Task Information
Task ID: 811cab8f-7a67-11f0-8fb7-42010aa4000b File name: yara-rules-core.yar Task parameters: ClamAV scan: True Unpack: True Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
YARA Results
The following YARA rules matched on the file (static analysis).
Rule name: _Bitchin_Threads_
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file =Bitchin Threads=.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: _network_php_php_xinfo_php_php_nfm_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: _nst_php_php_img_php_php_nstview_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: _r577_php_php_r57_php_php_spy_php_php_s_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: _root_040_zip_Folder_deploy
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file deploy.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Adfind
Author: @bartblaze Description: Identifies Adfind, a Command line Active Directory query tool. Reference: http://www.joeware.net/freetools/tools/adfind/ TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: ADSync_CredDump_Wide
Author: SBousseaden Description: AD Connect Sync Credential Extract Reference: https://blog.xpnsec.com/azuread-connect-for-redteam/ TLP: TLP:WHITE Repository: sbousseaden
Rule name: ADSync_CredDump_Xor
Author: SBousseaden Description: Azure AdSync Service Account Password Dumping Reference: https://blog.xpnsec.com/azuread-connect-for-redteam/ TLP: TLP:WHITE Repository: sbousseaden
Rule name: agent_tesla
Author: Stormshield Description: Detecting HTML strings used by Agent Tesla malware TLP: TLP:WHITE Repository: CAPE
Rule name: AgentTeslaV2
Author: ditekshen Description: AgenetTesla Type 2 Keylogger payload TLP: TLP:WHITE Repository: CAPE
Rule name: AgentTeslaV3
Author: ditekshen Description: AgentTeslaV3 infostealer payload TLP: TLP:WHITE Repository: CAPE
Rule name: Ajan_asp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Ajan.asp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Ajax_PHP_Command_Shell_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: allcome
Author: Michelle Khalil Description: This rule detects unpacked allcome malware samples. TLP: TLP:WHITE Repository: YARAify
Rule name: Antichat_Shell_v1_3_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Antichat Shell v1.3.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Antichat_Socks5_Server_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT28_drovorub_unique_network_comms_strings
Author: NSA / FBI Description: Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based Reference: https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT28_Win_FreshFire
Author: threatintel@volexity.com Description: The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server. Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ TLP: TLP:WHITE
Rule name: APT_APT29_NOBELIUM_BoomBox_May21_1
Author: Florian Roth Description: Detects BoomBox malware as described in APT29 NOBELIUM report Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT29_NOBELIUM_BoomBox_May21_1_RID31ED
Author: Florian Roth Description: Detects BoomBox malware as described in APT29 NOBELIUM report Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ TLP: TLP:WHITE
Rule name: APT_APT29_NOBELIUM_Stageless_Loader_May21_2
Author: Florian Roth (Nextron Systems) Description: Detects stageless loader as used by APT29 / NOBELIUM Reference: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT29_Win_FlipFlop_LDR
Author: threatintel@volexity.com Description: A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload. Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ TLP: TLP:WHITE
Rule name: APT_APT34_PS_Malware_Apr19_1
Author: Florian Roth (Nextron Systems) Description: Detects APT34 PowerShell malware Reference: https://twitter.com/0xffff0800/status/1118406371165126656 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT34_PS_Malware_Apr19_1_RID3047
Author: Florian Roth Description: Detects APT34 PowerShell malware Reference: https://twitter.com/0xffff0800/status/1118406371165126656 TLP: TLP:WHITE
Rule name: APT_APT34_PS_Malware_Apr19_3
Author: Florian Roth (Nextron Systems) Description: Detects APT34 PowerShell malware Reference: https://twitter.com/0xffff0800/status/1118406371165126656 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT34_PS_Malware_Apr19_3_RID3049
Author: Florian Roth Description: Detects APT34 PowerShell malware Reference: https://twitter.com/0xffff0800/status/1118406371165126656 TLP: TLP:WHITE
Rule name: APT_APT41_CN_ELF_Speculoos_Backdoor
Author: Florian Roth (Nextron Systems) Description: Detects Speculoos Backdoor used by APT41 Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT41_CN_ELF_Speculoos_Backdoor_RID3365
Author: Florian Roth Description: Detects Speculoos Backdoor used by APT41 Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/ TLP: TLP:WHITE
Rule name: APT_Backdoor_Win_GoRat_Memory
Author: FireEye Description: Identifies GoRat malware in memory based on strings. Reference: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_Bitter_ZxxZ_Downloader
Author: SECUINFRA Falcon Team (@SI_FalconTeam) Description: Detects Bitter (T-APT-17) ZxxZ Downloader Reference: https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh TLP: TLP:WHITE Repository: SIFalcon
Rule name: APT_Builder_PY_REDFLARE_1
Author: FireEye Description: Detects FireEye's Python Redflar Reference: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_FIN7_Strings_Aug18_1
Author: Florian Roth (Nextron Systems) Description: Detects strings from FIN7 report in August 2018 Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: APT_FIN7_Strings_Aug18_1
Author: Florian Roth Description: Detects strings from FIN7 report in August 2018 Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: APT_FIN7_Strings_Aug18_1_RID2F27
Author: Florian Roth Description: Detects strings from FIN7 report in August 2018 Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html TLP: TLP:WHITE
Rule name: APT_HAFNIUM_Forensic_Artefacts_Mar21_1
Author: Florian Roth (Nextron Systems) Description: Detects forensic artefacts found in HAFNIUM intrusions Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_HAFNIUM_Forensic_Artefacts_Mar21_1_RID3463
Author: Florian Roth Description: Detects forensic artefacts found in HAFNIUM intrusions Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ TLP: TLP:WHITE
Rule name: APT_MAL_CN_Wocao_Agent_Csharp
Author: Fox-IT SRT Description: Strings from CSharp version of Agent Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_agent_powershell_b64encoded
Author: Fox-IT SRT Description: Piece of Base64 encoded data from Agent CSharp version Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_agent_powershell_dropper
Author: Fox-IT SRT Description: Strings from PowerShell dropper of CSharp version of Agent Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_agent_py_b64encoded
Author: Fox-IT SRT Description: Piece of Base64 encoded data from Agent Python version Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_checkadmin_bin
Author: Fox-IT SRT Description: Checkadmin utility Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_getos_py
Author: Fox-IT SRT Description: Python getos utility Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_info_vbs
Author: Fox-IT SRT Description: Strings from the information grabber VBS Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_injector_bin
Author: Fox-IT SRT Description: Process injector/launcher Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_keylogger_py
Author: Fox-IT SRT Description: Strings from Python keylogger Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_timeliner_bin
Author: Fox-IT SRT Description: Timeliner utility Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_webshell_console_jsp
Author: Fox-IT SRT Description: Strings from the console.jsp webshell Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_webshell_ver_jsp
Author: Fox-IT SRT Description: Strings from the ver.jsp webshell Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_webshell_webinfo
Author: Fox-IT SRT Description: Generic strings from webinfo.war webshells Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_xserver_csharp
Author: Fox-IT SRT Description: Strings from the CSharp version of XServer Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_xserver_powershell_b64encoded
Author: Fox-IT SRT Description: Piece of Base64 encoded data from the XServer PowerShell dropper Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_xserver_powershell_dropper
Author: Fox-IT SRT Description: Strings from the PowerShell dropper of XServer Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_DTRACK_Oct19_1
Author: Florian Roth (Nextron Systems) Description: Detects DTRACK malware Reference: https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_HP_iLO_Firmware_Dec21_1
Author: Florian Roth (Nextron Systems) Description: Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021 Reference: https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3
Author: Florian Roth (Nextron Systems) Description: Detects BPFDoor implants used by Chinese actor Red Menshen Reference: https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_LUA_Hunting_Lua_SEASPRAY_1
Author: Mandiant Description: Hunting rule looking for strings observed in SEASPRAY samples. Reference: https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Configuration_Key
Author: FR/ANSSI/SDO Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...] Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted
Author: FR/ANSSI/SDO Description: Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...] Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Socket_Path
Author: FR/ANSSI/SDO Description: Detects path of the unix socket created to prevent concurrent executions in Exaramel malware Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Strings
Author: FR/ANSSI/SDO (composed from 4 saparate rules by Florian Roth) Description: Detects Strings used by Exaramel malware Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Task_Names
Author: FR/ANSSI/SDO Description: Detects names of the tasks received from the CC server in Exaramel malware Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_UNC4841_SEASPY_Jun23_1
Author: Florian Roth Description: Detects SEASPY malware used by UNC4841 in attacks against Barracuda ESG appliances exploiting CVE-2023-2868 Reference: https://blog.talosintelligence.com/alchimist-offensive-framework/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_NK_MAL_DLL_Apr23_1
Author: Florian Roth (Nextron Systems) Description: Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group) Reference: https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_PY_ESXi_Backdoor_Dec22
Author: Florian Roth Description: Detects Python backdoor found on ESXi servers Reference: https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_RANSOM_Lockbit_ForensicArtifacts_Nov23
Author: Florian Roth Description: Detects patterns found in Lockbit TA attacks exploiting Citrixbleed vulnerability CVE 2023-4966 Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_RU_Sandworm_PY_May20_1
Author: Florian Roth (Nextron Systems) Description: Detects Sandworm Python loader Reference: https://twitter.com/billyleonard/status/1266054881225236482 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_RU_Sandworm_PY_May20_1_RID3026
Author: Florian Roth Description: Detects Sandworm Python loader Reference: https://twitter.com/billyleonard/status/1266054881225236482 TLP: TLP:WHITE
Rule name: APT_SharpTongue_JS_SharpExt_Chrome_Extension
Author: threatintel@volexity.com Description: A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim Reference: https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/ TLP: TLP:WHITE
Rule name: APT_Turla_Agent_BTZ_Gen_1
Author: Florian Roth (Nextron Systems) Description: Detects Turla Agent.BTZ Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UA_Hermetic_Wiper_Artefacts_Feb22_1
Author: Florian Roth (Nextron Systems) Description: Detects artefacts found in Hermetic Wiper malware related intrusions Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1
Author: Florian Roth (Nextron Systems) Description: Detects scheduled task pattern found in Hermetic Wiper malware related intrusions Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UNC2447_MAL_SOMBRAT_May21_1
Author: Florian Roth (Nextron Systems) Description: Detects SombRAT samples from UNC2447 campaign Reference: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UNC2447_MAL_SOMBRAT_May21_1_RID3035
Author: Florian Roth Description: Detects SombRAT samples from UNC2447 campaign Reference: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html TLP: TLP:WHITE
Rule name: APT_UNC2447_PS1_WARPRISM_May21_1
Author: Florian Roth (Nextron Systems) Description: Detects WARPRISM PowerShell samples from UNC2447 campaign Reference: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UNC2447_PS1_WARPRISM_May21_1_RID308C
Author: Florian Roth Description: Detects WARPRISM PowerShell samples from UNC2447 campaign Reference: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html TLP: TLP:WHITE
Rule name: APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1
