Merge pull request #308 from techhelplist/master

dc577884 · jovimon · GitHub · 7966196c · 92983d44 · dc577884
Unverified Commit dc577884 authored May 10, 2018 by jovimon Committed by GitHub May 10, 2018
4 changed files
--- a/malware/MALW_AgentTesla_SMTP.yar
+++ b/malware/MALW_AgentTesla_SMTP.yar
+rule agenttesla_smtp_variant {
+    meta:
+        author = "J from THL <j@techhelplist.com> with thx to @Fumik0_ !!1!"
+        date = "2018/2"
+	reference1 = "https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection"
+	reference2 = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a"
+	reference3 = "Agent Tesla == negasteal -- @coldshell"
+	version = 1
+        maltype = "Stealer"
+        filetype = "memory"
+    strings:
+		$a = "type={"
+		$b = "hwid={"
+		$c = "time={"
+		$d = "pcname={"
+		$e = "logdata={"
+		$f = "screen={"
+		$g = "ipadd={"
+		$h = "webcam_link={"
+		$i = "screen_link={"
+		$j = "site_username={"
+		$k = "[passwords]"
+    condition:
+        6 of them
+}
--- a/malware/MALW_shifu_shiz
+++ b/malware/MALW_shifu_shiz
+rule shifu_shiz {
+	meta:
+		description = "Memory string yara for Shifu/Shiz"
+		author = "J from THL <j@techhelplist.com>"
+		reference1 = "https://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
+		reference2 = "https://beta.virusbay.io/sample/browse/24a6dfaa98012a839658c143475a1e46"
+    reference3 = "https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/crime_shifu_trojan.yar"
+		date = "2018-03-16"
+		maltype1 = "Banker"
+		maltype2 = "Keylogger"
+		maltype3 = "Stealer"
+		filetype = "memory"
+	strings:
+		$aa = "auth_loginByPassword"	fullword ascii
+		$ab = "back_command"	fullword ascii
+		$ac = "back_custom1"	fullword ascii
+		$ad = "GetClipboardData"	fullword ascii
+		$ae = "iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe"	fullword ascii
+		$af = "mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe"	fullword ascii
+		$ag = "svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe"	fullword ascii
+		$ah = "!inject"	fullword ascii
+		$ai = "!deactivebc"	fullword ascii
+		$aj = "!kill_os"	fullword ascii
+		$ak = "!load"	fullword ascii
+		$al = "!new_config"	fullword ascii
+		$am = "!activebc"	fullword ascii
+		$an = "keylog.txt"	fullword ascii
+		$ao = "keys_path.txt"	fullword ascii
+		$ap = "pass.log"	fullword ascii
+		$aq = "passwords.txt"	fullword ascii
+		$ar = "Content-Disposition: form-data; name=\"file\"; filename=\"report\""	fullword ascii
+		$as = "Content-Disposition: form-data; name=\"pcname\""	fullword ascii
+		$at = "botid=%s&ver="	fullword ascii
+		$au = "action=auth&np=&login="	fullword ascii
+		$av = "&ctl00%24MainMenu%24Login1%24UserName="	fullword ascii
+		$aw = "&cvv="	fullword ascii
+		$ax = "&cvv2="	fullword ascii
+		$ay = "&domain="	fullword ascii
+		$az = "LOGIN_AUTHORIZATION_CODE="	fullword ascii
+		$ba = "name=%s&port=%u"	fullword ascii
+		$bb = "PeekNamedPipe"	fullword ascii
+		$bc = "[pst]"	fullword ascii
+		$bd = "[ret]"	fullword ascii
+		$be = "[tab]"	fullword ascii
+		$bf = "[bks]"	fullword ascii
+		$bg = "[del]"	fullword ascii
+		$bh = "[ins]"	fullword ascii
+		$bi = "&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d&cn="	fullword ascii
+	condition:
+		18 of them
+}
--- a/malware/MALW_sitrof_fortis_scar.yar
+++ b/malware/MALW_sitrof_fortis_scar.yar
+rule sitrof_fortis_scar {
+    meta:
+        author = "J from THL <j@techhelplist.com>"
+        date = "2018/23"
+        reference1 = "https://www.virustotal.com/#/file/59ab6cb69712d82f3e13973ecc7e7d2060914cea6238d338203a69bac95fd96c/community"
+	reference2 = "ETPRO rule 2806032, ETPRO TROJAN Win32.Scar.hhrw POST"
+	version = 2
+        maltype = "Stealer"
+        filetype = "memory"
+    strings:
+	$a = "?get&version"
+	$b = "?reg&ver="
+	$c = "?get&exe"
+	$d = "?get&download"
+	$e = "?get&module"
+	$f = "&ver="
+	$g = "&comp="
+	$h = "&addinfo="
+	$i = "%s@%s; %s %s \"%s\" processor(s)"
+	$j = "User-Agent: fortis"
+    condition:
+        6 of them
+}
--- a/malware/RANSOM_Sigma.yar
+++ b/malware/RANSOM_Sigma.yar
+rule sigma_ransomware {
+  meta:
+    author = "J from THL <j@techhelplist.com>"
+    date = "20180509"
+    reference1 = "https://www.virustotal.com/#/file/705ad78bf5503e6022f08da4c347afb47d4e740cfe6c39c08550c740c3be96ba"
+    reference2 = "https://www.virustotal.com/#/file/bb3533440c27a115878ae541aba3bda02d441f3ea1864b868862255aabb0c8ff"
+    version = 1
+    maltype = "Ransomware"
+    filetype = "memory"
+  strings:
+    $a = ".php?"
+    $b = "uid="
+    $c = "&uname="
+    $d = "&os="
+    $e = "&pcname="
+    $f = "&total="
+    $g = "&country="
+    $h = "&network="
+    $i = "&subid="
+  condition:
+    all of them
+}