Merge branch 'master' of github.com:Yara-Rules/rules

.travis.yml

@@ -2,13 +2,16 @@ language: c
 sudo: required
 #dist: trusty
 before_install:
+  - sudo apt-get -qq update
+  - sudo apt-get install jq
 # Yara
-  - wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz -O yara.tar.gz
-  - tar -xzvf yara.tar.gz
+  - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara.tar.gz
+  - mkdir yara
+  - tar -C yara -xzvf yara.tar.gz --strip-components 1
 # Androguard for Yara
-  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/androguard.c -O yara-3.5.0/libyara/modules/androguard.c
-  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.5.0/libyara/modules/module_list -O yara-3.5.0/libyara/modules/module_list
-  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.5.0/libyara/Makefile.am -O yara-3.5.0/libyara/Makefile.am
+  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/androguard.c -O yara/libyara/modules/androguard.c
+  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.7.0/libyara/modules/module_list -O yara/libyara/modules/module_list
+  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.7.0/libyara/Makefile.am -O yara/libyara/Makefile.am
 # libjansson
   - wget http://www.digip.org/jansson/releases/jansson-2.7.tar.gz
   - tar -xzvf jansson-2.7.tar.gz
@@ -18,7 +21,7 @@ before_install:
   - sudo make install
 
 # Compile Yara
-  - cd ../yara-3.5.0
+  - cd ../yara
   # Update per issue 176
   - sed -i 's/#define RE_MAX_SPLIT_ID     128/#define RE_MAX_SPLIT_ID     255/g' libyara/re.c
   - ./bootstrap.sh

Antidebug_AntiVM_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"

CVE_Rules/CVE-2017-11882.yar

+rule potential_CVE_2017_11882
+{
+    meta:
+      author = "ReversingLabs"
+      reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
+      
+    strings:
+        $docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
+
+        $equation1 = "Equation Native" wide ascii
+        $equation2 = "Microsoft Equation 3.0" wide ascii
+
+        $mshta = "mshta"
+        $http  = "http://"
+        $https = "https://"
+        $cmd   = "cmd"
+        $pwsh  = "powershell"
+        $exe   = ".exe"
+
+        $address = { 12 0C 43 00 }
+
+    condition:
+        $docfilemagic at 0 and any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
+}
+
+rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
+    meta:
+        author = "John Davison"
+        description = "Attempts to identify the exploit CVE 2017 11882"
+        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
+        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
+        score = 60
+        //file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
+    strings:
+        $headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
+        $font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
+        //$code = /[\x01-\x7F]{44}/
+        $winexec = { 12 0c 43 00 }
+    condition:
+        all of them and @font > @headers and @winexec == @font + 5 + 44
+}
+
+// same as above but for RTF documents
+rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
+    meta:
+        author = "John Davison"
+        description = "Attempts to identify the exploit CVE 2017 11882"
+        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
+        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
+        score = 60
+        //file_ext = "rtf"
+    strings:
+        $headers = { 31 63 30 30 30 30 30 30  30 32 30 30 ?? ?? ?? ??
+                     61 39 30 30 30 30 30 30  ?? ?? ?? ?? ?? ?? ?? ??
+                     ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??
+                     ?? ?? ?? ?? ?? ?? ?? ??  30 33 30 31 30 31 30 33
+                     ?? ?? }
+        $font = { 30 61 30 31 30 38 35 61  35 61 }
+        $winexec = { 31 32 30 63 34 33 30 30 }
+    condition:
+        all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
+}

CVE_Rules/CVE-2018-4878.yar

+rule crime_ole_loadswf_cve_2018_4878
+{
+meta:
+description = "Detects CVE-2018-4878"
+vuln_type = "Remote Code Execution"
+vuln_impact = "Use-after-free"
+affected_versions = "Adobe Flash 28.0.0.137 and earlier versions"
+mitigation0 = "Implement Protected View for Office documents"
+mitigation1 = "Disable Adobe Flash"
+weaponization = "Embedded in Microsoft Office first payloads"
+actor = "Purported North Korean actors"
+reference = "hxxps://www[.]krcert[.]or[.kr/data/secNoticeView.do?bulletin_writing_sequence=26998"
+report = "https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/"
+author = "Vitali Kremez, Flashpoint"
+version = "1.1"
+
+strings:
+// EMBEDDED FLASH OBJECT BIN HEADER
+$header = "rdf:RDF" wide ascii
+
+// OBJECT APPLICATION TYPE TITLE
+$title = "Adobe Flex" wide ascii
+
+// PDB PATH 
+$pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii
+
+// LOADER STRINGS
+$s0 = "URLRequest" wide ascii
+$s1 = "URLLoader" wide ascii
+$s2 = "loadswf" wide ascii
+$s3 = "myUrlReqest" wide ascii
+
+condition:
+all of ($header*) and all of ($title*) and 3 of ($s*) or all of ($pdb*) and all of ($header*) and 1 of ($s*)
+}

CVE_Rules_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
-include "./CVE_Rules/CVE-2015-2545.yar"
-include "./CVE_Rules/CVE-2015-1701.yar"
+include "./CVE_Rules/CVE-2010-0887.yar"
 include "./CVE_Rules/CVE-2015-2426.yar"
+include "./CVE_Rules/CVE-2013-0074.yar"
+include "./CVE_Rules/CVE-2015-1701.yar"
 include "./CVE_Rules/CVE-2010-1297.yar"
-include "./CVE_Rules/CVE-2010-0887.yar"
-include "./CVE_Rules/CVE-2016-5195.yar"
+include "./CVE_Rules/CVE-2018-4878.yar"
 include "./CVE_Rules/CVE-2013-0422.yar"
+include "./CVE_Rules/CVE-2017-11882.yar"
 include "./CVE_Rules/CVE-2015-5119.yar"
 include "./CVE_Rules/CVE-2012-0158.yar"
-include "./CVE_Rules/CVE-2013-0074.yar"
+include "./CVE_Rules/CVE-2016-5195.yar"
 include "./CVE_Rules/CVE-2010-0805.yar"
+include "./CVE_Rules/CVE-2015-2545.yar"

Crypto_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
 include "./Crypto/crypto_signatures.yar"

Exploit-Kits_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
-include "./Exploit-Kits/EK_Crimepack.yar"
+include "./Exploit-Kits/EK_Blackhole.yar"
 include "./Exploit-Kits/EK_ZeroAcces.yar"
+include "./Exploit-Kits/EK_Sakura.yar"
+include "./Exploit-Kits/EK_Angler.yar"
+include "./Exploit-Kits/EK_Zeus.yar"
+include "./Exploit-Kits/EK_Crimepack.yar"
 include "./Exploit-Kits/EK_Phoenix.yar"
-include "./Exploit-Kits/EK_Eleonore.yar"
+include "./Exploit-Kits/EK_BleedingLife.yar"
 include "./Exploit-Kits/EK_Zerox88.yar"
-include "./Exploit-Kits/EK_Zeus.yar"
-include "./Exploit-Kits/EK_Angler.yar"
 include "./Exploit-Kits/EK_Fragus.yar"
-include "./Exploit-Kits/EK_Sakura.yar"
-include "./Exploit-Kits/EK_BleedingLife.yar"
-include "./Exploit-Kits/EK_Blackhole.yar"
+include "./Exploit-Kits/EK_Eleonore.yar"

Malicious_Documents_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
-include "./Malicious_Documents/Maldoc_DDE.yar"
+include "./Malicious_Documents/Maldoc_Dridex.yar"
+include "./Malicious_Documents/Maldoc_UserForm.yar"
 include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
+include "./Malicious_Documents/Maldoc_DDE.yar"
+include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
+include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_PowerPointMouse.yar"
-include "./Malicious_Documents/maldoc_somerules.yar"
-include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
-include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
-include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
-include "./Malicious_Documents/Maldoc_Dridex.yar"
-include "./Malicious_Documents/Maldoc_PDF.yar"
 include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
 include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
-include "./Malicious_Documents/Maldoc_UserForm.yar"
-include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
+include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
+include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
+include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
+include "./Malicious_Documents/Maldoc_PDF.yar"
+include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
+include "./Malicious_Documents/maldoc_somerules.yar"

Mobile_Malware/Android_Polish_Bankbot.yar

+import "androguard"
+
+rule bankbot_polish_banks : banker
+{
+    meta:
+        author = "Eternal"
+        hash0 = "86aaed9017e3af5d1d9c8460f2d8164f14e14db01b1a278b4b93859d3cf982f5"
+        description = "BankBot/Mazain attacking polish banks"
+        reference = "https://www.cert.pl/en/news/single/analysis-of-a-polish-bankbot/"
+    strings:
+        $bank1 = "com.comarch.mobile"
+        $bank2 = "eu.eleader.mobilebanking.pekao"
+        $bank3 = "eu.eleader.mobilebanking.raiffeisen"
+        $bank4 = "pl.fmbank.smart"
+        $bank5 = "pl.mbank"
+        $bank6 = "wit.android.bcpBankingApp.millenniumPL"
+        $bank7 = "pl.pkobp.iko"
+        $bank8 = "pl.plus.plusonline"
+        $bank9 = "pl.ing.mojeing"
+        $bank10 = "pl.bzwbk.bzwbk24"
+        $bank11 = "com.getingroup.mobilebanking"
+        $bank12 = "eu.eleader.mobilebanking.invest"
+        $bank13 = "pl.bph"
+        $bank14 = "com.konylabs.cbplpat"
+        $bank15 = "eu.eleader.mobilebanking.pekao.firm"
+
+        $s1 = "IMEI"
+        $s2 = "/:/"
+        $s3 = "p="
+        $s4 = "SMS From:"
+
+    condition:
+        all of ($s*) and 1 of ($bank*) and 
+        androguard.permission(/android.permission.INTERNET/) and 
+        androguard.permission(/android.permission.WAKE_LOCK/) and
+        androguard.permission(/android.permission.READ_EXTERNAL_STORAGE/) and
+        androguard.permission(/android.permission.RECEIVE_MMS/) and
+        androguard.permission(/android.permission.READ_SMS/) and
+        androguard.permission(/android.permission.RECEIVE_SMS/)
+}

Mobile_Malware/Android_Tempting_Cedar_Spyware.yar

+rule android_tempting_cedar_spyware
+{
+	meta:
+    	Author = "@X0RC1SM"
+        Date = "2018-03-06"
+        Reference = "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
+	strings:
+		$PK_HEADER = {50 4B 03 04}
+		$MANIFEST = "META-INF/MANIFEST.MF"
+		$DEX_FILE = "classes.dex"
+		$string = "rsdroid.crt"
+	
+	condition:
+    	$PK_HEADER in (0..4) and $MANIFEST and $DEX_FILE and any of ($string*)
+}

Mobile_Malware_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
-include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
+include "./Mobile_Malware/Android_Switcher.yar"
 include "./Mobile_Malware/Android_Dendroid_RAT.yar"
-include "./Mobile_Malware/Android_BadMirror.yar"
-include "./Mobile_Malware/Android_Banker_Acecard.yar"
-include "./Mobile_Malware/Android_SpyNote.yar"
-include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
-include "./Mobile_Malware/Android_MalwareCertificates.yar"
-include "./Mobile_Malware/Android_malware_Dropper.yar"
-include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
-include "./Mobile_Malware/Android_RuMMS.yar"
-include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
-include "./Mobile_Malware/Android_MazarBot_z.yar"
-include "./Mobile_Malware/Android_VikingOrder.yar"
-include "./Mobile_Malware/Android_HackintTeam_Implant.yar"
-include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
-include "./Mobile_Malware/Android_Trojan_Dendroid.yar"
-include "./Mobile_Malware/Android_Tachi.yar"
-include "./Mobile_Malware/Android_Amtrckr_20160519.yar"
+include "./Mobile_Malware/Android_Spywaller.yar"
+include "./Mobile_Malware/Android_Malware_Towelroot.yar"
 include "./Mobile_Malware/Android_pornClicker.yar"
+include "./Mobile_Malware/Android_Banker_Acecard.yar"
 include "./Mobile_Malware/Android_mapin.yar"
-include "./Mobile_Malware/Android_DeathRing.yar"
-include "./Mobile_Malware/Android_Copy9.yar"
-include "./Mobile_Malware/Android_malware_HackingTeam.yar"
+include "./Mobile_Malware/Android_Polish_Bankbot.yar"
+include "./Mobile_Malware/Android_SlemBunk.yar"
+include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
 include "./Mobile_Malware/Android_Marcher_2.yar"
-include "./Mobile_Malware/Android_OmniRat.yar"
-include "./Mobile_Malware/Android_generic_smsfraud.yar"
+include "./Mobile_Malware/Android_VirusPolicia.yar"
+include "./Mobile_Malware/Android_VikingOrder.yar"
+include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
+include "./Mobile_Malware/Android_Metasploit_Payload.yar"
+include "./Mobile_Malware/Android_RuMMS.yar"
 include "./Mobile_Malware/Android_Overlayer.yar"
-include "./Mobile_Malware/Android_SlemBunk.yar"
-include "./Mobile_Malware/Android_adware.yar"
-include "./Mobile_Malware/Android_malware_banker.yar"
-include "./Mobile_Malware/Android_Trojan_Droidjack.yar"
-include "./Mobile_Malware/Android_Backdoor_script.yar"
+include "./Mobile_Malware/Android_malware_xbot007.yar"
 include "./Mobile_Malware/Android_Triada_Banking.yar"
-include "./Mobile_Malware/Android_ASSDdeveloper.yar"
-include "./Mobile_Malware/Android_Spynet.yar"
-include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
+include "./Mobile_Malware/Android_malware_Dropper.yar"
+include "./Mobile_Malware/Android_SMSFraud.yar"
+include "./Mobile_Malware/Android_Dectus_rswm.yar"
 include "./Mobile_Malware/Android_SandroRat.yar"
-include "./Mobile_Malware/Android_Pink_Locker.yar"
+include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
+include "./Mobile_Malware/Android_malware_banker.yar"
+include "./Mobile_Malware/Android_malware_SMSsender.yar"
+include "./Mobile_Malware/Android_Backdoor_script.yar"
+include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
+include "./Mobile_Malware/Android_malware_HackingTeam.yar"
+include "./Mobile_Malware/Android_MalwareCertificates.yar"
+include "./Mobile_Malware/Android_DeathRing.yar"
+include "./Mobile_Malware/Android_Metasploit.yar"
+include "./Mobile_Malware/Android_Amtrckr_20160519.yar"
+include "./Mobile_Malware/Android_Clicker_G.yar"
+include "./Mobile_Malware/Android_BadMirror.yar"
+include "./Mobile_Malware/Android_Tachi.yar"
+include "./Mobile_Malware/Android_SpyAgent.yar"
+include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
+include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
+include "./Mobile_Malware/Android_Trojan_Droidjack.yar"
+include "./Mobile_Malware/Android_MazarBot_z.yar"
 include "./Mobile_Malware/Android_sk_bankTr.yar"
+include "./Mobile_Malware/Android_AVITOMMS.yar"
+include "./Mobile_Malware/Android_Spynet.yar"
+include "./Mobile_Malware/Android_Tordow.yar"
+include "./Mobile_Malware/Android_FakeApps.yar"
 include "./Mobile_Malware/Android_Godless.yar"
 include "./Mobile_Malware/Android_Backdoor.yar"
-include "./Mobile_Malware/Android_Dectus_rswm.yar"
 include "./Mobile_Malware/Android_Dogspectus.yar"
-include "./Mobile_Malware/Android_Tordow.yar"
-include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
-include "./Mobile_Malware/Android_SMSFraud.yar"
-include "./Mobile_Malware/Android_VirusPolicia.yar"
-include "./Mobile_Malware/Android_malware_SMSsender.yar"
-include "./Mobile_Malware/Android_Metasploit_Payload.yar"
-include "./Mobile_Malware/Android_Clicker_G.yar"
-include "./Mobile_Malware/Android_generic_adware.yar"
-include "./Mobile_Malware/Android_AVITOMMS.yar"
-include "./Mobile_Malware/Android_malware_xbot007.yar"
-include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
+include "./Mobile_Malware/Android_Copy9.yar"
+include "./Mobile_Malware/Android_SpyNote.yar"
 include "./Mobile_Malware/Android_malware_Advertising.yar"
-include "./Mobile_Malware/Android_SpyAgent.yar"
-include "./Mobile_Malware/Android_Spywaller.yar"
-include "./Mobile_Malware/Android_Metasploit.yar"
-include "./Mobile_Malware/Android_Malware_Towelroot.yar"
-include "./Mobile_Malware/Android_Switcher.yar"
-include "./Mobile_Malware/Android_FakeApps.yar"
+include "./Mobile_Malware/Android_adware.yar"
+include "./Mobile_Malware/Android_Trojan_Dendroid.yar"
+include "./Mobile_Malware/Android_HackintTeam_Implant.yar"
+include "./Mobile_Malware/Android_generic_adware.yar"
+include "./Mobile_Malware/Android_generic_smsfraud.yar"
+include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
+include "./Mobile_Malware/Android_ASSDdeveloper.yar"
+include "./Mobile_Malware/Android_OmniRat.yar"
+include "./Mobile_Malware/Android_Pink_Locker.yar"
+include "./Mobile_Malware/Android_malware_ChinesePorn.yar"

Packers_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
+include "./Packers/JJencode.yar"
 include "./Packers/packer.yar"
+include "./Packers/peid.yar"
 include "./Packers/Javascript_exploit_and_obfuscation.yar"
 include "./Packers/packer_compiler_signatures.yar"
-include "./Packers/JJencode.yar"
-include "./Packers/peid.yar"

README.md

@@ -2,9 +2,9 @@
 
 # Project
 
-This project covers the need of a group of IT Security Researches to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and begin as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.
+This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.
 
-Yara is being increasingly used, but knowledge about the tool and its usage is dispersed in many different places. Yara Rules project aims to be the meeting point for Yara users, gathering together a ruleset as complete as possible thus providing users a quick way to get Yara ready for usage.
+Yara is becoming increasingly used, but knowledge about the tool and its usage is dispersed across many different places. The Yara Rules project aims to be the meeting point for Yara users by gathering together a ruleset as complete as possible thusly providing users a quick way to get Yara ready for usage.
 
 We hope this project is useful for the Security Community and all Yara Users, and are looking forward to your feedback. Join this community by subscribing to our mailing list.
 
@@ -14,36 +14,35 @@ If you’re interested in sharing your Yara rules with us and the Security Commu
 
 Twitter account: https://twitter.com/yararules
 
-Mail list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures
+Mailing list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures
 
 # Requirements
 
-Yara **version 3.0** or higher is required for most of the rules to work. This is mainly due to the use of the "pe" module introduced in that version.
+Yara **version 3.0** or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.
 
 You can check your installed version with `yara -v`
 
-The available packages in Ubuntu 14.04 LTS default repositories are too old.  You can install from source or use the packages available in the [Remnux repository](https://launchpad.net/~remnux/+archive/ubuntu/stable).
+Packages available in Ubuntu 14.04 LTS default repositories are too old.  You can alternatively install from source or use the packages available in the [Remnux repository](https://launchpad.net/~remnux/+archive/ubuntu/stable).
 
-Also, you will need [Androguard Module](https://github.com/Koodous/androguard-yara) if you want to use the rules in mobile_malware category.
+Also, you will need [Androguard Module](https://github.com/Koodous/androguard-yara) if you want to use the rules in the 'mobile_malware' category.
 
 # Categories
 
-## Antidebug/AntiVM
+## Anti-debug/Anti-VM
 
-In this section you will find Yara Rules aimed to detect anti debug and anti virtualization techniques used by malware to evade automated analysis.
+In this section you will find Yara Rules aimed toward the detection of anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
 
 ## CVE_Rules
 
-In this section you will find Yara Rules specialised on the identification of specifics CVE
+In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs)
 
 ## Crypto
 
-In this section you will find Yara rules aimed to detect the existence of cryptographic algorithms.
+In this section you will find Yara rules aimed toward the detection and existence of cryptographic algorithims.
 
 ## Exploit Kits
 
-In this section you will find Yara rules aimed to detect the existence of Exploit Kits.
-
+In this section you will find Yara rules aimed toward the detection and existence of Exploit Kits.
 
 ## Malicious Documents
 
@@ -51,7 +50,7 @@ In this section you will find Yara Rules to be used with documents to find if th
 
 ## Malware
 
-In this section you will find Yara rules specialised on the identification of well-known malware.
+In this section you will find Yara rules specialised toward the identification of well-known malware.
 
 ## Packers
 
@@ -59,17 +58,17 @@ In this section you will find Yara Rules aimed to detect well-known software pac
 
 ## WebShells
 
-In this section you will find Yara rules specialised on the identification of well-known WebShells.
+In this section you will find Yara rules specialised toward the identification of well-known webshells.
 
 ## Email
 
-In this section you will find Yara rules specialised on the identification of malicious e-mails.
+In this section you will find Yara rules specialised toward the identification of malicious e-mails.
 
 ## Malware Mobile
 
-In this section you will find Yara rules specialised on the identification of well-known mobile malware.
+In this section you will find Yara rules specialised toward the indentification of well-known mobile malware.
 
-Many rules in this section use Androguard module developed by people at https://koodous.com/.
+Many rules in this section use the Androguard module developed by the people over at https://koodous.com/.
 
 You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
 

Webshells_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
 include "./Webshells/WShell_PHP_Anuna.yar"
-include "./Webshells/WShell_THOR_Webshells.yar"
-include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/Wshell_ChineseSpam.yar"
-include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/Wshell_fire2013.yar"
+include "./Webshells/WShell_THOR_Webshells.yar"
+include "./Webshells/WShell_APT_Laudanum.yar"

email/Email_generic_phishing

@@ -37,5 +37,6 @@ rule Email_Generic_Phishing : email
   condition:
     all of ($eml*) and
     any of ($greeting*) and
+    any of ($url*) and
     any of ($lie*)
 }

email_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
-include "./email/attachment.yar"
-include "./email/scam.yar"
-include "./email/bank_rule.yar"
+include "./email/EMAIL_Cryptowall.yar"
 include "./email/image.yar"
+include "./email/scam.yar"
+include "./email/attachment.yar"
 include "./email/urls.yar"
-include "./email/EMAIL_Cryptowall.yar"
+include "./email/bank_rule.yar"
 include "./email/email_Ukraine_BE_powerattack.yar"

