YARAify Scan Results

Task Information

---

Task ID:	27fabfa2-c115-11ed-866d-42010aa4000b
File name:	4d2861b3f36fb9558cdf4e207d157ee0
Task parameters:	ClamAV scan:	True
	Unpack:	False
	Share file:	True

ClamAV Results

---

The file matched the following open source and commercial ClamAV rules.

Signature:	ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL Alert Create hunting rule

Signature:	Osx.Adware.Crossrider-6543518-0 Alert Create hunting rule

Signature:	Sanesecurity.Malware.28935.UNOFFICIAL Alert Create hunting rule

Signature:	SecuriteInfo.com.PUA.IminentToolbar-2.UNOFFICIAL Alert Create hunting rule

Signature:	SecuriteInfo.com.Spam-62411.UNOFFICIAL Alert Create hunting rule

Signature:	SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL Alert Create hunting rule

Signature:	Win.Coinminer.Generic-7150608-0 Alert Create hunting rule

Signature:	Win.Coinminer.Generic-7165577-2 Alert Create hunting rule

Signature:	Win.Downloader.RaspberryRobin-9962681-0 Alert Create hunting rule

Signature:	Win.Exploit.Shellcode-1 Alert Create hunting rule

Signature:	Win.Malware.Midie-9958370-0 Alert Create hunting rule

Signature:	Win.Trojan.Bisonal-7596692-0 Alert Create hunting rule

Signature:	Win.Trojan.Generic-9935691-0 Alert Create hunting rule

Signature:	Win.Trojan.HackTool_MSIL_SharPivot_3-9805042-0 Alert Create hunting rule

Signature:	Win.Trojan.I13-37 Alert Create hunting rule

Signature:	Win.Trojan.Smanager-9822863-2 Alert Create hunting rule

Signature:	Win.Trojan.WPDownloader-9939915-0 Alert Create hunting rule

Signature:	Win.Trojan.ZeroCleare-7511225-0 Alert Create hunting rule

YARA Results

---

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:	adonunix2 Alert Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	APT_APT29_NOBELIUM_Stageless_Loader_May21_2 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects stageless loader as used by APT29 / NOBELIUM
Reference:	https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	APT_APT29_sorefang_custom_encode_decode Alert Create hunting rule
Author:	NCSC
Description:	Rule to detect SoreFang based on the custom encoding/decoding algorithm function
Reference:	https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	APT_APT41_POISONPLUG_2 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects APT41 malware POISONPLUG
Reference:	https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	APT_APT41_POISONPLUG_2_RID2D9F Alert Create hunting rule
Author:	Florian Roth
Description:	Detects APT41 malware POISONPLUG
Reference:	https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
TLP:	TLP:WHITE

Rule name:	APT_ATP28_Sofacy_Indicators_May19_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects APT28 Sofacy indicators in samples
Reference:	https://twitter.com/cyb3rops/status/1129647994603790338
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	APT_ATP28_Sofacy_Indicators_May19_1_RID3357 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects APT28 Sofacy indicators in samples
Reference:	https://twitter.com/cyb3rops/status/1129647994603790338
TLP:	TLP:WHITE

Rule name:	APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Red Delta samples
Reference:	https://twitter.com/JAMESWT_MHT/status/1316387482708119556
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2_RID36A3 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects Red Delta samples
Reference:	https://twitter.com/JAMESWT_MHT/status/1316387482708119556
TLP:	TLP:WHITE

Rule name:	apt_equation_exploitlib_mutexes Alert Create hunting rule
Description:	Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW
Reference:	http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	APT_MAL_CN_Wocao_getos_py Alert Create hunting rule
Author:	Fox-IT SRT
Description:	Python getos utility
Reference:	https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	APT_Malware_PutterPanda_MsUpdater_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Malware related to PutterPanda - MSUpdater
Reference:	VT Analysis
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	APT_Malware_PutterPanda_MsUpdater_1_RID3469 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects Malware related to PutterPanda - MSUpdater
Reference:	VT Analysis
TLP:	TLP:WHITE

Rule name:	ATM_Malware_DispenserXFS Alert Create hunting rule
Author:	@Xylit0l @r3c0nst / Modified by Florian Roth
Description:	Detects ATM Malware DispenserXFS
Reference:	https://twitter.com/r3c0nst/status/1100775857306652673
TLP:	TLP:WHITE
Repository:	fboldewin

Rule name:	ATM_Malware_DispenserXFS Alert Create hunting rule
TLP:	TLP:WHITE
Repository:	fboldewin