Author: Florian Roth Description: Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability Reference: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ TLP: TLP:WHITE
Rule name: apt_Windows_TA410_X4_strings
Author: ESET Research Description: Matches various strings found in TA410 X4 Reference: https://www.welivesecurity.com/ TLP: TLP:WHITE Repository:
Rule name: APT10_Himawari_strings
Author: JPCERT/CC Incident Response Group Description: detect Himawari(a variant of RedLeaves) in memory Reference: https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf TLP: TLP:WHITE Repository: JPCERTCC
Rule name: APT9002
Author: Seth Hardy Description: 9002 TLP: TLP:WHITE
Rule name: APT9002Strings
Author: Seth Hardy Description: 9002 Identifying Strings TLP: TLP:WHITE
Rule name: Asmodeus_v0_1_pl
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Asmodeus v0.1.pl.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: AutoIT_Script
Author: @bartblaze Description: Identifies AutoIT script. This rule by itself does NOT necessarily mean the detected file is malicious. TLP: TLP:WHITE Repository: bartblaze
Rule name: AveMaria
Author: @bartblaze Description: Identifies AveMaria aka WarZone RAT. TLP: TLP:WHITE Repository: bartblaze
Rule name: Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: aZRaiLPhp_v1_0_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: classified Author: classified Description: classified TLP TLP:AMBER
Rule name: backdoor1_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file backdoor1.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: backdoorfr_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file backdoorfr.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Base64_decoding
Author: iam-py-test Description: Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages) TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: Base64_PS1_Shellcode
Author: Nick Carr, David Ledbetter Description: Detects Base64 encoded PS1 Shellcode Reference: https://twitter.com/ItsReallyNick/status/1062601684566843392 TLP: TLP:WHITE Repository: Neo23x0
Rule name: BatModifier2
Author: Madhav Description: This is a bat file which is setup a game. 49509 TLP: TLP:WHITE Repository: YARAify
Rule name: bdcli100
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file bdcli100.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: bdcli100
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file bdcli100.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: bin_Client
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file Client.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: bin_Client
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file Client.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: BIN_Server
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file Server.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: BIN_Server
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file Server.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: binder2_binder2
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file binder2.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: binder2_binder2
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file binder2.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: BKDR_XZUtil_KillSwitch_CVE_2024_3094_Mar24_1
Author: Florian Roth Description: Detects kill switch used by the backdoored XZ library (xzutil) CVE-2024-3094. Reference: https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01?permalink_comment_id=5006558#gistcomment-5006558 TLP: TLP:WHITE Repository: Neo23x0
Rule name: BKDR_XZUtil_Script_CVE_2024_3094_Mar24_1
Author: Florian Roth Description: Detects make file and script contents used by the backdoored XZ library (xzutil) CVE-2024-3094. Reference: https://www.openwall.com/lists/oss-security/2024/03/29/4 TLP: TLP:WHITE Repository: YARAify
Rule name: BlackDropper
Author: enzok Description: BlackDropper TLP: TLP:WHITE Repository: CAPE
Rule name: BlackGuard_Rule
Author: Jiho Kim Description: Yara rule for BlackGuarad Stealer v1.0 - v3.0 Reference: https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: blackguard_stealer
Author: Michelle Khalil Description: This rule detects unpacked blackguard malware samples. TLP: TLP:WHITE Repository: YARAify
Rule name: BlackTech_PLEAD_mutex
Author: JPCERT/CC Incident Response Group Description: PLEAD malware mutex strings TLP: TLP:WHITE Repository: JPCERTCC
Rule name: BluenoroffPoS_DLL
Author: http://blog.trex.re.kr/ Description: Bluenoroff POS malware - hkp.dll Reference: http://blog.trex.re.kr/3?category=737685 TLP: TLP:WHITE Repository: Neo23x0
Rule name: BluesPortScan
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file BluesPortScan.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Borland
Author: malware-lu TLP: TLP:WHITE Repository:
Rule name: botnet_plaintext_c2
Author: cip Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols. TLP: TLP:WHITE Repository: YARAify
Rule name: by063cli
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file by063cli.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: by063cli
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file by063cli.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: by064cli
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file by064cli.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: by064cli
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file by064cli.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: BypassUac2
Author: yarGen Yara Rule Generator Description: Auto-generated rule - file BypassUac2.zip TLP: TLP:WHITE Repository: Neo23x0
Rule name: byshell063_ntboot_2
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file ntboot.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: byshell063_ntboot_2
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file ntboot.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: c99madshell_v2_0_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file c99madshell_v2.0.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Casus15_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Casus15.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Cerberus
Author: Jean-Philippe Teissier / @Jipe_ Description: Cerberus TLP: TLP:WHITE
Rule name: cgi_python_py
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file cgi-python.py.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: CGISscan_CGIScan
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file CGIScan.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Check_Dlls
TLP: TLP:WHITE Repository:
Rule name: ciscotools
Author: Tim Brown @timb_machine Description: Cisco tools TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: CmdAsp_asp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file CmdAsp.asp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: cmdjsp_jsp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file cmdjsp.jsp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Cobaltbaltstrike_Beacon_Encoded
Author: Avast Threat Intel Team Description: Detects CobaltStrike payloads Reference: https://github.com/avast/ioc TLP: TLP:WHITE Repository: Neo23x0
Rule name: Cobaltgang_PDF_Metadata_Rev_A
Author: Palo Alto Networks Unit 42 Description: Find documents saved from the same potential Cobalt Gang PDF template Reference: https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: CobaltStrike_Resources_Template_Py_v3_3_to_v4_x
Author: gssincla@google.com Description: Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x Reference: https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse TLP: TLP:WHITE Repository: Neo23x0
Rule name: CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13
Author: gssincla@google.com Description: Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13 Reference: https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse TLP: TLP:WHITE Repository: Neo23x0
Rule name: CobaltStrikeBeacon
Author: ditekshen, enzo & Elastic Description: Cobalt Strike Beacon Payload TLP: TLP:WHITE Repository: CAPE
Rule name: connectback2_pl
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file connectback2.pl.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: connector
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file connector.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: connector
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file connector.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: crack_Loader
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file Loader.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: CryLock
Author: @bartblaze Description: Identifies CryLock aka Cryakl ransomware. TLP: TLP:WHITE Repository: bartblaze
Rule name: csh_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file csh.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: cyberlords_sql_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file cyberlords_sql.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: darkgate_
Author: Michelle Khalil Description: This rule detects unpacked darkgate malware samples. TLP: TLP:WHITE Repository: YARAify
Rule name: Darkside
Author: @bartblaze Description: Identifies Darkside ransomware. TLP: TLP:WHITE Repository: bartblaze
Rule name: DarkSpy105
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file DarkSpy105.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: DarkSpy105
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file DarkSpy105.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: dbgiis6cli
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file dbgiis6cli.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: dbgiis6cli
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file dbgiis6cli.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: dbgntboot
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file dbgntboot.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: dbgntboot
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file dbgntboot.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: Debug_cress
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file cress.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Debug_cress
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file cress.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara TLP: TLP:WHITE
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara TLP: TLP:WHITE
Rule name: DeepPanda_htran_exe
Author: Florian Roth (Nextron Systems) Description: Hack Deep Panda - htran-exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: DefenderControl
Author: @bartblaze Description: Identifies Defender Control, used by attackers to disable Windows Defender. Reference: https://www.sordum.org/9480/defender-control-v1-8/ TLP: TLP:WHITE Repository: bartblaze
Rule name: dependsonpythonailib
Author: Tim Brown Description: Hunts for dependencies on Python AI libraries TLP: TLP:WHITE Repository: YARAify
Rule name: classified Author: classified Description: classified
Rule name: detect_powershell
Author: daniyyell Description: Detects suspicious PowerShell activity related to malware execution TLP: TLP:WHITE Repository: YARAify
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell Description: Detects obfuscated PowerShell commands commonly used in malicious scripts. TLP: TLP:WHITE Repository: YARAify
Rule name: Detect_Remcos_RAT
Author: daniyyell Description: Detects Remcos RAT payloads and commands TLP: TLP:WHITE Repository: YARAify
Rule name: DetectEncryptedVariants
Author: Zinyth Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded TLP: TLP:WHITE Repository: YARAify
Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber Description: Detects Go method signatures in unpacked Go binaries TLP: TLP:WHITE Repository: YARAify
Rule name: dgaaga
Author: Harshit Description: Detects suspicious PowerShell or registry activity TLP: TLP:WHITE Repository: YARAify
Rule name: Disable_Defender
Author: iam-py-test Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: dsc
Author: Aaron DeVera Description: Discord domains TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: Dx_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Dx.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: echelon
Author: Michelle Khalil Description: This rule detects unpacked echelon malware samples. TLP: TLP:WHITE Repository: YARAify
Rule name: EditServer_2
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file EditServer.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: EditServer_2
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file EditServer.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: EditServer_3
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file EditServer.exe TLP: TLP:WHITE Repository:
Rule name: EditServer_EXE
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file EditServer.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: EFSO_2_asp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file EFSO_2.asp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: elf_bpfdoor_w2
Author: Florian Roth Description: Detects BPFDoor implants used by Chinese actor Red Menshen Reference: https://twitter.com/jcksnsec/status/1522163033585467393 TLP: TLP:WHITE Repository: Malpedia
Rule name: elf_kobalos_w1
