ( all of ($string*) or 3 of ($agt*)) + uint16( 0 ) == 0x5A4D and ( all of ( $string* ) or 3 of ( $agt* ) ) } rule CAPE_Agentteslav2 : FILE { meta: description = "AgenetTesla Type 2 Keylogger payload" author = "ditekshen" - id = "e60ecee4-0a97-56a1-b21e-47190f8cd1f8" + id = "3db36094-1ab9-5f9a-b395-7b2ab1ea7bad" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AgentTesla.yar#L43-L67" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "b45296b3b94fa1ff32de48c94329a17402461fb6696e9390565c4dba9738ed78" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AgentTesla.yar#L43-L67" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_b45296b3b94fa1ff32de48c94329a17402461fb6696e9390565c4dba9738ed78" score = 75 quality = 70 tags = "FILE" 
@@ -117286,20 +117521,20 @@ rule CAPE_Agentteslav2 : FILE $cl6 = "Thunderbird" fullword ascii condition: - ( uint16(0)==0x5a4d and 6 of ($s*)) or (6 of ($s*) and 2 of ($cl*)) + ( uint16( 0 ) == 0x5a4d and 6 of ( $s* ) ) or ( 6 of ( $s* ) and 2 of ( $cl* ) ) } rule CAPE_Agentteslav3 : FILE { meta: description = "AgentTeslaV3 infostealer payload" author = "ditekshen" - id = "cfe00382-8663-54a4-a7c4-b932ec7ad5e3" + id = "aa88b79d-cca2-5b7f-8f01-85e227aebcb7" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AgentTesla.yar#L69-L111" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "26c4fa0ce8de6982eb599f3872e8ab2a6e83da4741db7f3500c94e0a8fe5d459" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AgentTesla.yar#L69-L111" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_26c4fa0ce8de6982eb599f3872e8ab2a6e83da4741db7f3500c94e0a8fe5d459" score = 75 quality = 68 tags = "FILE" 
@@ -117340,20 +117575,20 @@ rule CAPE_Agentteslav3 : FILE $m5 = "\\WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera" ascii condition: - ( uint16(0)==0x5a4d and (8 of ($s*) or (6 of ($s*) and 4 of ($g*)))) or (2 of ($m*)) + ( uint16( 0 ) == 0x5a4d and ( 8 of ( $s* ) or ( 6 of ( $s* ) and 4 of ( $g* ) ) ) ) or ( 2 of ( $m* ) ) } rule CAPE_Agentteslaxor : FILE { meta: description = "AgentTesla xor-based config decoding" author = "kevoreilly" - id = "81eeb62f-578f-5c75-bc96-091d5727a20a" + id = "29ae5b7c-dd17-5350-9e45-121272990dd7" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AgentTesla.yar#L113-L123" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "54581e83e5fa13fae4bda74016b3fa1d18c92e2659f493ebe54d70fd5f77bba5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AgentTesla.yar#L113-L123" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_54581e83e5fa13fae4bda74016b3fa1d18c92e2659f493ebe54d70fd5f77bba5" score = 75 quality = 20 tags = "FILE" 
@@ -117363,20 +117598,20 @@ rule CAPE_Agentteslaxor : FILE $decode = {06 91 06 61 20 [4] 61 D2 9C 06 17 58 0A 06 7E [4] 8E 69 FE 04 2D ?? 2A} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Agentteslav4 : FILE { meta: description = "AgentTesla Payload" author = "kevoreilly" - id = "a39109ca-84cb-527d-b9c2-d8763fa6e496" + id = "dfe23345-beda-5619-83fc-1362c1a97366" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AgentTesla.yar#L125-L138" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "0a39036f408728ab312a54ff3354453d171424f57f9a8f3b42af867be3037ca9" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AgentTesla.yar#L125-L138" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_0a39036f408728ab312a54ff3354453d171424f57f9a8f3b42af867be3037ca9" score = 75 quality = 70 tags = "FILE" 
@@ -117389,20 +117624,20 @@ rule CAPE_Agentteslav4 : FILE $decode3 = {(07|FE 0C 01 00) (11 07|FE 0C 07 00) 8F ?? 00 00 01 25 47 (07|FE 0C 01 00) (08|FE 0C 02 00) 91 61 D2 52} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Agentteslav4Jit { meta: description = "AgentTesla JIT-compiled native code" author = "kevoreilly" - id = "a87dca44-4974-543c-9565-487ed99be2a6" + id = "3c8fa735-8773-5478-bc84-9fdb3cc2834b" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AgentTesla.yar#L140-L153" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "8f7144d2a989ce8d291af926b292f5f0f7772e707b0e49797eba13ecf91b90bc" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AgentTesla.yar#L140-L153" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_8f7144d2a989ce8d291af926b292f5f0f7772e707b0e49797eba13ecf91b90bc" score = 75 quality = 70 tags = "" 
@@ -117422,13 +117657,13 @@ rule CAPE_Asyncrat : FILE meta: description = "AsyncRAT Payload" author = "kevoreilly, JPCERT/CC Incident Response Group" - id = "478557fa-2418-5b13-99d9-2395ce83b9a2" + id = "75b7df5f-3ce9-5703-9817-2cf4c70b1ccb" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AsyncRAT.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "8f960131bb86e1c09127324bd5877364ab25e0cb37f5f9755230c7fed9094de3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AsyncRAT.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_8f960131bb86e1c09127324bd5877364ab25e0cb37f5f9755230c7fed9094de3" score = 75 quality = 66 tags = "FILE" 
@@ -117444,20 +117679,20 @@ rule CAPE_Asyncrat : FILE $kitty = "StormKitty" ascii condition: - uint16(0)==0x5A4D and not $kitty and ($salt and (2 of ($str*) or 1 of ($b*))) or ( all of ($b*) and 2 of ($str*)) + uint16( 0 ) == 0x5A4D and not $kitty and ( $salt and ( 2 of ( $str* ) or 1 of ( $b* ) ) ) or ( all of ( $b* ) and 2 of ( $str* ) ) } rule CAPE_Asyncrat_Kingrat { meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "8fbab9a0-5736-543e-ba7b-c7598190c9e0" + id = "4339465b-7a74-56b5-85c7-762ae69b9a49" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AsyncRAT.yar#L19-L40" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "2699ef93ae10b205b79025098afc1d1cfe7dbdf192f4d98a6e34a8f3de154810" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AsyncRAT.yar#L19-L40" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_2699ef93ae10b205b79025098afc1d1cfe7dbdf192f4d98a6e34a8f3de154810" score = 75 quality = 62 tags = "" 
@@ -117478,20 +117713,20 @@ rule CAPE_Asyncrat_Kingrat $patt_config = { 72 [3] 70 80 [3] 04 } condition: - ( not any of ($dcrat*)) and 6 of them and #patt_config>=10 + ( not any of ( $dcrat* ) ) and 6 of them and #patt_config >= 10 } rule CAPE_Locky : FILE { meta: description = "Locky Payload" author = "kevoreilly" - id = "664d0365-af49-5222-a4ed-9260332f6940" + id = "28f16221-97dd-588b-8325-91f25fb840c2" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Locky.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "9786c54a2644d9581fefe64be11b26e22806398e54e961fa4f19d26eae039cd7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Locky.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_9786c54a2644d9581fefe64be11b26e22806398e54e961fa4f19d26eae039cd7" score = 75 quality = 70 tags = "FILE" 
@@ -117503,20 +117738,20 @@ rule CAPE_Locky : FILE $string3 = "opt321" wide condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Cryptoshield : FILE { meta: description = "Cryptoshield Payload" author = "kevoreilly" - id = "a7b60a0d-7d46-59c9-8273-ee23bae3fbbc" + id = "54efd2dd-484b-507d-8361-d53217ba85bb" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Cryptoshield.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "46064b4c69cb1af01330c5d194ef50728e0f0479e9fbf72828822935f8e37ac6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Cryptoshield.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_46064b4c69cb1af01330c5d194ef50728e0f0479e9fbf72828822935f8e37ac6" score = 75 quality = 70 tags = "FILE" 
@@ -117528,20 +117763,20 @@ rule CAPE_Cryptoshield : FILE $a3 = "r_sp@india.com - SUPPORT" condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Darkgate { meta: description = "DarkGate Payload" author = "enzok" - id = "ce81f452-4096-51d6-97cc-624f9fbefa86" + id = "278bd88a-9c5f-52f1-b7cd-bc71b85e71ce" date = "2024-02-26" modified = "2024-02-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/DarkGate.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "25c0e77a83676c6a18445f8df0b1f7a9148de5f64eeb532f9a4f4d4652dd8191" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/DarkGate.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_25c0e77a83676c6a18445f8df0b1f7a9148de5f64eeb532f9a4f4d4652dd8191" score = 75 quality = 70 tags = "" 
@@ -117556,21 +117791,21 @@ rule CAPE_Darkgate $config2 = {8B 55 ?? 8D 45 ?? E8 [4] 8D 45 ?? 5? B? 06 00 00 00 B? 01 00 00 00 8B 45 ?? E8 [4] 8B 45 ?? B? [4] E8 [4] 75} condition: - ($alphabet) and ( any of ($part*) or all of ($config*)) + ($alphabet ) and ( any of ( $part* ) or all of ( $config* ) ) } rule CAPE_Carbanak : FILE { meta: description = "Carnbanak Payload" author = "enzok" - id = "e6d395d5-65ba-5efb-bcbc-c6d56a96f0c1" + id = "71c410c8-93ba-58f2-9f03-b5c71558cce1" date = "2024-03-18" modified = "2024-03-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Carbanak.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Carbanak.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "c9c1b06cb9c9bd6fc4451f5e2847a1f9524bb2870d7bb6f0ee09b9dd4e3e4c84" - logic_hash = "8ed5ab07f1635dc7cdf296e86a71a0a99d0b2faef8fc460f43d426b24b8c8367" + logic_hash = "v1_sha256_8ed5ab07f1635dc7cdf296e86a71a0a99d0b2faef8fc460f43d426b24b8c8367" score = 75 quality = 70 tags = "FILE" 
@@ -117582,22 +117817,22 @@ rule CAPE_Carbanak : FILE $constants = {0F B7 05 [3] 00 0F B7 1D [3] 00 83 25 [3] 00 00 89 05 [3] 00 0F B7 05 [3] 00 89 1D [3] 00 89 05 [3] 00 33 C0 4? 8D 4D} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Blister : FILE { meta: description = "Blister Loader" author = "kevoreilly" - id = "525fc600-2afc-5cf6-bf55-4ce0ea264dca" + id = "04ed1762-7201-58cd-a3c0-8dc1311a34fc" date = "2023-09-20" modified = "2023-09-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Blister.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Blister.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2" hash = "d3eab2a134e7bd3f2e8767a6285b38d19cd3df421e8af336a7852b74f194802c" - logic_hash = "f26d85fdf0eb07e67fe38c43c5f6d024bfb7b2a333cb3411f5cdcff6bf5db12d" + logic_hash = "v1_sha256_f26d85fdf0eb07e67fe38c43c5f6d024bfb7b2a333cb3411f5cdcff6bf5db12d" score = 75 quality = 70 tags = "FILE" 
@@ -117611,20 +117846,20 @@ rule CAPE_Blister : FILE $decode = {0F BE C0 49 03 CC 41 33 C1 44 69 C8 [4] 41 8B C1 C1 E8 0F 44 33 C8 8A 01 84 C0 75 E1 41 81 F9 [4] 74} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Jaff : FILE { meta: description = "Jaff Payload" author = "kevoreilly" - id = "6681c1fe-6c88-5a49-bdfa-54ce08ea6707" + id = "7dfa9276-9a50-5b91-a56c-a555cf939eec" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Jaff.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "6806a5eeee04b7436ff694addc334bfc0f1ee611116904d57be9506acfd47418" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Jaff.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_6806a5eeee04b7436ff694addc334bfc0f1ee611116904d57be9506acfd47418" score = 75 quality = 70 tags = "FILE" 
@@ -117637,20 +117872,20 @@ rule CAPE_Jaff : FILE $b2 = "2~1c0q4t7" condition: - uint16(0)==0x5A4D and ( any of ($a*)) and (1 of ($b*)) + uint16( 0 ) == 0x5A4D and ( any of ( $a* ) ) and ( 1 of ( $b* ) ) } rule CAPE_Ryuk : FILE { meta: description = "Ryuk Payload" author = "kevoreilly" - id = "594bbb8d-1f85-5a01-a864-ac2d95c45bf9" + id = "71d3850b-66a1-5b33-b56d-f33f2c8dfa93" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Ryuk.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "b4463993d8956e402b927a3dcfa2ca9693a959908187f720372f2d3a40e6db0c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Ryuk.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_b4463993d8956e402b927a3dcfa2ca9693a959908187f720372f2d3a40e6db0c" score = 75 quality = 70 tags = "FILE" 
@@ -117663,20 +117898,20 @@ rule CAPE_Ryuk : FILE $code = {48 8B 4D 10 48 8B 03 48 C1 E8 07 C1 E0 04 F7 D0 33 41 08 83 E0 10 31 41 08 48 8B 4D 10 48 8B 03 48 C1 E8 09 C1 E0 03 F7 D0 33 41 08 83 E0 08 31 41 08} condition: - uint16(0)==0x5A4D and 3 of ($*) + uint16( 0 ) == 0x5A4D and 3 of ( $* ) } rule CAPE_Smokeloader { meta: description = "SmokeLoader Payload" author = "kevoreilly" - id = "d3ca7c8a-01dc-5174-9928-ee278b6cb107" + id = "ff903365-b0a7-5d3a-86d1-707776939938" date = "2024-11-12" modified = "2024-11-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/SmokeLoader.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "779e2ac213e5ced7bc06e6208826b65cf8fc3113a69ede6408b84055542fa76d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/SmokeLoader.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_779e2ac213e5ced7bc06e6208826b65cf8fc3113a69ede6408b84055542fa76d" score = 75 quality = 70 tags = "" 
@@ -117696,13 +117931,13 @@ rule CAPE_Xworm : FILE meta: description = "Detects XWorm" author = "ditekSHen" - id = "bf9115a7-850a-5326-860c-a9a71bc7e50c" + id = "cf15944b-2740-5680-ae0f-3dae4ddcc032" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/XWorm.yar#L1-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "5a86c2f0a188135e53d86c176806a208abbe3dd830bde364016859ffa5294bd7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/XWorm.yar#L1-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_5a86c2f0a188135e53d86c176806a208abbe3dd830bde364016859ffa5294bd7" score = 75 quality = 68 tags = "FILE" 
@@ -117729,20 +117964,20 @@ rule CAPE_Xworm : FILE $v2_8 = "UACFunc" fullword ascii wide condition: - uint16(0)==0x5a4d and ((1 of ($x*) and (3 of ($s*) or 3 of ($v2*))) or 6 of them ) + uint16( 0 ) == 0x5a4d and ( ( 1 of ( $x* ) and ( 3 of ( $s* ) or 3 of ( $v2* ) ) ) or 6 of them ) } rule CAPE_Xworm_Kingrat { meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "76332a42-97c9-52fe-83dc-04ceb367f692" + id = "2051f6e5-3450-5aa8-81a7-98f827391d2e" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/XWorm.yar#L29-L46" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "3914be652bb7271e5e6b89d05edf10a54f8ddaf9e22d194b60501aa2cdd495d3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/XWorm.yar#L29-L46" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_3914be652bb7271e5e6b89d05edf10a54f8ddaf9e22d194b60501aa2cdd495d3" score = 75 quality = 66 tags = "" 
@@ -117761,21 +117996,21 @@ rule CAPE_Xworm_Kingrat $patt_config = { 72 [3] 70 80 [3] 04 } condition: - 5 of them and #patt_config>=7 + 5 of them and #patt_config >= 7 } rule CAPE_Stealc : FILE { meta: description = "Stealc Payload" author = "kevoreilly" - id = "77567584-7c84-5351-938b-d29d612a042d" + id = "cee4d906-ca28-59ae-ba83-5c6739eb66e5" date = "2024-09-10" modified = "2024-09-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Stealc.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Stealc.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d" - logic_hash = "a6165168b7c74761b91d1691465688c748227b830813067edb4e9bdc934271c4" + logic_hash = "v1_sha256_a6165168b7c74761b91d1691465688c748227b830813067edb4e9bdc934271c4" score = 75 quality = 70 tags = "FILE" 
@@ -117786,21 +118021,21 @@ rule CAPE_Stealc : FILE $nugget2 = {64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 8B 00 8B 40 18 89 45 FC} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Blackdropper { meta: description = "BlackDropper" author = "enzok" - id = "5cb92b67-d12c-5946-84b1-a9fce4a6d242" + id = "4b238de0-1a2e-5a40-98b2-1f79311ca5f8" date = "2024-10-22" modified = "2024-10-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/BlackDropper.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/BlackDropper.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "f8026ae3237bdd885e5fcaceb86bcab4087d8857e50ba472ca79ce44c12bc257" - logic_hash = "c7f7bc740d413b479ebe45611ddfc04f7e4f2978516b2882069b2569c7acdf28" + logic_hash = "v1_sha256_c7f7bc740d413b479ebe45611ddfc04f7e4f2978516b2882069b2569c7acdf28" score = 75 quality = 70 tags = "" 
@@ -117815,20 +118050,20 @@ rule CAPE_Blackdropper $crypt3 = {E8 [4] 0F B6 4C 24 ?? 88 08 E9} condition: - 2 of ($string*) or 2 of ($crypt*) + 2 of ( $string* ) or 2 of ( $crypt* ) } rule CAPE_Cobaltstrikestager { meta: description = "Cobalt Strike Stager Payload" author = "@dan__mayer " - id = "eedf71b1-9f27-5a6f-afe8-3ddae47f9a06" + id = "fc11fa30-8b4f-5e52-9cd9-f8a4200ba6e1" date = "2023-01-18" modified = "2023-01-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "6a55b0c3ab5f557dfb7a3f8bd616ede1bd9b93198590fc9d52aa19c1154388c5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_6a55b0c3ab5f557dfb7a3f8bd616ede1bd9b93198590fc9d52aa19c1154388c5" score = 75 quality = 70 tags = "" 
@@ -117848,13 +118083,13 @@ rule CAPE_Atlas : FILE meta: description = "Atlas Payload" author = "kevoreilly" - id = "22322e5c-ded6-56df-8a39-a8f5cbc18239" + id = "7998bc32-9299-5d76-bdc8-db4be98b01cf" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Atlas.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "c3f73b29df5caf804dbfe3e6ac07a9e2c772bd2a126f0487e4a65e72bd501e6e" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Atlas.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_c3f73b29df5caf804dbfe3e6ac07a9e2c772bd2a126f0487e4a65e72bd501e6e" score = 75 quality = 70 tags = "FILE" 
@@ -117866,21 +118101,21 @@ rule CAPE_Atlas : FILE $a3 = "process call create \"cmd /c start vssadmin delete shadows /all /q" condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Latrodectus { meta: description = "Latrodectus Payload" author = "enzok" - id = "5fe6ddad-3252-5f49-9359-bd647b974fe6" + id = "fbf6b00e-77e5-5c35-9f95-a6b361a32971" date = "2024-09-03" modified = "2024-09-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Latrodectus.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Latrodectus.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "a547cff9991a713535e5c128a0711ca68acf9298cc2220c4ea0685d580f36811" - logic_hash = "2f98d570bf9a490eecd2807599b93023ccacab86f3b7674f0118bbebd4dd2776" + logic_hash = "v1_sha256_2f98d570bf9a490eecd2807599b93023ccacab86f3b7674f0118bbebd4dd2776" score = 75 quality = 70 tags = "" 
@@ -117901,14 +118136,14 @@ rule CAPE_Latrodectus_AES meta: description = "Latrodectus Payload" author = "enzok" - id = "8a3dd88c-7840-54a3-8844-4e1a38f51df5" + id = "c26cb72f-1541-5e3e-b46b-efa289469d19" date = "2024-09-03" modified = "2024-09-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Latrodectus.yar#L18-L34" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Latrodectus.yar#L18-L34" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8" - logic_hash = "1f00f6f187f15d39a30e15ffd14dae07707141999271ad4ac6a75ff4d93dd54d" + logic_hash = "v1_sha256_1f00f6f187f15d39a30e15ffd14dae07707141999271ad4ac6a75ff4d93dd54d" score = 75 quality = 70 tags = "" 
@@ -117930,13 +118165,13 @@ rule CAPE_Codoso : FILE meta: description = "Codoso Payload" author = "kevoreilly" - id = "4c3d8d77-ffa9-576d-bf88-7b5a1bfd1811" + id = "ebe80cb4-888a-5f94-b213-a04f7877b1fa" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Codoso.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "32c9ed2ac29e8905266977a9ee573a252442d96fb9ec97d88642180deceec3f8" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Codoso.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_32c9ed2ac29e8905266977a9ee573a252442d96fb9ec97d88642180deceec3f8" score = 75 quality = 70 tags = "FILE" 
@@ -117948,20 +118183,20 @@ rule CAPE_Codoso : FILE $a3 = "USERMODECMD" condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Xenorat { meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "9708158d-06fc-5991-a084-df2bfe1d5c96" + id = "7944393b-cb0e-5721-8bd5-a85c653a0b25" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/XenoRAT.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "26f520fb69a52d05786fac0e9e38f5db9601da0a3e7768e00975a9684f3560ef" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/XenoRAT.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_26f520fb69a52d05786fac0e9e38f5db9601da0a3e7768e00975a9684f3560ef" score = 75 quality = 66 tags = "" 
@@ -117976,20 +118211,20 @@ rule CAPE_Xenorat $patt_config = { 72 [3] 70 80 [3] 04 } condition: - 4 of them and #patt_config>=5 + 4 of them and #patt_config >= 5 } rule CAPE_Arkei : FILE { meta: description = "Arkei Payload" author = "kevoreilly" - id = "22ebe194-19a9-5bf2-9cfc-ea27b7724572" + id = "c3426976-58c0-5721-b638-efa5f3204ccf" date = "2020-02-11" modified = "2020-02-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Arkei.yar#L1-L24" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "03980827db1c53d4090ab196ba820ca34b5d83dc7140b11ead9182cb5d28c7d3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Arkei.yar#L1-L24" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_03980827db1c53d4090ab196ba820ca34b5d83dc7140b11ead9182cb5d28c7d3" score = 75 quality = 70 tags = "FILE" 
@@ -118011,20 +118246,20 @@ rule CAPE_Arkei : FILE $v9 = "files\\cookies_" ascii wide condition: - uint16(0)==0x5A4D and ( all of ($string*) or 7 of ($v*)) + uint16( 0 ) == 0x5A4D and ( all of ( $string* ) or 7 of ( $v* ) ) } rule CAPE_Scarab : FILE { meta: description = "Scarab Payload" author = "kevoreilly" - id = "2ba8ae50-1e56-5773-aaea-058161b59c78" + id = "d83f0494-9bc9-5a3d-a054-8916f061fe99" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Scarab.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "0d8fa7ab4c8e5699f17f9e9444e85a42563a840a8e7ee9eda54add3a6845d1c6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Scarab.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_0d8fa7ab4c8e5699f17f9e9444e85a42563a840a8e7ee9eda54add3a6845d1c6" score = 75 quality = 70 tags = "FILE" 
@@ -118036,20 +118271,20 @@ rule CAPE_Scarab : FILE $crypt3 = {8B 13 8B CA 81 E1 80 80 80 80 8B C1 C1 E8 07 50 8B C1 59 2B C1 25 1B 1B 1B 1B 8B CA 81 E1 7F 7F 7F 7F 03 C9 33 C1 8B C8 81 E1 80 80 80 80 8B F1 C1 EE 07} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Azorult : FILE { meta: description = "Azorult Payload" author = "kevoreilly" - id = "ca76ec00-001f-56d0-bdbc-9dfd3239fba8" + id = "f7b8980e-9e81-5089-a577-73608a48086e" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Azorult.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "4691cf48d513d1965416b0cce1b6e19c8f7b393a940afd68b7c6ca8c0d125d90" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Azorult.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_4691cf48d513d1965416b0cce1b6e19c8f7b393a940afd68b7c6ca8c0d125d90" score = 75 quality = 70 tags = "FILE" 
@@ -118060,20 +118295,20 @@ rule CAPE_Azorult : FILE $string1 = "SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),\"unixepoch\")" condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Bumblebee : FILE { meta: description = "BumbleBee Payload" author = "enzo & kevoreilly" - id = "b3a4dd53-014c-5e16-8ac1-7f3800ae017d" + id = "af79e592-7044-5da3-8ef3-f5c446232277" date = "2024-10-29" modified = "2024-10-29" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/BumbleBee.yar#L35-L50" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "bc7c2ce9d3cd598c9510dc64d78048999f2f89ee5a84cd0d6046dbdfabe260ee" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/BumbleBee.yar#L35-L50" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_bc7c2ce9d3cd598c9510dc64d78048999f2f89ee5a84cd0d6046dbdfabe260ee" score = 75 quality = 70 tags = "FILE" 
@@ -118088,20 +118323,20 @@ rule CAPE_Bumblebee : FILE $str_gate = "/gate" condition: - uint16(0)==0x5A4D and ( any of ($antivm*) or all of ($str_*)) + uint16( 0 ) == 0x5A4D and ( any of ( $antivm* ) or all of ( $str_* ) ) } rule CAPE_Bumblebee2024 { meta: description = "BumbleBee 2024" author = "enzok" - id = "ba92b894-912d-593c-acf9-99cb6ad6d61f" + id = "40e25684-e23c-570b-a1fe-a4e9fbeb88ef" date = "2024-10-29" modified = "2024-10-29" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/BumbleBee.yar#L52-L68" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "db58272c1ba74bc6e6a90bdacf7e8feec94be5da2b5123e0475ce86448f3edb2" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/BumbleBee.yar#L52-L68" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_db58272c1ba74bc6e6a90bdacf7e8feec94be5da2b5123e0475ce86448f3edb2" score = 75 quality = 70 tags = "" 
@@ -118117,20 +118352,20 @@ rule CAPE_Bumblebee2024 $dga2 = {48 8D 0D [4] E8 [4] 8B F0 4C 89 6D ?? 4C 89 6D ?? 4C 89 75 ?? 4C 89 6D ?? 44 88 6D ?? 48 8D 15 [4] 44 38 2D [4] 75} condition: - $rc4key and all of ($botid*) and 2 of ($port,$port,$dga1,$dga2) + $rc4key and all of ( $botid* ) and 2 of ( $port , $port , $dga1 , $dga2 ) } rule CAPE_Nitrogenloader { meta: description = "Nitrogen Loader" author = "enzok" - id = "45628576-3fbf-593d-a113-0bbfb12bd808" + id = "5b6843f1-0a3d-5448-80bb-2dc298a62f5c" date = "2024-12-02" modified = "2024-12-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/NitrogenLoader.yar#L1-L23" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "24117d6e04bc964c17c08c9918502410890d7ccdc2e9971f2d01f6f0b41d3836" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/NitrogenLoader.yar#L1-L23" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_24117d6e04bc964c17c08c9918502410890d7ccdc2e9971f2d01f6f0b41d3836" score = 75 quality = 70 tags = "" 
@@ -118152,20 +118387,20 @@ rule CAPE_Nitrogenloader $decryptrsc2 = {8B ?? 24 [1-4] 33 C8 8B C1 48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A} condition: - ( all of ($string*) or all of ($decrypt*)) and any of ($syscall*) + ( all of ( $string* ) or all of ( $decrypt* ) ) and any of ( $syscall* ) } rule CAPE_Badrabbit : FILE { meta: description = "BadRabbit Payload" author = "kevoreilly" - id = "c7204772-6f14-57b7-88c1-e9156f9897d5" + id = "4f74db4c-7d11-5e1c-a78d-d083a3853531" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/BadRabbit.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "309e14ab4ea2f919358631f9d8b2aaff1f51e7708b6114e4e6bf4a9d9a5fc86c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/BadRabbit.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_309e14ab4ea2f919358631f9d8b2aaff1f51e7708b6114e4e6bf4a9d9a5fc86c" score = 75 quality = 70 tags = "FILE" 
@@ -118177,20 +118412,20 @@ rule CAPE_Badrabbit : FILE $a3 = "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal" wide condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Dreambot : FILE { meta: description = "Dreambot Payload" author = "kevoreilly" - id = "675c2fea-fe48-5afd-9fa1-de919134892f" + id = "e5cc7449-9192-5ad0-8475-36dbe7fb2969" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Dreambot.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "29c6d648d5d38667c5824c2d20a83a20448c2ae6054ddddb2b2b7f8bdb69f74b" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Dreambot.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_29c6d648d5d38667c5824c2d20a83a20448c2ae6054ddddb2b2b7f8bdb69f74b" score = 75 quality = 70 tags = "FILE" 
@@ -118203,20 +118438,20 @@ rule CAPE_Dreambot : FILE $b2 = ".bss" condition: - uint16(0)==0x5A4D and (1 of ($a*)) and ( all of ($b*)) + uint16( 0 ) == 0x5A4D and ( 1 of ( $a* ) ) and ( all of ( $b* ) ) } rule CAPE_Fareit : FILE { meta: description = "Fareit Payload" author = "kevoreilly" - id = "b3c4eb86-d104-5f31-afa4-5bf5f370f64e" + id = "62d33487-1d1c-5c78-94ea-f93209438f76" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Fareit.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "ed35391ffc949219f380da3f22bc8397a7d5c742bd68e227c3becdebcab5cf83" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Fareit.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_ed35391ffc949219f380da3f22bc8397a7d5c742bd68e227c3becdebcab5cf83" score = 75 quality = 70 tags = "FILE" 
@@ -118226,20 +118461,20 @@ rule CAPE_Fareit : FILE $string1 = {0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 31 20 20 09 20 20 67 6F 74 6F 20 09 0D 20 6B 74 6B 0D 0A 20 64 65 6C 20 09 20 20 25 30 20 00} condition: - uint16(0)==0x5A4D and any of ($string*) + uint16( 0 ) == 0x5A4D and any of ( $string* ) } rule CAPE_Masslogger : FILE { meta: description = "MassLogger" author = "kevoreilly" - id = "0743421a-36f7-5b7c-859f-b461511151cb" + id = "1b7fbd5b-1b45-5e66-ae80-198c8917c4b7" date = "2020-11-24" modified = "2020-11-24" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/MassLogger.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "c8d82694810aafbdc6a35a661e7431e9536035e2f7fef90b9359064c4209b66c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/MassLogger.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_c8d82694810aafbdc6a35a661e7431e9536035e2f7fef90b9359064c4209b66c" score = 75 quality = 70 tags = "FILE" 
@@ -118250,20 +118485,20 @@ rule CAPE_Masslogger : FILE $fody = "Costura" condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Lumma : FILE { meta: description = "Lumma Payload" author = "kevoreilly" - id = "6ec1e0dc-028b-5135-9d0a-462718d90fe3" + id = "08b47410-0392-514e-bf6a-5bc40f45c4e8" date = "2024-10-22" modified = "2024-10-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Lumma.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "44408ffa7870dbc1a8a31567dd743f46542da01ed8083e5413392920b9d1bafe" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Lumma.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_44408ffa7870dbc1a8a31567dd743f46542da01ed8083e5413392920b9d1bafe" score = 75 quality = 70 tags = "FILE" 
@@ -118277,20 +118512,20 @@ rule CAPE_Lumma : FILE $decode3 = {B0 40 C3 B0 3F C3 80 F9 30 72 ?? 80 F9 39 77 06 80 C1 04 89 C8 C3} condition: - uint16(0)==0x5a4d and any of them + uint16( 0 ) == 0x5a4d and any of them } rule CAPE_Lockbit : FILE { meta: description = "Lockbit Payload" author = "kevoreilly" - id = "ec9b4fec-0233-5277-b922-07057c2b4b34" + id = "6ad4325b-8ac8-53ae-8c8d-ef5aa84b6068" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Lockbit.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "80ab705c8246a0bd5b3de65146cf32b102f39bf9444bdf1d366b5a794c1229b9" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Lockbit.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_80ab705c8246a0bd5b3de65146cf32b102f39bf9444bdf1d366b5a794c1229b9" score = 75 quality = 70 tags = "FILE" 
@@ -118304,20 +118539,20 @@ rule CAPE_Lockbit : FILE $decode2 = {8A 44 24 ?? 30 44 0C ?? 41 83 F9 ?? 72 F2} condition: - uint16(0)==0x5A4D and (2 of them ) + uint16( 0 ) == 0x5A4D and ( 2 of them ) } rule CAPE_Aurorastealer : FILE { meta: description = "detects Aurora Stealer samples" author = "Johannes Bader @viql" - id = "07779318-3e5d-5e67-8c04-f3f70d7e48b7" + id = "b8b3663e-4ec1-550e-b2b8-9ede3d88128f" date = "2022-12-14" modified = "2023-03-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/AuroraStealer.yar#L1-L74" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "0d10e9268184f494a73d5b4ab0d9a478ad0c26d2ef13d5134f8c9769f028b8f5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/AuroraStealer.yar#L1-L74" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_0d10e9268184f494a73d5b4ab0d9a478ad0c26d2ef13d5134f8c9769f028b8f5" score = 75 quality = 45 tags = "FILE" 
@@ -118384,21 +118619,21 @@ rule CAPE_Aurorastealer : FILE $varia_10 = "Crypto" condition: - uint16(0)==0x5A4D and (32 of ($str_*) or 9 of ($varia_*)) + uint16( 0 ) == 0x5A4D and ( 32 of ( $str_* ) or 9 of ( $varia_* ) ) } rule CAPE_Koiloader { meta: description = "KoiLoader" author = "YungBinary" - id = "258e8857-7ea6-5098-9949-06d9d83853d4" + id = "12b1c1f6-766a-52b8-ae4a-c87fbea05984" date = "2024-10-25" modified = "2024-10-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/KoiLoader.yar#L1-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/KoiLoader.yar#L1-L35" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "b462e3235c7578450b2b56a8aff875a3d99d22f6970a01db3ba98f7ecb6b01a0" - logic_hash = "264a536632f8f11c904b00c9d2e505b3263c733ad8fbc2ef19c25a5ad58cef90" + logic_hash = "v1_sha256_264a536632f8f11c904b00c9d2e505b3263c733ad8fbc2ef19c25a5ad58cef90" score = 75 quality = 70 tags = "" 
@@ -118436,14 +118671,14 @@ rule CAPE_Cargobayloader : FILE meta: description = "CargoBay Loader" author = "kevoreilly" - id = "5b347863-0bea-55d2-aaf3-b3d6e604be89" + id = "0135d03b-4a3d-5a60-9610-06e607f021d5" date = "2023-02-20" modified = "2023-02-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/CargoBayLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/CargoBayLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "75e975031371741498c5ba310882258c23b39310bd258239277708382bdbee9c" - logic_hash = "1d5c4ca79f97e1fac358189a8c6530be12506974fc2fb42f63b0b621536a45c9" + logic_hash = "v1_sha256_1d5c4ca79f97e1fac358189a8c6530be12506974fc2fb42f63b0b621536a45c9" score = 75 quality = 70 tags = "FILE" 
@@ -118454,20 +118689,20 @@ rule CAPE_Cargobayloader : FILE $jmp2 = {84 DB 0F 85 [2] 00 00 48 8D 15 [4] 41 BE 03 00 00 00 41 B8 03 00 00 00 4C 8D 7C [2] 4C 89 F9 E8} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Socks5Systemz : FILE { meta: description = "Socks5Systemz Payload" author = "kevoreilly" - id = "75831382-bb43-554e-93b1-f54a2255d8b9" + id = "3c98bc77-b311-5a58-a569-e66f0b3722dc" date = "2024-05-22" modified = "2024-05-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Socks5Systemz.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "44b83b6d2ab39b4258ae0d97d00d02afdbb62a3973fd788584e4dea9db69cc1b" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Socks5Systemz.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_44b83b6d2ab39b4258ae0d97d00d02afdbb62a3973fd788584e4dea9db69cc1b" score = 75 quality = 70 tags = "FILE" 
@@ -118484,20 +118719,20 @@ rule CAPE_Socks5Systemz : FILE $chunk7 = {83 FA 04 E9 [3] (00|FF)} condition: - uint16(0)==0x5A4D and 6 of them + uint16( 0 ) == 0x5A4D and 6 of them } rule CAPE_Conti : FILE { meta: description = "Conti Ransomware" author = "kevoreilly" - id = "c94aed07-0eaf-5b51-a81e-e1992543673a" + id = "9b7bb3b8-9321-51ca-8887-430e94f80925" date = "2021-03-15" modified = "2021-03-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Conti.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "c9842f93d012d0189b9c6f10ad558b37ae66226bbb619ad677f6906ccaf0e848" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Conti.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_c9842f93d012d0189b9c6f10ad558b37ae66226bbb619ad677f6906ccaf0e848" score = 75 quality = 70 tags = "FILE" 
@@ -118509,20 +118744,20 @@ rule CAPE_Conti : FILE $website2 = "https://contirecovery.best" ascii wide condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Petrwrap : FILE { meta: description = "PetrWrap Payload" author = "kevoreilly" - id = "83762c87-6e96-50fe-b297-e1a5f893be43" + id = "e52dc8d1-d838-5d4c-a094-b13d729dfbc6" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/PetrWrap.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "6dd1cf5639b63d0ab41b24080dad68d285f2e3969ad34fd724c83e7a0dd4b968" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/PetrWrap.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_6dd1cf5639b63d0ab41b24080dad68d285f2e3969ad34fd724c83e7a0dd4b968" score = 75 quality = 70 tags = "FILE" 
@@ -118535,20 +118770,20 @@ rule CAPE_Petrwrap : FILE $b2 = "http://mischa5xyix2mrhd.onion/" condition: - uint16(0)==0x5A4D and ( any of ($a*)) and ( any of ($b*)) + uint16( 0 ) == 0x5A4D and ( any of ( $a* ) ) and ( any of ( $b* ) ) } rule CAPE_Bitpaymer : FILE { meta: description = "BitPaymer Payload" author = "kevoreilly" - id = "c139b514-a1ba-5d47-8f4d-8e60cddfe2ba" + id = "98980216-a817-59f6-9e77-5c7b69427df6" date = "2019-11-27" modified = "2019-11-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/BitPaymer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "6ae0dc9a36da13e483d8d653276b06f59ecc15c95c754c268dcc91b181677c4c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/BitPaymer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_6ae0dc9a36da13e483d8d653276b06f59ecc15c95c754c268dcc91b181677c4c" score = 75 quality = 70 tags = "FILE" 
@@ -118559,20 +118794,20 @@ rule CAPE_Bitpaymer : FILE $antidefender = "TouchMeNot" wide condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Azer : FILE { meta: description = "Azer Payload" author = "kevoreilly" - id = "4bda70c2-3cd9-543f-92f4-886b7dd899a1" + id = "8e9aa32f-38d5-5135-ab72-c8b6c8d4bbd9" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Azer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "48bd4a4e071f10d1911c4173a0cd39c69fed7a3b29eb92beffe709899f4cefa5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Azer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_48bd4a4e071f10d1911c4173a0cd39c69fed7a3b29eb92beffe709899f4cefa5" score = 75 quality = 70 tags = "FILE" 
@@ -118584,20 +118819,20 @@ rule CAPE_Azer : FILE $a3 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ" condition: - uint16(0)==0x5A4D and ( all of ($a*)) + uint16( 0 ) == 0x5A4D and ( all of ( $a* ) ) } rule CAPE_Nemty : FILE { meta: description = "Nemty Ransomware Payload" author = "kevoreilly" - id = "3aa8e1d7-f9cb-5b04-923d-7bed15ab8c3f" + id = "ecfe4eab-58f5-5d63-aa78-d66670ab1165" date = "2020-04-03" modified = "2020-04-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/Nemty.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "a05974b561c67b4f1e0812639b74831edcf65686a06c0d380f0b45739e342419" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/Nemty.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_a05974b561c67b4f1e0812639b74831edcf65686a06c0d380f0b45739e342419" score = 75 quality = 70 tags = "FILE" 
@@ -118609,20 +118844,20 @@ rule CAPE_Nemty : FILE $nemty = "NEMTY" condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Trickbot { meta: description = "TrickBot Payload" author = "sysopfb & kevoreilly" - id = "dc88eadd-7b84-5bd0-96d1-aad480632bee" + id = "f8135db0-c0d6-5269-8743-590c5503823e" date = "2023-02-07" modified = "2023-02-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/TrickBot.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "47cc2070b43957601a72745329a9d14fb3fbfd4d2b31cacc35d4ac750dde31ea" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/TrickBot.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_47cc2070b43957601a72745329a9d14fb3fbfd4d2b31cacc35d4ac750dde31ea" score = 75 quality = 70 tags = "" 
@@ -118641,21 +118876,21 @@ rule CAPE_Trickbot $code7 = {B8 ?? ?? 00 00 85 C9 74 32 BE ?? ?? ?? ?? BA ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 03 F2 8B 2B 83 C3 04 33 2F 83 C7 04 89 29 83 C1 04 3B DE 0F 43 DA} condition: - all of ($str*) or any of ($code*) + all of ( $str* ) or any of ( $code* ) } rule CAPE_Trickbot_Permadll_UEFI_Module { meta: description = "Detects TrickBot Banking module permaDll" author = "@VK_Intel | Advanced Intelligence" - id = "ba104164-0a1a-5a4c-8312-7653f7818e96" + id = "6157aceb-0626-584b-a67c-e63e4984c1ce" date = "2023-02-07" modified = "2023-02-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/TrickBot.yar#L22-L38" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/TrickBot.yar#L22-L38" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "491115422a6b94dc952982e6914adc39" - logic_hash = "564055f56fd19bed8900e6d451ba050b4e9013a9208a3bdc3d3d563567d225d2" + logic_hash = "v1_sha256_564055f56fd19bed8900e6d451ba050b4e9013a9208a3bdc3d3d563567d225d2" score = 75 quality = 70 tags = "" 
@@ -118677,13 +118912,13 @@ rule CAPE_Dridexloader : FILE meta: description = "Dridex v4 dropper C2 parsing function" author = "kevoreilly" - id = "43bd9631-4611-567c-bee5-d926e060b977" + id = "dc3ef02d-b423-50c1-a4ef-1cd4504e983e" date = "2021-03-10" modified = "2021-03-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/data/yara/CAPE/DridexLoader.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "20696b1f14539c8ecf21bffc696596040c20b1ee2fcedc173945482c0baca588" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/data/yara/CAPE/DridexLoader.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_20696b1f14539c8ecf21bffc696596040c20b1ee2fcedc173945482c0baca588" score = 75 quality = 70 tags = "FILE" 
@@ -118698,20 +118933,20 @@ rule CAPE_Dridexloader : FILE $c2parse_6 = {0F B7 53 ?? 89 10 0F B6 4B ?? 83 F9 0A 7F 03 8A 53 ?? 0F B6 53 ?? 85 D2 7E B9} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Singlestepantihook { meta: description = "Single-step anti-hook Bypass" author = "kevoreilly" - id = "f7aca40b-d231-543b-81f3-5f4524abab78" + id = "86e80370-58c3-5d03-b2de-4c3838283bc4" date = "2021-08-26" modified = "2021-08-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "fc9f36b0ecc13192fe8b6caaff256ac52c1f14480223d629a38ba84e90dd0809" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_fc9f36b0ecc13192fe8b6caaff256ac52c1f14480223d629a38ba84e90dd0809" score = 75 quality = 70 tags = "" 
@@ -118728,13 +118963,13 @@ rule CAPE_Heavenssyscall : FILE meta: description = "Bypass variants of heaven's gate direct syscalls" author = "kevoreilly" - id = "7c60102a-ac8b-5e28-8dbb-4b6c3f4cddff" + id = "97211e1a-76a6-5fdf-a745-03772f62eb86" date = "2024-03-25" modified = "2024-03-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "aeb981fcba0936ff8b1be4c601445fd45e5d3b74856a9439d351edd57f5a50c3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_aeb981fcba0936ff8b1be4c601445fd45e5d3b74856a9439d351edd57f5a50c3" score = 75 quality = 70 tags = "FILE" 
@@ -118746,24 +118981,24 @@ rule CAPE_Heavenssyscall : FILE $sysenter = {68 [4] E8 [4] E8 [4] C2 ?? 00 CC CC CC CC CC CC CC CC} condition: - uint16(0)==0x8B55 and all of them + uint16( 0 ) == 0x8B55 and all of them } rule CAPE_Gettickcountantivm { meta: description = "GetTickCountAntiVM bypass" author = "kevoreilly" - id = "d90b9768-0525-5963-9817-e3a53b1d4cf3" + id = "2c118a5c-95d1-5cb6-a7aa-c618b559aff3" date = "2022-02-25" modified = "2022-02-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "662bc7839ed7ddd82d5fdafa29fafd9a9ec299c28820fe4104fbba9be1a09c42" hash = "00f1537b13933762e1146e41f3bac668123fac7eacd0aa1f7be0aa37a91ef3ce" hash = "549bca48d0bac94b6a1e6eb36647cd007fed5c0e75a0e4aa315ceabdafe46541" hash = "90c29a66209be554dfbd2740f6a54d12616da35d0e5e4af97eb2376b9d053457" - logic_hash = "9cdb0b2d2e058e1858c2f2baad67005a2019fbbdcb7ca54571c8d20dfbf33471" + logic_hash = "v1_sha256_9cdb0b2d2e058e1858c2f2baad67005a2019fbbdcb7ca54571c8d20dfbf33471" score = 75 quality = 70 tags = "" 
@@ -118785,13 +119020,13 @@ rule CAPE_Buerloader_1 : FILE meta: description = "BuerLoader RDTSC Trap Bypass" author = "kevoreilly" - id = "38f01199-6bd2-5519-b570-8c0f46e74286" + id = "a8b922ef-45d4-54ac-95ad-d0ccb71c8ab6" date = "2021-03-13" modified = "2021-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "6f9f9b4c01251c0643c61701084cca2bdfeea08ca95f982355565cf05483d940" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_6f9f9b4c01251c0643c61701084cca2bdfeea08ca95f982355565cf05483d940" score = 75 quality = 70 tags = "FILE" 
@@ -118801,20 +119036,20 @@ rule CAPE_Buerloader_1 : FILE $trap = {0F 31 89 45 ?? 6A 00 8D 45 ?? 8B CB 50 E8 [4] 0F 31} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Modiloader : FILE { meta: description = "ModiLoader detonation shim" author = "ditekSHen" - id = "2b3fd8ec-b672-574b-9b50-1a9ca9f43299" + id = "b7735d58-09bd-5a5e-b5bb-bd860a0d1abe" date = "2023-10-19" modified = "2023-10-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/ModiLoader.yar#L1-L39" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "fc006377e6d41515503b0b234ff87f59d930a7d9f8b32d2e072de79b9c52ddc4" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/ModiLoader.yar#L1-L39" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_fc006377e6d41515503b0b234ff87f59d930a7d9f8b32d2e072de79b9c52ddc4" score = 75 quality = 66 tags = "FILE" 
@@ -118846,21 +119081,21 @@ rule CAPE_Modiloader : FILE $g6 = "rmdir \"" ascii nocase condition: - uint16(0)==0x5a4d and ((2 of ($x*) and ( all of ($g*) or (2 of ($s*) and 2 of ($c*)))) or ( all of ($s*) and (2 of ($c*) or all of ($g*))) or (4 of ($c*) and (1 of ($x*) or 2 of ($s*))) or ( all of ($g*) and 4 of ($c*)) or 13 of them ) + uint16( 0 ) == 0x5a4d and ( ( 2 of ( $x* ) and ( all of ( $g* ) or ( 2 of ( $s* ) and 2 of ( $c* ) ) ) ) or ( all of ( $s* ) and ( 2 of ( $c* ) or all of ( $g* ) ) ) or ( 4 of ( $c* ) and ( 1 of ( $x* ) or 2 of ( $s* ) ) ) or ( all of ( $g* ) and 4 of ( $c* ) ) or 13 of them ) } rule CAPE_Risepro : FILE { meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly" - id = "63d9cb19-0688-5632-8477-ce9b7e986a55" + id = "fba64cd7-307a-5de1-97d8-551c22accacc" date = "2023-12-16" modified = "2023-12-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/RisePro.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/RisePro.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6" - logic_hash = "055ca8328923b91f93c116e4a856366356fa11155f4e9fde95da31129b51386a" + logic_hash = "v1_sha256_055ca8328923b91f93c116e4a856366356fa11155f4e9fde95da31129b51386a" score = 75 quality = 70 tags = "FILE" 
@@ -118872,20 +119107,20 @@ rule CAPE_Risepro : FILE $c2 = {FF 75 30 83 3D [4] 10 BA [4] B9 [4] 0F 43 15 [4] 83 3D [4] 10 0F 43 0D [4] E8 [4] A3} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Privateloader { meta: description = "PrivateLoader indirect syscall capture" author = "kevoreilly" - id = "3a0b16da-ec84-5761-bcf2-106362c5667d" + id = "5fd7457b-c49e-5011-b2e1-0af2bb446765" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "204a86bb3743f19fed0fe55ff5ccd716661f7f315b5966a29e434ccb3e160526" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_204a86bb3743f19fed0fe55ff5ccd716661f7f315b5966a29e434ccb3e160526" score = 75 quality = 70 tags = "" 
@@ -118903,13 +119138,13 @@ rule CAPE_Qakbot5_1 : FILE meta: description = "QakBot WMI anti-anti-vm" author = "kevoreilly" - id = "d287b043-15df-5865-ad4c-9eb64ceec04c" + id = "8801195f-5a13-556b-8ae7-068e3ee835c1" date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/QakBot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "303ea2d8d1a7f0fd0ca5508dae2c1b83c03b1e3e975760f15d36d93bcc152767" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/QakBot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_303ea2d8d1a7f0fd0ca5508dae2c1b83c03b1e3e975760f15d36d93bcc152767" score = 75 quality = 70 tags = "FILE" 
@@ -118921,20 +119156,20 @@ rule CAPE_Qakbot5_1 : FILE $conf = {0F B7 1D [4] B9 [2] 00 00 E8 [4] 8B D3 48 89 45 ?? 45 33 C9 48 8D 0D [4] 4C 8B C0 48 8B F8 E8} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Qakbot4_1 : FILE { meta: description = "QakBot Config Extraction" author = "kevoreilly" - id = "401184cf-bbd7-5afe-9589-470f54721af1" + id = "1a39a06c-da71-56b1-a6c9-86cacb05aa0d" date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/QakBot.yar#L15-L29" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "ad75b07b9b786f634fd46cbe6dc089d3f732673320e70714e8ab058f0392c9f5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/QakBot.yar#L15-L29" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_ad75b07b9b786f634fd46cbe6dc089d3f732673320e70714e8ab058f0392c9f5" score = 75 quality = 70 tags = "FILE" 
@@ -118948,21 +119183,21 @@ rule CAPE_Qakbot4_1 : FILE $conf = {5F 5E 5B C9 C3 51 6A 00 E8 [4] 59 59 85 C0 75 01 C3} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Qakbotloader : FILE { meta: description = "QakBot Export Selection" author = "kevoreilly" - id = "b2d5ef1c-0651-5249-9c4b-7e83235d4a30" + id = "8bae4c72-4e99-5406-ad40-e73417033fed" date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/QakBot.yar#L31-L46" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/QakBot.yar#L31-L46" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "6f99171c95a8ed5d056eeb9234dbbee123a6f95f481ad0e0a966abd2844f0e1a" - logic_hash = "00869c0a9bf62cde3f46ca915b0ef689557b09dc58d6de34609e3998abfa7e98" + logic_hash = "v1_sha256_00869c0a9bf62cde3f46ca915b0ef689557b09dc58d6de34609e3998abfa7e98" score = 75 quality = 70 tags = "FILE" 
@@ -118976,21 +119211,21 @@ rule CAPE_Qakbotloader : FILE $getteb = {EB 00 55 8B EC 66 3B E4 74 ?? [1-5] 64 A1 18 00 00 00 5D EB} condition: - uint16(0)==0x5A4D and ( any of ($export*)) and ($wind or $getteb) + uint16( 0 ) == 0x5A4D and ( any of ( $export* ) ) and ( $wind or $getteb ) } rule CAPE_Qakbotantivm { meta: description = "QakBot AntiVM bypass" author = "kevoreilly" - id = "7446522a-788a-512d-ad68-2fcc56169f5a" + id = "6ea67e18-79a3-5489-a00a-3fcb53ebef87" date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/QakBot.yar#L48-L59" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/QakBot.yar#L48-L59" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "e269497ce458b21c8427b3f6f6594a25d583490930af2d3395cb013b20d08ff7" - logic_hash = "20f1cd28f38945a3aa328e77e78525fb1ffc47ecf54d5a40c2f18264c3973989" + logic_hash = "v1_sha256_20f1cd28f38945a3aa328e77e78525fb1ffc47ecf54d5a40c2f18264c3973989" score = 75 quality = 70 tags = "" 
@@ -119007,13 +119242,13 @@ rule CAPE_Zloader_1 : FILE meta: description = "Zloader API Spam Bypass" author = "kevoreilly" - id = "8a8e7102-1138-59e7-95a6-8647d41d8521" + id = "ece349f1-f123-52e3-a32e-f447a34a8b56" date = "2024-05-03" modified = "2024-05-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Zloader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "319adca805083c7f5854fe840447cf961addbd748f1f25eb8ec8cdeed7af38aa" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Zloader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_319adca805083c7f5854fe840447cf961addbd748f1f25eb8ec8cdeed7af38aa" score = 75 quality = 70 tags = "FILE" 
@@ -119024,20 +119259,20 @@ rule CAPE_Zloader_1 : FILE $traps = {6A 44 53 E8 [2] FF FF 83 C4 08 8D 85 ?? FF FF FF C7 85 ?? FF FF FF 44 00 00 00 50} condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule CAPE_Zloader_2024 : FILE { meta: description = "Zloader Registry and Modulename Bypass" author = "enzok" - id = "7100c27e-021f-552c-9a75-84b07a2f837e" + id = "b4e5dc9c-f994-5f10-86b2-f33dac27eab8" date = "2024-05-03" modified = "2024-05-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Zloader.yar#L14-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "38d555ef5f613cf7ca043697c479100a7a22e7f043acf8b6a46f8009eb92fd7e" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Zloader.yar#L14-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_38d555ef5f613cf7ca043697c479100a7a22e7f043acf8b6a46f8009eb92fd7e" score = 75 quality = 70 tags = "FILE" 
@@ -119049,20 +119284,20 @@ rule CAPE_Zloader_2024 : FILE $name_1 = {56 5? 5? 4? 81 EC [4] C7 44 24 ?? 00 00 00 00 4? 8D 0D [4] E8 [4] 4? 89 [3] 4? 83 [3] 00 75} condition: - uint16(0)==0x5A4D and 2 of them + uint16( 0 ) == 0x5A4D and 2 of them } rule CAPE_Guloaderprecursor : FILE { meta: description = "Guloader precursor" author = "kevoreilly" - id = "663f89d7-a18b-5b03-a7cb-52444a887fa4" + id = "8289ae16-bce3-58b9-8799-8045d79d648d" date = "2023-10-02" modified = "2023-10-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Guloader.yar#L17-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "ea05c352739366a03da302074b01537382ba26f7fd5049004f156e47d284f070" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Guloader.yar#L17-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_ea05c352739366a03da302074b01537382ba26f7fd5049004f156e47d284f070" score = 75 quality = 70 tags = "FILE" 
@@ -119073,20 +119308,20 @@ rule CAPE_Guloaderprecursor : FILE $except = {8B 45 08 [0-3] 8B 00 [0-3] 8B 58 18 [0-20] 81 38 05 00 00 C0 0F 85 [4-7] 83 FB 00 (0F 84|74)} condition: - 2 of them and not uint16(0)==0x5A4D + 2 of them and not uint16( 0 ) == 0x5A4D } rule CAPE_Rdtscpantivm { meta: description = "RdtscpAntiVM bypass" author = "kevoreilly" - id = "11dc634b-1e2f-55b4-be60-98e51de42d43" + id = "6c0ec43a-2e82-5ffb-b8b2-9879806ddf98" date = "2021-12-11" modified = "2021-12-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "be0f9b52fb630730a38160f4ad2d50b6b4bea5edd82e3ea4d1e257cf7b090910" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_be0f9b52fb630730a38160f4ad2d50b6b4bea5edd82e3ea4d1e257cf7b090910" score = 75 quality = 70 tags = "" 
@@ -119103,13 +119338,13 @@ rule CAPE_Icedidsyscallwritemem : FILE meta: description = "IcedID 'syscall' packer bypass - direct write variant" author = "kevoreilly" - id = "67935058-4191-587f-ad19-497defd0eef1" + id = "d220d853-3236-56c8-be39-9724580aef7f" date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/IcedID.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "6b068106b038e9efeb9057cadf314d400c1ada1a1cc70336d3272da3a212c993" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/IcedID.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_6b068106b038e9efeb9057cadf314d400c1ada1a1cc70336d3272da3a212c993" score = 75 quality = 70 tags = "FILE" 
@@ -119121,20 +119356,20 @@ rule CAPE_Icedidsyscallwritemem : FILE $tokencheck = {39 5D ?? 75 06 83 7D ?? 03 74 05 BB 01 00 00 00 41 89 1C ?? 48 8B 4D ?? 41 FF D?} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Icedidhook { meta: description = "IcedID hook fix" author = "kevoreilly" - id = "011c9cb7-8080-5f8a-9dca-6397e9bf7bf6" + id = "994af780-d272-5dbc-8b60-6b5365220eae" date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/IcedID.yar#L15-L25" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "fd62e0ed6f2a18472fa9336daee0e8a3a55e21779a8385394e85f96da928e24f" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/IcedID.yar#L15-L25" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_fd62e0ed6f2a18472fa9336daee0e8a3a55e21779a8385394e85f96da928e24f" score = 75 quality = 70 tags = "" 
@@ -119151,14 +119386,14 @@ rule CAPE_Icedidpackera : FILE meta: description = "IcedID export selection" author = "kevoreilly" - id = "d793d8a1-0e17-56ad-933c-470e2290867b" + id = "d7bb4051-8fd2-5cc3-9872-5bd4f732d1d2" date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/IcedID.yar#L27-L40" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/IcedID.yar#L27-L40" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe" - logic_hash = "aa0681e7794546355e6d61f739c49035a493cdfca7e666531d74e3835ec44408" + logic_hash = "v1_sha256_aa0681e7794546355e6d61f739c49035a493cdfca7e666531d74e3835ec44408" score = 75 quality = 70 tags = "FILE" 
@@ -119170,21 +119405,21 @@ rule CAPE_Icedidpackera : FILE $alloc = {8B 50 50 33 C9 44 8D 49 40 41 B8 00 30 00 00 FF 15 [4] 48 89 44 24 28 [0-3] 48 89 84 24 ?? 00 00 00 E9} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Icedidpackerb : FILE { meta: description = "IcedID export selection" author = "kevoreilly" - id = "6bd0e64d-e60e-5cd2-af79-946a7f6dc9f5" + id = "fa6544d6-7e2f-54ed-a5e4-bf0483af339b" date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/IcedID.yar#L42-L56" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/IcedID.yar#L42-L56" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "6517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6" - logic_hash = "fde1e2c0124d180b2fa3d0675b35e8d78fdd7b06cd27e9228c148aa29ce30ee7" + logic_hash = "v1_sha256_fde1e2c0124d180b2fa3d0675b35e8d78fdd7b06cd27e9228c148aa29ce30ee7" score = 75 quality = 70 tags = "FILE" 
@@ -119196,22 +119431,22 @@ rule CAPE_Icedidpackerb : FILE $loop = {8B C2 48 8D 49 01 83 E0 07 FF C2 0F B6 44 30 ?? 30 41 FF 3B D5 72} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Icedidpackerc : FILE { meta: description = "IcedID export selection" author = "kevoreilly" - id = "fddfd0d2-1bc0-56bb-b983-5850e17a3d0f" + id = "aab3a0bb-064c-5d33-a14f-0c588b19800d" date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/IcedID.yar#L58-L71" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/IcedID.yar#L58-L71" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "c06805b6efd482c1a671ec60c1469e47772c8937ec0496f74e987276fa9020a5" hash = "265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844" - logic_hash = "f1e75e380ab0947fdfda012b7a5077a1c2ef51163239846ab2dc29cac95ba166" + logic_hash = "v1_sha256_f1e75e380ab0947fdfda012b7a5077a1c2ef51163239846ab2dc29cac95ba166" score = 75 quality = 70 tags = "FILE" 
@@ -119222,21 +119457,21 @@ rule CAPE_Icedidpackerc : FILE $alloc = {41 B8 00 10 00 00 8B D0 33 C9 66 3B ?? (74|0F 84)} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Icedidpackerd : FILE { meta: description = "IcedID export selection" author = "kevoreilly" - id = "df0ca4bd-1ea6-57ef-b85a-7ed0e2a20831" + id = "44707ca8-6a1d-5911-9ab1-9a3334a357f4" date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/IcedID.yar#L73-L86" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/IcedID.yar#L73-L86" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "7b226f8cc05fa7d846c52eb0ec386ab37f9bae04372372509daa6bacc9f885d8" - logic_hash = "6685e0246f5a11ce0ca33447837de06506b447a5f8591423e2b76f2ab0274dc7" + logic_hash = "v1_sha256_6685e0246f5a11ce0ca33447837de06506b447a5f8591423e2b76f2ab0274dc7" score = 75 quality = 70 tags = "FILE" 
@@ -119248,20 +119483,20 @@ rule CAPE_Icedidpackerd : FILE $load = {41 B8 00 80 00 00 33 D2 48 8B 4C [2] EB ?? B9 69 04 00 00 E8 [4] 48 89 84 [2] 00 00 00 66 3B ED 74} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Icedsleep : FILE { meta: description = "IcedID sleep bypass" author = "kevoreilly" - id = "d6bd708b-47bc-5620-b40e-8fe5f1a67ba4" + id = "251a448b-7e79-5d56-92bb-0abdbe8a4dfe" date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/IcedID.yar#L88-L99" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "0b1a8be95b1b8a3b066837f9e47561ee8202d741b39d64e626c0461c2fbf7c70" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/IcedID.yar#L88-L99" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_0b1a8be95b1b8a3b066837f9e47561ee8202d741b39d64e626c0461c2fbf7c70" score = 75 quality = 70 tags = "FILE" 
@@ -119272,20 +119507,20 @@ rule CAPE_Icedsleep : FILE $sleep = {89 4C 24 08 48 83 EC 38 8B 44 24 40 48 69 C0 10 27 00 00 48 F7 D8 48 89 44 24 20 48 8D 54 24 20 33 C9 FF 15 [4] 48 83 C4 38 C3} condition: - uint16(0)==0x5A4D and all of them + uint16( 0 ) == 0x5A4D and all of them } rule CAPE_Ursnifv3_1 { meta: description = "Ursnif Config Extraction" author = "kevoreilly" - id = "4170b638-e51b-59c6-956a-50ff82f629ba" + id = "70a151d0-b5d6-56d8-b023-e166daa06ecf" date = "2023-03-23" modified = "2023-03-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "d679546e37ee58087fce75920b2ce4e6d2b9ae55fb1ef80d14ec14309396757c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_d679546e37ee58087fce75920b2ce4e6d2b9ae55fb1ef80d14ec14309396757c" score = 75 quality = 70 tags = "" 
@@ -119300,20 +119535,20 @@ rule CAPE_Ursnifv3_1 $cpuid = {8B C4 FF 18 8B F0 33 C0 0F A2 66 8C D8 66 8E D0 8B E5 8B C6 5E 5B 5D C3} condition: - any of ($crypto32*) and $cpuid + any of ( $crypto32* ) and $cpuid } rule CAPE_Formhooka { meta: description = "Formbook Anti-hook Bypass" author = "kevoreilly" - id = "6369de74-99eb-57ae-a315-c15f22effc73" + id = "c4cf6811-a337-5862-b141-296a73f0acff" date = "2024-10-11" modified = "2024-10-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Formbook.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "21b8101a7039cfad0e9d49cc1f055bc23a2eb4c973dcda2a81a007e452d77a6d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Formbook.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_21b8101a7039cfad0e9d49cc1f055bc23a2eb4c973dcda2a81a007e452d77a6d" score = 75 quality = 70 tags = "" 
@@ -119333,13 +119568,13 @@ rule CAPE_Formhookb meta: description = "Formbook Anti-hook Bypass" author = "kevoreilly" - id = "479afd45-8e59-5b31-8315-faf8284f0de4" + id = "193ac99b-df61-5488-ac16-8d8632b95b23" date = "2024-10-11" modified = "2024-10-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Formbook.yar#L16-L29" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "b8b677ca239c6c5faf44f7a46c1e3e231f5708fb13aac724fd3ac9f865b965d8" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Formbook.yar#L16-L29" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_b8b677ca239c6c5faf44f7a46c1e3e231f5708fb13aac724fd3ac9f865b965d8" score = 75 quality = 70 tags = "" 
@@ -119359,13 +119594,13 @@ rule CAPE_Formconfa meta: description = "Formbook Config Extraction" author = "kevoreilly" - id = "f9c3fc92-e2c8-5968-b0f4-80bd8199b7ca" + id = "e9b6c12d-1bc0-525f-9842-a7528d4b934d" date = "2024-10-11" modified = "2024-10-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Formbook.yar#L31-L43" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "b0aa4cec55a21245d8104380c531dd6cc0fdef64fbefd79616eadfb4e95b2d75" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Formbook.yar#L31-L43" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_b0aa4cec55a21245d8104380c531dd6cc0fdef64fbefd79616eadfb4e95b2d75" score = 75 quality = 70 tags = "" 
@@ -119384,13 +119619,13 @@ rule CAPE_Formhelper meta: description = "Formbook Config Extraction" author = "kevoreilly" - id = "88ff1354-1ae7-5380-a586-ef95212d59df" + id = "d7bf5b36-3489-5f84-a6c4-41c902683133" date = "2024-10-11" modified = "2024-10-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Formbook.yar#L45-L57" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "77cdfc94aac089c4f2590f4afbab35351fc6e104e67813548c68c59d27019a63" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Formbook.yar#L45-L57" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_77cdfc94aac089c4f2590f4afbab35351fc6e104e67813548c68c59d27019a63" score = 75 quality = 70 tags = "" 
@@ -119409,13 +119644,13 @@ rule CAPE_Formconfb meta: description = "Formbook Config Extraction" author = "kevoreilly" - id = "4c8c7939-07e8-5a1e-92a3-b62e322fb9b6" + id = "9f1770b9-2457-599e-a48e-f83884af35ce" date = "2024-10-11" modified = "2024-10-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Formbook.yar#L59-L73" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "8a96ef5c6cebb51186acd099b795066e8e8b2c2adbed4dcc66b81228f70e5c4f" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Formbook.yar#L59-L73" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_8a96ef5c6cebb51186acd099b795066e8e8b2c2adbed4dcc66b81228f70e5c4f" score = 75 quality = 70 tags = "" 
@@ -119436,13 +119671,13 @@ rule CAPE_Formconfc meta: description = "Formbook Config Extraction" author = "kevoreilly" - id = "cf155b6e-0821-5044-a84e-e4a101e55edd" + id = "0ba73bf6-0a30-56d4-aab7-b4b9a7bbc156" date = "2024-10-11" modified = "2024-10-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Formbook.yar#L75-L87" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "f52bce00d2ec88682115a8720f0a182b7ef7fe7b9b9fc466bb8ddc1779341509" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Formbook.yar#L75-L87" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_f52bce00d2ec88682115a8720f0a182b7ef7fe7b9b9fc466bb8ddc1779341509" score = 75 quality = 70 tags = "" 
@@ -119461,14 +119696,14 @@ rule CAPE_Emotetpacker : FILE meta: description = "Emotet bypass" author = "kevoreilly" - id = "67b8e14c-5fa8-52af-bb9a-1663b084fbf0" + id = "5f054906-4531-50fc-9cad-ef65817788d6" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" hash = "5a95d1d87ce69881b58a0e3aafc1929861e2633cdd960021d7b23e2a36409e0d" - logic_hash = "5f27d9d18884f7e0805f69960869b332c1577bf8be8ac103285e8bf98cda0ffd" + logic_hash = "v1_sha256_5f27d9d18884f7e0805f69960869b332c1577bf8be8ac103285e8bf98cda0ffd" score = 75 quality = 70 tags = "FILE" 
@@ -119479,20 +119714,20 @@ rule CAPE_Emotetpacker : FILE $trap2 = {F2 0F 10 15 [4] BE 01 00 00 00 0F 01 F9 C7 44 24 60 00 00 00 00 89 4C 24 60 0F 01 F9 C7 44 24 5C 00 00 00 00 89 4C 24 5C 0F 1F 84 00 00 00 00 00} condition: - uint16(0)==0x5A4D and any of ($trap*) + uint16( 0 ) == 0x5A4D and any of ( $trap* ) } rule CAPE_Mysterysnail { meta: description = "MysterySnail anti-sandbox bypass" author = "kevoreilly" - id = "dfeb820a-3101-5588-8348-3b62a6900538" + id = "57cf8fd9-6719-5171-acba-49fca9de8365" date = "2021-10-16" modified = "2021-10-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/MysterySnail.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "9402dbbbfdd286e2309ee83fc08194f70f73657a3a4e3785dfbcb564dbee86a8" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/MysterySnail.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_9402dbbbfdd286e2309ee83fc08194f70f73657a3a4e3785dfbcb564dbee86a8" score = 75 quality = 70 tags = "" 
@@ -119509,13 +119744,13 @@ rule CAPE_Bruteratelsyscall meta: description = "BruteRatel Syscall Bypass" author = "kevoreilly" - id = "0ddc3e0a-c4ca-5342-b029-107ce1f2751e" + id = "aaaa50d1-4d02-5348-990a-bf1192b65196" date = "2024-07-22" modified = "2024-07-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/BruteRatel.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "5ed054b3cd5d2659c250945d55d6adac90945963c34ad2af0f8d7436141e86b6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/BruteRatel.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_5ed054b3cd5d2659c250945d55d6adac90945963c34ad2af0f8d7436141e86b6" score = 75 quality = 70 tags = "" 
@@ -119533,13 +119768,13 @@ rule CAPE_Bruteratelpacker meta: description = "BruteRatel Outer Encryption Layer" author = "kevoreilly" - id = "631083be-7058-590a-a394-984545f42ad7" + id = "6dc17b53-42db-5dd9-906e-2a55b51bef8b" date = "2024-07-22" modified = "2024-07-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/BruteRatel.yar#L14-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "2ccb17efe378d034df34d20d7580c58171d0fd11c18fef6c9a23f1ba238514e6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/BruteRatel.yar#L14-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_2ccb17efe378d034df34d20d7580c58171d0fd11c18fef6c9a23f1ba238514e6" score = 75 quality = 70 tags = "" 
@@ -119551,20 +119786,20 @@ rule CAPE_Bruteratelpacker $date = {48 8B 17 48 85 D2 0F 85 [2] 00 00 8B 47 08 85 C0 0F 85 [2] 00 00} condition: - ($outer) and not ($inner) and not ($date) + ($outer ) and not ( $inner ) and not ( $date ) } rule CAPE_Bruterateldate { meta: description = "BruteRatel Date Check Bypass" author = "kevoreilly" - id = "94dd5cf3-ed59-51d6-92c8-aee73fe2926b" + id = "f7f40466-e17e-5de2-aa1c-db6158e875b7" date = "2024-07-22" modified = "2024-07-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/BruteRatel.yar#L28-L39" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "88589b2d08aea03565668ff1b9af20b6fe11cda50d867c60db7cb4d1826b0fd7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/BruteRatel.yar#L28-L39" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_88589b2d08aea03565668ff1b9af20b6fe11cda50d867c60db7cb4d1826b0fd7" score = 75 quality = 70 tags = "" 
@@ -119582,13 +119817,13 @@ rule CAPE_Bruteratelconfig meta: description = "BruteRatel Config Extraction" author = "kevoreilly" - id = "5ae680b0-5ad2-5e82-87f8-b0af4fec18de" + id = "fafd8e2d-b712-5f66-9e7f-bff0aa347271" date = "2024-07-22" modified = "2024-07-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/BruteRatel.yar#L41-L51" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "b1815aafec940ab6c8daafc68ccf294845221ada260de5209dcb7e49ccd061c7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/BruteRatel.yar#L41-L51" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_b1815aafec940ab6c8daafc68ccf294845221ada260de5209dcb7e49ccd061c7" score = 75 quality = 70 tags = "" 
@@ -119605,13 +119840,13 @@ rule CAPE_Darkgateloader meta: description = "DarkGate Loader" author = "enzok" - id = "ca39f39d-aa89-5018-bb07-008a6ea86c42" + id = "d765a863-c52b-5497-9a09-e91605da7735" date = "2023-10-02" modified = "2023-10-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "56069f38edb7d50b0d5680a847d85b1aabc97e432a37911ac9d28aee3b12f526" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_56069f38edb7d50b0d5680a847d85b1aabc97e432a37911ac9d28aee3b12f526" score = 75 quality = 68 tags = "" 
@@ -119625,20 +119860,20 @@ rule CAPE_Darkgateloader $decrypt3 = {89 85 [4] 8B 85 [4] 8B F0 8D BD [4] B? 10 [3] F3 A5 8B 85 [4] 33 D2 [2] 8B 85 [4] 99} condition: - $loader and any of ($decrypt*) + $loader and any of ( $decrypt* ) } rule CAPE_Rhadamanthys_1 { meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly" - id = "d9d387e1-76b3-55f6-a40f-a8c9cb9e9bea" + id = "f0c3586c-5cec-5ee3-88b3-19120f8129a3" date = "2023-04-18" modified = "2023-04-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "3c8fbfe14f81e099fc900023d9c856e3f45b99af38889ed952b2ac67a636f51d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_3c8fbfe14f81e099fc900023d9c856e3f45b99af38889ed952b2ac67a636f51d" score = 75 quality = 70 tags = "" 
@@ -119658,13 +119893,13 @@ rule CAPE_Agentteslav3Jit meta: description = "AgentTesla V3 JIT native string decryption" author = "ClaudioWayne" - id = "590c5058-c1db-5366-8db5-57449a178999" + id = "2f83838c-c5bf-590e-a636-f2db52e5cfba" date = "2024-02-27" modified = "2024-02-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/AgentTesla.yar#L16-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "62a49cf4295df637f96ba7c127cfc4aeb9af2fcced497fdf34d726a062edc1ec" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/AgentTesla.yar#L16-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_62a49cf4295df637f96ba7c127cfc4aeb9af2fcced497fdf34d726a062edc1ec" score = 75 quality = 70 tags = "" 
@@ -119681,13 +119916,13 @@ rule CAPE_Blister_1 : FILE meta: description = "Blister Sleep Bypass" author = "kevoreilly" - id = "34657bab-f100-5ea8-9111-da2806f46b79" + id = "b7c5be3f-50a8-5bed-b556-4394855f03e9" date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Blister.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE" - logic_hash = "aba379b93c85241cf250829832b2c8a5eaafb3abd0ff955dbaf0d06489c00deb" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Blister.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE" + logic_hash = "v1_sha256_aba379b93c85241cf250829832b2c8a5eaafb3abd0ff955dbaf0d06489c00deb" score = 75 quality = 70 tags = "FILE" 
@@ -119703,20 +119938,20 @@ rule CAPE_Blister_1 : FILE
 $comp = {6A 04 59 A1 [4] 8B 78 04 8B 75 08 33 C0 F3 A7 75 0B 8B 45 0C 83 20 00 33 C0 40 EB 02 33 C0}
 condition:
- uint16(0)==0x5A4D and 2 of ($protect,$lock,$comp) and all of ($sleep*)
+ uint16( 0 ) == 0x5A4D and 2 of ( $protect , $lock , $comp ) and all of ( $sleep* )
 }
 