Rule name:	AutoIT_Compiled Alert Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).
TLP:	TLP:WHITE
Repository:	bartblaze

Rule name:	BergSilva_Malware Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a malware from the same author as the Indetectables RAT
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	BergSilva_Malware_RID2DB8 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects a malware from the same author as the Indetectables RAT
Reference:	-
TLP:	TLP:WHITE

Rule name:	BernhardPOS Alert Create hunting rule
Author:	Nick Hoffman / Jeremy Humble
Description:	BernhardPOS Credit Card dumping tool
Reference:	http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	BeyondExec_RemoteAccess_Tool Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects BeyondExec Remote Access Tool - file rexesvr.exe
Reference:	https://goo.gl/BvYurS
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	BeyondExec_RemoteAccess_Tool_RID3211 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects BeyondExec Remote Access Tool - file rexesvr.exe
Reference:	https://goo.gl/BvYurS
TLP:	TLP:WHITE

Rule name:	CMD_Ping_Localhost Alert Create hunting rule
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	CMD_Shutdown Alert Create hunting rule
Author:	adm1n_usa32
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Codoso_Gh0st_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Codoso_Gh0st_1_RID2C2D Alert Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
TLP:	TLP:WHITE

Rule name:	crime_win32_ransom_maze_dll_1 Alert Create hunting rule
Author:	@VK_Intel
Description:	Detects Maze ransomware payload dll unpacked
Reference:	https://twitter.com/VK_Intel/status/1251388507219726338
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	DeepPanda_htran_exe Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Hack Deep Panda - htran-exe
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	DeepPanda_htran_exe_RID2E90 Alert Create hunting rule
Author:	Florian Roth
Description:	Hack Deep Panda - htran-exe
Reference:	-
TLP:	TLP:WHITE

Rule name:	DeepPanda_sl_txt_packed Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Hack Deep Panda - ScanLine sl-txt-packed
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	DeepPanda_sl_txt_packed_RID3037 Alert Create hunting rule
Author:	Florian Roth
Description:	Hack Deep Panda - FBI Liaison Alert System # A-000049-MW - ScanLine sl-txt-packed
Reference:	http://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf
TLP:	TLP:WHITE

Rule name:	Disable_Defender Alert Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	dsc Alert Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Duqu2_Sample4 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Duqu2 Malware
Reference:	https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Enfal_Malware_Backdoor Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Generic Rule to detect the Enfal Malware
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	EquationDrug_HDDSSD_Op Alert Create hunting rule
Author:	Florian Roth (Nextron Systems) @4nc4p
Description:	EquationDrug - HDD/SSD firmware operation - nls_933w.dll
Reference:	http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	EquationDrug_HDDSSD_Op_RID2F20 Alert Create hunting rule
Author:	Florian Roth
Description:	EquationDrug - HDD/SSD firmware operation - nls_933w.dll
Reference:	http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
TLP:	TLP:WHITE

Rule name:	EquationGroup_nethide_Lp Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	EquationGroup Malware - file nethide_Lp.dll
Reference:	https://goo.gl/tcSoiJ
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	EquationGroup_nethide_Lp_RID30BF Alert Create hunting rule
Author:	Florian Roth
Description:	EquationGroup Malware - file nethide_Lp.dll
Reference:	https://goo.gl/tcSoiJ
TLP:	TLP:WHITE

Rule name:	Exploit_MS15_077_078 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	MS15-078 / MS15-077 exploit - generic signature
Reference:	https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Exploit_MS15_077_078_RID2D56 Alert Create hunting rule
Author:	Florian Roth
Description:	MS15-078 / MS15-077 exploit - generic signature
Reference:	https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200
TLP:	TLP:WHITE

Rule name:	FiveEyes_QUERTY_Malwaresig_20123_sys Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	FiveEyes QUERTY Malware - file 20123.sys.bin
Reference:	http://www.spiegel.de/media/media-35668.pdf
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	FiveEyes_QUERTY_Malwaresig_20123_sys_RID33FA Alert Create hunting rule
Author:	Florian Roth
Description:	FiveEyes QUERTY Malware - file 20123.sys.bin
Reference:	http://www.spiegel.de/media/media-35668.pdf
TLP:	TLP:WHITE