Author: Marc-Etienne M.Léveillé Description: Kobalos SSH credential stealer seen in OpenSSH client Reference: http://www.welivesecurity.com TLP: TLP:WHITE Repository: Malpedia
Rule name: Elf_plead
Author: JPCERT/CC Incident Response Group Description: ELF_PLEAD TLP: TLP:WHITE Repository: JPCERTCC
Rule name: elf_winnti_w0
Author: Silas Cutler (havex [@] chronicle.security), Chronicle Security TLP: TLP:WHITE Repository: Malpedia
Rule name: elmaliseker
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file elmaliseker.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: elmaliseker
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file elmaliseker.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: elmaliseker_asp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file elmaliseker.asp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_Cleo_Exploitation_Log_Indicators_Dec24
Author: Florian Roth Description: Detects indicators found in logs during and after Cleo software exploitation (as reported by Huntress in December 2024) Reference: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild TLP: TLP:WHITE
Rule name: EXPL_GitLab_CE_RCE_CVE_2021_22205
Author: Florian Roth (Nextron Systems) Description: Detects signs of exploitation of GitLab CE CVE-2021-22205 Reference: https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1
Author: Florian Roth (Nextron Systems) Description: Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065 Reference: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ TLP: TLP:WHITE
Rule name: EXPL_ManageEngine_CVE_2022_47966_Jan23_1
Author: Florian Roth (Nextron Systems) Description: Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3 Reference: https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_PaloAlto_CVE_2024_3400_Apr24_1
Author: Florian Roth Description: Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400 Reference: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_POC_SpringCore_0day_Indicators_Mar22_1
Author: Florian Roth (Nextron Systems) Description: Detects indicators found after SpringCore exploitation attempts and in the POC script Reference: https://twitter.com/vxunderground/status/1509170582469943303 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_Shitrix_Exploit_Code_Jan20_1
Author: Florian Roth (Nextron Systems) Description: Detects payloads used in Shitrix exploitation CVE-2019-19781 Reference: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_Shitrix_Exploit_Code_Jan20_1_RID331C
Author: Florian Roth Description: Detects payloads used in Shitrix exploitation CVE-2019-19781 Reference: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/ TLP: TLP:WHITE
Rule name: EXT_MAL_SystemBC_Mar22_1
Author: Thomas Barabosch, Deutsche Telekom Security Description: Detects unpacked SystemBC module as used by Emotet in March 2022 Reference: https://twitter.com/Cryptolaemus1/status/1502069552246575105 TLP: TLP:WHITE Repository: Neo23x0
Rule name: FeliksPack3___PHP_Shells_ssh
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file ssh.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: FeliksPack3___PHP_Shells_usr
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file usr.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip. TLP: TLP:WHITE Repository: YARAify
Rule name: FSO_s_casus15_2
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file casus15.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: FSO_s_casus15_2
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file casus15.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: FSO_s_phpinj
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file phpinj.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: FSO_s_phpinj
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file phpinj.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: FSO_s_reader
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file reader.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: FSO_s_reader
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file reader.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: FSO_s_zehir4
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file zehir4.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: FSO_s_zehir4
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file zehir4.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: fuckphpshell_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file fuckphpshell.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: generic_IG_stealer
Author: RE4rensics Description: Detects stealers that interacts with IG endpoints after stealing IG cookies TLP: TLP:WHITE Repository: YARAify
Rule name: Gmer
Author: @bartblaze Description: Identifies Gmer, sometimes used by attackers to disable security software. Reference: http://www.gmer.net/ TLP: TLP:WHITE Repository: bartblaze
Rule name: h4ntu_shell__powered_by_tsoi_
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Hacktool_Strings_p0wnedShell
Author: Florian Roth Description: Detects strings found in Runspace Post Exploitation Toolkit Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE Repository: Neo23x0
Rule name: Hacktool_Strings_p0wnedShell_RID3234
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE
Rule name: hidshell_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file hidshell.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Himawari
Author: JPCERT/CC Incident Response Group Description: detect Himawari(a variant of RedLeaves) in memory Reference: https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf TLP: TLP:WHITE Repository: JPCERTCC
Rule name: hkdoordll
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file hkdoordll.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: hkdoordll
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file hkdoordll.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: hkshell_hkrmv
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file hkrmv.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: hkshell_hkrmv
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file hkrmv.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: hkshell_hkshell
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file hkshell.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: hkshell_hkshell
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file hkshell.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_bdcli100_RID2B32
Author: Florian Roth Description: Webshells Auto-generated - file bdcli100.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_BIN_Server_RID2C52
Author: Florian Roth Description: Webshells Auto-generated - file Server.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_by063cli_RID2B4F
Author: Florian Roth Description: Webshells Auto-generated - file by063cli.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_by064cli_RID2B50
Author: Florian Roth Description: Webshells Auto-generated - file by064cli.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_CobaltStrike_Beacon_Strings
Author: Elastic Description: Identifies strings used in Cobalt Strike Beacon DLL Reference: https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_dbgiis6cli_RID2C83
Author: Florian Roth Description: Webshells Auto-generated - file dbgiis6cli.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_dbgntboot_RID2C66
Author: Florian Roth Description: Webshells Auto-generated - file dbgntboot.dll Reference: - TLP: TLP:WHITE
Rule name: HKTL_Debug_cress_RID2D09
Author: Florian Roth Description: Webshells Auto-generated - file cress.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_EditServer_2_RID2D31
Author: Florian Roth Description: Webshells Auto-generated - file EditServer.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_hkdoordll_RID2C66
Author: Florian Roth Description: Webshells Auto-generated - file hkdoordll.dll Reference: - TLP: TLP:WHITE
Rule name: HKTL_hkshell_hkrmv_RID2E15
Author: Florian Roth Description: Webshells Auto-generated - file hkrmv.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_IP_Stealing_Utilities_RID30ED
Author: Florian Roth Description: Semiautomatically generated YARA rule on file IP Stealing Utilities.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_Khepri_Beacon_Sep21_1
Author: Florian Roth (Nextron Systems) Description: Detects Khepri C2 framework beacons Reference: https://github.com/geemion/Khepri/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Lazagne_Gen_18
Author: Florian Roth (Nextron Systems) Description: Detects Lazagne password extractor hacktool Reference: https://github.com/AlessandroZ/LaZagne TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Lazagne_Gen_18_RID2DA6
Author: Florian Roth Description: Detects Lazagne password extractor hacktool Reference: https://github.com/AlessandroZ/LaZagne TLP: TLP:WHITE
Rule name: HKTL_Mithril_tool_RID2D99
Author: Florian Roth Description: Webshells Auto-generated - file Mithril.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_NATBypass_Dec22_1
Author: Florian Roth (Nextron Systems) Description: Detects NatBypass tool (also used by APT41) Reference: https://github.com/cw1997/NATBypass TLP: TLP:WHITE
Rule name: HKTL_NetBIOS_Name_Scanner_RID3000
Author: Florian Roth Description: Semiautomatically generated YARA rule on file NetBIOS Name Scanner.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_NFS_Fuse_NFS
Author: Moritz Oettle Description: Detects the nfs-security-tooling fuse_nfs by HvS Consulting Reference: https://github.com/hvs-consulting/nfs-security-tooling TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_NFS_NFS_Analyze
Author: Marc Stroebel Description: Detects the nfs-security-tooling nfy_analyze by HvS Consulting Reference: https://github.com/hvs-consulting/nfs-security-tooling TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine
Author: Florian Roth (Nextron Systems) Description: Detects PowerShell Oneliner in Nishang's repository Reference: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine_RID379E
Author: Florian Roth Description: Detects PowerShell Oneliner in Nishang's repository Reference: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1 TLP: TLP:WHITE
Rule name: HKTL_NoPowerShell
Author: Florian Roth (Nextron Systems) Description: Detects NoPowerShell hack tool Reference: https://github.com/bitsadmin/nopowershell TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_NoPowerShell_RID2D65
Author: Florian Roth Description: Detects NoPowerShell hack tool Reference: https://github.com/bitsadmin/nopowershell TLP: TLP:WHITE
Rule name: HKTL_PasswordReminder_RID2F2C
Author: Florian Roth Description: Webshells Auto-generated - file PasswordReminder.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_PortRacer_RID2C35
Author: Florian Roth Description: Semiautomatically generated YARA rule on file PortRacer.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_PortScanner_RID2D12
Author: Florian Roth Description: Semiautomatically generated YARA rule on file PortScanner.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_PortScanner_Simple_Jan14
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file PortScanner.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_PowerKatz_Feb19_1
Author: Florian Roth (Nextron Systems) Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_PowerKatz_Feb19_1_RID2EB0
Author: Florian Roth Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE
Rule name: HKTL_PS1_PowerCat_Mar21
Author: Florian Roth (Nextron Systems) Description: Detects PowerCat hacktool Reference: https://github.com/besimorhino/powercat TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_PS1_PowerCat_Mar21_RID2EDD
Author: Florian Roth Description: Detects PowerCat hacktool Reference: https://github.com/besimorhino/powercat TLP: TLP:WHITE
Rule name: HKTL_rdrbs084_RID2B5C
Author: Florian Roth Description: Webshells Auto-generated - file rdrbs084.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_rdrbs100_RID2B51
Author: Florian Roth Description: Webshells Auto-generated - file rdrbs100.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_scanarator_RID2CD1
Author: Florian Roth Description: Semiautomatically generated YARA rule on file scanarator.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_Unknown_Feb19_1
Author: Florian Roth (Nextron Systems) Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Unknown_Feb19_1_RID2DF9
Author: Florian Roth Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE
Rule name: HKTL_Unpack_Injectt_RID2E35
Author: Florian Roth Description: Webshells Auto-generated - file Injectt.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_vanquish_2_RID2CA3
Author: Florian Roth Description: Webshells Auto-generated - file vanquish.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_Venom_LIB_Dec22
Author: Ido Veltzman, Florian Roth Description: Detects Venom - a library that meant to perform evasive communication using stolen browser socket Reference: https://github.com/Idov31/Venom TLP: TLP:WHITE Repository: Neo23x0
Rule name: HTML_Windows_Search_Abuse
Author: marcin@ulikowski.pl Description: Detects HTML files abusing Windows system functionalities to redirect and download malicious payloads TLP: TLP:WHITE Repository:
Rule name: HYTop_CaseSwitch_2005
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file 2005.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: HYTop_CaseSwitch_2005