index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
-include "./Crypto/crypto_signatures.yar"
-include "./Exploit-Kits/EK_Crimepack.yar"
-include "./Exploit-Kits/EK_ZeroAcces.yar"
-include "./Exploit-Kits/EK_Phoenix.yar"
-include "./Exploit-Kits/EK_Eleonore.yar"
-include "./Exploit-Kits/EK_Zerox88.yar"
-include "./Exploit-Kits/EK_Zeus.yar"
-include "./Exploit-Kits/EK_Angler.yar"
-include "./Exploit-Kits/EK_Fragus.yar"
-include "./Exploit-Kits/EK_Sakura.yar"
-include "./Exploit-Kits/EK_BleedingLife.yar"
-include "./Exploit-Kits/EK_Blackhole.yar"
-include "./Packers/packer.yar"
-include "./Packers/Javascript_exploit_and_obfuscation.yar"
-include "./Packers/packer_compiler_signatures.yar"
-include "./Packers/JJencode.yar"
-include "./Packers/peid.yar"
-include "./malware/RAT_Bolonyokte.yar"
-include "./malware/APT_APT3102.yar"
-include "./malware/TOOLKIT_Pwdump.yar"
-include "./malware/RAT_Crimson.yar"
-include "./malware/APT_Oilrig.yar"
-include "./malware/APT_Ke3Chang_TidePool.yar"
-include "./malware/MALW_Naikon.yar"
+include "./email/EMAIL_Cryptowall.yar"
+include "./email/image.yar"
+include "./email/scam.yar"
+include "./email/attachment.yar"
+include "./email/urls.yar"
+include "./email/bank_rule.yar"
+include "./email/email_Ukraine_BE_powerattack.yar"
+include "./malware/MALW_Intel_Virtualization.yar"
+include "./malware/RANSOM_Alpha.yar"
+include "./malware/MALW_Korplug.yar"
+include "./malware/TOOLKIT_Dubrute.yar"
+include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/MALW_Madness.yar"
+include "./malware/MALW_Retefe.yar"
+include "./malware/RANSOM_DMALocker.yar"
+include "./malware/RANSOM_Satana.yar"
+include "./malware/MALW_adwind_RAT.yar"
+include "./malware/MALW_AgentTesla.yar"
+include "./malware/APT_Greenbug.yar"
+include "./malware/RAT_Adwind.yar"
+include "./malware/RANSOM_Tox.yar"
+include "./malware/APT_Winnti.yar"
+include "./malware/MALW_Notepad.yar"
 include "./malware/MALW_Tinba.yar"
-include "./malware/MALW_FakeM.yar"
-include "./malware/MALW_IMuler.yar"
-include "./malware/APT_APT9002.yar"
-include "./malware/TOOLKIT_PassTheHash.yar"
-include "./malware/MALW_Ponmocup.yar"
+include "./malware/MALW_Torte_ELF.yar"
+include "./malware/APT_PCclient.yar"
+include "./malware/MALW_IcedID.yar"
+include "./malware/MALW_LinuxBew.yar"
+include "./malware/APT_Sofacy_Bundestag.yar"
+include "./malware/TOOLKIT_exe2hex_payload.yar"
+include "./malware/RAT_Hizor.yar"
+include "./malware/MALW_DiamondFox.yar"
+include "./malware/APT_APT3102.yar"
+include "./malware/MALW_Iexpl0ree.yar"
+include "./malware/RANSOM_Cryptolocker.yar"
+include "./malware/APT_Emissary.yar"
+include "./malware/MALW_Alina.yar"
+include "./malware/APT_Derusbi.yar"
+include "./malware/MALW_Kelihos.yar"
+include "./malware/RAT_FlyingKitten.yar"
+include "./malware/MALW_XMRIG_Miner.yar"
+include "./malware/RAT_NetwiredRC.yar"
+include "./malware/APT_Sofacy_Fysbis.yar"
+include "./malware/APT_fancybear_downdelph.yar"
+include "./malware/APT_Seaduke.yar"
+include "./malware/RAT_xRAT20.yar"
+include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
+include "./malware/MALW_Derkziel.yar"
+include "./malware/APT_Prikormka.yar"
+include "./malware/RAT_Shim.yar"
+include "./malware/MALW_F0xy.yar"
+include "./malware/APT_Grizzlybear_uscert.yar"
+include "./malware/RAT_Inocnation.yar"
+include "./malware/MALW_Rovnix.yar"
+include "./malware/APT_HackingTeam.yar"
+include "./malware/MALW_Miscelanea_Linux.yar"
+include "./malware/MALW_Miscelanea.yar"
 include "./malware/MALW_NetTraveler.yar"
+include "./malware/MALW_Pony.yar"
+include "./malware/MALW_Olyx.yar"
+include "./malware/MALW_T5000.yar"
+include "./malware/MALW_MiniAsp3_mem.yar"
+include "./malware/RANSOM_.CRYPTXXX.yar"
 include "./malware/POS_Easterjack.yar"
-include "./malware/RANSOM_PetrWrap.yar"
-include "./malware/MALW_Derkziel.yar"
-include "./malware/MALW_BlackRev.yar"
-include "./malware/MALW_Mailers.yar"
-include "./malware/APT_TradeSecret.yar"
-include "./malware/RAT_xRAT20.yar"
-include "./malware/APT_Sofacy_Bundestag.yar"
 include "./malware/RAT_Cerberus.yar"
-include "./malware/APT_furtim.yar"
-include "./malware/APT_Dubnium.yar"
-include "./malware/POS_BruteforcingBot.yar"
-include "./malware/APT_HackingTeam.yar"
+include "./malware/APT_Grasshopper.yar"
+include "./malware/MALW_LostDoor.yar"
+include "./malware/APT_OpDustStorm.yar"
+include "./malware/RAT_CrossRAT.yar"
+include "./malware/MALW_XOR_DDos.yar"
+include "./malware/RAT_xRAT.yar"
+include "./malware/APT_Ke3Chang_TidePool.yar"
+include "./malware/RAT_Ratdecoders.yar"
+include "./malware/MALW_TrickBot.yar"
+include "./malware/MALW_Furtim.yar"
+include "./malware/MALW_Jolob_Backdoor.yar"
+include "./malware/MALW_TRITON_HATMAN.yar"
+include "./malware/APT_APT29_Grizzly_Steppe.yar"
+include "./malware/MALW_Backoff.yar"
+include "./malware/MALW_FakeM.yar"
+include "./malware/APT_Sofacy_Jun16.yar"
+include "./malware/MALW_Virut_FileInfector_UNK_VERSION.yar"
 include "./malware/RAT_Bozok.yar"
-include "./malware/RANSOM_777.yar"
-include "./malware/RANSOM_Alpha.yar"
-include "./malware/MALW_Pony.yar"
-include "./malware/MALW_Safenet.yar"
-include "./malware/MALW_BackdoorSSH.yar"
-include "./malware/APT_Derusbi.yar"
-include "./malware/RAT_Glass.yar"
-include "./malware/MALW_Torte_ELF.yar"
-include "./malware/APT_OPCleaver.yar"
-include "./malware/MALW_Grozlex.yar"
-include "./malware/RAT_PlugX.yar"
-include "./malware/MALW_Upatre.yar"
-include "./malware/MALW_Intel_Virtualization.yar"
-include "./malware/APT_Cloudduke.yar"
-include "./malware/MALW_Empire.yar"
-include "./malware/RANSOM_Comodosec.yar"
-include "./malware/APT_Prikormka.yar"
-include "./malware/MALW_Boouset.yar"
-include "./malware/GEN_PowerShell.yar"
+include "./malware/POS_MalumPOS.yar"
+include "./malware/MALW_XHide.yar"
+include "./malware/TOOLKIT_Chinese_Hacktools.yar"
 include "./malware/RAT_DarkComet.yar"
-include "./malware/MALW_Chicken.yar"
-include "./malware/MALW_Lateral_Movement.yar"
-include "./malware/MALW_Emotet.yar"
-include "./malware/RAT_Ratdecoders.yar"
-include "./malware/MALW_PittyTiger.yar"
+include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Lenovo_Superfish.yar"
-include "./malware/APT_Hikit.yar"
-include "./malware/MALW_Korlia.yar"
-include "./malware/RAT_Sakula.yar"
-include "./malware/MALW_LuckyCat.yar"
-include "./malware/APT_Turla_RUAG.yar"
-include "./malware/MALW_Kovter.yar"
-include "./malware/APT_WildNeutron.yar"
 include "./malware/APT_LotusBlossom.yar"
-include "./malware/RANSOM_Crypren.yar"
-include "./malware/APT_WoolenGoldfish.yar"
-include "./malware/RAT_Inocnation.yar"
-include "./malware/MALW_Sakurel.yar"
-include "./malware/RAT_Xtreme.yar"
-include "./malware/APT_Blackenergy.yar"
-include "./malware/MALW_Stealer.yar"
-include "./malware/MALW_Retefe.yar"
-include "./malware/MALW_Fareit.yar"
-include "./malware/MALW_KINS.yar"
-include "./malware/MALW_Miancha.yar"
-include "./malware/MALW_Exploit_UAC_Elevators.yar"
-include "./malware/MALW_Furtim.yar"
-include "./malware/MALW_Cookies.yar"
+include "./malware/APT_APT1.yar"
+include "./malware/APT_Irontiger.yar"
+include "./malware/RANSOM_Comodosec.yar"
+include "./malware/MALW_Monero_Miner_installer.yar"
+include "./malware/RAT_Nanocore.yar"
+include "./malware/TOOLKIT_PassTheHash.yar"
+include "./malware/MALW_LURK0.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
+include "./malware/TOOLKIT_Powerstager.yar"
+include "./malware/APT_Unit78020.yar"
+include "./malware/APT_Waterbug.yar"
+include "./malware/APT_Scarab_Scieron.yar"
+include "./malware/APT_Hellsing.yar"
+include "./malware/MALW_Upatre.yar"
+include "./malware/APT_Codoso.yar"
+include "./malware/APT_Snowglobe_Babar.yar"
+include "./malware/MALW_Sendsafe.yar"
+include "./malware/APT_EQUATIONGRP.yar"
+include "./malware/APT_Minidionis.yar"
+include "./malware/MALW_Naspyupdate.yar"
+include "./malware/MALW_CAP_HookExKeylogger.yar"
+include "./malware/MALW_Rebirth_Vulcan_ELF.yar"
+include "./malware/MALW_BlackRev.yar"
 include "./malware/MALW_Surtr.yar"
-include "./malware/MALW_NionSpy.yar"
-include "./malware/APT_APT10.yar"
+include "./malware/MALW_Exploit_UAC_Elevators.yar"
+include "./malware/MALW_Cythosia.yar"
+include "./malware/MALW_Quarian.yar"
+include "./malware/APT_Pipcreat.yar"
+include "./malware/APT_fancybear_dnc.yar"
+include "./malware/APT_Stuxnet.yar"
+include "./malware/MALW_Gafgyt.yar"
+include "./malware/TOOLKIT_THOR_HackTools.yar"
+include "./malware/RAT_PoisonIvy.yar"
+include "./malware/POS_BruteforcingBot.yar"
+include "./malware/MALW_Ponmocup.yar"
+include "./malware/APT_KeyBoy.yar"
+include "./malware/APT_Turla_RUAG.yar"
+include "./malware/APT_FiveEyes.yar"
+include "./malware/MALW_LuckyCat.yar"
+include "./malware/MALW_Atmos.yar"
+include "./malware/MALW_Favorite.yar"
+include "./malware/MALW_Genome.yar"
+include "./malware/APT_Sphinx_Moth.yar"
+include "./malware/MALW_IotReaper.yar"
+include "./malware/APT_Bluetermite_Emdivi.yar"
+include "./malware/APT_TradeSecret.yar"
+include "./malware/APT_Turla_Neuron.yar"
+include "./malware/MALW_Hsdfihdf_banking.yar"
+include "./malware/MALW_LinuxHelios.yar"
+include "./malware/MALW_CAP_Win32Inet.yara"
+include "./malware/APT_OpPotao.yar"
+include "./malware/TOOLKIT_Gen_powerkatz.yar"
+include "./malware/MALW_PE_sections.yar"
+include "./malware/RAT_Terminator.yar"
+include "./malware/APT_UP007_SLServer.yar"
+include "./malware/MALW_Lateral_Movement.yar"
+include "./malware/APT_DeepPanda_Anthem.yar"
+include "./malware/MALW_Pyinstaller.yar"
+include "./malware/POS_Mozart.yar"
+include "./malware/APT_C16.yar"
+include "./malware/RANSOM_BadRabbit.yar"
 include "./malware/MALW_Warp.yar"
-include "./malware/RANSOM_Stampado.yar"
-include "./malware/Operation_Blockbuster/RomeoEcho.yara"
-include "./malware/Operation_Blockbuster/WhiskeyDelta.yara"
+include "./malware/MALW_Buzus_Softpulse.yar"
+include "./malware/MALW_Ezcob.yar"
+include "./malware/APT_Backspace.yar"
+include "./malware/APT_Passcv.yar"
+include "./malware/MALW_DirtJumper.yar"
+include "./malware/RANSOM_Crypren.yar"
+include "./malware/APT_FIN7.yar"
+include "./malware/Operation_Blockbuster/HotelAlfa.yara"
+include "./malware/Operation_Blockbuster/UniformAlfa.yara"
+include "./malware/Operation_Blockbuster/PapaAlfa.yara"
+include "./malware/Operation_Blockbuster/SierraAlfa.yara"
+include "./malware/Operation_Blockbuster/RomeoAlfa.yara"
 include "./malware/Operation_Blockbuster/RomeoHotel.yara"
-include "./malware/Operation_Blockbuster/IndiaCharlie.yara"
 include "./malware/Operation_Blockbuster/RomeoGolf_mod.yara"
-include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
-include "./malware/Operation_Blockbuster/IndiaHotel.yara"
-include "./malware/Operation_Blockbuster/LimaAlfa.yara"
+include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
+include "./malware/Operation_Blockbuster/LimaBravo.yara"
 include "./malware/Operation_Blockbuster/KiloAlfa.yara"
-include "./malware/Operation_Blockbuster/UniformJuliett.yara"
-include "./malware/Operation_Blockbuster/SierraAlfa.yara"
-include "./malware/Operation_Blockbuster/RomeoAlfa.yara"
-include "./malware/Operation_Blockbuster/HotelAlfa.yara"
 include "./malware/Operation_Blockbuster/SierraJuliettMikeOne.yara"
-include "./malware/Operation_Blockbuster/IndiaWhiskey.yara"
-include "./malware/Operation_Blockbuster/SierraBravo.yara"
-include "./malware/Operation_Blockbuster/WhiskeyAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaJuliett.yara"
+include "./malware/Operation_Blockbuster/LimaAlfa.yara"
+include "./malware/Operation_Blockbuster/WhiskeyDelta.yara"
 include "./malware/Operation_Blockbuster/WhiskeyBravo_mod.yara"
-include "./malware/Operation_Blockbuster/IndiaEcho.yara"
-include "./malware/Operation_Blockbuster/RomeoBravo.yara"
-include "./malware/Operation_Blockbuster/UniformAlfa.yara"
-include "./malware/Operation_Blockbuster/LimaBravo.yara"
-include "./malware/Operation_Blockbuster/IndiaGolf.yara"
-include "./malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara"
-include "./malware/Operation_Blockbuster/cert_wiper.yara"
-include "./malware/Operation_Blockbuster/PapaAlfa.yara"
-include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
-include "./malware/Operation_Blockbuster/SierraCharlie.yara"
-include "./malware/Operation_Blockbuster/IndiaBravo.yara"
+include "./malware/Operation_Blockbuster/SierraBravo.yara"
 include "./malware/Operation_Blockbuster/LimaCharlie.yara"
-include "./malware/Operation_Blockbuster/LimaDelta.yara"
+include "./malware/Operation_Blockbuster/RomeoBravo.yara"
 include "./malware/Operation_Blockbuster/TangoBravo.yara"
-include "./malware/Operation_Blockbuster/suicidescripts.yara"
+include "./malware/Operation_Blockbuster/IndiaHotel.yara"
+include "./malware/Operation_Blockbuster/UniformJuliett.yara"
 include "./malware/Operation_Blockbuster/RomeoDelta.yara"
-include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
-include "./malware/Operation_Blockbuster/IndiaJuliett.yara"
-include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
 include "./malware/Operation_Blockbuster/general.yara"
+include "./malware/Operation_Blockbuster/suicidescripts.yara"
+include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
+include "./malware/Operation_Blockbuster/IndiaGolf.yara"
 include "./malware/Operation_Blockbuster/IndiaDelta.yara"
+include "./malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara"
+include "./malware/Operation_Blockbuster/WhiskeyAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaCharlie.yara"
+include "./malware/Operation_Blockbuster/IndiaEcho.yara"
+include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaBravo.yara"
+include "./malware/Operation_Blockbuster/TangoAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaWhiskey.yara"
 include "./malware/Operation_Blockbuster/WhiskeyCharlie.yara"
+include "./malware/Operation_Blockbuster/SierraCharlie.yara"
 include "./malware/Operation_Blockbuster/sharedcode.yara"
-include "./malware/Operation_Blockbuster/TangoAlfa.yara"
-include "./malware/RAT_ZoxPNG.yar"
-include "./malware/MALW_Cloaking.yar"
-include "./malware/POS_LogPOS.yar"
-include "./malware/APT_Bestia.yar"
-include "./malware/TOOLKIT_Dubrute.yar"
-include "./malware/MALW_Kraken.yar"
-include "./malware/MALW_Olyx.yar"
-include "./malware/MALW_DirtJumper.yar"
-include "./malware/MALW_LURK0.yar"
-include "./malware/MALW_MiniAsp3_mem.yar"
-include "./malware/MALW_Bangat.yar"
-include "./malware/MALW_Regsubdat.yar"
-include "./malware/APT_Hellsing.yar"
-include "./malware/APT_Industroyer.yar"
-include "./malware/APT_Bluetermite_Emdivi.yar"
-include "./malware/MALW_Elknot.yar"
-include "./malware/MALW_TrickBot.yar"
-include "./malware/APT_APT17.yar"
-include "./malware/MALW_Magento_backend.yar"
-include "./malware/RAT_PoisonIvy.yar"
-include "./malware/APT_DeepPanda_Anthem.yar"
-include "./malware/APT_Pipcreat.yar"
-include "./malware/MALW_Notepad.yar"
-include "./malware/POS_Bernhard.yar"
-include "./malware/RANSOM_GoldenEye.yar"
-include "./malware/RAT_Shim.yar"
-include "./malware/RANSOM_DMALocker.yar"
-include "./malware/MALW_Athena.yar"
-include "./malware/POS.yar"
-include "./malware/RAT_BlackShades.yar"
-include "./malware/RAT_Adwind.yar"
-include "./malware/APT_Winnti.yar"
-include "./malware/MALW_Odinaff.yar"
-include "./malware/RANSOM_.CRYPTXXX.yar"
-include "./malware/APT_Duqu2.yar"
-include "./malware/RAT_NetwiredRC.yar"
-include "./malware/APT_Shamoon_StoneDrill.yar"
-include "./malware/MALW_adwind_RAT.yar"
-include "./malware/APT_eqgrp_apr17.yar"
-include "./malware/APT_DeputyDog.yar"
-include "./malware/RAT_FlyingKitten.yar"
-include "./malware/RANSOM_Tox.yar"
-include "./malware/APT_Equation.yar"
-include "./malware/APT_Mongall.yar"
-include "./malware/APT_FIN7.yar"
-include "./malware/RAT_Adzok.yar"
-include "./malware/RANSOM_Petya.yar"
-include "./malware/MALW_OSX_Leverage.yar"
+include "./malware/Operation_Blockbuster/RomeoEcho.yara"
+include "./malware/Operation_Blockbuster/cert_wiper.yara"
+include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
+include "./malware/Operation_Blockbuster/LimaDelta.yara"
+include "./malware/MALW_NSFree.yar"
+include "./malware/RAT_Gholee.yar"
+include "./malware/MALW_KINS.yar"
+include "./malware/RANSOM_Locky.yar"
+include "./malware/MALW_TreasureHunt.yar"
+include "./malware/RAT_Glass.yar"
 include "./malware/POS_FastPOS.yar"
-include "./malware/APT_Terracota.yar"
-include "./malware/APT_APT29_Grizzly_Steppe.yar"
-include "./malware/MALW_Glasses.yar"
-include "./malware/APT_Irontiger.yar"
-include "./malware/MALW_Jolob_Backdoor.yar"
-include "./malware/MALW_Install11.yar"
-include "./malware/APT_Regin.yar"
-include "./malware/RAT_ShadowTech.yar"
-include "./malware/RANSOM_Cryptolocker.yar"
 include "./malware/APT_Casper.yar"
-include "./malware/MALW_XOR_DDos.yar"
-include "./malware/MALW_LuaBot.yar"
-include "./malware/APT_ThreatGroup3390.yar"
-include "./malware/POS_MalumPOS.yar"
-include "./malware/APT_Carbanak.yar"
-include "./malware/MALW_Genome.yar"
-include "./malware/MALW_DiamondFox.yar"
-include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/MALW_Athena.yar"
+include "./malware/RAT_Xtreme.yar"
+include "./malware/EXPERIMENTAL_Beef.yar"
 include "./malware/MALW_Dexter.yar"
-include "./malware/RAT_Terminator.yar"
-include "./malware/MALW_CAP_HookExKeylogger.yar"
-include "./malware/RANSOM_Cerber.yar"
-include "./malware/APT_APT1.yar"
-include "./malware/MALW_Citadel.yar"
-include "./malware/MALW_Zeus.yar"
-include "./malware/APT_Sofacy_Fysbis.yar"
-include "./malware/RANSOM_Erebus.yar"
-include "./malware/TOOLKIT_Gen_powerkatz.yar"
-include "./malware/RANSOM_DoublePulsar_Petya.yar"
-include "./malware/MALW_AZORULT.yar"
-include "./malware/MALW_Scarhikn.yar"
-include "./malware/MALW_Ezcob.yar"
-include "./malware/APT_CrashOverride.yar"
-include "./malware/RAT_xRAT.yar"
-include "./malware/MALW_Sqlite.yar"
-include "./malware/MALW_Alina.yar"
-include "./malware/MALW_Quarian.yar"
-include "./malware/MALW_Bublik.yar"
-include "./malware/MALW_Buzus_Softpulse.yar"
-include "./malware/APT_Molerats.yar"
-include "./malware/MALW_Magento_suspicious.yar"
-include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
-include "./malware/MALW_Magento_frontend.yar"
-include "./malware/APT_PCclient.yar"
-include "./malware/MALW_Atmos.yar"
-include "./malware/APT_Unit78020.yar"
+include "./malware/MALW_Cloaking.yar"
+include "./malware/MALW_Volgmer.yar"
 include "./malware/MALW_Zegost.yar"
-include "./malware/MALW_LinuxMoose.yar"
-include "./malware/MALW_Tedroo.yar"
-include "./malware/MALW_PubSab.yar"
-include "./malware/APT_Greenbug.yar"
-include "./malware/MALW_Miscelanea_Linux.yar"
-include "./malware/TOOLKIT_THOR_HackTools.yar"
-include "./malware/APT_UP007_SLServer.yar"
-include "./malware/APT_Seaduke.yar"
-include "./malware/MALW_Mirai.yar"
-include "./malware/MALW_Gozi.yar"
-include "./malware/APT_Emissary.yar"
-include "./malware/MALW_Hsdfihdf_banking.yar"
-include "./malware/MALW_Shamoon.yar"
-include "./malware/APT_Careto.yar"
-include "./malware/APT_Codoso.yar"
-include "./malware/MALW_xDedic_marketplace.yar"
-include "./malware/MALW_Wimmie.yar"
-include "./malware/MALW_Sendsafe.yar"
-include "./malware/MALW_Andromeda.yar"
-include "./malware/APT_Backspace.yar"
-include "./malware/APT_fancybear_downdelph.yar"
-include "./malware/APT_Snowglobe_Babar.yar"
-include "./malware/RANSOM_Locky.yar"
+include "./malware/RAT_PlugX.yar"
+include "./malware/RANSOM_Petya.yar"
+include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
+include "./malware/MALW_Miancha.yar"
+include "./malware/MALW_Grozlex.yar"
+include "./malware/RAT_Adzok.yar"
+include "./malware/MALW_MacControl.yar"
+include "./malware/MALW_Kovter.yar"
+include "./malware/MALW_Corkow.yar"
+include "./malware/APT_HiddenCobra.yar"
+include "./malware/MALW_Urausy.yar"
+include "./malware/MALW_Cookies.yar"
+include "./malware/APT_Molerats.yar"
+include "./malware/APT_Terracota.yar"
+include "./malware/RANSOM_DoublePulsar_Petya.yar"
+include "./malware/RAT_ZoxPNG.yar"
 include "./malware/MALW_Cxpid.yar"
-include "./malware/APT_OpClandestineWolf.yar"
-include "./malware/APT_KeyBoy.yar"
-include "./malware/MALW_Miscelanea.yar"
-include "./malware/APT_EQUATIONGRP.yar"
-include "./malware/MALW_NSFree.yar"
+include "./malware/APT_APT9002.yar"
+include "./malware/APT_Dubnium.yar"
+include "./malware/MALW_Emotet.yar"
+include "./malware/MALW_Yayih.yar"
 include "./malware/MALW_BlackWorm.yar"
-include "./malware/MALW_Corkow.yar"
 include "./malware/TOOLKIT_FinFisher_.yar"
+include "./malware/MALW_NionSpy.yar"
+include "./malware/APT_OPCleaver.yar"
+include "./malware/APT_WoolenGoldfish.yar"
+include "./malware/APT_Blackenergy.yar"
+include "./malware/MALW_Sakurel.yar"
+include "./malware/MALW_Scarhikn.yar"
+include "./malware/MALW_PubSab.yar"
+include "./malware/RAT_BlackShades.yar"
+include "./malware/MALW_Bublik.yar"
+include "./malware/MALW_FALLCHILL.yar"
+include "./malware/MALW_Andromeda.yar"
+include "./malware/MALW_AZORULT.yar"
+include "./malware/RAT_Crimson.yar"
+include "./malware/APT_NGO.yar"
+include "./malware/MALW_DDoSTf.yar"
+include "./malware/MALW_Safenet.yar"
+include "./malware/APT_PutterPanda.yar"
+include "./malware/MALW_Wabot.yar"
+include "./malware/MALW_Fareit.yar"
+include "./malware/APT_Regin.yar"
+include "./malware/TOOLKIT_Pwdump.yar"
+include "./malware/MALW_Skeleton.yar"
+include "./malware/MALW_LuaBot.yar"
+include "./malware/RAT_Bolonyokte.yar"
 include "./malware/APT_CheshireCat.yar"
-include "./malware/TOOLKIT_exe2hex_payload.yar"
-include "./malware/MALW_Naspyupdate.yar"
-include "./malware/MALW_Elex.yar"
-include "./malware/RAT_Gh0st.yar"
-include "./malware/APT_OpDustStorm.yar"
-include "./malware/APT_fancybear_dnc.yar"
-include "./malware/MALW_LinuxHelios.yar"
-include "./malware/APT_C16.yar"
-include "./malware/MALW_Sayad.yar"
-include "./malware/APT_HiddenCobra.yar"
-include "./malware/MALW_Iexpl0ree.yar"
-include "./malware/MALW_Trumpbot.yar"
-include "./malware/MALW_MacControl.yar"
-include "./malware/APT_Sofacy_Jun16.yar"
-include "./malware/MALW_Favorite.yar"
-include "./malware/RAT_jRAT.yar"
+include "./malware/POS_LogPOS.yar"
+include "./malware/MALW_Chicken.yar"
+include "./malware/MALW_Magento_backend.yar"
+include "./malware/MALW_Spora.yar"
+include "./malware/MALW_Magento_suspicious.yar"
+include "./malware/MALW_Empire.yar"
+include "./malware/MALW_Mirai.yar"
+include "./malware/APT_RemSec.yar"
 include "./malware/RAT_CyberGate.yar"
+include "./malware/MALW_Mailers.yar"
+include "./malware/MALW_Mirai_Satori_ELF.yar"
+include "./malware/MALW_Httpsd_ELF.yar"
+include "./malware/APT_CrashOverride.yar"
+include "./malware/MALW_Boouset.yar"
+include "./malware/MALW_Glasses.yar"
+include "./malware/APT_Poseidon_Group.yar"
+include "./malware/MALW_Shamoon.yar"
+include "./malware/RANSOM_Cerber.yar"
+include "./malware/APT_eqgrp_apr17.yar"
+include "./malware/MALW_Odinaff.yar"
+include "./malware/MALW_TRITON_ICS_FRAMEWORK.yar"
+include "./malware/APT_Equation.yar"
 include "./malware/MALW_Hajime.yar"
-include "./malware/APT_Kaba.yar"
-include "./malware/MALW_LinuxBew.yar"
-include "./malware/APT_Minidionis.yar"
-include "./malware/MALW_Enfal.yar"
-include "./malware/APT_Grasshopper.yar"
-include "./malware/MALW_F0xy.yar"
-include "./malware/MALW_Kelihos.yar"
-include "./malware/MALW_Cythosia.yar"
-include "./malware/APT_NGO.yar"
-include "./malware/EXPERIMENTAL_Beef.yar"
-include "./malware/POS_Mozart.yar"
-include "./malware/MALW_Madness.yar"
-include "./malware/MALW_viotto_keylogger.yar"
-include "./malware/RAT_Indetectables.yar"
+include "./malware/APT_Carbanak.yar"
+include "./malware/POS_Bernhard.yar"
+include "./malware/APT_Industroyer.yar"
+include "./malware/MALW_Wimmie.yar"
+include "./malware/MALW_Kraken.yar"
+include "./malware/RAT_ShadowTech.yar"
+include "./malware/APT_ThreatGroup3390.yar"
+include "./malware/MALW_Naikon.yar"
+include "./malware/APT_Careto.yar"
+include "./malware/RANSOM_GoldenEye.yar"
+include "./malware/MALW_Gozi.yar"
+include "./malware/MALW_Bangat.yar"
 include "./malware/RAT_Njrat.yar"
-include "./malware/MALW_Korplug.yar"
-include "./malware/MALW_Backoff.yar"
-include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
-include "./malware/MALW_PyPI.yar"
-include "./malware/TOOLKIT_Wineggdrop.yar"
+include "./malware/MALW_Magento_frontend.yar"
 include "./malware/RAT_Havex.yar"
-include "./malware/APT_Passcv.yar"
-include "./malware/APT_Waterbug.yar"
-include "./malware/APT_Platinum.yar"
-include "./malware/MALW_PE_sections.yar"
-include "./malware/APT_Sphinx_Moth.yar"
-include "./malware/RAT_Hizor.yar"
-include "./malware/APT_Mirage.yar"
-include "./malware/MALW_LostDoor.yar"
-include "./malware/MALW_Vidgrab.yar"
-include "./malware/MALW_DDoSTf.yar"
-include "./malware/APT_Grizzlybear_uscert.yar"
-include "./malware/MALW_T5000.yar"
-include "./malware/MALW_TreasureHunt.yar"
-include "./malware/RAT_Nanocore.yar"
-include "./malware/MALW_Skeleton.yar"
-include "./malware/APT_Scarab_Scieron.yar"
-include "./malware/APT_FiveEyes.yar"
+include "./malware/APT_furtim.yar"
+include "./malware/RAT_Indetectables.yar"
+include "./malware/MALW_Enfal.yar"
+include "./malware/RAT_Gh0st.yar"
+include "./malware/RANSOM_777.yar"
+include "./malware/RANSOM_Stampado.yar"
+include "./malware/APT_Kaba.yar"
+include "./malware/MALW_Regsubdat.yar"
+include "./malware/MALW_PittyTiger.yar"
+include "./malware/APT_WildNeutron.yar"
+include "./malware/APT_APT10.yar"
+include "./malware/RAT_jRAT.yar"
 include "./malware/APT_Windigo_Onimiki.yar"
-include "./malware/MALW_Shifu.yar"
-include "./malware/TOOLKIT_Chinese_Hacktools.yar"
-include "./malware/MALW_Urausy.yar"
-include "./malware/MALW_CAP_Win32Inet.yara"
-include "./malware/RAT_Gholee.yar"
-include "./malware/APT_Poseidon_Group.yar"
-include "./malware/APT_OpPotao.yar"
-include "./malware/MALW_Virut_FileInfector_UNK_VERSION.yar"
+include "./malware/MALW_OSX_Leverage.yar"
+include "./malware/MALW_BackdoorSSH.yar"
 include "./malware/MALW_Batel.yar"
-include "./malware/MALW_Rooter.yar"
-include "./malware/MALW_IotReaper.yar"
-include "./malware/APT_PutterPanda.yar"
-include "./malware/MALW_Pyinstaller.yar"
-include "./malware/RANSOM_Satana.yar"
-include "./malware/MALW_Rovnix.yar"
-include "./malware/MALW_Spora.yar"
-include "./malware/MALW_Wabot.yar"
-include "./malware/MALW_Gafgyt.yar"
-include "./malware/APT_Stuxnet.yar"
-include "./malware/MALW_Yayih.yar"
-include "./malware/RANSOM_BadRabbit.yar"
+include "./malware/APT_Platinum.yar"
+include "./malware/MALW_LinuxMoose.yar"
+include "./malware/MALW_Install11.yar"
+include "./malware/APT_Shamoon_StoneDrill.yar"
+include "./malware/APT_Mirage.yar"
+include "./malware/RANSOM_Erebus.yar"
+include "./malware/POS.yar"
 include "./malware/MALW_Rockloader.yar"
-include "./Antidebug_AntiVM/antidebug_antivm.yar"
+include "./malware/MALW_Sayad.yar"
+include "./malware/RAT_Sakula.yar"
+include "./malware/APT_Hikit.yar"
+include "./malware/MALW_Tedroo.yar"
+include "./malware/APT_Mongall.yar"
+include "./malware/APT_Oilrig.yar"
+include "./malware/MALW_IMuler.yar"
+include "./malware/MALW_Korlia.yar"
+include "./malware/MALW_Rooter.yar"
+include "./malware/APT_DeputyDog.yar"
+include "./malware/APT_Cloudduke.yar"
+include "./malware/MALW_Shifu.yar"
+include "./malware/APT_Bestia.yar"
+include "./malware/MALW_xDedic_marketplace.yar"
+include "./malware/MALW_Zeus.yar"
+include "./malware/MALW_Vidgrab.yar"
+include "./malware/MALW_Citadel.yar"
+include "./malware/TOOLKIT_Wineggdrop.yar"
+include "./malware/APT_Duqu2.yar"
+include "./malware/MALW_Elex.yar"
+include "./malware/GEN_PowerShell.yar"
+include "./malware/APT_APT17.yar"
+include "./malware/MALW_Elknot.yar"
+include "./malware/MALW_Stealer.yar"
+include "./malware/MALW_Trumpbot.yar"
+include "./malware/APT_OpClandestineWolf.yar"
+include "./malware/MALW_Mirai_Okiru_ELF.yar"
+include "./malware/RANSOM_PetrWrap.yar"
+include "./malware/MALW_Sqlite.yar"
+include "./malware/MALW_viotto_keylogger.yar"
 include "./Webshells/WShell_PHP_Anuna.yar"
-include "./Webshells/WShell_THOR_Webshells.yar"
-include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/Wshell_ChineseSpam.yar"
-include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/Wshell_fire2013.yar"
-include "./CVE_Rules/CVE-2015-2545.yar"
-include "./CVE_Rules/CVE-2015-1701.yar"
+include "./Webshells/WShell_THOR_Webshells.yar"
+include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Crypto/crypto_signatures.yar"
+include "./CVE_Rules/CVE-2010-0887.yar"
 include "./CVE_Rules/CVE-2015-2426.yar"
+include "./CVE_Rules/CVE-2013-0074.yar"
+include "./CVE_Rules/CVE-2015-1701.yar"
 include "./CVE_Rules/CVE-2010-1297.yar"
-include "./CVE_Rules/CVE-2010-0887.yar"
-include "./CVE_Rules/CVE-2016-5195.yar"
+include "./CVE_Rules/CVE-2018-4878.yar"
 include "./CVE_Rules/CVE-2013-0422.yar"
+include "./CVE_Rules/CVE-2017-11882.yar"
 include "./CVE_Rules/CVE-2015-5119.yar"
 include "./CVE_Rules/CVE-2012-0158.yar"
-include "./CVE_Rules/CVE-2013-0074.yar"
+include "./CVE_Rules/CVE-2016-5195.yar"
 include "./CVE_Rules/CVE-2010-0805.yar"
-include "./Malicious_Documents/Maldoc_DDE.yar"
+include "./CVE_Rules/CVE-2015-2545.yar"
+include "./Antidebug_AntiVM/antidebug_antivm.yar"
+include "./Packers/JJencode.yar"
+include "./Packers/packer.yar"
+include "./Packers/peid.yar"
+include "./Packers/Javascript_exploit_and_obfuscation.yar"
+include "./Packers/packer_compiler_signatures.yar"
+include "./Malicious_Documents/Maldoc_Dridex.yar"
+include "./Malicious_Documents/Maldoc_UserForm.yar"
 include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
+include "./Malicious_Documents/Maldoc_DDE.yar"
+include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
+include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_PowerPointMouse.yar"
-include "./Malicious_Documents/maldoc_somerules.yar"
-include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
-include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
-include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
-include "./Malicious_Documents/Maldoc_Dridex.yar"
-include "./Malicious_Documents/Maldoc_PDF.yar"
 include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
 include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
-include "./Malicious_Documents/Maldoc_UserForm.yar"
-include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
-include "./email/attachment.yar"
-include "./email/scam.yar"
-include "./email/bank_rule.yar"
-include "./email/image.yar"
-include "./email/urls.yar"
-include "./email/EMAIL_Cryptowall.yar"
-include "./email/email_Ukraine_BE_powerattack.yar"
+include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
+include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
+include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
+include "./Malicious_Documents/Maldoc_PDF.yar"
+include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
+include "./Malicious_Documents/maldoc_somerules.yar"
+include "./Exploit-Kits/EK_Blackhole.yar"
+include "./Exploit-Kits/EK_ZeroAcces.yar"
+include "./Exploit-Kits/EK_Sakura.yar"
+include "./Exploit-Kits/EK_Angler.yar"
+include "./Exploit-Kits/EK_Zeus.yar"
+include "./Exploit-Kits/EK_Crimepack.yar"
+include "./Exploit-Kits/EK_Phoenix.yar"
+include "./Exploit-Kits/EK_BleedingLife.yar"
+include "./Exploit-Kits/EK_Zerox88.yar"
+include "./Exploit-Kits/EK_Fragus.yar"
+include "./Exploit-Kits/EK_Eleonore.yar"