 rule CAPE_Pikahook : FILE
 {
 meta:
 description = "Pikabot anti-hook bypass"
 author = "kevoreilly"
- id = "e1b7a807-135f-52d7-bc36-c0419e82b424"
+ id = "c1da74b4-c806-522d-b815-92ab6ac24abc"
 date = "2024-03-12"
 modified = "2024-03-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Pikabot.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "2a50a5f2d905122a5b7ac8ca3666b47caa24d325e246841129e53807daf2a1dd"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Pikabot.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_2a50a5f2d905122a5b7ac8ca3666b47caa24d325e246841129e53807daf2a1dd"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119729,21 +119964,21 @@ rule CAPE_Pikahook : FILE
 $sysenter2 = {C7 44 24 0C 00 00 00 02 C7 44 24 08 00 00 00 02 8B 45 0C 89 44 24 04 8B 45 08 89 04 24 E8}
 condition:
- uint16(0)==0x5A4D and 2 of them
+ uint16( 0 ) == 0x5A4D and 2 of them
 }
 
 rule CAPE_Pikexport : FILE
 {
 meta:
 description = "Pikabot export selection"
 author = "kevoreilly"
- id = "7d2432f2-90ae-5ad0-b579-5789a1c14a08"
+ id = "e59f8eae-6f57-5bc4-bdd1-2715b1408426"
 date = "2024-03-12"
 modified = "2024-03-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Pikabot.yar#L16-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Pikabot.yar#L16-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
 hash = "238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646"
- logic_hash = "33f58703a0e40c2361343dbdcc17111aafbf5cc912393edda79005c6ec566f42"
+ logic_hash = "v1_sha256_33f58703a0e40c2361343dbdcc17111aafbf5cc912393edda79005c6ec566f42"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119754,20 +119989,20 @@ rule CAPE_Pikexport : FILE
 $pe = {B8 08 00 00 00 6B C8 00 8B 55 ?? 8B 45 ?? 03 44 0A 78 89 45 ?? 8B 4D ?? 8B 51 18 89 55 E8 C7 45 F8 00 00 00 00}
 condition:
- uint16(0)==0x5A4D and all of them
+ uint16( 0 ) == 0x5A4D and all of them
 }
 
 rule CAPE_Vbcrypter
 {
 meta:
 description = "VBCrypter anti-hook Bypass"
 author = "kevoreilly"
- id = "2e010dfd-5096-5e81-af9b-174322a47d87"
+ id = "a65a987a-f6c0-5be4-ad98-9a411a7596d0"
 date = "2021-03-28"
 modified = "2021-03-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/VBCrypter.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "a62bca62ab624ab1a2c2e612c5b7e6d543006026a49c07c46800499e31e41c4e"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/VBCrypter.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_a62bca62ab624ab1a2c2e612c5b7e6d543006026a49c07c46800499e31e41c4e"
 score = 75
 quality = 70
 tags = ""
@@ -119784,13 +120019,13 @@ rule CAPE_Smokeloader_1 : FILE
 meta:
 description = "SmokeLoader Payload"
 author = "kevoreilly"
- id = "9df0eca1-009f-5e7e-af9f-9529581fb4b4"
+ id = "af8f85de-4992-5e1b-8564-69cbf83ce275"
 date = "2023-02-06"
 modified = "2023-02-06"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "4b15162f4b754cdd6a9124f29f0fd979085734063a0b17f2a97a9750f29e2e0b"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_4b15162f4b754cdd6a9124f29f0fd979085734063a0b17f2a97a9750f29e2e0b"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119800,20 +120035,20 @@ rule CAPE_Smokeloader_1 : FILE
 $gate = {68 [2] 00 00 50 E8 [4] 8B 45 ?? 89 F1 8B 55 ?? 9A [2] 40 00 33 00 89 F9 89 FA 81 C1 [2] 00 00 81 C2 [2] 00 00 89 0A 8B 46 ?? 03 45 ?? 8B 4D ?? 8B 55 ?? 9A [2] 40 00 33 00}
 condition:
- uint16(0)==0x5A4D and any of them
+ uint16( 0 ) == 0x5A4D and any of them
 }
 
 rule CAPE_Xworm_1
 {
 meta:
 description = "XWorm Config Extractor"
 author = "kevoreilly"
- id = "0f55dbfb-c239-53f2-a1e0-bfa494558d6e"
+ id = "7764eb2b-ab0b-5214-82ef-221060a895d9"
 date = "2023-11-07"
 modified = "2023-11-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/XWorm.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "d8e103f3470e83d71cd4992b74698c0721b8a69d764fdb7a4543997b2853014a"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/XWorm.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_d8e103f3470e83d71cd4992b74698c0721b8a69d764fdb7a4543997b2853014a"
 score = 75
 quality = 70
 tags = ""
@@ -119830,14 +120065,14 @@ rule CAPE_Stealcanti : FILE
 meta:
 description = "Stealc detonation bypass"
 author = "kevoreilly"
- id = "32e5c1cf-ef57-58eb-9deb-fab0064cc676"
+ id = "05e35b14-0465-55f6-bdfa-9a8495aaae64"
 date = "2024-01-19"
 modified = "2024-01-19"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Stealc.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Stealc.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
 hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
- logic_hash = "4132e8094b0b49a89e9f40a8b1a6abbf105bbb04e4ddf3ce739e39fc2baf0d13"
+ logic_hash = "v1_sha256_4132e8094b0b49a89e9f40a8b1a6abbf105bbb04e4ddf3ce739e39fc2baf0d13"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119848,20 +120083,20 @@ rule CAPE_Stealcanti : FILE
 $decode = {6A 03 33 D2 8B F8 59 F7 F1 8B C7 85 D2 74 04 2B C2 03 C1 6A 06 C1 E0 03 33 D2 59 F7 F1}
 condition:
- uint16(0)==0x5A4D and all of them
+ uint16( 0 ) == 0x5A4D and all of them
 }
 
 rule CAPE_Stealcstrings : FILE
 {
 meta:
 description = "Stealc string decryption"
 author = "kevoreilly"
- id = "087b5532-e1e7-5df9-adb2-bf758c8ba352"
+ id = "0a685017-e4ee-5aed-a9f3-aa1458c6acee"
 date = "2024-01-19"
 modified = "2024-01-19"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Stealc.yar#L15-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "6d402446a979c00b6257ace9924db381d98c530b22968bd2776c66d58c7faefc"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Stealc.yar#L15-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_6d402446a979c00b6257ace9924db381d98c530b22968bd2776c66d58c7faefc"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119872,21 +120107,21 @@ rule CAPE_Stealcstrings : FILE
 $decode = {51 8B 15 [4] 52 8B 45 ?? 50 E8 [4] 83 C4 0C 6A 04 6A 00 8D 4D ?? 51 FF 15 [4] 83 C4 0C 8B 45 ?? 8B E5 5D C3}
 condition:
- uint16(0)==0x5A4D and any of them
+ uint16( 0 ) == 0x5A4D and any of them
 }
 
 rule CAPE_Latrodectus_1 : FILE
 {
 meta:
 description = "Latrodectus export selection"
 author = "kevoreilly"
- id = "7c6f167a-6b76-5509-b164-306d1cd19b0f"
+ id = "c688d6fa-610c-5c94-817c-e6e78bf03688"
 date = "2024-02-26"
 modified = "2024-02-26"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Latrodectus.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Latrodectus.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
 hash = "378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05"
- logic_hash = "c2c9f23e287253d766425c05eb774f6e07bdcbabc259e04b723a1a87c8b91fbd"
+ logic_hash = "v1_sha256_c2c9f23e287253d766425c05eb774f6e07bdcbabc259e04b723a1a87c8b91fbd"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119896,21 +120131,21 @@ rule CAPE_Latrodectus_1 : FILE
 $export = {48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 EC 30 4C 8B 05 [4] 33 D2 C7 40 [5] 88 50 ?? 49 63 40 3C 42 8B 8C 00 88 00 00 00 85 C9 0F 84}
 condition:
- uint16(0)==0x5A4D and all of them
+ uint16( 0 ) == 0x5A4D and all of them
 }
 
 rule CAPE_Anticuckoo : FILE
 {
 meta:
 description = "AntiCuckoo bypass: https://github.com/therealdreg/anticuckoo"
 author = "kevoreilly"
- id = "e221e57b-313e-5998-a3fc-5b4e9671b989"
+ id = "b93d79b5-96f7-573a-982c-d2654e651df4"
 date = "2023-03-17"
 modified = "2023-03-17"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
 hash = "ad5e52f144bb4a1dae3090978c6ecb4c7732538c9b62a6cedd32eccee6094be5"
- logic_hash = "a039aeca2dae44980e8bffafacfda90975e107001be50f11ac916b35ad43592e"
+ logic_hash = "v1_sha256_a039aeca2dae44980e8bffafacfda90975e107001be50f11ac916b35ad43592e"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119920,20 +120155,20 @@ rule CAPE_Anticuckoo : FILE
 $HKActivOldStackCrash = {5B 81 FB FA FA FA FA 74 01 41 3B E0 75 ?? 83 E9 0B 83 F9 04 7F 04 C6 45 ?? 00 89 4D ?? 89 65 ?? 80 7D ?? 00 74}
 condition:
- uint16(0)==0x5A4D and all of them
+ uint16( 0 ) == 0x5A4D and all of them
 }
 
 rule CAPE_Bumblebeeshellcode_1
 {
 meta:
 description = "BumbleBee Loader 2023"
 author = "kevoreilly"
- id = "20dd4668-497d-5f37-a61e-c154209503b8"
+ id = "7221ce0f-d848-5cda-b300-173db839f01a"
 date = "2023-02-08"
 modified = "2023-02-08"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/BumbleBee.yar#L18-L32"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "865510868ee7c089c2ada0645098e851ca2bb9084a74315ce16296eb19c93ab4"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/BumbleBee.yar#L18-L32"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_865510868ee7c089c2ada0645098e851ca2bb9084a74315ce16296eb19c93ab4"
 score = 75
 quality = 70
 tags = ""
@@ -119954,13 +120189,13 @@ rule CAPE_Loadersyscall
 meta:
 description = "Loader Syscall"
 author = "enzok"
- id = "45193b38-938e-55cf-9ea0-7bd48f0d77e4"
+ id = "5dc50e02-3085-5d19-a77e-6f9e03405912"
 date = "2024-12-02"
 modified = "2024-12-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "3c7ffd8b95032cffecff7fa7e5f5f561cce13e1109f6a9b30bc743642b495e45"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_3c7ffd8b95032cffecff7fa7e5f5f561cce13e1109f6a9b30bc743642b495e45"
 score = 75
 quality = 70
 tags = ""
@@ -119979,13 +120214,13 @@ rule CAPE_Nitrogenloaderaes
 meta:
 description = "NitrogenLoader AES and IV"
 author = "enzok"
- id = "c79a00af-52f9-5f07-9c58-e8964e70986f"
+ id = "359f7461-e468-5ef4-98cb-298ac6b7018b"
 date = "2024-12-02"
 modified = "2024-12-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "de8ed0e98948cfadfd579e334fd9ce9f777ddbd988de897529ba71cb5eb2d396"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_de8ed0e98948cfadfd579e334fd9ce9f777ddbd988de897529ba71cb5eb2d396"
 score = 75
 quality = 70
 tags = ""
@@ -120004,13 +120239,13 @@ rule CAPE_Nitrogenloaderbypass
 meta:
 description = "Nitrogen Loader Exit Bypass"
 author = "enzok"
- id = "397b0b79-d569-5a71-bcac-ce0d64f706e6"
+ id = "6a089a05-cf15-5b7e-8af8-9ec6faca49b7"
 date = "2024-12-02"
 modified = "2024-12-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "3a034d3ddd18723ea1f91814c8c2a2c47a749dfd1496a5d4777d8ff8bfab3457"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_3a034d3ddd18723ea1f91814c8c2a2c47a749dfd1496a5d4777d8ff8bfab3457"
 score = 75
 quality = 70
 tags = ""
@@ -120029,13 +120264,13 @@ rule CAPE_Nitrogenloaderconfig
 meta:
 description = "NitrogenLoader Config Extraction"
 author = "enzok"
- id = "a23d7012-b7b2-5313-9974-d65c1364c630"
+ id = "b8bd4624-f50e-5657-bfe4-b6586dc5f9d2"
 date = "2024-12-02"
 modified = "2024-12-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L54"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "a1f9e95b8039b16e3926b7288c036e81cf72b2dbb91ab9e69125f18d89fa1a03"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L54"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_a1f9e95b8039b16e3926b7288c036e81cf72b2dbb91ab9e69125f18d89fa1a03"
 score = 75
 quality = 70
 tags = ""
@@ -120053,13 +120288,13 @@ rule CAPE_Lumma_1 : FILE
 meta:
 description = "Lumma config extraction"
 author = "kevoreilly"
- id = "b2166620-3070-5727-b189-e6959cc5b698"
+ id = "07d5bdbc-4c50-5208-89a9-486d88868264"
 date = "2024-05-09"
 modified = "2024-05-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Lumma.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "a8f9212b619796f91f14c4164e4d2f30c66b51118f22f3d6c310841b6707b7b0"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Lumma.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_a8f9212b619796f91f14c4164e4d2f30c66b51118f22f3d6c310841b6707b7b0"
 score = 75
 quality = 70
 tags = "FILE"
@@ -120072,20 +120307,20 @@ rule CAPE_Lumma_1 : FILE
 $patch = {66 C7 0? 00 00 8B 46 1? C6 00 01 8B}
 condition:
- uint16(0)==0x5a4d and 2 of them
+ uint16( 0 ) == 0x5a4d and 2 of them
 }
 
 rule CAPE_Lummaremap
 {
 meta:
 description = "Lumma ntdll-remap bypass"
 author = "kevoreilly"
- id = "93ae37d1-a38a-5f96-8bb3-cc648a49b588"
+ id = "54393835-eef6-52ca-b292-89da953cff80"
 date = "2024-05-09"
 modified = "2024-05-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/Lumma.yar#L16-L27"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "51093379fbd041f75bdfe161bc9dfcc7d782c23ce16d625ca558bb58d8d57713"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/Lumma.yar#L16-L27"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_51093379fbd041f75bdfe161bc9dfcc7d782c23ce16d625ca558bb58d8d57713"
 score = 75
 quality = 70
 tags = ""
@@ -120103,13 +120338,13 @@ rule CAPE_Slowloader
 meta:
 description = "SlowLoader detonation aide for slow cpus (thread race)"
 author = "kevoreilly"
- id = "05724bf4-b767-542d-a2dd-a9ae3e5ea5cc"
+ id = "cc9d7f48-4e78-5752-bf85-0fddba3a6740"
 date = "2024-09-23"
 modified = "2024-09-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/SlowLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "f07528c646ebd980a5e843caa4a4715e31b22c3cd091576600e9fe45d7fc2fe4"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/SlowLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_f07528c646ebd980a5e843caa4a4715e31b22c3cd091576600e9fe45d7fc2fe4"
 score = 75
 quality = 70
 tags = ""
@@ -120127,13 +120362,13 @@ rule CAPE_Dridexloader_1 : FILE
 meta:
 description = "DridexLoader API Spam Bypass"
 author = "kevoreilly"
- id = "a8b62f64-87a0-58d3-8876-9b0f6a7deb97"
+ id = "3f8955e9-f9bb-5930-be9d-a7402ac3fc48"
 date = "2021-03-09"
 modified = "2021-03-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/analyzer/windows/data/yara/DridexLoader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/ca46353c771fd52356f83576df5b5c783af00d48/LICENSE"
- logic_hash = "00a3e4e80a2558ee52035f091e2339fa2dad6f6515b9dc099f2f3800e4c70bce"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/analyzer/windows/data/yara/DridexLoader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/7aae5b71ad4a1bbb4912792a8a857b33e1ab3f43/LICENSE"
+ logic_hash = "v1_sha256_00a3e4e80a2558ee52035f091e2339fa2dad6f6515b9dc099f2f3800e4c70bce"
 score = 75
 quality = 70
 tags = "FILE"
@@ -120143,13 +120378,13 @@ rule CAPE_Dridexloader_1 : FILE
 $trap = {6A 50 6A 14 6A 03 5A 8D 4C 24 ?? E8 [4] 68 [4] 68 [4] E8 [4] 85 C0 74 05}
 condition:
- uint16(0)==0x5A4D and $trap
+ uint16( 0 ) == 0x5A4D and $trap
 }
 
