Merge remote-tracking branch 'upstream/master' into master

README.md

-[![Build Status](https://travis-ci.org/Yara-Rules/rules.svg)](https://travis-ci.org/Yara-Rules/rules) <img src="http://img.shields.io/liberapay/patrons/yararules.svg?logo=liberapay">
+[![Build Status](https://travis-ci.org/Yara-Rules/rules.svg?branch=master)](https://travis-ci.org/Yara-Rules/rules) <img src="http://img.shields.io/liberapay/patrons/yararules.svg?logo=liberapay">
 
 
 # Project
@@ -79,7 +79,7 @@ In this section you will find Yara rules deprecated.
 
 # Contact
 
-Webpage: http://yararules.com
+Webpage: https://yara-rules.github.io/blog/
 
 Twitter account: https://twitter.com/yararules
 

antidebug_antivm_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./antidebug_antivm/antidebug_antivm.yar"

capabilities_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./capabilities/capabilities.yar"

crypto/crypto_signatures.yar

@@ -1057,25 +1057,26 @@ rule RijnDael_AES_CHAR
 		$c0
 }
 
-rule RijnDael_AES_CHAR_inv
+rule ARIA_SB2
 {	meta:
-		author = "_pusher_"
-		description = "RijnDael AES S-inv [char]"
-		//needs improvement
-		date = "2016-07"
+		author = "spelissier"
+		description = "Aria SBox 2"
+		date = "2020-12"
+		reference="http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf#page=7"
 	strings:
-		$c0 = { 48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A 8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 8A 56 04 8A 92 }
+		$c0 = { E2 4E 54 FC 94 C2 4A CC 62 0D 6A 46 3C 4D 8B D1 5E FA 64 CB B4 97 BE 2B BC 77 2E 03 D3 19 59 C1 }
 	condition:
 		$c0
 }
 
-rule RijnDael_AES_LONG
+rule RijnDael_AES_CHAR_inv
 {	meta:
 		author = "_pusher_"
-		description = "RijnDael AES"
-		date = "2016-06"
+		description = "RijnDael AES S-inv [char]"
+		//needs improvement
+		date = "2016-07"
 	strings:
-		$c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }
+		$c0 = { 48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A 8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 8A 56 04 8A 92 }
 	condition:
 		$c0
 }
@@ -1472,8 +1473,10 @@ rule Chacha_256_constant {
 		reference = "https://tools.ietf.org/html/rfc8439#page-8"
 	strings:
 		$c0 = "expand 32-byte k"
+		$split1 = "expand 3"
+		$split2 = "2-byte k"
 	condition:
-		$c0
+		$c0 or ( $split1 and $split2 )
 }
 
 rule ecc_order {
@@ -1559,3 +1562,18 @@ rule SHA3_interleaved {
 	condition:
 		10 of them
 }
+
+rule SipHash_big_endian_constants {
+    meta:
+		author = "spelissier"
+		description = "Look for SipHash constants in big endian"
+		date = "2020-07"
+		reference = "https://131002.net/siphash/siphash.pdf#page=6"
+	strings:
+		$c0 = "uespemos"
+		$c1 = "modnarod"
+		$c2 = "arenegyl"
+		$c3 = "setybdet"
+	condition:
+		2 of them
+}
\ No newline at end of file

crypto_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./crypto/crypto_signatures.yar"

cve_rules_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./cve_rules/CVE-2010-0805.yar"
 include "./cve_rules/CVE-2010-0887.yar"