index_w_mobile.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
-include "./Crypto/crypto_signatures.yar"
-include "./Exploit-Kits/EK_Crimepack.yar"
-include "./Exploit-Kits/EK_ZeroAcces.yar"
-include "./Exploit-Kits/EK_Phoenix.yar"
-include "./Exploit-Kits/EK_Eleonore.yar"
-include "./Exploit-Kits/EK_Zerox88.yar"
-include "./Exploit-Kits/EK_Zeus.yar"
-include "./Exploit-Kits/EK_Angler.yar"
-include "./Exploit-Kits/EK_Fragus.yar"
-include "./Exploit-Kits/EK_Sakura.yar"
-include "./Exploit-Kits/EK_BleedingLife.yar"
-include "./Exploit-Kits/EK_Blackhole.yar"
-include "./Packers/packer.yar"
-include "./Packers/Javascript_exploit_and_obfuscation.yar"
-include "./Packers/packer_compiler_signatures.yar"
-include "./Packers/JJencode.yar"
-include "./Packers/peid.yar"
-include "./malware/RAT_Bolonyokte.yar"
-include "./malware/APT_APT3102.yar"
-include "./malware/TOOLKIT_Pwdump.yar"
-include "./malware/RAT_Crimson.yar"
-include "./malware/APT_Oilrig.yar"
-include "./malware/APT_Ke3Chang_TidePool.yar"
-include "./malware/MALW_Naikon.yar"
+include "./email/EMAIL_Cryptowall.yar"
+include "./email/image.yar"
+include "./email/scam.yar"
+include "./email/attachment.yar"
+include "./email/urls.yar"
+include "./email/bank_rule.yar"
+include "./email/email_Ukraine_BE_powerattack.yar"
+include "./malware/MALW_Intel_Virtualization.yar"
+include "./malware/RANSOM_Alpha.yar"
+include "./malware/MALW_Korplug.yar"
+include "./malware/TOOLKIT_Dubrute.yar"
+include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/MALW_Madness.yar"
+include "./malware/MALW_Retefe.yar"
+include "./malware/RANSOM_DMALocker.yar"
+include "./malware/RANSOM_Satana.yar"
+include "./malware/MALW_adwind_RAT.yar"
+include "./malware/MALW_AgentTesla.yar"
+include "./malware/APT_Greenbug.yar"
+include "./malware/RAT_Adwind.yar"
+include "./malware/RANSOM_Tox.yar"
+include "./malware/APT_Winnti.yar"
+include "./malware/MALW_Notepad.yar"
 include "./malware/MALW_Tinba.yar"
-include "./malware/MALW_FakeM.yar"
-include "./malware/MALW_IMuler.yar"
-include "./malware/APT_APT9002.yar"
-include "./malware/TOOLKIT_PassTheHash.yar"
-include "./malware/MALW_Ponmocup.yar"
+include "./malware/MALW_Torte_ELF.yar"
+include "./malware/APT_PCclient.yar"
+include "./malware/MALW_IcedID.yar"
+include "./malware/MALW_LinuxBew.yar"
+include "./malware/APT_Sofacy_Bundestag.yar"
+include "./malware/TOOLKIT_exe2hex_payload.yar"
+include "./malware/RAT_Hizor.yar"
+include "./malware/MALW_DiamondFox.yar"
+include "./malware/APT_APT3102.yar"
+include "./malware/MALW_Iexpl0ree.yar"
+include "./malware/RANSOM_Cryptolocker.yar"
+include "./malware/APT_Emissary.yar"
+include "./malware/MALW_Alina.yar"
+include "./malware/APT_Derusbi.yar"
+include "./malware/MALW_Kelihos.yar"
+include "./malware/RAT_FlyingKitten.yar"
+include "./malware/MALW_XMRIG_Miner.yar"
+include "./malware/RAT_NetwiredRC.yar"
+include "./malware/APT_Sofacy_Fysbis.yar"
+include "./malware/APT_fancybear_downdelph.yar"
+include "./malware/APT_Seaduke.yar"
+include "./malware/RAT_xRAT20.yar"
+include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
+include "./malware/MALW_Derkziel.yar"
+include "./malware/APT_Prikormka.yar"
+include "./malware/RAT_Shim.yar"
+include "./malware/MALW_F0xy.yar"
+include "./malware/APT_Grizzlybear_uscert.yar"
+include "./malware/RAT_Inocnation.yar"
+include "./malware/MALW_Rovnix.yar"
+include "./malware/APT_HackingTeam.yar"
+include "./malware/MALW_Miscelanea_Linux.yar"
+include "./malware/MALW_Miscelanea.yar"
 include "./malware/MALW_NetTraveler.yar"
+include "./malware/MALW_Pony.yar"
+include "./malware/MALW_Olyx.yar"
+include "./malware/MALW_T5000.yar"
+include "./malware/MALW_MiniAsp3_mem.yar"
+include "./malware/RANSOM_.CRYPTXXX.yar"
 include "./malware/POS_Easterjack.yar"
-include "./malware/RANSOM_PetrWrap.yar"
-include "./malware/MALW_Derkziel.yar"
-include "./malware/MALW_BlackRev.yar"
-include "./malware/MALW_Mailers.yar"
-include "./malware/APT_TradeSecret.yar"
-include "./malware/RAT_xRAT20.yar"
-include "./malware/APT_Sofacy_Bundestag.yar"
 include "./malware/RAT_Cerberus.yar"
-include "./malware/APT_furtim.yar"
-include "./malware/APT_Dubnium.yar"
-include "./malware/POS_BruteforcingBot.yar"
-include "./malware/APT_HackingTeam.yar"
+include "./malware/APT_Grasshopper.yar"
+include "./malware/MALW_LostDoor.yar"
+include "./malware/APT_OpDustStorm.yar"
+include "./malware/RAT_CrossRAT.yar"
+include "./malware/MALW_XOR_DDos.yar"
+include "./malware/RAT_xRAT.yar"
+include "./malware/APT_Ke3Chang_TidePool.yar"
+include "./malware/RAT_Ratdecoders.yar"
+include "./malware/MALW_TrickBot.yar"
+include "./malware/MALW_Furtim.yar"
+include "./malware/MALW_Jolob_Backdoor.yar"
+include "./malware/MALW_TRITON_HATMAN.yar"
+include "./malware/APT_APT29_Grizzly_Steppe.yar"
+include "./malware/MALW_Backoff.yar"
+include "./malware/MALW_FakeM.yar"
+include "./malware/APT_Sofacy_Jun16.yar"
+include "./malware/MALW_Virut_FileInfector_UNK_VERSION.yar"
 include "./malware/RAT_Bozok.yar"
-include "./malware/RANSOM_777.yar"
-include "./malware/RANSOM_Alpha.yar"
-include "./malware/MALW_Pony.yar"
-include "./malware/MALW_Safenet.yar"
-include "./malware/MALW_BackdoorSSH.yar"
-include "./malware/APT_Derusbi.yar"
-include "./malware/RAT_Glass.yar"
-include "./malware/MALW_Torte_ELF.yar"
-include "./malware/APT_OPCleaver.yar"
-include "./malware/MALW_Grozlex.yar"
-include "./malware/RAT_PlugX.yar"
-include "./malware/MALW_Upatre.yar"
-include "./malware/MALW_Intel_Virtualization.yar"
-include "./malware/APT_Cloudduke.yar"
-include "./malware/MALW_Empire.yar"
-include "./malware/RANSOM_Comodosec.yar"
-include "./malware/APT_Prikormka.yar"
-include "./malware/MALW_Boouset.yar"
-include "./malware/GEN_PowerShell.yar"
+include "./malware/POS_MalumPOS.yar"
+include "./malware/MALW_XHide.yar"
+include "./malware/TOOLKIT_Chinese_Hacktools.yar"
 include "./malware/RAT_DarkComet.yar"
-include "./malware/MALW_Chicken.yar"
-include "./malware/MALW_Lateral_Movement.yar"
-include "./malware/MALW_Emotet.yar"
-include "./malware/RAT_Ratdecoders.yar"
-include "./malware/MALW_PittyTiger.yar"
+include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Lenovo_Superfish.yar"
-include "./malware/APT_Hikit.yar"
-include "./malware/MALW_Korlia.yar"
-include "./malware/RAT_Sakula.yar"
-include "./malware/MALW_LuckyCat.yar"
-include "./malware/APT_Turla_RUAG.yar"
-include "./malware/MALW_Kovter.yar"
-include "./malware/APT_WildNeutron.yar"
 include "./malware/APT_LotusBlossom.yar"
-include "./malware/RANSOM_Crypren.yar"
-include "./malware/APT_WoolenGoldfish.yar"
-include "./malware/RAT_Inocnation.yar"
-include "./malware/MALW_Sakurel.yar"
-include "./malware/RAT_Xtreme.yar"
-include "./malware/APT_Blackenergy.yar"
-include "./malware/MALW_Stealer.yar"
-include "./malware/MALW_Retefe.yar"
-include "./malware/MALW_Fareit.yar"
-include "./malware/MALW_KINS.yar"
-include "./malware/MALW_Miancha.yar"
-include "./malware/MALW_Exploit_UAC_Elevators.yar"
-include "./malware/MALW_Furtim.yar"
-include "./malware/MALW_Cookies.yar"
+include "./malware/APT_APT1.yar"
+include "./malware/APT_Irontiger.yar"
+include "./malware/RANSOM_Comodosec.yar"
+include "./malware/MALW_Monero_Miner_installer.yar"
+include "./malware/RAT_Nanocore.yar"
+include "./malware/TOOLKIT_PassTheHash.yar"
+include "./malware/MALW_LURK0.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
+include "./malware/TOOLKIT_Powerstager.yar"
+include "./malware/APT_Unit78020.yar"
+include "./malware/APT_Waterbug.yar"
+include "./malware/APT_Scarab_Scieron.yar"
+include "./malware/APT_Hellsing.yar"
+include "./malware/MALW_Upatre.yar"
+include "./malware/APT_Codoso.yar"
+include "./malware/APT_Snowglobe_Babar.yar"
+include "./malware/MALW_Sendsafe.yar"
+include "./malware/APT_EQUATIONGRP.yar"
+include "./malware/APT_Minidionis.yar"
+include "./malware/MALW_Naspyupdate.yar"
+include "./malware/MALW_CAP_HookExKeylogger.yar"
+include "./malware/MALW_Rebirth_Vulcan_ELF.yar"
+include "./malware/MALW_BlackRev.yar"
 include "./malware/MALW_Surtr.yar"
-include "./malware/MALW_NionSpy.yar"
-include "./malware/APT_APT10.yar"
+include "./malware/MALW_Exploit_UAC_Elevators.yar"
+include "./malware/MALW_Cythosia.yar"
+include "./malware/MALW_Quarian.yar"
+include "./malware/APT_Pipcreat.yar"
+include "./malware/APT_fancybear_dnc.yar"
+include "./malware/APT_Stuxnet.yar"
+include "./malware/MALW_Gafgyt.yar"
+include "./malware/TOOLKIT_THOR_HackTools.yar"
+include "./malware/RAT_PoisonIvy.yar"
+include "./malware/POS_BruteforcingBot.yar"
+include "./malware/MALW_Ponmocup.yar"
+include "./malware/APT_KeyBoy.yar"
+include "./malware/APT_Turla_RUAG.yar"
+include "./malware/APT_FiveEyes.yar"
+include "./malware/MALW_LuckyCat.yar"
+include "./malware/MALW_Atmos.yar"
+include "./malware/MALW_Favorite.yar"
+include "./malware/MALW_Genome.yar"
+include "./malware/APT_Sphinx_Moth.yar"
+include "./malware/MALW_IotReaper.yar"
+include "./malware/APT_Bluetermite_Emdivi.yar"
+include "./malware/APT_TradeSecret.yar"
+include "./malware/APT_Turla_Neuron.yar"
+include "./malware/MALW_Hsdfihdf_banking.yar"
+include "./malware/MALW_LinuxHelios.yar"
+include "./malware/MALW_CAP_Win32Inet.yara"
+include "./malware/APT_OpPotao.yar"
+include "./malware/TOOLKIT_Gen_powerkatz.yar"
+include "./malware/MALW_PE_sections.yar"
+include "./malware/RAT_Terminator.yar"
+include "./malware/APT_UP007_SLServer.yar"
+include "./malware/MALW_Lateral_Movement.yar"
+include "./malware/APT_DeepPanda_Anthem.yar"
+include "./malware/MALW_Pyinstaller.yar"
+include "./malware/POS_Mozart.yar"
+include "./malware/APT_C16.yar"
+include "./malware/RANSOM_BadRabbit.yar"
 include "./malware/MALW_Warp.yar"
-include "./malware/RANSOM_Stampado.yar"
-include "./malware/Operation_Blockbuster/RomeoEcho.yara"
-include "./malware/Operation_Blockbuster/WhiskeyDelta.yara"
+include "./malware/MALW_Buzus_Softpulse.yar"
+include "./malware/MALW_Ezcob.yar"
+include "./malware/APT_Backspace.yar"
+include "./malware/APT_Passcv.yar"
+include "./malware/MALW_DirtJumper.yar"
+include "./malware/RANSOM_Crypren.yar"
+include "./malware/APT_FIN7.yar"
+include "./malware/Operation_Blockbuster/HotelAlfa.yara"
+include "./malware/Operation_Blockbuster/UniformAlfa.yara"
+include "./malware/Operation_Blockbuster/PapaAlfa.yara"
+include "./malware/Operation_Blockbuster/SierraAlfa.yara"
+include "./malware/Operation_Blockbuster/RomeoAlfa.yara"
 include "./malware/Operation_Blockbuster/RomeoHotel.yara"
-include "./malware/Operation_Blockbuster/IndiaCharlie.yara"
 include "./malware/Operation_Blockbuster/RomeoGolf_mod.yara"
-include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
-include "./malware/Operation_Blockbuster/IndiaHotel.yara"
-include "./malware/Operation_Blockbuster/LimaAlfa.yara"
+include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
+include "./malware/Operation_Blockbuster/LimaBravo.yara"
 include "./malware/Operation_Blockbuster/KiloAlfa.yara"
-include "./malware/Operation_Blockbuster/UniformJuliett.yara"
-include "./malware/Operation_Blockbuster/SierraAlfa.yara"
-include "./malware/Operation_Blockbuster/RomeoAlfa.yara"
-include "./malware/Operation_Blockbuster/HotelAlfa.yara"
 include "./malware/Operation_Blockbuster/SierraJuliettMikeOne.yara"
-include "./malware/Operation_Blockbuster/IndiaWhiskey.yara"
-include "./malware/Operation_Blockbuster/SierraBravo.yara"
-include "./malware/Operation_Blockbuster/WhiskeyAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaJuliett.yara"
+include "./malware/Operation_Blockbuster/LimaAlfa.yara"
+include "./malware/Operation_Blockbuster/WhiskeyDelta.yara"
 include "./malware/Operation_Blockbuster/WhiskeyBravo_mod.yara"
-include "./malware/Operation_Blockbuster/IndiaEcho.yara"
+include "./malware/Operation_Blockbuster/SierraBravo.yara"
+include "./malware/Operation_Blockbuster/LimaCharlie.yara"
 include "./malware/Operation_Blockbuster/RomeoBravo.yara"
-include "./malware/Operation_Blockbuster/UniformAlfa.yara"
-include "./malware/Operation_Blockbuster/LimaBravo.yara"
-include "./malware/Operation_Blockbuster/IndiaGolf.yara"
-include "./malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara"
-include "./malware/Operation_Blockbuster/cert_wiper.yara"
-include "./malware/Operation_Blockbuster/PapaAlfa.yara"
-include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
-include "./malware/Operation_Blockbuster/SierraCharlie.yara"
-include "./malware/Operation_Blockbuster/IndiaBravo.yara"
-include "./malware/Operation_Blockbuster/LimaCharlie.yara"
-include "./malware/Operation_Blockbuster/LimaDelta.yara"
 include "./malware/Operation_Blockbuster/TangoBravo.yara"
-include "./malware/Operation_Blockbuster/suicidescripts.yara"
+include "./malware/Operation_Blockbuster/IndiaHotel.yara"
+include "./malware/Operation_Blockbuster/UniformJuliett.yara"
 include "./malware/Operation_Blockbuster/RomeoDelta.yara"
-include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
-include "./malware/Operation_Blockbuster/IndiaJuliett.yara"
-include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
 include "./malware/Operation_Blockbuster/general.yara"
+include "./malware/Operation_Blockbuster/suicidescripts.yara"
+include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
+include "./malware/Operation_Blockbuster/IndiaGolf.yara"
 include "./malware/Operation_Blockbuster/IndiaDelta.yara"
+include "./malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara"
+include "./malware/Operation_Blockbuster/WhiskeyAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaCharlie.yara"
+include "./malware/Operation_Blockbuster/IndiaEcho.yara"
+include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaBravo.yara"
+include "./malware/Operation_Blockbuster/TangoAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaWhiskey.yara"
 include "./malware/Operation_Blockbuster/WhiskeyCharlie.yara"
+include "./malware/Operation_Blockbuster/SierraCharlie.yara"
 include "./malware/Operation_Blockbuster/sharedcode.yara"
-include "./malware/Operation_Blockbuster/TangoAlfa.yara"
-include "./malware/RAT_ZoxPNG.yar"
-include "./malware/MALW_Cloaking.yar"
-include "./malware/POS_LogPOS.yar"
-include "./malware/APT_Bestia.yar"
-include "./malware/TOOLKIT_Dubrute.yar"
-include "./malware/MALW_Kraken.yar"
-include "./malware/MALW_Olyx.yar"
-include "./malware/MALW_DirtJumper.yar"
-include "./malware/MALW_LURK0.yar"
-include "./malware/MALW_MiniAsp3_mem.yar"
-include "./malware/MALW_Bangat.yar"
-include "./malware/MALW_Regsubdat.yar"
-include "./malware/APT_Hellsing.yar"
-include "./malware/APT_Industroyer.yar"
-include "./malware/APT_Bluetermite_Emdivi.yar"
-include "./malware/MALW_Elknot.yar"
-include "./malware/MALW_TrickBot.yar"
-include "./malware/APT_APT17.yar"
-include "./malware/MALW_Magento_backend.yar"
-include "./malware/RAT_PoisonIvy.yar"
-include "./malware/APT_DeepPanda_Anthem.yar"
-include "./malware/APT_Pipcreat.yar"
-include "./malware/MALW_Notepad.yar"
-include "./malware/POS_Bernhard.yar"
-include "./malware/RANSOM_GoldenEye.yar"
-include "./malware/RAT_Shim.yar"
-include "./malware/RANSOM_DMALocker.yar"
-include "./malware/MALW_Athena.yar"
-include "./malware/POS.yar"
-include "./malware/RAT_BlackShades.yar"
-include "./malware/RAT_Adwind.yar"
-include "./malware/APT_Winnti.yar"
-include "./malware/MALW_Odinaff.yar"
-include "./malware/RANSOM_.CRYPTXXX.yar"
-include "./malware/APT_Duqu2.yar"
-include "./malware/RAT_NetwiredRC.yar"
-include "./malware/APT_Shamoon_StoneDrill.yar"
-include "./malware/MALW_adwind_RAT.yar"
-include "./malware/APT_eqgrp_apr17.yar"
-include "./malware/APT_DeputyDog.yar"
-include "./malware/RAT_FlyingKitten.yar"
-include "./malware/RANSOM_Tox.yar"
-include "./malware/APT_Equation.yar"
-include "./malware/APT_Mongall.yar"
-include "./malware/APT_FIN7.yar"
-include "./malware/RAT_Adzok.yar"
-include "./malware/RANSOM_Petya.yar"
-include "./malware/MALW_OSX_Leverage.yar"
+include "./malware/Operation_Blockbuster/RomeoEcho.yara"
+include "./malware/Operation_Blockbuster/cert_wiper.yara"
+include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
+include "./malware/Operation_Blockbuster/LimaDelta.yara"
+include "./malware/MALW_NSFree.yar"
+include "./malware/RAT_Gholee.yar"
+include "./malware/MALW_KINS.yar"
+include "./malware/RANSOM_Locky.yar"
+include "./malware/MALW_TreasureHunt.yar"
+include "./malware/RAT_Glass.yar"
 include "./malware/POS_FastPOS.yar"
-include "./malware/APT_Terracota.yar"
-include "./malware/APT_APT29_Grizzly_Steppe.yar"
-include "./malware/MALW_Glasses.yar"
-include "./malware/APT_Irontiger.yar"
-include "./malware/MALW_Jolob_Backdoor.yar"
-include "./malware/MALW_Install11.yar"
-include "./malware/APT_Regin.yar"
-include "./malware/RAT_ShadowTech.yar"
-include "./malware/RANSOM_Cryptolocker.yar"
 include "./malware/APT_Casper.yar"
-include "./malware/MALW_XOR_DDos.yar"
-include "./malware/MALW_LuaBot.yar"
-include "./malware/APT_ThreatGroup3390.yar"
-include "./malware/POS_MalumPOS.yar"
-include "./malware/APT_Carbanak.yar"
-include "./malware/MALW_Genome.yar"
-include "./malware/MALW_DiamondFox.yar"
-include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/MALW_Athena.yar"
+include "./malware/RAT_Xtreme.yar"
+include "./malware/EXPERIMENTAL_Beef.yar"
 include "./malware/MALW_Dexter.yar"
-include "./malware/RAT_Terminator.yar"
-include "./malware/MALW_CAP_HookExKeylogger.yar"
-include "./malware/RANSOM_Cerber.yar"
-include "./malware/APT_APT1.yar"
-include "./malware/MALW_Citadel.yar"
-include "./malware/MALW_Zeus.yar"
-include "./malware/APT_Sofacy_Fysbis.yar"
-include "./malware/RANSOM_Erebus.yar"
-include "./malware/TOOLKIT_Gen_powerkatz.yar"
-include "./malware/RANSOM_DoublePulsar_Petya.yar"
-include "./malware/MALW_AZORULT.yar"
-include "./malware/MALW_Scarhikn.yar"
-include "./malware/MALW_Ezcob.yar"
-include "./malware/APT_CrashOverride.yar"
-include "./malware/RAT_xRAT.yar"
-include "./malware/MALW_Sqlite.yar"
-include "./malware/MALW_Alina.yar"
-include "./malware/MALW_Quarian.yar"
-include "./malware/MALW_Bublik.yar"
-include "./malware/MALW_Buzus_Softpulse.yar"
-include "./malware/APT_Molerats.yar"
-include "./malware/MALW_Magento_suspicious.yar"
-include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
-include "./malware/MALW_Magento_frontend.yar"
-include "./malware/APT_PCclient.yar"
-include "./malware/MALW_Atmos.yar"
-include "./malware/APT_Unit78020.yar"
+include "./malware/MALW_Cloaking.yar"
+include "./malware/MALW_Volgmer.yar"
 include "./malware/MALW_Zegost.yar"
-include "./malware/MALW_LinuxMoose.yar"
-include "./malware/MALW_Tedroo.yar"
-include "./malware/MALW_PubSab.yar"
-include "./malware/APT_Greenbug.yar"
-include "./malware/MALW_Miscelanea_Linux.yar"
-include "./malware/TOOLKIT_THOR_HackTools.yar"
-include "./malware/APT_UP007_SLServer.yar"
-include "./malware/APT_Seaduke.yar"
-include "./malware/MALW_Mirai.yar"
-include "./malware/MALW_Gozi.yar"
