Fixing issues

parent 9d49e981
......@@ -7,8 +7,8 @@ rule Fake_it_maintenance_bulletin : mail
$eml_1="From:"
$eml_2="To:"
$eml_3="Subject:"
$subject1={49 54 20 53 45 52 56 49 43 45 20 4d 61 69 6e 74 65 6e 61 6e 63 65 20 42 75 6c 6c 65 74 69 6e [1-20] } //Range is for varying date of "notification"
$subject2={44 45 53 43 52 49 50 54 49 4f 4e 3a 20 53 65 72 76 65 72 20 55 70 67 72 61 64 65 20 4d 61 69 6e 74 65 6e 61 6e 63 65 [1-20]} //Range is for server name varriation
$subject1={49 54 20 53 45 52 56 49 43 45 20 4d 61 69 6e 74 65 6e 61 6e 63 65 20 42 75 6c 6c 65 74 69 6e} //Range is for varying date of "notification"
$subject2={44 45 53 43 52 49 50 54 49 4f 4e 3a 20 53 65 72 76 65 72 20 55 70 67 72 61 64 65 20 4d 61 69 6e 74 65 6e 61 6e 63 65} //Range is for server name varriation
$body1="Message prompted from IT Helpdesk Support" nocase
$body2="We are currently undergoing server maintenance upgrade" nocase
$body3="Upgrade is to improve our security and new mail experience" nocase
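Review bot: The comments on the two new `$subject` lines still read "Range is for varying date of notification" and "Range is for server name varriation", but the `[1-20]` jumps those comments describe were removed in this change, so both comments are now stale (the same applies to the new `$body2` line in the Email_quota_limit_warning hunk, whose "Range allows for different quota sizes" comment no longer describes the pattern). Either drop the comments or replace them with one that matches the new pattern, e.g. `// Fixed subject prefix; the date/server name that follows is deliberately not matched`, so the next editor does not reintroduce a trailing jump. With the jumps gone the two patterns are plain ASCII (`IT SERVICE Maintenance Bulletin` and `DESCRIPTION: Server Upgrade Maintenance`) and could be written as text strings like the `$body*` lines, e.g. `$subject1="IT SERVICE Maintenance Bulletin" nocase`; the hex form is case-sensitive, so a lure that only changes letter case would not be caught. The rule's opening line and `meta` section are outside the hunk.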
......@@ -18,7 +18,7 @@ rule Fake_it_maintenance_bulletin : mail
$body7="Thanks,/n OWA - IT Helpdesk Service" nocase
condition:
All of ($eml_*)and
all of ($eml_*)and
1 of ($subject*) and
4 of ($body*)
}
......@@ -16,7 +16,7 @@ rule Email_quota_limit_warning : mail
$subject1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 } // Range allows for different company names to be accepted
$hello1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 }
$body1="You have exceded" nocase
$body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 [0-4] } //Range allows for different quota "upgrade" sizes
$body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 } //Range allows for different quota "upgrade" sizes
$body3="requested to expand it within 24 hours" nocase
$body4="e-mail account will be disable from our database" nocase
$body5="simply click with the complete information" nocase
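Review bot: `$hello1` is byte-for-byte the same hex pattern as `$subject1` on the line above it (`Dear [0-11] Account Users`), so whichever of the two the condition references, the other is redundant; the condition is outside this hunk, so confirm which one is used before removing the other. With the `[0-4]` jump removed, the new `$body2` decodes to the plain text `e-mail account limit quota of` and could be written as a text string with `nocase`, consistent with `$body1` and `$body3`, e.g. `$body2="e-mail account limit quota of" nocase`, rather than a case-sensitive hex string. The rule header is outside the hunk.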
......
......@@ -16,3 +16,4 @@ rule screenlocker_acroware {
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB ) and all of them
}
......@@ -2946,21 +2946,6 @@ rule mimikatz_lsass_mdmp
(uint32(0) == 0x504d444d) and $lsass
}
rule mimikatz_kirbi_ticket
{
meta:
description = "KiRBi ticket for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
condition:
$asn1 at 0
}
rule wce
{
meta:
......