email/Email_PHP_Mailer.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or
+    organization, as long as you use it under this license.
+*/
+rule Email_Generic_PHP_Mailer_Script
+{
+    meta:
+        Description ="Generic rule to identify potential emails sent from hacktool mailer scripts"
+        Author = "Xylitol <xylitol@temari.fr>"
+        date = "2020-05-11"
+        // Attempt at getting live urls of HackTool.PHP.SpyMail (kav), 
+        // Script.Trojan.PHPMailer (gdata), Trojan.PHP.Mailar (Ikarus)
+        // This Yara rule is meant to be run against .eml files
+        // May only the challenge guide you
+    strings:
+ 
+        // Files, part of php package who can trigger the rules
+        // we don't want that if we scan a mixed batch of files.
+        $donotwant1 = { FE ED FA CE } // Mach-O binary (32-bit)
+        $donotwant2 = { FE ED FA CF } // Mach-O binary (64-bit)
+        $donotwant3 = { CE FA ED FE } // Mach-O binary (reverse byte ordering scheme, 32-bit)
+        $donotwant4 = { CE FA ED FE } // Mach-O binary (reverse byte ordering scheme, 64-bit)
+        $donotwant5 = { 4D 5A 50 00 02 } // Win32 Dynamic Link Library - Borland C/C++
+        $donotwant6 = { 53 75 62 6A 65 63 74 3A 20 25 73 } // "Subject: %s"
+       
+        // Adjust to your need the list of legitimate. You may miss web sent
+        // spam through this filter, but we don't need stuff we can't access
+        // publicly like cpanel, Roundcube, etc...
+        $legit1 = "(https://github.com/PHPMailer/PHPMailer)" // PHPMailer
+        $legit2 = "(phpmailer.sourceforge.net)" // PHPMailer
+        $legit3 = "X-Mailer: PHPMailer" // PHPMailer
+        $legit4 = "SimpleMailInvoker.php" // Swiftmailer
+        $legit5 = "X-Mailer: SMF" // Simple Machines Forum
+        $legit6 = "X-Mailer: phpBB3" // phpBB3
+        $legit7 = "X-Mailer: PHP/Xooit" // Xooit forum
+        $legit8 = "X-Mailer: vBulletin" // vBulletin
+        $legit9 = "X-Mailer: MediaWiki mailer" // MediaWiki
+        $legit10 = "X-Mailer: Drupal" // Drupal
+        $legit11 = "X-Mailer: osCommerce Mailer" // osCommerce
+        $legit12 = "abuse@mailjet.com" // Message sent by Mailjet
+        $legit13 = "class.foxycart.transaction.php" // Foxy Ecommerce
+        $legit14 = "User-Agent: Roundcube Webmail" // Roundcube
+        $legit15 = "User-Agent: SquirrelMail" // SquirrelMail
+        $legit16 = "X-Source: /opt/cpanel/" // mail send from cpanel
+        $legit17 = { 58 2D 50 48 50 2D 4F 72 69 67 69 6E 61 74 69 6E 67 2D 53 63 72 69 70 74 3A 20 [1-6] 3A 70 6F 73 74 2E 70 68 70 28 [1-6] 29 } // "X-PHP-Originating-Script: ?:post.php(?)" Might be related to cpanel.
+        $legit18 = { 58 2D 50 48 50 2D 53 63 72 69 70 74 3A 20 [3-30] 2F 70 6F 73 74 2E 70 68 70 20 66 6F 72 20 } // "X-PHP-Script: ????/post.php for " Might be related to cpanel.
+ 
+        $eml1 = "From:"
+        $eml2 = "To:"
+        $eml3 = "Subject:"
+   
+        $mailer1 = /X-PHP-Originating-Script: ([\w\.]+(.*\.php))?/
+        $mailer2 = /X-PHP-Script: ([\w\.\/]+\/(.*\.php))?/
+        $mailer3 = /X-PHP-Filename: (\/[\w]+\/(.*\.php))?/
+        // $mailer4 = /X-Source-Args: (\/[\w]+\/(.*\.php))?/  // may lead to false positive and unwanted, up to you.
+ 
+    condition:
+        not  any of ($donotwant*) and not any of ($legit*)
+        and all of ($eml*) and 2 of ($mailer*)
+}

email/Email_fake_it_maintenance_bulletin.yar

@@ -12,8 +12,8 @@ rule Fake_it_maintenance_bulletin : mail
     $eml_1="From:"
     $eml_2="To:"
     $eml_3="Subject:"
-    $subject1={49 54 20 53 45 52 56 49 43 45 20 4d 61 69 6e 74 65 6e 61 6e 63 65 20 42 75 6c 6c 65 74 69 6e [1-20]} //Range is for varying date of "notification"
-    $subject2={44 45 53 43 52 49 50 54 49 4f 4e 3a 20 53 65 72 76 65 72 20 55 70 67 72 61 64 65 20 4d 61 69 6e 74 65 6e 61 6e 63 65 [1-20]} //Range is for server name varriation 
+    $subject1={49 54 20 53 45 52 56 49 43 45 20 4d 61 69 6e 74 65 6e 61 6e 63 65 20 42 75 6c 6c 65 74 69 6e} //Range is for varying date of "notification"
+    $subject2={44 45 53 43 52 49 50 54 49 4f 4e 3a 20 53 65 72 76 65 72 20 55 70 67 72 61 64 65 20 4d 61 69 6e 74 65 6e 61 6e 63 65} //Range is for server name varriation 
     $body1="Message prompted from IT Helpdesk Support" nocase
     $body2="We are currently undergoing server maintenance upgrade" nocase
     $body3="Upgrade is to improve our security and new mail experience" nocase
@@ -23,7 +23,7 @@ rule Fake_it_maintenance_bulletin : mail
     $body7="Thanks,/n OWA - IT Helpdesk Service" nocase
 