Rule name:	HackTool_MSIL_SharPersist_2 Alert Create hunting rule
Author:	FireEye
Reference:	https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HackTool_MSIL_SharPivot_3 Alert Create hunting rule
Author:	FireEye
Description:	This rule looks for .NET PE files that have the strings of various method names in the SharPivot code.
Reference:	https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	has_telegram_urls Alert Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	HKTL_Meterpreter_inMemory Alert Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HKTL_NET_GUID_clr_meterpreter Alert Create hunting rule
Author:	Arnim Rupp
Description:	Detects c# red/black-team tools via typelibguid
Reference:	https://github.com/OJ/clr-meterpreter
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HKTL_NET_GUID_DeviceGuardBypasses Alert Create hunting rule
Author:	Arnim Rupp
Description:	Detects c# red/black-team tools via typelibguid
Reference:	https://github.com/tyranid/DeviceGuardBypasses
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HKTL_NET_GUID_OffensiveCSharp Alert Create hunting rule
Author:	Arnim Rupp
Description:	Detects c# red/black-team tools via typelibguid
Reference:	https://github.com/diljith369/OffensiveCSharp
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HKTL_NET_GUID_Pen_Test_Tools Alert Create hunting rule
Author:	Arnim Rupp
Description:	Detects c# red/black-team tools via typelibguid
Reference:	https://github.com/awillard1/Pen-Test-Tools
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HKTL_NET_GUID_SharpC2 Alert Create hunting rule
Author:	Arnim Rupp
Description:	Detects c# red/black-team tools via typelibguid
Reference:	https://github.com/SharpC2/SharpC2
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HKTL_RedMimicry_Agent Alert Create hunting rule
Author:	mirar@chaosmail.org
Description:	matches the RedMimicry agent executable and payload
Reference:	https://redmimicry.com
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HKTL_Unknown_Feb19_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detetcs a tool used in the Australian Parliament House network compromise
Reference:	https://twitter.com/cyb3rops/status/1097423665472376832
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	HKTL_Unknown_Feb19_1_RID2DF9 Alert Create hunting rule
Author:	Florian Roth
Description:	Detetcs a tool used in the Australian Parliament House network compromise
Reference:	https://twitter.com/cyb3rops/status/1097423665472376832
TLP:	TLP:WHITE

Rule name:	iKAT_tools_nmap Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Generic rule for NMAP - based on NMAP 4 standalone
Reference:	http://ikat.ha.cked.net/Windows/functions/ikatfiles.html
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	IMPLANT_3_v1 Alert Create hunting rule
Author:	US CERT
Description:	X-Agent/CHOPSTICK Implant by APT28
Reference:	https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	IMPLANT_4_v11 Alert Create hunting rule
Author:	US CERT
Description:	BlackEnergy / Voodoo Bear Implant by APT28
Reference:	https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	IMPLANT_4_v4 Alert Create hunting rule
Author:	US CERT
Description:	BlackEnergy / Voodoo Bear Implant by APT28
Reference:	https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	IMPLANT_4_v7 Alert Create hunting rule
Author:	US CERT
Description:	BlackEnergy / Voodoo Bear Implant by APT28
Reference:	https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	INDICATOR_EXE_Packed_aPLib Alert Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with aPLib.
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Alert Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_ClearWinLogs Alert Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing commands for clearing Windows Event Logs
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Alert Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Alert Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Alert Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Alert Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Alert Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery Alert Create hunting rule
Author:	ditekSHen
Description:	Detects JS potentially executing WMI queries
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Alert Create hunting rule
Author:	ditekSHen
Description:	detects Reflective DLL injection artifacts
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_TOOL_PWS_Mimikatz Alert Create hunting rule
Author:	ditekSHen
Description:	Detects Mimikatz
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	IronTiger_dnstunnel Alert Create hunting rule
Author:	Cyber Safety Solutions, Trend Micro
Description:	This rule detects a dns tunnel tool used in Operation Iron Tiger
Reference:	http://goo.gl/T5fSJC
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Jupyter_infostealer Alert Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
TLP:	TLP:WHITE
Repository:	CD-R0M

Rule name:	Linux_Worm_Generic_98efcd38 Alert Create hunting rule
Author:	Elastic Security
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	MAL_APT_RocketKitten_Keylogger_RID326D Alert Create hunting rule
Author:	Florian Roth
Description:	Detects Keylogger used in Rocket Kitten APT
Reference:	https://goo.gl/SjQhlp
TLP:	TLP:WHITE

Rule name:	MAL_IceId_Core_202104 Alert Create hunting rule
Author:	Thomas Barabosch, Telekom Security
Description:	2021 Bokbot / Icedid core
Reference:	https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	MAL_Passwordstate_Moserware_Backdoor_Apr21_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects backdoor used in Passwordstate incident
Reference:	https://thehackernews.com/2021/04/passwordstate-password-manager-update.html
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	MAL_Passwordstate_Moserware_Backdoor_Apr21_1_RID37CB Alert Create hunting rule
Author:	Florian Roth
Description:	Detects backdoor used in Passwordstate incident
Reference:	https://thehackernews.com/2021/04/passwordstate-password-manager-update.html
TLP:	TLP:WHITE