 /*
 * YARA Rule Set
 * Repository Name: BinaryAlert
 * Repository: https://github.com/airbnb/binaryalert/
- * Retrieval Date: 2024-12-08
+ * Retrieval Date: 2024-12-15
 * Git Commit: a9c0f06affc35e1f8e45bb77f835b92350c68a0b
 * Number of Rules: 78
 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -120365,32 +120600,32 @@ private rule BINARYALERT_Macho_PRIVATE : FILE
 meta:
 description = "Mach-O binaries"
 author = "Airbnb"
- id = "04e14811-38be-54eb-8ec0-649d5469078a"
+ id = "40526d0e-dede-5001-996c-b12f668a7f53"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/airbnb/binaryalert/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/MachO.yara#L1-L7"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "2e992eb7d4ea47c9f61f3a7d8b0b6e37d0423fb08a626eaf2ddea51bfd928dfc"
+ logic_hash = "v1_sha256_2e992eb7d4ea47c9f61f3a7d8b0b6e37d0423fb08a626eaf2ddea51bfd928dfc"
 score = 75
 quality = 80
 tags = "FILE"
 condition:
- uint32(0)==0xfeedface or uint32(0)==0xcefaedfe or uint32(0)==0xfeedfacf or uint32(0)==0xcffaedfe or uint32(0)==0xcafebabe or uint32(0)==0xbebafeca
+ uint32( 0 ) == 0xfeedface or uint32( 0 ) == 0xcefaedfe or uint32( 0 ) == 0xfeedfacf or uint32( 0 ) == 0xcffaedfe or uint32( 0 ) == 0xcafebabe or uint32( 0 ) == 0xbebafeca
 }
 
 rule BINARYALERT_Eicar_Av_Test
 {
 meta:
 description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."
 author = "Austin Byers | Airbnb CSIRT"
- id = "4dbb9d9d-9a8b-56f0-878a-a4a362a2c4f8"
+ id = "74ff23ad-17f4-5a5f-bdd8-45fb756bcb90"
 date = "2018-04-17"
 modified = "2018-04-17"
 reference = "http://www.eicar.org/86-0-Intended-use.html"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/eicar.yara#L1-L18"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "870db233ca083fae19a88a109e13d086c76df2340b709eb2da565c08574a42bd"
+ logic_hash = "v1_sha256_870db233ca083fae19a88a109e13d086c76df2340b709eb2da565c08574a42bd"
 score = 50
 quality = 80
 tags = ""
@@ -120406,13 +120641,13 @@ rule BINARYALERT_Eicar_Substring_Test
 meta:
 description = "Standard AV test, checking for an EICAR substring"
 author = "Austin Byers | Airbnb CSIRT"
- id = "43af8d40-16be-5948-839e-b58cb36c4155"
+ id = "4fab4178-a047-5700-9d31-5a8a8bdafb59"
 date = "2018-04-17"
 modified = "2018-04-17"
 reference = "https://github.com/airbnb/binaryalert/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/eicar.yara#L20-L34"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "9dc46b273d12d4431b833d4380235b387de4b3aab1f6211b868ada1d1339383a"
+ logic_hash = "v1_sha256_9dc46b273d12d4431b833d4380235b387de4b3aab1f6211b868ada1d1339383a"
 score = 50
 quality = 40
 tags = ""
@@ -120428,14 +120663,14 @@ rule BINARYALERT_Malware_Macos_Proton_Rat_Generic
 meta:
 description = "No description has been set in the source file - BinaryAlert"
 author = "@mimeframe"
- id = "75cfaaff-e8d7-5cd4-953b-7d2011139725"
+ id = "be649af5-398a-53ab-9379-9482a8f20bae"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://objective-see.com/blog/blog_0x1D.html"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_proton_rat_generic.yara#L3-L21"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "6a2d0c8b20efc3fa283176a4bc76d6fd"
- logic_hash = "b7d8660320564cba1d8e2d53d1fdc75509140c7e87a572b27931c62201df2d22"
+ logic_hash = "v1_sha256_b7d8660320564cba1d8e2d53d1fdc75509140c7e87a572b27931c62201df2d22"
 score = 75
 quality = 64
 tags = ""
@@ -120449,20 +120684,20 @@ rule BINARYALERT_Malware_Macos_Proton_Rat_Generic
 $b4 = "Entering interactive session." nocase wide ascii
 condition:
- BINARYALERT_Macho_PRIVATE and any of ($a*) and any of ($b*)
+ BINARYALERT_Macho_PRIVATE and any of ( $a* ) and any of ( $b* )
 }
 
 rule BINARYALERT_Malware_Macos_Bella
 {
 meta:
 description = "Bella is a pure python post-exploitation data mining tool & remote administration tool for macOS."
 author = "@mimeframe"
- id = "ca4ab508-8c97-5307-9aaf-db10cfd6ab35"
+ id = "818dfc39-5f64-501d-82a6-aad09f81e0b6"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/Trietptm-on-Security/Bella"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_bella.yara#L1-L22"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "b9c063b5ec8604958d3417ec8640da4314ebcf60ee55413a2f6fa8d138311614"
+ logic_hash = "v1_sha256_b9c063b5ec8604958d3417ec8640da4314ebcf60ee55413a2f6fa8d138311614"
 score = 75
 quality = 80
 tags = ""
@@ -120479,21 +120714,21 @@ rule BINARYALERT_Malware_Macos_Bella
 $c2 = "What port should Bella connect on [Default is 4545]:" wide ascii
 condition:
- any of ($a*) or all of ($b*) or all of ($c*)
+ any of ( $a* ) or all of ( $b* ) or all of ( $c* )
 }
 
 rule BINARYALERT_Malware_Macos_Apt_Sofacy_Xagent
 {
 meta:
 description = "sofacy xagent for macOS"
 author = "@mimeframe"
- id = "91bef771-2ef1-58f6-ae01-3bdde4cc003c"
+ id = "acacca78-bd3a-53d3-8b91-ab9e8e6eb855"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://blog.malwarebytes.com/cybercrime/2017/03/two-new-mac-backdoors-discovered/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_apt_sofacy_xagent.yara#L3-L62"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "4fe4b9560e99e33dabca553e2eeee510"
- logic_hash = "d4b1096e4aeb8382e5abf93d3ecf71cd6ae2ed7afbc9a38549a2fc2739539674"
+ logic_hash = "v1_sha256_d4b1096e4aeb8382e5abf93d3ecf71cd6ae2ed7afbc9a38549a2fc2739539674"
 score = 75
 quality = 55
 tags = ""
@@ -120544,20 +120779,20 @@ rule BINARYALERT_Malware_Macos_Apt_Sofacy_Xagent
 $e10 = "channel=" fullword ascii wide
 condition:
- BINARYALERT_Macho_PRIVATE and (5 of ($a*) or any of ($b*) or any of ($c*) or 4 of ($d*) or 5 of ($e*))
+ BINARYALERT_Macho_PRIVATE and ( 5 of ( $a* ) or any of ( $b* ) or any of ( $c* ) or 4 of ( $d* ) or 5 of ( $e* ) )
 }
 
 rule BINARYALERT_Malware_Macos_Neoneggplant_Eggshell
 {
 meta:
 description = "EggShell is an iOS and macOS post exploitation surveillance pentest tool written in Python."
 author = "@mimeframe"
- id = "274a34cc-9403-50e6-aa64-683a41bc30e6"
+ id = "a82fea1e-85c8-53b1-bfe5-3b42ebb555b4"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/neoneggplant/EggShell"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_neoneggplant_eggshell.yara#L1-L24"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "34906db9398313ccb84e67bd98e94324c628aefe3efa6ba3cca2df042b42cbe7"
+ logic_hash = "v1_sha256_34906db9398313ccb84e67bd98e94324c628aefe3efa6ba3cca2df042b42cbe7"
 score = 50
 quality = 80
 tags = ""
@@ -120576,23 +120811,21 @@ rule BINARYALERT_Malware_Macos_Neoneggplant_Eggshell
 $c4 = "rmpersistence" wide ascii
 condition:
- all of ($a*) or 3 of ($b*) or 3 of ($c*)
+ all of ( $a* ) or 3 of ( $b* ) or 3 of ( $c* )
 }
 
-import "pe"
-
 rule BINARYALERT_Malware_Macos_Macspy : FILE
 {
 meta:
 description = "macSpy is a malware-as-a-service (MaaS) product advertised as the most sophisticated Mac spyware ever"
 author = "AlienVault Labs"
- id = "5f9a5ed5-a982-552c-a6df-326228eaf459"
+ id = "0ec647b9-6a78-5cb8-ba29-a2571679ebfd"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_macspy.yara#L3-L17"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "6c03e4a9bcb9afaedb7451a33c214ae4"
- logic_hash = "f04648860c9602e43516113000908008847dacfbe189d79e13737bcd034b68a0"
+ logic_hash = "v1_sha256_f04648860c9602e43516113000908008847dacfbe189d79e13737bcd034b68a0"
 score = 75
 quality = 80
 tags = "FILE"
@@ -120604,20 +120837,20 @@ rule BINARYALERT_Malware_Macos_Macspy : FILE
 $c1 = { 76 31 09 00 76 32 09 00 76 33 09 00 69 31 09 00 69 32 09 00 69 33 09 00 69 34 09 00 66 31 09 00 66 32 09 00 66 33 09 00 66 34 09 00 74 63 3A 00 }
 condition:
- ($header0 at 0 or $header1 at 0 or $header2 at 0) and $c1
+ ($header0 at 0 or $header1 at 0 or $header2 at 0 ) and $c1
 }
 
 rule BINARYALERT_Malware_Macos_Marten4N6_Evilosx
 {
 meta:
 description = "EvilOSX is a pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX."
 author = "@mimeframe"
- id = "2b2e62ca-f95c-55c5-aaf6-985aab49dfbb"
+ id = "91459c8f-4829-54bb-adb5-9814e655ba09"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/Marten4n6/EvilOSX"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_marten4n6_evilosx.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "3402ebf34fd507d0c317416bf77bb3d51b67c8b0f099ce68d15ade6a6a2e302a"
+ logic_hash = "v1_sha256_3402ebf34fd507d0c317416bf77bb3d51b67c8b0f099ce68d15ade6a6a2e302a"
 score = 75
 quality = 80
 tags = ""
@@ -120630,20 +120863,20 @@ rule BINARYALERT_Malware_Macos_Marten4N6_Evilosx
 $a5 = "Starting EvilOSX..." wide ascii
 condition:
- 4 of ($a*)
+ 4 of ( $a* )
 }
 
 rule BINARYALERT_Malware_Multi_Vesche_Basicrat
 {
 meta:
 description = "cross-platform Python 2.x Remote Access Trojan (RAT)"
 author = "@mimeframe"
- id = "e07a684c-3a3d-5dd3-a540-2cc9a5a170dd"
+ id = "82792b2c-96c1-5216-a26f-3988ee8f7193"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/vesche/basicRAT"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/multi/malware_multi_vesche_basicrat.yara#L1-L15"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "1503ce9de4e721903058c77b305ba057052d654ff1875ea880f4319c3e525a29"
+ logic_hash = "v1_sha256_1503ce9de4e721903058c77b305ba057052d654ff1875ea880f4319c3e525a29"
 score = 75
 quality = 80
 tags = ""
@@ -120656,20 +120889,20 @@ rule BINARYALERT_Malware_Multi_Vesche_Basicrat
 $a5 = "Persistence unsuccessful," wide ascii
 condition:
- all of ($a*)
+ all of ( $a* )
 }
 