-include "./malware/APT_Emissary.yar"
-include "./malware/MALW_Hsdfihdf_banking.yar"
-include "./malware/MALW_Shamoon.yar"
-include "./malware/APT_Careto.yar"
-include "./malware/APT_Codoso.yar"
-include "./malware/MALW_xDedic_marketplace.yar"
-include "./malware/MALW_Wimmie.yar"
-include "./malware/MALW_Sendsafe.yar"
-include "./malware/MALW_Andromeda.yar"
-include "./malware/APT_Backspace.yar"
-include "./malware/APT_fancybear_downdelph.yar"
-include "./malware/APT_Snowglobe_Babar.yar"
-include "./malware/RANSOM_Locky.yar"
+include "./malware/RAT_PlugX.yar"
+include "./malware/RANSOM_Petya.yar"
+include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
+include "./malware/MALW_Miancha.yar"
+include "./malware/MALW_Grozlex.yar"
+include "./malware/RAT_Adzok.yar"
+include "./malware/MALW_MacControl.yar"
+include "./malware/MALW_Kovter.yar"
+include "./malware/MALW_Corkow.yar"
+include "./malware/APT_HiddenCobra.yar"
+include "./malware/MALW_Urausy.yar"
+include "./malware/MALW_Cookies.yar"
+include "./malware/APT_Molerats.yar"
+include "./malware/APT_Terracota.yar"
+include "./malware/RANSOM_DoublePulsar_Petya.yar"
+include "./malware/RAT_ZoxPNG.yar"
 include "./malware/MALW_Cxpid.yar"
-include "./malware/APT_OpClandestineWolf.yar"
-include "./malware/APT_KeyBoy.yar"
-include "./malware/MALW_Miscelanea.yar"
-include "./malware/APT_EQUATIONGRP.yar"
-include "./malware/MALW_NSFree.yar"
+include "./malware/APT_APT9002.yar"
+include "./malware/APT_Dubnium.yar"
+include "./malware/MALW_Emotet.yar"
+include "./malware/MALW_Yayih.yar"
 include "./malware/MALW_BlackWorm.yar"
-include "./malware/MALW_Corkow.yar"
 include "./malware/TOOLKIT_FinFisher_.yar"
-include "./malware/APT_CheshireCat.yar"
-include "./malware/TOOLKIT_exe2hex_payload.yar"
-include "./malware/MALW_Naspyupdate.yar"
-include "./malware/MALW_Elex.yar"
-include "./malware/RAT_Gh0st.yar"
-include "./malware/APT_OpDustStorm.yar"
-include "./malware/APT_fancybear_dnc.yar"
-include "./malware/MALW_LinuxHelios.yar"
-include "./malware/APT_C16.yar"
-include "./malware/MALW_Sayad.yar"
-include "./malware/APT_HiddenCobra.yar"
-include "./malware/MALW_Iexpl0ree.yar"
-include "./malware/MALW_Trumpbot.yar"
-include "./malware/MALW_MacControl.yar"
-include "./malware/APT_Sofacy_Jun16.yar"
-include "./malware/MALW_Favorite.yar"
-include "./malware/RAT_jRAT.yar"
-include "./malware/RAT_CyberGate.yar"
-include "./malware/MALW_Hajime.yar"
-include "./malware/APT_Kaba.yar"
-include "./malware/MALW_LinuxBew.yar"
-include "./malware/APT_Minidionis.yar"
-include "./malware/MALW_Enfal.yar"
-include "./malware/APT_Grasshopper.yar"
-include "./malware/MALW_F0xy.yar"
-include "./malware/MALW_Kelihos.yar"
-include "./malware/MALW_Cythosia.yar"
+include "./malware/MALW_NionSpy.yar"
+include "./malware/APT_OPCleaver.yar"
+include "./malware/APT_WoolenGoldfish.yar"
+include "./malware/APT_Blackenergy.yar"
+include "./malware/MALW_Sakurel.yar"
+include "./malware/MALW_Scarhikn.yar"
+include "./malware/MALW_PubSab.yar"
+include "./malware/RAT_BlackShades.yar"
+include "./malware/MALW_Bublik.yar"
+include "./malware/MALW_FALLCHILL.yar"
+include "./malware/MALW_Andromeda.yar"
+include "./malware/MALW_AZORULT.yar"
+include "./malware/RAT_Crimson.yar"
 include "./malware/APT_NGO.yar"
-include "./malware/EXPERIMENTAL_Beef.yar"
-include "./malware/POS_Mozart.yar"
-include "./malware/MALW_Madness.yar"
-include "./malware/MALW_viotto_keylogger.yar"
-include "./malware/RAT_Indetectables.yar"
-include "./malware/RAT_Njrat.yar"
-include "./malware/MALW_Korplug.yar"
-include "./malware/MALW_Backoff.yar"
-include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
-include "./malware/MALW_PyPI.yar"
-include "./malware/TOOLKIT_Wineggdrop.yar"
-include "./malware/RAT_Havex.yar"
-include "./malware/APT_Passcv.yar"
-include "./malware/APT_Waterbug.yar"
-include "./malware/APT_Platinum.yar"
-include "./malware/MALW_PE_sections.yar"
-include "./malware/APT_Sphinx_Moth.yar"
-include "./malware/RAT_Hizor.yar"
-include "./malware/APT_Mirage.yar"
-include "./malware/MALW_LostDoor.yar"
-include "./malware/MALW_Vidgrab.yar"
 include "./malware/MALW_DDoSTf.yar"
-include "./malware/APT_Grizzlybear_uscert.yar"
-include "./malware/MALW_T5000.yar"
-include "./malware/MALW_TreasureHunt.yar"
-include "./malware/RAT_Nanocore.yar"
+include "./malware/MALW_Safenet.yar"
+include "./malware/APT_PutterPanda.yar"
+include "./malware/MALW_Wabot.yar"
+include "./malware/MALW_Fareit.yar"
+include "./malware/APT_Regin.yar"
+include "./malware/TOOLKIT_Pwdump.yar"
 include "./malware/MALW_Skeleton.yar"
-include "./malware/APT_Scarab_Scieron.yar"
-include "./malware/APT_FiveEyes.yar"
+include "./malware/MALW_LuaBot.yar"
+include "./malware/RAT_Bolonyokte.yar"
+include "./malware/APT_CheshireCat.yar"
+include "./malware/POS_LogPOS.yar"
+include "./malware/MALW_Chicken.yar"
+include "./malware/MALW_Magento_backend.yar"
+include "./malware/MALW_Spora.yar"
+include "./malware/MALW_Magento_suspicious.yar"
+include "./malware/MALW_Empire.yar"
+include "./malware/MALW_Mirai.yar"
+include "./malware/APT_RemSec.yar"
+include "./malware/RAT_CyberGate.yar"
+include "./malware/MALW_Mailers.yar"
+include "./malware/MALW_Mirai_Satori_ELF.yar"
+include "./malware/MALW_Httpsd_ELF.yar"
+include "./malware/APT_CrashOverride.yar"
+include "./malware/MALW_Boouset.yar"
+include "./malware/MALW_Glasses.yar"
+include "./malware/APT_Poseidon_Group.yar"
+include "./malware/MALW_Shamoon.yar"
+include "./malware/RANSOM_Cerber.yar"
+include "./malware/APT_eqgrp_apr17.yar"
+include "./malware/MALW_Odinaff.yar"
+include "./malware/MALW_TRITON_ICS_FRAMEWORK.yar"
+include "./malware/APT_Equation.yar"
+include "./malware/MALW_Hajime.yar"
+include "./malware/APT_Carbanak.yar"
+include "./malware/POS_Bernhard.yar"
+include "./malware/APT_Industroyer.yar"
+include "./malware/MALW_Wimmie.yar"
+include "./malware/MALW_Kraken.yar"
+include "./malware/RAT_ShadowTech.yar"
+include "./malware/APT_ThreatGroup3390.yar"
+include "./malware/MALW_Naikon.yar"
+include "./malware/APT_Careto.yar"
+include "./malware/RANSOM_GoldenEye.yar"
+include "./malware/MALW_Gozi.yar"
+include "./malware/MALW_Bangat.yar"
+include "./malware/RAT_Njrat.yar"
+include "./malware/MALW_Magento_frontend.yar"
+include "./malware/RAT_Havex.yar"
+include "./malware/APT_furtim.yar"
+include "./malware/RAT_Indetectables.yar"
+include "./malware/MALW_Enfal.yar"
+include "./malware/RAT_Gh0st.yar"
+include "./malware/RANSOM_777.yar"
+include "./malware/RANSOM_Stampado.yar"
+include "./malware/APT_Kaba.yar"
+include "./malware/MALW_Regsubdat.yar"
+include "./malware/MALW_PittyTiger.yar"
+include "./malware/APT_WildNeutron.yar"
+include "./malware/APT_APT10.yar"
+include "./malware/RAT_jRAT.yar"
 include "./malware/APT_Windigo_Onimiki.yar"
-include "./malware/MALW_Shifu.yar"
-include "./malware/TOOLKIT_Chinese_Hacktools.yar"
-include "./malware/MALW_Urausy.yar"
-include "./malware/MALW_CAP_Win32Inet.yara"
-include "./malware/RAT_Gholee.yar"
-include "./malware/APT_Poseidon_Group.yar"
-include "./malware/APT_OpPotao.yar"
-include "./malware/MALW_Virut_FileInfector_UNK_VERSION.yar"
+include "./malware/MALW_OSX_Leverage.yar"
+include "./malware/MALW_BackdoorSSH.yar"
 include "./malware/MALW_Batel.yar"
-include "./malware/MALW_Rooter.yar"
-include "./malware/MALW_IotReaper.yar"
-include "./malware/APT_PutterPanda.yar"
-include "./malware/MALW_Pyinstaller.yar"
-include "./malware/RANSOM_Satana.yar"
-include "./malware/MALW_Rovnix.yar"
-include "./malware/MALW_Spora.yar"
-include "./malware/MALW_Wabot.yar"
-include "./malware/MALW_Gafgyt.yar"
-include "./malware/APT_Stuxnet.yar"
-include "./malware/MALW_Yayih.yar"
-include "./malware/RANSOM_BadRabbit.yar"
+include "./malware/APT_Platinum.yar"
+include "./malware/MALW_LinuxMoose.yar"
+include "./malware/MALW_Install11.yar"
+include "./malware/APT_Shamoon_StoneDrill.yar"
+include "./malware/APT_Mirage.yar"
+include "./malware/RANSOM_Erebus.yar"
+include "./malware/POS.yar"
 include "./malware/MALW_Rockloader.yar"
-include "./Antidebug_AntiVM/antidebug_antivm.yar"
+include "./malware/MALW_Sayad.yar"
+include "./malware/RAT_Sakula.yar"
+include "./malware/APT_Hikit.yar"
+include "./malware/MALW_Tedroo.yar"
+include "./malware/APT_Mongall.yar"
+include "./malware/APT_Oilrig.yar"
+include "./malware/MALW_IMuler.yar"
+include "./malware/MALW_Korlia.yar"
+include "./malware/MALW_Rooter.yar"
+include "./malware/APT_DeputyDog.yar"
+include "./malware/APT_Cloudduke.yar"
+include "./malware/MALW_Shifu.yar"
+include "./malware/APT_Bestia.yar"
+include "./malware/MALW_xDedic_marketplace.yar"
+include "./malware/MALW_Zeus.yar"
+include "./malware/MALW_Vidgrab.yar"
+include "./malware/MALW_Citadel.yar"
+include "./malware/TOOLKIT_Wineggdrop.yar"
+include "./malware/APT_Duqu2.yar"
+include "./malware/MALW_Elex.yar"
+include "./malware/GEN_PowerShell.yar"
+include "./malware/APT_APT17.yar"
+include "./malware/MALW_Elknot.yar"
+include "./malware/MALW_Stealer.yar"
+include "./malware/MALW_Trumpbot.yar"
+include "./malware/APT_OpClandestineWolf.yar"
+include "./malware/MALW_Mirai_Okiru_ELF.yar"
+include "./malware/RANSOM_PetrWrap.yar"
+include "./malware/MALW_Sqlite.yar"
+include "./malware/MALW_viotto_keylogger.yar"
 include "./Webshells/WShell_PHP_Anuna.yar"
-include "./Webshells/WShell_THOR_Webshells.yar"
-include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/Wshell_ChineseSpam.yar"
-include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/Wshell_fire2013.yar"
-include "./CVE_Rules/CVE-2015-2545.yar"
-include "./CVE_Rules/CVE-2015-1701.yar"
-include "./CVE_Rules/CVE-2015-2426.yar"
-include "./CVE_Rules/CVE-2010-1297.yar"
-include "./CVE_Rules/CVE-2010-0887.yar"
-include "./CVE_Rules/CVE-2016-5195.yar"
-include "./CVE_Rules/CVE-2013-0422.yar"
-include "./CVE_Rules/CVE-2015-5119.yar"
-include "./CVE_Rules/CVE-2012-0158.yar"
-include "./CVE_Rules/CVE-2013-0074.yar"
-include "./CVE_Rules/CVE-2010-0805.yar"
-include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
+include "./Webshells/WShell_THOR_Webshells.yar"
+include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Crypto/crypto_signatures.yar"
+include "./Mobile_Malware/Android_Switcher.yar"
 include "./Mobile_Malware/Android_Dendroid_RAT.yar"
-include "./Mobile_Malware/Android_BadMirror.yar"
-include "./Mobile_Malware/Android_Banker_Acecard.yar"
-include "./Mobile_Malware/Android_SpyNote.yar"
-include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
-include "./Mobile_Malware/Android_MalwareCertificates.yar"
-include "./Mobile_Malware/Android_malware_Dropper.yar"
-include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
-include "./Mobile_Malware/Android_RuMMS.yar"
-include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
-include "./Mobile_Malware/Android_MazarBot_z.yar"
-include "./Mobile_Malware/Android_VikingOrder.yar"
-include "./Mobile_Malware/Android_HackintTeam_Implant.yar"
-include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
-include "./Mobile_Malware/Android_Trojan_Dendroid.yar"
-include "./Mobile_Malware/Android_Tachi.yar"
-include "./Mobile_Malware/Android_Amtrckr_20160519.yar"
+include "./Mobile_Malware/Android_Spywaller.yar"
+include "./Mobile_Malware/Android_Malware_Towelroot.yar"
 include "./Mobile_Malware/Android_pornClicker.yar"
+include "./Mobile_Malware/Android_Banker_Acecard.yar"
 include "./Mobile_Malware/Android_mapin.yar"
-include "./Mobile_Malware/Android_DeathRing.yar"
-include "./Mobile_Malware/Android_Copy9.yar"
-include "./Mobile_Malware/Android_malware_HackingTeam.yar"
+include "./Mobile_Malware/Android_Polish_Bankbot.yar"
+include "./Mobile_Malware/Android_SlemBunk.yar"
+include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
 include "./Mobile_Malware/Android_Marcher_2.yar"
-include "./Mobile_Malware/Android_OmniRat.yar"
-include "./Mobile_Malware/Android_generic_smsfraud.yar"
+include "./Mobile_Malware/Android_VirusPolicia.yar"
+include "./Mobile_Malware/Android_VikingOrder.yar"
+include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
+include "./Mobile_Malware/Android_Metasploit_Payload.yar"
+include "./Mobile_Malware/Android_RuMMS.yar"
 include "./Mobile_Malware/Android_Overlayer.yar"
-include "./Mobile_Malware/Android_SlemBunk.yar"
-include "./Mobile_Malware/Android_adware.yar"
-include "./Mobile_Malware/Android_malware_banker.yar"
-include "./Mobile_Malware/Android_Trojan_Droidjack.yar"
-include "./Mobile_Malware/Android_Backdoor_script.yar"
+include "./Mobile_Malware/Android_malware_xbot007.yar"
 include "./Mobile_Malware/Android_Triada_Banking.yar"
-include "./Mobile_Malware/Android_ASSDdeveloper.yar"
-include "./Mobile_Malware/Android_Spynet.yar"
-include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
+include "./Mobile_Malware/Android_malware_Dropper.yar"
+include "./Mobile_Malware/Android_SMSFraud.yar"
+include "./Mobile_Malware/Android_Dectus_rswm.yar"
 include "./Mobile_Malware/Android_SandroRat.yar"
-include "./Mobile_Malware/Android_Pink_Locker.yar"
+include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
+include "./Mobile_Malware/Android_malware_banker.yar"
+include "./Mobile_Malware/Android_malware_SMSsender.yar"
+include "./Mobile_Malware/Android_Backdoor_script.yar"
+include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
+include "./Mobile_Malware/Android_malware_HackingTeam.yar"
+include "./Mobile_Malware/Android_MalwareCertificates.yar"
+include "./Mobile_Malware/Android_DeathRing.yar"
+include "./Mobile_Malware/Android_Metasploit.yar"
+include "./Mobile_Malware/Android_Amtrckr_20160519.yar"
+include "./Mobile_Malware/Android_Clicker_G.yar"
+include "./Mobile_Malware/Android_BadMirror.yar"
+include "./Mobile_Malware/Android_Tachi.yar"
+include "./Mobile_Malware/Android_SpyAgent.yar"
+include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
+include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
+include "./Mobile_Malware/Android_Trojan_Droidjack.yar"
+include "./Mobile_Malware/Android_MazarBot_z.yar"
 include "./Mobile_Malware/Android_sk_bankTr.yar"
+include "./Mobile_Malware/Android_AVITOMMS.yar"
+include "./Mobile_Malware/Android_Spynet.yar"
+include "./Mobile_Malware/Android_Tordow.yar"
+include "./Mobile_Malware/Android_FakeApps.yar"
 include "./Mobile_Malware/Android_Godless.yar"
 include "./Mobile_Malware/Android_Backdoor.yar"
-include "./Mobile_Malware/Android_Dectus_rswm.yar"
 include "./Mobile_Malware/Android_Dogspectus.yar"
-include "./Mobile_Malware/Android_Tordow.yar"
-include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
-include "./Mobile_Malware/Android_SMSFraud.yar"
-include "./Mobile_Malware/Android_VirusPolicia.yar"
-include "./Mobile_Malware/Android_malware_SMSsender.yar"
-include "./Mobile_Malware/Android_Metasploit_Payload.yar"
-include "./Mobile_Malware/Android_Clicker_G.yar"
-include "./Mobile_Malware/Android_generic_adware.yar"
-include "./Mobile_Malware/Android_AVITOMMS.yar"
-include "./Mobile_Malware/Android_malware_xbot007.yar"
-include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
+include "./Mobile_Malware/Android_Copy9.yar"
+include "./Mobile_Malware/Android_SpyNote.yar"
 include "./Mobile_Malware/Android_malware_Advertising.yar"
-include "./Mobile_Malware/Android_SpyAgent.yar"
-include "./Mobile_Malware/Android_Spywaller.yar"
-include "./Mobile_Malware/Android_Metasploit.yar"
-include "./Mobile_Malware/Android_Malware_Towelroot.yar"
-include "./Mobile_Malware/Android_Switcher.yar"
-include "./Mobile_Malware/Android_FakeApps.yar"
-include "./Malicious_Documents/Maldoc_DDE.yar"
+include "./Mobile_Malware/Android_adware.yar"
+include "./Mobile_Malware/Android_Trojan_Dendroid.yar"
+include "./Mobile_Malware/Android_HackintTeam_Implant.yar"
+include "./Mobile_Malware/Android_generic_adware.yar"
+include "./Mobile_Malware/Android_generic_smsfraud.yar"
+include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
+include "./Mobile_Malware/Android_ASSDdeveloper.yar"
+include "./Mobile_Malware/Android_OmniRat.yar"
+include "./Mobile_Malware/Android_Pink_Locker.yar"
+include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
+include "./CVE_Rules/CVE-2010-0887.yar"
+include "./CVE_Rules/CVE-2015-2426.yar"
+include "./CVE_Rules/CVE-2013-0074.yar"
+include "./CVE_Rules/CVE-2015-1701.yar"
+include "./CVE_Rules/CVE-2010-1297.yar"
+include "./CVE_Rules/CVE-2018-4878.yar"
+include "./CVE_Rules/CVE-2013-0422.yar"
+include "./CVE_Rules/CVE-2017-11882.yar"
+include "./CVE_Rules/CVE-2015-5119.yar"
+include "./CVE_Rules/CVE-2012-0158.yar"
+include "./CVE_Rules/CVE-2016-5195.yar"
+include "./CVE_Rules/CVE-2010-0805.yar"
+include "./CVE_Rules/CVE-2015-2545.yar"
+include "./Antidebug_AntiVM/antidebug_antivm.yar"
+include "./Packers/JJencode.yar"
+include "./Packers/packer.yar"
+include "./Packers/peid.yar"
+include "./Packers/Javascript_exploit_and_obfuscation.yar"
+include "./Packers/packer_compiler_signatures.yar"
+include "./Malicious_Documents/Maldoc_Dridex.yar"
+include "./Malicious_Documents/Maldoc_UserForm.yar"
 include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
+include "./Malicious_Documents/Maldoc_DDE.yar"
+include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
+include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_PowerPointMouse.yar"
-include "./Malicious_Documents/maldoc_somerules.yar"
-include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
-include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
-include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
-include "./Malicious_Documents/Maldoc_Dridex.yar"
-include "./Malicious_Documents/Maldoc_PDF.yar"
 include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
 include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
-include "./Malicious_Documents/Maldoc_UserForm.yar"
-include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
-include "./email/attachment.yar"
-include "./email/scam.yar"
-include "./email/bank_rule.yar"
-include "./email/image.yar"
-include "./email/urls.yar"
-include "./email/EMAIL_Cryptowall.yar"
-include "./email/email_Ukraine_BE_powerattack.yar"
+include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
+include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
+include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
+include "./Malicious_Documents/Maldoc_PDF.yar"
+include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
+include "./Malicious_Documents/maldoc_somerules.yar"
+include "./Exploit-Kits/EK_Blackhole.yar"
+include "./Exploit-Kits/EK_ZeroAcces.yar"
+include "./Exploit-Kits/EK_Sakura.yar"
+include "./Exploit-Kits/EK_Angler.yar"
+include "./Exploit-Kits/EK_Zeus.yar"
+include "./Exploit-Kits/EK_Crimepack.yar"
+include "./Exploit-Kits/EK_Phoenix.yar"
+include "./Exploit-Kits/EK_BleedingLife.yar"
+include "./Exploit-Kits/EK_Zerox88.yar"
+include "./Exploit-Kits/EK_Fragus.yar"
+include "./Exploit-Kits/EK_Eleonore.yar"