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file 2005.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: HYTop_DevPack_server
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file server.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: HYTop_DevPack_server
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file server.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: HYTop_DevPack_server_RID2ED8
Author: Florian Roth Description: Webshells Auto-generated - file server.asp Reference: - TLP: TLP:WHITE
Rule name: HYTop_DevPack_upload
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file upload.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: HYTop_DevPack_upload
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file upload.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: HYTop2006_rar_Folder_2006
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file 2006.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: HYTop2006_rar_Folder_2006
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file 2006.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: IcedID_init_loader
Author: @bartblaze Description: Identifies IcedID (stage 1 and 2, initial loaders). TLP: TLP:WHITE Repository: bartblaze
Rule name: IDATDropper
Author: NDA0E Description: Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta). TLP: TLP:WHITE Repository: YARAify
Rule name: IIS_Group14
Author: ESET Research Description: Detects Group 14 native IIS malware family Reference: https://www.welivesecurity.com/ TLP: TLP:WHITE Repository:
Rule name: Impacket
Author: @bartblaze Description: Identifies Impacket, a collection of Python classes for working with network protocols. Reference: https://github.com/SecureAuthCorp/impacket TLP: TLP:WHITE Repository: bartblaze
Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references TLP: TLP:WHITE
Rule name: INDICATOR_TOOL_GoCLR
Author: ditekSHen Description: Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory TLP: TLP:WHITE Repository: diˈtekSHən
Rule name: installer
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file installer.cmd TLP: TLP:WHITE Repository: Neo23x0
Rule name: installer
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file installer.cmd TLP: TLP:WHITE Repository: Neo23x0
Rule name: IP_Stealing_Utilities
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file IP Stealing Utilities.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: ironshell_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file ironshell.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: IronTiger_ASPXSpy
Author: Cyber Safety Solutions, Trend Micro Description: ASPXSpy detection. It might be used by other fraudsters Reference: http://goo.gl/T5fSJC TLP: TLP:WHITE Repository:
Rule name: IronTiger_wmiexec
Author: Cyber Safety Solutions, Trend Micro Description: Iron Tiger Tool - wmi.vbs detection Reference: http://goo.gl/T5fSJC TLP: TLP:WHITE Repository: Neo23x0
Rule name: Java_Shell_js
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Java Shell.js.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: js_node_rat_w0
Author: JPCERT/CC Incident Response Group Description: detect Noderat in memory Reference: https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html TLP: TLP:WHITE Repository: Malpedia
Rule name: jsp_reverse_jsp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file jsp-reverse.jsp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: jspshall_jsp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file jspshall.jsp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: JspWebshell_1_2_jsp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file JspWebshell 1.2.jsp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Jupyter_infostealer
Author: CD_R0M_ Description: Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022 TLP: TLP:WHITE Repository: CD-R0M
Rule name: Jupyter_Infostealer_PowerShell
Author: Lucas Acha (http://www.lukeacha.com) Description: observed powershell command strings Reference: http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html TLP: TLP:WHITE Repository:
Rule name: kacak_asp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file kacak.asp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: kill_explorer
Author: iam-py-test Description: Detect files killing explorer.exe TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: KINS_dropper
Author: AlienVault Labs aortega@alienvault.com Description: Match protocol, process injects and windows exploit present in KINS dropper Reference: http://goo.gl/arPhm3 TLP: TLP:WHITE Repository: Neo23x0
Rule name: kobalos_ssh_credential_stealer
Author: Marc-Etienne M.Léveillé Description: Kobalos SSH credential stealer seen in OpenSSH client Reference: http://www.welivesecurity.com TLP: TLP:WHITE Repository:
Rule name: kraken_cryptor_ransomware
Author: Marc Rivero | McAfee ATR Team Description: Rule to detect the Kraken Cryptor Ransomware Reference: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/ TLP: TLP:WHITE Repository: advanced-threat-research
Rule name: lamashell_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file lamashell.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: LaZagne
Author: @bartblaze Description: Identifies LaZagne, credentials recovery project. Reference: https://github.com/AlessandroZ/LaZagne TLP: TLP:WHITE Repository: bartblaze
Rule name: Lazarus_BTREE_str
Author: JPCERT/CC Incident Response Group Description: BTREE malware using Lazarus TLP: TLP:WHITE Repository: JPCERTCC
Rule name: Linux_Exploit_Log4j_7fc4d480
Author: Elastic Security Reference: https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security TLP: TLP:WHITE Repository: elastic
Rule name: LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1
Author: Florian Roth (Nextron Systems) Description: Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting Reference: https://twitter.com/jdferrell3/status/1368626281970024448 TLP: TLP:WHITE
Rule name: LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21
Author: Florian Roth (Nextron Systems) Description: Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539 Reference: https://us-cert.cisa.gov/ncas/alerts/aa21-259a TLP: TLP:WHITE
Rule name: LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1
Author: Florian Roth Description: Detects a potential compromise indicator found in MOVEit Transfer logs Reference: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response TLP: TLP:WHITE Repository: Neo23x0
Rule name: LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2
Author: Florian Roth Description: Detects a potential compromise indicator found in MOVEit Transfer logs Reference: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response TLP: TLP:WHITE Repository: Neo23x0
Rule name: LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_3
Author: Nasreddine Bencherchali Description: Detects a potential compromise indicator found in MOVEit DMZ Web API logs Reference: https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis TLP: TLP:WHITE Repository: Neo23x0
Rule name: LOG_EXPL_ProxyToken_Exploitation_Aug21_1
Author: Florian Roth (Nextron Systems) Description: Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system Reference: https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server TLP: TLP:WHITE Repository: Neo23x0
Rule name: LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1
Author: Florian Roth (Nextron Systems) Description: Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup Reference: https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/ TLP: TLP:WHITE
Rule name: LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1_RID3A2F
Author: Florian Roth Description: Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup Reference: https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/ TLP: TLP:WHITE
Rule name: LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22
Author: Florian Roth (Nextron Systems) Description: Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers Reference: https://github.com/testanull/ProxyNotShell-PoC TLP: TLP:WHITE Repository: Neo23x0
Rule name: LucaStealer
Author: Chat3ux Description: Lucasstealer TLP: TLP:WHITE Repository: YARAify
Rule name: Lumma_Stealer_Detection
Author: ashizZz Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/ TLP: TLP:WHITE Repository: YARAify
Rule name: lurm_safemod_on_cgi
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file lurm_safemod_on.cgi.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: MacOS_Trojan_KandyKorn_a7bb6944
Author: Elastic Security Reference: https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn TLP: TLP:WHITE Repository: elastic
Rule name: MacOS_Trojan_RustBucket_e64f7a92
Author: Elastic Security Reference: https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket TLP: TLP:WHITE Repository: elastic
Rule name: MAL_APT_NK_Andariel_KaosRAT_Yamabot
Author: CISA.gov Description: Detects the KaosRAT variant Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_ELF_SALTWATER_Jun23_1
Author: Florian Roth Description: Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868) Reference: https://www.barracuda.com/company/legal/esg-vulnerability TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_EXPL_Perfctl_Oct24
Author: Florian Roth Description: Detects exploits used in relation with Perfctl malware campaigns Reference: https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_Github_Repo_Compromise_MyJino_Ru_Aug22
Author: Florian Roth (Nextron Systems) Description: Detects URL mentioned in report on compromised Github repositories in August 2022 Reference: https://twitter.com/stephenlacy/status/1554697077430505473 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_Go_Modbus_Jul24_1
Author: Florian Roth Description: Detects characteristics reported by Dragos for FrostyGoop ICS malware Reference: https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_Grace_Dec22
Author: X__Junior Description: Detects Grace (aka FlawedGrace and GraceWire) RAT Reference: https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_HawkEye_Keylogger_Gen_Dec18
Author: Florian Roth (Nextron Systems) Description: Detects HawkEye Keylogger Reborn Reference: https://twitter.com/James_inthe_box/status/1072116224652324870 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_HawkEye_Keylogger_Gen_Dec18_RID324D
Author: Florian Roth Description: Detects HawkEye Keylogger Reborn Reference: https://twitter.com/James_inthe_box/status/1072116224652324870 TLP: TLP:WHITE
Rule name: MAL_IcedId_Core_LDR_202104
Author: Thomas Barabosch, Telekom Security Description: 2021 loader for Bokbot / Icedid core (license.dat) Reference: https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_LNX_CamaroDragon_HorseShell_Oct23
Author: Florian Roth Description: Detects CamaroDragon's HorseShell implant for routers Reference: https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_LNX_CamaroDragon_Sheel_Oct23
Author: Florian Roth Description: Detects CamaroDragon's tool named sheel Reference: https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_LNX_RedMenshen_BPFDoor_May23_1
Author: Florian Roth Description: Detects BPFDoor malware Reference: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_PY_Dimorf
Author: Silas Cutler Description: Detection for Dimorf ransomeware Reference: https://github.com/Ort0x36/Dimorf TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_QBot_HTML_Smuggling_Indicators_Oct22_1
Author: Florian Roth (Nextron Systems) Description: Detects double encoded PKZIP headers as seen in HTML files used by QBot Reference: https://twitter.com/ankit_anubhav/status/1578257383133876225?s=20&t=Bu3CCJCzImpTGOQX_KGsdA TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_Crime_DearCry_Mar2021_1
Author: Nils Kuhnert Description: Triggers on strings of known DearCry samples Reference: https://twitter.com/phillip_misner/status/1370197696280027136 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_DarkBit_Feb23_1
Author: Florian Roth Description: Detects indicators found in DarkBit ransomware Reference: https://twitter.com/idonaor1/status/1624703255770005506?s=12&t=mxHaauzwR6YOj5Px8cIeIw TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_Darkside_May21_1
Author: Florian Roth (Nextron Systems) Description: Detects Darkside Ransomware Reference: https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_Darkside_May21_1_RID3019
Author: Florian Roth Description: Detects Darkside Ransomware Reference: https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/ TLP: TLP:WHITE
Rule name: MAL_RANSOM_ELF_ESXi_Attacks_Feb23_1
Author: Florian Roth Description: Detects ransomware exploiting and encrypting ESXi servers Reference: https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_LNX_macOS_LockBit_Apr23_1
Author: Florian Roth Description: Detects LockBit ransomware samples for Linux and macOS Reference: https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_LockBit_Locker_LOG_Apr23_1
Author: Florian Roth Description: Detects indicators found in LockBit ransomware log files Reference: https://objective-see.org/blog/blog_0x75.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_vanquish_RID2BB9
Author: Florian Roth Description: Webshells Auto-generated - file vanquish.dll Reference: - TLP: TLP:WHITE