 rule BINARYALERT_Malware_Multi_Pupy_Rat
 {
 meta:
 description = "pupy - opensource cross platform rat and post-exploitation tool"
 author = "@mimeframe"
- id = "b26deb19-85b2-5d39-9ff2-0ab9017f3263"
+ id = "5878190c-36dd-5060-816b-c9316500b8e8"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/n1nj4sec/pupy"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/multi/malware_multi_pupy_rat.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "bb5d1e7f2aea94dc41efe75690ae31409e8f6305aa6c4ec0cd46922ee8fb7241"
+ logic_hash = "v1_sha256_bb5d1e7f2aea94dc41efe75690ae31409e8f6305aa6c4ec0cd46922ee8fb7241"
 score = 75
 quality = 74
 tags = ""
@@ -120683,21 +120916,21 @@ rule BINARYALERT_Malware_Multi_Pupy_Rat $a6 = "-PUPY_CONFIG_COMES_HERE-" wide ascii condition: - 3 of ($a*) + 3 of ( $a* ) } rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_1 { meta: description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts" author = "@fusionrace" - id = "6b5709fd-a923-56b6-98ab-ae036f9d04c3" + id = "3e59cac6-43ae-517d-b4d0-d9e85e31f7b3" date = "2017-09-12" modified = "2017-09-12" reference = "https://securelist.com/introducing-whitebear/81638/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_apt_whitebear_binary_loader_1.yara#L1-L22" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "b099b82acb860d9a9a571515024b35f0" - logic_hash = "f6706c66a378b80d3cedf118a812d8add60e12b44402a30d941d08ff30c7ab1c" + logic_hash = "v1_sha256_f6706c66a378b80d3cedf118a812d8add60e12b44402a30d941d08ff30c7ab1c" score = 75 quality = 80 tags = "" 
@@ -120715,21 +120948,21 @@ rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_1 $a10 = "### LOCAL TRANSPORT MANAGER ###" wide ascii condition: - 6 of ($a*) + 6 of ( $a* ) } rule BINARYALERT_Malware_Windows_Remcos_Rat { meta: description = "No description has been set in the source file - BinaryAlert" author = "@mimeframe" - id = "420c135f-3150-5cb9-9c1c-105cd260d713" + id = "d471a7f8-b7b3-531b-9ef2-5aeda6b9e875" date = "2017-08-11" modified = "2017-08-11" reference = "https://breaking-security.net/remcos/remcos-changelog/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_remcos_rat.yara#L1-L20" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "c8dafe143fe1d81ae6a3c0cd4724b272" - logic_hash = "ec1ec69f628111235bafad8177482256ed571c064a81f01b6ec2643dccc926ad" + logic_hash = "v1_sha256_ec1ec69f628111235bafad8177482256ed571c064a81f01b6ec2643dccc926ad" score = 75 quality = 80 tags = "" 
@@ -120746,20 +120979,20 @@ rule BINARYALERT_Malware_Windows_Remcos_Rat $c2 = "REMCOS v" wide ascii condition: - any of ($a*) or 3 of ($b*) or all of ($c*) + any of ( $a* ) or 3 of ( $b* ) or all of ( $c* ) } rule BINARYALERT_Ccleaner_Backdoor { meta: description = "Ccleaner 5.33 backdoor with a possible APT17/Group72 connection." author = "@fusionrace" - id = "769e4fcb-9638-5a5b-8b73-a1cda3bc286a" + id = "4a5ad694-0367-5957-857e-70456adaf6b5" date = "2017-12-14" modified = "2017-12-14" reference = "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_ccleaner_backdoor.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "ce3fc54d58e337ab17e6f1ba7745c593210483c02ed3969059a8fe6682d87218" + logic_hash = "v1_sha256_ce3fc54d58e337ab17e6f1ba7745c593210483c02ed3969059a8fe6682d87218" score = 75 quality = 80 tags = "" 
@@ -120774,21 +121007,19 @@ rule BINARYALERT_Ccleaner_Backdoor condition: $s1 } -import "pe" - rule BINARYALERT_Malware_Windows_Moonlightmaze_Wipe : FILE { meta: description = "Rule to detect log cleaner based on wipe.c" author = "Kaspersky Lab" - id = "35060c3d-b805-54a6-a241-eb6e99168fa8" + id = "cfa2cd74-bf28-508f-99ed-782e893802bc" date = "2017-08-11" modified = "2017-08-11" reference = "http://www.afn.org/~afn28925/wipe.c" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_wipe.yara#L3-L18" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "e69efc504934551c6a77b525d5343241" - logic_hash = "0241d1ca9f5a4d066f7ed2e80bc18ebae3723c6a2364422e31909e8f0e576675" + logic_hash = "v1_sha256_0241d1ca9f5a4d066f7ed2e80bc18ebae3723c6a2364422e31909e8f0e576675" score = 75 quality = 80 tags = "FILE" 
@@ -120800,20 +121031,20 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Wipe : FILE $a4 = "Alter lastlog entry : wipe l [username] [tty] [time] [host]" condition: - ( uint32(0)==0x464c457f) and (2 of them ) + ( uint32( 0 ) == 0x464c457f ) and ( 2 of them ) } rule BINARYALERT_Malware_Windows_Moonlightmaze_De_Tool { meta: description = "Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool" author = "Kaspersky Lab" - id = "8b943c21-eac7-521d-8dc6-90d611aa4d92" + id = "58ac43de-2205-5b5b-91a2-0982a87e2dbf" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_de_tool.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "836331856200fde9792d3bf97d3a18b7f4497ceaae1cfceb0de7c2949e315b9c" + logic_hash = "v1_sha256_836331856200fde9792d3bf97d3a18b7f4497ceaae1cfceb0de7c2949e315b9c" score = 75 quality = 80 tags = "" 
@@ -120826,22 +121057,20 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_De_Tool $a3 = {25 73 0A 25 73 0A 25 73 0A 25 73 0A} condition: - 2 of ($a*) + 2 of ( $a* ) } -import "pe" - rule BINARYALERT_Malware_Windows_Moonlightmaze_IRIX_Exploit_GEN : FILE { meta: description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers" author = "Kaspersky Lab" - id = "4f9ab7b0-4fb9-5311-ae23-01d0a9e2e104" + id = "84e347ea-ce69-5197-a4bd-456b839d0c8d" date = "2017-08-11" modified = "2017-08-11" reference = "https://www.exploit-db.com/exploits/19274/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_IRIX_exploit_GEN.yara#L3-L20" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "9d55d780c84f2aa4e64c19842b2055ef4bf7c8844ebe622c3942445b06ab8344" + logic_hash = "v1_sha256_9d55d780c84f2aa4e64c19842b2055ef4bf7c8844ebe622c3942445b06ab8344" score = 75 quality = 80 tags = "FILE" 
@@ -120856,21 +121085,21 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_IRIX_Exploit_GEN : FILE $a2 = "execl failed" condition: - ( uint32(0)==0x464c457f) and ( all of them ) + ( uint32( 0 ) == 0x464c457f ) and ( all of them ) } rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_2 { meta: description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts" author = "@fusionrace" - id = "d97b7fe1-7ff3-5cc0-9085-140ed523421f" + id = "9cd5a7d9-16aa-5969-a5b5-ee71fafb2d28" date = "2017-09-12" modified = "2017-09-12" reference = "https://securelist.com/introducing-whitebear/81638/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_apt_whitebear_binary_loader_2.yara#L1-L17" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "06bd89448a10aa5c2f4ca46b4709a879" - logic_hash = "9bb7fc3b3bf7f91efbba128895bb61b5a1bbdb6625d84836956de5e884ae3fe1" + logic_hash = "v1_sha256_9bb7fc3b3bf7f91efbba128895bb61b5a1bbdb6625d84836956de5e884ae3fe1" score = 75 quality = 80 tags = "" 
@@ -120883,21 +121112,21 @@ rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_2 $b5 = "CMessageProcessingSystem::Receive_TAKE_CAN_NOT_WORK" wide ascii condition: - 3 of ($b*) + 3 of ( $b* ) } rule BINARYALERT_Malware_Windows_Apt_Red_Leaves_Generic { meta: description = "Red Leaves malware, related to APT10" author = "David Cannings" - id = "e0067b05-eb4a-52ec-8f35-9336a631f03b" + id = "9db152ef-db42-5546-9c6c-7d69343beee0" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Source/Red%20Leaves%20technical%20note%20v1.0.md" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_apt_red_leaves_generic.yara#L1-L27" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "81df89d6fa0b26cadd4e50ef5350f341" - logic_hash = "be03bba9d01e6584b5849514656fd7de866c478f343c0bc618d7dbeda1771696" + logic_hash = "v1_sha256_be03bba9d01e6584b5849514656fd7de866c478f343c0bc618d7dbeda1771696" score = 75 quality = 80 tags = "" 
@@ -120920,20 +121149,20 @@ rule BINARYALERT_Malware_Windows_Apt_Red_Leaves_Generic $a15 = "__msgid" wide condition: - 7 of ($a*) + 7 of ( $a* ) } rule BINARYALERT_Malware_Windows_Moonlightmaze_Xk_Keylogger { meta: description = "Rule to detect Moonlight Maze 'xk' keylogger" author = "Kaspersky Lab" - id = "5623021d-0d70-59b3-ae30-522e81552da0" + id = "72b453e3-7dfa-5f6d-beae-a828ef1f8872" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_xk_keylogger.yara#L1-L22" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "430027b41aeda9a11dadec2e4d3dd2474852ff3a7656ed7128711a1574e66b8f" + logic_hash = "v1_sha256_430027b41aeda9a11dadec2e4d3dd2474852ff3a7656ed7128711a1574e66b8f" score = 75 quality = 30 tags = "" 
@@ -120953,20 +121182,20 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Xk_Keylogger $a12 = "mygid=-%d-" fullword condition: - 3 of ($a*) + 3 of ( $a* ) } rule BINARYALERT_Malware_Windows_Moonlightmaze_Encrypted_Keyloger { meta: description = "Rule to detect Moonlight Maze encrypted keylogger logs" author = "Kaspersky Lab" - id = "4f290d77-5cb5-5f07-98fd-1829e2f00e63" + id = "35232b40-ea5f-51ae-acc9-41bc4cedaf85" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_encrypted_keyloger.yara#L1-L11" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "cdcbe112ae394ce0922647904f70cfae626d413d1770b0e20d2ba49e1f4e2d2d" + logic_hash = "v1_sha256_cdcbe112ae394ce0922647904f70cfae626d413d1770b0e20d2ba49e1f4e2d2d" score = 75 quality = 80 tags = "" 
@@ -120975,20 +121204,20 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Encrypted_Keyloger $a1 = {47 01 22 2A 6D 3E 39 2C} condition: - ($a1 at 0) + ($a1 at 0 ) } rule BINARYALERT_Malware_Windows_Moonlightmaze_Custom_Sniffer { meta: description = "Rule to detect Moonlight Maze sniffer tools" author = "Kaspersky Lab" - id = "a9f005e0-8d73-58ff-b010-d3ce08ffdb64" + id = "5a120f8a-3845-52b7-a55d-404d5ec867dd" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_custom_sniffer.yara#L1-L20" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "466be027f567fe0afc88c82d94e4e0171b4b7d8f38d27a4c4a18cec4ca2b8b2f" + logic_hash = "v1_sha256_466be027f567fe0afc88c82d94e4e0171b4b7d8f38d27a4c4a18cec4ca2b8b2f" score = 75 quality = 80 tags = "" 
@@ -121004,20 +121233,20 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Custom_Sniffer $a6 = "mydevname= |%s|" fullword condition: - any of ($a*) + any of ( $a* ) } rule BINARYALERT_Malware_Windows_Moonlightmaze_Loki2Crypto { meta: description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */" author = "Costin Raiu, Kaspersky Lab" - id = "eb5fc283-4994-5db5-965d-e90caad95f4c" + id = "359943ab-dbc1-54b8-839a-7ea550bc1bf1" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_loki2crypto.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "abb2093844af1b854a9deed5baab3f4d67bd1189a4520f697aa69b7441d9488c" + logic_hash = "v1_sha256_abb2093844af1b854a9deed5baab3f4d67bd1189a4520f697aa69b7441d9488c" score = 75 quality = 80 tags = "" 
@@ -121038,14 +121267,14 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Cle_Tool meta: description = "Rule to detect Moonlight Maze 'cle' log cleaning tool" author = "Kaspersky Lab" - id = "d875a3cf-cad1-509f-bb9f-27f0a3a9b79d" + id = "a42b449d-e167-5805-88da-fc9bd102e52d" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_cle_tool.yara#L1-L17" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "647d7b711f7b4434145ea30d0ef207b0" - logic_hash = "8f75df1240b9e5e905492106265a7e1342db4140d715529933af4ba5c8ec6331" + logic_hash = "v1_sha256_8f75df1240b9e5e905492106265a7e1342db4140d715529933af4ba5c8ec6331" score = 75 quality = 80 tags = "" @@ -121059,20 +121288,20 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Cle_Tool $a6 = "No good line" condition: - 3 of ($a*) + 3 of ( $a* ) } rule BINARYALERT_Malware_Windows_Xrat_Quasarrat { meta: description = "xRAT is a derivative of QuasarRAT; this catches both RATs." author = "@mimeframe" - id = "f4db2402-3653-5525-a137-de2de29cef28" + id = "b876fe20-bf97-5383-a6ac-a3b8c72734b8" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/quasar/QuasarRAT" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_xrat_quasarrat.yara#L1-L31" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "92533157a62ccae5d1bdc9d0bb7511817422c6b5d75d013a15173cd1121d099e" + logic_hash = "v1_sha256_92533157a62ccae5d1bdc9d0bb7511817422c6b5d75d013a15173cd1121d099e" score = 75 quality = 30 tags = "" 
@@ -121098,22 +121327,20 @@ rule BINARYALERT_Malware_Windows_Xrat_Quasarrat $c6 = "Process already elevated." wide ascii condition: - 5 of ($a*) or 5 of ($b*) or 5 of ($c*) + 5 of ( $a* ) or 5 of ( $b* ) or 5 of ( $c* ) } -import "pe" - rule BINARYALERT_Malware_Windows_Moonlightmaze_U_Logcleaner : FILE { meta: description = "Rule to detect log cleaners based on utclean.c" author = "Kaspersky Lab" - id = "2dc1b796-c8fe-5a87-9d6b-3a322f4a43ab" + id = "34f7808d-ff4e-562b-b638-1351bc1338cc" date = "2017-08-11" modified = "2017-08-11" reference = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_u_logcleaner.yara#L3-L18" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "65fe29075294dfad06f4cca631d5d2f1283c439e9a5913f503fe6e4bb1f5f70a" + logic_hash = "v1_sha256_65fe29075294dfad06f4cca631d5d2f1283c439e9a5913f503fe6e4bb1f5f70a" score = 75 quality = 80 tags = "FILE" 
@@ -121126,21 +121353,21 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_U_Logcleaner : FILE $a3 = "ls -la %s* ; /bin/cp ./wtmp.tmp %s; rm ./wtmp.tmp" condition: - ( uint32(0)==0x464c457f) and ( any of them ) + ( uint32( 0 ) == 0x464c457f ) and ( any of them ) } rule BINARYALERT_Malware_Windows_Winnti_Loadperf_Dll_Loader { meta: description = "Winnti APT group; gzwrite64 imported from loadoerf.ini" author = "@mimeframe" - id = "41444dd5-41b9-550c-9124-bc7f41326baa" + id = "ec681aca-add9-5f00-a139-3f9df569061f" date = "2017-08-11" modified = "2017-08-11" reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_winnti_loadperf_dll_loader.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "879ce99e253e598a3c156258a9e81457" - logic_hash = "b1035174edfff2e142026f3482fc53407af59f5215a6030c0d2a85501152c3db" + logic_hash = "v1_sha256_b1035174edfff2e142026f3482fc53407af59f5215a6030c0d2a85501152c3db" score = 75 quality = 80 tags = "" 
@@ -121150,20 +121377,20 @@ rule BINARYALERT_Malware_Windows_Winnti_Loadperf_Dll_Loader $s2 = "gzwrite64" fullword ascii wide condition: - all of ($s*) + all of ( $s* ) } rule BINARYALERT_Malware_Windows_T3Ntman_Crunchrat { meta: description = "HTTPS-based Remote Administration Tool (RAT)" author = "@mimeframe" - id = "c5b0d183-8822-505a-a1ff-7d6f75a3f174" + id = "63011719-c97a-5503-b0cc-0cc0978184dd" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/t3ntman/CrunchRAT" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara#L1-L19" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "b5216b2b30d22f3d3848e1fb6e4245c558366fb8cd35b70f10fa4e605e211204" + logic_hash = "v1_sha256_b5216b2b30d22f3d3848e1fb6e4245c558366fb8cd35b70f10fa4e605e211204" score = 75 quality = 80 tags = "" 
@@ -121180,21 +121407,21 @@ rule BINARYALERT_Malware_Windows_T3Ntman_Crunchrat $a9 = "" wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_3 { meta: description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts" author = "@fusionrace" - id = "bdcc0c30-3aa7-5c92-8205-9b360d10ac59" + id = "4f47a9d1-63a4-5ee2-b516-f4c5c056deaf" date = "2017-09-12" modified = "2017-09-12" reference = "https://securelist.com/introducing-whitebear/81638/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_apt_whitebear_binary_loader_3.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "b099b82acb860d9a9a571515024b35f0" - logic_hash = "955aad2d72407baa7fb71e04b51557649a6f91633f5bdb1a8792e328a1587d23" + logic_hash = "v1_sha256_955aad2d72407baa7fb71e04b51557649a6f91633f5bdb1a8792e328a1587d23" score = 75 quality = 80 tags = "" 
@@ -121206,20 +121433,20 @@ rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_3 $c4 = "\\\\.\\pipe\\Winsock2\\CatalogChangeListener-%02x%02x-%01x" wide ascii condition: - all of ($c*) + all of ( $c* ) } rule BINARYALERT_Malware_Windows_Moonlightmaze_Loki { meta: description = "Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings" author = "Kaspersky Lab" - id = "06eeb6a4-540f-51eb-86f9-4ab49543f645" + id = "32bad2dd-3ea6-5548-b9cf-55cc22f27741" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_loki.yara#L1-L27" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "9a403695ded6ff3626820ba0d4abde7ccd6f3fa6bfd8aa4ceaf0cc009d34c97f" + logic_hash = "v1_sha256_9a403695ded6ff3626820ba0d4abde7ccd6f3fa6bfd8aa4ceaf0cc009d34c97f" score = 75 quality = 80 tags = "" 
@@ -121243,21 +121470,21 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Loki $a11 = "ork error" ascii fullword condition: - 2 of ($a*) + 2 of ( $a* ) } rule BINARYALERT_Malware_Windows_Pony_Stealer { meta: description = "Pony stealer malware" author = "@mimeframe" - id = "77af81cb-36c7-56a7-bd89-14d79628e5c4" + id = "f7fb074b-ad74-50b9-9c26-2e3892c3659c" date = "2017-08-11" modified = "2017-08-11" reference = "https://www.knowbe4.com/pony-stealer" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_pony_stealer.yara#L1-L21" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "5e52ce394c3be2a685dbb8f435e2f64f" - logic_hash = "4d4e28e0d4d97412a9129a4abfadc130a464a2ababf46ca8f366a2a30b262261" + logic_hash = "v1_sha256_4d4e28e0d4d97412a9129a4abfadc130a464a2ababf46ca8f366a2a30b262261" score = 75 quality = 50 tags = "" 
@@ -121275,21 +121502,21 @@ rule BINARYALERT_Malware_Windows_Pony_Stealer $a10 = "CuteFTP" nocase wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Ransomware_Windows_Petya_Variant_1 { meta: description = "Petya Ransomware new variant June 2017 using ETERNALBLUE" author = "@fusionrace" - id = "bf56c0e4-585c-509b-a182-a93c74be7524" + id = "ad4c8999-ddfa-5a61-96a7-662909932800" date = "2017-08-11" modified = "2017-08-11" reference = "https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara#L1-L18" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "71b6a493388e7d0b40c83ce903bc6b04" - logic_hash = "3733834ee2271a483739b09c4222d222aa4899cab48fd8fc558bdbd9a66bf2d6" + logic_hash = "v1_sha256_3733834ee2271a483739b09c4222d222aa4899cab48fd8fc558bdbd9a66bf2d6" score = 75 quality = 80 tags = "" 
@@ -121310,14 +121537,14 @@ rule BINARYALERT_Ransomware_Windows_Petya_Variant_3 meta: description = "Petya Ransomware new variant June 2017 using ETERNALBLUE" author = "@fusionrace" - id = "cbf06e62-abe8-54af-b4f4-624ba9233e4b" + id = "7904c9d7-8d39-52b7-9482-db5f305bf057" date = "2017-08-11" modified = "2017-08-11" reference = "https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "71b6a493388e7d0b40c83ce903bc6b04" - logic_hash = "4f21b394eb2dd0ebf416b018f438934fdc89cb896701d95b593477fc19abfe48" + logic_hash = "v1_sha256_4f21b394eb2dd0ebf416b018f438934fdc89cb896701d95b593477fc19abfe48" score = 75 quality = 80 tags = "" @@ -121334,14 +121561,14 @@ rule BINARYALERT_Ransomware_Windows_Cryptolocker meta: description = "The CryptoLocker malware propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts files stored on local and mounted network drives" author = "@fusionrace" - id = "be205f4b-d078-5437-bacc-203c816db2fa" + id = "0759d912-5c03-59ef-8699-701c659f0dba" date = "2017-08-11" modified = "2017-08-11" reference = "https://www.secureworks.com/research/cryptolocker-ransomware" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_cryptolocker.yara#L1-L21" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "012d9088558072bc3103ab5da39ddd54" - logic_hash = "317cbc01b4c329befeb5b25478f7827298a26d21b872ae232c519febd9c547fc" + logic_hash = "v1_sha256_317cbc01b4c329befeb5b25478f7827298a26d21b872ae232c519febd9c547fc" score = 75 quality = 80 tags = "" 
@@ -121366,14 +121593,14 @@ rule BINARYALERT_Ransomware_Windows_Petya_Variant_2 meta: description = "Petya Ransomware new variant June 2017 using ETERNALBLUE" author = "@fusionrace" - id = "6401fd7e-5ef7-58b5-b8d3-a63c70e8daa3" + id = "ffae8969-c899-5687-9bf7-6b0b89ac8cb8" date = "2017-08-11" modified = "2017-08-11" reference = "https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_petya_variant_2.yara#L1-L17" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "71b6a493388e7d0b40c83ce903bc6b04" - logic_hash = "7e04ffd0423cd1288af5c045bb06930abb732c0ea059e329cafc05faecb4f982" + logic_hash = "v1_sha256_7e04ffd0423cd1288af5c045bb06930abb732c0ea059e329cafc05faecb4f982" score = 75 quality = 78 tags = "" @@ -121393,14 +121620,14 @@ rule BINARYALERT_Ransomware_Windows_Zcrypt meta: description = "Zcrypt will encrypt data and append the .zcrypt extension to the filenames" author = "@fusionrace" - id = "d79cd266-4e77-562c-975c-8bf72efe7242" + id = "dca86d99-d23b-524b-957d-8113d016a0c5" date = "2017-08-11" modified = "2017-08-11" reference = "https://blog.malwarebytes.com/threat-analysis/2016/06/zcrypt-ransomware/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara#L1-L23" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "d1e75b274211a78d9c5d38c8ff2e1778" - logic_hash = "df4073363da162e69f29493b5bfb4cb3f3d342357335c13ba6a3ac868607cb25" + logic_hash = "v1_sha256_df4073363da162e69f29493b5bfb4cb3f3d342357335c13ba6a3ac868607cb25" score = 75 quality = 78 tags = "" 
@@ -121418,21 +121645,21 @@ rule BINARYALERT_Ransomware_Windows_Zcrypt $g6 = "How to decrypt files.html" fullword ascii wide condition: - any of ($u*) or all of ($g*) + any of ( $u* ) or all of ( $g* ) } rule BINARYALERT_Ransomware_Windows_Petya_Variant_Bitcoin { meta: description = "Petya Ransomware new variant June 2017 using ETERNALBLUE: Bitcoin" author = "@fusionrace" - id = "82d6ecc5-7c90-5d50-90ff-f54f8d87685d" + id = "b0ef902c-38e9-5ba8-a246-1c91e18bcf57" date = "2017-08-11" modified = "2017-08-11" reference = "https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "71b6a493388e7d0b40c83ce903bc6b04" - logic_hash = "9a5e183aa8e1387e76d5df4e967943b730ba780b6758af3ef23e21bb9e4ce3a6" + logic_hash = "v1_sha256_9a5e183aa8e1387e76d5df4e967943b730ba780b6758af3ef23e21bb9e4ce3a6" score = 75 quality = 80 tags = "" 
@@ -121443,20 +121670,18 @@ rule BINARYALERT_Ransomware_Windows_Petya_Variant_Bitcoin condition: $s1 } -import "pe" - rule BINARYALERT_Ransomware_Windows_Lazarus_Wannacry : FILE { meta: description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta" author = "Costin G. Raiu, Kaspersky Lab" - id = "6335bd03-0625-5856-891c-9a5decd7e00f" + id = "7edbb117-42c4-50d1-8b89-ac8c07d020ac" date = "2017-08-11" modified = "2017-08-11" reference = "https://twitter.com/neelmehta/status/864164081116225536" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_lazarus_wannacry.yara#L3-L32" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "dddff5f74bf3f11baf1d3853d6cb5e5b1e0c5e75445c421d4d5145f7a496fc4b" + logic_hash = "v1_sha256_dddff5f74bf3f11baf1d3853d6cb5e5b1e0c5e75445c421d4d5145f7a496fc4b" score = 75 quality = 80 tags = "FILE" 
@@ -121483,21 +121708,21 @@ rule BINARYALERT_Ransomware_Windows_Lazarus_Wannacry : FILE } condition: - (( uint16(0)==0x5A4D)) and all of them + (( uint16( 0 ) == 0x5A4D ) ) and all of them } rule BINARYALERT_Ransomware_Windows_Hddcryptora { meta: description = "The HDDCryptor ransomware encrypts local harddisks as well as resources in network shares via Server Message Block (SMB)" author = "@fusionrace" - id = "56d7f1f5-811d-58c9-9e1d-d2f48c01e167" + id = "0abf4448-48ae-573d-8d0a-1d7b9906af70" date = "2017-08-11" modified = "2017-08-11" reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_HDDCryptorA.yara#L1-L23" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "498bdcfb93d13fecaf92e96f77063abf" - logic_hash = "24c113be31c3df7b544a5789bf055f77471d450c07f0a6729a715e2a82b4d1f0" + logic_hash = "v1_sha256_24c113be31c3df7b544a5789bf055f77471d450c07f0a6729a715e2a82b4d1f0" score = 75 quality = 78 tags = "" 
@@ -121515,21 +121740,21 @@ rule BINARYALERT_Ransomware_Windows_Hddcryptora $g6 = "you can only use AES to encrypt the boot partition!" ascii wide condition: - 2 of ($u*) or 4 of ($g*) + 2 of ( $u* ) or 4 of ( $g* ) } rule BINARYALERT_Ransomware_Windows_Cerber_Evasion { meta: description = "Cerber Ransomware: Evades detection by machine learning applications" author = "@fusionrace" - id = "6e2f44a9-bc0f-5071-9d80-ddfb778cfe5d" + id = "3919c122-b9b0-524f-b0df-d6a19d2e6a6e" date = "2017-08-11" modified = "2017-08-11" reference = "http://www.darkreading.com/vulnerabilities---threats/cerber-ransomware-now-evades-machine-learning/d/d-id/1328506" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "bc62b557d48f3501c383f25d014f22df" - logic_hash = "43b3b8be5a23b57f6c671abd8491cdc51af1cf3a3fe8a7be308150697cdb92ea" + logic_hash = "v1_sha256_43b3b8be5a23b57f6c671abd8491cdc51af1cf3a3fe8a7be308150697cdb92ea" score = 75 quality = 80 tags = "" 
@@ -121547,14 +121772,14 @@ rule BINARYALERT_Ransomware_Windows_Hydracrypt meta: description = "HydraCrypt encrypts a victim’s files and appends the filenames with the extension “hydracrypt_ID_*" author = "@fusionrace" - id = "9ebf205e-b6a9-55a3-b0c3-9b088790dc9a" + id = "954d9dfd-4f29-5d16-b5d3-70918e2be564" date = "2017-08-11" modified = "2017-08-11" reference = "https://securingtomorrow.mcafee.com/mcafee-labs/hydracrypt-variant-of-ransomware-distributed-by-angler-exploit-kit/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "08b304d01220f9de63244b4666621bba" - logic_hash = "3ecb3e6c269f4145e60b0e7bb0e896120ceb2db2123f847bf4bdf5d4490467d5" + logic_hash = "v1_sha256_3ecb3e6c269f4145e60b0e7bb0e896120ceb2db2123f847bf4bdf5d4490467d5" score = 75 quality = 80 tags = "" @@ -121574,14 +121799,14 @@ rule BINARYALERT_Ransomware_Windows_Wannacry meta: description = "wannacry ransomware for windows" author = "@fusionrace" - id = "0269b6f4-a47d-5683-aaaa-2141ca7f04dc" + id = "b6cea810-af47-5616-9bcf-7cb7ca36519c" date = "2017-08-11" modified = "2017-08-11" reference = "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_wannacry.yara#L1-L23" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "4fef5e34143e646dbf9907c4374276f5" - logic_hash = "c01f460c0f5e39cde5f553c966553fe693e5203cb020b8f571eac6fc193fa91b" + logic_hash = "v1_sha256_c01f460c0f5e39cde5f553c966553fe693e5203cb020b8f571eac6fc193fa91b" score = 75 quality = 50 tags = "" 
@@ -121597,21 +121822,21 @@ rule BINARYALERT_Ransomware_Windows_Wannacry $b5 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" wide ascii condition: - all of ($a*) or any of ($b*) + all of ( $a* ) or any of ( $b* ) } rule BINARYALERT_Ransomware_Windows_Powerware_Locky { meta: description = "PowerWare Ransomware" author = "@fusionrace" - id = "8a1a56af-7a9d-54ed-90b9-daf33735ee1e" + id = "065b8f4e-2bed-5419-b8db-b84b11e9e0f5" date = "2017-08-11" modified = "2017-08-11" reference = "https://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara#L1-L17" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "3433a4da9d8794709630eb06afd2b8c1" - logic_hash = "64de34755f706a9fd4c876c473eed4f8922a4450c7ef135b0ab5e49c67363baf" + logic_hash = "v1_sha256_64de34755f706a9fd4c876c473eed4f8922a4450c7ef135b0ab5e49c67363baf" score = 75 quality = 78 tags = "" 
@@ -121629,13 +121854,13 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Mmetokendecrypt meta: description = "This program decrypts / extracts all authorization tokens on macOS / OS X / OSX." author = "@mimeframe" - id = "2dc01ff3-4c4a-548d-b2f0-b36897ad6a5c" + id = "8792bf45-9c92-53cf-a288-e38fe2a19642" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/manwhoami/MMeTokenDecrypt" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_manwhoami_mmetokendecrypt.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "ccfedfbff0c6eefe41e80fe488d4cae928a33e7b86019c6ec54d1c9005b35147" + logic_hash = "v1_sha256_ccfedfbff0c6eefe41e80fe488d4cae928a33e7b86019c6ec54d1c9005b35147" score = 75 quality = 80 tags = "" @@ -121648,20 +121873,20 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Mmetokendecrypt $a5 = "Successfully decrypted token plist!" wide ascii condition: - 3 of ($a*) + 3 of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Keylogger_Skreweverything_Swift { meta: description = "It is a simple and easy to use keylogger for macOS written in Swift." author = "@mimeframe" - id = "a4918bc3-d3f0-59f4-894f-fd34ee944fac" + id = "eed3b9bb-e8e4-53b6-8d17-8aa989d8a2fc" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/SkrewEverything/Swift-Keylogger" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_skreweverything_swift.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "f400b8ec392417e7443e82a2c2a9adfc868b9795aa1fb29f91d228f6f94efd13" + logic_hash = "v1_sha256_f400b8ec392417e7443e82a2c2a9adfc868b9795aa1fb29f91d228f6f94efd13" score = 75 quality = 80 tags = "" 
@@ -121674,20 +121899,20 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Skreweverything_Swift $a5 = "LEFTARROW" wide ascii condition: - 4 of ($a*) + 4 of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Keylogger_Logkext { meta: description = "LogKext is an open source keylogger for Mac OS X, a product of FSB software." author = "@mimeframe" - id = "2e4ad9d0-5780-5a28-a76d-baac401b0648" + id = "849cbd43-288b-55de-b031-09322e49784c" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/SlEePlEs5/logKext" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_logkext.yara#L1-L25" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "f0e3a7ea8ec4568c319e44f00d71fb368948b6fe08bdf86de4b33f0d2bafbb44" + logic_hash = "v1_sha256_f0e3a7ea8ec4568c319e44f00d71fb368948b6fe08bdf86de4b33f0d2bafbb44" score = 75 quality = 80 tags = "" 
@@ -121706,20 +121931,20 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Logkext $d3 = "Added notification for keyboard" wide ascii condition: - 3 of ($a*) or all of ($b*) or all of ($c*) or all of ($d*) + 3 of ( $a* ) or all of ( $b* ) or all of ( $c* ) or all of ( $d* ) } rule BINARYALERT_Hacktool_Macos_Keylogger_Eldeveloper_Keystats { meta: description = "A simple keylogger for macOS." author = "@mimeframe" - id = "7fddb502-ae2d-5e14-95f5-115498fa5926" + id = "468bf492-2fab-5658-9744-8967a52457e3" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/ElDeveloper/keystats" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_eldeveloper_keystats.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "c73f5ca2ba0a1bde7c1f9b96173938e40511e12f875c4d850d6d498c63e89385" + logic_hash = "v1_sha256_c73f5ca2ba0a1bde7c1f9b96173938e40511e12f875c4d850d6d498c63e89385" score = 75 quality = 80 tags = "" 
@@ -121730,20 +121955,20 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Eldeveloper_Keystats $a3 = "YVBKeyLoggerPerishedByUserChangeNotification" wide ascii condition: - 2 of ($a*) + 2 of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Keylogger_Roxlu_Ofxkeylogger { meta: description = "ofxKeylogger keylogger." author = "@mimeframe" - id = "c0e00b76-9623-5709-b64b-0afe006eba60" + id = "622d7da4-25da-56a4-9e60-a225c2eaf0a1" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/roxlu/ofxKeylogger" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_roxlu_ofxkeylogger.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "6e2579a10327cc8f1799848b3bcbcd95733a31098faeb849df6ebf99f1ffe808" + logic_hash = "v1_sha256_6e2579a10327cc8f1799848b3bcbcd95733a31098faeb849df6ebf99f1ffe808" score = 75 quality = 80 tags = "" 
@@ -121754,20 +121979,20 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Roxlu_Ofxkeylogger $a3 = "keylogger_set_callback" wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Exploit_Cve_5889 { meta: description = "No description has been set in the source file - BinaryAlert" author = "@mimeframe" - id = "ea70d31c-1b70-5927-ba8d-e13d2114e74e" + id = "fbc2c577-6954-51aa-a79f-974f856faf42" date = "2017-09-12" modified = "2017-09-12" reference = "https://www.exploit-db.com/exploits/38371/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_exploit_cve_2015_5889.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "b455759ea369cdcf2f05a2735a38000179ebe644667016cd635dfad9beda4459" + logic_hash = "v1_sha256_b455759ea369cdcf2f05a2735a38000179ebe644667016cd635dfad9beda4459" score = 75 quality = 80 tags = "" 
@@ -121781,20 +122006,20 @@ rule BINARYALERT_Hacktool_Macos_Exploit_Cve_5889 $a6 = "localhost" fullword wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Manwhoami_Osxchromedecrypt { meta: description = "Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X." author = "@mimeframe" - id = "874cc999-d9c2-5017-83ec-e4be8a659476" + id = "1cae37d5-2995-55f6-b821-d89334f11b9a" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/manwhoami/OSXChromeDecrypt" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_manwhoami_osxchromedecrypt.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "0974c6a5e7875e20380df0f58bf22a589b9a5c718e635ec77b42060abcf99473" + logic_hash = "v1_sha256_0974c6a5e7875e20380df0f58bf22a589b9a5c718e635ec77b42060abcf99473" score = 75 quality = 80 tags = "" 
@@ -121808,20 +122033,20 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Osxchromedecrypt $b2 = "select username_value, password_value, origin_url, submit_element from logins" wide ascii condition: - 3 of ($a*) or all of ($b*) + 3 of ( $a* ) or all of ( $b* ) } rule BINARYALERT_Hacktool_Macos_Ptoomey3_Keychain_Dumper { meta: description = "Keychain dumping utility." author = "@mimeframe" - id = "c45abbbe-f5fe-5a87-acd4-dcdb99ceec28" + id = "7be4b137-619d-5d19-ac31-5c0148a3a77a" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/ptoomey3/Keychain-Dumper" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_ptoomey3_keychain_dumper.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "f2ef979e4682ce617b37f7503ec2ca520e657b4f6d15a75afad59b62191a1a43" + logic_hash = "v1_sha256_f2ef979e4682ce617b37f7503ec2ca520e657b4f6d15a75afad59b62191a1a43" score = 75 quality = 80 tags = "" 
@@ -121834,20 +122059,20 @@ rule BINARYALERT_Hacktool_Macos_Ptoomey3_Keychain_Dumper $a5 = "dumpEntitlements" wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Keylogger_Caseyscarborough { meta: description = "A simple and easy to use keylogger for macOS." author = "@mimeframe" - id = "82d9ff7e-b475-5888-82e1-f65c286a9cde" + id = "191efd22-3f9e-57da-992f-3cc2ab6ecdfa" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/caseyscarborough/keylogger" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_caseyscarborough.yara#L1-L14" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "d97fbfefe027a26ec998743b811734e62423e8a5ba4e11d516dcfc9e4831d296" + logic_hash = "v1_sha256_d97fbfefe027a26ec998743b811734e62423e8a5ba4e11d516dcfc9e4831d296" score = 75 quality = 80 tags = "" 
@@ -121859,20 +122084,20 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Caseyscarborough $a4 = "ERROR: Unable to open log file. Ensure that you have the proper permissions." wide ascii condition: - 2 of ($a*) + 2 of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Manwhoami_Icloudcontacts { meta: description = "Pulls iCloud Contacts for an account. No dependencies. No user notification." author = "@mimeframe" - id = "b6595540-7f89-5764-b34e-d32c1a377b6c" + id = "7c1f218e-c790-50ce-9408-d20747abde2e" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/manwhoami/iCloudContacts" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_manwhoami_icloudcontacts.yara#L1-L14" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "0c5b81454b26de91f5ad126b24f10397e1da5d8561b0bf22c5df128753df0ac2" + logic_hash = "v1_sha256_0c5b81454b26de91f5ad126b24f10397e1da5d8561b0bf22c5df128753df0ac2" score = 75 quality = 80 tags = "" 
@@ -121884,20 +122109,20 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Icloudcontacts $a4 = "HTTP Error 404: URL not found. Did you enter a username?" wide ascii condition: - 3 of ($a*) + 3 of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Keylogger_Dannvix { meta: description = "A simple keylogger for macOS." author = "@mimeframe" - id = "598d6dbc-540d-5f96-8bd1-c15e6194012e" + id = "175e0f9f-fd57-5306-807f-911031d7537d" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/dannvix/keylogger-osx" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_dannvix.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "95d0540b1308caf3e7287c70a759954650220192800c0154d225bcb01ed55766" + logic_hash = "v1_sha256_95d0540b1308caf3e7287c70a759954650220192800c0154d225bcb01ed55766" score = 75 quality = 80 tags = "" @@ -121908,20 +122133,20 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Dannvix $a3 = "" wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Juuso_Keychaindump { meta: description = "For reading OS X keychain passwords as root." author = "@mimeframe" - id = "10ee6c24-db35-5178-9a40-92f5231948aa" + id = "196c6132-b538-5055-a4cb-e2d46723d06e" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/juuso/keychaindump" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_juuso_keychaindump.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "dd2fb6249fe4b7381e734ea3a308158159f7e79b39ba5c970241dcd66436d669" + logic_hash = "v1_sha256_dd2fb6249fe4b7381e734ea3a308158159f7e79b39ba5c970241dcd66436d669" score = 75 quality = 80 tags = "" 
@@ -121935,20 +122160,20 @@ rule BINARYALERT_Hacktool_Macos_Juuso_Keychaindump $a6 = "[-] No root privileges, please run with sudo" wide ascii condition: - 4 of ($a*) + 4 of ( $a* ) } rule BINARYALERT_Hacktool_Macos_N0Fate_Chainbreaker { meta: description = "chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner." author = "@mimeframe" - id = "565d31c6-8d80-534d-8acc-c01d7af4f8b3" + id = "6b04050d-006d-56c0-91b4-8dda1c1ff3fa" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/n0fate/chainbreaker" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_n0fate_chainbreaker.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "7aedf952756ed2375ff171329179f14a8cdc37ada69e1f003def1f1de5bc1691" + logic_hash = "v1_sha256_7aedf952756ed2375ff171329179f14a8cdc37ada69e1f003def1f1de5bc1691" score = 75 quality = 80 tags = "" 
@@ -121959,20 +122184,20 @@ rule BINARYALERT_Hacktool_Macos_N0Fate_Chainbreaker $a3 = "[-] Decrypted Private Key" wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Keylogger_B4Rsby_Swiftlog { meta: description = "Dirty user level command line keylogger hacked together in Swift." author = "@mimeframe" - id = "b1ae8284-04a0-5818-9997-0e31eb51ed2b" + id = "7f42e787-a723-5e20-99a3-54e1ffa6ccda" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/b4rsby/SwiftLog" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_b4rsby_swiftlog.yara#L1-L11" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "c66dcab2da0e543198f97ca104c13533c8950d10b6f7cbd3f906348d0f8c45ff" + logic_hash = "v1_sha256_c66dcab2da0e543198f97ca104c13533c8950d10b6f7cbd3f906348d0f8c45ff" score = 75 quality = 80 tags = "" 
@@ -121981,20 +122206,20 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_B4Rsby_Swiftlog $a1 = "You need to enable the keylogger in the System Prefrences" wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Exploit_Tpwn { meta: description = "tpwn exploits a null pointer dereference in XNU to escalate privileges to root." author = "@mimeframe" - id = "b69c4e1c-554e-5553-9b21-6cdf33aff24e" + id = "bfd4765a-2358-5de7-91e6-9c2e1b70780f" date = "2017-09-14" modified = "2017-09-14" reference = "https://www.rapid7.com/db/modules/exploit/osx/local/tpwn" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_exploit_tpwn.yara#L1-L14" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "f864d8c137746edd50526b1d3d95a7335f776cf1473d2d2ea28856dbc515dd9f" + logic_hash = "v1_sha256_f864d8c137746edd50526b1d3d95a7335f776cf1473d2d2ea28856dbc515dd9f" score = 75 quality = 80 tags = "" 
@@ -122006,20 +122231,20 @@ rule BINARYALERT_Hacktool_Macos_Exploit_Tpwn $a4 = "Escalating privileges! -qwertyoruiop" wide ascii condition: - 2 of ($a*) + 2 of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Keylogger_Giacomolaw { meta: description = "A simple keylogger for macOS." author = "@mimeframe" - id = "81fcf792-a0a9-5b97-a71c-4c517a7b910c" + id = "4a9e4fe6-5f28-5f42-9726-ced687055038" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/GiacomoLaw/Keylogger" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_giacomolaw.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "45ca583c07b8593ed716306ae6f80eef1c3fc5652aed739454fa8007fae929b4" + logic_hash = "v1_sha256_45ca583c07b8593ed716306ae6f80eef1c3fc5652aed739454fa8007fae929b4" score = 75 quality = 80 tags = "" 
@@ -122030,20 +122255,20 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Giacomolaw $a3 = "Keystrokes are now being recorded" wide ascii condition: - 2 of ($a*) + 2 of ( $a* ) } rule BINARYALERT_Hacktool_Macos_Macpmem { meta: description = "MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers." author = "@mimeframe" - id = "4890598e-936c-5a4d-9004-88ff4fe57c49" + id = "26ee217b-a3f3-5742-801e-cdc0684dfd99" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/google/rekall/tree/master/tools/osx/MacPmem" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_macpmem.yara#L3-L22" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "d64b5a5423932211e3b72d949028f3f0ed1f1435e9584cffa947f2bd4846c29b" + logic_hash = "v1_sha256_d64b5a5423932211e3b72d949028f3f0ed1f1435e9584cffa947f2bd4846c29b" score = 75 quality = 80 tags = "" 
@@ -122059,20 +122284,20 @@ rule BINARYALERT_Hacktool_Macos_Macpmem $b2 = "MacPmem load tag is" wide ascii condition: - BINARYALERT_Macho_PRIVATE and 2 of ($a*) or all of ($b*) + BINARYALERT_Macho_PRIVATE and 2 of ( $a* ) or all of ( $b* ) } rule BINARYALERT_Hacktool_Multi_Jtesta_Ssh_Mitm { meta: description = "intercepts ssh connections to capture credentials" author = "@fusionrace" - id = "fa8362e2-83d3-5830-8952-502684ad66f9" + id = "c44ca655-71f8-50d6-b0ec-9a85434d780f" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/jtesta/ssh-mitm" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_jtesta_ssh_mitm.yara#L1-L12" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "1d19c83f7d648a0d30074debcd76ff0faf72afa6722251661f8640abdc12a2a9" + logic_hash = "v1_sha256_1d19c83f7d648a0d30074debcd76ff0faf72afa6722251661f8640abdc12a2a9" score = 50 quality = 80 tags = "" 
@@ -122082,20 +122307,20 @@ rule BINARYALERT_Hacktool_Multi_Jtesta_Ssh_Mitm $a2 = "more sshbuf problems." wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Hacktool_Multi_Masscan { meta: description = "masscan is a performant port scanner, it produces results similar to nmap" author = "@mimeframe" - id = "adb2bb07-2a1a-5eb5-8049-b3f8e6cba48a" + id = "7eac2470-b3e3-530a-a123-594776eb1c77" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/robertdavidgraham/masscan" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_masscan.yara#L1-L17" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "b35e481f73b1c1722056157f8348e2e06bb109c094b948fc6be2d9a7df070a7f" + logic_hash = "v1_sha256_b35e481f73b1c1722056157f8348e2e06bb109c094b948fc6be2d9a7df070a7f" score = 75 quality = 80 tags = "" 
@@ -122110,20 +122335,20 @@ rule BINARYALERT_Hacktool_Multi_Masscan $b4 = "[hint] VMware on Macintosh doesn't support masscan" wide ascii condition: - all of ($a*) or any of ($b*) + all of ( $a* ) or any of ( $b* ) } rule BINARYALERT_Hacktool_Multi_Ncc_ABPTTS { meta: description = "Allows for TCP tunneling over HTTP" author = "@mimeframe" - id = "dd5f6316-9e51-5cc8-b293-dc33b09cc801" + id = "c1efad63-0b43-5314-8cbb-08b8b04a3365" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/nccgroup/ABPTTS" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_ncc_ABPTTS.yara#L1-L19" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "09874b1d997ac193ad1afa0226f6fb22836c8720c0599d773b18072b92a3acc4" + logic_hash = "v1_sha256_09874b1d997ac193ad1afa0226f6fb22836c8720c0599d773b18072b92a3acc4" score = 75 quality = 80 tags = "" @@ -122144,13 +122369,13 @@ rule BINARYALERT_Hacktool_Multi_Pyrasite_Py meta: description = "A tool for injecting arbitrary code into running Python processes." author = "@fusionrace" - id = "0acd0044-a41c-5e9e-bb94-301cd704cf9d" + id = "92cef916-5919-562f-ae5a-06a1e79a8197" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/lmacken/pyrasite" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_pyrasite_py.yara#L1-L24" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "7f3f3df5bd5c1bee2d85ff97878ad36223ab743926a5f8f1c079b039f724abc9" + logic_hash = "v1_sha256_7f3f3df5bd5c1bee2d85ff97878ad36223ab743926a5f8f1c079b039f724abc9" score = 75 quality = 80 tags = "" 
@@ -122179,13 +122404,13 @@ rule BINARYALERT_Hacktool_Multi_Bloodhound_Owned meta: description = "Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains" author = "@fusionrace" - id = "4d458339-6589-5094-8c23-1ad2baee19f1" + id = "cffa3b8a-cf55-531b-aa67-ca8a8841bdec" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/porterhau5/BloodHound-Owned/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_bloodhound_owned.yara#L1-L20" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "01ef15a3cd606c46dacb0f22477fe97f94e212a38af1cd5bdd7eb11efe8144dd" + logic_hash = "v1_sha256_01ef15a3cd606c46dacb0f22477fe97f94e212a38af1cd5bdd7eb11efe8144dd" score = 75 quality = 80 tags = "" @@ -122210,13 +122435,13 @@ rule BINARYALERT_Hacktool_Multi_Ntlmrelayx meta: description = "No description has been set in the source file - BinaryAlert" author = "@mimeframe" - id = "7e0bc28f-9cb7-5c09-aedc-d95af23454aa" + id = "e638e9d0-404d-5b48-910c-6b3cd0845b78" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/CoreSecurity/impacket/blob/master/examples/ntlmrelayx.py" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_ntlmrelayx.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "0d5d2d38866eb243e1803c456944e887d9d3920c54b15fd658bf90831fd87bfa" + logic_hash = "v1_sha256_0d5d2d38866eb243e1803c456944e887d9d3920c54b15fd658bf90831fd87bfa" score = 75 quality = 80 tags = "" 
@@ -122229,20 +122454,20 @@ rule BINARYALERT_Hacktool_Multi_Ntlmrelayx $a5 = "Domain info dumped into lootdir!" wide ascii condition: - any of ($a*) + any of ( $a* ) } rule BINARYALERT_Hacktool_Multi_Responder_Py { meta: description = "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server" author = "@fusionrace" - id = "82699a67-8ba1-5535-9183-3c857e60134c" + id = "dbe2f8e0-21fa-55f4-90e1-c6bc2b5403f2" date = "2017-08-11" modified = "2017-08-11" reference = "http://www.c0d3xpl0it.com/2017/02/compromising-domain-admin-in-internal-pentest.html" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_responder_py.yara#L1-L17" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "a99a806b7c578af1f2163583f957db13fa7269c7426666189d85bec2ac87ad4b" + logic_hash = "v1_sha256_a99a806b7c578af1f2163583f957db13fa7269c7426666189d85bec2ac87ad4b" score = 75 quality = 80 tags = "" @@ -122264,13 +122489,13 @@ rule BINARYALERT_Hacktool_Windows_Wmi_Implant meta: description = "A PowerShell based tool that is designed to act like a RAT" author = "@fusionrace" - id = "cd90ef31-6e15-5518-8278-98e99e379916" + id = "b32996b2-1706-5af5-ad81-f73d5899c70c" date = "2017-08-11" modified = "2017-08-11" reference = "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_wmi_implant.yara#L1-L21" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "8b02fd265b04b9675a99b9638fdd179c8a86ed3afd7506195f3d3dcb2417d74d" + logic_hash = "v1_sha256_8b02fd265b04b9675a99b9638fdd179c8a86ed3afd7506195f3d3dcb2417d74d" score = 75 quality = 80 tags = "" 