malware/APT_APT15.yar

+import "pe"
+
+rule clean_apt15_patchedcmd{
+	meta:
+		author = "Ahmed Zaki"
+		description = "This is a patched CMD. This is the CMD that RoyalCli uses."
+		reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+		sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
+	strings:
+	    $ = "eisableCMD" wide
+	    $ = "%WINDOWS_COPYRIGHT%" wide
+	    $ = "Cmd.Exe" wide
+	    $ = "Windows Command Processor" wide
+	condition:
+        	all of them
+}
+
+rule malware_apt15_royalcli_1{
+	meta:
+    description = "Generic strings found in the Royal CLI tool"
+    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+		author = "David Cannings"
+		sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
+
+	strings:
+	    $ = "%s~clitemp%08x.tmp" fullword
+	    $ = "qg.tmp" fullword
+	    $ = "%s /c %s>%s" fullword
+	    $ = "hkcmd.exe" fullword
+	    $ = "%snewcmd.exe" fullword
+	    $ = "%shkcmd.exe" fullword
+	    $ = "%s~clitemp%08x.ini" fullword
+	    $ = "myRObject" fullword
+	    $ = "myWObject" fullword
+	    $ = "10 %d %x\x0D\x0A"
+	    $ = "4 %s  %d\x0D\x0A"
+	    $ = "6 %s  %d\x0D\x0A"
+	    $ = "1 %s  %d\x0D\x0A"
+	    $ = "3 %s  %d\x0D\x0A"
+	    $ = "5 %s  %d\x0D\x0A"
+	    $ = "2 %s  %d 0 %d\x0D\x0A"
+	    $ = "2 %s  %d 1 %d\x0D\x0A"
+	    $ = "%s file not exist" fullword
+
+	condition:
+	    5 of them
+}
+
+rule malware_apt15_royalcli_2{
+	meta:
+    author = "Nikolaos Pantazopoulos"
+    description = "APT15 RoyalCli backdoor"
+    reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+	strings:
+		$string1 = "%shkcmd.exe" fullword
+		$string2 = "myRObject" fullword
+		$string3 = "%snewcmd.exe" fullword
+		$string4 = "%s~clitemp%08x.tmp" fullword
+		$string5 = "hkcmd.exe" fullword
+		$string6 = "myWObject" fullword
+	condition:
+		uint16(0) == 0x5A4D and 2 of them
+}
+
+rule malware_apt15_bs2005{
+	meta:
+		author	=	"Ahmed Zaki"
+		md5	=	"ed21ce2beee56f0a0b1c5a62a80c128b"
+		description	=	"APT15 bs2005"
+		reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+   	strings:
+		$ = "%s&%s&%s&%s"  wide ascii
+		$ = "%s\\%s"  wide ascii
+		$ = "WarOnPostRedirect"  wide ascii fullword
+		$ = "WarnonZoneCrossing"  wide ascii fullword
+		$ = "^^^^^" wide ascii fullword
+			/*
+				"%s" /C "%s > "%s\tmp.txt" 2>&1 "     
+			*/
+		$ =  /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/ 
+		$ ="IEharden" wide ascii fullword
+		$ ="DEPOff" wide ascii fullword
+		$ ="ShownVerifyBalloon" wide ascii fullword
+		$ ="IEHardenIENoWarn" wide ascii fullword
+   	condition:
+		(uint16(0) == 0x5A4D and 5 of them) or 
+		( uint16(0) == 0x5A4D and 3 of them and 
+		( pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and
+		pe.imports("ole32.dll", "CoCreateInstance")))}
+
+rule malware_apt15_royaldll{
+	meta:
+		author = "David Cannings"
+		description = "DLL implant, originally rights.dll and runs as a service"
+		reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+		sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"          
+	strings:
+	    /*
+	      56                push    esi
+	      B8 A7 C6 67 4E    mov     eax, 4E67C6A7h
+	      83 C1 02          add     ecx, 2
+	      BA 04 00 00 00    mov     edx, 4
+	      57                push    edi
+	      90                nop
+	    */
+	    // JSHash implementation (Justin Sobel's hash algorithm)
+		$opcodes_jshash = { B8 A7 C6 67 4E 83 C1 02 BA 04 00 00 00 57 90 }
+
+	    /*
+	      0F B6 1C 03       movzx   ebx, byte ptr [ebx+eax]
+	      8B 55 08          mov     edx, [ebp+arg_0]
+	      30 1C 17          xor     [edi+edx], bl
+	      47                inc     edi
+	      3B 7D 0C          cmp     edi, [ebp+arg_4]
+	      72 A4             jb      short loc_10003F31
+	    */
+	    // Encode loop, used to "encrypt" data before DNS request
+		$opcodes_encode = { 0F B6 1C 03 8B 55 08 30 1C 17 47 3B 7D 0C }
+
+	    /*
+	      68 88 13 00 00    push    5000 # Also seen 3000, included below
+	      FF D6             call    esi ; Sleep
+	      4F                dec     edi
+	      75 F6             jnz     short loc_10001554
+	    */
+	    // Sleep loop
+		$opcodes_sleep_loop = { 68 (88|B8) (13|0B) 00 00 FF D6 4F 75 F6 }
+
+	    // Generic strings
+	    $ = "Nwsapagent" fullword
+	    $ = "\"%s\">>\"%s\"\\s.txt"
+	    $ = "myWObject" fullword
+	    $ = "del c:\\windows\\temp\\r.exe /f /q"
+	    $ = "del c:\\windows\\temp\\r.ini /f /q"
+	condition:
+		3 of them
+}
+
+rule malware_apt15_royaldll_2	{
+	meta:
+		author	=	"Ahmed Zaki"
+		sha256	=	"bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
+		description	=	"DNS backdoor used by APT15"
+		reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+	strings:
+		    $= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii 
+		    $= "netsvcs" wide ascii fullword
+		    $= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
+		    $= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
+		    $= "myWObject" wide ascii 
+	condition:
+		uint16(0) == 0x5A4D and all of them
+		and pe.exports("ServiceMain")
+		and filesize > 50KB and filesize < 600KB
+}
+
+rule malware_apt15_exchange_tool {
+	meta:
+		author = "Ahmed Zaki"
+		md5 = "d21a7e349e796064ce10f2f6ede31c71"
+		description = "This is a an exchange enumeration/hijacking tool used by an APT 15"
+		reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+	strings:
+		$s1= "subjectname" fullword
+		$s2= "sendername" fullword
+		$s3= "WebCredentials" fullword
+		$s4= "ExchangeVersion"	fullword
+		$s5= "ExchangeCredentials"	fullword
+		$s6= "slfilename"	fullword
+		$s7= "EnumMail"	fullword
+		$s8= "EnumFolder"	fullword
+		$s9= "set_Credentials"	fullword
+		$s10 = "/de" wide
+		$s11 = "/sn" wide
+		$s12 = "/sbn" wide
+		$s13 = "/list" wide
+		$s14 = "/enum" wide
+		$s15 = "/save" wide
+		$s16 = "/ao" wide
+		$s17 = "/sl" wide
+		$s18 = "/v or /t is null" wide
+		$s19 = "2007" wide
+		$s20 = "2010" wide
+		$s21 = "2010sp1" wide
+		$s22 = "2010sp2" wide
+		$s23 = "2013" wide
+		$s24 = "2013sp1" wide
+	condition:
+		uint16(0) == 0x5A4D and 15 of ($s*)
+}
+
+rule malware_apt15_generic {
+	meta:
+		author = "David Cannings"
+		description = "Find generic data potentially relating to AP15 tools"
+		reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+	strings:
+	    // Appears to be from copy/paste code
+		$str01 = "myWObject" fullword
+		$str02 = "myRObject" fullword
+
+	    /*
+	      6A 02             push    2               ; dwCreationDisposition
+	      6A 00             push    0               ; lpSecurityAttributes
+	      6A 00             push    0               ; dwShareMode
+	      68 00 00 00 C0    push    0C0000000h      ; dwDesiredAccess
+	      50                push    eax             ; lpFileName
+	      FF 15 44 F0 00 10 call    ds:CreateFileA
+	    */
+	    // Arguments for CreateFileA
+		$opcodes01 = { 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }
+  	condition:
+		2 of them
+}

malware/APT_DPRK_ROKRAT.yar

+rule ROKRAT_loader : TAU DPRK APT
+
+{
+
+meta:
+
+    author = "CarbonBlack Threat Research" //JMyers
+
+    date = "2018-Jan-11"
+
+    description = "Designed to catch loader observed used with ROKRAT malware"
+    
+    reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
+
+    rule_version = 1
+
+  	yara_version = "3.7.0"
+
+    TLP = "White"
+
+  	exemplar_hashes = "e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd"
+
+strings:
+
+	$n1 = "wscript.exe"
+
+	$n2 = "cmd.exe"
+
+	$s1 = "CreateProcess"
+
+	$s2 = "VirtualAlloc"
+
+	$s3 = "WriteProcessMemory"
+
+	$s4 = "CreateRemoteThread"
+
+	$s5 = "LoadResource"
+
+	$s6 = "FindResource"
+
+	$b1 = {33 C9 33 C0 E8 00 00 00 00 5E} //Clear Register, call+5, pop ESI
+
+	$b2 = /\xB9.{3}\x00\x81\xE9?.{3}\x00/ //subtraction for encoded data offset 
+
+  //the above regex could slow down scanning
+
+	$b3 = {03 F1 83 C6 02} //Fix up position
+
+	$b4 = {3E 8A 06 34 90 46} //XOR decode Key
+
+	$b5 = {3E 30 06 46 49 83 F9 00 75 F6} //XOR routine and jmp to code
+
+	//push api hash values plain text
+
+	$hpt_1 = {68 EC 97 03 0C} //api name hash value – Global Alloc
+
+	$hpt_2 = {68 54 CA AF 91} //api name hash value – Virtual Alloc
+
+	$hpt_3 = {68 8E 4E 0E EC} //api name hash value – Load Library
+
+	$hpt_4 = {68 AA FC 0D 7C} //api name hash value – GetProc Addr
+
+	$hpt_5 = {68 1B C6 46 79} //api name hash value – Virtual Protect
+
+	$hpt_6 = {68 F6 22 B9 7C} //api name hash value – Global Free
+
+	//push api hash values encoded XOR 0x13
+
+	$henc_1 = {7B FF 84 10 1F} //api name hash value – Global Alloc
+
+	$henc_2 = {7B 47 D9 BC 82} //api name hash value – Virtual Alloc
+
+	$henc_3 = {7B 9D 5D 1D EC} //api name hash value – Load Library
+
+	$henc_4 = {7B B9 EF 1E 6F} //api name hash value – GetProc Addr
+
+	$henc_5 = {7B 08 D5 55 6A} //api name hash value – Virtual Protect
+
+	$henc_6 = {7B E5 31 AA 6F} //api name hash value – Global Free
+
+condition:
+
+	(1 of ($n*) and 4 of ($s*) and 4 of ($b*)) or all of ($hpt*) or all of ($henc*)
+
+}
+
+
+rule ROKRAT_payload : TAU DPRK APT
+
+{
+
+meta:
+
+    author = "CarbonBlack Threat Research" //JMyers
+
+    date = "2018-Jan-11"
+
+    description = "Designed to catch loader observed used with ROKRAT malware"
+    
+    reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
+
+    rule_version = 1
+
+  	yara_version = "3.7.0"
+
+    TLP = "White"
+
+  	exemplar_hashes = "e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573"
+
+strings:
+
+	$s1 = "api.box.com/oauth2/token" wide
+
+	$s2 = "upload.box.com/api/2.0/files/content" wide
+
+	$s3 = "api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1" wide
+
+	$s4 = "cloud-api.yandex.net/v1/disk/resources/download?path=%s" wide
+
+	$s5 = "SbieDll.dll"
+
+	$s6 = "dbghelp.dll"
+
+	$s7 = "api_log.dll"
+
+	$s8 = "dir_watch.dll"
+
+	$s9 = "def_%s.jpg" wide
+
+	$s10 = "pho_%s_%d.jpg" wide
+
+	$s11 = "login=%s&password=%s&login_submit=Authorizing" wide
+
+	$s12 = "gdiplus.dll"
+
+	$s13 = "Set-Cookie:\\b*{.+?}\\n" wide
+
+	$s14 = "charset={[A-Za-z0-9\\-_]+}" wide
+
+condition:
+
+	12 of ($s*)
+
+}
+

malware/APT_EnergeticBear_backdoored_ssh.yar

+rule Backdoored_ssh {
+meta:
+author = "Kaspersky"
+reference = "https://securelist.com/energetic-bear-crouching-yeti/85345/"
+actor = "Energetic Bear/Crouching Yeti"
+strings:
+$a1 = "OpenSSH"
+$a2 = "usage: ssh"
+$a3 = "HISTFILE"
+condition:
+uint32(0) == 0x464c457f and filesize<1000000 and all of ($a*)
+}

malware/APT_HiddenCobra.yar

@@ -4,7 +4,7 @@ meta:
 
 	description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" 
 	author = "US-CERT"
-	url = "https://www.us-cert.gov/ncas/alerts/TA17-164A?platform=hootsuite"
+	url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
 
 strings:
 
@@ -35,7 +35,7 @@ meta:
 
     description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" 
     author = "US-CERT"
-    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A?platform=hootsuite"
+    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
 
 strings:
 
@@ -56,7 +56,7 @@ meta:
 
     description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" 
     author = "US-CERT"
-    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A?platform=hootsuite"
+    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
 
 strings:
 
@@ -65,3 +65,105 @@ $randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7 44 24 28 B
 condition: 
     $randomUrlBuilder
 }
+
+
+rule Malware_Updater
+{
+meta:
+	Author="US-CERT Code Analysis Team"
+	Date="2017/08/02"
+	Incident="10132963"
+	MD5_1="8F4FC2E10B6EC15A01E0AF24529040DD"
+	MD5_2="584AC94142F0B7C0DF3D0ADDE6E661ED"
+	Info="Malware may be used to update multiple systems with secondary payloads"
+	super_rule=1
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10132963.pdf"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	$s0 = { 8A4C040480F15D80C171884C04044083F8107CEC }
+	$s1 = { 8A4D0080F19580E97C884D00454B75F0 }
+condition: 
+	any of them
+} 
+
+rule Unauthorized_Proxy_Server_RAT
+{
+meta:
+	Author="US-CERT Code Analysis Team"
+	Incident="10135536"
+	MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
+	MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"
+	Info="Detects Proxy Server RAT"
+	super_rule = 1
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
+	$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
+	$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
+	$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
+	$s4 = {B91A7900008A140780F29A8810404975F4}
+	$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F}
+	$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
+	$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
+	$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
+	$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
+	$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
+	$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
+	$s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
+	$s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05}
+condition:
+	any of them
+} 
+
+rule NK_SSL_PROXY{
+meta:
+	Author = "US-CERT Code Analysis Team"
+	Date = "2018/01/09"
+	MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
+	MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
+	Info= "Detects NK SSL PROXY"
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	$s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
+	$s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
+	$s2 = {4775401F713435747975366867766869375E2524736466}
+	$s3 = {67686667686A75797566676467667472}
+	$s4 = {6D2A5E265E676866676534776572}
+	$s5 = {3171617A5853444332337765}
+	$s6 = "ghfghjuyufgdgftr"
+	$s7 = "q45tyu6hgvhi7^%$sdf"
+	$s8 = "m*^&^ghfge4wer"
+condition:
+	($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
+} 
+
+rule r4_wiper_1
+{
+meta:
+	source = "NCCIC Partner"
+	date = "2017-12-12"
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	$mbr_code = { 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 5D 7C 33 C9 41 81 F9 00 ?? 74 24 B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 83 55 06 00 EB D5 BE 4D 7C B4 43 B0 00 CD 13 33 C9 BE 5D 7C EB C5 }
+	$controlServiceFoundlnBoth = { 83 EC 1C 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 44 8B 44 24 24 53 56 6A 24 50 57 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 85 F6 74 1C 8D 4C 24 0C 51 6A 01 56 FF 15 ?? ?? ?? ?? 68 E8 03 00 00 FF 15 ?? ?? ?? ?? 56 FF D3 57 FF D3 5E 5B 33 C0 5F 83 C4 1C C3 33 C0 5F 83 C4 1C C3 }
+condition:
+	uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and any of them
+}
+
+rule r4_wiper_2
+{
+meta:
+	source = "NCCIC Partner"
+	date = "2017-12-12"
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	// BIOS Extended Write
+	$PhysicalDriveSTR = "\\\\.\\PhysicalDrive" wide
+	$ExtendedWrite = { B4 43 B0 00 CD 13 }
+condition:
+	uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and all of them
+}

malware/APT_Turla_Neuron.yar

+rule MW_neuron2_loader_strings : Turla APT loader
+{
+    meta:
+        description = "Rule for detection of Neuron2 based on strings within the loader"
+        author = "NCSC"
+        family = "Turla"
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+        date = "2018-01-18"
+        hash1 = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"
+    strings:
+        $ = "dcom_api" ascii
+        $ = "http://*:80/OWA/OAB/" ascii
+        $ = "https://*:443/OWA/OAB/" ascii
+        $ = "dcomnetsrv.cpp" wide
+        $ = "dcomnet.dll" ascii
+        $ = "D:\\Develop\\sps\\neuron2\\x64\\Release\\dcomnet.pdb" ascii
+    condition:
+        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 2 of them
+}
+
+
+rule MW_neuron2_decryption_routine : Turla APT
+{
+    meta:
+        description = "Rule for detection of Neuron2 based on the routine used to decrypt the payload"
+        author = "NCSC"
+        family = "Turla"
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+        date = "2018-01-18"
+        hash1 = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"
+    strings:
+        $ = {81 FA FF 00 00 00 0F B6 C2 0F 46 C2 0F B6 0C 04 48 03 CF 0F B6 D1 8A 0C 14 8D 50 01 43 32 0C 13 41 88 0A 49 FF C2 49 83 E9 01}
+    condition:
+        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
+}
+
+
+rule MW_neuron2_dotnet_strings : Turla APT
+{
+    meta:
+        description = "Rule for detection of the .NET payload for Neuron2 based on strings used"
+        author = "NCSC"
+        family = "Turla"
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+        date = "2018-01-18"
+        hash1 = "83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015"
+    strings:
+        $dotnetMagic = "BSJB" ascii
+        $s1 = "http://*:80/W3SVC/" wide
+        $s2 = "https://*:443/W3SVC/" wide
+        $s3 = "neuron2.exe" ascii
+        $s4 = "D:\\Develop\\sps\\neuron2\\neuron2\\obj\\Release\\neuron2.pdb" ascii
+    condition:
+        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 2 of ($s*)
+}
+

malware/MALW_AZORULT.yar

@@ -2,13 +2,14 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
 */
 
-rule Windows_Malware_Azorult : Azorult_V2
+import "cuckoo"
+rule Windows_Malware : Azorult_V2
     {
             meta:
                     author = "Xylitol xylitol@temari.fr"
                     date = "2017-09-30"
                     description = "Match first two bytes, strings, and parts of routines present in Azorult"
-                    reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
+                    reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819&p=30867"
                     // May only the challenge guide you
             strings:
                     $mz = {4D 5A}
@@ -19,5 +20,5 @@ rule Windows_Malware_Azorult : Azorult_V2
                     $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
                     $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
             condition:
-                    ($mz at 0 and all of ($string*) and ($constant1 or $constant2))
+                    ($mz at 0 and all of ($string*) and ($constant1 or $constant2) or cuckoo.sync.mutex(/Ad48qw4d6wq84d56as|Adkhvhhydhasdasashbc/))
     }

malware/MALW_AgentTesla.yar

+
+rule Agenttesla
+{
+    meta:
+        description = "Detecting HTML strings used by Agent Tesla malware"
+        author = "Stormshield"
+        reference = "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/"
+        version = "1.0"
+
+    strings:
+        $html_username    = "<br>UserName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: " wide ascii
+        $html_pc_name     = "<br>PC&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: " wide ascii
+        $html_os_name     = "<br>OS&nbsp;Full&nbsp;Name&nbsp;&nbsp;: " wide ascii
+        $html_os_platform = "<br>OS&nbsp;Platform&nbsp;&nbsp;&nbsp;: " wide ascii
+        $html_clipboard   = "<br><span style=font-style:normal;text-decoration:none;text-transform:none;color:#FF0000;><strong>[clipboard]</strong></span>" wide ascii
+
+    condition:
+        3 of them
+}

malware/MALW_AgentTesla_SMTP.yar

+rule agenttesla_smtp_variant {
+
+    meta:
+        author = "J from THL <j@techhelplist.com> with thx to @Fumik0_ !!1!"
+        date = "2018/2"
+	reference1 = "https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection"
+	reference2 = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a"
+	reference3 = "Agent Tesla == negasteal -- @coldshell"
+	version = 1
+        maltype = "Stealer"
+        filetype = "memory"
+
+    strings:
+		$a = "type={"
+		$b = "hwid={"
+		$c = "time={"
+		$d = "pcname={"
+		$e = "logdata={"
+		$f = "screen={"
+		$g = "ipadd={"
+		$h = "webcam_link={"
+		$i = "screen_link={"
+		$j = "site_username={"
+		$k = "[passwords]"
+
+    condition:
+        6 of them
+}

