Merge branch 'master' into master

antidebug_antivm_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./antidebug_antivm/antidebug_antivm.yar"

capabilities_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./capabilities/capabilities.yar"

crypto_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./crypto/crypto_signatures.yar"

cve_rules_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./cve_rules/CVE-2010-0805.yar"
 include "./cve_rules/CVE-2010-0887.yar"

email_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./email/EMAIL_Cryptowall.yar"
 include "./email/Email_fake_it_maintenance_bulletin.yar"

exploit_kits_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./exploit_kits/EK_Angler.yar"
 include "./exploit_kits/EK_Blackhole.yar"

index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./antidebug_antivm/antidebug_antivm.yar"
 include "./capabilities/capabilities.yar"
@@ -58,6 +58,7 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
 include "./maldocs/Maldoc_UserForm.yar"
 include "./maldocs/Maldoc_VBA_macro_code.yar"
 include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_hancitor_dropper.yar"
 include "./maldocs/Maldoc_malrtf_ole2link.yar"
 include "./maldocs/maldoc_somerules.yar"
 include "./malware/000_common_rules.yar"
@@ -110,6 +111,7 @@ include "./malware/APT_Minidionis.yar"
 include "./malware/APT_Mirage.yar"
 include "./malware/APT_Molerats.yar"
 include "./malware/APT_Mongall.yar"
+include "./malware/APT_MoonlightMaze.yar"
 include "./malware/APT_NGO.yar"
 include "./malware/APT_OPCleaver.yar"
 include "./malware/APT_Oilrig.yar"
@@ -123,8 +125,11 @@ include "./malware/APT_Platinum.yar"
 include "./malware/APT_Poseidon_Group.yar"
 include "./malware/APT_Prikormka.yar"
 include "./malware/APT_PutterPanda.yar"
+include "./malware/APT_RedLeaves.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_RemSec.yar"
+include "./malware/APT_Sauron.yar"
+include "./malware/APT_Sauron_extras.yar"
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
 include "./malware/APT_Shamoon_StoneDrill.yar"
@@ -186,6 +191,7 @@ include "./malware/MALW_Derkziel.yar"
 include "./malware/MALW_Dexter.yar"
 include "./malware/MALW_DiamondFox.yar"
 include "./malware/MALW_DirtJumper.yar"
+include "./malware/MALW_Eicar.yar"
 include "./malware/MALW_Elex.yar"
 include "./malware/MALW_Elknot.yar"
 include "./malware/MALW_Emotet.yar"
@@ -311,6 +317,7 @@ include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
 include "./malware/MALW_hancitor.yar"
+include "./malware/MALW_kirbi_mimikatz.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"
@@ -388,13 +395,22 @@ include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
 include "./malware/RANSOM_Maze.yar"
 include "./malware/RANSOM_PetrWrap.yar"
 include "./malware/RANSOM_Petya.yar"
+include "./malware/RANSOM_Petya_MS17_010.yar"
+include "./malware/RANSOM_Pico.yar"
 include "./malware/RANSOM_SamSam.yar"
 include "./malware/RANSOM_Satana.yar"
+include "./malware/RANSOM_Shiva.yar"
 include "./malware/RANSOM_Sigma.yar"
 include "./malware/RANSOM_Snake.yar"
 include "./malware/RANSOM_Stampado.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
 include "./malware/RANSOM_Tox.yar"
+include "./malware/RANSOM_acroware.yar"
+include "./malware/RANSOM_jeff_dev.yar"
+include "./malware/RANSOM_locdoor.yar"
+include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
+include "./malware/RANSOM_shrug2.yar"
+include "./malware/RANSOM_termite.yar"
 include "./malware/RAT_Adwind.yar"
 include "./malware/RAT_Adzok.yar"
 include "./malware/RAT_Asyncrat.yar"
@@ -418,6 +434,7 @@ include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
 include "./malware/RAT_Nanocore.yar"
 include "./malware/RAT_NetwiredRC.yar"
 include "./malware/RAT_Njrat.yar"
+include "./malware/RAT_Orcus.yar"
 include "./malware/RAT_PlugX.yar"
 include "./malware/RAT_PoetRATDoc.yar"
 include "./malware/RAT_PoetRATPython.yar"