@@ -122296,13 +122521,13 @@ rule BINARYALERT_Hacktool_Windows_Mimikatz_Sekurlsa meta: description = "Mimikatz credential dump tool" author = "@fusionrace" - id = "08fe62c5-f7a4-5985-a298-1d3c2c1744d4" + id = "a7eb069a-1f6f-5e54-9f34-83aa65fa345e" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/gentilkiwi/mimikatz" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_mimikatz_sekurlsa.yara#L1-L18" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "24e958c3cbda8e01dc2d84b3059114ea23f4b38db1676f7b72e5eabfa52b7335" + logic_hash = "v1_sha256_24e958c3cbda8e01dc2d84b3059114ea23f4b38db1676f7b72e5eabfa52b7335" score = 75 quality = 80 tags = "" @@ -122325,13 +122550,13 @@ rule BINARYALERT_Hacktool_Windows_Rdp_Cmd_Delivery meta: description = "Delivers a text payload via RDP (rubber ducky)" author = "@fusionrace" - id = "8d035721-34ee-566f-8851-1c9501de2704" + id = "1b00805a-9ea5-5af8-95f8-fd0db0d6cc9f" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/nopernik/mytools/blob/master/rdp-cmd-delivery.sh" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_rdp_cmd_delivery.yara#L1-L14" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "98bc02bb651fba069828b5960ee47542828f0d530e5e280b15abb0573b8e0168" + logic_hash = "v1_sha256_98bc02bb651fba069828b5960ee47542828f0d530e5e280b15abb0573b8e0168" score = 75 quality = 80 tags = "" 
@@ -122350,13 +122575,13 @@ rule BINARYALERT_Hacktool_Windows_Cobaltstrike_Postexploitation : FILE meta: description = "Detection of strings in the post-exploitation modules of Cobalt Strike" author = "@javutin, @mimeframe" - id = "76c2a5ae-bc7c-50c7-8731-94c75912574f" + id = "fc50422a-6362-5604-a7ab-7a5f589a90eb" date = "2017-12-14" modified = "2017-12-14" reference = "https://www.cobaltstrike.com/support" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_cobaltstrike_postexploitation.yara#L1-L13" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "1a89128a0f5774d1333be440d38128e29cb36f9818fa44e60482ef078078aca8" + logic_hash = "v1_sha256_1a89128a0f5774d1333be440d38128e29cb36f9818fa44e60482ef078078aca8" score = 75 quality = 80 tags = "FILE" 
@@ -122365,20 +122590,20 @@ rule BINARYALERT_Hacktool_Windows_Cobaltstrike_Postexploitation : FILE $s1 = "\\devcenter\\aggressor\\external\\" condition: - filesize >10KB and filesize <1000KB and all of ($s*) + filesize > 10KB and filesize < 1000KB and all of ( $s* ) } rule BINARYALERT_Hacktool_Windows_Cobaltstrike_Powershell : FILE { meta: description = "Detection of the PowerShell payloads from Cobalt Strike" author = "@javutin, @joseselvi" - id = "155f181a-56cb-5295-a903-744f79012733" + id = "20f17dc5-1785-5199-88d8-b166e8ae6ea5" date = "2017-12-14" modified = "2017-12-14" reference = "https://www.cobaltstrike.com/help-payload-generator" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_cobaltstrike_powershell.yara#L1-L21" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "39dd0aaa84d02aae5766d764c3d371f03f9df33acf5f6ae4ab4a8c73dd827213" + logic_hash = "v1_sha256_39dd0aaa84d02aae5766d764c3d371f03f9df33acf5f6ae4ab4a8c73dd827213" score = 75 quality = 80 tags = "FILE" 
@@ -122394,20 +122619,20 @@ rule BINARYALERT_Hacktool_Windows_Cobaltstrike_Powershell : FILE $ps8 = "var_hthread" condition: - $ps1 at 0 and filesize <1000KB and all of ($ps*) + $ps1 at 0 and filesize < 1000KB and all of ( $ps* ) } rule BINARYALERT_Hacktool_Windows_Mimikatz_Errors { meta: description = "Mimikatz credential dump tool: Error messages" author = "@fusionrace" - id = "94d50739-fc84-5bfe-821d-5e2851f681e3" + id = "5b0c12f0-b182-5c24-bde5-2bb3bc2a5a8f" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/gentilkiwi/mimikatz" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_mimikatz_errors.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "60fb94b9465b19af3b2df1b26490d4ac19a31a39f2f8c52f1059d37843769b36" + logic_hash = "v1_sha256_60fb94b9465b19af3b2df1b26490d4ac19a31a39f2f8c52f1059d37843769b36" score = 75 quality = 80 tags = "" @@ -122428,13 +122653,13 @@ rule BINARYALERT_Hacktool_Windows_Mimikatz_Copywrite meta: description = "Mimikatz credential dump tool: Author copywrite" author = "@fusionrace" - id = "bf7a52b5-c0af-5805-a2da-41ae3842e0c6" + id = "6e7ce709-a546-5725-b7c9-4330f97118d0" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/gentilkiwi/mimikatz" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_mimikatz_copywrite.yara#L1-L24" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "f0e8a8b0c7398e7af06bd074eec0433265ba0e675bdbff354e59432c246b0b36" + logic_hash = "v1_sha256_f0e8a8b0c7398e7af06bd074eec0433265ba0e675bdbff354e59432c246b0b36" score = 75 quality = 80 tags = "" 
@@ -122463,13 +122688,13 @@ rule BINARYALERT_Hacktool_Windows_Hot_Potato meta: description = "No description has been set in the source file - BinaryAlert" author = "@mimeframe" - id = "dee13640-b4a9-5a39-af01-338c0197c995" + id = "68799fd0-0aac-5c4e-a76c-594d48a5765d" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/foxglovesec/Potato" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_hot_potato.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "1ccee61660b3478294a5a4e1ca2b16c91156f6c877d0f83848cccd18a3f753f7" + logic_hash = "v1_sha256_1ccee61660b3478294a5a4e1ca2b16c91156f6c877d0f83848cccd18a3f753f7" score = 75 quality = 80 tags = "" @@ -122482,20 +122707,20 @@ rule BINARYALERT_Hacktool_Windows_Hot_Potato $a5 = "Usage: potato.exe -ip" wide ascii condition: - any of ($a*) + any of ( $a* ) } rule BINARYALERT_Hacktool_Windows_Mimikatz_Files { meta: description = "Mimikatz credential dump tool: Files" author = "@fusionrace" - id = "ea4fd443-64dd-5466-8525-40c3a023e229" + id = "0a489eab-0cd3-53e3-a644-4ffb29a51a7b" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/gentilkiwi/mimikatz" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_mimikatz_files.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "50d23cda49ca559da2e504e53b46b58679ea8bc07c501ff7764a3d142598adc8" + logic_hash = "v1_sha256_50d23cda49ca559da2e504e53b46b58679ea8bc07c501ff7764a3d142598adc8" score = 75 quality = 80 tags = "" 
@@ -122515,13 +122740,13 @@ rule BINARYALERT_Hacktool_Windows_Moyix_Creddump meta: description = "creddump is a python tool to extract credentials and secrets from Windows registry hives." author = "@mimeframe" - id = "46df781a-abab-5593-99f9-1a6b993904cb" + id = "b3147c06-a1a5-53f2-b1f8-78d6474f9bbe" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/moyix/creddump" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_moyix_creddump.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "3f2f4c5069fcb3d3b1d293a471bcf9489f058f27cd385885ab2bb4f719a3bd9d" + logic_hash = "v1_sha256_3f2f4c5069fcb3d3b1d293a471bcf9489f058f27cd385885ab2bb4f719a3bd9d" score = 75 quality = 80 tags = "" @@ -122535,20 +122760,20 @@ rule BINARYALERT_Hacktool_Windows_Moyix_Creddump $a6 = "31d6cfe0d16ae931b73c59d7e0c089c0" wide ascii condition: - all of ($a*) + all of ( $a* ) } rule BINARYALERT_Hacktool_Windows_Ncc_Wmicmd { meta: description = "Command shell wrapper for WMI" author = "@mimeframe" - id = "18bc36f7-b97a-5bce-a68b-c349713e9468" + id = "16f616e2-120c-5067-b083-957f49cb0baa" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/nccgroup/WMIcmd" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_ncc_wmicmd.yara#L1-L18" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "bef6828a706dcfc3b573523fccd391a5ef3fa505235b1621a82527d64d32aaf0" + logic_hash = "v1_sha256_bef6828a706dcfc3b573523fccd391a5ef3fa505235b1621a82527d64d32aaf0" score = 75 quality = 80 tags = "" 
@@ -122564,13 +122789,13 @@ rule BINARYALERT_Hacktool_Windows_Ncc_Wmicmd $b3 = "cimv2" wide ascii condition: - any of ($a*) or all of ($b*) + any of ( $a* ) or all of ( $b* ) } /* * YARA Rule Set * Repository Name: DeadBits * Repository: https://github.com/deadbits/yara-rules/ - * Retrieval Date: 2024-12-08 + * Retrieval Date: 2024-12-15 * Git Commit: d002f7ecee23e09142a3ac3e79c84f71dda3f001 * Number of Rules: 19 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -122585,13 +122810,13 @@ rule DEADBITS_Dacls_Trojan_Windows : FILE meta: description = "No description has been set in the source file - DeadBits" author = "Adam Swanda" - id = "424b2c0d-2373-5a72-9a97-52b4bfc5cdcf" + id = "e5902d25-413b-545e-931c-bf3620894fc6" date = "2020-01-07" modified = "2020-01-07" reference = "https://github.com/deadbits/yara-rules" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/Dacls_Windows.yara#L1-L30" license_url = "N/A" - logic_hash = "b77df7e3be9c264d6a63d40dbf49c41e9dd55b4e570c063b5710b849c36cc166" + logic_hash = "v1_sha256_b77df7e3be9c264d6a63d40dbf49c41e9dd55b4e570c063b5710b849c36cc166" score = 75 quality = 80 tags = "FILE" 
@@ -122611,20 +122836,20 @@ rule DEADBITS_Dacls_Trojan_Windows : FILE $cls01 = "k_3872.cls" ascii fullword condition: - ( uint16(0)==0x5a4d) and (( all of ($cls*)) or ( all of ($fext*) and all of ($str*))) + ( uint16( 0 ) == 0x5a4d ) and ( ( all of ( $cls* ) ) or ( all of ( $fext* ) and all of ( $str* ) ) ) } rule DEADBITS_Dacls_Trojan_Linux { meta: description = "No description has been set in the source file - DeadBits" author = "Adam Swanda" - id = "bb83ba2b-70a3-5a0f-9588-d93b7f07f67f" + id = "e72e7759-5815-504f-84df-c0c0756f1ede" date = "2020-01-07" modified = "2020-01-07" reference = "https://github.com/deadbits/yara-rules" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/Dacls_Linux.yara#L1-L32" license_url = "N/A" - logic_hash = "752d7daf9178e4fa20f2ce781c6ff70f83758f01479696f0808e1588da9a3d78" + logic_hash = "v1_sha256_752d7daf9178e4fa20f2ce781c6ff70f83758f01479696f0808e1588da9a3d78" score = 75 quality = 80 tags = "" 
@@ -122644,20 +122869,20 @@ rule DEADBITS_Dacls_Trojan_Linux $str09 = "session_id" ascii fullword condition: - uint32be(0x0)==0x7f454c46 and (( all of ($cls*)) or ( all of ($str*))) + uint32be( 0x0 ) == 0x7f454c46 and ( ( all of ( $cls* ) ) or ( all of ( $str* ) ) ) } rule DEADBITS_Silenttrinity_Delivery_Document : FILE { meta: description = "No description has been set in the source file - DeadBits" author = "Adam Swanda" - id = "be8cf8b7-d7f8-587d-b7bd-ad10796cda7c" + id = "8230a28d-55b6-5947-a39d-a59c26f2eb41" date = "2019-07-19" modified = "2019-07-19" reference = "https://countercept.com/blog/hunting-for-silenttrinity/" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/SilentTrinity_Delivery.yara#L1-L30" license_url = "N/A" - logic_hash = "1efaa317dd250fa127b134ff8e6e6ac48d1056059256f790925d2315a6865033" + logic_hash = "v1_sha256_1efaa317dd250fa127b134ff8e6e6ac48d1056059256f790925d2315a6865033" score = 75 quality = 80 tags = "FILE" 
@@ -122679,20 +122904,20 @@ rule DEADBITS_Silenttrinity_Delivery_Document : FILE $s11 = "2. Da biste pogledali dokument, molimo kliknite \"OMOGU" fullword wide condition: - uint16(0)==0xcfd0 and filesize <200KB and (8 of ($s*) or all of them ) + uint16( 0 ) == 0xcfd0 and filesize < 200KB and ( 8 of ( $s* ) or all of them ) } rule DEADBITS_Godlua_Linux : LINUXMALWARE FILE { meta: description = "No description has been set in the source file - DeadBits" author = "Adam Swanda" - id = "1a05c88a-8199-5c6d-9352-9ef60df40078" + id = "614eeb4a-ff2b-552e-b711-d791ed80c75c" date = "2019-07-18" modified = "2019-07-22" reference = "https://github.com/deadbits/yara-rules" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/godlua_linux.yara#L1-L57" license_url = "N/A" - logic_hash = "70a8078f261648f050807e82009493e39fa32c0748576b3df76d8aaaa117103e" + logic_hash = "v1_sha256_70a8078f261648f050807e82009493e39fa32c0748576b3df76d8aaaa117103e" score = 75 quality = 51 tags = "LINUXMALWARE, FILE" 
@@ -122724,20 +122949,20 @@ rule DEADBITS_Godlua_Linux : LINUXMALWARE FILE $identifier3 = "God 5.1" condition: - uint16(0)==0x457f and ( all of them or ( any of ($identifier*) and $resolvers and any of ($tmp*) and 4 of ($str*)) or ( any of ($identifier*) and any of ($tmp*) and 4 of ($str*))) + uint16( 0 ) == 0x457f and ( all of them or ( any of ( $identifier* ) and $resolvers and any of ( $tmp* ) and 4 of ( $str* ) ) or ( any of ( $identifier* ) and any of ( $tmp* ) and 4 of ( $str* ) ) ) } rule DEADBITS_Jsworm : MALWARE FILE { meta: description = "No description has been set in the source file - DeadBits" author = "Adam Swanda" - id = "6d452d04-b475-5241-890c-68119a7a8691" + id = "35e88f6c-5193-5a2a-b28a-0bd054a5c8a9" date = "2019-09-06" modified = "2019-09-06" reference = "https://github.com/deadbits/yara-rules/" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/JSWorm.yara#L1-L38" license_url = "N/A" - logic_hash = "99074e25ec15c5b25fa41bef19203f5ddc227acd51fadca1e2c3ece538b3da01" + logic_hash = "v1_sha256_99074e25ec15c5b25fa41bef19203f5ddc227acd51fadca1e2c3ece538b3da01" score = 75 quality = 78 tags = "MALWARE, FILE" 
@@ -122760,20 +122985,20 @@ rule DEADBITS_Jsworm : MALWARE FILE $uniq03 = "(#fdso*4) + filesize < 5MB and ( $one at 0 ) and $fdso and #fref > ( #fdso * 4 ) } rule DELIVRTO_SUSP_CONCAT_ZIP_Nov24 : FILE { meta: description = "Zip archives concatenated together, based on the presence of more than one End of Central Directory record signature" author = "delivr.to" - id = "1b865dfb-380a-531d-97cf-c62a1a37f4a9" + id = "ebfb6d21-3d61-5d74-96f6-36135bd18904" date = "2024-11-13" modified = "2024-11-13" reference = "https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/" - source_url = "https://github.com/delivr-to/detections/blob/29cddf297f5eaff884b0e1c201bd9b7447022cf8/yara-rules/concatenated_zip.yar#L1-L15" + source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/concatenated_zip.yar#L1-L15" license_url = "N/A" - logic_hash = "7a102d677f06fb01b2a23ec61ec0844147f8789e9f2742928869f209e067805b" + logic_hash = "v1_sha256_7a102d677f06fb01b2a23ec61ec0844147f8789e9f2742928869f209e067805b" score = 40 quality = 80 tags = "FILE" 
@@ -123501,20 +123726,20 @@ rule DELIVRTO_SUSP_CONCAT_ZIP_Nov24 : FILE $eocd = { 50 4B 05 06 } condition: - $fh at 0 and #fh>1 and #eocd==#fh + $fh at 0 and #fh > 1 and #eocd == #fh } rule DELIVRTO_SUSP_Onenote_Win_Script_Encoding_Feb23 : FILE { meta: description = "Presence of Windows Script Encoding Header in a OneNote file with embedded files" author = "delivr.to" - id = "95cd5ce0-07b3-5503-ad6f-944206bd4fb6" + id = "7fa8e0ab-fab9-5ac9-9699-15e3b6b94ccb" date = "2023-02-19" modified = "2023-02-19" reference = "https://github.com/delivr-to/detections" - source_url = "https://github.com/delivr-to/detections/blob/29cddf297f5eaff884b0e1c201bd9b7447022cf8/yara-rules/onenote_windows_script_encoding_file.yar#L1-L22" + source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/onenote_windows_script_encoding_file.yar#L1-L22" license_url = "N/A" - logic_hash = "b7068f551b3665358f461a076c2d46c82db558d7fa4acb7d3c9c5c2afce31253" + logic_hash = "v1_sha256_b7068f551b3665358f461a076c2d46c82db558d7fa4acb7d3c9c5c2afce31253" score = 60 quality = 78 tags = "FILE" 
@@ -123525,20 +123750,20 @@ rule DELIVRTO_SUSP_Onenote_Win_Script_Encoding_Feb23 : FILE $wse = { 23 40 7E 5E } condition: - filesize <5MB and ($one at 0) and $fdso and $wse + filesize < 5MB and ( $one at 0 ) and $fdso and $wse } rule DELIVRTO_SUSP_ZPAQ_Archive_Nov23 : FILE { meta: description = "ZPAQ file archive with expected file and block headers" author = "delivr.to" - id = "28b6ffbe-be95-5ac8-ad3e-f9713a204d98" + id = "e5d69864-244b-5399-800c-a888a4cb4786" date = "2023-11-26" modified = "2023-11-27" reference = "https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq" - source_url = "https://github.com/delivr-to/detections/blob/29cddf297f5eaff884b0e1c201bd9b7447022cf8/yara-rules/zpaq_archives.yar#L1-L14" + source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/zpaq_archives.yar#L1-L14" license_url = "N/A" - logic_hash = "348144ee7137def00b37e074507e8148e51d34c484802a56bcd6e090d4628f18" + logic_hash = "v1_sha256_348144ee7137def00b37e074507e8148e51d34c484802a56bcd6e090d4628f18" score = 40 quality = 80 tags = "FILE" 
@@ -123555,13 +123780,13 @@ rule DELIVRTO_SUSP_PDF_MHT_Activemime_Sept23 : FILE meta: description = "Presence of MHT ActiveMime within PDF for polyglot file" author = "delivr.to" - id = "fbac1371-bad4-5751-a5c4-ce6c270fb83e" + id = "c8658db3-0794-5e83-bdfd-545da54e0485" date = "2023-09-04" modified = "2023-09-04" reference = "https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html" - source_url = "https://github.com/delivr-to/detections/blob/29cddf297f5eaff884b0e1c201bd9b7447022cf8/yara-rules/pdf_mht_activemime.yar#L1-L19" + source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/pdf_mht_activemime.yar#L1-L19" license_url = "N/A" - logic_hash = "af1450f649de6daec242f11e3b3c35305d3127fac4ef719a4ddb4edab3ae3651" + logic_hash = "v1_sha256_af1450f649de6daec242f11e3b3c35305d3127fac4ef719a4ddb4edab3ae3651" score = 70 quality = 78 tags = "FILE" 
@@ -123573,20 +123798,20 @@ rule DELIVRTO_SUSP_PDF_MHT_Activemime_Sept23 : FILE $act = "edit-time-data" ascii nocase condition: - uint32(0)==0x46445025 and all of ($mht*) and $act + uint32( 0 ) == 0x46445025 and all of ( $mht* ) and $act } rule DELIVRTO_SUSP_Msg_CVE_2023_23397_Mar23 : CVE_2023_23397 FILE { meta: description = "MSG file with a PidLidReminderFileParameter property, potentially exploiting CVE-2023-23397" author = "delivr.to" - id = "a0ede2d3-7789-5662-9575-5d0a5cf4457c" + id = "45950a93-eccb-5677-a6cf-5a5d9f617a4c" date = "2023-03-15" modified = "2023-03-15" reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" - source_url = "https://github.com/delivr-to/detections/blob/29cddf297f5eaff884b0e1c201bd9b7447022cf8/yara-rules/msg_cve_2023_23397.yar#L1-L20" + source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/msg_cve_2023_23397.yar#L1-L20" license_url = "N/A" - logic_hash = "0476cf7f93c4f6cc48c19933f31360b62fe5e339f6a2a31dee8ad95f83ce67d7" + logic_hash = "v1_sha256_0476cf7f93c4f6cc48c19933f31360b62fe5e339f6a2a31dee8ad95f83ce67d7" score = 60 quality = 80 tags = "CVE-2023-23397, FILE" 
@@ -123596,20 +123821,20 @@ rule DELIVRTO_SUSP_Msg_CVE_2023_23397_Mar23 : CVE_2023_23397 FILE $rfp = { 1F 85 00 00 } condition: - uint32be(0)==0xD0CF11E0 and uint32be(4)==0xA1B11AE1 and $app and $rfp + uint32be( 0 ) == 0xD0CF11E0 and uint32be( 4 ) == 0xA1B11AE1 and $app and $rfp } rule DELIVRTO_SUSP_Onenote_RTLO_Character_Feb23 : FILE { meta: description = "Presence of RTLO Unicode Character in a OneNote file with embedded files" author = "delivr.to" - id = "03d86391-1392-5734-af5f-8a2c7b99167a" + id = "1ff9f30e-73b0-52fb-a917-79205eb13b78" date = "2023-02-17" modified = "2023-02-17" reference = "https://github.com/delivr-to/detections" - source_url = "https://github.com/delivr-to/detections/blob/29cddf297f5eaff884b0e1c201bd9b7447022cf8/yara-rules/onenote_rtlo_filename.yar#L1-L22" + source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/onenote_rtlo_filename.yar#L1-L22" license_url = "N/A" - logic_hash = "286bc1ab1f5df0d64634f53cc82357187306c40b063b156f36b602e131262c7a" + logic_hash = "v1_sha256_286bc1ab1f5df0d64634f53cc82357187306c40b063b156f36b602e131262c7a" score = 60 quality = 55 tags = "FILE" 
@@ -123620,20 +123845,20 @@ rule DELIVRTO_SUSP_Onenote_RTLO_Character_Feb23 : FILE $rtlo = { 00 2E 20 } condition: - filesize <5MB and ($one at 0) and $fdso and $rtlo + filesize < 5MB and ( $one at 0 ) and $fdso and $rtlo } rule DELIVRTO_SUSP_HTML_WASM_Smuggling { meta: description = "Presence of Base64 JavaScript blob loading WASM" author = "delivr.to" - id = "fc83bb4f-ba8a-52d2-b9ce-632da5341f77" + id = "b107215f-9c15-5fbb-8b35-2e83b35478aa" date = "2024-02-28" modified = "2024-05-24" reference = "https://github.com/delivr-to/detections" - source_url = "https://github.com/delivr-to/detections/blob/29cddf297f5eaff884b0e1c201bd9b7447022cf8/yara-rules/html_wasm.yar#L1-L13" + source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/html_wasm.yar#L1-L13" license_url = "N/A" - logic_hash = "4bca88862c28db947c04c40e40fdecc682223d1eb90c98350fbd6c5d8c6c4636" + logic_hash = "v1_sha256_4bca88862c28db947c04c40e40fdecc682223d1eb90c98350fbd6c5d8c6c4636" score = 70 quality = 80 tags = "" @@ -123650,7 +123875,7 @@ rule DELIVRTO_SUSP_HTML_WASM_Smuggling * YARA Rule Set * Repository Name: ESET * Repository: https://github.com/eset/malware-ioc - * Retrieval Date: 2024-12-08 + * Retrieval Date: 2024-12-15 * Git Commit: 9431ee8ccf63b1c014bfaa5f1a28dc747772d28d * Number of Rules: 103 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance) 
@@ -123688,13 +123913,13 @@ private rule ESET_Is_Elf_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "6389dc72-ac97-5366-83f2-2e9bcf618ae4" + id = "e8bc6a11-8980-537a-aebd-226ddc9c3c6a" date = "2016-11-01" modified = "2016-11-01" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/moose/linux-moose.yar#L32-L39" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "2a3c9a875852cd3ce86d43b9e4a6ba786ecbae1f18bba73a3bef5b7e8ba67a3b" + logic_hash = "v1_sha256_2a3c9a875852cd3ce86d43b9e4a6ba786ecbae1f18bba73a3bef5b7e8ba67a3b" score = 75 quality = 80 tags = "" @@ -123712,19 +123937,19 @@ private rule ESET_Not_Ms_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "7edb96a1-a63a-580e-ac26-66fa14ae97d1" + id = "25ebdce5-44fd-59c4-81c9-fee8c60f3865" date = "2018-09-05" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L34-L40" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "71f492eaa80bee5e8cc5bec67b2a7fd6f5f71ee2594d9f531043747533c80443" + logic_hash = "v1_sha256_71f492eaa80bee5e8cc5bec67b2a7fd6f5f71ee2594d9f531043747533c80443" score = 75 quality = 80 tags = "" condition: - not for any i in (0..pe.number_of_signatures-1) : (pe.signatures[i].issuer contains "Microsoft Corporation") + not for any i in ( 0 .. pe.number_of_signatures - 1 ) : ( pe.signatures [ i ] . issuer contains "Microsoft Corporation" ) } import "elf" 
@@ -123733,14 +123958,14 @@ private rule ESET_Apachemodule_PRIVATE meta: description = "Apache 2.4 module ELF shared library" author = "ESET, spol. s r.o." - id = "2082e50e-1726-5540-a962-e0aeca1ebaaf" + id = "3aa2dbc7-f11a-5ad2-a75d-1eaf8735e8b7" date = "2024-04-27" modified = "2024-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/helimod.yar#L3-L30" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "e39667aa137e315bc26eaef791ccab52938fd809" - logic_hash = "213fe381aa0bf9f148e488f7af74ac63073776c2868e42d2dcca7fdbca55fabb" + logic_hash = "v1_sha256_213fe381aa0bf9f148e488f7af74ac63073776c2868e42d2dcca7fdbca55fabb" score = 75 quality = 80 tags = "" 
@@ -123751,22 +123976,20 @@ private rule ESET_Apachemodule_PRIVATE $magic = "42PA" condition: - for any s in elf.dynsym : (s.type==elf.STT_OBJECT and for any seg in elf.segments : (seg.type==elf.PT_LOAD and s.value>=seg.virtual_address and s.value<(seg.virtual_address+seg.file_size) and $magic at (s.value-seg.virtual_address+seg.offset)+0x28)) + for any s in elf.dynsym : ( s.type == elf.STT_OBJECT and for any seg in elf.segments : ( seg.type == elf.PT_LOAD and s.value >= seg.virtual_address and s.value < ( seg.virtual_address + seg.file_size ) and $magic at ( s.value - seg.virtual_address + seg.offset ) + 0x28 ) ) } -import "pe" - private rule ESET_Invisimole_Blob_PRIVATE { meta: description = "Detects InvisiMole blobs by magic values" author = "ESET Research" - id = "6a179d91-50f1-5400-b141-0f162efd2431" + id = "374dcca3-edb2-5644-b4a0-c02b85f594f5" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L34-L52" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "8bddaf874da58fbe6362498f8979b511f39531fe2b98d4be8c099bdafb6d0067" + logic_hash = "v1_sha256_8bddaf874da58fbe6362498f8979b511f39531fe2b98d4be8c099bdafb6d0067" score = 75 quality = 80 tags = "" @@ -123780,7 +124003,7 @@ private rule ESET_Invisimole_Blob_PRIVATE $magic_new_64 = {64 DA 11 CE} condition: - ($magic_old_32 at 0) or ($magic_old_64 at 0) or ($magic_new_32 at 0) or ($magic_new_64 at 0) + ($magic_old_32 at 0 ) or ( $magic_old_64 at 0 ) or ( $magic_new_32 at 0 ) or ( $magic_new_64 at 0 ) } import "pe" 
@@ -123789,13 +124012,13 @@ private rule ESET_IIS_Native_Module_PRIVATE : FILE meta: description = "Signature to match an IIS native module (clean or malicious)" author = "ESET Research" - id = "e3bacdc8-fde1-5e83-ac94-79fc345e888d" + id = "6e9c8ceb-773e-5168-8f22-e3040fa64eb1" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L34-L92" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "5a388dc3253df606e2648d1f9c018e6dde373bbddce66dba69b7aecdd95bac18" + logic_hash = "v1_sha256_5a388dc3253df606e2648d1f9c018e6dde373bbddce66dba69b7aecdd95bac18" score = 75 quality = 55 tags = "FILE" @@ -123849,20 +124072,20 @@ private rule ESET_IIS_Native_Module_PRIVATE : FILE $e44 = "CGlobalModule::OnGlobalApplicationPreload" condition: - uint16(0)==0x5A4D and pe.exports("RegisterModule") and any of ($e*) + uint16( 0 ) == 0x5A4D and pe.exports ( "RegisterModule" ) and any of ( $e* ) } private rule ESET_Prikormkaearlyversion_PRIVATE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "f10e6477-c4bb-50be-8827-66de35a9aea8" + id = "b21cb5b7-7b20-5c0b-973e-d777bb996595" date = "2019-08-28" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/groundbait/prikormka.yar#L112-L128" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "681c7fb322953da162c10b76e453aa8ace6673720012383e3cd5528b59b42de3" + logic_hash = "v1_sha256_681c7fb322953da162c10b76e453aa8ace6673720012383e3cd5528b59b42de3" score = 75 quality = 28 tags = "" 
@@ -123880,20 +124103,20 @@ private rule ESET_Prikormkaearlyversion_PRIVATE $str08 = "KDLLRUNDRV" wide fullword condition: - ($mz at 0) and (2 of ($str*)) + ($mz at 0 ) and ( 2 of ( $str* ) ) } private rule ESET_Prikormkamodule_PRIVATE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "f99ed5f7-9ccc-5543-9224-6f865578f81e" + id = "88d245a7-6d1d-5bc7-8b1f-0e870a10249f" date = "2019-08-28" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/groundbait/prikormka.yar#L53-L110" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "d5d7f1a46cbf9ff545c0fa840228d19ee7d45307078b4ae0b5a2fdf1c94d2978" + logic_hash = "v1_sha256_d5d7f1a46cbf9ff545c0fa840228d19ee7d45307078b4ae0b5a2fdf1c94d2978" score = 75 quality = 26 tags = "" @@ -123936,20 +124159,20 @@ private rule ESET_Prikormkamodule_PRIVATE $str33 = "\\TOOLS PZZ\\Bezzahod\\" ascii condition: - ($mz at 0) and ( any of ($str*)) + ($mz at 0 ) and ( any of ( $str* ) ) } private rule ESET_Prikormkadropper_PRIVATE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "d333693d-5386-5c34-a1c1-7a17e5bde849" + id = "2fe8d1ac-a012-5cad-9463-15ad1a4f7fa5" date = "2019-08-28" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/groundbait/prikormka.yar#L33-L51" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "cf524cdf4ffeb5c9280c5c8e7fca524c41e1ce4f9bc46b1fc8cb8b50ea68ec39" + logic_hash = "v1_sha256_cf524cdf4ffeb5c9280c5c8e7fca524c41e1ce4f9bc46b1fc8cb8b50ea68ec39" score = 75 quality = 28 tags = "" 
@@ -123967,20 +124190,20 @@ private rule ESET_Prikormkadropper_PRIVATE $inj01 = "?AVCinj2008App@@" ascii condition: - ($mz at 0) and (( any of ($bin*)) or (3 of ($kd*)) or ( all of ($inj*))) + ($mz at 0 ) and ( ( any of ( $bin* ) ) or ( 3 of ( $kd* ) ) or ( all of ( $inj* ) ) ) } private rule ESET_Potaosecondstage_PRIVATE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "c1baace9-f481-533a-aa85-df5ba14069f2" + id = "03c22650-8a38-572b-bfbf-7227b4cfd073" date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L81-L95" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "55f9fc2da09aa9c2e76725985c836f7b8ba5e0b69a9327fb911e8265b340b88c" + logic_hash = "v1_sha256_55f9fc2da09aa9c2e76725985c836f7b8ba5e0b69a9327fb911e8265b340b88c" score = 75 quality = 28 tags = "" 
@@ -123994,20 +124217,20 @@ private rule ESET_Potaosecondstage_PRIVATE $str2 = "%.5llx" condition: - ($mz at 0) and any of ($binary*) and any of ($str*) + ($mz at 0 ) and any of ( $binary* ) and any of ( $str* ) } private rule ESET_Potaousb_PRIVATE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "98fd84cb-d8e8-5aed-a1ac-f1099be5a5db" + id = "59c7bea2-d82b-50d8-b5e9-2f25b3cd6f34" date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L71-L80" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "8f72afbf3b123ea3914b3eade267bd21f7435fbf9fbde4049ca2600513bb31d9" + logic_hash = "v1_sha256_8f72afbf3b123ea3914b3eade267bd21f7435fbf9fbde4049ca2600513bb31d9" score = 75 quality = 28 tags = "" 
@@ -124018,20 +124241,20 @@ private rule ESET_Potaousb_PRIVATE $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3} condition: - ($mz at 0) and any of ($binary*) + ($mz at 0 ) and any of ( $binary* ) } private rule ESET_Potaodll_PRIVATE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "a53ff170-ed3a-5ee9-a262-bb2f77aba092" + id = "4cc637ae-e1b9-50ad-9742-15cd39c290ba" date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L46-L70" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "1d1154eb10cc70b3252e3ca4a85789e8605f2f3b7044f03ec960fd56ab81886a" + logic_hash = "v1_sha256_1d1154eb10cc70b3252e3ca4a85789e8605f2f3b7044f03ec960fd56ab81886a" score = 75 quality = 28 tags = "" 
@@ -124056,20 +124279,20 @@ private rule ESET_Potaodll_PRIVATE $dllname10 = "FilePathStealer.dll" condition: - ($mz at 0) and ( any of ($dllstr*) and any of ($dllname*)) + ($mz at 0 ) and ( any of ( $dllstr* ) and any of ( $dllname* ) ) } private rule ESET_Potaodecoy_PRIVATE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "215f1821-f70d-547e-b261-335dc1300bf2" + id = "54ddf4bb-172d-5dac-8c22-05648e18bef0" date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L32-L45" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "93cbe1d1545d1fb85b3218b68619e67a1dda80d5888d2685a04915b861dfce01" + logic_hash = "v1_sha256_93cbe1d1545d1fb85b3218b68619e67a1dda80d5888d2685a04915b861dfce01" score = 75 quality = 28 tags = "" 
@@ -124084,20 +124307,20 @@ private rule ESET_Potaodecoy_PRIVATE $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00} condition: - ($mz at 0) and (( all of ($str*)) or any of ($old_ver*) or $wiki_str) + ($mz at 0 ) and ( ( all of ( $str* ) ) or any of ( $old_ver* ) or $wiki_str ) } rule ESET_Potao { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "9c755cb8-9e3f-5118-a8e0-4ded9a075cbd" + id = "09759e4a-0d53-5b67-9158-8a1a59d9cd8d" date = "2015-07-29" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L96-L108" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "c68addb14f7c22cec0c4d58bfffd373b2e3eb5c53a5b65532c84574e073fcbba" + logic_hash = "v1_sha256_c68addb14f7c22cec0c4d58bfffd373b2e3eb5c53a5b65532c84574e073fcbba" score = 75 quality = 80 tags = "" @@ -124114,13 +124337,13 @@ rule ESET_Dino meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "77d0a039-f60c-59ea-bad6-5b4b630007bb" + id = "41fc9dd7-0580-538f-a6eb-a3b8815dfb6c" date = "2015-07-14" modified = "2015-08-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/animalfarm/animalfarm.yar#L73-L96" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "898e527eb8b05050135dee7cbe974100710a1a3a6a5cb8eb03563ee1c0aca01f" + logic_hash = "v1_sha256_898e527eb8b05050135dee7cbe974100710a1a3a6a5cb8eb03563ee1c0aca01f" score = 75 quality = 80 tags = "" 
@@ -124149,7 +124372,7 @@ rule ESET_Richheaders_Lazarus_Nukesped_Iconicpayloads_3CX_Q12023 meta: description = "Rich Headers-based rule covering the IconicLoader and IconicStealer from the 3CX supply chain incident, and also payloads from the cryptocurrency campaigns from 2022-12" author = "ESET Research" - id = "5c815d14-8a3e-5c6a-9dc3-988e0f31c094" + id = "df0ed9b0-243b-5966-9771-6b8acc4c2a18" date = "2023-03-31" modified = "2023-04-19" reference = "https://github.com/eset/malware-ioc" 
@@ -124159,26 +124382,26 @@ rule ESET_Richheaders_Lazarus_Nukesped_Iconicpayloads_3CX_Q12023 hash = "cad1120d91b812acafef7175f949dd1b09c6c21a" hash = "5b03294b72c0caa5fb20e7817002c600645eb475" hash = "7491bd61ed15298ce5ee5ffd01c8c82a2cdb40ec" - logic_hash = "f11a1db798bfcc534982bdf6afaae154b095b6a1e0896e75e2791c01e51a1c16" + logic_hash = "v1_sha256_f11a1db798bfcc534982bdf6afaae154b095b6a1e0896e75e2791c01e51a1c16" score = 75 quality = 80 tags = "" condition: - pe.rich_signature.toolid(259,30818)==9 and pe.rich_signature.toolid(256,31329)==1 and pe.rich_signature.toolid(261,30818)>=30 and pe.rich_signature.toolid(261,30818)<=38 and pe.rich_signature.toolid(261,29395)>=134 and pe.rich_signature.toolid(261,29395)<=164 and pe.rich_signature.toolid(257,29395)>=6 and pe.rich_signature.toolid(257,29395)<=14 + pe.rich_signature.toolid( 259 , 30818 ) == 9 and pe.rich_signature.toolid ( 256 , 31329 ) == 1 and pe.rich_signature.toolid ( 261 , 30818 ) >= 30 and pe.rich_signature.toolid ( 261 , 30818 ) <= 38 and pe.rich_signature.toolid ( 261 , 29395 ) >= 134 and pe.rich_signature.toolid ( 261 , 29395 ) <= 164 and pe.rich_signature.toolid ( 257 , 29395 ) >= 6 and pe.rich_signature.toolid ( 257 , 29395 ) <= 14 } rule ESET_Prikormka { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "6073aa34-d385-5ae8-b97d-9b3d61015aae" + id = "02aab8fa-f296-59f2-a7b2-1177486dc9ae" date = "2016-05-10" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/groundbait/prikormka.yar#L130-L141" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "f64195e680fbaefedba248aa15b37ed30ba72f42958cc48963a140165e951bff" + logic_hash = "v1_sha256_f64195e680fbaefedba248aa15b37ed30ba72f42958cc48963a140165e951bff" score = 75 quality = 80 tags = "" 
@@ -124195,14 +124418,14 @@ rule ESET_Cw_Windows_Redline_Panel_Tab_Headers : FILE meta: description = "Matches view headers in Redline Panel" author = "ESET Research" - id = "44a95845-b0a3-59c1-8188-86d415eff0bf" + id = "00b7e7d1-67fd-508d-af9f-40b646a98840" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L32-L55" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "3198aa9df2814a5f1d5568c6eed5f3189b2f72b3928cc97645f9bf57eebab9ac" + logic_hash = "v1_sha256_3198aa9df2814a5f1d5568c6eed5f3189b2f72b3928cc97645f9bf57eebab9ac" score = 75 quality = 80 tags = "FILE" @@ -124220,21 +124443,21 @@ rule ESET_Cw_Windows_Redline_Panel_Tab_Headers : FILE $ = "RedLine | System Info Viewer" condition: - uint16(0)==0x5A4D and 6 of them + uint16( 0 ) == 0x5A4D and 6 of them } rule ESET_Cw_Windows_Redline_Panel_Distinctive_Strings : FILE { meta: description = "Matches rare strings found in Redline panel" author = "ESET Research" - id = "d40ccb6b-e777-5c05-b97c-ead910047649" + id = "8d60b07a-c5da-5d78-aa0c-79da103e21d4" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L57-L77" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "7ff0239426c4c3b46a269fad71232295c038c09f276cdc3c7f1142c830260a6d" + logic_hash = "v1_sha256_7ff0239426c4c3b46a269fad71232295c038c09f276cdc3c7f1142c830260a6d" score = 75 quality = 80 tags = "FILE" 
@@ -124248,21 +124471,21 @@ rule ESET_Cw_Windows_Redline_Panel_Distinctive_Strings : FILE $telegram1 = "https://t.me/REDLINESUPPORT" condition: - uint16(0)==0x5A4D and any of them + uint16( 0 ) == 0x5A4D and any of them } rule ESET_Cw_Windows_Redline_Panel_Prompts : FILE { meta: description = "Matches prompt messages in Redline panel" author = "ESET Research" - id = "3481586b-ed4b-5a27-82a0-0bbb3eea279e" + id = "20f9268e-92c3-5f6d-ad2e-8211f8e96a22" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L79-L113" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "0dfab05a9383ba13b3c610f1ab0c81e95804470002f27171ab39706f7723983a" + logic_hash = "v1_sha256_0dfab05a9383ba13b3c610f1ab0c81e95804470002f27171ab39706f7723983a" score = 75 quality = 80 tags = "FILE" 
@@ -124291,21 +124514,21 @@ rule ESET_Cw_Windows_Redline_Panel_Prompts : FILE $ = "Disconnected. Reboot your panel" condition: - uint16(0)==0x5A4D and 10 of them + uint16( 0 ) == 0x5A4D and 10 of them } rule ESET_Cw_Windows_Redline_Panel_Status_Message_Strings : FILE { meta: description = "Matches error/success messages in Redline panel" author = "ESET Research" - id = "70bdff10-9c86-57e3-b839-e86173a44855" + id = "47fe03ed-7290-5797-aeca-4e03f5c90bdc" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L115-L142" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "c60fabc81967b083be72ff564af744ab60441de5d563ea6d88d873c0a99bfbdd" + logic_hash = "v1_sha256_c60fabc81967b083be72ff564af744ab60441de5d563ea6d88d873c0a99bfbdd" score = 75 quality = 80 tags = "FILE" 
@@ -124327,21 +124550,21 @@ rule ESET_Cw_Windows_Redline_Panel_Status_Message_Strings : FILE $ = "Files not found" condition: - uint16(0)==0x5A4D and 8 of them + uint16( 0 ) == 0x5A4D and 8 of them } rule ESET_Cw_Windows_Redline_Panel_Commands : FILE { meta: description = "Matches commands and functionalities in Redline panel" author = "ESET Research" - id = "b479dc47-53a0-5ead-a4c3-bcdfcaf82ef8" + id = "d4c8fb0f-f3c6-5001-8bb4-929a6350200d" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L144-L172" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "724516101264aa89259e847e4703d4eb993f330f82bd2df2433176b11d0c8974" + logic_hash = "v1_sha256_724516101264aa89259e847e4703d4eb993f330f82bd2df2433176b11d0c8974" score = 75 quality = 55 tags = "FILE" @@ -124364,7 +124587,7 @@ rule ESET_Cw_Windows_Redline_Panel_Commands : FILE $action7 = "antiDuplicate" condition: - uint16(0)==0x5A4D and all of ($cmd*) and 4 of ($action*) + uint16( 0 ) == 0x5A4D and all of ( $cmd* ) and 4 of ( $action* ) } import "pe" 
@@ -124373,13 +124596,13 @@ rule ESET_Beds_Plugin meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "7c038e92-1064-503e-9d63-2d2c10f1759e" + id = "63e9bb61-9a08-523a-bb74-95615e71e89f" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L34-L51" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "024cb91288f133e4cdf5993ac0477de6de76d38fa06f7affa348c6a28a4600da" + logic_hash = "v1_sha256_024cb91288f133e4cdf5993ac0477de6de76d38fa06f7affa348c6a28a4600da" score = 75 quality = 80 tags = "" @@ -124389,7 +124612,7 @@ rule ESET_Beds_Plugin License = "BSD 2-Clause" condition: - pe.exports("CheckDLLStatus") and pe.exports("GetPluginData") and pe.exports("InitializePlugin") and pe.exports("IsReleased") and pe.exports("ReleaseDLL") + pe.exports( "CheckDLLStatus" ) and pe.exports ( "GetPluginData" ) and pe.exports ( "InitializePlugin" ) and pe.exports ( "IsReleased" ) and pe.exports ( "ReleaseDLL" ) } import "pe" @@ -124398,13 +124621,13 @@ rule ESET_Beds_Dropper meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "47ccab59-253f-55d4-b38a-4441802626fc" + id = "790b0748-5e98-554b-8ba9-39c0aa02cabb" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L53-L67" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "4b5d121e182e3fddd766a7a1227c5de273995e9336156e7a6e8a17faad681bea" + logic_hash = "v1_sha256_4b5d121e182e3fddd766a7a1227c5de273995e9336156e7a6e8a17faad681bea" score = 75 quality = 80 tags = "" 
@@ -124414,22 +124637,20 @@ rule ESET_Beds_Dropper License = "BSD 2-Clause" condition: - pe.imphash()=="a7ead4ef90d9981e25728e824a1ba3ef" + pe.imphash( ) == "a7ead4ef90d9981e25728e824a1ba3ef" } -import "pe" - rule ESET_Facebook_Bot : FILE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "643b137f-af79-584c-8266-f2335a79f1ba" + id = "c2ea56f7-4741-5834-90d8-d7a0f4f31773" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L69-L100" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "8ea779f90fa6080398403e3e6f9d342360c35e93c756ed43cb699f090106504e" + logic_hash = "v1_sha256_8ea779f90fa6080398403e3e6f9d342360c35e93c756ed43cb699f090106504e" score = 75 quality = 55 tags = "FILE" 
@@ -124456,22 +124677,20 @@ rule ESET_Facebook_Bot : FILE $x9 = "profile.login" fullword ascii condition: - ( uint16(0)==0x5a4d and filesize <1000KB and (1 of ($s*) or 3 of ($x*))) or ( all of them ) + ( uint16( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $s* ) or 3 of ( $x* ) ) ) or ( all of them ) } -import "pe" - rule ESET_Pds_Plugins : FILE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "dfa75db5-f21c-5b5e-84ba-3bfdcc3efdcd" + id = "f2ca0f8f-1aa7-52cf-bc03-fa25ee595027" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L102-L130" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "26bbd380b72fb45206178639d67c8737b9984b140ba1048432949e159946c847" + logic_hash = "v1_sha256_26bbd380b72fb45206178639d67c8737b9984b140ba1048432949e159946c847" score = 75 quality = 80 tags = "FILE" 
@@ -124496,22 +124715,20 @@ rule ESET_Pds_Plugins : FILE $s13 = "CCookieManager *" fullword ascii condition: - ( uint16(0)==0x5a4d and filesize <1000KB and (2 of ($s*))) + ( uint16( 0 ) == 0x5a4d and filesize < 1000KB and ( 2 of ( $s* ) ) ) } -import "pe" - rule ESET_Stantinko_Pdb { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "24694e53-b89e-5cd3-ad53-e738bbd7d69d" + id = "c5c69747-c27f-5fa8-8752-32b7d218067e" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L132-L148" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "902c0ee086ce1a8def831d2f30c868165198c6c304faac3a93116a524f8e2fbf" + logic_hash = "v1_sha256_902c0ee086ce1a8def831d2f30c868165198c6c304faac3a93116a524f8e2fbf" score = 75 quality = 80 tags = "" @@ -124526,20 +124743,18 @@ rule ESET_Stantinko_Pdb condition: all of them } -import "pe" - rule ESET_Stantinko_Droppers : FILE { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "fe2e6987-929a-59e3-a9ec-01a9f55fe589" + id = "e1bae22e-748a-594d-a287-95ca25bbafa3" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L150-L170" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "c56fc85834a3e1bb1c14da37fb509c7de3009bf81d52800fe0093dc489f6deaa" + logic_hash = "v1_sha256_c56fc85834a3e1bb1c14da37fb509c7de3009bf81d52800fe0093dc489f6deaa" score = 75 quality = 80 tags = "FILE" 
@@ -124553,7 +124768,7 @@ rule ESET_Stantinko_Droppers : FILE $s2 = {7E 5E 7F 8C 08 46 00 00 AB 57 1A BB 91 5C 00 00 FA CC FD 76 90 3A 00 00} condition: - uint16(0)==0x5A4D and 1 of them + uint16( 0 ) == 0x5A4D and 1 of them } import "pe" @@ -124562,13 +124777,13 @@ rule ESET_Stantinko_D3D meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "6652e55c-96a0-55a7-9941-7f32bbf984e5" + id = "d886199c-d8eb-5203-a2fe-79dbf45e3ba6" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L172-L187" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "4e8da3f11df15e4aa469db62961ae390c4c4df2a5335eec0bdab19b14cc8343d" + logic_hash = "v1_sha256_4e8da3f11df15e4aa469db62961ae390c4c4df2a5335eec0bdab19b14cc8343d" score = 75 quality = 80 tags = "" 
@@ -124578,22 +124793,20 @@ rule ESET_Stantinko_D3D License = "BSD 2-Clause" condition: - pe.exports("EntryPoint") and pe.exports("ServiceMain") and pe.imports("WININET.DLL","HttpAddRequestHeadersA") + pe.exports( "EntryPoint" ) and pe.exports ( "ServiceMain" ) and pe.imports ( "WININET.DLL" , "HttpAddRequestHeadersA" ) } -import "pe" - rule ESET_Stantinko_Ihctrl32 { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "e8ab9f78-f438-5d9b-8407-e6c7e241da2c" + id = "289c7939-5207-564a-8575-815e50cd1c5b" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L189-L209" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "1829e08fb2289f738d0e75ad9977169e9a94379da764b1766f23fa47e8bc2543" + logic_hash = "v1_sha256_1829e08fb2289f738d0e75ad9977169e9a94379da764b1766f23fa47e8bc2543" score = 75 quality = 80 tags = "" @@ -124612,20 +124825,18 @@ rule ESET_Stantinko_Ihctrl32 condition: 2 of them } -import "pe" - rule ESET_Stantinko_Wsaudio { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "623f4ac7-03ec-52df-b7bf-0a2055453c52" + id = "77054970-2964-524a-9730-71b0ff3b90f7" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L211-L233" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "45d92f1475f316ba50a9a4a3dd519d1186ed16c68bd2debe326736a1e3154562" + logic_hash = "v1_sha256_45d92f1475f316ba50a9a4a3dd519d1186ed16c68bd2debe326736a1e3154562" score = 75 quality = 80 tags = "" 
@@ -124643,20 +124854,18 @@ rule ESET_Stantinko_Wsaudio condition: 2 of them } -import "pe" - rule ESET_Stantinko_Ghstore { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "ef9f0c27-35ea-5dd5-925f-09b6e043569d" + id = "76da8b52-20ad-51a6-acf3-3e176a9ddb3b" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L235-L255" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "e5628d6ffb2d3684264b3a88c4d7b5d2ce8983aa22badf5839ccb8ba2e3ef2d4" + logic_hash = "v1_sha256_e5628d6ffb2d3684264b3a88c4d7b5d2ce8983aa22badf5839ccb8ba2e3ef2d4" score = 75 quality = 80 tags = "" @@ -124675,20 +124884,18 @@ rule ESET_Stantinko_Ghstore condition: 3 of them } -import "pe" - rule ESET_IIS_Group02 { meta: description = "Detects Group 2 native IIS malware family" author = "ESET Research" - id = "945e3748-1072-55f3-abaa-903dfc250294" + id = "bfdd1bb1-08e4-55ab-80c5-bc36180e4b57" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L134-L155" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "3fa2b8fed3c580f446b55412a920a5cfed2317b06aa93d059e9f89fdbec8f683" + logic_hash = "v1_sha256_3fa2b8fed3c580f446b55412a920a5cfed2317b06aa93d059e9f89fdbec8f683" score = 75 quality = 76 tags = "" 
@@ -124704,22 +124911,20 @@ rule ESET_IIS_Group02 $s6 = "AVRSAFunction" condition: - ESET_IIS_Native_Module_PRIVATE and 3 of ($s*) + ESET_IIS_Native_Module_PRIVATE and 3 of ( $s* ) } -import "pe" - rule ESET_IIS_Group03 { meta: description = "Detects Group 3 native IIS malware family" author = "ESET Research" - id = "9caf9b3e-611e-5e0e-a7ee-9e7515679022" + id = "8d8c5692-56ce-501e-8bf3-c0fa006fdf7a" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L157-L176" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "d811c2ac610780bf968e86e8fd302cffc9434902e547399d06fdeb30d1719f51" + logic_hash = "v1_sha256_d811c2ac610780bf968e86e8fd302cffc9434902e547399d06fdeb30d1719f51" score = 75 quality = 80 tags = "" @@ -124733,22 +124938,20 @@ rule ESET_IIS_Group03 $s4 = "X-Cookie" condition: - ESET_IIS_Native_Module_PRIVATE and 3 of ($s*) + ESET_IIS_Native_Module_PRIVATE and 3 of ( $s* ) } -import "pe" - rule ESET_IIS_Group04_Rgdoor { meta: description = "Detects Group 4 native IIS malware family (RGDoor)" author = "ESET Research" - id = "64a0e664-a4d9-555b-a11b-5f7d9d0678b1" + id = "8dedeaf8-640a-551f-b930-a049a77aacee" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L178-L199" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "be615dc0cc8bf0fd52cc5a88a3759c1cb1cd18703de74d16f5cce3eabccf91c6" + logic_hash = "v1_sha256_be615dc0cc8bf0fd52cc5a88a3759c1cb1cd18703de74d16f5cce3eabccf91c6" score = 75 quality = 80 tags = "" 
@@ -124763,22 +124966,20 @@ rule ESET_IIS_Group04_Rgdoor $s5 = "cmd.exe" condition: - ESET_IIS_Native_Module_PRIVATE and ($i1 or all of ($s*)) + ESET_IIS_Native_Module_PRIVATE and ( $i1 or all of ( $s* ) ) } -import "pe" - rule ESET_IIS_Group05_Iistealer { meta: description = "Detects Group 5 native IIS malware family (IIStealer)" author = "ESET Research" - id = "598ec6b2-0349-5da7-acad-72ef2468b927" + id = "f0f5b3ff-0f13-5faa-94dd-19e060656dc5" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L201-L232" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "5dff445121fda59df805d6fcb5db3f8f8e52a6e63e2da2a6875f8c9ad9cafc72" + logic_hash = "v1_sha256_5dff445121fda59df805d6fcb5db3f8f8e52a6e63e2da2a6875f8c9ad9cafc72" score = 75 quality = 80 tags = "" 
@@ -124800,22 +125001,20 @@ rule ESET_IIS_Group05_Iistealer $s12 = {C7 ?? AF 2F 00 70 00 C7 ?? B3 72 00 69 00 C7 ?? B7 76 00 61 00 C7 ?? BB 63 00 79 00 C7 ?? BF 2E 00 61 00 C7 ?? C3 73 00 70 00 C7 ?? C7 78 00 00 00} condition: - ESET_IIS_Native_Module_PRIVATE and 3 of ($s*) + ESET_IIS_Native_Module_PRIVATE and 3 of ( $s* ) } -import "pe" - rule ESET_IIS_Group06_ISN { meta: description = "Detects Group 6 native IIS malware family (ISN)" author = "ESET Research" - id = "1f68fc42-61a3-5a7d-9daa-31ae3b561837" + id = "b8cba1c3-9df8-544a-80f3-32d4b3fcb333" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L234-L259" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "2f59034a642a9b92fc88922433cd5923be02332159cba5e16d99d9523ed43205" + logic_hash = "v1_sha256_2f59034a642a9b92fc88922433cd5923be02332159cba5e16d99d9523ed43205" score = 75 quality = 80 tags = "" 