   condition:
-    All of ($eml_*)and
+    all of ($eml_*)and
     1 of ($subject*) and
     4 of ($body*) 
 }

email/Email_quota_limit_warning.yar

@@ -16,7 +16,7 @@ rule Email_quota_limit_warning : mail
     $subject1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 } // Range allows for different company names to be accepted
     $hello1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 }
     $body1="You have exceded" nocase
-    $body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 [0-4] } //Range allows for different quota "upgrade" sizes
+    $body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 } //Range allows for different quota "upgrade" sizes
     $body3="requested to expand it within 24 hours" nocase
     $body4="e-mail account will be disable from our database" nocase
     $body5="simply click with the complete information" nocase

email_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./email/EMAIL_Cryptowall.yar"
+include "./email/Email_PHP_Mailer.yar"
 include "./email/Email_fake_it_maintenance_bulletin.yar"
 include "./email/Email_generic_phishing.yar"
 include "./email/Email_quota_limit_warning.yar"

exploit_kits_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./exploit_kits/EK_Angler.yar"
 include "./exploit_kits/EK_Blackhole.yar"

index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./antidebug_antivm/antidebug_antivm.yar"
 include "./capabilities/capabilities.yar"
@@ -20,6 +20,7 @@ include "./cve_rules/CVE-2017-11882.yar"
 include "./cve_rules/CVE-2018-20250.yar"
 include "./cve_rules/CVE-2018-4878.yar"
 include "./email/EMAIL_Cryptowall.yar"
+include "./email/Email_PHP_Mailer.yar"
 include "./email/Email_fake_it_maintenance_bulletin.yar"
 include "./email/Email_generic_phishing.yar"
 include "./email/Email_quota_limit_warning.yar"
@@ -42,7 +43,7 @@ include "./exploit_kits/EK_ZeroAcces.yar"
 include "./exploit_kits/EK_Zerox88.yar"
 include "./exploit_kits/EK_Zeus.yar"
 include "./maldocs/Maldoc_APT10_MenuPass.yar"
-include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar"
+include "./maldocs/Maldoc_APT19_CVE-2017-0199.yar"
 include "./maldocs/Maldoc_APT_OLE_JSRat.yar"
 include "./maldocs/Maldoc_CVE-2017-0199.yar"
 include "./maldocs/Maldoc_CVE_2017_11882.yar"
@@ -58,6 +59,7 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
 include "./maldocs/Maldoc_UserForm.yar"
 include "./maldocs/Maldoc_VBA_macro_code.yar"
 include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_hancitor_dropper.yar"
 include "./maldocs/Maldoc_malrtf_ole2link.yar"
 include "./maldocs/maldoc_somerules.yar"
 include "./malware/000_common_rules.yar"
@@ -110,6 +112,7 @@ include "./malware/APT_Minidionis.yar"
 include "./malware/APT_Mirage.yar"
 include "./malware/APT_Molerats.yar"
 include "./malware/APT_Mongall.yar"
+include "./malware/APT_MoonlightMaze.yar"
 include "./malware/APT_NGO.yar"
 include "./malware/APT_OPCleaver.yar"
 include "./malware/APT_Oilrig.yar"
@@ -123,8 +126,11 @@ include "./malware/APT_Platinum.yar"
 include "./malware/APT_Poseidon_Group.yar"
 include "./malware/APT_Prikormka.yar"
 include "./malware/APT_PutterPanda.yar"