Rule name: MAL_WAR_Ivanti_EPMM_MobileIron_LogClear_JAVA_Aug23
Author: Florian Roth Description: Detects LogClear.class found in the Ivanti EPMM / MobileIron Core compromises exploiting CVE-2023-35078 Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a TLP: TLP:WHITE Repository: Neo23x0
Rule name: malware_apt15_generic
Author: David Cannings Description: Find generic data potentially relating to AP15 tools TLP: TLP:WHITE Repository: Neo23x0
Rule name: malware_Nanocore_strings
Author: JPCERT/CC Incident Response Group Description: detect Nanocore in memory Reference: internal research TLP: TLP:WHITE Repository: JPCERTCC
Rule name: malware_netwire_strings
Author: JPCERT/CC Incident Response Group Description: detect netwire in memory Reference: internal research TLP: TLP:WHITE Repository: JPCERTCC
Rule name: malware_Noderat_strings
Author: JPCERT/CC Incident Response Group Description: detect Noderat in memory Reference: https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html TLP: TLP:WHITE Repository: JPCERTCC
Rule name: malware_sakula_memory
Author: David Cannings Description: Sakula malware - strings after unpacking (memory rule) TLP: TLP:WHITE Repository: Neo23x0
Rule name: malware_Ursnif_strings
Author: JPCERT/CC Incident Response Group Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Reference: internal research TLP: TLP:WHITE Repository: JPCERTCC
Rule name: MALWARE_Win_HoudiniConfig
Author: ditekshen Description: Detects Houdini Trojan configurations Reference: https://github.com/ditekshen/back-in-2017 TLP: TLP:WHITE Repository: diˈtekSHən
Rule name: MALWARE_Win_QuilClipper
Author: ditekSHen Description: Detects QuilClipper variants mostly in memory or extracted AutoIt script TLP: TLP:WHITE Repository: diˈtekSHən
Rule name: MALWARE_Win_Qulab
Author: ditekSHen Description: Qulab information stealer payload or artifacts TLP: TLP:WHITE Repository: diˈtekSHən
Rule name: Matanbuchus_name_only
Author: James_inthe_box Description: Matanbuchus Reference: https://twitter.com/pr0xylife/status/1537511268591992840 TLP: TLP:WHITE Repository: silence-is-best
Rule name: meduza
Author: Michelle Khalil Description: This rule detects unpacked meduza malware samples. TLP: TLP:WHITE Repository: YARAify
Rule name: mercurial
Author: Michelle Khalil Description: This rule detects unpacked mercurial malware samples. TLP: TLP:WHITE Repository: YARAify
Rule name: mht_inside_word
Author: dPhish Description: Detect embedded mht files inside microsfot word. TLP: TLP:WHITE
Rule name: Mimikatz_Memory_Rule_1
Author: Florian Roth Description: Detects password dumper mimikatz in memory TLP: TLP:WHITE
Rule name: Mimikatz_SampleSet_5
Author: Florian Roth - Florian Roth Description: Mimikatz Rule generated from a big Mimikatz sample set TLP: TLP:WHITE
Rule name: Mithril_Mithril
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file Mithril.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Mithril_Mithril
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file Mithril.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Multi_Hacktool_Rakshasa_d5d3ef21
Author: Elastic Security Reference: https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657 TLP: TLP:WHITE Repository: elastic
Rule name: multiple_php_webshells
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - from files multiple_php_webshells TLP: TLP:WHITE Repository: Neo23x0
Rule name: mysql_shell_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file mysql_shell.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: MySQL_Web_Interface_Version_0_8_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group Description: detect Nanocore in memory Reference: internal research TLP: TLP:WHITE Repository: JPCERTCC
Rule name: NET
Author: malware-lu TLP: TLP:WHITE Repository:
Rule name: NetBIOS_Name_Scanner
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file NetBIOS Name Scanner.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: netwire
Author: JPCERT/CC Incident Response Group Description: detect netwire in memory Reference: internal research TLP: TLP:WHITE Repository: jeFF0Falltrades
Rule name: NetWiredRC_B
Author: Jean-Philippe Teissier / @Jipe_ Description: NetWiredRC TLP: TLP:WHITE
Rule name: ngh_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file ngh.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Noderat
Author: JPCERT/CC Incident Response Group Description: detect Noderat in memory Reference: https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html TLP: TLP:WHITE Repository: JPCERTCC
Rule name: NT_Addy_asp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file NT Addy.asp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: p0wnedPowerCat
Author: Florian Roth (Nextron Systems) Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE Repository: Neo23x0
Rule name: p0wnedPowerCat_RID2C84
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat_RID2C84.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE
Rule name: Parallax
Author: @bartblaze Description: Identifies Parallax RAT. TLP: TLP:WHITE Repository: bartblaze
Rule name: PasswordReminder
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file PasswordReminder.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: PasswordReminder
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file PasswordReminder.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: perlbot_pl
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file perlbot.pl.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: PHANTASMA_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file PHANTASMA.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: PHP_Backdoor_Connect_pl_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: php_backdoor_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file php-backdoor.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: php_include_w_shell_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file php-include-w-shell.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: PHP_shell
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: PHP_shell
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: PHP_Shell_v1_7
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file PHP_Shell_v1.7.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: PHP_Shell_v1_7
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file PHP_Shell_v1.7.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: pHpINJ_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file pHpINJ.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: phpjackal_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file phpjackal.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: phpshell17_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file phpshell17.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: phvayvv_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file phvayvv.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Phyton_Shell_py
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Phyton Shell.py.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: PingPull_mem
Author: James_inthe_box Description: GALLIUM PingPull Reference: https://unit42.paloaltonetworks.com/pingpull-gallium/ TLP: TLP:WHITE Repository: silence-is-best
Rule name: PortRacer
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file PortRacer.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: portscan
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file portscan.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: PortScanner
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file PortScanner.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: classified Author: classified Description: classified TLP TLP:AMBER
Rule name: power_pe_injection
Author: Benjamin DELPY (gentilkiwi) Description: PowerShell with PE Reflective Injection TLP: TLP:WHITE Repository: Neo23x0
Rule name: PowerTool
Author: @bartblaze Description: Identifies PowerTool, sometimes used by attackers to disable security software. Reference: https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml TLP: TLP:WHITE Repository: bartblaze
Rule name: ProPort_zip_Folder_ProPort
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file ProPort.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Pupy_Backdoor
Author: Florian Roth (Nextron Systems) Description: Detects Pupy backdoor Reference: https://github.com/n1nj4sec/pupy-binaries TLP: TLP:WHITE Repository: Neo23x0
Rule name: Pupy_Backdoor_RID2C43
Author: Florian Roth Description: Detects Pupy backdoor Reference: https://github.com/n1nj4sec/pupy-binaries TLP: TLP:WHITE
Rule name: py_BraodoStealer
Author: NDA0E Description: Detects Braodo Stealer python payload TLP: TLP:WHITE Repository: YARAify
Rule name: Pysa
Author: @bartblaze Description: Identifies Pysa aka Mespinoza ransomware. TLP: TLP:WHITE Repository: bartblaze
Rule name: QBOT_HTMLSmuggling_a
Author: Ankit Anubhav - ankitanubhav.info Description: Detects QBOT HTML smuggling variants TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: r57shell_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file r57shell.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: raccoon_
Author: Michelle Khalil Description: This rule detects unpacked raccoon malware samples. TLP: TLP:WHITE Repository: YARAify
Rule name: RagnarLocker
Author: @bartblaze Description: Identifies RagnarLocker ransomware unpacked or in memory. TLP: TLP:WHITE Repository: bartblaze
Rule name: RANSOM_ESXiArgs_Ransomware_Python_Feb23
Author: SECUINFRA Falcon Team (@SI_FalconTeam) Description: Detects the ESXiArgs Ransomware encryption python script Reference: https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ TLP: TLP:WHITE Repository: YARAify
Rule name: rdrbs084
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file rdrbs084.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: rdrbs084
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file rdrbs084.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: rdrbs100
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file rdrbs100.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: rdrbs100
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file rdrbs100.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Reader_asp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Reader.asp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: RedDelta_loader
Author: Intezer Labs Reference: https://www.intezer.com TLP: TLP:WHITE Repository: Intezer
Rule name: REDLEAVES_CoreImplant_UniqueStrings
Author: USG Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state Reference: https://www.us-cert.gov/ncas/alerts/TA17-117A TLP: TLP:WHITE Repository: Neo23x0
Rule name: Rem_View_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Rem View.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Remcos
Author: JPCERT/CC Incident Response Group Description: detect Remcos in memory TLP: TLP:WHITE Repository: CAPE
Rule name: rknt_zip_Folder_RkNT
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file RkNT.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: rknt_zip_Folder_RkNT
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file RkNT.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: RkNTLoad
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file RkNTLoad.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: RkNTLoad
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file RkNTLoad.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Rookie
Author: Seth Hardy Description: Rookie TLP: TLP:WHITE
Rule name: RookieStrings
Author: Seth Hardy Description: Rookie Identifying Strings TLP: TLP:WHITE
Rule name: rootshell_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file rootshell.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: rst_sql_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file rst_sql.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: ru24_post_sh_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file ru24_post_sh.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Rustyloader_mem
Author: James_inthe_box Description: Corroded buerloader Reference: https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24 TLP: TLP:WHITE Repository: silence-is-best
Rule name: Rustyloader_mem_loose
Author: James_inthe_box Description: Corroded buerloader Reference: https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24 TLP: TLP:WHITE Repository: silence-is-best
Rule name: s72_Shell_v1_1_Coding_html
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: scanarator
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file scanarator.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: scanarator_iis
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file iis.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: screencap
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file screencap.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: screencap
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file screencap.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: SEH__vba
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara TLP: TLP:WHITE
Rule name: sendmail
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file sendmail.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sendmail