@@ -124834,22 +125033,20 @@ rule ESET_IIS_Group06_ISN $s9 = "isn7.dll" condition: - ESET_IIS_Native_Module_PRIVATE and 3 of ($s*) + ESET_IIS_Native_Module_PRIVATE and 3 of ( $s* ) } -import "pe" - rule ESET_IIS_Group07_Iispy { meta: description = "Detects Group 7 native IIS malware family (IISpy)" author = "ESET Research" - id = "64ed0189-a0be-5592-b9c6-1622700a7ed7" + id = "17bccdc6-e280-544e-a42e-cdfe48d55000" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L261-L296" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "ec5db5f36d06f9b0bdfe598fc72431da35afc1473dcc29f437a0f48ea9835a03" + logic_hash = "v1_sha256_ec5db5f36d06f9b0bdfe598fc72431da35afc1473dcc29f437a0f48ea9835a03" score = 75 quality = 80 tags = "" @@ -124874,22 +125071,20 @@ rule ESET_IIS_Group07_Iispy $t6 = {89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52} condition: - ESET_IIS_Native_Module_PRIVATE and 2 of ($s*) and any of ($t*) + ESET_IIS_Native_Module_PRIVATE and 2 of ( $s* ) and any of ( $t* ) } -import "pe" - rule ESET_IIS_Group08 { meta: description = "Detects Group 8 native IIS malware family" author = "ESET Research" - id = "d0e9a5ec-b7f0-5d3f-93b4-d048503eb210" + id = "ce5e5ac3-99d8-5009-aca9-3e204bbd99e9" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L298-L337" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "d5826d454d25ecbbb5da464da974023a247517d873cf10dc0eafa91e185451da" + logic_hash = "v1_sha256_d5826d454d25ecbbb5da464da974023a247517d873cf10dc0eafa91e185451da" score = 75 quality = 53 tags = "" 
@@ -124922,22 +125117,20 @@ rule ESET_IIS_Group08 $s20 = "101fb9d9e86d9e6c" condition: - ESET_IIS_Native_Module_PRIVATE and 1 of ($i*) and 3 of ($s*) + ESET_IIS_Native_Module_PRIVATE and 1 of ( $i* ) and 3 of ( $s* ) } -import "pe" - rule ESET_IIS_Group09 { meta: description = "Detects Group 9 native IIS malware family" author = "ESET Research" - id = "69d176bc-73b1-5c4d-bb7e-463d26e8e6a9" + id = "9e31e907-b305-5ccd-8112-4305ff1900a0" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L339-L387" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "5f89f9488221b8db8d493b3c23b7f5edd957c15511148eca890558886c128192" + logic_hash = "v1_sha256_5f89f9488221b8db8d493b3c23b7f5edd957c15511148eca890558886c128192" score = 75 quality = 76 tags = "" @@ -124978,22 +125171,20 @@ rule ESET_IIS_Group09 $s25 = "http://xsc.b1174.c" xor condition: - ESET_IIS_Native_Module_PRIVATE and any of ($i*) and 3 of ($s*) + ESET_IIS_Native_Module_PRIVATE and any of ( $i* ) and 3 of ( $s* ) } -import "pe" - rule ESET_IIS_Group10 { meta: description = "Detects Group 10 native IIS malware family" author = "ESET Research" - id = "31368b38-9128-594d-888d-e97d3edc7a1f" + id = "a0cf4e20-ca9c-5421-a080-a8906c1b09e2" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L389-L423" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "48701168d7da726222227ef757f1a4005a49c0bf300123319ce03db09445b3ef" + logic_hash = "v1_sha256_48701168d7da726222227ef757f1a4005a49c0bf300123319ce03db09445b3ef" score = 75 quality = 80 tags = "" 
@@ -125021,22 +125212,20 @@ rule ESET_IIS_Group10 $e10 = "sm.cn" condition: - ESET_IIS_Native_Module_PRIVATE and 2 of ($e*) and 3 of ($s*) + ESET_IIS_Native_Module_PRIVATE and 2 of ( $e* ) and 3 of ( $s* ) } -import "pe" - rule ESET_IIS_Group11 { meta: description = "Detects Group 11 native IIS malware family" author = "ESET Research" - id = "e9dac67a-1675-5198-ad26-d555696844f9" + id = "d14c7c0b-3c56-588e-8632-33d5c567f99c" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L425-L455" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "a67b6b49b5fc2c7f260c06201c59478f5472de63091c510af82d526c410abb0c" + logic_hash = "v1_sha256_a67b6b49b5fc2c7f260c06201c59478f5472de63091c510af82d526c410abb0c" score = 75 quality = 80 tags = "" @@ -125053,22 +125242,20 @@ rule ESET_IIS_Group11 $s7 = "jvvr<11yyy0cnnuqwnw0eqo130rjrAeofqwv?" condition: - ESET_IIS_Native_Module_PRIVATE and 3 of ($s*) + ESET_IIS_Native_Module_PRIVATE and 3 of ( $s* ) } -import "pe" - rule ESET_IIS_Group12 { meta: description = "Detects Group 12 native IIS malware family" author = "ESET Research" - id = "7278f2df-d18a-5d95-9c21-37906629a7f0" + id = "125ff157-3a1b-5f77-b08d-5f90a94c73e1" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L457-L495" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "8da03328e3702aff8ea5de77fc220f326030c31972d27c0bd9b5918dca550aba" + logic_hash = "v1_sha256_8da03328e3702aff8ea5de77fc220f326030c31972d27c0bd9b5918dca550aba" score = 75 quality = 78 tags = "" 
@@ -125101,20 +125288,18 @@ rule ESET_IIS_Group12 condition: ESET_IIS_Native_Module_PRIVATE and 5 of them } -import "pe" - rule ESET_IIS_Group13_Iiserpent { meta: description = "Detects Group 13 native IIS malware family (IISerpent)" author = "ESET Research" - id = "f22dffb1-466f-5a7b-b9aa-de7ba991db1a" + id = "019d33b8-2a11-5184-8cf1-35776c79fd7b" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L497-L523" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "7077b842c53ee1581ad4150cdfaac3502bfc0fbd3b823190ad648e09f36e442d" + logic_hash = "v1_sha256_7077b842c53ee1581ad4150cdfaac3502bfc0fbd3b823190ad648e09f36e442d" score = 75 quality = 80 tags = "" @@ -125137,20 +125322,18 @@ rule ESET_IIS_Group13_Iiserpent condition: ESET_IIS_Native_Module_PRIVATE and 5 of them } -import "pe" - rule ESET_IIS_Group14 { meta: description = "Detects Group 14 native IIS malware family" author = "ESET Research" - id = "c773b09e-9f24-5e75-ba80-4be69af70b06" + id = "7165e279-af54-584e-bc99-b5071100e32f" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L525-L552" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "ef10a4dfb1a9164533677416a7c9ada715ce10bfc1e5f92b56cf54bd890d4575" + logic_hash = "v1_sha256_ef10a4dfb1a9164533677416a7c9ada715ce10bfc1e5f92b56cf54bd890d4575" score = 75 quality = 80 tags = "" 
@@ -125170,22 +125353,20 @@ rule ESET_IIS_Group14 $s6 = "HTTP_X_FORWARDED_FOR" condition: - ESET_IIS_Native_Module_PRIVATE and 2 of ($i*) or 5 of them + ESET_IIS_Native_Module_PRIVATE and 2 of ( $i* ) or 5 of them } -import "pe" - rule ESET_Apt_Windows_TA410_Tendyron_Dropper { meta: description = "TA410 Tendyron Dropper" author = "ESET Research" - id = "8d1e16d9-b5c2-5427-a0b4-7dd00a9df5ec" + id = "5ad87699-5e6e-5a3f-8206-ce269d85ae26" date = "2020-12-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L34-L53" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "45f7300a4b85624ad3fda5c73a24f53f53cb7990def4d84e04dcd8e5747f4f2e" + logic_hash = "v1_sha256_45f7300a4b85624ad3fda5c73a24f53f53cb7990def4d84e04dcd8e5747f4f2e" score = 75 quality = 80 tags = "" @@ -125201,22 +125382,20 @@ rule ESET_Apt_Windows_TA410_Tendyron_Dropper $s6 = "ALPC Port" wide condition: - int16 (0)==0x5A4D and 4 of them + int16 ( 0 ) == 0x5A4D and 4 of them } -import "pe" - rule ESET_Apt_Windows_TA410_Tendyron_Installer { meta: description = "TA410 Tendyron Installer" author = "ESET Research" - id = "95ccad1c-99fb-5d38-aec0-650db3e06b35" + id = "53991487-825b-5e00-8d38-488186ded2c3" date = "2020-12-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L55-L73" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "9c3afb924747614f27c31cf2c3d98f4932a9d11597a3ac94263bf93be02801da" + logic_hash = "v1_sha256_9c3afb924747614f27c31cf2c3d98f4932a9d11597a3ac94263bf93be02801da" score = 75 quality = 80 tags = "" 
@@ -125231,22 +125410,20 @@ rule ESET_Apt_Windows_TA410_Tendyron_Installer $s5 = "\\RTFExploit\\" condition: - int16 (0)==0x5A4D and 3 of them + int16 ( 0 ) == 0x5A4D and 3 of them } -import "pe" - rule ESET_Apt_Windows_TA410_Tendyron_Downloader { meta: description = "TA410 Tendyron Downloader" author = "ESET Research" - id = "afd8a2a7-8d58-5a96-b9e0-6f8b859e83c5" + id = "0a0e66fb-368f-5840-8bac-be1ba9986a1a" date = "2020-12-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L75-L107" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "16030a78ae9af8783f5913644294ceff861c8264ead8ca99435032be6d7949ef" + logic_hash = "v1_sha256_16030a78ae9af8783f5913644294ceff861c8264ead8ca99435032be6d7949ef" score = 75 quality = 80 tags = "" @@ -125266,22 +125443,20 @@ rule ESET_Apt_Windows_TA410_Tendyron_Downloader $s1 = "startModule" fullword condition: - int16 (0)==0x5A4D and all of them + int16 ( 0 ) == 0x5A4D and all of them } -import "pe" - rule ESET_Apt_Windows_TA410_X4_Strings { meta: description = "Matches various strings found in TA410 X4" author = "ESET Research" - id = "e6af4516-8b79-5182-8571-7dd530632ddc" + id = "7b920fe9-016d-5ba7-8ea7-589d566901a6" date = "2020-10-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L109-L125" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "d4b2321a6d0eb0ca8d7c47596af2a45c22b3aef15d1832d64d6588a62cab312a" + logic_hash = "v1_sha256_d4b2321a6d0eb0ca8d7c47596af2a45c22b3aef15d1832d64d6588a62cab312a" score = 75 quality = 74 tags = "" 
@@ -125296,20 +125471,18 @@ rule ESET_Apt_Windows_TA410_X4_Strings condition: any of them } -import "pe" - rule ESET_Apt_Windows_TA410_X4_Hash_Values : FILE { meta: description = "Matches X4 hash function found in TA410 X4" author = "ESET Research" - id = "859bb977-82d0-5314-b1a8-fb3bb06a1b28" + id = "bac69062-aedf-5a66-84d7-c9165017471a" date = "2020-10-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L127-L149" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "bcf3891ff888ca99af9aa0e239b29241ae819022607fb829c5731267add308ea" + logic_hash = "v1_sha256_bcf3891ff888ca99af9aa0e239b29241ae819022607fb829c5731267add308ea" score = 75 quality = 80 tags = "FILE" @@ -125327,22 +125500,20 @@ rule ESET_Apt_Windows_TA410_X4_Hash_Values : FILE $s8 = {15 60 1E FB F5 03} condition: - uint16(0)==0x5a4d and 4 of them + uint16( 0 ) == 0x5a4d and 4 of them } -import "pe" - rule ESET_Apt_Windows_TA410_X4_Hash_Fct : FILE { meta: description = "Matches X4 hash function found in TA410 X4" author = "ESET Research" - id = "5ca435a4-7c6e-594d-8c4d-d577735884e6" + id = "0fe8de40-8fc9-527b-aacb-18eeca8963ea" date = "2020-10-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L151-L187" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "3b2d44cb7685a99e9aeb08f886f6876d43ee99d1e52e40705c3fa97ce3bfa9a0" + logic_hash = "v1_sha256_3b2d44cb7685a99e9aeb08f886f6876d43ee99d1e52e40705c3fa97ce3bfa9a0" score = 75 quality = 80 tags = "FILE" 
@@ -125362,22 +125533,20 @@ rule ESET_Apt_Windows_TA410_X4_Hash_Fct : FILE } condition: - uint16(0)==0x5a4d and any of them + uint16( 0 ) == 0x5a4d and any of them } -import "pe" - rule ESET_Apt_Windows_TA410_Lookback_Decryption : FILE { meta: description = "Matches encryption/decryption function used by LookBack." author = "ESET Research" - id = "91947c6b-f357-5cf8-8522-4dcd517d01cb" + id = "cde7c0cc-7dbd-5ec5-8245-c319cbde7056" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L189-L254" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "016dca6be654fcd193acc481e6a998efbb77e7ebd09b26614422be1136dd02c0" + logic_hash = "v1_sha256_016dca6be654fcd193acc481e6a998efbb77e7ebd09b26614422be1136dd02c0" score = 75 quality = 80 tags = "FILE" @@ -125439,22 +125608,20 @@ rule ESET_Apt_Windows_TA410_Lookback_Decryption : FILE } condition: - uint16(0)==0x5a4d and all of them + uint16( 0 ) == 0x5a4d and all of them } -import "pe" - rule ESET_Apt_Windows_TA410_Lookback_Loader : FILE { meta: description = "Matches the modified function in LookBack libcurl loader." author = "ESET Research" - id = "d0aac4f6-f72f-5adf-8f8f-9251bad70131" + id = "13c0bcdd-4704-5e05-bea7-4c778fcb8723" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L256-L309" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "98390dd664227ad747e5572771d12e7ebd2475d26db27e85508347ac6f44f3bf" + logic_hash = "v1_sha256_98390dd664227ad747e5572771d12e7ebd2475d26db27e85508347ac6f44f3bf" score = 75 quality = 80 tags = "FILE" 
@@ -125504,7 +125671,7 @@ rule ESET_Apt_Windows_TA410_Lookback_Loader : FILE } condition: - uint16(0)==0x5a4d and all of them + uint16( 0 ) == 0x5a4d and all of them } import "pe" @@ -125513,13 +125680,13 @@ rule ESET_Apt_Windows_TA410_Lookback_Strings : FILE meta: description = "Matches multiple strings and export names in TA410 LookBack." author = "ESET Research" - id = "b693c468-5abf-579d-bc03-67f67339feb9" + id = "95cbbbcf-abf5-5512-bd23-b13dbf5d02b6" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L311-L331" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "d17ed604e3691c20fe489f95197b7b802ec951ed13d538fa6643449485b326b2" + logic_hash = "v1_sha256_d17ed604e3691c20fe489f95197b7b802ec951ed13d538fa6643449485b326b2" score = 75 quality = 80 tags = "FILE" 
@@ -125535,22 +125702,20 @@ rule ESET_Apt_Windows_TA410_Lookback_Strings : FILE $s6 = "SodomMainProc" ascii wide condition: - uint16(0)==0x5a4d and (2 of them or pe.exports("SodomBodyLoad") or pe.exports("SodomBodyLoadTest")) + uint16( 0 ) == 0x5a4d and ( 2 of them or pe.exports ( "SodomBodyLoad" ) or pe.exports ( "SodomBodyLoadTest" ) ) } -import "pe" - rule ESET_Apt_Windows_TA410_Lookback_HTTP : FILE { meta: description = "Matches LookBack's hardcoded HTTP request" author = "ESET Research" - id = "ca4ee437-5ac9-5715-90fb-e0e74a817bb5" + id = "d58fec9b-de9f-560f-8055-e6ea3c4b4180" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L333-L349" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "0e777f56136cd11d62abdf4f120410d5fe9cd522cfc06afbf085414a96279bf7" + logic_hash = "v1_sha256_0e777f56136cd11d62abdf4f120410d5fe9cd522cfc06afbf085414a96279bf7" score = 75 quality = 80 tags = "FILE" 
@@ -125562,22 +125727,20 @@ rule ESET_Apt_Windows_TA410_Lookback_HTTP : FILE $s2 = "id=1&op=report&status=" condition: - uint16(0)==0x5a4d and all of them + uint16( 0 ) == 0x5a4d and all of them } -import "pe" - rule ESET_Apt_Windows_TA410_Lookback_Magic : FILE { meta: description = "Matches message header creation in LookBack." author = "ESET Research" - id = "5a40a307-772b-5600-9e58-f4bc6dfe6711" + id = "9cfdb68d-6e9c-5176-a45b-958717c07431" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L351-L377" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "442a08a77fd2db03e507c0d5a32b17ab4e5936a209f7af23ef3c33a4b9f3d0d5" + logic_hash = "v1_sha256_442a08a77fd2db03e507c0d5a32b17ab4e5936a209f7af23ef3c33a4b9f3d0d5" score = 75 quality = 80 tags = "FILE" @@ -125599,22 +125762,20 @@ rule ESET_Apt_Windows_TA410_Lookback_Magic : FILE } condition: - uint16(0)==0x5a4d and all of them + uint16( 0 ) == 0x5a4d and all of them } -import "pe" - rule ESET_Apt_Windows_TA410_Flowcloud_Loader_Strings : FILE { meta: description = "Matches various strings found in TA410 FlowCloud first stage." author = "ESET Research" - id = "a3fb894f-8e26-5cbd-a1f2-8a9ab1db0901" + id = "012c6333-6e52-5181-b9b1-66f11e576ef9" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L379-L415" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "3c90723e009ffe2603910566ac52a324256676ee3ff128d94427681010e10e8b" + logic_hash = "v1_sha256_3c90723e009ffe2603910566ac52a324256676ee3ff128d94427681010e10e8b" score = 75 quality = 78 tags = "FILE" 
@@ -125646,22 +125807,20 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Loader_Strings : FILE $s23 = "invalid encrypto hdr while decrypting" condition: - uint16(0)==0x5a4d and ($key or $event or 5 of ($s*)) + uint16( 0 ) == 0x5a4d and ( $key or $event or 5 of ( $s* ) ) } -import "pe" - rule ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption : FILE { meta: description = "Matches the function used to decrypt resources headers in TA410 FlowCloud" author = "ESET Research" - id = "403c1845-bc25-5a49-8553-8a0be18d6970" - date = "2024-01-08" + id = "dad09e87-9e5b-59b7-8eed-b37c2b9e9b35" + date = "2024-01-15" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L417-L496" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "74b6c42bf2de159b2b0a15637e6bd94069367e3000c887714d6e3b50aa3646be" + logic_hash = "v1_sha256_74b6c42bf2de159b2b0a15637e6bd94069367e3000c887714d6e3b50aa3646be" score = 75 quality = 80 tags = "FILE" 
@@ -125703,22 +125862,20 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption : FILE } condition: - uint16(0)==0x5a4d and all of them + uint16( 0 ) == 0x5a4d and all of them } -import "pe" - rule ESET_Apt_Windows_TA410_Flowcloud_Dll_Hijacking_Strings : FILE { meta: description = "Matches filenames inside TA410 FlowCloud malicious DLL." author = "ESET Research" - id = "6636d4d0-0a7f-5971-a7f4-58803042d874" + id = "914e3f3d-7aa8-5888-a5c7-d83ffad5e350" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L498-L517" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "e8082d4216364a12ba395f772b5caed94b3068d26a2b3a97ef711d61a82f65b3" + logic_hash = "v1_sha256_e8082d4216364a12ba395f772b5caed94b3068d26a2b3a97ef711d61a82f65b3" score = 75 quality = 80 tags = "FILE" 
@@ -125734,22 +125891,20 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Dll_Hijacking_Strings : FILE $dll3 = "setlangloc.dll" wide condition: - uint16(0)==0x5a4d and ( all of ($dat*) or all of ($dll*)) + uint16( 0 ) == 0x5a4d and ( all of ( $dat* ) or all of ( $dll* ) ) } -import "pe" - rule ESET_Apt_Windows_TA410_Flowcloud_Malicious_Dll_Antianalysis : FILE { meta: description = "Matches anti-analysis techniques used in TA410 FlowCloud hijacking DLL." author = "ESET Research" - id = "b38a1d4d-5053-5a6d-be8c-c00261936417" + id = "0ee5cb54-cca6-52dd-a7da-8fbf5bf66478" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L519-L552" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "8f14352118d32a43c17f70bd753acc48bd314965f10ab97818e8a434bbda96d9" + logic_hash = "v1_sha256_8f14352118d32a43c17f70bd753acc48bd314965f10ab97818e8a434bbda96d9" score = 75 quality = 80 tags = "FILE" @@ -125769,7 +125924,7 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Malicious_Dll_Antianalysis : FILE } condition: - uint16(0)==0x5a4d and all of them + uint16( 0 ) == 0x5a4d and all of them } import "pe" 
@@ -125778,13 +125933,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Pdb : FILE meta: description = "Matches PDB paths found in TA410 FlowCloud." author = "ESET Research" - id = "8bf25768-941e-55c6-bd21-f6b614c9d75d" + id = "a2566a1b-c09a-54f4-b0dd-c2d636b394e7" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L554-L567" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "ff95ab0f8e68efe612a6e0d70cebd8bf815d6b5e3877c098ac0761382dc310d6" + logic_hash = "v1_sha256_ff95ab0f8e68efe612a6e0d70cebd8bf815d6b5e3877c098ac0761382dc310d6" score = 75 quality = 80 tags = "FILE" @@ -125792,22 +125947,20 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Pdb : FILE version = "1" condition: - uint16(0)==0x5a4d and (pe.pdb_path contains "\\FlowCloud\\trunk\\" or pe.pdb_path contains "\\flowcloud\\trunk\\") + uint16( 0 ) == 0x5a4d and ( pe.pdb_path contains "\\FlowCloud\\trunk\\" or pe.pdb_path contains "\\flowcloud\\trunk\\" ) } -import "pe" - rule ESET_Apt_Windows_TA410_Flowcloud_Shellcode_Decryption : FILE { meta: description = "Matches the decryption function used in TA410 FlowCloud self-decrypting DLL" author = "ESET Research" - id = "8af7b2fa-be40-5ec8-8413-1c982a463a9a" + id = "aa03d3ad-c2ac-5b0d-84a0-2f353684b234" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L569-L615" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "939ffe6a41c957aa5d6c012484b2deab49a5e71a4b7e203a41c180f872803921" + logic_hash = "v1_sha256_939ffe6a41c957aa5d6c012484b2deab49a5e71a4b7e203a41c180f872803921" score = 75 quality = 80 tags = "FILE" 
@@ -125833,22 +125986,20 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Shellcode_Decryption : FILE } condition: - uint16(0)==0x5a4d and all of them + uint16( 0 ) == 0x5a4d and all of them } -import "pe" - rule ESET_Apt_Windows_TA410_Flowcloud_Fcclient_Strings : FILE { meta: description = "Strings found in fcClient/rescure.dat module." author = "ESET Research" - id = "876bae0b-2612-559b-9ead-b633a3789663" + id = "6f2dfde7-d8d0-5fc1-8bc0-1cf1a02f7903" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L617-L639" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "c05b7031a5aec1bcf29eca06c010c402edeb24a093a2043dbc21781dff22c7fe" + logic_hash = "v1_sha256_c05b7031a5aec1bcf29eca06c010c402edeb24a093a2043dbc21781dff22c7fe" score = 75 quality = 80 tags = "FILE" 
@@ -125866,22 +126017,20 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Fcclient_Strings : FILE $driver2 = "\\drivers\\hidusb.sys" wide fullword condition: - uint16(0)==0x5a4d and ( any of ($s*) or all of ($driver*)) + uint16( 0 ) == 0x5a4d and ( any of ( $s* ) or all of ( $driver* ) ) } -import "pe" - rule ESET_Apt_Windows_TA410_Flowcloud_Fcclientdll_Strings : FILE { meta: description = "Strings found in fcClientDll/responsor.dat module." author = "ESET Research" - id = "80ecaf51-406f-590c-8f9c-59672683de02" + id = "ff02d23f-8957-5f73-94a5-e4d6980f8180" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L641-L669" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "3a93f58cf14b57a96157077ec14aa6fb181e3da80f4ba46c0379a58b67c08a0e" + logic_hash = "v1_sha256_3a93f58cf14b57a96157077ec14aa6fb181e3da80f4ba46c0379a58b67c08a0e" score = 75 quality = 80 tags = "FILE" 
@@ -125905,22 +126054,20 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Fcclientdll_Strings : FILE $sql7 = "insert into file_data(file_id, ofs, data, status)" condition: - uint16(0)==0x5a4d and ( any of ($s*) or #fc_msg>=8 or 4 of ($sql*)) + uint16( 0 ) == 0x5a4d and ( any of ( $s* ) or #fc_msg >= 8 or 4 of ( $sql* ) ) } -import "pe" - rule ESET_Apt_Windows_TA410_Rootkit_Strings : FILE { meta: description = "Strings found in TA410's Rootkit" author = "ESET Research" - id = "a6a97721-571e-5414-9b00-5789d7bcd078" + id = "c6af81b7-76e6-5715-93b7-7ac1db8b2cd3" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L671-L697" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "1d3ad63508c5e4bca32b9a44b738cb4a7384ccfa5704ce329260adb342ea4e60" + logic_hash = "v1_sha256_1d3ad63508c5e4bca32b9a44b738cb4a7384ccfa5704ce329260adb342ea4e60" score = 75 quality = 80 tags = "FILE" @@ -125942,7 +126089,7 @@ rule ESET_Apt_Windows_TA410_Rootkit_Strings : FILE $s1 = "\\SystemRoot\\System32\\drivers\\hidmouse.sys" wide condition: - uint16(0)==0x5a4d and all of ($s1,$reg*) and ( all of ($driver*) or all of ($device*)) + uint16( 0 ) == 0x5a4d and all of ( $s1 , $reg* ) and ( all of ( $driver* ) or all of ( $device* ) ) } import "pe" 
@@ -125951,13 +126098,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_V5_Resources : FILE meta: description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 5.0.2" author = "ESET Research" - id = "05a233f0-a823-5154-a47d-cede722d4710" + id = "56f07f5d-93a7-5c25-b0f1-c3f4d8af1ac8" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L699-L720" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "58f75dda53c6d4b3d88f464c452d855ac6dc88add5f4fba2641f52e7a1ae00ed" + logic_hash = "v1_sha256_58f75dda53c6d4b3d88f464c452d855ac6dc88add5f4fba2641f52e7a1ae00ed" score = 75 quality = 80 tags = "FILE" 
@@ -125965,7 +126112,7 @@ rule ESET_Apt_Windows_TA410_Flowcloud_V5_Resources : FILE version = "1" condition: - uint16(0)==0x5a4d and pe.number_of_resources>=13 and for 12resource in pe.resources : (resource.type==10 and resource.language==1033 and (resource.name_string=="1\x000\x000\x00" or resource.name_string=="1\x000\x000\x000\x00" or resource.name_string=="1\x000\x000\x000\x000\x00" or resource.name_string=="1\x000\x000\x001\x00" or resource.name_string=="1\x000\x001\x00" or resource.name_string=="1\x000\x002\x00" or resource.name_string=="1\x000\x003\x00" or resource.name_string=="1\x000\x004\x00" or resource.name_string=="1\x000\x005\x00" or resource.name_string=="1\x000\x006\x00" or resource.name_string=="1\x000\x007\x00" or resource.name_string=="1\x000\x008\x00" or resource.name_string=="1\x000\x009\x00" or resource.name_string=="1\x001\x000\x00" or resource.name_string=="2\x000\x000\x000\x00" or resource.name_string=="2\x000\x000\x001\x00")) + uint16( 0 ) == 0x5a4d and pe.number_of_resources >= 13 and for 12 resource in pe.resources : ( resource.type == 10 and resource.language == 1033 and ( resource.name_string == "1\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x001\x00" or resource.name_string == "1\x000\x001\x00" or resource.name_string == "1\x000\x002\x00" or resource.name_string == "1\x000\x003\x00" or resource.name_string == "1\x000\x004\x00" or resource.name_string == "1\x000\x005\x00" or resource.name_string == "1\x000\x006\x00" or resource.name_string == "1\x000\x007\x00" or resource.name_string == "1\x000\x008\x00" or resource.name_string == "1\x000\x009\x00" or resource.name_string == "1\x001\x000\x00" or resource.name_string == "2\x000\x000\x000\x00" or resource.name_string == "2\x000\x000\x001\x00" ) ) } import "pe" 
@@ -125974,13 +126121,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_V4_Resources : FILE meta: description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 4.1.3" author = "ESET Research" - id = "57b98823-439f-5a2c-a8cb-ac5e98953b06" + id = "08265212-5eec-5f6b-806f-133b75c0c16d" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L722-L741" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "7b475cfddb5f995f7e8e3293b8e6ae59a9e36143998bc444499b5dce467f8e9d" + logic_hash = "v1_sha256_7b475cfddb5f995f7e8e3293b8e6ae59a9e36143998bc444499b5dce467f8e9d" score = 75 quality = 80 tags = "FILE" 
@@ -125988,22 +126135,20 @@ rule ESET_Apt_Windows_TA410_Flowcloud_V4_Resources : FILE version = "1" condition: - uint16(0)==0x5a4d and pe.number_of_resources>=6 and for 5resource in pe.resources : (resource.type==10 and resource.language==1033 and (resource.name_string=="1\x000\x000\x000\x000\x00" or resource.name_string=="1\x000\x000\x000\x001\x00" or resource.name_string=="1\x000\x000\x000\x002\x00" or resource.name_string=="1\x000\x000\x000\x003\x00" or resource.name_string=="1\x000\x000\x000\x004\x00" or resource.name_string=="1\x000\x000\x000\x005\x00" or resource.name_string=="1\x000\x001\x000\x000\x00")) + uint16( 0 ) == 0x5a4d and pe.number_of_resources >= 6 and for 5 resource in pe.resources : ( resource.type == 10 and resource.language == 1033 and ( resource.name_string == "1\x000\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x001\x00" or resource.name_string == "1\x000\x000\x000\x002\x00" or resource.name_string == "1\x000\x000\x000\x003\x00" or resource.name_string == "1\x000\x000\x000\x004\x00" or resource.name_string == "1\x000\x000\x000\x005\x00" or resource.name_string == "1\x000\x001\x000\x000\x00" ) ) } -import "pe" - rule ESET_Apt_Windows_Invisimole_Logs : FILE { meta: description = "Detects log files with collected created by InvisiMole's RC2CL backdoor" author = "ESET Research" - id = "151883ad-1f44-55b4-b12a-f0d399527189" + id = "1510c337-79f9-5011-ac18-c2eb24429b4e" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L54-L77" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "d42423ccc768f1823c76d5cb2aec26434c796fc35bd4e2fbf435fcf7997d3ff0" + logic_hash = "v1_sha256_d42423ccc768f1823c76d5cb2aec26434c796fc35bd4e2fbf435fcf7997d3ff0" score = 75 quality = 80 tags = "FILE" 
@@ -126011,22 +126156,20 @@ rule ESET_Apt_Windows_Invisimole_Logs : FILE version = "1" condition: - uint32(0)==0x08F1CAA1 or uint32(0)==0x08F1CAA2 or uint32(0)==0x08F1CCC0 or uint32(0)==0x08F2AFC0 or uint32(0)==0x083AE4DF or uint32(0)==0x18F2CBB1 or uint32(0)==0x1900ABBA or uint32(0)==0x24F2CEA1 or uint32(0)==0xDA012193 or uint32(0)==0xDA018993 or uint32(0)==0xDA018995 or uint32(0)==0xDD018991 + uint32( 0 ) == 0x08F1CAA1 or uint32( 0 ) == 0x08F1CAA2 or uint32( 0 ) == 0x08F1CCC0 or uint32( 0 ) == 0x08F2AFC0 or uint32( 0 ) == 0x083AE4DF or uint32( 0 ) == 0x18F2CBB1 or uint32( 0 ) == 0x1900ABBA or uint32( 0 ) == 0x24F2CEA1 or uint32( 0 ) == 0xDA012193 or uint32( 0 ) == 0xDA018993 or uint32( 0 ) == 0xDA018995 or uint32( 0 ) == 0xDD018991 } -import "pe" - rule ESET_Apt_Windows_Invisimole_SFX_Dropper : FILE { meta: description = "Detects trojanized InvisiMole files: patched RAR SFX droppers with added InvisiMole blobs (config encrypted XOR 2A at the end of a file)" author = "ESET Research" - id = "08490bcd-3139-5fac-9c6c-5a32acb7217a" + id = "8318efe0-aa80-5985-8d54-654af3e46fc4" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L79-L95" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "6ca248d42c1e889988e5931d80df071cb20e623fb0c4a208044cabe073f71ce4" + logic_hash = "v1_sha256_6ca248d42c1e889988e5931d80df071cb20e623fb0c4a208044cabe073f71ce4" score = 75 quality = 80 tags = "FILE" 
@@ -126037,22 +126180,20 @@ rule ESET_Apt_Windows_Invisimole_SFX_Dropper : FILE $encrypted_config = {5F 59 4F 58 19 18 04 4E 46 46 2A 5D 59 5A 58 43 44 5E 4C 7D 2A 0F 2A 59 2A 78 2A 4B 2A 58 2A 0E 2A 6F 2A 72 2A 4B 2A 0F 2A 4E 2A 04 2A 0F 2A 4E 2A 76 2A 0F 2A 79 2A 2A 2A 79 42 4F 46 46 6F 52 4F 49 5F 5E 4F 7D 2A 79 42 4F 46 46 19 18 04 4E 46 46 2A 7C 43 58 5E 5F 4B 46 6B 46 46 45 49 2A 66 45 4B 4E 66 43 48 58 4B 58 53 6B} condition: - uint16(0)==0x5A4D and $encrypted_config + uint16( 0 ) == 0x5A4D and $encrypted_config } -import "pe" - rule ESET_Apt_Windows_Invisimole_CPL_Loader : FILE { meta: description = "CPL loader" author = "ESET Research" - id = "feff8627-6085-5835-ac1b-d4522245f7db" + id = "23d9ca52-f274-57ac-83f6-4d3b0a857e29" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L97-L118" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "cd5c19e14faa7fd3758b30193ccf2bed3692ad29d8216466523ca25d2abcfe88" + logic_hash = "v1_sha256_cd5c19e14faa7fd3758b30193ccf2bed3692ad29d8216466523ca25d2abcfe88" score = 75 quality = 80 tags = "FILE" @@ -126069,7 +126210,7 @@ rule ESET_Apt_Windows_Invisimole_CPL_Loader : FILE $s7 = "wkssvmtx" condition: - uint16(0)==0x5A4D and (3 of them ) + uint16( 0 ) == 0x5A4D and ( 3 of them ) } import "pe" 
@@ -126078,13 +126219,13 @@ rule ESET_Apt_Windows_Invisimole_Wrapper_DLL meta: description = "Detects InvisiMole wrapper DLL with embedded RC2CL and RC2FM backdoors, by export and resource names" author = "ESET Research" - id = "b9609b09-3ef5-5793-a3aa-4692cec367d9" + id = "5dec4d9a-97bd-5f22-9ae7-9e7d2bc4cd98" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L120-L138" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "156bc5bc7b0ed5c77a5a15e7799a3077d40150896476a60935cf21a9afe36856" + logic_hash = "v1_sha256_156bc5bc7b0ed5c77a5a15e7799a3077d40150896476a60935cf21a9afe36856" score = 75 quality = 80 tags = "" 
@@ -126092,22 +126233,20 @@ rule ESET_Apt_Windows_Invisimole_Wrapper_DLL version = "1" condition: - pe.exports("GetDataLength") and for any y in (0..pe.number_of_resources-1) : (pe.resources[y].type==pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string=="R\x00C\x002\x00C\x00L\x00") and for any y in (0..pe.number_of_resources-1) : (pe.resources[y].type==pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string=="R\x00C\x002\x00F\x00M\x00") + pe.exports( "GetDataLength" ) and for any y in ( 0 .. pe.number_of_resources - 1 ) : ( pe.resources [ y ] . type == pe.RESOURCE_TYPE_RCDATA and pe.resources [ y ] . name_string == "R\x00C\x002\x00C\x00L\x00" ) and for any y in ( 0 .. pe.number_of_resources - 1 ) : ( pe.resources [ y ] . type == pe.RESOURCE_TYPE_RCDATA and pe.resources [ y ] . name_string == "R\x00C\x002\x00F\x00M\x00" ) } -import "pe" - rule ESET_Apt_Windows_Invisimole_DNS_Downloader : FILE { meta: description = "InvisiMole DNS downloader" author = "ESET Research" - id = "1caa6c8b-3798-556e-835e-885b7f3f4511" + id = "73835013-57dc-5668-9472-afdf0f26bce4" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L140-L170" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "88d6ed7ec1331153d19afc18473a4be2b214ad8af29fcf7051a2a8e40e088231" + logic_hash = "v1_sha256_88d6ed7ec1331153d19afc18473a4be2b214ad8af29fcf7051a2a8e40e088231" score = 75 quality = 80 tags = "FILE" 
@@ -126131,22 +126270,20 @@ rule ESET_Apt_Windows_Invisimole_DNS_Downloader : FILE $s13 = "rundll32.exe \"%s\",StartUI" condition: - (( uint16(0)==0x5A4D) or ESET_Invisimole_Blob_PRIVATE) and $d and 5 of ($s*) + (( uint16( 0 ) == 0x5A4D ) or ESET_Invisimole_Blob_PRIVATE ) and $d and 5 of ( $s* ) } -import "pe" - rule ESET_Apt_Windows_Invisimole_RC2CL_Backdoor : FILE { meta: description = "InvisiMole RC2CL backdoor" author = "ESET Research" - id = "0228b8ee-bf03-504e-8cdf-8a1c9a79d54e" + id = "f9b56c6a-bd6b-5290-a06b-d115d3f92d34" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L172-L213" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "c38550023515d33eaaf0669cc8b874bcfd09653a07c7edbf72e3344d1cf31541" + logic_hash = "v1_sha256_c38550023515d33eaaf0669cc8b874bcfd09653a07c7edbf72e3344d1cf31541" score = 75 quality = 78 tags = "FILE" 
@@ -126178,22 +126315,20 @@ rule ESET_Apt_Windows_Invisimole_RC2CL_Backdoor : FILE $s22 = "SettingsSR2" wide condition: - (( uint16(0)==0x5A4D) or ESET_Invisimole_Blob_PRIVATE) and 5 of ($s*) + (( uint16( 0 ) == 0x5A4D ) or ESET_Invisimole_Blob_PRIVATE ) and 5 of ( $s* ) } -import "pe" - rule ESET_Apt_Windows_Invisimole : FILE { meta: description = "InvisiMole magic values, keys and strings" author = "ESET Research" - id = "4d48996b-9792-57ba-a302-349220323712" + id = "86e6be27-2a38-5791-9e2d-2be518609c18" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L215-L255" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "7a2cff9febe77d718089ba4e1a33f3487594588892e418cec685bf22b156fa2b" + logic_hash = "v1_sha256_7a2cff9febe77d718089ba4e1a33f3487594588892e418cec685bf22b156fa2b" score = 75 quality = 80 tags = "FILE" 
@@ -126212,22 +126347,20 @@ rule ESET_Apt_Windows_Invisimole : FILE $check_magic_new_64 = {81 3? 64 DA 11 CE} condition: - (( uint16(0)==0x5A4D) or ESET_Invisimole_Blob_PRIVATE) and ( any of ($check_magic*)) and (2 of ($s*)) + (( uint16( 0 ) == 0x5A4D ) or ESET_Invisimole_Blob_PRIVATE ) and ( any of ( $check_magic* ) ) and ( 2 of ( $s* ) ) } -import "pe" - rule ESET_Apt_Windows_Invisimole_C2 : FILE { meta: description = "InvisiMole C&C servers" author = "ESET Research" - id = "9279c8cd-2c16-5f90-a7f5-e668d57c805b" + id = "840d849f-c23e-5f56-a078-4647199533a2" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L257-L297" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "aff8456ce7a9ebe875c02e51c09b77ee7b1fddfc11d4ad236e12c8c5240a01a8" + logic_hash = "v1_sha256_aff8456ce7a9ebe875c02e51c09b77ee7b1fddfc11d4ad236e12c8c5240a01a8" score = 75 quality = 78 tags = "FILE" 
@@ -126262,20 +126395,20 @@ rule ESET_Apt_Windows_Invisimole_C2 : FILE $s25 = "update.xn--6frz82g" ascii wide condition: - (( uint16(0)==0x5A4D) or ESET_Invisimole_Blob_PRIVATE) and $s21 and any of them + (( uint16( 0 ) == 0x5A4D ) or ESET_Invisimole_Blob_PRIVATE ) and $s21 and any of them } rule ESET_Onimiki : LINUX_ONIMIKI { meta: description = "Linux/Onimiki malicious DNS server" author = "Olivier Bilodeau " - id = "3a99799f-fbb4-5fee-a796-3310acd10e17" + id = "c005baad-5bec-5136-ba66-d3344ae2a564" date = "2014-02-06" modified = "2014-04-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/windigo-onimiki.yar#L32-L59" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "eac30f5c9a9606d1d0e14c55e0532c54976fbb0d2e4f5cd2d9f719b77e07161a" + logic_hash = "v1_sha256_eac30f5c9a9606d1d0e14c55e0532c54976fbb0d2e4f5cd2d9f719b77e07161a" score = 75 quality = 80 tags = "LINUX/ONIMIKI" @@ -126298,21 +126431,19 @@ rule ESET_Onimiki : LINUX_ONIMIKI condition: all of them } -import "elf" - rule ESET_Helimodproxy { meta: description = "HelimodProxy malicious Apache module" author = "ESET, spol. s r.o." - id = "8c05bd0b-9645-580c-ac80-58e45b2a8884" + id = "ebf3f1f6-8790-53ca-bca5-70d7b2075516" date = "2024-04-27" modified = "2024-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/helimod.yar#L32-L54" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "e39667aa137e315bc26eaef791ccab52938fd809" - logic_hash = "9e3d57add1042eff41b42f0c8d46ed37af4092d5af4d4b2088b07992a4649bc2" + logic_hash = "v1_sha256_9e3d57add1042eff41b42f0c8d46ed37af4092d5af4d4b2088b07992a4649bc2" score = 75 quality = 80 tags = "" 
@@ -126327,23 +126458,21 @@ rule ESET_Helimodproxy $5 = "pmtad" condition: - ESET_Apachemodule_PRIVATE and ($1 or ($2 and $3) or ($4 and $5)) + ESET_Apachemodule_PRIVATE and ( $1 or ( $2 and $3 ) or ( $4 and $5 ) ) } -import "elf" - rule ESET_Helimodredirect { meta: description = "HelimodRedirect malicious Apache module" author = "ESET, spol. s r.o." - id = "d8fe674d-8895-5501-b2e3-f74c386e10f0" + id = "c19619a0-b541-5ebe-ab92-bc7f07bbf7ac" date = "2024-04-27" modified = "2024-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/helimod.yar#L56-L79" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "e39667aa137e315bc26eaef791ccab52938fd809" - logic_hash = "1a85cae7ee354e5d96e88781b4e0a49757016d8b64dfb80c07a13b36bf9091e2" + logic_hash = "v1_sha256_1a85cae7ee354e5d96e88781b4e0a49757016d8b64dfb80c07a13b36bf9091e2" score = 75 quality = 80 tags = "" 
@@ -126358,23 +126487,21 @@ rule ESET_Helimodredirect $r2 = "REDIRECT_URL" condition: - ESET_Apachemodule_PRIVATE and any of ($h*) and any of ($r*) + ESET_Apachemodule_PRIVATE and any of ( $h* ) and any of ( $r* ) } -import "elf" - rule ESET_Helimodsteal { meta: description = "HelimodSteal malicious Apache module" author = "ESET, spol. s r.o." - id = "7b080f21-d6e3-5dda-bfd9-fb9d82fbb98e" + id = "686daa28-449a-5fe0-8f80-e2345e5f6f65" date = "2024-04-27" modified = "2024-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/helimod.yar#L81-L105" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "e39667aa137e315bc26eaef791ccab52938fd809" - logic_hash = "9c0a5842dc986fec667fc7d7ad9d0c63b89b4a5ec87c9c9b72574ca5b15df928" + logic_hash = "v1_sha256_9c0a5842dc986fec667fc7d7ad9d0c63b89b4a5ec87c9c9b72574ca5b15df928" score = 75 quality = 80 tags = "" @@ -126390,7 +126517,7 @@ rule ESET_Helimodsteal $s3 = "POST /" condition: - ESET_Apachemodule_PRIVATE and any of ($h*) and any of ($s*) + ESET_Apachemodule_PRIVATE and any of ( $h* ) and any of ( $s* ) } import "elf" 
@@ -126399,14 +126526,14 @@ rule ESET_Libkeyutils_With_Ctor meta: description = "This rule detects if a libkeyutils.so shared library has a potentially malicious function to be called when loaded, either via a glibc constructor (DT_INIT + .ctors) or an initializer function in DT_INIT_ARRAY." author = "ESET, spol. s r.o." - id = "7b466bf7-f895-569d-99b0-eca95a6ebc83" + id = "edd3daae-1d1e-5684-8fc7-18a8030728f9" date = "2024-02-01" modified = "2024-04-29" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/ebury.yar#L3-L54" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "e7debd6e453192ad8376db5bab03ed0d87566591" - logic_hash = "c6172aebc67a05fb044b0450aafcc71c7d1fd2831985587d1a9ad53f59e14214" + logic_hash = "v1_sha256_c6172aebc67a05fb044b0450aafcc71c7d1fd2831985587d1a9ad53f59e14214" score = 75 quality = 80 tags = "" 
@@ -126417,23 +126544,21 @@ rule ESET_Libkeyutils_With_Ctor $libname = "libkeyutils.so.1" condition: - for any ptr_size in (4,8) : (((ptr_size==4 and elf.machine==elf.EM_386) or (ptr_size==8 and elf.machine==elf.EM_X86_64)) and for any d in elf.dynamic : (d.type==elf.DT_SONAME and ( for any s in elf.sections : (s.name==".dynstr" and $libname at (s.offset+d.val)) or for any s in elf.dynamic : (s.type==elf.DT_STRTAB and $libname at (s.val+d.val)))) and ( for any s in elf.sections : (s.name==".ctors" and s.size>2*ptr_size) or for any d in elf.dynamic : (d.type==elf.DT_INIT_ARRAYSZ and d.val>ptr_size))) + for any ptr_size in ( 4 , 8 ) : ( ( ( ptr_size == 4 and elf.machine == elf.EM_386 ) or ( ptr_size == 8 and elf.machine == elf.EM_X86_64 ) ) and for any d in elf.dynamic : ( d.type == elf.DT_SONAME and ( for any s in elf.sections : ( s.name == ".dynstr" and $libname at ( s.offset + d.val ) ) or for any s in elf.dynamic : ( s.type == elf.DT_STRTAB and $libname at ( s.val + d.val ) ) ) ) and ( for any s in elf.sections : ( s.name == ".ctors" and s.size > 2 * ptr_size ) or for any d in elf.dynamic : ( d.type == elf.DT_INIT_ARRAYSZ and d.val > ptr_size ) ) ) } -import "elf" - rule ESET_Ebury_V1_7_Crypto { meta: description = "This rule detects the strings decryption routine in Ebury v1.7 and v1.8" author = "ESET, spol. s r.o." 
- id = "93dadf5f-b572-5217-8c82-4957c6d24955" + id = "df629161-4051-56cd-9273-3dc669265b7c" date = "2023-08-01" modified = "2024-04-29" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/ebury.yar#L56-L97" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "e7debd6e453192ad8376db5bab03ed0d87566591" - logic_hash = "41908951069a472d7528f2f228f3681f008d16a0436e341d339909efc4933e66" + logic_hash = "v1_sha256_41908951069a472d7528f2f228f3681f008d16a0436e341d339909efc4933e66" score = 75 quality = 80 tags = "" @@ -126472,13 +126597,13 @@ rule ESET_Mozi_Killswitch : FILE meta: description = "Mozi botnet kill switch" author = "Ivan Besina" - id = "e3d34ae0-de06-5ff4-b44b-44d264b6dd29" + id = "13bc2685-367c-5176-a71a-db3081cf9d5e" date = "2023-09-29" modified = "2023-10-31" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/mozi/mozi.yar#L32-L51" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "90eaed2f7f5595b145b2678a46ef6179082192215369fa9235024b0ce1574a49" + logic_hash = "v1_sha256_90eaed2f7f5595b145b2678a46ef6179082192215369fa9235024b0ce1574a49" score = 75 quality = 80 tags = "FILE" 
@@ -126492,20 +126617,20 @@ rule ESET_Mozi_Killswitch : FILE $networks = "/usr/networks" condition: - all of them and filesize <500KB + all of them and filesize < 500KB } rule ESET_Keydnap_Downloader { meta: description = "OSX/Keydnap Downloader" author = "Marc-Etienne M.Léveillé" - id = "2b21007a-b143-5538-8777-ba35448d00aa" + id = "34485838-a8c7-5f84-83dc-3b5fe2962dae" date = "2016-07-06" modified = "2016-07-06" reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/keydnap/keydnap.yar#L33-L49" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "71c8885193a92fa9c71055c37e629a54d50070cf6820b9216a824ecc4db2ce3c" + logic_hash = "v1_sha256_71c8885193a92fa9c71055c37e629a54d50070cf6820b9216a824ecc4db2ce3c" score = 75 quality = 80 tags = "" @@ -126524,13 +126649,13 @@ rule ESET_Keydnap_Backdoor_Packer meta: description = "OSX/Keydnap packed backdoor" author = "Marc-Etienne M.Léveillé" - id = "f29ad5af-bc86-5764-9451-5a8363788c4e" + id = "6ea75f11-d2a8-5771-b1b3-5da958746078" date = "2016-07-06" modified = "2016-07-06" reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/keydnap/keydnap.yar#L51-L67" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "b1740bf38376be81d3b42306c2ce81f578c0b5c9db804f063836bf98f57ed147" + logic_hash = "v1_sha256_b1740bf38376be81d3b42306c2ce81f578c0b5c9db804f063836bf98f57ed147" score = 75 quality = 80 tags = "" 
@@ -126549,13 +126674,13 @@ rule ESET_Keydnap_Backdoor meta: description = "Unpacked OSX/Keydnap backdoor" author = "Marc-Etienne M.Léveillé" - id = "099c1796-6237-5ec1-ba25-cd5feca79865" + id = "ca0cb509-24bf-5d45-a9ee-fd5ac5746a9d" date = "2016-07-06" modified = "2016-07-06" reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/keydnap/keydnap.yar#L69-L86" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "fa209577a562ef9088d3ad3df3fbc0edda96f09d19177842f0ddea42c658f530" + logic_hash = "v1_sha256_fa209577a562ef9088d3ad3df3fbc0edda96f09d19177842f0ddea42c658f530" score = 75 quality = 80 tags = "" @@ -126576,13 +126701,13 @@ rule ESET_Linux_Rakos meta: description = "Linux/Rakos.A executable" author = "Peter Kálnai" - id = "3c15401a-22c1-59e2-a979-1f9a6a990ae0" + id = "05ccf096-cd01-5d82-8a8a-86ce09677e48" date = "2016-12-13" modified = "2016-12-19" reference = "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/rakos/rakos.yar#L33-L53" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "79a02ada56bf75c5f178b58822eb905977cace3483453ea8cf4dfc32f6b6c30d" + logic_hash = "v1_sha256_79a02ada56bf75c5f178b58822eb905977cace3483453ea8cf4dfc32f6b6c30d" score = 75 quality = 80 tags = "" 
@@ -126604,13 +126729,13 @@ rule ESET_Mumblehard_Packer meta: description = "Mumblehard i386 assembly code responsible for decrypting Perl code" author = "Marc-Etienne M.Léveillé" - id = "981c18e3-ac28-54f5-97ab-44b1d12a1389" + id = "ec3d1200-9e00-5d1b-8135-904eea70ecbc" date = "2015-04-07" modified = "2015-05-01" reference = "http://www.welivesecurity.com" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/mumblehard/mumblehard_packer.yar#L32-L47" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "a04f50a7054c4ce8ad9be4e7f3373ad4f36eb9443e223601974e852c25603f5f" + logic_hash = "v1_sha256_a04f50a7054c4ce8ad9be4e7f3373ad4f36eb9443e223601974e852c25603f5f" score = 75 quality = 80 tags = "" @@ -126629,13 +126754,13 @@ rule ESET_Kobalos meta: description = "Kobalos malware" author = "Marc-Etienne M.Léveillé" - id = "cdffbe3d-c19d-53a8-9051-48affae00c8a" + id = "dfc3a318-690f-5ed2-86a1-57b7dc428e32" date = "2020-11-02" modified = "2021-02-01" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/kobalos/kobalos.yar#L32-L56" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "9161d22f9fbb1700dc3121e32104240e34512cb280aaf950aec61513f89061ef" + logic_hash = "v1_sha256_9161d22f9fbb1700dc3121e32104240e34512cb280aaf950aec61513f89061ef" score = 75 quality = 80 tags = "" 
@@ -126661,13 +126786,13 @@ rule ESET_Kobalos_Ssh_Credential_Stealer meta: description = "Kobalos SSH credential stealer seen in OpenSSH client" author = "Marc-Etienne M.Léveillé" - id = "b1fc5163-de48-57fc-8ae7-1f2be6c64d8a" + id = "dd64875b-5ef8-54c6-8b82-c4fad7bf95f0" date = "2020-11-02" modified = "2021-02-01" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/kobalos/kobalos.yar#L58-L73" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "be238f5c2cc976a5638584a8c0fc580f2076735aadfe374e8d4162ba723bce10" + logic_hash = "v1_sha256_be238f5c2cc976a5638584a8c0fc580f2076735aadfe374e8d4162ba723bce10" score = 75 quality = 80 tags = "" @@ -126680,20 +126805,18 @@ rule ESET_Kobalos_Ssh_Credential_Stealer condition: any of them } -import "pe" - rule ESET_Generic_Carbon : FILE { meta: description = "Turla Carbon malware" author = "ESET Research" - id = "efdc0d16-a974-5c00-a401-391d60f3081e" + id = "d5a31151-84f8-5ad4-b61f-608c185b6c85" date = "2017-03-30" modified = "2017-03-30" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/carbon.yar#L33-L51" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "6481ccafb7c7c78bc52d01881cb96f3aa6209fdd35e090bdc9d5f5105b4e38ea" + logic_hash = "v1_sha256_6481ccafb7c7c78bc52d01881cb96f3aa6209fdd35e090bdc9d5f5105b4e38ea" score = 75 quality = 80 tags = "FILE" @@ -126706,7 +126829,7 @@ rule ESET_Generic_Carbon : FILE $t2 = "STOP|KILL" condition: - ( uint16(0)==0x5a4d) and (1 of ($s*)) and (1 of ($t*)) + ( uint16( 0 ) == 0x5a4d ) and ( 1 of ( $s* ) ) and ( 1 of ( $t* ) ) } import "pe" 
@@ -126715,13 +126838,13 @@ rule ESET_Carbon_Metadata meta: description = "Turla Carbon malware" author = "ESET Research" - id = "976b6a7d-00bf-5d0f-baf9-84fc5dbd21a2" + id = "fcad3fdb-e0ef-52ca-838c-117abe6e7e41" date = "2017-03-30" modified = "2017-03-30" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/carbon.yar#L53-L69" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "81b59e9566f3b3356acf12dadb80abdcbee28e0b1a9efead66fcb95bf6fc1aa5" + logic_hash = "v1_sha256_81b59e9566f3b3356acf12dadb80abdcbee28e0b1a9efead66fcb95bf6fc1aa5" score = 75 quality = 80 tags = "" 
@@ -126729,22 +126852,20 @@ rule ESET_Carbon_Metadata license = "BSD 2-Clause" condition: - (pe.version_info["InternalName"] contains "SERVICE.EXE" or pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or pe.version_info["InternalName"] contains "MSXIML.DLL") and pe.version_info["CompanyName"] contains "Microsoft Corporation" + (pe.version_info [ "InternalName" ] contains "SERVICE.EXE" or pe.version_info [ "InternalName" ] contains "MSIMGHLP.DLL" or pe.version_info [ "InternalName" ] contains "MSXIML.DLL" ) and pe.version_info [ "CompanyName" ] contains "Microsoft Corporation" } -import "pe" - rule ESET_Turla_Outlook_Gen { meta: description = "Turla Outlook malware" author = "ESET Research" - id = "efef2443-c941-54c2-abfa-bbe29c53d930" + id = "f7c7b0e5-e741-535f-93d2-66b5ff1121c2" date = "2018-05-09" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L42-L74" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "f709e517e9d957775601670c426cc9def1c4104cb1ff647d269800d2af4372c7" + logic_hash = "v1_sha256_f709e517e9d957775601670c426cc9def1c4104cb1ff647d269800d2af4372c7" score = 75 quality = 78 tags = "" 