+include "./malware/APT_RedLeaves.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_RemSec.yar"
+include "./malware/APT_Sauron.yar"
+include "./malware/APT_Sauron_extras.yar"
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
 include "./malware/APT_Shamoon_StoneDrill.yar"
@@ -186,6 +192,7 @@ include "./malware/MALW_Derkziel.yar"
 include "./malware/MALW_Dexter.yar"
 include "./malware/MALW_DiamondFox.yar"
 include "./malware/MALW_DirtJumper.yar"
+include "./malware/MALW_Eicar.yar"
 include "./malware/MALW_Elex.yar"
 include "./malware/MALW_Elknot.yar"
 include "./malware/MALW_Emotet.yar"
@@ -259,10 +266,12 @@ include "./malware/MALW_Odinaff.yar"
 include "./malware/MALW_Olyx.yar"
 include "./malware/MALW_PE_sections.yar"
 include "./malware/MALW_PittyTiger.yar"
+include "./malware/MALW_PolishBankRat.yar"
 include "./malware/MALW_Ponmocup.yar"
 include "./malware/MALW_Pony.yar"
 include "./malware/MALW_Predator.yar"
 include "./malware/MALW_PubSab.yar"
+include "./malware/MALW_PurpleWave.yar"
 include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Pyinstaller.yar"
 include "./malware/MALW_Quarian.yar"
@@ -311,6 +320,7 @@ include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
 include "./malware/MALW_hancitor.yar"
+include "./malware/MALW_kirbi_mimikatz.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"
@@ -388,13 +398,22 @@ include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
 include "./malware/RANSOM_Maze.yar"
 include "./malware/RANSOM_PetrWrap.yar"
 include "./malware/RANSOM_Petya.yar"
+include "./malware/RANSOM_Petya_MS17_010.yar"
+include "./malware/RANSOM_Pico.yar"
 include "./malware/RANSOM_SamSam.yar"
 include "./malware/RANSOM_Satana.yar"
+include "./malware/RANSOM_Shiva.yar"
 include "./malware/RANSOM_Sigma.yar"
 include "./malware/RANSOM_Snake.yar"
 include "./malware/RANSOM_Stampado.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
 include "./malware/RANSOM_Tox.yar"
+include "./malware/RANSOM_acroware.yar"
+include "./malware/RANSOM_jeff_dev.yar"
+include "./malware/RANSOM_locdoor.yar"
+include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
+include "./malware/RANSOM_shrug2.yar"
+include "./malware/RANSOM_termite.yar"
 include "./malware/RAT_Adwind.yar"
 include "./malware/RAT_Adzok.yar"
 include "./malware/RAT_Asyncrat.yar"
@@ -418,6 +437,7 @@ include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
 include "./malware/RAT_Nanocore.yar"
 include "./malware/RAT_NetwiredRC.yar"
 include "./malware/RAT_Njrat.yar"
+include "./malware/RAT_Orcus.yar"
 include "./malware/RAT_PlugX.yar"
 include "./malware/RAT_PoetRATDoc.yar"
 include "./malware/RAT_PoetRATPython.yar"
@@ -440,6 +460,9 @@ include "./malware/TOOLKIT_Mandibule.yar"
 include "./malware/TOOLKIT_PassTheHash.yar"
 include "./malware/TOOLKIT_Powerstager.yar"
 include "./malware/TOOLKIT_Pwdump.yar"
+include "./malware/TOOLKIT_Redteam_Tools_by_GUID.yar"
+include "./malware/TOOLKIT_Redteam_Tools_by_Name.yar"
+include "./malware/TOOLKIT_Solarwinds_credential_stealer.yar"
 include "./malware/TOOLKIT_THOR_HackTools.yar"
 include "./malware/TOOLKIT_Wineggdrop.yar"
 include "./malware/TOOLKIT_exe2hex_payload.yar"

