|
1 |
| -rule AsyncRAT |
2 |
| -{ |
3 |
| - meta: |
4 |
| - author = "kevoreilly, JPCERT/CC Incident Response Group" |
5 |
| - description = "AsyncRAT Payload" |
6 |
| - cape_type = "AsyncRAT Payload" |
7 |
| - strings: |
8 |
| - $salt = {BF EB 1E 56 FB CD 97 3B B2 19 02 24 30 A5 78 43 00 3D 56 44 D2 1E 62 B9 D4 F1 80 E7 E6 C3 39 41} |
9 |
| - $b1 = {00 00 00 0D 53 00 48 00 41 00 32 00 35 00 36 00 00} |
10 |
| - $b2 = {09 50 00 6F 00 6E 00 67 00 00} |
11 |
| - $string1 = "Pastebin" ascii wide nocase |
12 |
| - $string2 = "Pong" wide |
13 |
| - $string3 = "Stub.exe" ascii wide |
14 |
| - $kitty = "StormKitty" ascii |
15 |
| - condition: |
16 |
| - uint16(0) == 0x5A4D and not $kitty and ($salt and (2 of ($str*) or 1 of ($b*))) or (all of ($b*) and 2 of ($str*)) |
17 |
| -} |
18 |
| - |
19 | 1 | rule AsyncRAT_kingrat {
|
20 | 2 | meta:
|
21 | 3 | author = "jeFF0Falltrades"
|
22 |
| - cape_type = "AsyncRAT Payload" |
| 4 | + cape_type = "AsyncRAT Payload" |
23 | 5 |
|
24 | 6 | strings:
|
25 | 7 | $str_async = "AsyncClient" wide ascii nocase
|
26 | 8 | $str_aes_exc = "masterKey can not be null or empty" wide ascii
|
27 | 9 | $str_schtasks = "schtasks /create /f /sc onlogon /rl highest" wide ascii
|
| 10 | + $byte_aes_key_base = { 7E [3] 04 73 [3] 06 80 } |
| 11 | + $byte_aes_salt_base = { BF EB 1E 56 FB CD 97 3B B2 19 } |
| 12 | + $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 } |
| 13 | + $patt_config = { 72 [3] 70 80 [3] 04 } |
| 14 | +
|
28 | 15 | $dcrat_1 = "dcrat" wide ascii nocase
|
29 | 16 | $dcrat_2 = "qwqdan" wide ascii
|
30 | 17 | $dcrat_3 = "YW1zaS5kbGw=" wide ascii
|
31 | 18 | $dcrat_4 = "VmlydHVhbFByb3RlY3Q=" wide ascii
|
32 | 19 | $dcrat_5 = "save_Plugin" wide ascii
|
| 20 | +
|
| 21 | + $ww2 = "WorldWindClient" wide fullword nocase |
| 22 | + $ww3 = "WorldWindStealer" wide fullword nocase |
| 23 | + $ww4 = "*WorldWind Pro - Results:*" wide fullword nocase |
| 24 | + $ww5 = /WorldWind(\s)?Stealer/ ascii wide |
| 25 | +
|
| 26 | + $prynt = /Prynt(\s)?Stealer/ ascii wide |
| 27 | +
|
| 28 | + condition: |
| 29 | + (not any of ($dcrat*) and not any of ($ww*) and not $prynt) and 6 of them and #patt_config >= 10 |
| 30 | +} |
| 31 | + |
| 32 | +rule StormKitty { |
| 33 | + meta: |
| 34 | + author = "ditekSHen" |
| 35 | + description = "StormKitty infostealer payload" |
| 36 | + cape_type = "StormKitty Payload" |
| 37 | + strings: |
| 38 | + $x1 = "\\ARTIKA\\Videos\\Chrome-Password-Recovery" ascii |
| 39 | + $x2 = "https://github.com/LimerBoy/StormKitty" fullword ascii |
| 40 | + $x3 = "StormKitty" fullword ascii |
| 41 | + $s1 = "GetBSSID" fullword ascii |
| 42 | + $s2 = "GetAntivirus" fullword ascii |
| 43 | + $s3 = "C:\\Users\\Public\\credentials.txt" fullword wide |
| 44 | + $s4 = "^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$" fullword wide |
| 45 | + $s5 = "BCrypt.BCryptGetProperty() (get size) failed with status code:{0}" fullword wide |
| 46 | + $s6 = "\"encrypted_key\":\"(.*?)\"" fullword wide |
| 47 | +
|
| 48 | + $ww2 = "WorldWindClient" wide fullword nocase |
| 49 | + $ww3 = "WorldWindStealer" wide fullword nocase |
| 50 | + $ww4 = "*WorldWind Pro - Results:*" wide fullword nocase |
| 51 | + $ww5 = /WorldWind(\s)?Stealer/ ascii wide |
| 52 | +
|
| 53 | + $prynt = /Prynt(\s)?Stealer/ ascii wide |
| 54 | +
|
| 55 | + condition: |
| 56 | + uint16(0) == 0x5a4d and (not any of ($ww*) and not $prynt) and (2 of ($x*) or 5 of ($s*) or (3 of ($s*) and 1 of ($x*))) |
| 57 | +} |
| 58 | + |
| 59 | + |
| 60 | +rule WorldWind { |
| 61 | + meta: |
| 62 | + author = "ditekSHen" |
| 63 | + description = "Detects WorldWind infostealer" |
| 64 | + cape_type = "WorldWind Payload" |
| 65 | + strings: |
| 66 | + $c1 = /WorldWind(\s)?Stealer/ ascii wide |
| 67 | + $x2 = "@FlatLineStealer" ascii wide |
| 68 | + $x3 = "@CashOutGangTalk" ascii wide |
| 69 | + $m1 = ".Passwords.Targets." ascii |
| 70 | + $m2 = ".Modules.Keylogger" ascii |
| 71 | + $m3 = ".Modules.Clipper" ascii |
| 72 | + $m4 = ".Modules.Implant" ascii |
| 73 | + $s1 = "--- Clipper" wide |
| 74 | + $s2 = "Downloading file: \"{file}\"" wide |
| 75 | + $s3 = "/bot{0}/getUpdates?offset={1}" wide |
| 76 | + $s4 = "send command to bot!" wide |
| 77 | + $s5 = " *Keylogger " fullword wide |
| 78 | + $s6 = "*Stealer" wide |
| 79 | + $s7 = "Bot connected" wide |
| 80 | + condition: |
| 81 | + uint16(0) == 0x5a4d and 1 of ($c*) and (1 of ($x*) or 2 of ($m*) or 3 of ($s*)) |
| 82 | +} |
| 83 | + |
| 84 | + |
| 85 | +rule Prynt { |
| 86 | + meta: |
| 87 | + author = "ditekSHen" |
| 88 | + description = "Detects Prynt infostealer" |
| 89 | + cape_type = "Prynt Payload" |
| 90 | + strings: |
| 91 | + $c1 = /Prynt(\s)?Stealer/ ascii wide |
| 92 | + $x2 = "@FlatLineStealer" ascii wide |
| 93 | + $x3 = "@CashOutGangTalk" ascii wide |
| 94 | + $m1 = ".Passwords.Targets." ascii |
| 95 | + $m2 = ".Modules.Keylogger" ascii |
| 96 | + $m3 = ".Modules.Clipper" ascii |
| 97 | + $m4 = ".Modules.Implant" ascii |
| 98 | + $s1 = "--- Clipper" wide |
| 99 | + $s2 = "Downloading file: \"{file}\"" wide |
| 100 | + $s3 = "/bot{0}/getUpdates?offset={1}" wide |
| 101 | + $s4 = "send command to bot!" wide |
| 102 | + $s5 = " *Keylogger " fullword wide |
| 103 | + $s6 = "*Stealer" wide |
| 104 | + $s7 = "Bot connected" wide |
| 105 | + condition: |
| 106 | + uint16(0) == 0x5a4d and 1 of ($c*) and (1 of ($x*) or 2 of ($m*) or 3 of ($s*)) |
| 107 | +} |
| 108 | + |
| 109 | + |
| 110 | +rule XWorm { |
| 111 | + meta: |
| 112 | + author = "ditekSHen" |
| 113 | + description = "Detects XWorm" |
| 114 | + cape_type = "XWorm Payload" |
| 115 | + strings: |
| 116 | + $x1 = "XWorm " wide nocase |
| 117 | + $x2 = /XWorm\s(V|v)\d+\.\d+/ fullword wide |
| 118 | + $s1 = "RunBotKiller" fullword wide |
| 119 | + $s2 = "XKlog.txt" fullword wide |
| 120 | + $s3 = /(shell|reg)fuc/ fullword wide |
| 121 | + $s4 = "closeshell" fullword ascii |
| 122 | + $s5 = { 62 00 79 00 70 00 73 00 73 00 00 ?? 63 00 61 00 6c 00 6c 00 75 00 61 00 63 00 00 ?? 73 00 63 00 } |
| 123 | + $s6 = { 44 00 44 00 6f 00 73 00 54 00 00 ?? 43 00 69 00 6c 00 70 00 70 00 65 00 72 00 00 ?? 50 00 45 00 } |
| 124 | + $s7 = { 69 00 6e 00 6a 00 52 00 75 00 6e 00 00 ?? 73 00 74 00 61 00 72 00 74 00 75 00 73 00 62 } |
| 125 | + $s8 = { 48 6f 73 74 00 50 6f 72 74 00 75 70 6c 6f 61 64 65 72 00 6e 61 6d 65 65 65 00 4b 45 59 00 53 50 4c 00 4d 75 74 65 78 78 00 } |
| 126 | + $v2_1 = "PING!" fullword wide |
| 127 | + $v2_2 = "Urlhide" fullword wide |
| 128 | + $v2_3 = /PC(Restart|Shutdown)/ fullword wide |
| 129 | + $v2_4 = /(Start|Stop)(DDos|Report)/ fullword wide |
| 130 | + $v2_5 = /Offline(Get|Keylogger)/ wide |
| 131 | + $v2_6 = "injRun" fullword wide |
| 132 | + $v2_7 = "Xchat" fullword wide |
| 133 | + $v2_8 = "UACFunc" fullword ascii wide |
| 134 | + condition: |
| 135 | + uint16(0) == 0x5a4d and ((1 of ($x*) and (3 of ($s*) or 3 of ($v2*))) or 6 of them) |
| 136 | +} |
| 137 | + |
| 138 | +rule xworm_kingrat { |
| 139 | + meta: |
| 140 | + author = "jeFF0Falltrades" |
| 141 | + cape_type = "XWorm payload" |
| 142 | + strings: |
| 143 | + $str_xworm = "xworm" wide ascii nocase |
| 144 | + $str_xwormmm = "Xwormmm" wide ascii |
| 145 | + $str_xclient = "XClient" wide ascii |
| 146 | + $str_default_log = "\\Log.tmp" wide ascii |
| 147 | + $str_create_proc = "/create /f /RL HIGHEST /sc minute /mo 1 /t" wide ascii |
| 148 | + $str_ddos_start = "StartDDos" wide ascii |
| 149 | + $str_ddos_stop = "StopDDos" wide ascii |
| 150 | + $str_timeout = "timeout 3 > NUL" wide ascii |
| 151 | + $byte_md5_hash = { 7e [3] 04 28 [3] 06 6f } |
| 152 | + $patt_config = { 72 [3] 70 80 [3] 04 } |
| 153 | + condition: |
| 154 | + 5 of them and #patt_config >= 7 |
| 155 | +} |
| 156 | + |
| 157 | +rule DCRat { |
| 158 | + meta: |
| 159 | + author = "ditekSHen" |
| 160 | + description = "DCRat payload" |
| 161 | + cape_type = "DCRat Payload" |
| 162 | + strings: |
| 163 | + // DCRat |
| 164 | + $dc1 = "DCRatBuild" ascii |
| 165 | + $dc2 = "DCStlr" ascii |
| 166 | + $x1 = "px\"><center>DCRat Keylogger" wide |
| 167 | + $x2 = "DCRat-Log#" wide |
| 168 | + $x3 = "DCRat.Code" wide |
| 169 | + $string1 = "CaptureBrowsers" fullword ascii |
| 170 | + $string2 = "DecryptBrowsers" fullword ascii |
| 171 | + $string3 = "Browsers.IE10" ascii |
| 172 | + $string4 = "Browsers.Chromium" ascii |
| 173 | + $string5 = "WshShell" ascii |
| 174 | + $string6 = "SysMngmts" fullword ascii |
| 175 | + $string7 = "LoggerData" fullword ascii |
| 176 | + // DCRat Plugins/Libraries |
| 177 | + $plugin = "DCRatPlugin" fullword ascii |
| 178 | + // AntiVM |
| 179 | + $av1 = "AntiVM" ascii wide |
| 180 | + $av2 = "vmware" fullword wide |
| 181 | + $av3 = "VirtualBox" fullword wide |
| 182 | + $av4 = "microsoft corporation" fullword wide |
| 183 | + $av5 = "VIRTUAL" fullword wide |
| 184 | + $av6 = "DetectVirtualMachine" fullword ascii |
| 185 | + $av7 = "Select * from Win32_ComputerSystem" fullword wide |
| 186 | + // Plugin_AutoStealer, Plugin_AutoKeylogger |
| 187 | + $pl1 = "dcratAPI" fullword ascii |
| 188 | + $pl2 = "dsockapi" fullword ascii |
| 189 | + $pl3 = "file_get_contents" fullword ascii |
| 190 | + $pl4 = "classthis" fullword ascii |
| 191 | + $pl5 = "typemdt" fullword ascii |
| 192 | + $pl6 = "Plugin_AutoStealer" ascii wide |
| 193 | + $pl7 = "Plugin_AutoKeylogger" ascii wide |
| 194 | + // variant |
| 195 | + $v1 = "Plugin couldn't process this action!" wide |
| 196 | + $v2 = "Unknown command!" wide |
| 197 | + $v3 = "PLUGINCONFIGS" wide |
| 198 | + $v4 = "Saving log..." wide |
| 199 | + $v5 = "~Work.log" wide |
| 200 | + $v6 = "MicrophoneNum" fullword wide |
| 201 | + $v7 = "WebcamNum" fullword wide |
| 202 | + $v8 = "%SystemDrive% - Slow" wide |
| 203 | + $v9 = "%UsersFolder% - Fast" wide |
| 204 | + $v10 = "%AppData% - Very Fast" wide |
| 205 | + $v11 = /<span style=\"color: #F85C50;\">\[(Up|Down|Enter|ESC|CTRL|Shift|Win|Tab|CAPSLOCK: (ON|OFF))\]<\/span>/ wide |
| 206 | + $px1 = "[Browsers] Scanned elements: " wide |
| 207 | + $px2 = "[Browsers] Grabbing cookies" wide |
| 208 | + $px3 = "[Browsers] Grabbing passwords" wide |
| 209 | + $px4 = "[Browsers] Grabbing forms" wide |
| 210 | + $px5 = "[Browsers] Grabbing CC" wide |
| 211 | + $px6 = "[Browsers] Grabbing history" wide |
| 212 | + $px7 = "[StealerPlugin] Invoke: " wide |
| 213 | + $px8 = "[Other] Grabbing steam" wide |
| 214 | + $px9 = "[Other] Grabbing telegram" wide |
| 215 | + $px10 = "[Other] Grabbing discord tokens" wide |
| 216 | + $px11 = "[Other] Grabbing filezilla" wide |
| 217 | + $px12 = "[Other] Screenshots:" wide |
| 218 | + $px13 = "[Other] Clipboard" wide |
| 219 | + $px14 = "[Other] Saving system information" wide |
| 220 | + condition: |
| 221 | + uint16(0) == 0x5a4d and (all of ($dc*) or all of ($string*) or 2 of ($x*) or 6 of ($v*) or 5 of ($px*)) or ($plugin and (4 of ($av*) or 5 of ($pl*))) |
| 222 | +} |
| 223 | + |
| 224 | +rule dcrat_kingrat { |
| 225 | + meta: |
| 226 | + author = "jeFF0Falltrades" |
| 227 | + cape_type = "DCRat Payload" |
| 228 | + strings: |
| 229 | + $venom_1 = "VenomRAT" wide ascii nocase |
| 230 | + $venom_2 = "HVNC_REPLY_MESSAGE" wide ascii |
| 231 | + $str_aes_exc = "masterKey can not be null or empty" wide ascii |
| 232 | + $str_b64_amsi = "YW1zaS5kbGw=" wide ascii |
| 233 | + $str_b64_virtual_protect = "VmlydHVhbFByb3RlY3Q=" wide ascii |
| 234 | + $str_dcrat = "dcrat" wide ascii nocase |
| 235 | + $str_plugin = "save_Plugin" wide ascii |
| 236 | + $str_qwqdan = "qwqdan" wide ascii |
33 | 237 | $byte_aes_key_base = { 7E [3] 04 73 [3] 06 80 }
|
34 |
| - $byte_aes_salt_base = { BF EB 1E 56 FB CD 97 3B B2 19 } |
| 238 | + $patt_config = { 72 [3] 70 80 [3] 04 } |
35 | 239 | $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 }
|
| 240 | +
|
| 241 | + condition: |
| 242 | + (not any of ($venom*)) and 5 of them and #patt_config >= 10 |
| 243 | +} |
| 244 | + |
| 245 | +rule QuasarRAT { |
| 246 | + meta: |
| 247 | + author = "ditekshen" |
| 248 | + description = "QuasarRAT payload" |
| 249 | + cape_type = "QuasarRAT Payload" |
| 250 | + strings: |
| 251 | + $s1 = "GetKeyloggerLogsResponse" fullword ascii |
| 252 | + $s2 = "GetKeyloggerLogs" fullword ascii |
| 253 | + $s3 = "/>Log created on" wide |
| 254 | + $s4 = "User: {0}{3}Pass: {1}{3}Host: {2}" wide |
| 255 | + $s5 = "Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}" wide |
| 256 | + $s6 = "grabber_" wide |
| 257 | + $s7 = "<virtualKeyCode>" ascii |
| 258 | + $s8 = "<RunHidden>k__BackingField" fullword ascii |
| 259 | + $s9 = "<keyboardHookStruct>" ascii |
| 260 | + $s10 = "add_OnHotKeysDown" ascii |
| 261 | + $mutex = "QSR_MUTEX_" ascii wide |
| 262 | + $ua1 = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0" fullword wide |
| 263 | + $us2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" fullword wide |
| 264 | + condition: |
| 265 | + uint16(0) == 0x5a4d and ($mutex or (all of ($ua*) and 2 of them) or 6 of ($s*)) |
| 266 | +} |
| 267 | + |
| 268 | +rule quasarrat_kingrat { |
| 269 | + meta: |
| 270 | + author = "jeFF0Falltrades" |
| 271 | + cape_type = "QuasarRAT Payload" |
| 272 | + strings: |
| 273 | + $str_quasar = "Quasar." wide ascii |
| 274 | + $str_hidden = "set_Hidden" wide ascii |
| 275 | + $str_shell = "DoShellExecuteResponse" wide ascii |
| 276 | + $str_close = "echo DONT CLOSE THIS WINDOW!" wide ascii |
| 277 | + $str_pause = "ping -n 10 localhost > nul" wide ascii |
| 278 | + $str_aes_exc = "masterKey can not be null or empty" wide ascii |
| 279 | + $byte_aes_key_base = { 7E [3] 04 73 [3] 06 25 } |
| 280 | + $byte_aes_salt_base = { BF EB 1E 56 FB CD 97 3B B2 19 } |
| 281 | + $byte_special_folder = { 7e 73 [4] 28 [4] 80 } |
36 | 282 | $patt_config = { 72 [3] 70 80 [3] 04 }
|
| 283 | + $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 } |
37 | 284 |
|
38 | 285 | condition:
|
39 |
| - (not any of ($dcrat*)) and 6 of them and #patt_config >= 10 |
| 286 | + 6 of them and #patt_config >= 10 |
40 | 287 | }
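Review bot: In the added QuasarRAT rule the second user-agent string is declared as `$us2` while the condition tests `all of ($ua*)`, so that quantifier collapses to `$ua1` alone and the branch fires on a generic Firefox/48.0 UA plus any single other string in the rule; the identifier reads as a typo and should be `$ua2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) ..." fullword wide` so both UAs are required. The added DCRat condition also has a precedence problem: `uint16(0) == 0x5a4d and (...) or ($plugin and (...))` binds `and` before `or`, so the `$plugin` branch is never gated by the MZ check — wrap the whole disjunction in parentheses after the `and` if that guard is meant to apply to both branches. Separately, the new `*_kingrat` rules (AsyncRAT_kingrat, xworm_kingrat, dcrat_kingrat, quasarrat_kingrat) drop the `uint16(0) == 0x5A4D` guard that the removed AsyncRAT rule and every ditekSHen rule carry; this is presumably deliberate since they key on CIL byte patterns, but a one-line comment such as `// no MZ check: rat_king_parser patterns are CIL, applied to dumped .NET payloads` would stop the next reader from "fixing" it. The file section's header lies outside the visible chunk.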
|