@@ -126776,20 +126897,18 @@ rule ESET_Turla_Outlook_Gen condition: ESET_Not_Ms_PRIVATE and 5 of them } -import "pe" - rule ESET_Turla_Outlook_Filenames { meta: description = "Turla Outlook filenames" author = "ESET Research" - id = "3a08003d-50d6-5fdf-9f74-222335ebfa3e" + id = "66a31c76-aa67-5040-be48-75beb47fbc61" date = "2018-08-22" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L76-L91" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "3be86c9325de6634c032321beed131fdf1e1952afcb43258fb202d0097610501" + logic_hash = "v1_sha256_3be86c9325de6634c032321beed131fdf1e1952afcb43258fb202d0097610501" score = 75 quality = 80 tags = "" @@ -126804,20 +126923,18 @@ rule ESET_Turla_Outlook_Filenames condition: any of them } -import "pe" - rule ESET_Turla_Outlook_Log { meta: description = "First bytes of the encrypted Turla Outlook logs" author = "ESET Research" - id = "b0031c08-8418-5a02-8a2c-daa7236f46f0" + id = "8dfa0ef7-59d2-5e28-9bc8-6b17d972ef67" date = "2018-08-22" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L93-L107" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "e7dc00c33a643c0940aaea2096d099192b27df3c81c518f1dc2b3d45a0a74312" + logic_hash = "v1_sha256_e7dc00c33a643c0940aaea2096d099192b27df3c81c518f1dc2b3d45a0a74312" score = 75 quality = 80 tags = "" 
@@ -126837,13 +126954,13 @@ rule ESET_Turla_Outlook_Exports meta: description = "Export names of Turla Outlook Malware" author = "ESET Research" - id = "6df4f75e-711a-539d-94bf-9e4e2063ecd4" + id = "a45588d9-5280-5194-949a-857aa4467a60" date = "2018-08-22" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L109-L125" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "a961fdb43ea1e99b308f55b8f5e264b1f3fa817eaf463d512e2ad8b98a18ee99" + logic_hash = "v1_sha256_a961fdb43ea1e99b308f55b8f5e264b1f3fa817eaf463d512e2ad8b98a18ee99" score = 75 quality = 80 tags = "" @@ -126851,7 +126968,7 @@ rule ESET_Turla_Outlook_Exports license = "BSD 2-Clause" condition: - (pe.exports("install") or pe.exports("Install")) and pe.exports("TBP_Initialize") and pe.exports("TBP_Finalize") and pe.exports("TBP_GetName") and pe.exports("DllRegisterServer") and pe.exports("DllGetClassObject") + (pe.exports ( "install" ) or pe.exports ( "Install" ) ) and pe.exports ( "TBP_Initialize" ) and pe.exports ( "TBP_Finalize" ) and pe.exports ( "TBP_GetName" ) and pe.exports ( "DllRegisterServer" ) and pe.exports ( "DllGetClassObject" ) } import "pe" 
@@ -126860,13 +126977,13 @@ rule ESET_Gazer_Certificate_Subject meta: description = "Turla Gazer malware" author = "ESET Research" - id = "a7719333-b341-538c-a8ed-5c50b653a765" + id = "b3bd1c45-c002-5ec6-b238-b2c01602501a" date = "2017-08-30" modified = "2017-08-29" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/gazer.yar#L33-L46" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "6e870c9cdcee33769162de62ea143ff401af50b22a63d2f212c44d06f5771dec" + logic_hash = "v1_sha256_6e870c9cdcee33769162de62ea143ff401af50b22a63d2f212c44d06f5771dec" score = 75 quality = 80 tags = "" @@ -126874,22 +126991,20 @@ rule ESET_Gazer_Certificate_Subject license = "BSD 2-Clause" condition: - for any i in (0..pe.number_of_signatures-1) : (pe.signatures[i].subject contains "Solid Loop" or pe.signatures[i].subject contains "Ultimate Computer Support") + for any i in ( 0 .. pe.number_of_signatures - 1 ) : ( pe.signatures [ i ] . subject contains "Solid Loop" or pe.signatures [ i ] . subject contains "Ultimate Computer Support" ) } -import "pe" - rule ESET_Gazer_Certificate : FILE { meta: description = "Turla Gazer malware" author = "ESET Research" - id = "e90bbe53-4e7f-59c4-a505-4893150bf824" + id = "9f9e4e3c-f495-51f6-b9de-59040fad66af" date = "2017-08-30" modified = "2017-08-29" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/gazer.yar#L48-L65" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "eb3afbaefd23d4fc6ded494d3378dc910a0832b160e733ab79c590128dd74cea" + logic_hash = "v1_sha256_eb3afbaefd23d4fc6ded494d3378dc910a0832b160e733ab79c590128dd74cea" score = 75 quality = 80 tags = "FILE" 
@@ -126901,22 +127016,20 @@ rule ESET_Gazer_Certificate : FILE $certif2 = {12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c} condition: - ( uint16(0)==0x5a4d) and 1 of them and filesize <2MB + ( uint16( 0 ) == 0x5a4d ) and 1 of them and filesize < 2MB } -import "pe" - rule ESET_Gazer_Logfile_Name : FILE { meta: description = "Turla Gazer malware" author = "ESET Research" - id = "3e1454e9-dddf-5197-b486-b96d725fdb58" + id = "c049ecd5-91ee-5342-83fd-bc6ae022818e" date = "2017-08-30" modified = "2017-08-29" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/gazer.yar#L67-L85" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "b50553f4b4b07f124e5bd390e7dc8ac6b60a8ef185f3bc227894f957d6483478" + logic_hash = "v1_sha256_b50553f4b4b07f124e5bd390e7dc8ac6b60a8ef185f3bc227894f957d6483478" score = 75 quality = 80 tags = "FILE" @@ -126929,20 +127042,20 @@ rule ESET_Gazer_Logfile_Name : FILE $s3 = "CVRG38D9.tmp.cvr" condition: - ( uint16(0)==0x5a4d) and 1 of them + ( uint16( 0 ) == 0x5a4d ) and 1 of them } rule ESET_Moose_1 { meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "4d228de6-ddbf-57c0-a330-5840c4d40dfc" + id = "3b0dba8a-984c-5c2c-80c7-c285baa45207" date = "2015-04-21" modified = "2016-11-01" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/moose/linux-moose.yar#L41-L76" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "8bedac80a1f754ce56294ba9786b62a002aacd074f756724401efc61def127e6" + logic_hash = "v1_sha256_8bedac80a1f754ce56294ba9786b62a002aacd074f756724401efc61def127e6" score = 75 quality = 30 tags = "" 
@@ -126981,13 +127094,13 @@ rule ESET_Moose_2 meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "74372984-dace-5665-a5d0-39b8d1002fa1" + id = "827f0e54-94ff-57fd-a5b4-2718197b2169" date = "2016-10-02" modified = "2016-11-01" reference = "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/moose/linux-moose.yar#L78-L110" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "3f50d2d81d4c27e44d93804adcf93971017767ed0e020447cdb343931c2fbc43" + logic_hash = "v1_sha256_3f50d2d81d4c27e44d93804adcf93971017767ed0e020447cdb343931c2fbc43" score = 75 quality = 80 tags = "" @@ -127026,7 +127139,7 @@ rule ESET_Sparklinggoblin_Chacha20Loader_Richheader meta: description = "Rule matching ChaCha20 loaders rich header" author = "ESET Research" - id = "e1dac369-f25e-5cb3-aafa-b0c45f05b295" + id = "a9e164e9-7295-5ea0-b807-71d4a8d374d2" date = "2021-03-30" modified = "2021-08-26" reference = "https://github.com/eset/malware-ioc/" 
@@ -127039,23 +127152,21 @@ rule ESET_Sparklinggoblin_Chacha20Loader_Richheader hash = "4cec7cdc78d95c70555a153963064f216dae8799" hash = "4d4c1a062a0390b20732ba4d65317827f2339b80" hash = "4f6949a4906b834e83ff951e135e0850fe49d5e4" - logic_hash = "a5c9595036dec0e0aef0a030c590189752217d15d3f53bf3dc537f5b43fae63e" + logic_hash = "v1_sha256_a5c9595036dec0e0aef0a030c590189752217d15d3f53bf3dc537f5b43fae63e" score = 75 quality = 80 tags = "" license = "BSD 2-Clause" condition: - pe.rich_signature.length>=104 and pe.rich_signature.length<=112 and pe.rich_signature.toolid(241,40116)>=5 and pe.rich_signature.toolid(241,40116)<=10 and pe.rich_signature.toolid(147,30729)==11 and pe.rich_signature.toolid(264,24215)>=15 and pe.rich_signature.toolid(264,24215)<=16 + pe.rich_signature.length>= 104 and pe.rich_signature.length <= 112 and pe.rich_signature.toolid ( 241 , 40116 ) >= 5 and pe.rich_signature.toolid ( 241 , 40116 ) <= 10 and pe.rich_signature.toolid ( 147 , 30729 ) == 11 and pe.rich_signature.toolid ( 264 , 24215 ) >= 15 and pe.rich_signature.toolid ( 264 , 24215 ) <= 16 } -import "pe" - rule ESET_Sparklinggoblin_Chacha20 : FILE { meta: description = "SparklingGoblin ChaCha20 implementations" author = "ESET Research" - id = "c0caceca-f685-5786-82f6-3ab7435f8061" + id = "ad70c9c3-2b57-53e8-ae7d-913e8f574f6a" date = "2021-05-20" modified = "2021-08-26" reference = "https://github.com/eset/malware-ioc/" @@ -127068,7 +127179,7 @@ rule ESET_Sparklinggoblin_Chacha20 : FILE hash = "9bdecb08e16a23d271d0a3e836d9e7f83d7e2c3b" hash = "9ce7650f2c08c391a35d69956e171932d116b8bd" hash = "91b32e030a1f286e7d502ca17e107d4bfbd7394a" - logic_hash = "b742bc22e0ebbce40607cb109b4d6fb03a40c1fb223c8092d93346dd3dd22789" + logic_hash = "v1_sha256_b742bc22e0ebbce40607cb109b4d6fb03a40c1fb223c8092d93346dd3dd22789" score = 75 quality = 80 tags = "FILE" 
@@ -127359,16 +127470,14 @@ rule ESET_Sparklinggoblin_Chacha20 : FILE } condition: - any of them and filesize <450KB + any of them and filesize < 450KB } -import "pe" - rule ESET_Sparklinggoblin_Etweventwrite { meta: description = "SparklingGoblin EtwEventWrite patching" author = "ESET Research" - id = "27b36ee1-a98c-5174-a156-8e0b0d0a58cd" + id = "a1c5685a-f41f-5258-82cf-962e446d93ae" date = "2021-05-20" modified = "2021-08-26" reference = "https://github.com/eset/malware-ioc/" @@ -127380,7 +127489,7 @@ rule ESET_Sparklinggoblin_Etweventwrite hash = "4668302969fe122874fb2447a80378dcb671c86b" hash = "9bdecb08e16a23d271d0a3e836d9e7f83d7e2c3b" hash = "9ce7650f2c08c391a35d69956e171932d116b8bd" - logic_hash = "45615dcc5302392c18052818071623a9d1a1008c460bdb24a4acfb4300356c6b" + logic_hash = "v1_sha256_45615dcc5302392c18052818071623a9d1a1008c460bdb24a4acfb4300356c6b" score = 75 quality = 80 tags = "" @@ -127459,14 +127568,12 @@ rule ESET_Sparklinggoblin_Etweventwrite condition: any of them } -import "pe" - rule ESET_Sparklinggoblin_Mutex { meta: description = "SparklingGoblin ChaCha20 loaders mutexes" author = "ESET Research" - id = "e33d2bc1-29d6-5117-8e0f-31f8bced0979" + id = "bf6e1bd3-90c2-5a78-a06f-eefb2a07b333" date = "2021-05-20" modified = "2021-08-26" reference = "https://github.com/eset/malware-ioc/" @@ -127478,7 +127585,7 @@ rule ESET_Sparklinggoblin_Mutex hash = "4668302969fe122874fb2447a80378dcb671c86b" hash = "9bdecb08e16a23d271d0a3e836d9e7f83d7e2c3b" hash = "9ce7650f2c08c391a35d69956e171932d116b8bd" - logic_hash = "00fbd514c8e2d6dea3b0f175e857a613e158b64caf1f970e814d62f1ebe9d35c" + logic_hash = "v1_sha256_00fbd514c8e2d6dea3b0f175e857a613e158b64caf1f970e814d62f1ebe9d35c" score = 75 quality = 80 tags = "" 
@@ -127495,9 +127602,9 @@ rule ESET_Sparklinggoblin_Mutex * YARA Rule Set * Repository Name: FireEye-RT * Repository: https://github.com/mandiant/red_team_tool_countermeasures/ - * Retrieval Date: 2024-12-08 + * Retrieval Date: 2024-12-15 * Git Commit: 3561b71724dbfa3e2bb78106aaa2d7f8b892c43b - * Number of Rules: 168 + * Number of Rules: 167 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) * * @@ -127534,14 +127641,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Keefarce_1 : FILE meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'KeeFarce' project." author = "FireEye" - id = "c17add0c-e09f-5ced-a4e1-bf60afad4725" + id = "01772245-e359-58b7-9628-e72e56a2d614" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/KEEFARCE/production/yara/HackTool_MSIL_KeeFarce_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "8db86230849137608880dbe448737fc70068d308772e294cc69301b18ae10908" + logic_hash = "v1_sha256_8db86230849137608880dbe448737fc70068d308772e294cc69301b18ae10908" score = 75 quality = 73 tags = "FILE" 
@@ -127551,21 +127658,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Keefarce_1 : FILE $typelibguid0 = "17589ea6-fcc9-44bb-92ad-d5b3eea6af03" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_APT_Hacktool_MSIL_DTRIM_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'dtrim' project, which is a modified version of SharpSploit." author = "FireEye" - id = "9be695a1-6d18-5952-974c-96a30f035e7a" + id = "17e3f523-e055-5178-a605-93b34566773e" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DTRIM/production/yara/APT_HackTool_MSIL_DTRIM_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "357c1f76631ec9ee342995cd12369fd9ff18c541bffe6f5464b1e8db45057196" + logic_hash = "v1_sha256_357c1f76631ec9ee342995cd12369fd9ff18c541bffe6f5464b1e8db45057196" score = 75 quality = 73 tags = "FILE" 
@@ -127575,14 +127682,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_DTRIM_1 : FILE $typelibguid0 = "7760248f-9247-4206-be42-a6952aa46da2" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_1 { meta: description = "smbexec" author = "FireEye" - id = "992d1132-3136-5e1b-a1ef-dcdf36ebf0f5" + id = "77ee7007-3208-587b-b111-8890185af1e1" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" @@ -127590,7 +127697,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_1 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/IMPACKETOBF (Smbexec)/production/yara/HackTool_PY_ImpacketObfuscation_1.yar#L4-L22" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "0b1e512afe24c31531d6db6b47bac8ee" - logic_hash = "45a4c0426b29b8c8bede9c4e8292131da7e756d48fc3ac4a07d08fd52383d21e" + logic_hash = "v1_sha256_45a4c0426b29b8c8bede9c4e8292131da7e756d48fc3ac4a07d08fd52383d21e" score = 75 quality = 75 tags = "" 
@@ -127612,14 +127719,14 @@ rule FIREEYE_RT_Tool_MSIL_Sharpgrep_1 : FILE meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGrep' project." author = "FireEye" - id = "c7569d33-f57d-5f9c-aa2a-78866c680b5b" + id = "685be367-29e6-5597-8bc5-0596cfccaad2" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPPGREP/production/yara/Tool_MSIL_SharpGrep_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "c22bfc50b3ab3c4082006aad3c3c89684cffe1e429b001b0bb08758856a47d04" + logic_hash = "v1_sha256_c22bfc50b3ab3c4082006aad3c3c89684cffe1e429b001b0bb08758856a47d04" score = 75 quality = 73 tags = "FILE" 
@@ -127629,21 +127736,21 @@ rule FIREEYE_RT_Tool_MSIL_Sharpgrep_1 : FILE $typelibguid0 = "f65d75b5-a2a6-488f-b745-e67fc075f445" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_Builder_MSIL_Sharpgenerator_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGenerator' project." author = "FireEye" - id = "ab661cba-f695-59d2-9071-9b9a90233457" + id = "848bcf14-f7b8-50e3-aa3b-76bd4550e016" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPGENERATOR/production/yara/Builder_MSIL_SharpGenerator_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "6dc0780e54d33df733aadc8a89077232baa63bf1cbe47c5d164c57ce3185dd71" + logic_hash = "v1_sha256_6dc0780e54d33df733aadc8a89077232baa63bf1cbe47c5d164c57ce3185dd71" score = 75 quality = 73 tags = "FILE" 
@@ -127653,21 +127760,21 @@ rule FIREEYE_RT_Builder_MSIL_Sharpgenerator_1 : FILE $typelibguid0 = "3f450977-d796-4016-bb78-c9e91c6a0f08" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_Hacktool_MSIL_INVEIGHZERO_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'inveighzero' project." author = "FireEye" - id = "f46fe365-ea50-5597-828e-61a7225e4c6e" + id = "30d562f5-04a7-5b2e-9900-30c32ce7b5cd" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/INVEIGHZERO/production/yara/HackTool_MSIL_INVEIGHZERO_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "5d10557a83dae9508469fe87f4c0c91beec4d2812856eee461a82d5dbb89aa35" + logic_hash = "v1_sha256_5d10557a83dae9508469fe87f4c0c91beec4d2812856eee461a82d5dbb89aa35" score = 75 quality = 73 tags = "FILE" 
@@ -127677,21 +127784,21 @@ rule FIREEYE_RT_Hacktool_MSIL_INVEIGHZERO_1 : FILE $typelibguid0 = "113ae281-d1e5-42e7-9cc2-12d30757baf1" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_Hacktool_MSIL_Rubeus_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project." author = "FireEye" - id = "0ca140ea-2b9f-5904-a4c0-8615229626f0" + id = "c769be4d-c991-59a4-9a4a-17c0fb72d7bd" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/RUBEUS/production/yara/HackTool_MSIL_Rubeus_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "66e0681a500c726ed52e5ea9423d2654" - logic_hash = "ad954f9922ab564d68cb4515b080f6ee69476a8d87f0038e2ae4c222f0e182d7" + logic_hash = "v1_sha256_ad954f9922ab564d68cb4515b080f6ee69476a8d87f0038e2ae4c222f0e182d7" score = 75 quality = 73 tags = "FILE" 
@@ -127701,21 +127808,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Rubeus_1 : FILE $typelibguid = "658C8B7F-3664-4A95-9572-A3E5871DFC06" ascii nocase wide condition: - uint16(0)==0x5A4D and $typelibguid + uint16( 0 ) == 0x5A4D and $typelibguid } rule FIREEYE_RT_APT_Loader_Win_PGF_1 : FILE { meta: description = "PDB string used in some PGF DLL samples" author = "FireEye" - id = "14e2102c-3572-5314-999c-ff3f6c94de03" + id = "b552aaef-216d-5d4e-9864-fada36d5ffd6" date = "2024-03-04" modified = "2024-03-04" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win_PGF_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "013c7708f1343d684e3571453261b586" - logic_hash = "9dede268d33a38e980026917bd01bc47a72bfe60ba4a999c91eb727a2f377462" + logic_hash = "v1_sha256_9dede268d33a38e980026917bd01bc47a72bfe60ba4a999c91eb727a2f377462" score = 75 quality = 73 tags = "FILE" @@ -127727,14 +127834,14 @@ rule FIREEYE_RT_APT_Loader_Win_PGF_1 : FILE $pdb3 = /RSDS[\x00-\xFF]{20}q:\\objchk_win7_amd64\\amd64\\init\.pdb\x00/ nocase condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and filesize <15MB and any of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and filesize < 15MB and any of them } rule FIREEYE_RT_APT_Loader_MSIL_PGF_1 : FILE { meta: description = "base.cs" author = "FireEye" - id = "39d9821f-86e8-528a-a0a9-287dbe325484" + id = "8ab84f6f-a356-5328-9bb7-45e955d62542" date = "2020-11-24" date = "2020-11-24" modified = "2020-12-09" 
@@ -127742,7 +127849,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_PGF_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_MSIL_PGF_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "a495c6d11ff3f525915345fb762f8047" - logic_hash = "4174ed53336f3951d26282dc81b99b2044ac6350d4b4c0074194a9b4acecefee" + logic_hash = "v1_sha256_4174ed53336f3951d26282dc81b99b2044ac6350d4b4c0074194a9b4acecefee" score = 75 quality = 75 tags = "FILE" @@ -127752,14 +127859,14 @@ rule FIREEYE_RT_APT_Loader_MSIL_PGF_1 : FILE $sb1 = { 72 [4] 6F [2] 00 0A 26 [0-16] 0? 6F [2] 00 0A [1-3] 0? 28 [2] 00 0A [0-1] 0? 72 [4-5] 0? 28 [2] 00 0A [0-1] 0? 6F [2] 00 0A 13 ?? 1? 13 ?? 38 [8-16] 91 [3-6] 8E 6? 5D 91 61 D2 9C 11 ?? 1? 58 13 [3-5] 8E 6? 3F } condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Loader_Win64_PGF_1 : FILE { meta: description = "base dlls: /lib/payload/techniques/unmanaged_exports/" author = "FireEye" - id = "1f2280c0-0fdd-5930-947a-931274bccd6f" + id = "b0a37b7e-3375-5859-81fd-7064a72bbbf5" date = "2020-11-25" date = "2020-11-25" modified = "2020-12-09" 
@@ -127767,7 +127874,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_1.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "2b686a8b83f8e1d8b455976ae70dab6e" - logic_hash = "2e84d614c34b0b7f93fa70fa3312f22e3ff23f2abd33b2e19c00dd6cba7dcfdc" + logic_hash = "v1_sha256_2e84d614c34b0b7f93fa70fa3312f22e3ff23f2abd33b2e19c00dd6cba7dcfdc" score = 75 quality = 75 tags = "FILE" 
@@ -127779,21 +127886,21 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_1 : FILE $sb3 = { 48 89 4C 24 08 [4-64] 48 63 48 3C [0-32] 48 03 C1 [0-64] 0F B7 48 14 [0-64] 48 8D 44 08 18 [8-64] 0F B7 40 06 [2-32] 48 6B C0 28 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and all of them } rule FIREEYE_RT_APT_Loader_Win32_PGF_5 : FILE { meta: description = "PGF payload, generated rule based on symfunc/a86b004b5005c0bcdbd48177b5bac7b8" author = "FireEye" - id = "376875f3-00f2-58d0-ae22-7f52ea566da2" + id = "2e1c119b-be25-540c-8d41-0addd949762e" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_5.yar#L4-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "8c91a27bbdbe9fb0877daccd28bd7bb5" - logic_hash = "dfff615a1d329cf181294f7b0a32c11a21d66ff8a6aa6b9fcd183c9738369623" + logic_hash = "v1_sha256_dfff615a1d329cf181294f7b0a32c11a21d66ff8a6aa6b9fcd183c9738369623" score = 75 quality = 75 tags = "FILE" 
@@ -127806,21 +127913,21 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_5 : FILE $cond4 = { 8B FF 55 8B EC 81 EC 3? ?1 ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 E0 56 C7 45 F8 ?? ?? ?? ?? C6 85 D8 FE FF FF ?? 68 ?? ?? ?? ?? 6A ?? 8D 85 D9 FE FF FF 50 E8 ?? ?? ?? ?? 83 C4 0C C7 45 F4 ?? ?? ?? ?? C6 45 E7 ?? C7 45 E8 ?? ?? ?? ?? C7 45 EC ?? ?? ?? ?? C7 45 FC ?? ?? ?? ?? C7 45 F? ?? ?? ?? ?0 6A ?? 6A ?? 8D 8D D8 FE FF FF 51 6A ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 89 45 F8 6A ?? FF ?? ?? ?? ?? ?? 83 C4 04 89 45 E8 8B 45 F8 8A 48 04 88 4D E7 8B 55 F8 83 ?? ?? 8B 45 E8 8B 0A 89 08 8B 4A 04 89 48 04 8B 4A 08 89 48 08 8B 4A 0C 89 48 0C 8B 52 10 89 50 10 C7 85 D4 FE FF FF ?? ?? ?? ?? EB ?? 8B 85 D4 FE FF FF 83 C? ?1 89 85 D4 FE FF FF 83 BD D4 FE FF FF 14 7D ?? 8B 4D E8 03 8D D4 FE FF FF 0F B6 11 0F B6 45 E7 33 D0 8B 4D E8 03 8D D4 FE FF FF 88 11 EB ?? 8B 55 F8 8B 42 08 89 45 FC 6A ?? 68 ?? ?? ?? ?? 8B 4D FC 51 6A ?? FF ?? ?? ?? ?? ?? 89 45 EC 8B 55 FC 52 8B 45 F8 83 ?? ?? 50 8B 4D EC 51 E8 ?? ?? ?? ?? 83 C4 0C C7 85 D0 FE FF FF ?? ?? ?? ?? EB ?? 8B 95 D0 FE FF FF 83 C2 01 89 95 D0 FE FF FF 8B 85 D0 FE FF FF 3B 45 FC 73 ?? 8B 4D EC 03 8D D0 FE FF FF 0F B6 09 8B 85 D0 FE FF FF 99 BE ?? ?? ?? ?? F7 FE 8B 45 E8 0F B6 14 10 33 CA 8B 45 EC 03 85 D0 FE FF FF 88 08 EB ?? 8B 4D EC 89 4D F0 FF ?? ?? 5E 8B 4D E0 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and any of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and any of them } rule FIREEYE_RT_APT_Loader_Win64_PGF_3 : FILE { meta: description = "PGF payload, generated rule based on symfunc/8a2f2236fdfaa3583ab89076025c6269. Identifies dllmain_hook x64 payloads." 
author = "FireEye" - id = "340ea6d4-7111-520c-9bd4-0465a43ea235" + id = "76735d69-8d71-5fa1-91c6-1f7d6ee5a2b3" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_3.yar#L4-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "3bb34ebd93b8ab5799f4843e8cc829fa" - logic_hash = "fd82bdec54a76eed12cc8820ef39899f31ea6df21d905530a0d53770b3d9901b" + logic_hash = "v1_sha256_fd82bdec54a76eed12cc8820ef39899f31ea6df21d905530a0d53770b3d9901b" score = 75 quality = 75 tags = "FILE" 
@@ -127833,14 +127940,14 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_3 : FILE $cond4 = { 55 53 48 89 E5 48 81 EC 28 07 00 00 48 8B 05 D3 8B 06 00 FF D0 48 89 C1 48 8D 85 98 FD FF FF 41 B8 04 01 00 00 48 89 C2 E8 65 B4 00 00 85 C0 0F 94 C0 84 C0 0F 85 16 03 00 00 48 8D 45 AF 48 89 C1 E8 EC FE 00 00 48 8D 4D AF 48 8D 95 98 FD FF FF 48 8D 85 78 FD FF FF 49 89 C8 48 89 C1 E8 AF 96 01 00 48 8D 45 AF 48 89 C1 E8 F3 FE 00 00 48 8B 05 78 8B 06 00 FF D0 89 C2 B9 08 00 00 00 E8 6E B4 00 00 48 89 45 D0 48 83 7D D0 00 75 0A BB 00 00 00 00 E9 6C 02 00 00 48 C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 85 38 F9 FF FF 38 04 00 00 48 8D 95 38 F9 FF FF 48 8B 45 D0 48 89 C1 E8 B5 B3 00 00 89 45 E8 83 7D E8 00 74 57 48 8D 85 38 F9 FF FF 48 8D 50 30 48 8D 85 78 FD FF FF 41 B8 00 00 00 00 48 89 C1 E8 64 F3 00 00 48 83 F8 FF 0F 95 C0 84 C0 74 14 48 8B 85 50 F9 FF FF 48 89 45 F0 8B 85 58 F9 FF FF 89 45 EC 48 8D 95 38 F9 FF FF 48 8B 45 D0 48 89 C1 E8 5A B3 00 00 89 45 E8 EB A3 48 8B 45 D0 48 89 C1 48 8B 05 73 8A 06 00 FF D0 48 83 7D F0 00 74 06 83 7D EC 00 75 0A BB 00 00 00 00 E9 B9 01 00 00 48 8D 0D 45 C8 05 00 48 8B 05 B4 8A 06 00 FF D0 48 8D 15 41 C8 05 00 48 89 C1 48 8B 05 A9 8A 06 00 FF D0 48 89 45 C8 48 89 E8 48 89 45 E0 48 8D 95 28 F9 FF FF 48 8D 85 30 F9 FF FF 48 89 C1 48 8B 05 6C 8A 06 00 FF D0 C7 45 DC 00 00 00 00 48 8B 55 E0 48 8B 85 28 F9 FF FF 48 39 C2 0F 83 0D 01 00 00 48 8B 45 E0 48 8B 00 48 3D FF 0F 00 00 0F 86 EC 00 00 00 48 8B 45 E0 48 8B 00 48 39 45 C8 73 1E 48 8B 45 E0 48 8B 00 48 8B 55 C8 48 81 C2 00 10 00 00 48 39 D0 73 07 C7 45 DC 01 00 00 00 83 7D DC 00 0F 84 BB 00 00 00 48 8B 45 E0 48 8B 00 48 39 45 F0 0F 83 AA 00 00 00 48 8B 45 E0 48 8B 00 8B 4D EC 48 8B 55 F0 48 01 CA 48 39 D0 0F 83 90 00 00 00 48 C7 85 F8 F8 FF FF 00 00 00 00 48 C7 85 00 F9 FF FF 00 00 00 00 48 C7 85 08 F9 FF FF 00 00 00 00 48 C7 85 10 F9 FF FF 00 00 00 00 48 C7 85 18 F9 FF FF 00 00 00 00 48 C7 85 20 F9 FF FF 00 00 00 00 48 8B 45 E0 48 8B 00 48 8D 95 F8 F8 FF FF 41 B8 30 00 00 00 48 89 C1 48 8B 05 
54 8A 06 00 FF D0 8B 85 1C F9 FF FF 83 E0 20 85 C0 74 20 48 8B 45 E0 48 8B 00 48 8D 15 33 FA FF FF 48 89 C1 E8 D5 FC FF FF BB 00 00 00 00 EB 57 90 EB 01 90 48 83 45 E0 08 E9 DF FE FF FF 48 8B 45 F0 48 89 45 C0 48 8B 45 C0 8B 40 3C 48 63 D0 48 8B 45 F0 48 01 D0 48 89 45 B8 48 8B 45 B8 8B 40 28 89 C2 48 8B 45 F0 48 01 D0 48 89 45 B0 48 8B 45 B0 48 8D 15 DA F9 FF FF 48 89 C1 E8 7C FC FF FF BB 01 00 00 00 48 8D 85 78 FD FF FF 48 89 C1 E8 CE 9C 01 00 83 FB 01 EB 38 48 89 C3 48 8D 45 AF 48 89 C1 E8 3A FC 00 00 48 89 D8 48 89 C1 E8 4F AA 00 00 48 89 C3 48 8D 85 78 FD FF FF 48 89 C1 E8 9D 9C 01 00 48 89 D8 48 89 C1 E8 32 AA 00 00 90 48 81 C4 28 07 00 00 5B 5D C3 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and any of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and any of them } rule FIREEYE_RT_APT_Loader_Win32_PGF_1 : FILE { meta: description = "base dlls: /lib/payload/techniques/unmanaged_exports/" author = "FireEye" - id = "1af4f2ce-c540-5836-a749-43a0b08609b1" + id = "889ec46c-ff14-589a-90e3-9e0b024660e1" date = "2020-11-25" date = "2020-11-25" modified = "2020-12-09" @@ -127848,7 +127955,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_1.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "383161e4deaf7eb2ebeda2c5e9c3204c" - logic_hash = "d3fb0bd7b678b19ee2e0e846f4e13e4ce7e2629ecda123f34ef52f2af42d2a8e" + logic_hash = "v1_sha256_d3fb0bd7b678b19ee2e0e846f4e13e4ce7e2629ecda123f34ef52f2af42d2a8e" score = 75 quality = 75 tags = "FILE" 
@@ -127860,14 +127967,14 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_1 : FILE $sb3 = { 8B ?? 08 03 ?? 3C [2-32] 0F B? ?? 14 [0-32] 8D [2] 18 [2-64] 0F B? ?? 06 [3-64] 6B ?? 28 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and all of them } rule FIREEYE_RT_APT_Loader_Win64_PGF_2 : FILE { meta: description = "base dlls: /lib/payload/techniques/dllmain/" author = "FireEye" - id = "5253cb2a-28fd-57ab-be3d-f11cf2ea24cf" + id = "2904f561-3181-52e2-a4da-f5d67bbfbf7c" date = "2020-11-25" date = "2020-11-25" modified = "2020-12-09" @@ -127875,7 +127982,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_2 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_2.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "4326a7e863928ffbb5f6bdf63bb9126e" - logic_hash = "074f6d9ad78ecd4dd8e3d0b5c8b0f61a48374f3935b85c4222305b207b447ec7" + logic_hash = "v1_sha256_074f6d9ad78ecd4dd8e3d0b5c8b0f61a48374f3935b85c4222305b207b447ec7" score = 75 quality = 75 tags = "FILE" 
@@ -127887,14 +127994,14 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_2 : FILE $sb3 = { 63 ?? 3C [0-16] 03 [1-32] 0F B? ?? 14 [0-16] 8D ?? 18 [0-16] 03 [1-16] 66 ?? 3B ?? 06 7? [1-64] 48 8D 15 [4-32] FF 15 [4-16] 85 C0 [2-32] 41 0F B? ?? 06 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and all of them } rule FIREEYE_RT_APT_Loader_MSIL_PGF_2 : FILE { meta: description = "base.js, ./lib/payload/techniques/jscriptdotnet/jscriptdotnet_payload.py" author = "FireEye" - id = "c5f2ec90-cd9b-53ce-893b-e44192fcd507" + id = "c66357f8-0508-5f3c-b3cb-ea61d3a378ef" date = "2020-11-25" date = "2020-11-25" modified = "2020-12-09" @@ -127902,7 +128009,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_PGF_2 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_MSIL_PGF_2.yar#L4-L20" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "7c2a06ceb29cdb25f24c06f2a8892fba" - logic_hash = "b962ea30c063009c0383e25edda3a65202bea4496d0d6228549dcea82bba0d03" + logic_hash = "v1_sha256_b962ea30c063009c0383e25edda3a65202bea4496d0d6228549dcea82bba0d03" score = 75 quality = 75 tags = "FILE" 
@@ -127915,14 +128022,14 @@ rule FIREEYE_RT_APT_Loader_MSIL_PGF_2 : FILE $ss3 = "\x00Microsoft.JScript\x00" condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Loader_Win32_PGF_2 : FILE { meta: description = "base dlls: /lib/payload/techniques/dllmain/" author = "FireEye" - id = "e11a626b-ce91-5f6c-a514-9a8a02a29cbd" + id = "b727f6b9-6e76-5560-b346-9b033850123a" date = "2020-11-25" date = "2020-11-25" modified = "2020-12-09" @@ -127930,7 +128037,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_2 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_2.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "04eb45f8546e052fe348fda2425b058c" - logic_hash = "d69f3f31c4964fe933295563e08bdbb36abadd6611541b9ffa55b6829ced1d21" + logic_hash = "v1_sha256_d69f3f31c4964fe933295563e08bdbb36abadd6611541b9ffa55b6829ced1d21" score = 75 quality = 75 tags = "FILE" 
@@ -127942,21 +128049,21 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_2 : FILE $sb3 = { 8B ?? 3C [0-16] 03 [1-64] 0F B? ?? 14 [0-32] 83 ?? 18 [0-32] 66 3? ?? 06 [4-32] 68 [4] 5? FF 15 [4-16] 85 C0 [2-32] 83 ?? 28 0F B? ?? 06 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and all of them } rule FIREEYE_RT_APT_Loader_Win64_PGF_5 : FILE { meta: description = "PGF payload, generated rule based on symfunc/8167a6d94baca72bac554299d7c7f83c" author = "FireEye" - id = "4fa4a1d6-cb63-582d-801c-b4c89c44d9ca" + id = "bf7dd05c-9a1b-5688-86e7-6b21014e7e85" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_5.yar#L4-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "150224a0ccabce79f963795bf29ec75b" - logic_hash = "16495ad1e5ce4d4a79f4067f3d687911a1a0a3bfe4c6409ff9de4d111b1ddca6" + logic_hash = "v1_sha256_16495ad1e5ce4d4a79f4067f3d687911a1a0a3bfe4c6409ff9de4d111b1ddca6" score = 75 quality = 75 tags = "FILE" 
@@ -127969,21 +128076,21 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_5 : FILE $cond4 = { 4C 89 44 24 ?? 89 54 24 ?? 48 89 4C 24 ?? 48 83 EC 38 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 83 7C 24 ?? 01 74 ?? EB ?? 48 8B 44 24 ?? 48 89 05 ?? ?? ?? ?? 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? B8 01 00 00 00 48 83 C4 38 C3 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and any of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and any of them } rule FIREEYE_RT_APT_Loader_Win32_PGF_3 : FILE { meta: description = "PGF payload, generated rule based on symfunc/c02594972dbab6d489b46c5dee059e66. Identifies dllmain_hook x86 payloads." author = "FireEye" - id = "adf91482-6e04-5d11-bc00-4b1c7a802c49" + id = "2cae5aff-fdae-543b-9973-9758212471f5" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_3.yar#L4-L20" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "4414953fa397a41156f6fa4f9462d207" - logic_hash = "24d2caad1d740ccbff0cf111a05ecad20ed06f311d530d8de86050d916da32ce" + logic_hash = "v1_sha256_24d2caad1d740ccbff0cf111a05ecad20ed06f311d530d8de86050d916da32ce" score = 75 quality = 75 tags = "FILE" 
@@ -127998,14 +128105,14 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_3 : FILE $cond6 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 ?? ?? ?? ?? F0 EF D5 63 C7 85 ?? ?? ?? ?? CC FF D5 63 8D 85 ?? ?? ?? ?? 89 28 BA 28 1B D4 63 89 50 ?? 89 60 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? FF FF FF FF FF D0 C7 44 24 ?? 04 01 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 8D 95 ?? ?? ?? ?? 89 14 24 C7 85 ?? ?? ?? ?? 01 00 00 00 89 C1 E8 ?? ?? ?? ?? 83 EC 08 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 89 44 24 ?? C7 04 24 08 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 28 04 00 00 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 74 ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 8D 95 ?? ?? ?? ?? 83 C2 20 89 14 24 89 C1 E8 ?? ?? ?? ?? 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? EB ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 83 7D ?? 00 74 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 04 24 7E 40 D9 63 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 C7 44 24 ?? 8A 40 D9 63 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 89 45 ?? 89 E8 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 C7 45 ?? 00 00 00 00 8B 55 ?? 8B 85 ?? ?? ?? ?? 39 C2 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 3D FF 0F 00 00 0F 86 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 73 ?? 8B 45 ?? 8B 00 8B 55 ?? 81 C2 00 10 00 00 39 D0 73 ?? C7 45 ?? 01 00 00 00 83 7D ?? 00 0F 84 ?? ?? ?? 
?? 8B 45 ?? 8B 00 39 45 ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 8B 4D ?? 8B 55 ?? 01 CA 39 D0 0F 83 ?? ?? ?? ?? B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 ?? ?? ?? ?? 83 C0 04 39 D0 72 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 1C 00 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 0C 8B 85 ?? ?? ?? ?? 83 E0 20 85 C0 74 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 30 14 D4 63 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 EB ?? 90 EB ?? 90 83 45 ?? 04 E9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 89 C2 8B 45 ?? 01 D0 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 01 D0 89 45 ?? C7 44 24 ?? 30 14 D4 63 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 01 00 00 00 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 01 EB ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 01 85 C0 74 ?? 83 E8 01 0F 0B 89 95 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 90 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C3 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and any of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and any of them } rule FIREEYE_RT_APT_Loader_Win32_PGF_4 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "d46d9ae9-cb7d-5a25-9ee2-766097c14af6" + id = "4c2eeca2-9535-52a7-9361-dfd336ba35bb" date = "2020-11-26" date = "2020-11-26" modified = "2020-12-09" 
@@ -128013,7 +128120,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_4 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_4.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "4414953fa397a41156f6fa4f9462d207" - logic_hash = "4256bfd3713f330d76cad9d1ddbba91e588dbca2e2b6842e9482525805ddc1e8" + logic_hash = "v1_sha256_4256bfd3713f330d76cad9d1ddbba91e588dbca2e2b6842e9482525805ddc1e8" score = 75 quality = 75 tags = "FILE" 
@@ -128024,21 +128131,21 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_4 : FILE $sb2 = { C? 45 ?? B8 [0-4] C? 45 ?? 00 [0-64] FF [0-32] E0 [0-32] C7 44 24 08 40 00 00 00 [0-32] C7 44 24 04 07 00 00 00 [0-32] FF [1-64] 89 ?? 0F B? [2-3] 89 ?? 04 0F B? [2] 88 ?? 06 8B ?? 08 8D ?? 01 8B 45 0C } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and all of them } rule FIREEYE_RT_APT_Loader_Win_PGF_2 : FILE { meta: description = "PE rich header matches PGF backdoor" author = "FireEye" - id = "595c9e2a-3d9d-5366-9449-de1bcf333f78" + id = "e76f2d7c-5d2b-5d90-8fb5-2fdd24e265de" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win_PGF_2.yar#L4-L21" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "226b1ac427eb5a4dc2a00cc72c163214" - logic_hash = "b8c024c6b4c3ce9915700b62da8a1f12440215b46f3a56078707f5257e575811" + logic_hash = "v1_sha256_b8c024c6b4c3ce9915700b62da8a1f12440215b46f3a56078707f5257e575811" score = 75 quality = 75 tags = "FILE" 
@@ -128054,14 +128161,14 @@ rule FIREEYE_RT_APT_Loader_Win_PGF_2 : FILE $rich4 = { 41 36 64 33 05 57 0A 60 05 57 0A 60 05 57 0A 60 73 CA 71 60 01 57 0A 60 0C 2F 9F 60 04 57 0A 60 0C 2F 89 60 3D 57 0A 60 0C 2F 8E 60 0A 57 0A 60 05 57 0B 60 4A 57 0A 60 0C 2F 99 60 06 57 0A 60 73 CA 67 60 04 57 0A 60 0C 2F 98 60 04 57 0A 60 0C 2F 80 60 04 57 0A 60 22 91 74 60 04 57 0A 60 0C 2F 9B 60 04 57 0A 60 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and filesize <15MB and (($rich1 at 128) or ($rich2 at 128) or ($rich3 at 128) or ($rich4 at 128)) + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and filesize < 15MB and ( ( $rich1 at 128 ) or ( $rich2 at 128 ) or ( $rich3 at 128 ) or ( $rich4 at 128 ) ) } rule FIREEYE_RT_APT_Loader_Win64_PGF_4 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "4c93ba76-d3a5-568d-88b8-79a6ebc2edbb" + id = "f6fae86c-36ed-5cac-b2a1-a4bdfd411e31" date = "2020-11-26" date = "2020-11-26" modified = "2020-12-09" @@ -128069,7 +128176,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_4 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_4.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "3bb34ebd93b8ab5799f4843e8cc829fa" - logic_hash = "fcc92674e58ec6418d7c709e3f3bc2e1ec859fe0cb444412964a978fb69f5234" + logic_hash = "v1_sha256_fcc92674e58ec6418d7c709e3f3bc2e1ec859fe0cb444412964a978fb69f5234" score = 75 quality = 75 tags = "FILE" 
@@ -128080,21 +128187,21 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_4 : FILE $sb2 = { C? 45 ?? 48 [0-32] B8 [0-64] FF [0-32] E0 [0-32] 41 B8 40 00 00 00 BA 0C 00 00 00 48 8B [2] 48 8B [2-32] FF [1-16] 48 89 10 8B 55 ?? 89 ?? 08 48 8B [2] 48 8D ?? 02 48 8B 45 18 48 89 02 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and all of them } rule FIREEYE_RT_Hacktool_MSIL_SHARPZEROLOGON_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public 'sharpzerologon' project." author = "FireEye" - id = "51f22eee-fb96-55b0-8c02-1a0e9910a93e" + id = "82543a6e-1d68-52db-aa4e-58965d891c56" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPZEROLOGON/production/yara/HackTool_MSIL_SHARPZEROLOGON_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "ed6a9bef5c6ee03aff969b8765b284ace517f2e6a1ef114acb04cf094c69cfa5" + logic_hash = "v1_sha256_ed6a9bef5c6ee03aff969b8765b284ace517f2e6a1ef114acb04cf094c69cfa5" score = 75 quality = 73 tags = "FILE" 
@@ -128104,14 +128211,14 @@ rule FIREEYE_RT_Hacktool_MSIL_SHARPZEROLOGON_1 : FILE $typelibguid0 = "15ce9a3c-4609-4184-87b2-e29fc5e2b770" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "c2834bd6-efb0-5dac-adcd-a9450090fc28" + id = "c8833af3-335c-5af4-9b27-455b74ab68e7" date = "2020-11-25" date = "2020-11-25" modified = "2020-12-09" @@ -128119,7 +128226,7 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_1.yar#L4-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "e4efa759d425e2f26fbc29943a30f5bd" - logic_hash = "1c71b9641e30c9764f3503e49f8f85472d7e62384c8dd2b420c4fa2b2fccda4f" + logic_hash = "v1_sha256_1c71b9641e30c9764f3503e49f8f85472d7e62384c8dd2b420c4fa2b2fccda4f" score = 75 quality = 75 tags = "FILE" 
@@ -128131,21 +128238,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_1 : FILE $s4 = "costura" condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_3 : FILE { meta: description = "This rule looks for .NET PE files that have the strings of various method names in the SharPivot code." author = "FireEye" - id = "616333fc-4075-5f04-823a-1164717a2b87" + id = "16e13c98-2b09-5323-98ae-f2ba92a0f513" date = "2020-12-10" modified = "2020-12-10" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_3.yar#L4-L31" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "e4efa759d425e2f26fbc29943a30f5bd" - logic_hash = "ecf13e47e409efd68b508735a84be6a1627f5b0c0cea6b90434fc9ba5b1d8cf5" + logic_hash = "v1_sha256_ecf13e47e409efd68b508735a84be6a1627f5b0c0cea6b90434fc9ba5b1d8cf5" score = 75 quality = 75 tags = "FILE" 
@@ -128171,21 +128278,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_3 : FILE $str16 = "Schtask" ascii wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and $msil and all of ($str*) + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and $msil and all of ( $str* ) } rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_4 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPivot project." author = "FireEye" - id = "c1bd64da-6a54-5bc6-8a89-9c8a93dd965c" + id = "d82beb6f-7452-53c4-aabd-0be84516bf7a" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_4.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "e4efa759d425e2f26fbc29943a30f5bd" - logic_hash = "7ef883148926d5786861e5e81b1e645aa2e3ca06bd663f2b5f32e04b5852a218" + logic_hash = "v1_sha256_7ef883148926d5786861e5e81b1e645aa2e3ca06bd663f2b5f32e04b5852a218" score = 75 quality = 73 tags = "FILE" 
@@ -128195,21 +128302,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_4 : FILE $typelibguid1 = "44B83A69-349F-4A3E-8328-A45132A70D62" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and $typelibguid1 + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and $typelibguid1 } rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_2 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "8d6d28ce-de3a-5a38-b654-ba1372d47568" + id = "c0beeb2e-2ab5-55c2-97de-e26a4e7ae9a6" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_2.yar#L4-L20" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "e4efa759d425e2f26fbc29943a30f5bd" - logic_hash = "14e4a29a32e8441a6f7f322e09cd9bb9822ae47eaa1fdf8e09c90998b03658f5" + logic_hash = "v1_sha256_14e4a29a32e8441a6f7f322e09cd9bb9822ae47eaa1fdf8e09c90998b03658f5" score = 75 quality = 75 tags = "FILE" 
@@ -128225,21 +128332,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_2 : FILE $s7 = "poisonhandler" wide condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_Loader_MSIL_Wmirunner_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIRunner' project." author = "FireEye" - id = "04c6acfc-859f-5e4a-8c59-9adf08f21657" + id = "b77239e5-6282-50aa-88cd-2477a2282722" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WMIRUNNER/production/yara/Loader_MSIL_WMIRunner_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "49d21756a4f0b29909c4b0fa9f3a98dd0480f9401923032de4b3920814b85f29" + logic_hash = "v1_sha256_49d21756a4f0b29909c4b0fa9f3a98dd0480f9401923032de4b3920814b85f29" score = 75 quality = 73 tags = "FILE" 
@@ -128249,21 +128356,21 @@ rule FIREEYE_RT_Loader_MSIL_Wmirunner_1 : FILE $typelibguid0 = "6cc61995-9fd5-4649-b3cc-6f001d60ceda" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_APT_Hacktool_MSIL_NOAMCI_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'noamci' project." author = "FireEye" - id = "48066258-528f-5a70-81e1-15d6dfd9ff4f" + id = "e0c6af71-c6db-53b7-b6f7-24debe7fb5f1" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/NOAMCI/production/yara/APT_HackTool_MSIL_NOAMCI_1.yar#L4-L16" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "6278cfb4e9af20bbe943f4b99227c7fba276315a9f0059575b3ed4ef96a848c4" + logic_hash = "v1_sha256_6278cfb4e9af20bbe943f4b99227c7fba276315a9f0059575b3ed4ef96a848c4" score = 75 quality = 71 tags = "FILE" 
@@ -128274,21 +128381,21 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_NOAMCI_1 : FILE $typelibguid1 = "ef86214e-54de-41c3-b27f-efc61d0accc3" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_Loader_MSIL_Allthethings_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'AllTheThings' project." author = "FireEye" - id = "1805b406-2531-56bf-8e08-e63a59ffcc84" + id = "2a433ced-5ad5-5fec-b535-3af8cd00ef1d" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/ALLTHETHINGS/production/yara/Loader_MSIL_AllTheThings_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "e3058095f2a49f8c0f78cb392024795367609b04c1da80210ab8d72c6613ee71" + logic_hash = "v1_sha256_e3058095f2a49f8c0f78cb392024795367609b04c1da80210ab8d72c6613ee71" score = 75 quality = 73 tags = "FILE" 
@@ -128298,22 +128405,20 @@ rule FIREEYE_RT_Loader_MSIL_Allthethings_1 : FILE $typelibguid0 = "542ccc64-c4c3-4c03-abcd-199a11b26754" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } -import "pe" - rule FIREEYE_RT_APT_Backdoor_PS1_BASICPIPESHELL_1 { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "8f85d6cc-fd1e-5bf3-8052-440cbeda0ac9" + id = "0d188ec5-1be1-516e-9499-59b72dc15990" date = "2020-12-18" modified = "2020-12-18" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/BASICPIPESHELL/production/yara/APT_Backdoor_PS1_BASICPIPESHELL_1.yar#L5-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" - logic_hash = "7a9f0002055ffe826562cab3d02d8babd14c5fcd6d0b528a2988e2649034279d" + logic_hash = "v1_sha256_7a9f0002055ffe826562cab3d02d8babd14c5fcd6d0b528a2988e2649034279d" score = 75 quality = 63 tags = "" 
@@ -128334,14 +128439,14 @@ rule FIREEYE_RT_Loader_MSIL_Sharpy_1 : FILE meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharPy' project." author = "FireEye" - id = "7c7bda22-bacc-5901-a650-a30c9cfcdee7" + id = "1e0c2742-5548-5216-932b-20879f2f0ba5" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPY/production/yara/Loader_MSIL_SharPy_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "0f73fab3905b4961b8dbeb120d45a34a2383ecdaae0296f38e34f8b7ab4aeee8" + logic_hash = "v1_sha256_0f73fab3905b4961b8dbeb120d45a34a2383ecdaae0296f38e34f8b7ab4aeee8" score = 75 quality = 73 tags = "FILE" @@ -128351,14 +128456,14 @@ rule FIREEYE_RT_Loader_MSIL_Sharpy_1 : FILE $typelibguid0 = "f6cf1d3b-3e43-4ecf-bb6d-6731610b4866" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_APT_Trojan_Linux_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "220302bc-4ed3-5e10-9bd2-a8ed2bdaef73" + id = "90ca3ab4-6110-5427-95d7-927208ba0881" date = "2020-12-02" date = "2020-12-02" modified = "2020-12-09" 
@@ -128366,7 +128471,7 @@ rule FIREEYE_RT_APT_Trojan_Linux_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/supplemental/yara/APT_Trojan_Linux_REDFLARE_1.yar#L4-L20" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e" - logic_hash = "282f11c4c86d88d05f11e92f5483701d9a54c2dd39f21316cd271aa78a338d0f" + logic_hash = "v1_sha256_282f11c4c86d88d05f11e92f5483701d9a54c2dd39f21316cd271aa78a338d0f" score = 75 quality = 75 tags = "FILE" @@ -128380,14 +128485,14 @@ rule FIREEYE_RT_APT_Trojan_Linux_REDFLARE_1 : FILE $s5 = "initialize" fullword condition: - ( uint32(0)==0x464c457f) and all of them + ( uint32( 0 ) == 0x464c457f ) and all of them } rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_6 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "5875a9ec-c3ee-57f0-a430-4443db585def" + id = "b3616f8d-7f9e-5b6c-9caa-505a68035ac5" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" @@ -128395,7 +128500,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_6 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/supplemental/yara/APT_Trojan_Win_REDFLARE_6.yar#L4-L20" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "294b1e229c3b1efce29b162e7b3be0ab, 6902862bd81da402e7ac70856afbe6a2" - logic_hash = "1e6f8320e0c0b601fc72fa4d9c61e46adfbcd84638c97da5988ca848e036312a" + logic_hash = "v1_sha256_1e6f8320e0c0b601fc72fa4d9c61e46adfbcd84638c97da5988ca848e036312a" score = 75 quality = 75 tags = "FILE" 
@@ -128409,14 +128514,14 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_6 : FILE $s5 = "initialize" fullword condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Downloader_Win32_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "e8d7ee31-568e-58ac-98ad-49baa2eb37ea" + id = "0ef7a449-d215-59ff-9556-f79b3a5d1b61" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" @@ -128424,7 +128529,7 @@ rule FIREEYE_RT_APT_Downloader_Win32_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Downloader_Win32_REDFLARE_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "05b99d438dac63a5a993cea37c036673" - logic_hash = "a340a2a732a9b1aa74ca9d84009a88d1b14b6a03140a859384c0d6e745e4a90a" + logic_hash = "v1_sha256_a340a2a732a9b1aa74ca9d84009a88d1b14b6a03140a859384c0d6e745e4a90a" score = 75 quality = 75 tags = "FILE" 
@@ -128435,14 +128540,14 @@ rule FIREEYE_RT_APT_Downloader_Win32_REDFLARE_1 : FILE $http_req = { 00 00 08 80 81 3D [4] BB 01 00 00 75 [1-10] 00 00 80 00 [1-4] 00 10 00 00 [1-4] 00 20 00 00 89 [1-10] 6A 00 8B [1-8] 5? 6A 00 6A 00 6A 00 8B [1-8] 5? 68 [4] 8B [1-8] 5? FF 15 [4-40] 6A 14 E8 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and all of them } rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_7 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "f891e477-9ff2-57be-9ca5-dd87d9baee29" + id = "3043e608-0ea9-51d3-adf3-81f525bf8939" date = "2020-12-02" date = "2020-12-02" modified = "2020-12-09" @@ -128450,7 +128555,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_7 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_7.yar#L4-L21" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "e7beece34bdf67cbb8297833c5953669, 8025bcbe3cc81fc19021ad0fbc11cf9b" - logic_hash = "6d7822256ac1bef05304d3396df773e2b20a397311ad820d6ec5fe4cb6bdfbbc" + logic_hash = "v1_sha256_6d7822256ac1bef05304d3396df773e2b20a397311ad820d6ec5fe4cb6bdfbbc" score = 75 quality = 75 tags = "FILE" 