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file sendmail.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sh_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file sh.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: shankar_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file shankar.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: SharpAdidnsdump
Author: @bartblaze Description: Identifies SharpAdidnsdump, which allows for AD integrated DNS dumping and also abused by attackers such as Storm-2603. Reference: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities TLP: TLP:WHITE Repository: bartblaze
Rule name: shell_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file shell.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: shellbot_pl
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file shellbot.pl.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: shells_PHP_wso
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file wso.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: shelltools_g0t_root_Fport
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file Fport.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: shelltools_g0t_root_Fport
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file Fport.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: shelltools_g0t_root_HideRun
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file HideRun.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: shelltools_g0t_root_HideRun
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file HideRun.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: shelltools_g0t_root_resolve
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file resolve.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: shelltools_g0t_root_resolve
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file resolve.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: shelltools_g0t_root_xwhois
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file xwhois.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: shelltools_g0t_root_xwhois
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file xwhois.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: shortloader
Author: Nikos 'n0t' Totosis Description: ShortLoader Payload TLP: TLP:WHITE Repository: YARAify
Rule name: sig_2008_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file 2008.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: simple_backdoor_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file simple-backdoor.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Simple_PHP_BackDooR
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file Simple_PHP_BackDooR.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Simple_PHP_BackDooR
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file Simple_PHP_BackDooR.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Simple_PHP_BackDooR_RID2E06
Author: Florian Roth Description: Webshells Auto-generated - file Simple_PHP_BackDooR_RID2E06.php Reference: - TLP: TLP:WHITE
Rule name: SimpleTea
Author: Still Description: attempts to match strings/instructions found in SimpleTea TLP: TLP:WHITE Repository: YARAify
Rule name: SimShell_1_0___Simorgh_Security_MGZ_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Sincap_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Sincap.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: small_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file small.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: SparklingGoblin_Mutex
Author: ESET Research Description: SparklingGoblin ChaCha20 loaders mutexes Reference: http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/ TLP: TLP:WHITE Repository:
Rule name: SparkRAT
Author: t-mtsmt Description: SparkRAT Payload TLP: TLP:WHITE Repository: CAPE
Rule name: sql_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file sql.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Start2_net_mem
Author: James_inthe_box Description: SystemBC Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e TLP: TLP:WHITE Repository: silence-is-best
Rule name: StealthWasp_s_Basic_PortScanner_v1_2
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: STNC_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file STNC.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: STUXSHOP_config
Author: JAG-S (turla@chronicle.security) Reference: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0 TLP: TLP:WHITE Repository: Neo23x0
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) TLP: TLP:WHITE Repository: YARAify
Rule name: SUSP_Disable_ETW_Jun20_1
Author: Florian Roth (Nextron Systems) Description: Detects method to disable ETW in ENV vars before executing a program Reference: https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22
Author: Christian Burkard Description: Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Email_Redirection_Spoofing_Feb25
Author: Jonathan Peters (cod3nym) Description: Detects redirect spoofing in embedded URLs. This technique is used by threat actors to obscure the actual destination of a link Reference: https://any.run/cybersecurity-blog/cyber-attacks-january-2025/#fake-youtube-links-redirect-users-to-phishing-pages-11298 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_EXPL_LNX_CUPS_CVE_2024_47177_Sep24
Author: Florian Roth Description: Detects suspicious FoomaticRIPCommandLine command in printer config, which could be used to exploit CUPS CVE-2024-47177 Reference: https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_JDNIExploit_Error_Indicators_Dec21_1
Author: Florian Roth (Nextron Systems) Description: Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j exploitation Reference: https://twitter.com/marcioalm/status/1470361495405875200?s=20 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Netsh_PortProxy_Command
Author: Florian Roth (Nextron Systems) Description: Detects a suspicious command line with netsh and the portproxy command Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Netsh_PortProxy_Command_RID3201
Author: Florian Roth Description: Detects a suspicious command line with netsh and the portproxy command Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy TLP: TLP:WHITE
Rule name: SUSP_NK_MAL_M_Hunting_POOLRAT
Author: Mandiant Description: Detects strings found in POOLRAT malware Reference: https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_PY_Import_Statement_Apr24_1
Author: Florian Roth Description: Detects suspicious Python import statement and socket usage often found in Python reverse shells Reference: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team Description: Detects the reference of suspicious sites that might be used to download further malware TLP: TLP:WHITE Repository: SIFalcon
Rule name: Suspicious_PS_Strings
Author: Lucas Acha (http://www.lukeacha.com) Description: observed set of strings which are likely malicious, observed with Jupyter malware. Reference: http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html TLP: TLP:WHITE Repository:
Rule name: classified Author: classified
Rule name: svchostdll
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file svchostdll.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: svchostdll
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file svchostdll.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: SystemBC_Config
Author: @bartblaze Description: Identifies SystemBC RAT, decrypted config. TLP: TLP:WHITE Repository: bartblaze
Rule name: telegram_bot_api
Author: rectifyq Description: Detects file containing Telegram Bot API TLP: TLP:WHITE Repository: YARAify
Rule name: telnet_cgi
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file telnet.cgi.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: telnetd_pl
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file telnetd.pl.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: classified Author: classified
Rule name: thelast_orice2
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file orice2.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: thelast_orice2
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file orice2.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: thelast_orice2_RID2CA9
Author: Florian Roth Description: Webshells Auto-generated - file orice2.php Reference: - TLP: TLP:WHITE
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara TLP: TLP:WHITE
Rule name: tick_xxmm_strings
Author: JPCERT/CC Incident Response Group Description: detect xxmm in memory Reference: internal research TLP: TLP:WHITE Repository: JPCERTCC
Rule name: Tool_asp
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file Tool.asp.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: TrickBot
Author: sysopfb & kevoreilly Description: TrickBot Payload TLP: TLP:WHITE Repository: CAPE
Rule name: Trickbot_PermaDll_UEFI_Module
Author: @VK_Intel | Advanced Intelligence Description: Detects TrickBot Banking module permaDll TLP: TLP:WHITE Repository: CAPE
Rule name: turla_outlook_filenames
Author: ESET Research Description: Turla Outlook filenames Reference: https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf TLP: TLP:WHITE Repository:
Rule name: unastealer3_mem
Author: James_inthe_box Description: Una Stealer Reference: https://www.hybrid-analysis.com/string-search/results/54fb74afabde582ae0a730401ea31ee5e0d9cf33582c8a64d634350150cdd78b TLP: TLP:WHITE Repository: silence-is-best
Rule name: Unpack_Injectt
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file Injectt.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Unpack_Injectt
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file Injectt.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Ursnif
Author: Embee_Research @ Huntress TLP: TLP:WHITE Repository: CAPE
Rule name: Ursnif
Author: JPCERT/CC Incident Response Group Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Reference: internal research TLP: TLP:WHITE Repository: CAPE
Rule name: vanquish
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file vanquish.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: vanquish
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file vanquish.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: vanquish_2
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file vanquish.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: vanquish_2
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file vanquish.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: vmdetect
Author: nex Description: Possibly employs anti-virtualization techniques TLP: TLP:WHITE Repository:
Rule name: VUL_JQuery_FileUpload_CVE_2018_9206
Author: Florian Roth (Nextron Systems) Description: Detects JQuery File Upload vulnerability CVE-2018-9206 Reference: https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: VUL_JQuery_FileUpload_CVE_2018_9206_RID32A2
Author: Florian Roth Description: Detects JQuery File Upload vulnerability CVE-2018-9206 Reference: https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/ TLP: TLP:WHITE
Rule name: w3d_php_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file w3d.php.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: WCE_Modified_1_1014
Author: Florian Roth Description: Modified (packed) version of Windows Credential Editor TLP: TLP:WHITE Repository: Neo23x0
Rule name: WCE_Modified_1_1014
Author: Florian Roth (Nextron Systems) Description: Modified (packed) version of Windows Credential Editor TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell__CrystalShell_v_1_erne_stres
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_Ajan_asp_RID2DC3
Author: Florian Roth Description: Semi-Auto-generated - file Ajan.asp.txt Reference: - TLP: TLP:WHITE
Rule name: WEBSHELL_ASPX_reGeorgTunnel
Author: threatintel@volexity.com Description: variation on reGeorgtunnel Reference: https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx TLP: TLP:WHITE
Rule name: WEBSHELL_ASPX_SportsBall
Author: threatintel@volexity.com Description: The SPORTSBALL webshell allows attackers to upload files or execute commands on the system. Reference: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_aZRaiLPhp_v1_0
Author: Florian Roth Description: PHP Webshells Github Archive - file aZRaiLPhp v1.0.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_aZRaiLPhp_v1_0_2
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file aZRaiLPhp v1.0.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_aZRaiLPhp_v1_0_RID2F66
Author: Florian Roth Description: PHP Webshells Github Archive - file aZRaiLPhp v1.0.php Reference: - TLP: TLP:WHITE
Rule name: WebShell_b374k_php
Author: Florian Roth Description: PHP Webshells Github Archive - file b374k.php.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_b374k_php
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file b374k.php.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_b374k_php_RID2D98
Author: Florian Roth Description: PHP Webshells Github Archive - file b374k.php.php Reference: - TLP: TLP:WHITE
Rule name: WebShell_backupsql
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file backupsql.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_backupsql