malware/MALW_Httpsd_ELF.yar

+/* Yara rule to detect Linux/Httpsd generic
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+    and  open to any user or organization, as long as you use it under this license.
+*/
+
+private rule is__LinuxHttpsdStrings {
+
+    meta:
+	description = "Strings of ELF Linux/Httpsd (backdoor, downloader, remote command execution)"
+	ref1 = "https://imgur.com/a/8mFGk"
+	ref2 = "https://otx.alienvault.com/pulse/5a49115f93199b171b90a212"
+	ref3 = "https://misppriv.circl.lu/events/view/9952"
+	author = "unixfreaxjp"
+	org = "MalwareMustDie"
+	date = "2018-01-02"
+	sha256 = "dd1266561fe7fcd54d1eb17efbbb6babaa9c1f44b36cef6e06052e22ce275ccd"
+	sha256 = "1b3718698fae20b63fbe6ab32411a02b0b08625f95014e03301b49afaee9d559"
+		
+	strings:
+		$st01 = "k.conectionapis.com" fullword nocase wide ascii
+		$st02 = "key=%s&host_name=%s&cpu_count=%d&os_type=%s&core_count=%s" fullword nocase wide ascii
+		$st03 = "id=%d&result=%s" fullword nocase wide ascii
+		$st04 = "rtime" fullword nocase wide ascii
+		$st05 = "down" fullword nocase wide ascii
+		$st06 = "cmd" fullword nocase wide ascii
+		$st07 = "0 */6 * * * root" fullword nocase wide ascii
+		$st08 = "/etc/cron.d/httpsd" fullword nocase wide ascii
+		$st09 = "cat /proc/cpuinfo |grep processor|wc -l" fullword nocase wide ascii
+		$st10 = "k.conectionapis.com" fullword nocase wide ascii
+		$st11 = "/api" fullword nocase wide ascii
+		$st12 = "/tmp/.httpslog" fullword nocase wide ascii
+		$st13 = "/bin/.httpsd" fullword nocase wide ascii
+		$st14 = "/tmp/.httpsd" fullword nocase wide ascii
+		$st15 = "/tmp/.httpspid" fullword nocase wide ascii
+		$st16 = "/tmp/.httpskey" fullword nocase wide ascii
+
+	condition:
+		all of them
+}
+
+
+private rule is__elf {
+
+	meta:
+		author = "@mmorenog,@yararules"
+		
+	strings:
+		$header = { 7F 45 4C 46 }
+
+	condition:
+		$header at 0
+}
+
+rule Linux_Httpsd_malware_ARM {
+  
+	meta:
+		description = "Detects Linux/Httpsd ARMv5"
+		date = "2017-12-31"
+
+	strings:
+		$hexsts01 = { f0 4f 2d e9 1e db 4d e2 ec d0 4d e2 01 40 a0 e1 } // main
+		$hexsts02 = { f0 45 2d e9 0b db 4d e2 04 d0 4d e2 3c 01 9f e5 } // self-rclocal
+		$hexsts03 = { f0 45 2d e9 01 db 4d e2 04 d0 4d e2 bc 01 9f e5 } // copy-self
+
+	condition:
+		all of them
+        	and is__elf
+		and is__LinuxHttpsdStrings
+		and filesize < 200KB 
+}
+
+rule Linux_Httpsd_malware_i686 {
+
+	meta:
+		description = "Detects ELF Linux/Httpsd i686"
+		date = "2018-01-02"
+
+	
+	strings:
+		$hexsts01 = { 8d 4c 24 04 83 e4 f0 ff 71 fc 55 89 e5 57 56 53 } // main
+		$hexsts02 = { 55 89 e5 57 56 53 81 ec 14 2c 00 00 68 7a 83 05 } // self-rclocal
+		$hexsts03 = { 55 89 e5 57 56 53 81 ec 10 04 00 00 68 00 04 00 } // copy-self
+
+	condition:
+		all of them
+        	and is__elf
+		and is__LinuxHttpsdStrings
+		and filesize < 200KB 
+}

malware/MALW_IcedID.yar

+/* Yara rule to detect IcedID banking trojan generic 
+   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+   and  open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+
+rule IceID_Bank_trojan {
+
+	meta:
+		description = "Detects IcedID..adjusted several times"
+		author = "unixfreaxjp"
+		org = "MalwareMustDie"
+		date = "2018-01-14"
+    
+	strings:
+		$header = { 4D 5A }
+		$magic1 = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? }
+		$st01 = "CCmdTarget" fullword nocase wide ascii
+		$st02 = "CUserException" fullword nocase wide ascii
+		$st03 = "FileType" fullword nocase wide ascii
+		$st04 = "FlsGetValue" fullword nocase wide ascii
+		$st05 = "AVCShellWrapper@@" fullword nocase wide ascii
+		$st06 = "AVCCmdTarget@@" fullword nocase wide ascii
+		$st07 = "AUCThreadData@@" fullword nocase wide ascii
+		$st08 = "AVCUserException@@" fullword nocase wide ascii
+
+	condition:
+		$header at 0 and all of ($magic*) and 6 of ($st0*)
+		and pe.sections[0].name contains ".text"
+		and pe.sections[1].name contains ".rdata"
+		and pe.sections[2].name contains ".data"
+		and pe.sections[3].name contains ".rsrc"
+		and pe.characteristics & pe.EXECUTABLE_IMAGE
+		and pe.characteristics & pe.RELOCS_STRIPPED
+}

malware/MALW_Kwampirs.yar

+rule Kwampirs
+{
+ meta:
+ copyright = "Symantec"
+ reference = "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+ family = "Kwampirs"
+ description = "Kwampirs dropper and main payload components"
+ strings:
+$pubkey =
+ {
+ 06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00
+ 01 00 01 00 CD 74 15 BC 47 7E 0A 5E E4 35 22 A5
+ 97 0C 65 BE E0 33 22 F2 94 9D F5 40 97 3C 53 F9
+ E4 7E DD 67 CF 5F 0A 5E F4 AD C9 CF 27 D3 E6 31
+ 48 B8 00 32 1D BE 87 10 89 DA 8B 2F 21 B4 5D 0A
+ CD 43 D7 B4 75 C9 19 FE CC 88 4A 7B E9 1D 8C 11
+ 56 A6 A7 21 D8 C6 82 94 C1 66 11 08 E6 99 2C 33
+ 02 E2 3A 50 EA 58 D2 A7 36 EE 5A D6 8F 5D 5D D2
+ 9E 04 24 4A CE 4C B6 91 C0 7A C9 5C E7 5F 51 28
+ 4C 72 E1 60 AB 76 73 30 66 18 BE EC F3 99 5E 4B
+ 4F 59 F5 56 AD 65 75 2B 8F 14 0C 0D 27 97 12 71
+ 6B 49 08 84 61 1D 03 BA A5 42 92 F9 13 33 57 D9
+ 59 B3 E4 05 F9 12 23 08 B3 50 9A DA 6E 79 02 36
+ EE CE 6D F3 7F 8B C9 BE 6A 7E BE 8F 85 B8 AA 82
+ C6 1E 14 C6 1A 28 29 59 C2 22 71 44 52 05 E5 E6
+ FE 58 80 6E D4 95 2D 57 CB 99 34 61 E9 E9 B3 3D
+ 90 DC 6C 26 5D 70 B4 78 F9 5E C9 7D 59 10 61 DF
+ F7 E4 0C B3
+ }
+ 
+ $network_xor_key =
+ {
+ B7 E9 F9 2D F8 3E 18 57 B9 18 2B 1F 5F D9 A5 38
+ C8 E7 67 E9 C6 62 9C 50 4E 8D 00 A6 59 F8 72 E0
+ 91 42 FF 18 A6 D1 81 F2 2B C8 29 EB B9 87 6F 58
+ C2 C9 8E 75 3F 71 ED 07 D0 AC CE 28 A1 E7 B5 68
+ CD CF F1 D8 2B 26 5C 31 1E BC 52 7C 23 6C 3E 6B
+ 8A 24 61 0A 17 6C E2 BB 1D 11 3B 79 E0 29 75 02
+ D9 25 31 5F 95 E7 28 28 26 2B 31 EC 4D B3 49 D9
+ 62 F0 3E D4 89 E4 CC F8 02 41 CC 25 15 6E 63 1B
+ 10 3B 60 32 1C 0D 5B FA 52 DA 39 DF D1 42 1E 3E
+ BD BC 17 A5 96 D9 43 73 3C 09 7F D2 C6 D4 29 83
+ 3E 44 44 6C 97 85 9E 7B F0 EE 32 C3 11 41 A3 6B
+ A9 27 F4 A3 FB 2B 27 2B B6 A6 AF 6B 39 63 2D 91
+ 75 AE 83 2E 1E F8 5F B5 65 ED B3 40 EA 2A 36 2C
+ A6 CF 8E 4A 4A 3E 10 6C 9D 28 49 66 35 83 30 E7
+ 45 0E 05 ED 69 8D CF C5 40 50 B1 AA 13 74 33 0F
+ DF 41 82 3B 1A 79 DC 3B 9D C3 BD EA B1 3E 04 33
+ }
+
+$decrypt_string =
+ {
+ 85 DB 75 09 85 F6 74 05 89 1E B0 01 C3 85 FF 74
+ 4F F6 C3 01 75 4A 85 F6 74 46 8B C3 D1 E8 33 C9
+ 40 BA 02 00 00 00 F7 E2 0F 90 C1 F7 D9 0B C8 51
+ E8 12 28 00 00 89 06 8B C8 83 C4 04 33 C0 85 DB
+ 74 16 8B D0 83 E2 0F 8A 92 1C 33 02 10 32 14 38
+ 40 88 11 41 3B C3 72 EA 66 C7 01 00 00 B0 01 C3
+ 32 C0 C3
+ }
+
+ $init_strings =
+ {
+ 55 8B EC 83 EC 10 33 C9 B8 0D 00 00 00 BA 02 00
+ 00 00 F7 E2 0F 90 C1 53 56 57 F7 D9 0B C8 51 E8
+ B3 27 00 00 BF 05 00 00 00 8D 77 FE BB 4A 35 02
+ 10 2B DE 89 5D F4 BA 48 35 02 10 4A BB 4C 35 02
+ 10 83 C4 04 2B DF A3 C8 FC 03 10 C7 45 FC 00 00
+ 00 00 8D 4F FC 89 55 F8 89 5D F0 EB 06
+ }
+
+ condition:
+ 2 of them
+}

malware/MALW_Mirai_Okiru_ELF.yar

+/* Yara rule to detect Mirai Okiru generic 
+   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+   and  open to any user or organization, as long as you use it under this license.
+*/
+
+private rule is__Mirai_gen7 {
+	meta:
+		description = "Generic detection for MiraiX version 7"
+		reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
+		author = "unixfreaxjp"
+		org = "MalwareMustDie"
+		date = "2018-01-05"
+
+	strings:
+        	$st01 = "/bin/busybox rm" fullword nocase wide ascii
+        	$st02 = "/bin/busybox echo" fullword nocase wide ascii
+        	$st03 = "/bin/busybox wget" fullword nocase wide ascii
+        	$st04 = "/bin/busybox tftp" fullword nocase wide ascii
+        	$st05 = "/bin/busybox cp" fullword nocase wide ascii
+        	$st06 = "/bin/busybox chmod" fullword nocase wide ascii
+		$st07 = "/bin/busybox cat" fullword nocase wide ascii
+
+	condition:
+        	5 of them
+}
+
+private rule is__elf {
+
+	meta:
+		author = "@mmorenog,@yararules"
+		
+	strings:
+		$header = { 7F 45 4C 46 }
+
+	condition:
+		$header at 0
+}
+
+rule Mirai_Okiru {
+	meta:
+		description = "Detects Mirai Okiru MALW"
+		reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
+		date = "2018-01-05"
+
+	strings:
+		$hexsts01 = { 68 7f 27 70 60 62 73 3c 27 28 65 6e 69 28 65 72 }
+		$hexsts02 = { 74 7e 65 68 7f 27 73 61 73 77 3c 27 28 65 6e 69 }
+		// noted some Okiru variant doesnt have below function, uncomment to seek specific x86 bins
+    // $st07 = "iptables -F\n" fullword nocase wide ascii
+    
+	condition:
+    		all of them
+		and is__elf
+		and is__Mirai_gen7
+		and filesize < 100KB 
+}

malware/MALW_Mirai_Satori_ELF.yar

+/* Yara rule to detect Mirai Satori generic 
+   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+   and  open to any user or organization, as long as you use it under this license.
+*/
+
+private rule is__Mirai_gen7 {
+	meta:
+		description = "Generic detection for MiraiX version 7"
+		reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
+		author = "unixfreaxjp"
+		org = "MalwareMustDie"
+		date = "2018-01-05"
+
+	strings:
+        	$st01 = "/bin/busybox rm" fullword nocase wide ascii
+        	$st02 = "/bin/busybox echo" fullword nocase wide ascii
+        	$st03 = "/bin/busybox wget" fullword nocase wide ascii
+        	$st04 = "/bin/busybox tftp" fullword nocase wide ascii
+        	$st05 = "/bin/busybox cp" fullword nocase wide ascii
+        	$st06 = "/bin/busybox chmod" fullword nocase wide ascii
+        	$st07 = "/bin/busybox cat" fullword nocase wide ascii
+
+	condition:
+        	5 of them
+}
+
+private rule is__elf {
+
+	meta:
+		author = "@mmorenog,@yararules"
+		
+	strings:
+		$header = { 7F 45 4C 46 }
+
+	condition:
+		$header at 0
+}
+
+private rule is__Mirai_Satori_gen {
+	meta:
+		description = "Detects Mirai Satori_gen"
+		reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
+		date = "2018-01-05"
+
+	strings:
+		$st08 = "tftp -r satori" fullword nocase wide ascii
+		$st09 = "/bins/satori" fullword nocase wide ascii
+		$st10 = "satori" fullword nocase wide ascii
+		$st11 = "SATORI" fullword nocase wide ascii
+
+	condition:
+		2 of them
+}
+
+rule Mirai_Satori {
+	meta:
+		description = "Detects Mirai Satori MALW"
+		date = "2018-01-09"
+
+	strings:
+		$hexsts01 = { 63 71 75 ?? 62 6B 77 62 75 }
+		$hexsts02 = { 53 54 68 72 75 64 62 }
+		$hexsts03 = { 28 63 62 71 28 70 66 73 64 6F 63 68 60 } 
+
+	condition:
+		all of them
+		and is__elf
+		and is__Mirai_gen7
+		and is__Mirai_Satori_gen
+		and filesize < 100KB 
+}

malware/MALW_Monero_Miner_installer.yar

+rule nkminer_monero {
+
+ meta:
+
+ description = "Detects installer of Monero miner that points to a NK domain"
+
+ author = "cdoman@alienvault.com"
+ 
+ reference = "https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner"
+
+ tlp = "white"
+
+ license = "MIT License"
+
+ strings:
+
+ $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" nocase wide ascii
+
+ $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" nocase wide ascii
+
+ $c = "barjuok.ryongnamsan.edu.kp" nocase wide ascii
+
+ $d = "C:\\SoftwaresInstall\\soft" nocase wide ascii
+
+ $e = "C:\\Windows\\Sys64\\intelservice.exe" nocase wide ascii
+
+ $f = "C:\\Windows\\Sys64\\updater.exe" nocase wide ascii
+
+ $g = "C:\\Users\\Jawhar\\documents\\" nocase wide ascii
+
+ condition:
+
+ any of them
+
+}

malware/MALW_Rebirth_Vulcan_ELF.yar

+/* Yara rule to detect ELF Linux malware Rebirth Vulcan (Torlus next-gen) generic 
+   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+   and  open to any user or organization, as long as you use it under this license.
+*/
+
+private rule is__str_Rebirth_gen3 {
+	meta:
+		description = "Generic detection for Vulcan branch Rebirth or Katrina from Torlus nextgen"
+		reference = "https://imgur.com/a/SSKmu"
+		reference = "https://www.reddit.com/r/LinuxMalware/comments/7rprnx/vulcan_aka_linuxrebirth_or_katrina_variant_of/"
+		author = "unixfreaxjp"
+		org = "MalwareMustDie"
+		date = "2018-01-21"
+	strings:
+        	$str01 = "/usr/bin/python" fullword nocase wide ascii
+        	$str02 = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n" fullword nocase wide ascii
+        	$str03 = "Telnet Range %d->%d" fullword nocase wide ascii
+        	$str04 = "Mirai Range %d->%d" fullword nocase wide ascii
+        	$str05 = "[Updating] [%s:%s]" fullword nocase wide ascii
+        	$str06 = "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*" fullword nocase wide ascii
+		$str07 = "\x1B[96m[DEVICE] \x1B[97mConnected" fullword nocase wide ascii
+	condition:
+        	4 of them
+}
+
+private rule is__hex_Rebirth_gen3 {
+	meta:
+		author = "unixfreaxjp"
+		date = "2018-01-21"
+	strings:
+		$hex01 = { 0D C0 A0 E1 00 D8 2D E9 }
+		$hex02 = { 3C 1C 00 06 27 9C 97 98 }
+		$hex03 = { 94 21 EF 80 7C 08 02 A6 }
+		$hex04 = { E6 2F 22 4F 76 91 18 3F }
+		$hex05 = { 06 00 1C 3C 20 98 9C 27 }
+		$hex06 = { 55 89 E5 81 EC ?? 10 00 }
+		$hex07 = { 55 48 89 E5 48 81 EC 90 }
+		$hex08 = { 6F 67 69 6E 00 }
+	condition:
+        	2 of them 
+}
+
+private rule is__bot_Rebirth_gen3 {
+	meta:
+		author = "unixfreaxjp"
+		date = "2018-01-21"
+	strings:
+        	$bot01 = "MIRAITEST" fullword nocase wide ascii
+        	$bot02 = "TELNETTEST" fullword nocase wide ascii
+        	$bot03 = "UPDATE" fullword nocase wide ascii
+        	$bot04 = "PHONE" fullword nocase wide ascii
+        	$bot05 = "RANGE" fullword nocase wide ascii
+		$bot06 = "KILLATTK" fullword nocase wide ascii
+		$bot07 = "STD" fullword nocase wide ascii
+        	$bot08 = "BCM" fullword nocase wide ascii
+		$bot09 = "NETIS" fullword nocase wide ascii
+		$bot10 = "FASTLOAD" fullword nocase wide ascii
+	condition:
+        	6 of them
+}
+
+private rule is__elf {
+	meta:
+		author = "@mmorenog,@yararules"
+	strings:
+		$header = { 7F 45 4C 46 }
+	condition:
+		$header at 0
+}
+
+rule MALW_Rebirth_Vulcan_ELF {
+	meta:
+		description = "Detects Rebirth Vulcan variant a torlus NextGen MALW"
+		description = "Just adjust or omit below two strings for next version they code :) @unixfreaxjp"
+		date = "2018-01-21"
+	strings:
+                $spec01 = "vulcan.sh" fullword nocase wide ascii
+		$spec02 = "Vulcan" fullword nocase wide ascii
+	condition:
+                all of them
+		and is__elf
+		and is__str_Rebirth_gen3
+		and is__hex_Rebirth_gen3
+		and is__bot_Rebirth_gen3
+		and filesize < 300KB 
+}

malware/MALW_TRITON_HATMAN.yar

+/*
+ * DESCRIPTION: Yara rules to match the known binary components of the HatMan
+ *              malware targeting Triconex safety controllers. Any matching
+ *              components should hit using the "hatman" rule in addition to a
+ *              more specific "hatman_*" rule.
+ * AUTHOR:      DHS/NCCIC/ICS-CERT
+ */
+
+/* Globally only look at small files. */
+
+private global rule hatman_filesize : hatman {
+    condition:
+        filesize < 100KB
+}
+
+/* Private rules that are used at the end in the public rules. */
+
+private rule hatman_setstatus : hatman {
+    strings:
+        $preset     = { 80 00 40 3c  00 00 62 80  40 00 80 3c  40 20 03 7c 
+                        ?? ?? 82 40  04 00 62 80  60 00 80 3c  40 20 03 7c 
+                        ?? ?? 82 40  ?? ?? 42 38                           }
+    condition:
+        $preset
+}
+private rule hatman_memcpy : hatman {
+    strings:
+        $memcpy_be  = { 7c a9 03 a6  38 84 ff ff  38 63 ff ff  8c a4 00 01 
+                        9c a3 00 01  42 00 ff f8  4e 80 00 20              }
+        $memcpy_le  = { a6 03 a9 7c  ff ff 84 38  ff ff 63 38  01 00 a4 8c
+                        01 00 a3 9c  f8 ff 00 42  20 00 80 4e              }
+    condition:
+        $memcpy_be or $memcpy_le
+}
+private rule hatman_dividers : hatman {
+    strings:
+        $div1       = { 9a 78 56 00 }
+        $div2       = { 34 12 00 00 }
+    condition:
+        $div1 and $div2
+}
+private rule hatman_nullsub : hatman {
+    strings:
+        $nullsub     = { ff ff 60 38  02 00 00 44  20 00 80 4e }
+    condition:
+        $nullsub
+}
+private rule hatman_origaddr : hatman {
+    strings:
+        $oaddr_be   = { 3c 60 00 03  60 63 96 f4  4e 80 00 20 }
+        $oaddr_le   = { 03 00 60 3c  f4 96 63 60  20 00 80 4e }
+    condition:
+        $oaddr_be or $oaddr_le
+}
+private rule hatman_origcode : hatman {
+    strings:
+        $ocode_be   = { 3c 00 00 03  60 00 a0 b0  7c 09 03 a6  4e 80 04 20 }
+        $ocode_le   = { 03 00 00 3c  b0 a0 00 60  a6 03 09 7c  20 04 80 4e }
+    condition:
+        $ocode_be or $ocode_le
+}
+private rule hatman_mftmsr : hatman {
+    strings:
+        $mfmsr_be   = { 7c 63 00 a6 }
+        $mfmsr_le   = { a6 00 63 7c }
+        $mtmsr_be   = { 7c 63 01 24 }
+        $mtmsr_le   = { 24 01 63 7c }
+    condition:
+        ($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)
+}
+private rule hatman_loadoff : hatman {
+    strings:
+        $loadoff_be = { 80 60 00 04  48 00 ?? ??  70 60 ff ff  28 00 00 00
+                        40 82 ?? ??  28 03 00 00  41 82 ?? ??              }
+        $loadoff_le = { 04 00 60 80  ?? ?? 00 48  ff ff 60 70  00 00 00 28 
+                        ?? ?? 82 40  00 00 03 28  ?? ?? 82 41              }
+    condition:
+        $loadoff_be or $loadoff_le
+}
+private rule hatman_injector_int : hatman {
+    condition:
+        hatman_memcpy and hatman_origaddr and hatman_loadoff
+}
+private rule hatman_payload_int : hatman {
+    condition:
+        hatman_memcpy and hatman_origcode and hatman_mftmsr
+}
+
+/* Actual public rules to match using the private rules. */
+
+rule hatman_compiled_python : hatman {
+    condition:
+        hatman_nullsub and hatman_setstatus and hatman_dividers
+}
+rule hatman_injector : hatman {
+    condition:
+        hatman_injector_int and not hatman_payload_int
+}
+rule hatman_payload : hatman {
+    condition:
+        hatman_payload_int and not hatman_injector_int
+}
+rule hatman_combined : hatman {
+    condition:
+        hatman_injector_int and hatman_payload_int and hatman_dividers
+}
+rule hatman : hatman {
+    meta:
+        author = "DHS/NCCIC/ICS-CERT"
+        description = "Matches the known samples of the HatMan malware."
+    condition:
+        hatman_compiled_python or hatman_injector or hatman_payload
+            or hatman_combined
+}

malware/MALW_TRITON_ICS_FRAMEWORK.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule TRITON_ICS_FRAMEWORK
+{
+      meta:
+          author = "nicholas.carr @itsreallynick"
+          md5 = "0face841f7b2953e7c29c064d6886523"
+          description = "TRITON framework recovered during Mandiant ICS incident response"
+      strings:
+          $python_compiled = ".pyc" nocase ascii wide
+          $python_module_01 = "__module__" nocase ascii wide
+          $python_module_02 = "<module>" nocase ascii wide
+          $python_script_01 = "import Ts" nocase ascii wide
+          $python_script_02 = "def ts_" nocase ascii wide  
+
+          $py_cnames_01 = "TS_cnames.py" nocase ascii wide
+          $py_cnames_02 = "TRICON" nocase ascii wide
+          $py_cnames_03 = "TriStation " nocase ascii wide
+          $py_cnames_04 = " chassis " nocase ascii wide  
+
+          $py_tslibs_01 = "GetCpStatus" nocase ascii wide
+          $py_tslibs_02 = "ts_" ascii wide
+          $py_tslibs_03 = " sequence" nocase ascii wide
+          $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
+          $py_tslibs_05 = /module\s?version/ nocase ascii wide
+          $py_tslibs_06 = "bad " nocase ascii wide
+          $py_tslibs_07 = "prog_cnt" nocase ascii wide  
+
+          $py_tsbase_01 = "TsBase.py" nocase ascii wide
+          $py_tsbase_02 = ".TsBase(" nocase ascii wide 
+         
+          $py_tshi_01 = "TsHi.py" nocase ascii wide
+          $py_tshi_02 = "keystate" nocase ascii wide
+          $py_tshi_03 = "GetProjectInfo" nocase ascii wide
+          $py_tshi_04 = "GetProgramTable" nocase ascii wide
+          $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
+          $py_tshi_06 = ".TsHi(" ascii nocase wide  
+
+          $py_tslow_01 = "TsLow.py" nocase ascii wide
+          $py_tslow_02 = "print_last_error" ascii nocase wide
+          $py_tslow_03 = ".TsLow(" ascii nocase wide
+          $py_tslow_04 = "tcm_" ascii wide
+          $py_tslow_05 = " TCM found" nocase ascii wide  
+
+          $py_crc_01 = "crc.pyc" nocase ascii wide
+          $py_crc_02 = "CRC16_MODBUS" ascii wide
+          $py_crc_03 = "Kotov Alaxander" nocase ascii wide
+          $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
+          $py_crc_05 = "crc16ret" ascii wide
+          $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
+          $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide  
+
+          $py_sh_01 = "sh.pyc" nocase ascii wide  
+
+          $py_keyword_01 = " FAILURE" ascii wide
+          $py_keyword_02 = "symbol table" nocase ascii wide  
+
+          $py_TRIDENT_01 = "inject.bin" ascii nocase wide
+          $py_TRIDENT_02 = "imain.bin" ascii nocase wide  
+
+      condition:
+          2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
+}