Rule name:	MAL_RANSOM_Ragna_Locker_Apr20_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Ragna Locker Ransomware
Reference:	https://otx.alienvault.com/indicator/file/c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	MAL_RANSOM_Ragna_Locker_Apr20_1_RID3195 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects Ragna Locker Ransomware
Reference:	https://otx.alienvault.com/indicator/file/c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6
TLP:	TLP:WHITE

Rule name:	malware_apt15_royaldll Alert Create hunting rule
Author:	David Cannings
Description:	DLL implant, originally rights.dll and runs as a service
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	MALWARE_Multi_Exaramel Alert Create hunting rule
Author:	ditekSHen
Description:	Exaramel Windows/Linux backdoor payload
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	Malware_QA_not_copy Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	VT Research QA uploaded malware - file not copy.exe
Reference:	VT Research QA
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Malware_QA_not_copy_RID2E95 Alert Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file not copy.exe
Reference:	VT Research QA
TLP:	TLP:WHITE

Rule name:	MALWARE_Win_AsyncRAT Alert Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	meth_peb_parsing Alert Create hunting rule
Author:	Willi Ballenthin
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	mybillgates Alert Create hunting rule
Description:	billgates
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	PE_Potentially_Signed_Digital_Certificate Alert Create hunting rule
Author:	albertzsigovits
TLP:	TLP:WHITE

Rule name:	Powerkatz_DLL_Generic Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)
Reference:	PowerKatz Analysis
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Powerkatz_DLL_Generic_RID2F2F Alert Create hunting rule
Author:	Florian Roth
Description:	Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)
Reference:	PowerKatz Analysis
TLP:	TLP:WHITE

Rule name:	PowerShell_Mal_HackTool_Gen Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects PowerShell hack tool samples - generic PE loader
Reference:	Internal Research
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	PowerShell_Mal_HackTool_Gen_RID317C Alert Create hunting rule
Author:	Florian Roth
Description:	Detects PowerShell hack tool samples - generic PE loader
Reference:	Internal Research
TLP:	TLP:WHITE

Rule name:	PSAttack_EXE Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	PSAttack - Powershell attack tool - file PSAttack.exe
Reference:	https://github.com/gdssecurity/PSAttack/releases/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	PSAttack_EXE_RID2B4D Alert Create hunting rule
Author:	Florian Roth
Description:	PSAttack - Powershell attack tool - file PSAttack.exe
Reference:	https://github.com/gdssecurity/PSAttack/releases/
TLP:	TLP:WHITE

Rule name:	QbotStuff Alert Create hunting rule
Author:	anonymous
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Ransom_LockerGoga_Mar19_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects LockerGoga ransomware binaries
Reference:	https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Ransom_LockerGoga_Mar19_1_RID3037 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects LockerGoga ransomware binaries
Reference:	https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202
TLP:	TLP:WHITE

Rule name:	RAT_Imminent Alert Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects Imminent RAT
Reference:	http://malwareconfig.com/stats/Imminent
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	RAT_LuminosityLink Alert Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects LuminosityLink RAT
Reference:	http://malwareconfig.com/stats/LuminosityLink
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	RAT_Plasma Alert Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects Plasma RAT
Reference:	http://malwareconfig.com/stats/Plasma
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	ReflectiveLoader Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	reverse_http Alert Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)
TLP:	TLP:WHITE
Repository:	CD-R0M

Rule name:	RocketKitten_Keylogger Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Keylogger used in Rocket Kitten APT
Reference:	https://goo.gl/SjQhlp
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	sig_238_Glass2k Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Disclosed hacktool set (old stuff) - file Glass2k.exe
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	sig_238_nbtdump Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Disclosed hacktool set (old stuff) - file nbtdump.exe
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	SUSP_Discord_Attachments_URL Alert Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
TLP:	TLP:WHITE

Rule name:	SUSP_ENV_Folder_Root_File_Jan23_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious file path pointing to the root of a folder easily accessible via environment variables
Reference:	Internal Research
TLP:	TLP:WHITE

Rule name:	SUSP_Ngrok_URL Alert Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an ngrok.io URL. This can be used as C2 channel
TLP:	TLP:WHITE

