diff --git a/data/yara/CAPE/Downloaders.yar b/data/yara/CAPE/Downloaders.yar
index 0c9c505b..3ae7f986 100644
--- a/data/yara/CAPE/Downloaders.yar
+++ b/data/yara/CAPE/Downloaders.yar
@@ -457,3 +457,20 @@ rule PackedLoader {
 condition:
 uint16(0) == 0x5a4d and 11 of them
 }
+
+rule PWSHDLLDL {
+ meta:
+ author = "ditekShen"
+ description = "Detects downloader"
+ strings:
+ $s1 = "powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file " fullword wide nocase
+ $s2 = "objShell.run \"powershell -WindowStyle hidden -command wscript.exe //b //nologo '" fullword wide nocase
+ $s3 = "cmd.exe /c schtasks.exe /create /tn \"" fullword wide nocase
+ $s4 = "-WindowStyle hidden -command wscript.exe //b //nologo '" fullword wide nocase
+ $s6 = "\" /tr \"wscript.exe //b //nologo '" fullword wide nocase
+ $s7 = "\" -Value \"Powershell.exe -WindowStyle hidden \"\"& '" fullword wide nocase
+ $op0 = { 61 01 00 34 53 79 73 74 65 6d 2e 57 65 62 2e 53 }
+ $op1 = { 4b 04 00 00 34 01 00 00 7f 05 00 00 1a }
+ condition:
+ uint16(0) == 0x5a4d and pe.is_dll() and 5 of them
+}
diff --git a/data/yara/CAPE/GraphicalProton.yar b/data/yara/CAPE/GraphicalProton.yar
new file mode 100644
index 00000000..123eeb05
--- /dev/null
+++ b/data/yara/CAPE/GraphicalProton.yar
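Review bot: The condition on the last added line calls `pe.is_dll()`, which only compiles if Downloaders.yar has `import "pe"` at the top; the hunk starts at line 457 and the file header is not visible here, so confirm the import exists, otherwise the whole file fails to load rather than just this rule. Unlike the two other CAPE rules in this diff, this one carries no `cape_type` meta, so a hit will not be tagged as a payload in CAPE; if that is intentional, a `description` more specific than "Detects downloader" (the strings describe a PowerShell/WScript scheduled-task chain) would make the hit easier to triage. The string numbering also skips `$s5`, which reads like a dropped string rather than a deliberate gap and is worth either restoring or renumbering.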
@@ -0,0 +1,17 @@
+rule GraphicalProton_rsockstun {
+ meta:
+ author = "ditekShen"
+ description = "Detects GraphicalProton custom rsockstun"
+ cape_type = "GraphicalProton Payload"
+ strings:
+ $m1 = "main.connectviaproxy" ascii
+ $m2 = "main.connectForSocks" ascii
+ $m3 = "main.listenForClients" ascii
+ $m4 = "main.listenForSocks" ascii
+ $s1 = "Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=" ascii
+ $s2 = "Server: nginx/1.14.1" ascii
+ $s3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" ascii
+ $s4 = "wine_get" ascii
+ condition:
+ uint16(0) == 0x5a4d and ((all of ($m*) and 2 of ($s*)) or (all of ($s*) and 1 of ($m*)) or 7 of them)
+}
diff --git a/data/yara/CAPE/RisePro.yar b/data/yara/CAPE/RisePro.yar
new file mode 100644
index 00000000..bbad3536
--- /dev/null
+++ b/data/yara/CAPE/RisePro.yar
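Review bot: The first branch of the condition, `all of ($m*) and 2 of ($s*)`, can be satisfied without any of the strings that make this build "custom": `$m1`–`$m4` and `$s1` are exactly the strings the generic INDICATOR_TOOLS_rsockstun rule added later in this same diff keys on, and `$s4` (`wine_get`) looks like a Go runtime artifact rather than something specific to this sample, so a stock rsockstun binary would be tagged with `cape_type = "GraphicalProton Payload"`. Consider requiring one of the genuinely distinguishing strings in that branch, e.g. `(all of ($m*) and 1 of ($s2, $s3))`, so the CAPE payload label is only applied when the nginx Server header or the pinned Chrome/112 UA is present. The Base64 in `$s1` is a fixed NTLM Type 1 message and deserves a comment saying so, since a rebuild with different negotiate flags will change it and the string will silently stop matching.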
@@ -0,0 +1,32 @@
+rule RisePro {
+ meta:
+ author = "ditekShen"
+ description = "Detects RisePro infostealer"
+ cape_type = "RisePro Payload"
+ strings:
+ $x1 = "t.me/riseprosupport" ascii wide nocase
+ $s1 = "failed readpacket" fullword wide
+ $s2 = "faield sendpacket" fullword wide
+ $s3 = "PersistWal" fullword wide
+ $s4 = /CRED_ENUMERATE_(ALL|SESSION)_CREDENTIALS/ fullword ascii
+ $s5 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36" fullword wide
+ $s6 = { 4c 00 6f 00 67 00 69 00 6e 00 20 00 44 00 61 00
+ 74 00 61 [10] 57 00 65 00 62 00 20 00 44 00 61 00
+ 74 00 61 [2] 48 00 69 00 73 00 74 00 6f 00 72 00
+ 79 [21] 43 00 6f 00 6f 00 6b 00 69 00 65 00 73 }
+ $s7 = { 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00
+ 69 00 6f 00 6e 00 2f 00 78 00 2d 00 77 00 77 00
+ 77 00 2d 00 66 00 6f 00 72 00 6d 00 2d 00 75 00
+ 72 00 6c 00 65 00 6e 00 63 00 6f 00 64 00 65 00
+ 64 00 3b 00 20 00 63 00 68 00 61 00 72 00 73 00
+ 65 00 74 00 3d 00 75 00 74 00 66 00 2d 00 38 00
+ 42 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74
+ 00 69 00 6f 00 6e 00 2f 00 6a 00 73 00 6f 00 6e
+ 00 2c 00 20 00 74 00 65 00 78 00 74 00 2f 00 70
+ 00 6c 00 61 00 69 00 6e 00 2c 00 20 00 2a 00 2f
+ 00 2a }
+ $s8 = /_(SET|GET)_(GRABBER|LOADER)/ wide
+ $s9 = /catch (save )?(windows cred|screen|pluginscrypto|historyCC|autofill|cookies|passwords|passwords sql|autofills sql|dwnlhistory sql|discordToken|quantum|isDropped)/ fullword wide
+ condition:
+ uint16(0) == 0x5a4d and (1 of ($x*) or 6 of ($s*))
+}
diff --git a/data/yara/binaries/indicator_tools.yar b/data/yara/binaries/indicator_tools.yar
index e8166bb1..45a221d1 100644
--- a/data/yara/binaries/indicator_tools.yar
+++ b/data/yara/binaries/indicator_tools.yar
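Review bot: `$s2 = "faield sendpacket"` is spelled differently from `$s1 = "failed readpacket"` and nothing in the hunk records whether that is the sample's own typo (which is what makes it a good indicator) or a slip in the rule; a future cleanup will "correct" it and silently break the string. Add a comment on that line such as `// "faield" is the sample's own misspelling - do not correct`. The hex in `$s7` likewise carries a lone `42` byte between the two UTF-16 strings (`... 38 00 42 61 00 70 ...`) that breaks the two-byte alignment; if it is deliberate a one-line comment will keep it from being "repaired", and if it is not, `[1]` is the safer form. `$x1` on its own is enough to fire the rule, which is fine for a CAPE payload tag but worth stating in the description so analysts know a bare support-channel string was the trigger.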
@@ -1276,16 +1276,14 @@ rule INDICATOR_TOOL_PROX_revsocks {
 description = "Detects revsocks Reverse socks5 tunneler with SSL/TLS and proxy support"
 strings:
 $s1 = "main.agentpassword" fullword ascii
- $s2 = "main.CommitID" fullword ascii
- $s3 = "main.connectForSocks" fullword ascii
- $s4 = "main.connectviaproxy" fullword ascii
- $s5 = "main.DnsConnectSocks" fullword ascii
- $s6 = "main.listenForAgents" fullword ascii
- $s7 = "main.listenForClients" fullword ascii
- $s8 = "main.getPEMs" fullword ascii
- $s9 = "mygithub/revsocks/main.go" ascii
+ $s2 = "main.connectForSocks" fullword ascii
+ $s3 = "main.connectviaproxy" fullword ascii
+ $s4 = "main.DnsConnectSocks" fullword ascii
+ $s5 = "main.listenForAgents" fullword ascii
+ $s6 = "main.listenForClients" fullword ascii
+ $s7 = "main.getPEMs" fullword ascii
 condition:
- (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and 5 of them
+ (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and 4 of them
 }

 rule INDICATOR_TOOL_PWS_azbelt {
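Review bot: With `main.CommitID` and the `mygithub/revsocks/main.go` path removed and the threshold lowered to `4 of them`, three of the seven remaining symbols (`main.connectForSocks`, `main.connectviaproxy`, `main.listenForClients`) are the same ones the new INDICATOR_TOOLS_rsockstun rule in this diff keys on, so a single additional shared symbol is now enough to label a binary as revsocks. If the two tools are meant to stay distinguishable, anchor the condition on a symbol that only appears in this rule: `(uint16(0) == 0x5a4d or uint16(0) == 0x457f) and 4 of them and 1 of ($s1, $s4, $s5, $s7)`. The rule's `meta` block starts above the hunk and is not visible here, so I cannot tell whether the description was updated to reflect the weaker, symbol-only match.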
@@ -1753,3 +1751,74 @@ rule INDICATOR_TOOL_Havoc {
 )
 )
 }
+
+rule INDICATOR_TOOLS_LocalPotato {
+ meta:
+ author = "ditekShen"
+ description = "Detects LocalPotato"
+ strings:
+ $x1 = "LocalPotato.stg" fullword wide
+ $x2 = "we always love potatoes" fullword ascii
+ $s1 = "{00000306-0000-0000-c000-000000000046}" wide
+ $s2 = "{854A20FB-2D44-457D-992F-EF13785D2B51}" wide
+ $s3 = "cifs/127.0.0.1" wide
+ $s4 = "\\\\127.0.0.1\\c$" wide
+ $s5 = "complete failed: 0x%08x" ascii
+ $s6 = "Authorization: NTLM %s" ascii
+ $s7 = "Objref Moniker Display Name = %S" ascii
+ $s8 = "SMB Connect Tree: %S" ascii
+ $s9 = "b64type=%s" fullword ascii
+ $s10 = "decodes=%s" fullword ascii
+ $s11 = { 53 4d 42 72 00 00 00 00 18 01 48 00 00 00 00 00
+ 00 00 00 00 00 00 00 ff ff ac 7b 00 00 00 00 00
+ 22 00 02 4e 54 20 4c 4d 20 30 2e 31 32 00 02 53
+ 4d 42 20 32 2e 30 30 32 00 02 53 4d 42 20 32 2e
+ 3f 3f 3f 00 00 00 00 00 00 00 00 00 00 00 68 fe
+ 53 4d 42 40 }
+ $o1 = { 44 8b 4c 24 34 48 8d 44 24 38 48 89 44 24 28 4c }
+ $o2 = { e8 c4 ff ff ff 33 d2 48 8d 4d f0 41 b8 d0 04 00 }
+ $o3 = { 83 7b 0c 00 75 42 8b 03 25 ff ff ff 1f 3d 21 05 }
+ $o4 = { 3c 68 74 6c 3c 6a 74 5c 3c 6c 74 34 3c 74 74 24 }
+ $o5 = { e9 39 ff ff ff cc 48 89 5c 24 08 4c 89 4c 24 20 }
+ $o6 = { 48 b9 ff ff ff ff ff ff 0f 00 48 8b c2 41 b8 0c }
+ condition:
+ uint16(0) == 0x5a4d and (all of ($x*) or (1 of ($x*) and 5 of ($s*)) or 8 of($s*) or (4 of ($o*) and (1 of ($x*) or 5 of ($s*))))
+}
+
+rule INDICATOR_TOOLS_EDRSandBlast {
+ meta:
+ author = "ditekShen"
+ description = "Detects EDRSandBlast"
+ strings:
+ $s1 = "credguard" fullword wide
+ $s2 = "\\cmd.exe" fullword wide
+ $s3 = "ci_%s.dll" fullword wide
+ $s4 = "cmd /c sc" wide
+ $s5 = "fltmgr_%s.sys" fullword wide
+ $s6 = "ntoskrnl_%s.exe" fullword wide
+ $s7 = "ProductDir" fullword wide
+ $s8 = "lsass.exe" fullword wide
+ $s9 = "0x%p;%ws;%ws;;;" ascii
+ $s10 = "MiniDumpWriteDump" ascii
+ $s11 = "EDRSB_Init: %u" ascii
+ $s12 = "ntoskrnloffsets.csv" fullword wide nocase
+ $s13 = "wdigestoffsets.csv" fullword wide nocase
+ $o1 = { eb 0e 8b 85 34 15 00 00 ff c0 89 85 34 15 00 00 }
+ $o2 = { 74 48 8b 85 34 15 00 00 41 b9 04 01 00 00 4c 8d }
+ condition:
+ uint16(0) == 0x5a4d and 7 of them
+}
+
+rule INDICATOR_TOOLS_rsockstun {
+ meta:
+ author = "ditekShen"
+ description = "Detects rsockstun"
+ strings:
+ $s1 = "main.connectviaproxy" ascii
+ $s2 = "main.connectForSocks" ascii
+ $s3 = "main.listenForClients" ascii
+ $s4 = "main.listenForSocks" ascii
+ $s5 = "Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=" ascii
+ condition:
+ (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and all of them
+}
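Review bot: INDICATOR_TOOLS_EDRSandBlast's condition `uint16(0) == 0x5a4d and 7 of them` can be met entirely by strings that are not specific to the tool — `credguard`, `\cmd.exe`, `cmd /c sc`, `ProductDir`, `lsass.exe`, `MiniDumpWriteDump` plus either `$o*` opcode blob — so a legitimate dump or admin utility could trip a rule named after an EDR-evasion tool. Keeping the threshold but anchoring it on one tool-specific string avoids that: `uint16(0) == 0x5a4d and 7 of them and 1 of ($s3, $s5, $s6, $s11, $s12, $s13)`. In INDICATOR_TOOLS_LocalPotato, `$s1` is a lower-case GUID and `$s2` upper-case, both without `nocase`; GUID string case is not significant and varies between builds, so `nocase` on both is more robust, and `8 of($s*)` in that condition is missing the space the other terms use. INDICATOR_TOOLS_rsockstun shares `$s1`–`$s5` with the GraphicalProton_rsockstun rule added earlier in this diff, so any binary hitting this rule will also be tagged as a GraphicalProton payload unless that rule is tightened.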