Author: Florian Roth Description: PHP Webshells Github Archive - file backupsql.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_c99_locus7s
Author: Florian Roth Description: PHP Webshells Github Archive - file c99_locus7s.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_c99_locus7s
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file c99_locus7s.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_c99_locus7s_RID2E8A
Author: Florian Roth Description: PHP Webshells Github Archive - file c99_locus7s.php Reference: - TLP: TLP:WHITE
Rule name: Webshell_c99madshell_v2_RID2FCC
Author: Florian Roth Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_c99php_NIX_REMOTE_WEB_SHELL_RID3350
Author: Florian Roth Description: Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_c99shell_v1_0_99_RID2FF9
Author: Florian Roth Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: WebShell_CasuS_1_5
Author: Florian Roth Description: PHP Webshells Github Archive - file CasuS 1.5.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_CasuS_1_5
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file CasuS 1.5.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_CmdAsp_asp_php
Author: Florian Roth Description: PHP Webshells Github Archive - file CmdAsp.asp.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_CmdAsp_asp_php
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file CmdAsp.asp.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_CmdAsp_asp_RID2E81
Author: Florian Roth Description: Semi-Auto-generated - file CmdAsp.asp.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_cmdjsp_jsp_RID2ED3
Author: Florian Roth Description: Semi-Auto-generated - file cmdjsp.jsp.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_connector_ASP_RID2FB4
Author: Florian Roth Description: Webshells Auto-generated - file connector.asp Reference: - TLP: TLP:WHITE
Rule name: Webshell_csh_php_php_RID2F32
Author: Florian Roth Description: Semi-Auto-generated - file csh.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_DarkSpy105_RID2DFA
Author: Florian Roth Description: Webshells Auto-generated - file DarkSpy105.exe Reference: - TLP: TLP:WHITE
Rule name: WebShell_DTool_Pro
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file DTool Pro.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_DTool_Pro
Author: Florian Roth Description: PHP Webshells Github Archive - file DTool Pro.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: webshell_Dx_Dx
Author: Florian Roth Description: Web Shell - file Dx.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: webshell_Dx_Dx
Author: Florian Roth (Nextron Systems) Description: Web Shell - file Dx.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_Dx_Dx_RID2C7D
Author: Florian Roth Description: Web Shell - file Dx.php Reference: - TLP: TLP:WHITE
Rule name: Webshell_Dx_php_php_RID2EB0
Author: Florian Roth Description: Semi-Auto-generated - file Dx.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_EFSO_2_asp_RID2E07
Author: Florian Roth Description: Semi-Auto-generated - file EFSO_2.asp.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_elmaliseker_RID2F34
Author: Florian Roth Description: Webshells Auto-generated - file elmaliseker.asp Reference: - TLP: TLP:WHITE
Rule name: Webshell_FSO_s_phpinj_RID2F48
Author: Florian Roth Description: Webshells Auto-generated - file phpinj.php Reference: - TLP: TLP:WHITE
Rule name: Webshell_FSO_s_reader_RID2F32
Author: Florian Roth Description: Webshells Auto-generated - file reader.asp Reference: - TLP: TLP:WHITE
Rule name: Webshell_FSO_s_zehir4_RID2F15
Author: Florian Roth Description: Webshells Auto-generated - file zehir4.asp Reference: - TLP: TLP:WHITE
Rule name: WebShell_Gamma_Web_Shell
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file Gamma Web Shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_Gamma_Web_Shell
Author: Florian Roth Description: PHP Webshells Github Archive - file Gamma Web Shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_Gamma_Web_Shell_RID303D
Author: Florian Roth Description: PHP Webshells Github Archive - file Gamma Web Shell.php Reference: - TLP: TLP:WHITE
Rule name: WebShell_Generic_PHP_6
Author: Florian Roth Description: PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_Generic_PHP_6
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_Generic_PHP_6_RID2F1F
Author: Florian Roth Description: PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php Reference: - TLP: TLP:WHITE
Rule name: WebShell_go_shell
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file go-shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_go_shell
Author: Florian Roth Description: PHP Webshells Github Archive - file go-shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WEBSHELL_HAFNIUM_CISA_10328929_01
Author: CISA Code & Media Analysis Description: Detects CVE-2021-27065 Webshellz Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a TLP: TLP:WHITE
Rule name: WebShell_hiddens_shell_v1
Author: Florian Roth Description: PHP Webshells Github Archive - file hiddens shell v1.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_hiddens_shell_v1
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file hiddens shell v1.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_installer_RID2E74
Author: Florian Roth Description: Webshells Auto-generated - file installer.cmd Reference: - TLP: TLP:WHITE
Rule name: WebShell_ironshell
Author: Florian Roth Description: PHP Webshells Github Archive - file ironshell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_IronShell_4
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file ironshell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_jspshall_jsp_RID2FB3
Author: Florian Roth Description: Semi-Auto-generated - file jspshall.jsp.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_kacak_asp_RID2E44
Author: Florian Roth Description: Semi-Auto-generated - file kacak.asp.txt Reference: - TLP: TLP:WHITE
Rule name: WebShell_lamashell
Author: Florian Roth Description: PHP Webshells Github Archive - file lamashell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_lamashell
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file lamashell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_lamashell_RID2E39
Author: Florian Roth Description: PHP Webshells Github Archive - file lamashell.php Reference: - TLP: TLP:WHITE
Rule name: WebShell_NCC_Shell
Author: Florian Roth Description: PHP Webshells Github Archive - file NCC-Shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_NCC_Shell
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file NCC-Shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_network_php_xinfo_RID31DA
Author: Florian Roth Description: Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_ngh_php_php_RID2F31
Author: Florian Roth Description: Semi-Auto-generated - file ngh.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_nst_perl_proxy_shell_RID3325
Author: Florian Roth Description: Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_nst_php_cybershell_RID322E
Author: Florian Roth Description: Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_NT_Addy_asp_RID2ECC
Author: Florian Roth Description: Semi-Auto-generated - file NT Addy.asp.txt Reference: - TLP: TLP:WHITE
Rule name: WebShell_NTDaddy_v1_9
Author: Florian Roth Description: PHP Webshells Github Archive - file NTDaddy v1.9.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_NTDaddy_v1_9
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file NTDaddy v1.9.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WEBSHELL_PAS_webshell_SQLDumpFile
Author: FR/ANSSI/SDO Description: Detects SQL dump file created by P.A.S. webshell Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: WEBSHELL_PAS_webshell_ZIPArchiveFile
Author: FR/ANSSI/SDO (modified by Florian Roth) Description: Detects an archive file created by P.A.S. for download operation Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_perlbot_pl_RID2ED9
Author: Florian Roth Description: Semi-Auto-generated - file perlbot.pl.txt Reference: - TLP: TLP:WHITE
Rule name: WebShell_php_backdoor
Author: Florian Roth Description: PHP Webshells Github Archive - file php-backdoor.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_PHP_Backdoor_2
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file php-backdoor.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_php_include_w_shell
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file php-include-w-shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_PHP_shell_RID2E05
Author: Florian Roth Description: Webshells Auto-generated - file shell.php Reference: - TLP: TLP:WHITE
Rule name: Webshell_PHP_Shell_v1_7_RID2F81
Author: Florian Roth Description: Webshells Auto-generated - file PHP_Shell_v1.7.php Reference: - TLP: TLP:WHITE
Rule name: WebShell_php_webshells_529
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file 529.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_php_webshells_kral
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file kral.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_php_webshells_NGH
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file NGH.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_php_webshells_pws
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file pws.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_PhpSpy_Ver_2006
Author: Florian Roth Description: PHP Webshells Github Archive - file PhpSpy Ver 2006.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_PhpSpy_Ver_2006
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file PhpSpy Ver 2006.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_PhpSpy_Ver_2006_RID2F9D
Author: Florian Roth Description: PHP Webshells Github Archive - file PhpSpy Ver 2006.php Reference: - TLP: TLP:WHITE
Rule name: WEBSHELL_ProxyShell_Exploitation_Nov21_1
Author: Florian Roth (Nextron Systems) Description: Detects webshells dropped by DropHell malware Reference: https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_qsd_php_backdoor
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file qsd-php-backdoor.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_qsd_php_backdoor
Author: Florian Roth Description: PHP Webshells Github Archive - file qsd-php-backdoor.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_r577_php_php_SnIpEr_2_RID322A
Author: Florian Roth Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_r577_php_php_SnIpEr_RID3199
Author: Florian Roth Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_r577_php_RID2D62
Author: Florian Roth Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_r577_php_spy_2_RID2FAE
Author: Florian Roth Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: WebShell_reader_asp_php
Author: Florian Roth Description: PHP Webshells Github Archive - file reader.asp.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_reader_asp_php
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file reader.asp.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_Reader_asp_RID2E9C
Author: Florian Roth Description: Semi-Auto-generated - file Reader.asp.txt Reference: - TLP: TLP:WHITE
Rule name: WebShell_ru24_post_sh
Author: Florian Roth Description: PHP Webshells Github Archive - file ru24_post_sh.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_ru24_post_sh
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file ru24_post_sh.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_ru24_post_sh_RID2F32
Author: Florian Roth Description: PHP Webshells Github Archive - file ru24_post_sh.php Reference: - TLP: TLP:WHITE
Rule name: WebShell_safe0ver
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file safe0ver.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_safe0ver
Author: Florian Roth Description: PHP Webshells Github Archive - file safe0ver.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_sh_php_php_RID2ECF
Author: Florian Roth Description: Semi-Auto-generated - file sh.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_shellbot_pl_RID2F3E
Author: Florian Roth Description: Semi-Auto-generated - file shellbot.pl.txt Reference: - TLP: TLP:WHITE
Rule name: WebShell_simattacker
Author: Florian Roth Description: PHP Webshells Github Archive - file simattacker.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_simattacker
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file simattacker.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: webshell_simple_backdoor
Author: Florian Roth (Nextron Systems) Description: Web Shell - file simple-backdoor.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_simple_cmd
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file simple_cmd.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_simple_cmd
Author: Florian Roth Description: PHP Webshells Github Archive - file simple_cmd.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_simple_cmd_RID2EA3
Author: Florian Roth Description: PHP Webshells Github Archive - file simple_cmd.php Reference: - TLP: TLP:WHITE
Rule name: WebShell_Sincap_1_0
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file Sincap 1.0.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_Sincap_1_0
Author: Florian Roth Description: PHP Webshells Github Archive - file Sincap 1.0.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_Sincap_1_0_RID2E03