malware/MALW_shifu_shiz

+
+
+rule shifu_shiz {
+	meta:
+		description = "Memory string yara for Shifu/Shiz"
+		author = "J from THL <j@techhelplist.com>"
+		reference1 = "https://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
+		reference2 = "https://beta.virusbay.io/sample/browse/24a6dfaa98012a839658c143475a1e46"
+    reference3 = "https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/crime_shifu_trojan.yar"
+		date = "2018-03-16"
+		maltype1 = "Banker"
+		maltype2 = "Keylogger"
+		maltype3 = "Stealer"
+		filetype = "memory"
+
+	strings:
+		$aa = "auth_loginByPassword"	fullword ascii
+		$ab = "back_command"	fullword ascii
+		$ac = "back_custom1"	fullword ascii
+		$ad = "GetClipboardData"	fullword ascii
+		$ae = "iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe"	fullword ascii
+		$af = "mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe"	fullword ascii
+		$ag = "svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe"	fullword ascii
+		$ah = "!inject"	fullword ascii
+		$ai = "!deactivebc"	fullword ascii
+		$aj = "!kill_os"	fullword ascii
+		$ak = "!load"	fullword ascii
+		$al = "!new_config"	fullword ascii
+		$am = "!activebc"	fullword ascii
+		$an = "keylog.txt"	fullword ascii
+		$ao = "keys_path.txt"	fullword ascii
+		$ap = "pass.log"	fullword ascii
+		$aq = "passwords.txt"	fullword ascii
+		$ar = "Content-Disposition: form-data; name=\"file\"; filename=\"report\""	fullword ascii
+		$as = "Content-Disposition: form-data; name=\"pcname\""	fullword ascii
+		$at = "botid=%s&ver="	fullword ascii
+		$au = "action=auth&np=&login="	fullword ascii
+		$av = "&ctl00%24MainMenu%24Login1%24UserName="	fullword ascii
+		$aw = "&cvv="	fullword ascii
+		$ax = "&cvv2="	fullword ascii
+		$ay = "&domain="	fullword ascii
+		$az = "LOGIN_AUTHORIZATION_CODE="	fullword ascii
+		$ba = "name=%s&port=%u"	fullword ascii
+		$bb = "PeekNamedPipe"	fullword ascii
+		$bc = "[pst]"	fullword ascii
+		$bd = "[ret]"	fullword ascii
+		$be = "[tab]"	fullword ascii
+		$bf = "[bks]"	fullword ascii
+		$bg = "[del]"	fullword ascii
+		$bh = "[ins]"	fullword ascii
+		$bi = "&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d&cn="	fullword ascii
+
+	condition:
+		18 of them
+}

malware/MALW_sitrof_fortis_scar.yar

+rule sitrof_fortis_scar {
+
+    meta:
+        author = "J from THL <j@techhelplist.com>"
+        date = "2018/23"
+        reference1 = "https://www.virustotal.com/#/file/59ab6cb69712d82f3e13973ecc7e7d2060914cea6238d338203a69bac95fd96c/community"
+	reference2 = "ETPRO rule 2806032, ETPRO TROJAN Win32.Scar.hhrw POST"
+	version = 2
+        maltype = "Stealer"
+        filetype = "memory"
+
+    strings:
+	
+	$a = "?get&version"
+	$b = "?reg&ver="
+	$c = "?get&exe"
+	$d = "?get&download"
+	$e = "?get&module"
+	$f = "&ver="
+	$g = "&comp="
+	$h = "&addinfo="
+	$i = "%s@%s; %s %s \"%s\" processor(s)"
+	$j = "User-Agent: fortis"
+
+    condition:
+        6 of them
+}

malware/RANSOM_GPGQwerty.yar

+rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty
+
+{
+
+meta:
+
+author = "McAfee Labs"
+
+description = "Detect GPGQwerty ransomware"
+
+reference = "https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard/"
+
+strings:
+
+$a = "gpg.exe –recipient qwerty  -o"
+
+$b = "%s%s.%d.qwerty"
+
+$c = "del /Q /F /S %s$recycle.bin"
+
+$d = "cryz1@protonmail.com"
+
+condition:
+
+all of them
+
+}

malware/RANSOM_MS17-010_Wannacrypt.yar

@@ -298,3 +298,122 @@ rule WannaCry_SMB_Exploit
  condition:
  	uint16(0) == 0x5a4d and filesize < 4MB and all of them and pe.imports("ws2_32.dll", "connect") and pe.imports("ws2_32.dll", "send") and pe.imports("ws2_32.dll", "recv") and pe.imports("ws2_32.dll", "socket") and pe.imports("ws2_32.dll", "closesocket")
  }
+ 
+ rule wannacry_static_ransom : wannacry_static_ransom {
+
+meta:
+
+description = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants"
+
+author = "Blueliv"
+
+reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
+
+date = "2017-05-15"
+
+strings:
+
+$mutex01 = "Global\\MsWinZonesCacheCounterMutexA" ascii
+
+$lang01 = "m_bulgarian.wnr" ascii
+
+$lang02 = "m_vietnamese.wnry" ascii
+
+$startarg01 = "StartTask" ascii
+
+$startarg02 = "TaskStart" ascii
+
+$startarg03 = "StartSchedule" ascii
+
+$wcry01 = "WanaCrypt0r" ascii wide
+
+$wcry02 = "WANACRY" ascii
+
+$wcry03 = "WANNACRY" ascii
+
+$wcry04 = "WNCRYT" ascii wide
+
+$forig01 = ".wnry\x00" ascii
+
+$fvar01 = ".wry\x00" ascii
+
+condition:
+
+($mutex01 or any of ($lang*)) and ( $forig01 or all of ($fvar*) ) and any of ($wcry*) and any of ($startarg*)
+
+}
+
+rule wannacry_memory_ransom : wannacry_memory_ransom {
+
+meta:
+
+description = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants in memory"
+
+author = "Blueliv"
+
+reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
+
+date = "2017-05-15"
+
+strings:
+
+$s01 = "%08X.eky"
+
+$s02 = "%08X.pky"
+
+$s03 = "%08X.res"
+
+$s04 = "%08X.dky"
+
+$s05 = "@WanaDecryptor@.exe"
+
+condition:
+
+all of them
+
+}
+
+rule worm_ms17_010 : worm_ms17_010 {
+
+meta:
+
+description = "Detects Worm used during 2017-May-12th WannaCry campaign, which is based on ETERNALBLUE"
+
+author = "Blueliv"
+
+reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
+
+date = "2017-05-15"
+
+strings:
+
+$s01 = "__TREEID__PLACEHOLDER__" ascii
+
+$s02 = "__USERID__PLACEHOLDER__@" ascii
+
+$s03 = "SMB3"
+
+$s05 = "SMBu"
+
+$s06 = "SMBs"
+
+$s07 = "SMBr"
+
+$s08 = "%s -m security" ascii
+
+$s09 = "%d.%d.%d.%d"
+
+$payloadwin2000_2195 =
+
+"\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00"
+
+$payload2000_50 =
+
+"\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"
+
+condition:
+
+all of them
+
+}
+

malware/RANSOM_Petya_MS17_010

@@ -73,3 +73,22 @@ condition:
       and 9 of ($functions*)
       and 7 of ($cmd*)
 }         
+
+rule petya_eternalblue : petya_eternalblue {
+    meta:
+        author      = "blueliv"
+        description =  "Based on spreading petya version: 2017-06-28"
+        reference = "https://blueliv.com/petya-ransomware-cyber-attack-is-spreading-across-the-globe-part-2/"
+    strings:
+        /* Some commands executed by the Petya variant */
+       $cmd01 = "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%0" wide
+       $cmd02 = "shutdown.exe /r /f" wide
+       $cmd03 = "%s \\\\%s -accepteula -s" wide
+       $cmd04 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1" wide
+       /* Strings of encrypted files */
+       $str01 = "they have been encrypted. Perhaps you are busy looking" wide
+        /* MBR/VBR payload */
+        $mbr01 = {00 00 00 55 aa e9 ?? ??}
+    condition:
+        all of them
+}

malware/RANSOM_SamSam.yar

+import "pe"
+
+rule SAmSAmRansom2016 {
+   meta:
+      author = "Christiaan Beek"
+      date = "2018-01-25"
+      hash1 = "45e00fe90c8aa8578fce2b305840e368d62578c77e352974da6b8f8bc895d75b"
+      hash2 = "946dd4c4f3c78e7e4819a712c7fd6497722a3d616d33e3306a556a9dc99656f4"
+      hash3 = "979692a34201f9fc1e1c44654dc8074a82000946deedfdf6b8985827da992868"
+      hash4 = "939efdc272e8636fd63c1b58c2eec94cf10299cd2de30c329bd5378b6bbbd1c8"
+      hash5 = "a763ed678a52f77a7b75d55010124a8fccf1628eb4f7a815c6d635034227177e"
+      hash6 = "e682ac6b874e0a6cfc5ff88798315b2cb822d165a7e6f72a5eb74e6da451e155"
+      hash7 = "6bc2aa391b8ef260e79b99409e44011874630c2631e4487e82b76e5cb0a49307"
+      hash8 = "036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050"
+      hash9 = "ffef0f1c2df157e9c2ee65a12d5b7b0f1301c4da22e7e7f3eac6b03c6487a626"
+      hash10 = "89b4abb78970cd524dd887053d5bcd982534558efdf25c83f96e13b56b4ee805"
+      hash11 = "7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044"
+      hash12 = "0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac"
+      hash13 = "58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e"
+      
+   strings:
+      $x1 = "Could not list processes locking resource. Failed to get size of result." fullword wide
+      $s2 = "Could not list processes locking resource." fullword wide
+      $s3 = "samsam.del.exe" fullword ascii
+      $s4 = "samsam.exe" fullword wide
+      $s5 = "RM_UNIQUE_PROCESS" fullword ascii
+      $s6 = "KillProcessWithWait" fullword ascii
+      $s7 = "killOpenedProcessTree" fullword ascii
+      $s8 = "RM_PROCESS_INFO" fullword ascii
+      $s9 = "Exception caught in process: {0}" fullword wide
+      $s10 = "Could not begin restart session.  Unable to determine file locker." fullword wide
+      $s11 = "samsam.Properties.Resources.resources" fullword ascii
+      $s12 = "EncryptStringToBytes" fullword ascii
+      $s13 = "recursivegetfiles" fullword ascii
+      $s14 = "RSAEncryptBytes" fullword ascii
+      $s15 = "encryptFile" fullword ascii
+      $s16 = "samsam.Properties.Resources" fullword wide
+      $s17 = "TSSessionId" fullword ascii
+      $s18 = "Could not register resource." fullword wide
+      $s19 = "<recursivegetfiles>b__0" fullword ascii
+      $s20 = "create_from_resource" fullword ascii
+
+      $op0 = { 96 00 e0 00 29 00 0b 00 34 23 }
+      $op1 = { 96 00 12 04 f9 00 34 00 6c 2c }
+      $op2 = { 72 a5 0a 00 70 a2 06 20 94 }
+      
+   condition:
+      ( uint16(0) == 0x5a4d and
+        filesize < 700KB and
+        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and ( 1 of ($x*) and 4 of them ) and all of ($op*)
+      ) or ( all of them )
+}
+
+rule SamSam_Ransomware_Latest
+{
+   meta:
+      description = "Latest SamSA ransomware samples"
+      author = "Christiaan Beek"
+      reference = "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"
+      date = "2018-01-23"
+      hash1 = "e7bebd1b1419f42293732c70095f35c8310fa3afee55f1df68d4fe6bbee5397e"
+      hash2 = "72832db9b951663b8f322778440b8720ea95cde0349a1d26477edd95b3915479"
+      hash3 = "3531bb1077c64840b9c95c45d382448abffa4f386ad88e125c96a38166832252"
+      hash4 = "88d24b497cfeb47ec6719752f2af00c802c38e7d4b5d526311d552c6d5f4ad34"
+      hash5 = "8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab"
+      hash6 = "88e344977bf6451e15fe202d65471a5f75d22370050fe6ba4dfa2c2d0fae7828"
+
+   strings:
+      $s1 = "bedf08175d319a2f879fe720032d11e5" fullword wide
+      $s2 = "ksdghksdghkddgdfgdfgfd" fullword ascii
+      $s3 = "osieyrgvbsgnhkflkstesadfakdhaksjfgyjqqwgjrwgehjgfdjgdffg" fullword ascii
+      $s4 = "5c2d376c976669efaf9cb107f5a83d0c" fullword wide
+      $s5 = "B917754BCFE717EB4F7CE04A5B11A6351EEC5015" fullword ascii
+      $s6 = "f99e47c1d4ccb2b103f5f730f8eb598a" fullword wide
+      $s7 = "d2db284217a6e5596913e2e1a5b2672f" fullword wide
+      $s8 = "0bddb8acd38f6da118f47243af48d8af" fullword wide
+      $s9 = "f73623dcb4f62b0e5b9b4d83e1ee4323" fullword wide
+      $s10 = "916ab48e32e904b8e1b87b7e3ced6d55" fullword wide
+      $s11 = "c6e61622dc51e17195e4df6e359218a2" fullword wide
+      $s12 = "2a9e8d549af13031f6bf7807242ce27f" fullword wide
+      $s13 = "e3208957ad76d2f2e249276410744b29" fullword wide
+      $s14 = "b4d28bbd65da97431f494dd7741bee70" fullword wide
+      $s15 = "81ee346489c272f456f2b17d96365c34" fullword wide
+      $s16 = "94682debc6f156b7e90e0d6dc772734d" fullword wide
+      $s17 = "6943e17a989f11af750ea0441a713b89" fullword wide
+      $s18 = "b1c7e24b315ff9c73a9a89afac5286be" fullword wide
+      $s19 = "90928fd1250435589cc0150849bc0cff" fullword wide
+      $s20 = "67da807268764a7badc4904df351932e" fullword wide
+
+      $op0 = { 30 01 00 2b 68 79 33 38 68 34 77 65 36 34 74 72 }
+      $op1 = { 01 00 b2 04 00 00 01 00 84 }
+      $op2 = { 68 09 00 00 38 66 00 00 23 55 53 00 a0 6f 00 00 }
+
+   condition:
+      ( uint16(0) == 0x5a4d and
+        filesize < 100KB and
+        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and ( 8 of them ) and all of ($op*)
+      ) or ( all of them )
+}
+

malware/RANSOM_Sigma.yar

+
+rule sigma_ransomware {
+
+  meta:
+    author = "J from THL <j@techhelplist.com>"
+    date = "20180509"
+    reference1 = "https://www.virustotal.com/#/file/705ad78bf5503e6022f08da4c347afb47d4e740cfe6c39c08550c740c3be96ba"
+    reference2 = "https://www.virustotal.com/#/file/bb3533440c27a115878ae541aba3bda02d441f3ea1864b868862255aabb0c8ff"
+    version = 1
+    maltype = "Ransomware"
+    filetype = "memory"
+
+  strings:
+    $a = ".php?"
+    $b = "uid="
+    $c = "&uname="
+    $d = "&os="
+    $e = "&pcname="
+    $f = "&total="
+    $g = "&country="
+    $h = "&network="
+    $i = "&subid="
+
+  condition:
+    all of them
+}

malware/RAT_CrossRAT.yar

+import "hash" 
+
+global private rule javaarchive
+{
+    strings:
+        $magic = { 50 4b 03 04 ( 14 | 0a ) 00 }
+        $string_1 = "META-INF/"
+        $string_2 = ".class" nocase
+
+	condition:
+	    filesize < 400KB and
+        $magic at 0 and 1 of ($string_*)
+}
+
+rule CrossRAT: RAT
+{
+    meta:
+        description = "Detects CrossRAT known hash"
+        author = "Simon Sigre (simon.sigre@gmail.com)"
+        date = "26/01/2018"
+        ref = "https://simonsigre.com"
+        ref= "https://objective-see.com/blog/blog_0x28.html"
+
+    condition:
+        filesize < 400KB and
+        hash.md5(0, filesize) == "85b794e080d83a91e904b97769e1e770"
+}

malware/TOOLKIT_Powerstager.yar

+rule Powerstager
+{
+    meta:
+      author = "Jeff White - jwhite@paloaltonetworks.com @noottrak"
+      date = "02JAN2018"
+      hash1 = "758097319d61e2744fb6b297f0bff957c6aab299278c1f56a90fba197795a0fa" //x86
+      hash2 = "83e714e72d9f3c500cad610c4772eae6152a232965191f0125c1c6f97004b7b5" //x64
+      description = "Detects PowerStager Windows executable, both x86 and x64"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/"
+      reference2 = "https://github.com/z0noxz/powerstager"
+    
+    strings:
+      $filename = /%s\\[a-zA-Z0-9]{12}/
+      $pathname = "TEMP" wide ascii
+//    $errormsg = "The version of this file is not compatible with the version of Windows you're running." wide ascii
+      $filedesc = "Lorem ipsum dolor sit amet, consecteteur adipiscing elit" wide ascii
+      $apicall_01 = "memset"
+      $apicall_02 = "getenv"
+      $apicall_03 = "fopen"
+      $apicall_04 = "memcpy"
+      $apicall_05 = "fwrite"
+      $apicall_06 = "fclose"
+      $apicall_07 = "CreateProcessA"
+      $decoder_x86_01 = { 8D 95 [4] 8B 45 ?? 01 D0 0F B6 18 8B 4D ?? }
+      $decoder_x86_02 = { 89 C8 0F B6 84 05 [4] 31 C3 89 D9 8D 95 [4] 8B 45 ?? 01 D0 88 08 83 45 [2] 8B 45 ?? 3D }
+      $decoder_x64_01 = { 8B 85 [4] 48 98 44 0F [7] 8B 85 [4] 48 63 C8 48 }
+      $decoder_x64_02 = { 48 89 ?? 0F B6 [3-6] 44 89 C2 31 C2 8B 85 [4] 48 98 }
+
+    condition:
+      uint16be(0) == 0x4D5A
+        and
+      all of ($apicall_*)
+        and
+      $filename
+        and
+      $pathname
+        and
+      $filedesc
+        and
+      (2 of ($decoder_x86*) or 2 of ($decoder_x64*))
+}