@@ -128465,41 +128570,14 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_7 : FILE $named_pipe = { 88 13 00 00 [1-8] E8 03 00 00 [20-60] 00 00 00 00 [1-8] 00 00 00 00 [1-40] ( 6A 00 6A 00 6A 03 6A 00 6A 00 68 | 00 00 00 00 [1-6] 00 00 00 00 [1-6] 03 00 00 00 45 33 C? 45 33 C? BA ) 00 00 00 C0 [2-10] FF 15 [4-30] FF 15 [4-7] E7 00 00 00 [4-40] FF 15 [4] 85 C0 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them -} -rule FIREEYE_RT_APT_Builder_PY_REDFLARE_2 -{ - meta: - description = "No description has been set in the source file - FireEye-RT" - author = "FireEye" - id = "1af407f5-6eb7-5be9-a3d9-cd0f7a5f2503" - date = "2020-12-01" - date = "2020-12-01" - modified = "2020-12-09" - reference = "https://github.com/mandiant/red_team_tool_countermeasures/" - source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Builder_PY_REDFLARE_2.yar#L4-L18" - license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" - hash = "4410e95de247d7f1ab649aa640ee86fb" - logic_hash = "675390e944a95156ad33ca783c90fdea9610cdc2e8c5c53e0c0fa213149b4714" - score = 75 - quality = 75 - tags = "" - rev = 1 - - strings: - $1 = "<510sxxII" - $2 = "0x43,0x00,0x3a,0x00,0x5c,0x00,0x57,0x00,0x69,0x00,0x6e,0x00,0x64,0x00,0x6f,0x00," - $3 = "parsePluginOutput" - - condition: - all of them and #2==2 + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Keylogger_Win32_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "ad14db66-d640-5712-b2c8-a3d42d5a90f3" + id = "13f1b0db-6daf-5b15-a940-1ca38f15f353" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" 
@@ -128507,7 +128585,7 @@ rule FIREEYE_RT_APT_Keylogger_Win32_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Keylogger_Win32_REDFLARE_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "d7cfb9fbcf19ce881180f757aeec77dd" - logic_hash = "aebbaa050bee3775ffac4214ea4ab58284384e7eb41e66ee4838b9359e72821e" + logic_hash = "v1_sha256_aebbaa050bee3775ffac4214ea4ab58284384e7eb41e66ee4838b9359e72821e" score = 75 quality = 75 tags = "FILE" @@ -128518,14 +128596,14 @@ rule FIREEYE_RT_APT_Keylogger_Win32_REDFLARE_1 : FILE $keys_check = { 6A 14 [0-5] FF [1-5] 6A 10 [0-5] FF [1-5] B9 00 80 FF FF 66 85 C1 75 ?? 68 A0 00 00 00 FF [1-5] B9 00 80 FF FF 66 85 C1 75 ?? 68 A1 00 00 00 FF [1-5] B9 00 80 FF FF 66 85 C1 74 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and all of them } rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_8 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "b090df60-8f4e-51ca-944c-6f9ce2d9c913" + id = "ee114b65-4350-59c0-8acb-9bc37c4e1138" date = "2020-12-02" date = "2020-12-02" modified = "2020-12-09" 
@@ -128533,7 +128611,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_8 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_8.yar#L4-L22" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "9c8eb908b8c1cda46e844c24f65d9370, 9e85713d615bda23785faf660c1b872c" - logic_hash = "5b8a0402886daebefb995e7df0877d51727c5b8dc58eeb8ff16ceec5e7811a20" + logic_hash = "v1_sha256_5b8a0402886daebefb995e7df0877d51727c5b8dc58eeb8ff16ceec5e7811a20" score = 75 quality = 75 tags = "FILE" @@ -128549,14 +128627,14 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_8 : FILE $trap = { 03 40 00 80 E8 [4] CC } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "dc162f26-66d3-5359-b1d7-ef2208b359e2" + id = "a821344a-1c0a-5a51-9ed9-739eea2c6f94" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" @@ -128564,7 +128642,7 @@ rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Win64_REDFLARE_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "f20824fa6e5c81e3804419f108445368" - logic_hash = "2cae245a6aa36dccc2228cccefdc4ca0eb278901f063e072a369000f67d73a55" + logic_hash = "v1_sha256_2cae245a6aa36dccc2228cccefdc4ca0eb278901f063e072a369000f67d73a55" score = 75 quality = 75 tags = "FILE" 
@@ -128575,14 +128653,14 @@ rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_1 : FILE $const_values = { 0F B6 ?? 83 C? 20 83 F? 6D [2-20] 83 C? 20 83 F? 7A } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and all of them } rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_4 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "6e8621b0-a0ee-5fc7-a2b8-1973a42d6e37" + id = "78f4f2a7-9a11-59f7-a452-d9b37f1c620c" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" @@ -128590,7 +128668,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_4 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_4.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "a8b5dcfea5e87bf0e95176daa243943d, 9dcb6424662941d746576e62712220aa" - logic_hash = "d027e98ad8fa6d03a49ceffd81fba6a621173e2dbabae652bee2f4e8489bb378" + logic_hash = "v1_sha256_d027e98ad8fa6d03a49ceffd81fba6a621173e2dbabae652bee2f4e8489bb378" score = 75 quality = 75 tags = "FILE" 
@@ -128603,14 +128681,14 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_4 : FILE $user_logon = { 22 02 00 00 [1-10] 02 02 00 00 [0-4] E8 [4-40] ( 09 00 00 00 [1-10] 03 00 00 00 | 6A 03 6A 09 ) [4-30] FF 15 [4] 85 C0 7? } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Loader_Raw64_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "8e937f6a-404f-53bd-9de2-ed63b1cf48b2" + id = "ee1beadf-49ab-577e-8155-00e597c2a68e" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" @@ -128618,7 +128696,7 @@ rule FIREEYE_RT_APT_Loader_Raw64_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Raw64_REDFLARE_1.yar#L4-L16" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "5e14f77f85fd9a5be46e7f04b8a144f5" - logic_hash = "dac122ccece8a6dd35a5fe9d37860a612aa50ab469b79f4375dbe776f60c7b57" + logic_hash = "v1_sha256_dac122ccece8a6dd35a5fe9d37860a612aa50ab469b79f4375dbe776f60c7b57" score = 75 quality = 75 tags = "FILE" @@ -128628,14 +128706,14 @@ rule FIREEYE_RT_APT_Loader_Raw64_REDFLARE_1 : FILE $load = { EB ?? 58 48 8B 10 4C 8B 48 ?? 48 8B C8 [1-10] 48 83 C1 ?? 48 03 D1 FF } condition: - ( uint16(0)!=0x5A4D) and all of them + ( uint16( 0 ) != 0x5A4D ) and all of them } rule FIREEYE_RT_APT_Builder_PY_REDFLARE_1 { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "3b5ad25d-ce66-572e-9a91-40a73b8fd447" + id = "7135ee51-5d2a-5ecb-b386-b795d1dcddb1" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" 
@@ -128643,7 +128721,7 @@ rule FIREEYE_RT_APT_Builder_PY_REDFLARE_1 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Builder_PY_REDFLARE_1.yar#L4-L22" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "d0a830403e56ebaa4bfbe87dbfdee44f" - logic_hash = "1948cadb7242eb69bffbc222802ce9c1af38d7a846da09b6343b1449fe054e42" + logic_hash = "v1_sha256_1948cadb7242eb69bffbc222802ce9c1af38d7a846da09b6343b1449fe054e42" score = 75 quality = 75 tags = "" @@ -128659,14 +128737,14 @@ rule FIREEYE_RT_APT_Builder_PY_REDFLARE_1 $7 = "_x64.dll" condition: - all of them and @1[1]<@2[1] and @2[1]<@3[1] and @3[1]<@4[1] and @4[1]<@5[1] + all of them and @1 [ 1 ] < @2 [ 1 ] and @2 [ 1 ] < @3 [ 1 ] and @3 [ 1 ] < @4 [ 1 ] and @4 [ 1 ] < @5 [ 1 ] } rule FIREEYE_RT_APT_Controller_Linux_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "79a69740-7209-5c56-ad6f-eb4d0b29beaf" + id = "17728af3-d6a7-587b-aecd-4e45262a0f20" date = "2020-12-02" date = "2020-12-02" modified = "2020-12-09" @@ -128674,7 +128752,7 @@ rule FIREEYE_RT_APT_Controller_Linux_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Controller_Linux_REDFLARE_1.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e" - logic_hash = "d6b0cc5f386da9bff8a8293f2b3857406044ab42f7c1bb23d5096052a3c42ce4" + logic_hash = "v1_sha256_d6b0cc5f386da9bff8a8293f2b3857406044ab42f7c1bb23d5096052a3c42ce4" score = 75 quality = 75 tags = "FILE" 
@@ -128687,14 +128765,14 @@ rule FIREEYE_RT_APT_Controller_Linux_REDFLARE_1 : FILE $4 = "goratsvr.CommandRequest" fullword condition: - ( uint32(0)==0x464c457f) and all of them + ( uint32( 0 ) == 0x464c457f ) and all of them } rule FIREEYE_RT_APT_Keylogger_Win64_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "3c980f5a-c775-5c25-ba28-91a93a1b9a85" + id = "d4dde414-69af-5ee4-be5a-52a3d986574e" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" @@ -128702,7 +128780,7 @@ rule FIREEYE_RT_APT_Keylogger_Win64_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Keylogger_Win64_REDFLARE_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "fbefb4074f1672a3c29c1a47595ea261" - logic_hash = "26fe577ba637c484d9a8ccc2173b5892a76328a90a39a2bebbae6bd2a6329485" + logic_hash = "v1_sha256_26fe577ba637c484d9a8ccc2173b5892a76328a90a39a2bebbae6bd2a6329485" score = 75 quality = 75 tags = "FILE" 
@@ -128713,14 +128791,14 @@ rule FIREEYE_RT_APT_Keylogger_Win64_REDFLARE_1 : FILE $keys_check = { B9 14 00 00 00 FF 15 [4-8] B9 10 00 00 00 FF 15 [4] BE 00 80 FF FF 66 85 C6 75 ?? B9 A0 00 00 00 FF 15 [4] 66 85 C6 75 ?? B9 A1 00 00 00 FF 15 [4] 66 85 C6 74 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and all of them } rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "b8a2c388-3b27-5075-b0ee-2773ae0c67ad" + id = "d1ecdf28-e657-53d2-9ab1-d5daafd1d5e1" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" @@ -128728,7 +128806,7 @@ rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Win32_REDFLARE_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "01d68343ac46db6065f888a094edfe4f" - logic_hash = "f9165aabe4bad215211cf98559099030ddb8a76175fbfcfee3c6f25d7614bdad" + logic_hash = "v1_sha256_f9165aabe4bad215211cf98559099030ddb8a76175fbfcfee3c6f25d7614bdad" score = 75 quality = 75 tags = "FILE" 
@@ -128739,14 +128817,14 @@ rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_1 : FILE $const_values = { 0F B6 ?? 83 C? 20 83 F? 6D [2-20] 83 C? 20 83 F? 7A } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and all of them } rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_5 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "892981d6-f310-5ee8-95b5-dd4bd720a86c" + id = "39a75367-cc48-51cf-a28f-232306f3d81f" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" @@ -128754,7 +128832,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_5 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_5.yar#L4-L20" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dfbb1b988c239ade4c23856e42d4127b, 3322fba40c4de7e3de0fda1123b0bf5d" - logic_hash = "ab38e5ebded026829672941709797b40f8e13fb244b6a8ed3545de4358f727b8" + logic_hash = "v1_sha256_ab38e5ebded026829672941709797b40f8e13fb244b6a8ed3545de4358f727b8" score = 75 quality = 75 tags = "FILE" 
@@ -128768,14 +128846,14 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_5 : FILE $steal_token = { FF 15 [4] 85 C0 [1-40] C7 44 24 ?? 01 00 00 00 [0-20] C7 44 24 ?? 02 00 00 00 [0-20] FF 15 [4] FF [1-5] 85 C0 [4-40] 00 04 00 00 FF 15 [4-5] 85 C0 [2-20] ( BA 0F 00 00 00 | 6A 0F ) [1-4] FF 15 [4] 85 C0 74 [1-20] FF 15 [4] 85 C0 74 [1-20] ( 6A 0B | B9 0B 00 00 00 ) E8 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_3 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "2f6785c4-f4d0-52ff-8c46-da953e2ca92a" + id = "9ca62954-2d46-5182-b595-0a36d6977f6f" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" @@ -128783,7 +128861,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_3 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_3.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "9ccda4d7511009d5572ef2f8597fba4e,ece07daca53dd0a7c23dacabf50f56f1" - logic_hash = "ee104bc145686a134e4d6d620dae7d1dacff7645d47f1a8d7a212327352b8e87" + logic_hash = "v1_sha256_ee104bc145686a134e4d6d620dae7d1dacff7645d47f1a8d7a212327352b8e87" score = 75 quality = 75 tags = "FILE" 
@@ -128796,14 +128874,14 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_3 : FILE $str3 = "runCommand" fullword condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Downloader_Win64_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "15a5e22b-84b0-5b36-8772-1d496ac447b2" + id = "11797c6d-ba58-55e2-972d-753d93da1131" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" @@ -128811,7 +128889,7 @@ rule FIREEYE_RT_APT_Downloader_Win64_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Downloader_Win64_REDFLARE_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "9529c4c9773392893a8a0ab8ce8f8ce1" - logic_hash = "1b9bece6083403615841c752eac48fd20095e918d6e175563dd122be2885d875" + logic_hash = "v1_sha256_1b9bece6083403615841c752eac48fd20095e918d6e175563dd122be2885d875" score = 75 quality = 75 tags = "FILE" 
@@ -128822,14 +128900,14 @@ rule FIREEYE_RT_APT_Downloader_Win64_REDFLARE_1 : FILE $http_req = { 00 00 08 80 81 3D [4] BB 01 00 00 75 [1-10] 00 00 80 00 [1-4] 00 10 00 00 [1-4] 00 20 00 00 89 [6-20] 00 00 00 00 [6-20] 00 00 00 00 [2-10] 00 00 00 00 45 33 C9 [4-20] 48 8D 15 [4] 48 8B 0D [4] FF 15 [4-50] B9 14 00 00 00 E8 } condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and all of them } rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "c3054680-9c87-5d90-b78e-b260904340df" + id = "fd33d611-b690-5124-abc3-29d0e706e53b" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" @@ -128837,7 +128915,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_1.yar#L4-L21" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "100d73b35f23b2fe84bf7cd37140bf4d,4e7e90c7147ee8aa01275894734f4492" - logic_hash = "08ea2151418f7f75a8b138146c393a5ea85647320cc8e9fe1930d75871ab94bb" + logic_hash = "v1_sha256_08ea2151418f7f75a8b138146c393a5ea85647320cc8e9fe1930d75871ab94bb" score = 75 quality = 75 tags = "FILE" 
@@ -128852,14 +128930,14 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_1 : FILE $6 = "WriteProcessMemory" fullword condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Loader_Raw32_REDFLARE_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "8f8ec27f-afac-5da5-b76f-b984e14e0066" + id = "a1dc6b80-149e-50f1-8228-fa3d9f2efef3" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" @@ -128867,7 +128945,7 @@ rule FIREEYE_RT_APT_Loader_Raw32_REDFLARE_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Raw32_REDFLARE_1.yar#L4-L16" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "4022baddfda3858a57c9cbb0d49f6f86" - logic_hash = "05ed89bd82600b4d5ef01ece2e0a9bd84e968988fd2bda1bab4ec316a9a9906b" + logic_hash = "v1_sha256_05ed89bd82600b4d5ef01ece2e0a9bd84e968988fd2bda1bab4ec316a9a9906b" score = 75 quality = 75 tags = "FILE" @@ -128877,14 +128955,14 @@ rule FIREEYE_RT_APT_Loader_Raw32_REDFLARE_1 : FILE $load = { EB ?? 58 [0-4] 8B 10 8B 48 [1-3] 8B C8 83 C1 ?? 03 D1 83 E9 [1-3] 83 C1 [1-4] FF D? } condition: - ( uint16(0)!=0x5A4D) and all of them + ( uint16( 0 ) != 0x5A4D ) and all of them } rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_2 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "6a585401-bfd3-5aad-b484-09b6a30d9af5" + id = "c8e0617d-97a9-568a-8cb6-174c4de52160" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" 
@@ -128892,7 +128970,7 @@ rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_2 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Win32_REDFLARE_2.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "4e7e90c7147ee8aa01275894734f4492" - logic_hash = "98dfb71adbde4f8965e612c19f0965d8fa95805825569290fdf72eb1d86cfb70" + logic_hash = "v1_sha256_98dfb71adbde4f8965e612c19f0965d8fa95805825569290fdf72eb1d86cfb70" score = 75 quality = 75 tags = "FILE" @@ -128903,14 +128981,14 @@ rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_2 : FILE $s1 = "ResumeThread" condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x010B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x010B ) and all of them } rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_2 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "84881e5c-05df-5911-af42-ec82e559588c" + id = "055ad13d-d65f-57fd-825f-9961105d586e" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" 
@@ -128918,7 +128996,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_2 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_2.yar#L4-L20" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "9529c4c9773392893a8a0ab8ce8f8ce1,05b99d438dac63a5a993cea37c036673" - logic_hash = "1f2e1f644b1932486444dfda30b7dad7f50121f59fa493eb8a1a0528ae46db26" + logic_hash = "v1_sha256_1f2e1f644b1932486444dfda30b7dad7f50121f59fa493eb8a1a0528ae46db26" score = 75 quality = 75 tags = "FILE" @@ -128932,14 +129010,14 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_2 : FILE $5 = "Cookie: SID1=%s" fullword condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_2 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "043f4e29-710d-5e17-a0ed-82cd3a565194" + id = "5d42b476-ba68-5907-8952-b6f88fa24b0f" date = "2020-11-27" date = "2020-11-27" modified = "2020-12-09" @@ -128947,7 +129025,7 @@ rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_2 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Win64_REDFLARE_2.yar#L4-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "100d73b35f23b2fe84bf7cd37140bf4d" - logic_hash = "9fad845ed963fae46ac7ddc44407d5f6ed0a061f6a106764b9f912ef718279b4" + logic_hash = "v1_sha256_9fad845ed963fae46ac7ddc44407d5f6ed0a061f6a106764b9f912ef718279b4" score = 75 quality = 75 tags = "FILE" 
@@ -128959,21 +129037,21 @@ rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_2 : FILE $s1 = "ResumeThread" fullword condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) and all of them } rule FIREEYE_RT_Hacktool_MSIL_Sharpschtask_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpSchtask' project." author = "FireEye" - id = "5c7a5dee-3bc2-54b2-a7e2-be05ba74d4a1" + id = "a43eb60a-e9da-5da4-9f6e-6549cdf78e56" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPSCHTASK/production/yara/HackTool_MSIL_SharpSchtask_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "7437fde82920f4d015a7f149b58924baf6cb220c6f6857d9509e23795ff0811c" + logic_hash = "v1_sha256_7437fde82920f4d015a7f149b58924baf6cb220c6f6857d9509e23795ff0811c" score = 75 quality = 73 tags = "FILE" 
@@ -128983,21 +129061,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpschtask_1 : FILE $typelibguid0 = "0a64a5f4-bdb6-443c-bdc7-f6f0bf5b5d6c" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_Hacktool_MSIL_Prepshellcode_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'PrepShellcode' project." author = "FireEye" - id = "32fb6b1d-e01f-5555-8516-088dca2166cf" + id = "6449eba5-ffca-5117-9766-4fca17fb946c" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PREPSHELLCODE/production/yara/HackTool_MSIL_PrepShellcode_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "aedae87d84275f6589c982c04175ddc0aee3e4f3ae959ced4b4e2294675522e6" + logic_hash = "v1_sha256_aedae87d84275f6589c982c04175ddc0aee3e4f3ae959ced4b4e2294675522e6" score = 75 quality = 73 tags = "FILE" 
@@ -129007,21 +129085,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Prepshellcode_1 : FILE $typelibguid0 = "d16ed275-70d5-4ae5-8ce7-d249f967616c" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_APT_Hacktool_MSIL_WMISPY_2 : FILE { meta: description = "wql searches" author = "FireEye" - id = "474af878-a657-54bc-a063-04532df928d4" + id = "dcbdbb39-e85b-586a-853e-61c7fec636f1" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WMISPY/production/yara/APT_HackTool_MSIL_WMISPY_2.yar#L4-L24" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "3651f252d53d2f46040652788499d65a" - logic_hash = "553fc1e536482a56b3228a5c9ebac843af9083e8ac864bf65c81b36a39ca5e5e" + logic_hash = "v1_sha256_553fc1e536482a56b3228a5c9ebac843af9083e8ac864bf65c81b36a39ca5e5e" score = 75 quality = 75 tags = "FILE" 
@@ -129040,21 +129118,21 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_WMISPY_2 : FILE $str9 = "from Win32_Process" wide condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and $MSIL and all of ($str*) + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and $MSIL and all of ( $str* ) } rule FIREEYE_RT_Hacktool_MSIL_Wmispy_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIspy' project." author = "FireEye" - id = "ac394751-da40-564b-8e24-8f353326b46a" + id = "a269aaf0-a8a5-59dc-a94f-119dcc291c85" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WMISPY/production/yara/HackTool_MSIL_WMIspy_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "a5a9f7c7a7bfe474e8b21306ea220b4d476832f3ad4fafdd8967a2250d15a701" + logic_hash = "v1_sha256_a5a9f7c7a7bfe474e8b21306ea220b4d476832f3ad4fafdd8967a2250d15a701" score = 75 quality = 73 tags = "FILE" 
@@ -129064,21 +129142,21 @@ rule FIREEYE_RT_Hacktool_MSIL_Wmispy_1 : FILE $typelibguid0 = "5ee2bca3-01ad-489b-ab1b-bda7962e06bb" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_APT_Backdoor_Win_GORAT_1 : FILE { meta: description = "This detects if a sample is less than 50KB and has a number of strings found in the Gorat shellcode (stage0 loader). The loader contains an embedded DLL (stage0.dll) that contains a number of unique strings. The 'Cookie' string found in this loader is important as this cookie is needed by the C2 server to download the Gorat implant (stage1 payload)." author = "FireEye" - id = "5ac84cf1-49fb-533d-b211-b1a92239063b" + id = "20d24576-826d-5a49-89a3-e751cd8c875d" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_1.yar#L4-L23" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "66cdaa156e4d372cfa3dea0137850d20" - logic_hash = "f6a0a923f64375e7ffdc080aec41db19a9e162405f1290ed0bbcce5a342bdadb" + logic_hash = "v1_sha256_f6a0a923f64375e7ffdc080aec41db19a9e162405f1290ed0bbcce5a342bdadb" score = 75 quality = 75 tags = "FILE" 
@@ -129096,21 +129174,21 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_1 : FILE $s9 = "!This program cannot be run in DOS mode." ascii wide condition: - filesize <50KB and all of them + filesize < 50KB and all of them } rule FIREEYE_RT_APT_Backdoor_Win_Gorat_Memory { meta: description = "Identifies GoRat malware in memory based on strings." author = "FireEye" - id = "16fb1db7-711c-5d8d-9203-738c94f253fe" + id = "c1113e4f-b351-5403-a6a4-0ef45649e0cc" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GoRat_Memory.yar#L4-L27" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "3b926b5762e13ceec7ac3a61e85c93bb" - logic_hash = "88272e59325d106f96d6b6f1d57daf968823c1e760067dee0334c66c521ce8c2" + logic_hash = "v1_sha256_88272e59325d106f96d6b6f1d57daf968823c1e760067dee0334c66c521ce8c2" score = 75 quality = 75 tags = "" @@ -129132,14 +129210,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_Gorat_Memory $winblows = "rat/platforms/win.(*winblows).GetStage" fullword condition: - $winblows or #murica>10 or 3 of ($rat*) + $winblows or #murica > 10 or 3 of ( $rat* ) } rule FIREEYE_RT_APT_Backdoor_Win_GORAT_5 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "73102bd2-7b94-5c7b-b9a4-cfc9cf5e3212" + id = "38cae6a5-d7ee-5504-9844-3250ac43d94e" date = "2020-12-02" date = "2020-12-02" modified = "2020-12-09" 
@@ -129147,7 +129225,7 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_5 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_5.yar#L4-L23" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f" - logic_hash = "67f85fb3bedfd18a1226c92318f387be3c7ff9566ca2d554c49cf62389482552" + logic_hash = "v1_sha256_67f85fb3bedfd18a1226c92318f387be3c7ff9566ca2d554c49cf62389482552" score = 75 quality = 75 tags = "FILE" 
@@ -129164,21 +129242,21 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_5 : FILE $8 = "/rat/cmd/gorat_shared/dllmain.go" fullword condition: - ( uint16(0)==0x5A4D) and ( uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D ) and ( uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_Trojan_MSIL_GORAT_Plugin_DOTNET_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Plugin - .NET' project." author = "FireEye" - id = "faa73d64-4bb1-5c06-a3a5-1f1aa99ea932" + id = "7b35c937-f3ff-5654-b3fb-096c8802b0f4" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/Trojan_MSIL_GORAT_Plugin_DOTNET_1.yar#L4-L16" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "e979822273c6d1ccdfebd341c9e2cb1040fe34a04e8b41c024885063fd946ad5" + logic_hash = "v1_sha256_e979822273c6d1ccdfebd341c9e2cb1040fe34a04e8b41c024885063fd946ad5" score = 75 quality = 71 tags = "FILE" 
@@ -129189,21 +129267,21 @@ rule FIREEYE_RT_Trojan_MSIL_GORAT_Plugin_DOTNET_1 : FILE $typelibguid1 = "fc3daedf-1d01-4490-8032-b978079d8c2d" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_APT_Backdoor_Win_GORAT_3 : FILE { meta: description = "This rule uses the same logic as FE_APT_Trojan_Win_GORAT_1_FEBeta with the addition of one check, to look for strings that are known to be in the Gorat implant when a certain cleaning script is not run against it." author = "FireEye" - id = "94c195b5-b8e8-56a7-bc11-dbbe2f969b06" + id = "1ed4e6ed-82f0-5b0b-bdb4-54788acbea90" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_3.yar#L4-L39" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "995120b35db9d2f36d7d0ae0bfc9c10d" - logic_hash = "592745e9c67f7adf0cd48975ed1497211d8efeff29b52be1e2d082b9a648bb57" + logic_hash = "v1_sha256_592745e9c67f7adf0cd48975ed1497211d8efeff29b52be1e2d082b9a648bb57" score = 75 quality = 28 tags = "FILE" 
@@ -129237,21 +129315,21 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_3 : FILE $str11 = "rat.New" ascii wide condition: - uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550 and filesize <10MB and all of ($go*) and all of ($json*) and all of ($str*) and #rat>1000 and any of ($dirty*) + uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 and filesize < 10MB and all of ( $go* ) and all of ( $json* ) and all of ( $str* ) and #rat > 1000 and any of ( $dirty* ) } rule FIREEYE_RT_APT_Backdoor_Macos_GORAT_1 : FILE { meta: description = "This rule is looking for specific strings associated with network activity found within the MacOS generated variant of GORAT" author = "FireEye" - id = "4646eadb-7acf-582f-9ad6-00f012ceed8a" + id = "0350efb2-6327-52f8-98aa-ac24958f385b" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_MacOS_GORAT_1.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "68acf11f5e456744262ff31beae58526" - logic_hash = "2df5f87d44968670511880d21ad184779d0561c7c426a5d6426bcefd0904a9b7" + logic_hash = "v1_sha256_2df5f87d44968670511880d21ad184779d0561c7c426a5d6426bcefd0904a9b7" score = 75 quality = 75 tags = "FILE" 
@@ -129265,21 +129343,21 @@ rule FIREEYE_RT_APT_Backdoor_Macos_GORAT_1 : FILE $s5 = "Cookie" ascii wide condition: - (( uint32(0)==0xBEBAFECA) or ( uint32(0)==0xFEEDFACE) or ( uint32(0)==0xFEEDFACF) or ( uint32(0)==0xCEFAEDFE)) and all of them + (( uint32( 0 ) == 0xBEBAFECA ) or ( uint32( 0 ) == 0xFEEDFACE ) or ( uint32( 0 ) == 0xFEEDFACF ) or ( uint32( 0 ) == 0xCEFAEDFE ) ) and all of them } rule FIREEYE_RT_Trojan_MSIL_GORAT_Module_Powershell_1 : FILE { meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Module - PowerShell' project." author = "FireEye" - id = "b0fba130-9cd9-5b7f-a806-9ff8099f5731" + id = "e6c7a1e4-2639-5fc4-a60b-05fefb47715e" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/Trojan_MSIL_GORAT_Module_PowerShell_1.yar#L4-L16" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "e596bc0316a4ef85f04c2683ebc7c94bf9b831843232c33e62c84991e4caeb97" + logic_hash = "v1_sha256_e596bc0316a4ef85f04c2683ebc7c94bf9b831843232c33e62c84991e4caeb97" score = 75 quality = 71 tags = "FILE" @@ -129290,7 +129368,7 @@ rule FIREEYE_RT_Trojan_MSIL_GORAT_Module_Powershell_1 : FILE $typelibguid1 = "845ee9dc-97c9-4c48-834e-dc31ee007c25" ascii nocase wide condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } import "pe" 
@@ -129299,14 +129377,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_4 : FILE meta: description = "Verifies that the sample is a Windows PE that is less than 10MB in size and exports numerous functions that are known to be exported by the Gorat implant. This is done in an effort to provide detection for packed samples that may not have other strings but will need to replicate exports to maintain functionality." author = "FireEye" - id = "fa3bcaad-c210-5b9c-8567-fe85b8e78055" + id = "3cb62012-0414-5842-b3aa-889d41b78ae9" date = "2021-03-03" modified = "2021-03-03" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_4.yar#L5-L16" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "f59095f0ab15f26a1ead7eed8cdb4902" - logic_hash = "ec201614cb91fae9d7c89febfa22dfd6ba7f353e0eeb0b2fec6c8d887992e79e" + logic_hash = "v1_sha256_ec201614cb91fae9d7c89febfa22dfd6ba7f353e0eeb0b2fec6c8d887992e79e" score = 75 quality = 25 tags = "FILE" 
@@ -129316,21 +129394,21 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_4 : FILE $mz = "MZ" condition: - $mz at 0 and uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550 and filesize <10MB and pe.exports("MemoryCallEntryPoint") and pe.exports("MemoryDefaultAlloc") and pe.exports("MemoryDefaultFree") and pe.exports("MemoryDefaultFreeLibrary") and pe.exports("MemoryDefaultGetProcAddress") and pe.exports("MemoryDefaultLoadLibrary") and pe.exports("MemoryFindResource") and pe.exports("MemoryFindResourceEx") and pe.exports("MemoryFreeLibrary") and pe.exports("MemoryGetProcAddress") and pe.exports("MemoryLoadLibrary") and pe.exports("MemoryLoadLibraryEx") and pe.exports("MemoryLoadResource") and pe.exports("MemoryLoadString") and pe.exports("MemoryLoadStringEx") and pe.exports("MemorySizeofResource") and pe.exports("callback") and pe.exports("crosscall2") and pe.exports("crosscall_386") + $mz at 0 and uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 and filesize < 10MB and pe.exports ( "MemoryCallEntryPoint" ) and pe.exports ( "MemoryDefaultAlloc" ) and pe.exports ( "MemoryDefaultFree" ) and pe.exports ( "MemoryDefaultFreeLibrary" ) and pe.exports ( "MemoryDefaultGetProcAddress" ) and pe.exports ( "MemoryDefaultLoadLibrary" ) and pe.exports ( "MemoryFindResource" ) and pe.exports ( "MemoryFindResourceEx" ) and pe.exports ( "MemoryFreeLibrary" ) and pe.exports ( "MemoryGetProcAddress" ) and pe.exports ( "MemoryLoadLibrary" ) and pe.exports ( "MemoryLoadLibraryEx" ) and pe.exports ( "MemoryLoadResource" ) and pe.exports ( "MemoryLoadString" ) and pe.exports ( "MemoryLoadStringEx" ) and pe.exports ( "MemorySizeofResource" ) and pe.exports ( "callback" ) and pe.exports ( "crosscall2" ) and pe.exports ( "crosscall_386" ) } rule FIREEYE_RT_APT_Backdoor_Win_GORAT_2 : FILE { meta: description = "Verifies that the sample is a Windows PE that is less than 10MB in size and has the Go build ID strings. 
Then checks for various strings known to be in the Gorat implant including strings used in C2 json, names of methods, and the unique string 'murica' used in C2 comms. A check is done to ensure the string 'rat' appears in the binary over 1000 times as it is the name of the project used by the implant and is present well over 2000 times." author = "FireEye" - id = "e2c47711-d088-5cb4-8d21-f8199a865a28" + id = "882c743d-dc53-5e80-aa78-f876f73c6833" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_2.yar#L4-L34" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "f59095f0ab15f26a1ead7eed8cdb4902" - logic_hash = "8efc904498386d89879766a5021148a250f639bc328df12a34cfc8d620df6f6c" + logic_hash = "v1_sha256_8efc904498386d89879766a5021148a250f639bc328df12a34cfc8d620df6f6c" score = 75 quality = 50 tags = "FILE" @@ -129359,14 +129437,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_2 : FILE $str11 = "rat.New" ascii wide condition: - uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550 and filesize <10MB and all of ($go*) and all of ($json*) and all of ($str*) and #rat>1000 + uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 and filesize < 10MB and all of ( $go* ) and all of ( $json* ) and all of ( $str* ) and #rat > 1000 } rule FIREEYE_RT_Trojan_Win64_Generic_23 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "470bfeed-e000-58c6-b115-dfa8aea25bef" + id = "7e2fdec7-acb4-59aa-a66c-0ae1fd510bcd" date = "2020-12-02" date = "2020-12-02" modified = "2020-12-09" 
@@ -129374,7 +129452,7 @@ rule FIREEYE_RT_Trojan_Win64_Generic_23 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/supplemental/yara/Trojan_Win64_Generic_23.yar#L4-L22" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "b66347ef110e60b064474ae746701d4a" - logic_hash = "4c1860801b26abbab8c4aea730bf69f388c902083b9945e11e6782af3ab22789" + logic_hash = "v1_sha256_4c1860801b26abbab8c4aea730bf69f388c902083b9945e11e6782af3ab22789" score = 75 quality = 75 tags = "FILE" @@ -129390,14 +129468,14 @@ rule FIREEYE_RT_Trojan_Win64_Generic_23 : FILE $token = { FF 15 [4] 4C 8D 45 ?? BA 0A 00 00 00 48 8B C8 FF 15 [4] 85 C0 75 ?? E9 [4] 48 8D [2-5] 48 89 44 24 28 C7 44 24 20 02 00 00 00 41 B9 02 00 00 00 45 33 C0 BA 0B 00 00 00 48 8B 4D ?? FF 15 [4] 85 C0 75 ?? E9 [4] 4C 8D 8D [4] 45 33 C0 BA 01 00 00 00 33 C9 FF 15 } condition: - (( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B)) and all of them + (( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) ) and all of them } rule FIREEYE_RT_Trojan_Win64_Generic_22 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "e79661a8-5254-5e8e-b92b-edf1ddb072ff" + id = "fde0e6b8-12a5-5afe-97f5-5a8798f668c5" date = "2020-11-26" date = "2020-11-26" modified = "2020-12-09" 
@@ -129405,7 +129483,7 @@ rule FIREEYE_RT_Trojan_Win64_Generic_22 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/supplemental/yara/Trojan_Win64_Generic_22.yar#L4-L22" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "f7d9961463b5110a3d70ee2e97842ed3" - logic_hash = "52fbe5c0ee7c05df5fcd62c26caaa5498e32352da9c5940e522aa31d6c808028" + logic_hash = "v1_sha256_52fbe5c0ee7c05df5fcd62c26caaa5498e32352da9c5940e522aa31d6c808028" score = 75 quality = 75 tags = "FILE" 
@@ -129421,21 +129499,21 @@ rule FIREEYE_RT_Trojan_Win64_Generic_22 : FILE $token = { FF 15 [4] 4C 8D 44 24 ?? BA 0A 00 00 00 48 8B C8 FF 15 [4] 85 C0 0F 84 [4] 48 8B 4C 24 ?? 48 8D [2-3] 41 B9 02 00 00 00 48 89 44 24 28 45 33 C0 C7 44 24 20 02 00 00 00 41 8D 51 09 FF 15 [4] 85 C0 0F 84 [4] 45 33 C0 4C 8D 4C 24 ?? 33 C9 41 8D 50 01 FF 15 } condition: - (( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B)) and all of them + (( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) ) and all of them } rule FIREEYE_RT_Credtheft_Win_EXCAVATOR_1 : FILE { meta: description = "This rule looks for the binary signature of the 'Inject' method found in the main Excavator PE." author = "FireEye" - id = "7cabc230-e55b-5096-996a-b6a8c9693bdc" + id = "93079007-63ee-5450-99c8-f7c6c9c1c393" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/production/yara/CredTheft_Win_EXCAVATOR_1.yar#L4-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "f7d9961463b5110a3d70ee2e97842ed3" - logic_hash = "bf4b776f34a1a9aa5438504f63a63ef452a747363de3b70cec52145d777055bd" + logic_hash = "v1_sha256_bf4b776f34a1a9aa5438504f63a63ef452a747363de3b70cec52145d777055bd" score = 75 quality = 75 tags = "FILE" 
@@ -129448,21 +129526,21 @@ rule FIREEYE_RT_Credtheft_Win_EXCAVATOR_1 : FILE $bytes4 = { 48 89 74 24 ?? 48 89 7C 24 ?? 4C 89 74 24 ?? 55 48 8D 6C 24 ?? 48 81 EC 20 01 00 00 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 45 ?? 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 ?? 48 8D 0D ?? ?? ?? ?? 4C 89 74 24 ?? 0F 11 45 ?? 41 8B FE 4C 89 74 24 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 48 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 BA 00 00 00 02 FF D3 85 C0 75 ?? 66 66 0F 1F 84 00 ?? ?? 00 00 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 3B C6 74 ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 BA 00 00 00 02 FF D3 85 C0 74 ?? EB ?? 48 8B 44 24 ?? 48 89 44 24 ?? 66 0F 6F 15 ?? ?? 01 00 48 8D 05 ?? ?? ?? ?? B9 C8 05 00 00 90 F3 0F 6F 40 ?? 48 8D 40 ?? 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 ?? 66 0F 6F CA F3 0F 6F 40 ?? 66 0F EF C8 F3 0F 7F 48 ?? 66 0F 6F CA F3 0F 6F 40 ?? 66 0F EF C8 F3 0F 7F 48 ?? F3 0F 6F 40 ?? 66 0F EF C2 F3 0F 7F 40 ?? 48 83 E9 01 75 ?? FF 15 ?? ?? ?? ?? 4C 8D 44 24 ?? BA 0A 00 00 00 48 8B C8 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 45 ?? 41 B9 02 00 00 00 48 89 44 24 ?? 45 33 C0 C7 44 24 ?? 02 00 00 00 41 8D 51 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 ?? 33 C9 41 8D 50 ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 4C 8B 44 24 ?? 33 D2 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B F8 48 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 ?? 48 8B C8 41 8D 50 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 4C 89 74 24 ?? 4C 8D 4C 24 ?? 4C 89 74 24 ?? 33 D2 41 B8 00 00 02 00 48 C7 44 24 ?? 08 00 00 00 48 8B CF FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4D ?? 48 8D 45 ?? 48 89 44 24 ?? 4C 8D 05 ?? ?? ?? ?? 48 8D 45 ?? 
48 89 7D ?? 48 89 44 24 ?? 45 33 C9 4C 89 74 24 ?? 33 D2 4C 89 74 24 ?? C7 44 24 ?? 04 00 08 00 44 89 74 24 ?? 4C 89 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? 8B 5D ?? FF 15 ?? ?? ?? ?? 48 8B 4D ?? FF 15 ?? ?? ?? ?? 48 8B 4D ?? FF 15 ?? ?? ?? ?? 44 8B C3 33 D2 B9 3A 04 00 00 FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 48 8B C8 E8 ?? ?? ?? ?? 48 85 C0 74 ?? BA FF FF FF FF 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 FF 74 ?? 48 8B CF FF 15 ?? ?? ?? ?? 33 C0 48 8B 9C 24 ?? ?? ?? ?? 48 8B 4D ?? 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 73 ?? 49 8B 7B ?? 4D 8B 73 ?? 49 8B E3 5D C3 } condition: - uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550 and any of ($bytes*) + uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 and any of ( $bytes* ) } rule FIREEYE_RT_Credtheft_Win_EXCAVATOR_2 : FILE { meta: description = "This rule looks for the binary signature of the routine that calls PssFreeSnapshot found in the Excavator-Reflector DLL." author = "FireEye" - id = "89037b9a-78b0-5a8c-bb60-3d54842d81e1" + id = "9aa2b168-c8a0-52fa-9b5e-90a8ee91e907" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/production/yara/CredTheft_Win_EXCAVATOR_2.yar#L4-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "6a9a114928554c26675884eeb40cc01b" - logic_hash = "408e8862f0c470105648fdba00dc5531ffcd739fa544f89acb70f0fa1b105c03" + logic_hash = "v1_sha256_408e8862f0c470105648fdba00dc5531ffcd739fa544f89acb70f0fa1b105c03" score = 75 quality = 75 tags = "FILE" 
@@ -129475,14 +129553,14 @@ rule FIREEYE_RT_Credtheft_Win_EXCAVATOR_2 : FILE $bytes4 = { 4C 89 74 24 ?? 55 48 8D AC 24 ?? ?? ?? ?? 48 81 EC A0 01 00 00 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 85 ?? ?? ?? ?? BA 50 00 00 00 C7 05 ?? ?? ?? ?? 43 00 3A 00 66 89 15 ?? ?? 01 00 4C 8D 44 24 ?? 48 8D 15 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 5C 00 57 00 33 C9 C7 05 ?? ?? ?? ?? 69 00 6E 00 C7 05 ?? ?? ?? ?? 64 00 6F 00 C7 05 ?? ?? ?? ?? 77 00 73 00 C7 05 ?? ?? ?? ?? 5C 00 4D 00 C7 05 ?? ?? ?? ?? 45 00 4D 00 C7 05 ?? ?? ?? ?? 4F 00 52 00 C7 05 ?? ?? ?? ?? 59 00 2E 00 C7 05 ?? ?? ?? ?? 44 00 4D 00 C7 05 ?? ?? ?? ?? 53 00 65 00 C7 05 ?? ?? ?? ?? 44 00 65 00 C7 05 ?? ?? ?? ?? 42 00 75 00 C7 05 ?? ?? ?? ?? 47 00 50 00 C7 05 ?? ?? ?? ?? 72 00 69 00 C7 05 ?? ?? ?? ?? 56 00 69 00 C7 05 ?? ?? ?? ?? 4C 00 45 00 C7 05 ?? ?? ?? ?? 67 00 65 00 C7 05 ?? ?? ?? ?? 6C 73 61 73 C7 05 ?? ?? ?? ?? 73 2E 65 78 C6 05 ?? ?? ?? ?? 65 FF 15 ?? ?? ?? ?? 45 33 F6 85 C0 74 ?? 48 8B 44 24 ?? 48 89 44 24 ?? C7 44 24 ?? 01 00 00 00 C7 44 24 ?? 02 00 00 00 FF 15 ?? ?? ?? ?? 48 8B C8 4C 8D 44 24 ?? 41 8D 56 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? 4C 8D 44 24 ?? 4C 89 74 24 ?? 45 33 C9 33 D2 4C 89 74 24 ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 89 B4 24 ?? ?? ?? ?? 4C 89 74 24 ?? FF 15 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 0F 84 ?? ?? ?? ?? 33 D2 48 8D 4D ?? 41 B8 04 01 00 00 E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 BA 00 00 00 02 FF D3 85 C0 75 ?? 66 0F 1F 44 00 ?? 48 8B 4C 24 ?? 4C 8D 45 ?? 41 B9 04 01 00 00 33 D2 FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4D ?? E8 ?? ?? ?? ?? 48 85 C0 75 ?? 33 D2 48 8D 4D ?? 41 B8 04 01 00 00 E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 BA 00 00 00 02 FF D3 85 C0 74 ?? 33 C0 E9 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 8B CB FF 15 ?? ?? ?? ?? 8B F0 48 85 DB 74 ?? 85 C0 74 ?? 
4C 8D 4C 24 ?? 48 89 BC 24 ?? ?? ?? ?? BA FD 03 00 AC 41 B8 1F 00 10 00 48 8B CB FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 4C 89 74 24 ?? C7 44 24 ?? 80 00 00 00 48 8D 0D ?? ?? ?? ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 C7 44 24 ?? 01 00 00 00 BA 00 00 00 10 4C 89 74 24 ?? FF 15 ?? ?? ?? ?? 48 8B F8 48 83 F8 FF 74 ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 48 89 44 24 ?? 41 B9 02 00 00 00 4C 89 74 24 ?? 4C 8B C7 8B D6 4C 89 74 24 ?? FF 15 ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B 54 24 ?? 48 8B C8 FF 15 ?? ?? ?? ?? 33 C9 FF 15 ?? ?? ?? ?? CC 48 8B CB FF 15 ?? ?? ?? ?? 48 8B BC 24 ?? ?? ?? ?? 33 C0 48 8B B4 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 33 CC E8 ?? ?? ?? ?? 4C 8B B4 24 ?? ?? ?? ?? 48 81 C4 A0 01 00 00 5D C3 } condition: - uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550 and any of ($bytes*) + uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 and any of ( $bytes* ) } rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "e593b589-747d-53c2-a39a-57485e4f7641" + id = "b5eed807-5766-5b4a-9616-3d8c9fb6ebac" date = "2020-11-30" date = "2020-11-30" modified = "2020-12-09" @@ -129490,7 +129568,7 @@ rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/production/yara/APT_HackTool_Win64_EXCAVATOR_1.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "6a9a114928554c26675884eeb40cc01b" - logic_hash = "aa06628ddef0f95c4217b97a3476a0ee12e00d04c4827a512730598f3c80f1f6" + logic_hash = "v1_sha256_aa06628ddef0f95c4217b97a3476a0ee12e00d04c4827a512730598f3c80f1f6" score = 75 quality = 75 tags = "FILE" 
@@ -129503,14 +129581,14 @@ rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_1 : FILE $lsass = { 6C 73 61 73 [6] 73 2E 65 78 [6] 65 } condition: - (( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B)) and all of them + (( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) ) and all of them } rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_2 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "4b7640e8-5621-5cc3-8ac9-84347f23f5eb" + id = "41ad92ed-8ab3-5627-bbd9-3567bc147815" date = "2020-12-02" date = "2020-12-02" modified = "2020-12-09" @@ -129518,7 +129596,7 @@ rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_2 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/production/yara/APT_HackTool_Win64_EXCAVATOR_2.yar#L4-L19" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "4fd62068e591cbd6f413e1c2b8f75442" - logic_hash = "14263c17323cd78df10f7f101bd7a9c74f7818b34a2e42125d45205067399381" + logic_hash = "v1_sha256_14263c17323cd78df10f7f101bd7a9c74f7818b34a2e42125d45205067399381" score = 75 quality = 75 tags = "FILE" 
@@ -129531,14 +129609,14 @@ rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_2 : FILE $enable_dbg_pri = { 4C 8D 45 ?? 48 8D 15 [4] 33 C9 FF 15 [4] 85 C0 0F 84 [4] C7 45 ?? 01 00 00 00 B8 0C 00 00 00 48 6B C0 00 48 8B 4D ?? 48 89 4C 05 ?? B8 0C 00 00 00 48 6B C0 00 C7 44 05 ?? 02 00 00 00 FF 15 [4] 4C 8D 45 ?? BA 20 00 00 00 48 8B C8 FF 15 [4] 85 C0 74 ?? 48 C7 44 24 28 00 00 00 00 48 C7 44 24 20 00 00 00 00 45 33 C9 4C 8D 45 ?? 33 D2 48 8B 4D ?? FF 15 } condition: - (( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and ( uint16( uint32(0x3C)+0x18)==0x020B)) and all of them + (( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and ( uint16( uint32( 0x3C ) + 0x18 ) == 0x020B ) ) and all of them } rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_2 { meta: description = "wmiexec" author = "FireEye" - id = "f1059f66-eaff-5866-bafb-c94236cf96a0" + id = "ee6d458a-a2dc-5de4-80e6-e5ba069e429d" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" @@ -129546,7 +129624,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_2 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/IMPACKETOBF (Wmiexec)/production/yara/HackTool_PY_ImpacketObfuscation_2.yar#L4-L21" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "f3dd8aa567a01098a8a610529d892485" - logic_hash = "ccbbe507798f16c7acf0780770fdb81b2e7dc333ab8bc51e6216816276c3f14b" + logic_hash = "v1_sha256_ccbbe507798f16c7acf0780770fdb81b2e7dc333ab8bc51e6216816276c3f14b" score = 75 quality = 75 tags = "" 
@@ -129567,14 +129645,14 @@ rule FIREEYE_RT_Hacktool_MSIL_GETDOMAINPASSWORDPOLICY_1 : FILE meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the recon utility 'getdomainpasswordpolicy' project." author = "FireEye" - id = "69745e99-33cc-5171-ae7a-5c98439a0b6d" + id = "4d0aab58-eb94-5396-8b3b-59f05763f413" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/GETDOMAINPASSWORDPOLICY/production/yara/HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "dd8805d0e470e59b829d98397507d8c2" - logic_hash = "6b2ea3ebfea2c87f16052f4a43b64eb2d595c2dd4a64d45dfce1642668dcf602" + logic_hash = "v1_sha256_6b2ea3ebfea2c87f16052f4a43b64eb2d595c2dd4a64d45dfce1642668dcf602" score = 75 quality = 73 tags = "FILE" @@ -129584,14 +129662,14 @@ rule FIREEYE_RT_Hacktool_MSIL_GETDOMAINPASSWORDPOLICY_1 : FILE $typelibguid0 = "a5da1897-29aa-45f4-a924-561804276f08" ascii nocase wide condition: - filesize <10MB and ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and any of them + filesize < 10MB and ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and any of them } rule FIREEYE_RT_APT_Loader_MSIL_WILDCHILD_1 : FILE { meta: description = "No description has been set in the source file - FireEye-RT" author = "FireEye" - id = "b9e0707e-98eb-55da-ad1d-6a84bd113747" + id = "4bfdb131-26d3-5ba7-9355-3e94cbc4259b" date = "2020-12-01" date = "2020-12-01" modified = "2020-12-09" 
@@ -129599,7 +129677,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_WILDCHILD_1 : FILE source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WILDCHILD/production/yara/APT_Loader_MSIL_WILDCHILD_1.yar#L4-L18" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "6f04a93753ae3ae043203437832363c4" - logic_hash = "a600c3d127f77dc1f99160e4a242e005970de0abd1798296b6a351b968ca1350" + logic_hash = "v1_sha256_a600c3d127f77dc1f99160e4a242e005970de0abd1798296b6a351b968ca1350" score = 75 quality = 75 tags = "FILE" 
@@ -129611,21 +129689,21 @@ rule FIREEYE_RT_APT_Loader_MSIL_WILDCHILD_1 : FILE $sb1 = { 6F [2] 00 0A 28 [2] 00 0A 6F [2] 00 0A 13 ?? 28 [2] 00 0A 28 [2] 00 0A 13 ?? 11 ?? 11 ?? 28 [2] 00 0A [0-16] 7B [2] 00 04 1? 20 [4] 28 [2] 00 0A 11 ?? 28 [2] 00 0A 28 [2] 00 0A 7E [2] 00 0A 7E [2] 00 0A 28 [2] 00 06 [0-16] 14 7E [2] 00 0A 7E [2] 00 0A 1? 20 04 00 08 08 7E [2] 00 0A 14 12 ?? 12 ?? 28 [2] 00 06 [0-16] 7B [2] 00 04 7E [2] 00 0A [0-16] 8E ?? 7E [2] 00 04 7E [2] 00 04 28 [2] 00 06 [4-120] 28 [2] 00 06 [0-80] 6F [2] 00 0A 6F [2] 00 0A 28 [2] 00 06 13 ?? 11 ?? 11 ?? 7E [2] 00 0A 28 [2] 00 06 } condition: - ( uint16(0)==0x5A4D and uint32( uint32(0x3C))==0x00004550) and all of them + ( uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 ) and all of them } rule FIREEYE_RT_Dropper_HTA_Wildchild_1 : FILE { meta: description = "This rule looks for strings present in unobfuscated HTAs generated by the WildChild builder." author = "FireEye" - id = "f570baa5-7d58-5a0a-b713-769e62076f76" + id = "894b69c6-5bd8-59ae-a059-3b674f659390" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WILDCHILD/production/yara/Dropper_HTA_WildChild_1.yar#L4-L24" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "3e61ca5057633459e96897f79970a46d" - logic_hash = "60c1d53b8a43b9b7518f3260a4d61c6806641ee894a2a331a3a0a2ea0aff9d99" + logic_hash = "v1_sha256_60c1d53b8a43b9b7518f3260a4d61c6806641ee894a2a331a3a0a2ea0aff9d99" score = 75 quality = 75 tags = "FILE" @@ -129644,21 +129722,21 @@ rule FIREEYE_RT_Dropper_HTA_Wildchild_1 : FILE $script_header = "