Rule name:	SUSP_OneNote Alert Create hunting rule
Author:	spatronn
Description:	Hard-Detect One
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	SUSP_PowerShell_Caret_Obfuscation_2 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects powershell keyword obfuscated with carets
Reference:	Internal Research
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	SUSP_PowerShell_Caret_Obfuscation_2_RID347B Alert Create hunting rule
Author:	Florian Roth
Description:	Detects powershell keyword obfuscated with carets
Reference:	Internal Research
TLP:	TLP:WHITE

Rule name:	SUSP_PowerShell_Download_Temp_Rundll Alert Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detect a Download to %temp% and execution with rundll32.exe
TLP:	TLP:WHITE

Rule name:	SUSP_Websites Alert Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference of suspicious sites that might be used to download further malware
TLP:	TLP:WHITE
Repository:	SIFalcon

Rule name:	classified

Rule name:	TempRacer Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects privilege escalation tool - file TempRacer.exe
Reference:	http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	TempRacer_RID2A94 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects privilege escalation tool - file TempRacer_RID2A94.exe
Reference:	http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/
TLP:	TLP:WHITE

Rule name:	TidePool_Malware Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks
Reference:	http://goo.gl/m2CXWR
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	TidePool_Malware_RID2D59 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks
Reference:	http://goo.gl/m2CXWR
TLP:	TLP:WHITE

Rule name:	Tmanger_Family_20210223 Alert Create hunting rule
Author:	Rintaro Koike (@nao_sec)
Description:	Tmanger Family
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	UACME_Akagi_2 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe
Reference:	https://github.com/hfiref0x/UACME
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	UACME_Akagi_2_RID2B49 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe
Reference:	https://github.com/hfiref0x/UACME
TLP:	TLP:WHITE

Rule name:	Unauthorized_Proxy_Server_RAT Alert Create hunting rule
Author:	US-CERT Code Analysis Team
Reference:	https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Unidentified_Malware_Two Alert Create hunting rule
Author:	US CERT
Description:	Unidentified Implant by APT29
Reference:	https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	WaterBug_fa_malware Alert Create hunting rule
Author:	Symantec Security Response
Description:	Symantec Waterbug Attack - FA malware variant
Reference:	http://t.co/rF35OaAXrl
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	classified
Author:	classified
TLP :	TLP:GREEN

Rule name:	classified
Author:	classified
TLP :	TLP:GREEN

Rule name:	win_dispenserxfs_w0 Alert Create hunting rule
Author:	@Xylit0l @r3c0nst / Modified by Florian Roth
Description:	Detects ATM Malware DispenserXFS
Reference:	https://twitter.com/r3c0nst/status/1100775857306652673
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_enfal_w0 Alert Create hunting rule
Author:	Florian Roth
Description:	Generic Rule to detect the Enfal Malware
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_extreme_rat_w0 Alert Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	Xtrem RAT v3.5
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_ghole_w0 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ
Reference:	http://goo.gl/NpJpVZ
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_iceid_core_202104 Alert Create hunting rule
Author:	Thomas Barabosch, Telekom Security
Description:	2021 Bokbot / Icedid core
TLP:	TLP:WHITE
Repository:	Sandnet

Rule name:	classified
Author:	classified
TLP :	TLP:GREEN

Rule name:	win_korlia_w0 Alert Create hunting rule
Author:	Nick Hoffman
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_lockergoga_w0 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects LockerGoga ransomware binaries
Reference:	https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_rgdoor_w0 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects RGDoor backdoor used by OilRig group
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_royal_dns_w1 Alert Create hunting rule
Author:	David Cannings
Description:	DLL implant, originally rights.dll and runs as a service
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_woolger_w0 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects Keylogger used in Rocket Kitten APT
Reference:	https://goo.gl/SjQhlp
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	Win32_Buzus_Softpulse Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Trojan Buzus / Softpulse
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Windows_Exploit_Dcom_7a1bcec7 Alert Create hunting rule
Author:	Elastic Security
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Exploit_Dcom_7a1bcec7 Alert Create hunting rule
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	WoolenGoldfish_Generic_1 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ
Reference:	http://goo.gl/NpJpVZ
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	WoolenGoldfish_Generic_1_RID3061 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ
Reference:	http://goo.gl/NpJpVZ
TLP:	TLP:WHITE

Rule name:	WoolenGoldfish_Generic_3 Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ
Reference:	http://goo.gl/NpJpVZ
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	xRAT Alert Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
TLP:	TLP:WHITE
Repository:

Rule name:	XYZCmd_zip_Folder_XYZCmd Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Disclosed hacktool set (old stuff) - file XYZCmd.exe
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	yara_template Alert Create hunting rule
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

---

The following files could be unpacked from this sample.