malware_index.yar

 /*
 Generated by Yara-Rules
-On 13-11-2017
+On 06-02-2018
 */
-include "./malware/RAT_Bolonyokte.yar"
-include "./malware/APT_APT3102.yar"
-include "./malware/TOOLKIT_Pwdump.yar"
-include "./malware/RAT_Crimson.yar"
-include "./malware/APT_Oilrig.yar"
-include "./malware/APT_Ke3Chang_TidePool.yar"
-include "./malware/MALW_Naikon.yar"
+include "./malware/MALW_Intel_Virtualization.yar"
+include "./malware/RANSOM_Alpha.yar"
+include "./malware/MALW_Korplug.yar"
+include "./malware/TOOLKIT_Dubrute.yar"
+include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/MALW_Madness.yar"
+include "./malware/MALW_Retefe.yar"
+include "./malware/RANSOM_DMALocker.yar"
+include "./malware/RANSOM_Satana.yar"
+include "./malware/MALW_adwind_RAT.yar"
+include "./malware/MALW_AgentTesla.yar"
+include "./malware/APT_Greenbug.yar"
+include "./malware/RAT_Adwind.yar"
+include "./malware/RANSOM_Tox.yar"
+include "./malware/APT_Winnti.yar"
+include "./malware/MALW_Notepad.yar"
 include "./malware/MALW_Tinba.yar"
-include "./malware/MALW_FakeM.yar"
-include "./malware/MALW_IMuler.yar"
-include "./malware/APT_APT9002.yar"
-include "./malware/TOOLKIT_PassTheHash.yar"
-include "./malware/MALW_Ponmocup.yar"
+include "./malware/MALW_Torte_ELF.yar"
+include "./malware/APT_PCclient.yar"
+include "./malware/MALW_IcedID.yar"
+include "./malware/MALW_LinuxBew.yar"
+include "./malware/APT_Sofacy_Bundestag.yar"
+include "./malware/TOOLKIT_exe2hex_payload.yar"
+include "./malware/RAT_Hizor.yar"
+include "./malware/MALW_DiamondFox.yar"
+include "./malware/APT_APT3102.yar"
+include "./malware/MALW_Iexpl0ree.yar"
+include "./malware/RANSOM_Cryptolocker.yar"
+include "./malware/APT_Emissary.yar"
+include "./malware/MALW_Alina.yar"
+include "./malware/APT_Derusbi.yar"
+include "./malware/MALW_Kelihos.yar"
+include "./malware/RAT_FlyingKitten.yar"
+include "./malware/MALW_XMRIG_Miner.yar"
+include "./malware/RAT_NetwiredRC.yar"
+include "./malware/APT_Sofacy_Fysbis.yar"
+include "./malware/APT_fancybear_downdelph.yar"
+include "./malware/APT_Seaduke.yar"
+include "./malware/RAT_xRAT20.yar"
+include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
+include "./malware/MALW_Derkziel.yar"
+include "./malware/APT_Prikormka.yar"
+include "./malware/RAT_Shim.yar"
+include "./malware/MALW_F0xy.yar"
+include "./malware/APT_Grizzlybear_uscert.yar"
+include "./malware/RAT_Inocnation.yar"
+include "./malware/MALW_Rovnix.yar"
+include "./malware/APT_HackingTeam.yar"
+include "./malware/MALW_Miscelanea_Linux.yar"
+include "./malware/MALW_Miscelanea.yar"
 include "./malware/MALW_NetTraveler.yar"
+include "./malware/MALW_Pony.yar"
+include "./malware/MALW_Olyx.yar"
+include "./malware/MALW_T5000.yar"
+include "./malware/MALW_MiniAsp3_mem.yar"
+include "./malware/RANSOM_.CRYPTXXX.yar"
 include "./malware/POS_Easterjack.yar"
-include "./malware/RANSOM_PetrWrap.yar"
-include "./malware/MALW_Derkziel.yar"
-include "./malware/MALW_BlackRev.yar"
-include "./malware/MALW_Mailers.yar"
-include "./malware/APT_TradeSecret.yar"
-include "./malware/RAT_xRAT20.yar"
-include "./malware/APT_Sofacy_Bundestag.yar"
 include "./malware/RAT_Cerberus.yar"
-include "./malware/APT_furtim.yar"
-include "./malware/APT_Dubnium.yar"
-include "./malware/POS_BruteforcingBot.yar"
-include "./malware/APT_HackingTeam.yar"
+include "./malware/APT_Grasshopper.yar"
+include "./malware/MALW_LostDoor.yar"
+include "./malware/APT_OpDustStorm.yar"
+include "./malware/RAT_CrossRAT.yar"
+include "./malware/MALW_XOR_DDos.yar"
+include "./malware/RAT_xRAT.yar"
+include "./malware/APT_Ke3Chang_TidePool.yar"
+include "./malware/RAT_Ratdecoders.yar"
+include "./malware/MALW_TrickBot.yar"
+include "./malware/MALW_Furtim.yar"
+include "./malware/MALW_Jolob_Backdoor.yar"
+include "./malware/MALW_TRITON_HATMAN.yar"
+include "./malware/APT_APT29_Grizzly_Steppe.yar"
+include "./malware/MALW_Backoff.yar"
+include "./malware/MALW_FakeM.yar"
+include "./malware/APT_Sofacy_Jun16.yar"
+include "./malware/MALW_Virut_FileInfector_UNK_VERSION.yar"
 include "./malware/RAT_Bozok.yar"
-include "./malware/RANSOM_777.yar"
-include "./malware/RANSOM_Alpha.yar"
-include "./malware/MALW_Pony.yar"
-include "./malware/MALW_Safenet.yar"
-include "./malware/MALW_BackdoorSSH.yar"
-include "./malware/APT_Derusbi.yar"
-include "./malware/RAT_Glass.yar"
-include "./malware/MALW_Torte_ELF.yar"
-include "./malware/APT_OPCleaver.yar"
-include "./malware/MALW_Grozlex.yar"
-include "./malware/RAT_PlugX.yar"
-include "./malware/MALW_Upatre.yar"
-include "./malware/MALW_Intel_Virtualization.yar"
-include "./malware/APT_Cloudduke.yar"
-include "./malware/MALW_Empire.yar"
-include "./malware/RANSOM_Comodosec.yar"
-include "./malware/APT_Prikormka.yar"
-include "./malware/MALW_Boouset.yar"
-include "./malware/GEN_PowerShell.yar"
+include "./malware/POS_MalumPOS.yar"
+include "./malware/MALW_XHide.yar"
+include "./malware/TOOLKIT_Chinese_Hacktools.yar"
 include "./malware/RAT_DarkComet.yar"
-include "./malware/MALW_Chicken.yar"
-include "./malware/MALW_Lateral_Movement.yar"
-include "./malware/MALW_Emotet.yar"
-include "./malware/RAT_Ratdecoders.yar"
-include "./malware/MALW_PittyTiger.yar"
+include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Lenovo_Superfish.yar"
-include "./malware/APT_Hikit.yar"
-include "./malware/MALW_Korlia.yar"
-include "./malware/RAT_Sakula.yar"
-include "./malware/MALW_LuckyCat.yar"
-include "./malware/APT_Turla_RUAG.yar"
-include "./malware/MALW_Kovter.yar"
-include "./malware/APT_WildNeutron.yar"
 include "./malware/APT_LotusBlossom.yar"
-include "./malware/RANSOM_Crypren.yar"
-include "./malware/APT_WoolenGoldfish.yar"
-include "./malware/RAT_Inocnation.yar"
-include "./malware/MALW_Sakurel.yar"
-include "./malware/RAT_Xtreme.yar"
-include "./malware/APT_Blackenergy.yar"
-include "./malware/MALW_Stealer.yar"
-include "./malware/MALW_Retefe.yar"
-include "./malware/MALW_Fareit.yar"
-include "./malware/MALW_KINS.yar"
-include "./malware/MALW_Miancha.yar"
-include "./malware/MALW_Exploit_UAC_Elevators.yar"
-include "./malware/MALW_Furtim.yar"
-include "./malware/MALW_Cookies.yar"
+include "./malware/APT_APT1.yar"
+include "./malware/APT_Irontiger.yar"
+include "./malware/RANSOM_Comodosec.yar"
+include "./malware/MALW_Monero_Miner_installer.yar"
+include "./malware/RAT_Nanocore.yar"
+include "./malware/TOOLKIT_PassTheHash.yar"
+include "./malware/MALW_LURK0.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
+include "./malware/TOOLKIT_Powerstager.yar"
+include "./malware/APT_Unit78020.yar"
+include "./malware/APT_Waterbug.yar"
+include "./malware/APT_Scarab_Scieron.yar"
+include "./malware/APT_Hellsing.yar"
+include "./malware/MALW_Upatre.yar"
+include "./malware/APT_Codoso.yar"
+include "./malware/APT_Snowglobe_Babar.yar"
+include "./malware/MALW_Sendsafe.yar"
+include "./malware/APT_EQUATIONGRP.yar"
+include "./malware/APT_Minidionis.yar"
+include "./malware/MALW_Naspyupdate.yar"
+include "./malware/MALW_CAP_HookExKeylogger.yar"
+include "./malware/MALW_Rebirth_Vulcan_ELF.yar"
+include "./malware/MALW_BlackRev.yar"
 include "./malware/MALW_Surtr.yar"
-include "./malware/MALW_NionSpy.yar"
-include "./malware/APT_APT10.yar"
+include "./malware/MALW_Exploit_UAC_Elevators.yar"
+include "./malware/MALW_Cythosia.yar"
+include "./malware/MALW_Quarian.yar"
+include "./malware/APT_Pipcreat.yar"
+include "./malware/APT_fancybear_dnc.yar"
+include "./malware/APT_Stuxnet.yar"
+include "./malware/MALW_Gafgyt.yar"
+include "./malware/TOOLKIT_THOR_HackTools.yar"
+include "./malware/RAT_PoisonIvy.yar"
+include "./malware/POS_BruteforcingBot.yar"
+include "./malware/MALW_Ponmocup.yar"
+include "./malware/APT_KeyBoy.yar"
+include "./malware/APT_Turla_RUAG.yar"
+include "./malware/APT_FiveEyes.yar"
+include "./malware/MALW_LuckyCat.yar"
+include "./malware/MALW_Atmos.yar"
+include "./malware/MALW_Favorite.yar"
+include "./malware/MALW_Genome.yar"
+include "./malware/APT_Sphinx_Moth.yar"
+include "./malware/MALW_IotReaper.yar"
+include "./malware/APT_Bluetermite_Emdivi.yar"
+include "./malware/APT_TradeSecret.yar"
+include "./malware/APT_Turla_Neuron.yar"
+include "./malware/MALW_Hsdfihdf_banking.yar"
+include "./malware/MALW_LinuxHelios.yar"
+include "./malware/MALW_CAP_Win32Inet.yara"
+include "./malware/APT_OpPotao.yar"
+include "./malware/TOOLKIT_Gen_powerkatz.yar"
+include "./malware/MALW_PE_sections.yar"
+include "./malware/RAT_Terminator.yar"
+include "./malware/APT_UP007_SLServer.yar"
+include "./malware/MALW_Lateral_Movement.yar"
+include "./malware/APT_DeepPanda_Anthem.yar"
+include "./malware/MALW_Pyinstaller.yar"
+include "./malware/POS_Mozart.yar"
+include "./malware/APT_C16.yar"
+include "./malware/RANSOM_BadRabbit.yar"
 include "./malware/MALW_Warp.yar"
-include "./malware/RANSOM_Stampado.yar"
-include "./malware/Operation_Blockbuster/RomeoEcho.yara"
-include "./malware/Operation_Blockbuster/WhiskeyDelta.yara"
+include "./malware/MALW_Buzus_Softpulse.yar"
+include "./malware/MALW_Ezcob.yar"
+include "./malware/APT_Backspace.yar"
+include "./malware/APT_Passcv.yar"
+include "./malware/MALW_DirtJumper.yar"
+include "./malware/RANSOM_Crypren.yar"
+include "./malware/APT_FIN7.yar"
+include "./malware/Operation_Blockbuster/HotelAlfa.yara"
+include "./malware/Operation_Blockbuster/UniformAlfa.yara"
+include "./malware/Operation_Blockbuster/PapaAlfa.yara"
+include "./malware/Operation_Blockbuster/SierraAlfa.yara"
+include "./malware/Operation_Blockbuster/RomeoAlfa.yara"
 include "./malware/Operation_Blockbuster/RomeoHotel.yara"
-include "./malware/Operation_Blockbuster/IndiaCharlie.yara"
 include "./malware/Operation_Blockbuster/RomeoGolf_mod.yara"
-include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
-include "./malware/Operation_Blockbuster/IndiaHotel.yara"
-include "./malware/Operation_Blockbuster/LimaAlfa.yara"
+include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
+include "./malware/Operation_Blockbuster/LimaBravo.yara"
 include "./malware/Operation_Blockbuster/KiloAlfa.yara"
-include "./malware/Operation_Blockbuster/UniformJuliett.yara"
-include "./malware/Operation_Blockbuster/SierraAlfa.yara"
-include "./malware/Operation_Blockbuster/RomeoAlfa.yara"
-include "./malware/Operation_Blockbuster/HotelAlfa.yara"
 include "./malware/Operation_Blockbuster/SierraJuliettMikeOne.yara"
-include "./malware/Operation_Blockbuster/IndiaWhiskey.yara"
-include "./malware/Operation_Blockbuster/SierraBravo.yara"
-include "./malware/Operation_Blockbuster/WhiskeyAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaJuliett.yara"
+include "./malware/Operation_Blockbuster/LimaAlfa.yara"
+include "./malware/Operation_Blockbuster/WhiskeyDelta.yara"
 include "./malware/Operation_Blockbuster/WhiskeyBravo_mod.yara"
-include "./malware/Operation_Blockbuster/IndiaEcho.yara"
-include "./malware/Operation_Blockbuster/RomeoBravo.yara"
-include "./malware/Operation_Blockbuster/UniformAlfa.yara"
-include "./malware/Operation_Blockbuster/LimaBravo.yara"
-include "./malware/Operation_Blockbuster/IndiaGolf.yara"
-include "./malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara"
-include "./malware/Operation_Blockbuster/cert_wiper.yara"
-include "./malware/Operation_Blockbuster/PapaAlfa.yara"
-include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
-include "./malware/Operation_Blockbuster/SierraCharlie.yara"
-include "./malware/Operation_Blockbuster/IndiaBravo.yara"
+include "./malware/Operation_Blockbuster/SierraBravo.yara"
 include "./malware/Operation_Blockbuster/LimaCharlie.yara"
-include "./malware/Operation_Blockbuster/LimaDelta.yara"
+include "./malware/Operation_Blockbuster/RomeoBravo.yara"
 include "./malware/Operation_Blockbuster/TangoBravo.yara"
-include "./malware/Operation_Blockbuster/suicidescripts.yara"
+include "./malware/Operation_Blockbuster/IndiaHotel.yara"
+include "./malware/Operation_Blockbuster/UniformJuliett.yara"
 include "./malware/Operation_Blockbuster/RomeoDelta.yara"
-include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
-include "./malware/Operation_Blockbuster/IndiaJuliett.yara"
-include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
 include "./malware/Operation_Blockbuster/general.yara"
+include "./malware/Operation_Blockbuster/suicidescripts.yara"
+include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
+include "./malware/Operation_Blockbuster/IndiaGolf.yara"
 include "./malware/Operation_Blockbuster/IndiaDelta.yara"
-include "./malware/Operation_Blockbuster/WhiskeyCharlie.yara"
-include "./malware/Operation_Blockbuster/sharedcode.yara"
+include "./malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara"
+include "./malware/Operation_Blockbuster/WhiskeyAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaCharlie.yara"
+include "./malware/Operation_Blockbuster/IndiaEcho.yara"
+include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
+include "./malware/Operation_Blockbuster/IndiaBravo.yara"
 include "./malware/Operation_Blockbuster/TangoAlfa.yara"
-include "./malware/RAT_ZoxPNG.yar"
-include "./malware/MALW_Cloaking.yar"
-include "./malware/POS_LogPOS.yar"
-include "./malware/APT_Bestia.yar"
-include "./malware/TOOLKIT_Dubrute.yar"
-include "./malware/MALW_Kraken.yar"
-include "./malware/MALW_Olyx.yar"
-include "./malware/MALW_DirtJumper.yar"
-include "./malware/MALW_LURK0.yar"
-include "./malware/MALW_MiniAsp3_mem.yar"
-include "./malware/MALW_Bangat.yar"
-include "./malware/MALW_Regsubdat.yar"
-include "./malware/APT_Hellsing.yar"
-include "./malware/APT_Industroyer.yar"
-include "./malware/APT_Bluetermite_Emdivi.yar"
-include "./malware/MALW_Elknot.yar"
-include "./malware/MALW_TrickBot.yar"
-include "./malware/APT_APT17.yar"
-include "./malware/MALW_Magento_backend.yar"
-include "./malware/RAT_PoisonIvy.yar"
-include "./malware/APT_DeepPanda_Anthem.yar"
-include "./malware/APT_Pipcreat.yar"
-include "./malware/MALW_Notepad.yar"
-include "./malware/POS_Bernhard.yar"
-include "./malware/RANSOM_GoldenEye.yar"
-include "./malware/RAT_Shim.yar"
-include "./malware/RANSOM_DMALocker.yar"
-include "./malware/MALW_Athena.yar"
-include "./malware/POS.yar"
-include "./malware/RAT_BlackShades.yar"
-include "./malware/RAT_Adwind.yar"
-include "./malware/APT_Winnti.yar"
-include "./malware/MALW_Odinaff.yar"
-include "./malware/RANSOM_.CRYPTXXX.yar"
-include "./malware/APT_Duqu2.yar"
-include "./malware/RAT_NetwiredRC.yar"
-include "./malware/APT_Shamoon_StoneDrill.yar"
-include "./malware/MALW_adwind_RAT.yar"
-include "./malware/APT_eqgrp_apr17.yar"
-include "./malware/APT_DeputyDog.yar"
-include "./malware/RAT_FlyingKitten.yar"
-include "./malware/RANSOM_Tox.yar"
-include "./malware/APT_Equation.yar"
-include "./malware/APT_Mongall.yar"
-include "./malware/APT_FIN7.yar"
-include "./malware/RAT_Adzok.yar"
-include "./malware/RANSOM_Petya.yar"
-include "./malware/MALW_OSX_Leverage.yar"
+include "./malware/Operation_Blockbuster/IndiaWhiskey.yara"
+include "./malware/Operation_Blockbuster/WhiskeyCharlie.yara"
+include "./malware/Operation_Blockbuster/SierraCharlie.yara"
+include "./malware/Operation_Blockbuster/sharedcode.yara"
+include "./malware/Operation_Blockbuster/RomeoEcho.yara"
+include "./malware/Operation_Blockbuster/cert_wiper.yara"
+include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
+include "./malware/Operation_Blockbuster/LimaDelta.yara"
+include "./malware/MALW_NSFree.yar"
+include "./malware/RAT_Gholee.yar"
+include "./malware/MALW_KINS.yar"
+include "./malware/RANSOM_Locky.yar"
+include "./malware/MALW_TreasureHunt.yar"
+include "./malware/RAT_Glass.yar"
 include "./malware/POS_FastPOS.yar"
-include "./malware/APT_Terracota.yar"
-include "./malware/APT_APT29_Grizzly_Steppe.yar"
-include "./malware/MALW_Glasses.yar"
-include "./malware/APT_Irontiger.yar"
-include "./malware/MALW_Jolob_Backdoor.yar"
-include "./malware/MALW_Install11.yar"
-include "./malware/APT_Regin.yar"
-include "./malware/RAT_ShadowTech.yar"
-include "./malware/RANSOM_Cryptolocker.yar"
 include "./malware/APT_Casper.yar"
-include "./malware/MALW_XOR_DDos.yar"
-include "./malware/MALW_LuaBot.yar"
-include "./malware/APT_ThreatGroup3390.yar"
-include "./malware/POS_MalumPOS.yar"
-include "./malware/APT_Carbanak.yar"
-include "./malware/MALW_Genome.yar"
-include "./malware/MALW_DiamondFox.yar"
-include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/MALW_Athena.yar"
+include "./malware/RAT_Xtreme.yar"
+include "./malware/EXPERIMENTAL_Beef.yar"
 include "./malware/MALW_Dexter.yar"
-include "./malware/RAT_Terminator.yar"
-include "./malware/MALW_CAP_HookExKeylogger.yar"
-include "./malware/RANSOM_Cerber.yar"
-include "./malware/APT_APT1.yar"
-include "./malware/MALW_Citadel.yar"
-include "./malware/MALW_Zeus.yar"
-include "./malware/APT_Sofacy_Fysbis.yar"
-include "./malware/RANSOM_Erebus.yar"
-include "./malware/TOOLKIT_Gen_powerkatz.yar"
-include "./malware/RANSOM_DoublePulsar_Petya.yar"
-include "./malware/MALW_AZORULT.yar"
-include "./malware/MALW_Scarhikn.yar"
-include "./malware/MALW_Ezcob.yar"
-include "./malware/APT_CrashOverride.yar"
-include "./malware/RAT_xRAT.yar"
-include "./malware/MALW_Sqlite.yar"
-include "./malware/MALW_Alina.yar"
-include "./malware/MALW_Quarian.yar"
-include "./malware/MALW_Bublik.yar"
-include "./malware/MALW_Buzus_Softpulse.yar"
-include "./malware/APT_Molerats.yar"
-include "./malware/MALW_Magento_suspicious.yar"
-include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
-include "./malware/MALW_Magento_frontend.yar"
-include "./malware/APT_PCclient.yar"
-include "./malware/MALW_Atmos.yar"
-include "./malware/APT_Unit78020.yar"
+include "./malware/MALW_Cloaking.yar"
+include "./malware/MALW_Volgmer.yar"
 include "./malware/MALW_Zegost.yar"
-include "./malware/MALW_LinuxMoose.yar"
-include "./malware/MALW_Tedroo.yar"
-include "./malware/MALW_PubSab.yar"
-include "./malware/APT_Greenbug.yar"
-include "./malware/MALW_Miscelanea_Linux.yar"
-include "./malware/TOOLKIT_THOR_HackTools.yar"
-include "./malware/APT_UP007_SLServer.yar"
-include "./malware/APT_Seaduke.yar"
-include "./malware/MALW_Mirai.yar"
-include "./malware/MALW_Gozi.yar"
-include "./malware/APT_Emissary.yar"
-include "./malware/MALW_Hsdfihdf_banking.yar"
-include "./malware/MALW_Shamoon.yar"
-include "./malware/APT_Careto.yar"
-include "./malware/APT_Codoso.yar"
-include "./malware/MALW_xDedic_marketplace.yar"
-include "./malware/MALW_Wimmie.yar"
-include "./malware/MALW_Sendsafe.yar"
-include "./malware/MALW_Andromeda.yar"
-include "./malware/APT_Backspace.yar"
-include "./malware/APT_fancybear_downdelph.yar"
-include "./malware/APT_Snowglobe_Babar.yar"
-include "./malware/RANSOM_Locky.yar"
+include "./malware/RAT_PlugX.yar"
+include "./malware/RANSOM_Petya.yar"
+include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
+include "./malware/MALW_Miancha.yar"
+include "./malware/MALW_Grozlex.yar"
+include "./malware/RAT_Adzok.yar"
+include "./malware/MALW_MacControl.yar"
+include "./malware/MALW_Kovter.yar"
+include "./malware/MALW_Corkow.yar"
+include "./malware/APT_HiddenCobra.yar"
+include "./malware/MALW_Urausy.yar"
+include "./malware/MALW_Cookies.yar"
+include "./malware/APT_Molerats.yar"
+include "./malware/APT_Terracota.yar"
+include "./malware/RANSOM_DoublePulsar_Petya.yar"
+include "./malware/RAT_ZoxPNG.yar"
 include "./malware/MALW_Cxpid.yar"
-include "./malware/APT_OpClandestineWolf.yar"
-include "./malware/APT_KeyBoy.yar"
-include "./malware/MALW_Miscelanea.yar"
-include "./malware/APT_EQUATIONGRP.yar"
-include "./malware/MALW_NSFree.yar"
+include "./malware/APT_APT9002.yar"
+include "./malware/APT_Dubnium.yar"
+include "./malware/MALW_Emotet.yar"
+include "./malware/MALW_Yayih.yar"
 include "./malware/MALW_BlackWorm.yar"
-include "./malware/MALW_Corkow.yar"
 include "./malware/TOOLKIT_FinFisher_.yar"
+include "./malware/MALW_NionSpy.yar"
+include "./malware/APT_OPCleaver.yar"
+include "./malware/APT_WoolenGoldfish.yar"
+include "./malware/APT_Blackenergy.yar"
+include "./malware/MALW_Sakurel.yar"
+include "./malware/MALW_Scarhikn.yar"
+include "./malware/MALW_PubSab.yar"
+include "./malware/RAT_BlackShades.yar"
+include "./malware/MALW_Bublik.yar"
+include "./malware/MALW_FALLCHILL.yar"
+include "./malware/MALW_Andromeda.yar"
+include "./malware/MALW_AZORULT.yar"
+include "./malware/RAT_Crimson.yar"
+include "./malware/APT_NGO.yar"
+include "./malware/MALW_DDoSTf.yar"
+include "./malware/MALW_Safenet.yar"
+include "./malware/APT_PutterPanda.yar"
+include "./malware/MALW_Wabot.yar"
+include "./malware/MALW_Fareit.yar"
+include "./malware/APT_Regin.yar"
+include "./malware/TOOLKIT_Pwdump.yar"
+include "./malware/MALW_Skeleton.yar"
+include "./malware/MALW_LuaBot.yar"
+include "./malware/RAT_Bolonyokte.yar"
 include "./malware/APT_CheshireCat.yar"
-include "./malware/TOOLKIT_exe2hex_payload.yar"
-include "./malware/MALW_Naspyupdate.yar"
-include "./malware/MALW_Elex.yar"
-include "./malware/RAT_Gh0st.yar"
-include "./malware/APT_OpDustStorm.yar"
-include "./malware/APT_fancybear_dnc.yar"
-include "./malware/MALW_LinuxHelios.yar"
-include "./malware/APT_C16.yar"
-include "./malware/MALW_Sayad.yar"
-include "./malware/APT_HiddenCobra.yar"
-include "./malware/MALW_Iexpl0ree.yar"
-include "./malware/MALW_Trumpbot.yar"
-include "./malware/MALW_MacControl.yar"
-include "./malware/APT_Sofacy_Jun16.yar"
-include "./malware/MALW_Favorite.yar"
-include "./malware/RAT_jRAT.yar"
+include "./malware/POS_LogPOS.yar"
+include "./malware/MALW_Chicken.yar"
+include "./malware/MALW_Magento_backend.yar"
+include "./malware/MALW_Spora.yar"
+include "./malware/MALW_Magento_suspicious.yar"
+include "./malware/MALW_Empire.yar"
+include "./malware/MALW_Mirai.yar"
+include "./malware/APT_RemSec.yar"
 include "./malware/RAT_CyberGate.yar"
+include "./malware/MALW_Mailers.yar"
+include "./malware/MALW_Mirai_Satori_ELF.yar"
+include "./malware/MALW_Httpsd_ELF.yar"
+include "./malware/APT_CrashOverride.yar"
+include "./malware/MALW_Boouset.yar"
+include "./malware/MALW_Glasses.yar"
+include "./malware/APT_Poseidon_Group.yar"
+include "./malware/MALW_Shamoon.yar"
+include "./malware/RANSOM_Cerber.yar"
+include "./malware/APT_eqgrp_apr17.yar"
+include "./malware/MALW_Odinaff.yar"
+include "./malware/MALW_TRITON_ICS_FRAMEWORK.yar"
+include "./malware/APT_Equation.yar"
 include "./malware/MALW_Hajime.yar"
-include "./malware/APT_Kaba.yar"
-include "./malware/MALW_LinuxBew.yar"
-include "./malware/APT_Minidionis.yar"
-include "./malware/MALW_Enfal.yar"
-include "./malware/APT_Grasshopper.yar"
-include "./malware/MALW_F0xy.yar"
-include "./malware/MALW_Kelihos.yar"
-include "./malware/MALW_Cythosia.yar"
-include "./malware/APT_NGO.yar"
-include "./malware/EXPERIMENTAL_Beef.yar"
-include "./malware/POS_Mozart.yar"
-include "./malware/MALW_Madness.yar"
-include "./malware/MALW_viotto_keylogger.yar"
-include "./malware/RAT_Indetectables.yar"
+include "./malware/APT_Carbanak.yar"
+include "./malware/POS_Bernhard.yar"
+include "./malware/APT_Industroyer.yar"
+include "./malware/MALW_Wimmie.yar"
+include "./malware/MALW_Kraken.yar"
+include "./malware/RAT_ShadowTech.yar"
+include "./malware/APT_ThreatGroup3390.yar"
+include "./malware/MALW_Naikon.yar"
+include "./malware/APT_Careto.yar"
+include "./malware/RANSOM_GoldenEye.yar"
+include "./malware/MALW_Gozi.yar"
+include "./malware/MALW_Bangat.yar"
 include "./malware/RAT_Njrat.yar"
-include "./malware/MALW_Korplug.yar"
-include "./malware/MALW_Backoff.yar"
-include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
-include "./malware/MALW_PyPI.yar"
-include "./malware/TOOLKIT_Wineggdrop.yar"
+include "./malware/MALW_Magento_frontend.yar"
 include "./malware/RAT_Havex.yar"
-include "./malware/APT_Passcv.yar"
-include "./malware/APT_Waterbug.yar"
-include "./malware/APT_Platinum.yar"
-include "./malware/MALW_PE_sections.yar"
-include "./malware/APT_Sphinx_Moth.yar"
-include "./malware/RAT_Hizor.yar"
-include "./malware/APT_Mirage.yar"
-include "./malware/MALW_LostDoor.yar"
-include "./malware/MALW_Vidgrab.yar"
-include "./malware/MALW_DDoSTf.yar"
-include "./malware/APT_Grizzlybear_uscert.yar"
-include "./malware/MALW_T5000.yar"
-include "./malware/MALW_TreasureHunt.yar"
-include "./malware/RAT_Nanocore.yar"
-include "./malware/MALW_Skeleton.yar"
-include "./malware/APT_Scarab_Scieron.yar"
-include "./malware/APT_FiveEyes.yar"
+include "./malware/APT_furtim.yar"
+include "./malware/RAT_Indetectables.yar"
+include "./malware/MALW_Enfal.yar"
+include "./malware/RAT_Gh0st.yar"
+include "./malware/RANSOM_777.yar"
+include "./malware/RANSOM_Stampado.yar"
+include "./malware/APT_Kaba.yar"
+include "./malware/MALW_Regsubdat.yar"
+include "./malware/MALW_PittyTiger.yar"
+include "./malware/APT_WildNeutron.yar"
+include "./malware/APT_APT10.yar"
+include "./malware/RAT_jRAT.yar"
 include "./malware/APT_Windigo_Onimiki.yar"
-include "./malware/MALW_Shifu.yar"
-include "./malware/TOOLKIT_Chinese_Hacktools.yar"
-include "./malware/MALW_Urausy.yar"
-include "./malware/MALW_CAP_Win32Inet.yara"
-include "./malware/RAT_Gholee.yar"
-include "./malware/APT_Poseidon_Group.yar"
-include "./malware/APT_OpPotao.yar"
-include "./malware/MALW_Virut_FileInfector_UNK_VERSION.yar"
+include "./malware/MALW_OSX_Leverage.yar"
+include "./malware/MALW_BackdoorSSH.yar"
 include "./malware/MALW_Batel.yar"
-include "./malware/MALW_Rooter.yar"
-include "./malware/MALW_IotReaper.yar"
-include "./malware/APT_PutterPanda.yar"
-include "./malware/MALW_Pyinstaller.yar"
-include "./malware/RANSOM_Satana.yar"
-include "./malware/MALW_Rovnix.yar"
-include "./malware/MALW_Spora.yar"
-include "./malware/MALW_Wabot.yar"
-include "./malware/MALW_Gafgyt.yar"
-include "./malware/APT_Stuxnet.yar"
-include "./malware/MALW_Yayih.yar"
-include "./malware/RANSOM_BadRabbit.yar"
+include "./malware/APT_Platinum.yar"
+include "./malware/MALW_LinuxMoose.yar"
+include "./malware/MALW_Install11.yar"
+include "./malware/APT_Shamoon_StoneDrill.yar"
+include "./malware/APT_Mirage.yar"
+include "./malware/RANSOM_Erebus.yar"
+include "./malware/POS.yar"
 include "./malware/MALW_Rockloader.yar"
+include "./malware/MALW_Sayad.yar"
+include "./malware/RAT_Sakula.yar"
+include "./malware/APT_Hikit.yar"
+include "./malware/MALW_Tedroo.yar"
+include "./malware/APT_Mongall.yar"
+include "./malware/APT_Oilrig.yar"
+include "./malware/MALW_IMuler.yar"
+include "./malware/MALW_Korlia.yar"
+include "./malware/MALW_Rooter.yar"
+include "./malware/APT_DeputyDog.yar"
+include "./malware/APT_Cloudduke.yar"
+include "./malware/MALW_Shifu.yar"
+include "./malware/APT_Bestia.yar"
+include "./malware/MALW_xDedic_marketplace.yar"
+include "./malware/MALW_Zeus.yar"
+include "./malware/MALW_Vidgrab.yar"
+include "./malware/MALW_Citadel.yar"
+include "./malware/TOOLKIT_Wineggdrop.yar"
+include "./malware/APT_Duqu2.yar"
+include "./malware/MALW_Elex.yar"
+include "./malware/GEN_PowerShell.yar"
+include "./malware/APT_APT17.yar"
+include "./malware/MALW_Elknot.yar"
+include "./malware/MALW_Stealer.yar"
+include "./malware/MALW_Trumpbot.yar"
+include "./malware/APT_OpClandestineWolf.yar"
+include "./malware/MALW_Mirai_Okiru_ELF.yar"
+include "./malware/RANSOM_PetrWrap.yar"
+include "./malware/MALW_Sqlite.yar"
+include "./malware/MALW_viotto_keylogger.yar"