Author: Florian Roth Description: PHP Webshells Github Archive - file Sincap 1.0.php Reference: - TLP: TLP:WHITE
Rule name: Webshell_SpecialShell_99_php_php_a_RID343E
Author: Florian Roth Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_SpecialShell_99b_RID3092
Author: Florian Roth Description: Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_sql_php_php_RID2F44
Author: Florian Roth Description: Semi-Auto-generated - file sql.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_STNC_php_php_RID2F2C
Author: Florian Roth Description: Semi-Auto-generated - file STNC.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_telnet_cgi_RID2EC4
Author: Florian Roth Description: Semi-Auto-generated - file telnet.cgi.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_telnetd_pl_RID2ED1
Author: Florian Roth Description: Semi-Auto-generated - file telnetd.pl.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_Tool_asp_RID2DE7
Author: Florian Roth Description: Semi-Auto-generated - file Tool.asp.txt Reference: - TLP: TLP:WHITE
Rule name: Webshell_w3d_php_php_RID2F02
Author: Florian Roth Description: Semi-Auto-generated - file w3d.php.php.txt Reference: - TLP: TLP:WHITE
Rule name: WebShell_WinX_Shell
Author: Florian Roth Description: PHP Webshells Github Archive - file WinX Shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: WebShell_WinX_Shell_2
Author: Florian Roth (Nextron Systems) Description: PHP Webshells Github Archive - file WinX Shell.php TLP: TLP:WHITE Repository: Neo23x0
Rule name: Webshell_xssshell_db_RID2F41
Author: Florian Roth Description: Webshells Auto-generated - file db.asp Reference: - TLP: TLP:WHITE
Rule name: wh_bindshell_py
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file wh_bindshell.py.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Wimmie
Author: Seth Hardy Description: Wimmie family TLP: TLP:WHITE
Rule name: WimmieStrings
Author: Seth Hardy Description: Strings used by Wimmie TLP: TLP:WHITE
Rule name: classified Author: classified TLP TLP:GREEN
Rule name: classified Author: classified TLP TLP:AMBER
Rule name: WIN_ClickFix_Detection
Author: dogsafetyforeverone Description: Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands Reference: ClickFix social engineering and malicious PowerShell commands TLP: TLP:WHITE Repository: YARAify
Rule name: win_crackshot_w0
Author: Florian Roth Description: Detects APT41 malware CRACKSHOT Reference: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html TLP: TLP:WHITE Repository: Malpedia
Rule name: win_dispenserxfs_w0
Author: @Xylit0l @r3c0nst / Modified by Florian Roth Description: Detects ATM Malware DispenserXFS Reference: https://twitter.com/r3c0nst/status/1100775857306652673 TLP: TLP:WHITE Repository: Malpedia
Rule name: WIN_FileFix_Detection
Author: dogsafetyforeverone Description: Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths Reference: FileFix social engineering with PowerShell and PHP commands TLP: TLP:WHITE Repository: YARAify
Rule name: win_gimmick_w0
Author: threatintel@volexity.com Description: Detects the base version of GIMMICK in .NET. TLP: TLP:WHITE Repository: Malpedia
Rule name: win_gimmick_w1
Author: threatintel@volexity.com Description: Detects the macOS port of the GIMMICK malware. TLP: TLP:WHITE Repository: Malpedia
Rule name: classified Author: classified TLP TLP:GREEN
Rule name: win_iceid_core_ldr_202104
Author: Thomas Barabosch, Telekom Security Description: 2021 loader for Bokbot / Icedid core (license.dat) TLP: TLP:WHITE Repository: Sandnet
Rule name: classified Author: classified TLP TLP:GREEN
Rule name: win_lockergoga_w0
Author: Florian Roth Description: Detects LockerGoga ransomware binaries Reference: https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202 TLP: TLP:WHITE Repository: Malpedia
Rule name: classified Author: classified TLP TLP:AMBER
Rule name: win_netwire_w0
Author: Jean-Philippe Teissier / @Jipe_ Description: NetWiredRC TLP: TLP:WHITE Repository: Malpedia
Rule name: classified Author: classified Description: classified Reference: classified TLP TLP:GREEN
Rule name: WIN_PowerShell_Telegram_RAT_20250726
Author: dogsafetyforeverone Description: Detects PowerShell-based remote access tools (RATs) that leverage the Telegram Bot API for command and control. The rule looks for the Telegram API base URL along with REST endpoints such as sendMessage, getUpdates, sendPhoto and sendDocument, and command strings used to implement RAT features (webcam capture, password grabbing, file execution, process termination, blue screen, microphone recording, self-destruct). TLP: TLP:WHITE Repository: YARAify
Rule name: classified Author: classified TLP TLP:AMBER
Rule name: win_ratankbapos_w0
Author: Threat Exchange http://blog.trex.re.kr/3 Description: hkp.dll TLP: TLP:WHITE Repository: Malpedia
Rule name: win_remcos_rat_unpacked
Author: Matthew @ Embee_Research Description: Detects strings present in remcos rat Samples. TLP: TLP:WHITE Repository: YARAify
Rule name: win_remcos_w0
Author: Matthew @ Embee_Research Description: Detects strings present in remcos rat Samples. TLP: TLP:WHITE Repository: Malpedia
Rule name: win_rgdoor_w0
Author: Florian Roth Description: Detects RGDoor backdoor used by OilRig group Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ TLP: TLP:WHITE Repository: Malpedia
Rule name: win_robinhood_w0
Author: anonymous submission Description: Unpacked RobinHood ransomware TLP: TLP:WHITE Repository: Malpedia
Rule name: win_royal_dns_w0
Author: Florian Roth Description: Detects malware from APT 15 report by NCC Group Reference: https://goo.gl/HZ5XMN TLP: TLP:WHITE Repository: Malpedia
Rule name: win_royalcli_w0
Author: Florian Roth Description: Detects malware from APT 15 report by NCC Group Reference: https://goo.gl/HZ5XMN TLP: TLP:WHITE Repository: Malpedia
Rule name: win_shylock_w0
Author: Jean-Philippe Teissier / @Jipe_ Description: Shylock Banker TLP: TLP:WHITE Repository: Malpedia
Rule name: win_stuxnet_w0
Author: JAG-S (turla@chronicle.security) Description: Stuxshop standalone sample configuration TLP: TLP:WHITE Repository: Malpedia
Rule name: classified Author: classified TLP TLP:GREEN
Rule name: classified Author: classified TLP TLP:GREEN
Rule name: classified Author: classified Description: classified TLP TLP:GREEN
Rule name: WIN_WebSocket_Base64_C2_20250726
Author: dogsafetyforeverone Description: Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data. TLP: TLP:WHITE Repository: YARAify
Rule name: classified Author: classified TLP TLP:AMBER
Rule name: win_yty_w0
Author: James E.C, ProofPoint Description: Modular malware framework with similarities to EHDevel TLP: TLP:WHITE Repository: Malpedia
Rule name: Windows_Ransomware_Bitpaymer_bca25ac6
Author: Elastic Security Description: Identifies BITPAYMER ransomware Reference: https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/ TLP: TLP:WHITE
Rule name: Windows_Ransomware_Dharma_b31cac3f
Author: Elastic Security Description: Identifies DHARMA ransomware Reference: https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/ TLP: TLP:WHITE
Rule name: Windows_Ransomware_Egregor_f24023f3
Author: Elastic Security Description: Identifies EGREGOR (Sekhemt) ransomware Reference: https://www.bankinfosecurity.com/egregor-ransomware-adds-to-data-leak-trend-a-15110 TLP: TLP:WHITE
Rule name: Windows_Ransomware_Ragnarok_1cab7ea1
Author: Elastic Security Description: Identifies RAGNAROK ransomware Reference: https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20 TLP: TLP:WHITE
Rule name: Windows_Ransomware_Ragnarok_5625d3f6
Author: Elastic Security Description: Identifies RAGNAROK ransomware Reference: https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20 TLP: TLP:WHITE
Rule name: Windows_Ransomware_Ragnarok_efafbe48
Author: Elastic Security Description: Identifies RAGNAROK ransomware Reference: https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20 TLP: TLP:WHITE
Rule name: Windows_Ransomware_Snake_550e0265
Author: Elastic Security Description: Identifies SNAKE ransomware Reference: https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/ TLP: TLP:WHITE
Rule name: Windows_Ransomware_Thanos_e19feca1
Author: Elastic Security Description: Identifies THANOS (Hakbit) ransomware Reference: https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/ TLP: TLP:WHITE
Rule name: Windows_Trojan_Behinder_b9a49f4b
Author: Elastic Security Description: Webshell found in REF2924, either Behinder or Godzilla based shell in C# Reference: https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Carberp_d6de82ae
Author: Elastic Security Description: Identifies VNC module from the leaked Carberp source code. This could exist in other malware families. Reference: https://github.com/m0n0ph1/malware-1/blob/master/Carberp%20Botnet/source%20-%20absource/pro/all%20source/hvnc_dll/HVNC%20Lib/vnc/xvnc.h#L342 TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_DoorMe_246eda61
Author: Elastic Security Reference: https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_IcedID_11d24d35
Author: Elastic Security Reference: https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_IcedID_56459277
Author: Elastic Security Description: IcedID Gzip Variant Core Reference: https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Kronos_cdd2e2c5
Author: Elastic Security Description: Strings used by the Kronos banking trojan and variants. Reference: https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Metasploit_dd5ce989
Author: Elastic Security Description: Identifies Meterpreter DLL used by Metasploit Reference: https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/ TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Netwire_1b43df38
Author: Elastic Security Reference: https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Netwire_f42cb379
Author: Elastic Security Reference: https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Qbot_7d5dc64a
Author: Elastic Security Reference: https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Remcos_7591e9f1
Author: Elastic Security Reference: https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Remcos_b296e965
Author: Elastic Security Reference: https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_ShadowPad_be71209d
Author: Elastic Security Description: Target ShadowPad loader Reference: https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Trickbot_2d89e9cd
Author: Elastic Security Description: Targets tabDll64.dll module containing functionality using SMB for lateral movement TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Trickbot_32930807
Author: Elastic Security Description: Targets cookiesdll.dll module containing functionality used to retrieve browser cookie data TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Trickbot_618b27d2
Author: Elastic Security Description: Targets Outlook.dll module containing functionality used to retrieve Outlook data TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Trickbot_6eb31e7b
Author: Elastic Security Description: Targets DomainDll module containing functionality using LDAP to retrieve credentials and configuration information TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Trickbot_d2110921
Author: Elastic Security Description: Targets shareDll64.dll module containing functionality use to spread Trickbot across local networks TLP: TLP:WHITE Repository: elastic
Rule name: WinX_Shell_html
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file WinX Shell.html.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: xssshell_db
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file db.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: xssshell_db
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file db.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: xssshell_save
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file save.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: xssshell_save
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file save.asp TLP: TLP:WHITE Repository: Neo23x0
Rule name: xxmm
Author: JPCERT/CC Incident Response Group Description: detect xxmm in memory Reference: internal research TLP: TLP:WHITE Repository: JPCERTCC
Rule name: zacosmall_php
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Description: Semi-Auto-generated - file zacosmall.php.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Zeppelin
Author: @bartblaze Description: Identifies Zeppelin ransomware and variants (Buran, Vega etc.) TLP: TLP:WHITE Repository: bartblaze
Rule name: ZXshell2_0_rar_Folder_nc
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file nc.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: ZXshell2_0_rar_Folder_nc
Author: Florian Roth (Nextron Systems) Description: Webshells Auto-generated - file nc.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: ZXshell2_0_rar_Folder_zxrecv
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file zxrecv.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: ZXshell2_0_rar_Folder_ZXshell
Author: Yara Bulk Rule Generator by Florian Roth Description: Webshells Auto-generated - file ZXshell.exe TLP: TLP:WHITE Repository: Neo23x0
The following YARA rules matched on the unpacked file.
No matches
Unpacked Files
The following files could be unpacked from this sample.
No unpacked files found