Merge pull request #359 from hwvs/master

Add MALW_FUDCrypt.yar and MALW_MSILStealer.yar

Merge pull request #359 from hwvs/master
Add MALW_FUDCrypt.yar and MALW_MSILStealer.yar
ce92a410 · jovimon · GitHub · 4c9e3bc6 · c453c861 · ce92a410
Unverified Commit ce92a410 authored Jan 07, 2020 by jovimon Committed by GitHub Jan 07, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 0 deletions

MALW_FUDCrypt.yar malware/MALW_FUDCrypt.yar +29 -0

MALW_MSILStealer.yar malware/MALW_MSILStealer.yar +23 -0

No files found.
--- a/malware/MALW_FUDCrypt.yar
+++ b/malware/MALW_FUDCrypt.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule FUDCrypter
+{
+    meta:
+        description = "Detects unmodified FUDCrypt samples"
+        reference = "https://github.com/gigajew/FudCrypt/"
+        author = "https://github.com/hwvs"
+        last_modified = "2019-11-21"
+
+    strings:
+        $ = "OcYjzPUtJkNbLOABqYvNbvhZf" wide ascii
+        $ = "gwiXxyIDDtoYzgMSRGMckRbJi" wide ascii
+        $ = "BclWgISTcaGjnwrzSCIuKruKm" wide ascii
+        $ = "CJyUSiUNrIVbgksjxpAMUkAJJ" wide ascii
+        $ = "fAMVdoPUEyHEWdxQIEJPRYbEN" wide ascii
+        $ = "CIGQUctdcUPqUjoucmcoffECY" wide ascii
+        $ = "wcZfHOgetgAExzSoWFJFQdAyO" wide ascii
+        $ = "DqYKDnIoLeZDWYlQWoxZnpfPR" wide ascii
+        $ = "MkhMoOHCbGUMqtnRDJKnBYnOj" wide ascii
+        $ = "sHEqLMGglkBAOIUfcSAgMvZfs" wide ascii
+        $ = "JtZApJhbFAIFxzHLjjyEQvtgd" wide ascii
+        $ = "IIQrSWZEMmoQIKGuxxwoTwXka" wide ascii
+
+    condition:
+        1 of them
+}
--- a/malware/MALW_MSILStealer.yar
+++ b/malware/MALW_MSILStealer.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule MSILStealer
+{
+    meta:
+        description = "Detects strings from C#/VB Stealers and QuasarRat"
+        reference = "https://github.com/quasar/QuasarRAT"
+        author = "https://github.com/hwvs"
+        last_modified = "2019-11-21"
+
+    strings:
+        $ = "Firefox does not have any profiles, has it ever been launched?" wide ascii
+        $ = "Firefox is not installed, or the install path could not be located" wide ascii
+        $ = "No installs of firefox recorded in its key." wide ascii
+        $ = "{0}\\\\FileZilla\\\\recentservers.xml" wide ascii
+        $ = "{1}{0}Cookie Name: {2}{0}Value: {3}{0}Path" wide ascii
+        $ = "[PRIVATE KEY LOCATION: \\\"{0}\\\"]" wide ascii
+
+    condition:
+        1 of them
+}