Removed duplicates

0e3ac178 · Jose Vila · ec77c4b5 · 0e3ac178 · 0e3ac178 · 0e3ac178
Commit 0e3ac178 authored Jan 28, 2016 by Jose Vila
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 17 deletions

Miscelanea.yar malware/Miscelanea.yar +0 -0

THOR_HackTools.yar malware/THOR_HackTools.yar +6 -15

THOR_Webshells.yar malware/THOR_Webshells.yar +2 -2

No files found.
--- a/malware/Miscelanea.yar
+++ b/malware/Miscelanea.yar
--- a/malware/THOR_HackTools.yar
+++ b/malware/THOR_HackTools.yar
@@ -1524,7 +1524,7 @@ rule aspfile1 {
 		3 of them
 }

-rule EditServer {
+rule EditServer_HackTool {
 	meta:
 		description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
 		author = "Florian Roth"
@@ -2782,6 +2782,7 @@ rule CN_Toolset__XScanLib_XScanLib_XScanLib {
 		description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
 		author = "Florian Roth"
 		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
 		date = "2015/03/30"
 		score = 70
 		super_rule = 1
@@ -2803,6 +2804,7 @@ rule CN_Toolset_NTscan_PipeCmd {
 		description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
 		author = "Florian Roth"
 		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
 		date = "2015/03/30"
 		score = 70
 		hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
@@ -2827,6 +2829,7 @@ rule CN_Toolset_LScanPortss_2 {
 		description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
 		author = "Florian Roth"
 		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
 		date = "2015/03/30"
 		score = 70
 		hash = "4631ec57756466072d83d49fbc14105e230631a0"
@@ -2847,6 +2850,7 @@ rule CN_Toolset_sig_1433_135_sqlr {
 		description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
 		author = "Florian Roth"
 		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
 		date = "2015/03/30"
 		score = 70
 		hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
@@ -2859,20 +2863,6 @@ rule CN_Toolset_sig_1433_135_sqlr {
 		all of them
 }

-rule DarkComet_Keylogger_File
-{
-	meta:
-		author = "Florian Roth"
-		description = "Looks like a keylogger file created by DarkComet Malware"
-		date = "25.07.14"
-		score = 50
-	strings:
-		$magic = "::"
-		$entry = /\n:: [A-Z]/
-		$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
-	condition:
-		($magic at 0) and #entry > 10 and #timestamp > 10
-}

 /* Mimikatz */

@@ -3013,6 +3003,7 @@ rule Mimikatz_Logfile
 		author = "Florian Roth"
 		score = 80
 		date = "2015/03/31"
+		reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
 	strings:
 		$s1 = "SID               :" ascii fullword
 		$s2 = "* NTLM     :" ascii fullword

--- a/malware/THOR_Webshells.yar
+++ b/malware/THOR_Webshells.yar
@@ -6643,7 +6643,7 @@ rule DarkSpy105 {
 	condition:
 		all of them
 }
-rule EditServer {
+rule EditServer_Webshell {
 	meta:
 		description = "Webshells Auto-generated - file EditServer.exe"
 		author = "Yara Bulk Rule Generator by Florian Roth"
@@ -7623,7 +7623,7 @@ rule xssshell_default {
 	condition:
 		all of them
 }
-rule EditServer_2 {
+rule EditServer_Webshell_2 {
 	meta:
 		description = "Webshells Auto-generated - file EditServer.exe"
 		author = "Yara Bulk Rule Generator by Florian Roth"