
You are currently viewing the YARAhub entry of the YARA rule PacketSDK_Proxy_Tunnel_Malware. Depending on the TLP classification the author chose for this rule, further information about it is available below.

YARA Rule Details: PacketSDK_Proxy_Tunnel_Malware


Rule name:PacketSDK_Proxy_Tunnel_Malware
Author:Valton Tahiri (cybee.ai)
Description:Detects PacketSDK-based proxy/tunnel component used in sysvideo/onedrivesync case
Reference MD5: 7f3b2a4d9e1c0f85b3c1d0e7a4b2c9f1
Reference Link :n/a
Malpedia Family :n/a
Date added:2025-12-18
Rule Matching TLP :TLP:WHITE
Rule Sharing TLP :TLP:WHITE
License : https://creativecommons.org/licenses/by/4.0/
UUID: 9f3d2b8e-7c41-4f0a-9a2b-3c5d7e1f2a9b
Static hits:4
Unpacker hits:0

YARA Rule Content


The content of the YARA rule is shown below.

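rule PacketSDK_Proxy_Tunnel_Malware {
    meta:
        description = "Detects PacketSDK-based proxy/tunnel component used in sysvideo/onedrivesync case"
        author = "Valton Tahiri (cybee.ai)"
        date = "2025-12-18"
        reference = "https://www.linkedin.com/in/valton-tahiri/"
        severity = "critical"
        category = "proxy_tunnel"
        malware_family = "PacketSDK_tunnel"
        // NOTE(review): 26 hex characters is not the length of an MD5, SHA-1 or
        // SHA-256 digest; the full sample hash should be confirmed with the author.
        hash_sample = "ff6f1a93c2e0b46d9a3e18c75d"
        yarahub_reference_md5 = "7f3b2a4d9e1c0f85b3c1d0e7a4b2c9f1"
        yarahub_uuid = "9f3d2b8e-7c41-4f0a-9a2b-3c5d7e1f2a9b"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        yaraify_uuid = "4c1e9f72-3b58-4a91-8e6d-9a2075c3d8f4"

    strings:
        // Branding / messages.
        // Any single one of these is sufficient for a match (see condition), so
        // $s_tool_1 (" Packet SDK", leading space included) is the rule's weakest
        // trigger. Legitimate software that bundles the SDK will also match and
        // should be triaged with that in mind.
        $s_tool_1 = " Packet SDK" ascii wide
        $s_tool_2 = "Packet SDK is running." ascii wide
        $s_tool_3 = "Packet SDK not running." ascii wide
        $s_tool_4 = "This device has been successfully certified." ascii wide
        $s_tool_5 = "When \"This device has been successfully certified\" appears in the console, it means that you have successfully launched the Packet SDK." ascii wide
        $s_tool_6 = "Certification successful." ascii wide

        // C2 / infrastructure domains. One of these is required by every
        // condition branch except the branding-only branch.
        $d_1 = "packetsdk.net" ascii wide
        $d_2 = "packetsdk.io" ascii wide
        $d_3 = "packetsdk.xyz" ascii wide
        $d_4 = "rt-guard.com" ascii wide

        // Docker / CLI usage
        $c_1 = "docker run --restart unless-stopped packetsdk/packetsdk -appkey=APPKEY" ascii
        $c_2 = ".run_On_Docker" ascii
        $c_3 = "-deviceInfo=DEVICEINFO" ascii
        $c_4 = "-deviceInfo=" ascii
        $c_5 = "-appkey=APPKEY" ascii
        $c_6 = "-appkey=" ascii
        $c_7 = "Your appkey: " ascii
        $c_8 = "Invalid appkey." ascii
        $c_9 = "App key not set." ascii
        $c_10 = "Auth domain: {}" ascii
        $c_11 = "Device info:" ascii

        // UID / fingerprinting
        $u_1 = "UID_MD5: {}" ascii
        $u_2 = "UID: {}" ascii
        $u_3 = "Use CPUID + MAC to generate uuid --->  Normal" ascii
        $u_4 = "CPUID or MAC address is empty. Manual generation uid." ascii
        $u_5 = "Baseboard id: {}" ascii
        $u_6 = "MacAddress: {}" ascii
        $u_7 = "wmic csproduct get UUID" ascii
        $u_8 = "Your IP address: {}" ascii

        // Proxy / TCPTunnel messages.
        // The misspellings below ("domian", "frin", "proxy er.") presumably
        // reproduce the binary's own log text; leave them exactly as written.
        $p_1 = "ProxyControl construct success!" ascii
        $p_2 = "Construct Forward class success!" ascii
        $p_3 = "Construct TCPTunnel:" ascii
        $p_4 = "TCPTunnel destruct function called. Key:" ascii
        $p_5 = "Forward module isn't running now. Invalid operation(Stop forward). PASS!" ascii
        $p_6 = "Forward module is running now. Invalid operation(Start forward). PASS!" ascii
        $p_7 = "Proxy not connected. Close directly!" ascii
        $p_8 = "Proxy server close the connection!" ascii
        $p_9 = "ProxyControl object not exist. PASS!" ascii
        $p_10 = "Write data to proxy" ascii
        $p_11 = "Read data from proxy" ascii
        $p_12 = "Write data to target" ascii
        $p_13 = "Read data from target" ascii
        $p_14 = "Target address is domain. Need resolve." ascii
        $p_15 = "Target address is IP. Don't need resolve." ascii
        $p_16 = "Target server close the connection!" ascii
        $p_17 = "Target domain resolver failed! Error Code:" ascii
        $p_18 = "Target domain resolver success!" ascii
        $p_19 = "Dispatch server number is zero. Obtain dispatch server info." ascii
        $p_20 = "All dispatch server have been closed and destruct." ascii
        $p_21 = "Dispatch command ignored. stoi() throw an exception. Invalid target port." ascii
        $p_22 = "Dispatch command ignored. Invalid target port." ascii
        $p_23 = "Detach dispatch server port failed! stoi() throw an exception." ascii
        $p_24 = "Server[A] connect failed! Error Code:" ascii
        $p_25 = "Resolve server[A] domian failed! Error Code:" ascii
        $p_26 = "Write data to server[P] failed! Error Code:" ascii
        $p_27 = "Read data from server[P] failed! Error Code:" ascii
        $p_28 = "Connect server[P] failed! Error Code:" ascii
        $p_29 = "Read data frin server[A] failed! Error Code:" ascii
        $p_30 = "Connection of" ascii
        $p_31 = "Target address:" ascii
        $p_32 = "Target: " ascii
        $p_33 = "Both connect success! Reply to proxy server:" ascii
        $p_34 = "Proxy connected. Reply to proxy er." ascii
        $p_35 = "Reply to proxy server success! reply_str:" ascii
        $p_36 = "Reply to proxy server failed! Error Code:" ascii

        // Heartbeat / server line logic (same remark on spelling as above:
        // "hearbeat", "domian", "occured" are kept verbatim).
        $h_1 = "Need retrieve server info now. Current server info amounts:" ascii
        $h_2 = "Send hearbeat data to all dispatch server." ascii
        $h_3 = "heartBeatInterval:" ascii
        $h_4 = "Heartbeat data:" ascii
        $h_5 = "Heartbeat timer error occured." ascii
        $h_6 = "Heartbeat timer cancelled." ascii
        $h_7 = "The server line information has expired and will be automatically refreshed." ascii
        $h_8 = "The server line information will expire periodically and automatically refresh, which is a normal situation." ascii
        $h_9 = "Some server lines are abnormal and have been removed. Automatically reacquire new server line information." ascii
        $h_10 = "Current number of server lines:" ascii
        $h_11 = "Start authentication and obtain server line information." ascii
        $h_12 = "Successfully obtained server information." ascii
        $h_13 = "Read dispatch info success:" ascii
        $h_14 = "Auth server connect success!" ascii
        $h_15 = "Resolve auth domain." ascii
        $h_16 = "Resolve auth domian success!" ascii
        $h_17 = "Raw auth data:" ascii
        $h_18 = "Raw auth response:" ascii
        $h_19 = "Auth data:" ascii

    condition:
        // PE files only (MZ magic). The Docker/Linux deployment referenced by
        // $c_1 is therefore out of scope for this rule; no filesize cap is
        // applied, so very large PE files are scanned in full.
        uint16(0) == 0x5A4D and
        (
            // Branch 1: any branding string on its own is sufficient.
            // (The original "2 of ($s_tool*)" sub-clause was dropped: it is
            // implied by this branch, so the condition is unchanged.)
            any of ($s_tool*) or
            // Branch 2: an infrastructure domain corroborated by CLI strings,
            // proxy/tunnel log text, or fingerprinting plus heartbeat text.
            (
                1 of ($d_*) and
                (
                    2 of ($c_*) or
                    2 of ($p_*) or
                    (1 of ($u_*) and 1 of ($h_*))
                )
            )
        )
}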

YARA Rule Matches


The following table shows the most recent files matching this particular YARA rule.

First seen (UTC) | SHA256 hash | Static matches | Unpacker matches