index_w_mobile.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./antidebug_antivm/antidebug_antivm.yar"
 include "./capabilities/capabilities.yar"
@@ -58,6 +58,7 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
 include "./maldocs/Maldoc_UserForm.yar"
 include "./maldocs/Maldoc_VBA_macro_code.yar"
 include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_hancitor_dropper.yar"
 include "./maldocs/Maldoc_malrtf_ole2link.yar"
 include "./maldocs/maldoc_somerules.yar"
 include "./malware/000_common_rules.yar"
@@ -110,6 +111,7 @@ include "./malware/APT_Minidionis.yar"
 include "./malware/APT_Mirage.yar"
 include "./malware/APT_Molerats.yar"
 include "./malware/APT_Mongall.yar"
+include "./malware/APT_MoonlightMaze.yar"
 include "./malware/APT_NGO.yar"
 include "./malware/APT_OPCleaver.yar"
 include "./malware/APT_Oilrig.yar"
@@ -123,8 +125,11 @@ include "./malware/APT_Platinum.yar"
 include "./malware/APT_Poseidon_Group.yar"
 include "./malware/APT_Prikormka.yar"
 include "./malware/APT_PutterPanda.yar"
+include "./malware/APT_RedLeaves.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_RemSec.yar"
+include "./malware/APT_Sauron.yar"
+include "./malware/APT_Sauron_extras.yar"
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
 include "./malware/APT_Shamoon_StoneDrill.yar"
@@ -186,6 +191,7 @@ include "./malware/MALW_Derkziel.yar"
 include "./malware/MALW_Dexter.yar"
 include "./malware/MALW_DiamondFox.yar"
 include "./malware/MALW_DirtJumper.yar"
+include "./malware/MALW_Eicar.yar"
 include "./malware/MALW_Elex.yar"
 include "./malware/MALW_Elknot.yar"
 include "./malware/MALW_Emotet.yar"
@@ -311,6 +317,7 @@ include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
 include "./malware/MALW_hancitor.yar"
+include "./malware/MALW_kirbi_mimikatz.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"
@@ -388,13 +395,22 @@ include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
 include "./malware/RANSOM_Maze.yar"
 include "./malware/RANSOM_PetrWrap.yar"
 include "./malware/RANSOM_Petya.yar"
+include "./malware/RANSOM_Petya_MS17_010.yar"
+include "./malware/RANSOM_Pico.yar"
 include "./malware/RANSOM_SamSam.yar"
 include "./malware/RANSOM_Satana.yar"
+include "./malware/RANSOM_Shiva.yar"
 include "./malware/RANSOM_Sigma.yar"
 include "./malware/RANSOM_Snake.yar"
 include "./malware/RANSOM_Stampado.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
 include "./malware/RANSOM_Tox.yar"
+include "./malware/RANSOM_acroware.yar"
+include "./malware/RANSOM_jeff_dev.yar"
+include "./malware/RANSOM_locdoor.yar"
+include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
+include "./malware/RANSOM_shrug2.yar"
+include "./malware/RANSOM_termite.yar"
 include "./malware/RAT_Adwind.yar"
 include "./malware/RAT_Adzok.yar"
 include "./malware/RAT_Asyncrat.yar"
@@ -418,6 +434,7 @@ include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
 include "./malware/RAT_Nanocore.yar"
 include "./malware/RAT_NetwiredRC.yar"
 include "./malware/RAT_Njrat.yar"
+include "./malware/RAT_Orcus.yar"
 include "./malware/RAT_PlugX.yar"
 include "./malware/RAT_PoetRATDoc.yar"
 include "./malware/RAT_PoetRATPython.yar"

maldocs/Maldoc_hancitor_dropper.yar

 /*
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
 */
-
 rule hancitor_dropper : vb_win32api
 {
   meta:

maldocs_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./maldocs/Maldoc_APT10_MenuPass.yar"
 include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar"
@@ -20,5 +20,6 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
 include "./maldocs/Maldoc_UserForm.yar"
 include "./maldocs/Maldoc_VBA_macro_code.yar"
 include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_hancitor_dropper.yar"
 include "./maldocs/Maldoc_malrtf_ole2link.yar"
 include "./maldocs/maldoc_somerules.yar"

malware/RANSOM_acroware.yar

@@ -12,7 +12,7 @@ rule screenlocker_acroware {
       $s2 = "All your Personal Data got encrypted and the decryption key is stored on a hidden" fullword ascii
       $s3 = "alphaoil@mail2tor.com any try of removing this Ransomware will result in an instantly " fullword ascii
       $s4 = "HKEY_CURRENT_USER\\SoftwareE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
-      $s5 = "webserver, after 72 hours thedecryption key will get removed and your personal" fullword ascii
+      $s5 = "webserver, after 72 hours the decryption key will get removed and your personal" fullword ascii
       
    condition:
       ( uint16(0) == 0x5a4d and filesize < 2000KB ) and all of them

malware_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./malware/000_common_rules.yar"
 include "./malware/APT_APT1.yar"
@@ -260,6 +260,7 @@ include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
 include "./malware/MALW_hancitor.yar"
+include "./malware/MALW_kirbi_mimikatz.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"
@@ -353,6 +354,12 @@ include "./malware/RANSOM_Stampado.yar"
 include "./malware/RANSOM_termite.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
 include "./malware/RANSOM_Tox.yar"
+include "./malware/RANSOM_acroware.yar"
+include "./malware/RANSOM_jeff_dev.yar"
+include "./malware/RANSOM_locdoor.yar"
+include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
+include "./malware/RANSOM_shrug2.yar"
+include "./malware/RANSOM_termite.yar"
 include "./malware/RAT_Adwind.yar"
 include "./malware/RAT_Adzok.yar"
 include "./malware/RAT_Asyncrat.yar"

mobile_malware_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */

packers_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./packers/JJencode.yar"
 include "./packers/Javascript_exploit_and_obfuscation.yar"

webshells_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 01-07-2020
 */
 include "./webshells/WShell_APT_Laudanum.yar"
 include "./webshells/WShell_ASPXSpy.yar"