index_w_mobile.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./antidebug_antivm/antidebug_antivm.yar"
 include "./capabilities/capabilities.yar"
@@ -20,6 +20,7 @@ include "./cve_rules/CVE-2017-11882.yar"
 include "./cve_rules/CVE-2018-20250.yar"
 include "./cve_rules/CVE-2018-4878.yar"
 include "./email/EMAIL_Cryptowall.yar"
+include "./email/Email_PHP_Mailer.yar"
 include "./email/Email_fake_it_maintenance_bulletin.yar"
 include "./email/Email_generic_phishing.yar"
 include "./email/Email_quota_limit_warning.yar"
@@ -42,7 +43,7 @@ include "./exploit_kits/EK_ZeroAcces.yar"
 include "./exploit_kits/EK_Zerox88.yar"
 include "./exploit_kits/EK_Zeus.yar"
 include "./maldocs/Maldoc_APT10_MenuPass.yar"
-include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar"
+include "./maldocs/Maldoc_APT19_CVE-2017-0199.yar"
 include "./maldocs/Maldoc_APT_OLE_JSRat.yar"
 include "./maldocs/Maldoc_CVE-2017-0199.yar"
 include "./maldocs/Maldoc_CVE_2017_11882.yar"
@@ -58,6 +59,7 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
 include "./maldocs/Maldoc_UserForm.yar"
 include "./maldocs/Maldoc_VBA_macro_code.yar"
 include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_hancitor_dropper.yar"
 include "./maldocs/Maldoc_malrtf_ole2link.yar"
 include "./maldocs/maldoc_somerules.yar"
 include "./malware/000_common_rules.yar"
@@ -110,6 +112,7 @@ include "./malware/APT_Minidionis.yar"
 include "./malware/APT_Mirage.yar"
 include "./malware/APT_Molerats.yar"
 include "./malware/APT_Mongall.yar"
+include "./malware/APT_MoonlightMaze.yar"
 include "./malware/APT_NGO.yar"
 include "./malware/APT_OPCleaver.yar"
 include "./malware/APT_Oilrig.yar"
@@ -123,8 +126,11 @@ include "./malware/APT_Platinum.yar"
 include "./malware/APT_Poseidon_Group.yar"
 include "./malware/APT_Prikormka.yar"
 include "./malware/APT_PutterPanda.yar"
+include "./malware/APT_RedLeaves.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_RemSec.yar"
+include "./malware/APT_Sauron.yar"
+include "./malware/APT_Sauron_extras.yar"
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
 include "./malware/APT_Shamoon_StoneDrill.yar"
@@ -186,6 +192,7 @@ include "./malware/MALW_Derkziel.yar"
 include "./malware/MALW_Dexter.yar"
 include "./malware/MALW_DiamondFox.yar"
 include "./malware/MALW_DirtJumper.yar"
+include "./malware/MALW_Eicar.yar"
 include "./malware/MALW_Elex.yar"
 include "./malware/MALW_Elknot.yar"
 include "./malware/MALW_Emotet.yar"
@@ -259,10 +266,12 @@ include "./malware/MALW_Odinaff.yar"
 include "./malware/MALW_Olyx.yar"
 include "./malware/MALW_PE_sections.yar"
 include "./malware/MALW_PittyTiger.yar"
+include "./malware/MALW_PolishBankRat.yar"
 include "./malware/MALW_Ponmocup.yar"
 include "./malware/MALW_Pony.yar"
 include "./malware/MALW_Predator.yar"
 include "./malware/MALW_PubSab.yar"
+include "./malware/MALW_PurpleWave.yar"
 include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Pyinstaller.yar"
 include "./malware/MALW_Quarian.yar"
@@ -311,6 +320,7 @@ include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
 include "./malware/MALW_hancitor.yar"
+include "./malware/MALW_kirbi_mimikatz.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"
@@ -388,13 +398,22 @@ include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
 include "./malware/RANSOM_Maze.yar"
 include "./malware/RANSOM_PetrWrap.yar"
 include "./malware/RANSOM_Petya.yar"
+include "./malware/RANSOM_Petya_MS17_010.yar"
+include "./malware/RANSOM_Pico.yar"
 include "./malware/RANSOM_SamSam.yar"
 include "./malware/RANSOM_Satana.yar"
+include "./malware/RANSOM_Shiva.yar"
 include "./malware/RANSOM_Sigma.yar"
 include "./malware/RANSOM_Snake.yar"
 include "./malware/RANSOM_Stampado.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
 include "./malware/RANSOM_Tox.yar"
+include "./malware/RANSOM_acroware.yar"
+include "./malware/RANSOM_jeff_dev.yar"
+include "./malware/RANSOM_locdoor.yar"
+include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
+include "./malware/RANSOM_shrug2.yar"
+include "./malware/RANSOM_termite.yar"
 include "./malware/RAT_Adwind.yar"
 include "./malware/RAT_Adzok.yar"
 include "./malware/RAT_Asyncrat.yar"
@@ -418,6 +437,7 @@ include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
 include "./malware/RAT_Nanocore.yar"
 include "./malware/RAT_NetwiredRC.yar"
 include "./malware/RAT_Njrat.yar"
+include "./malware/RAT_Orcus.yar"
 include "./malware/RAT_PlugX.yar"
 include "./malware/RAT_PoetRATDoc.yar"
 include "./malware/RAT_PoetRATPython.yar"
@@ -440,6 +460,9 @@ include "./malware/TOOLKIT_Mandibule.yar"
 include "./malware/TOOLKIT_PassTheHash.yar"
 include "./malware/TOOLKIT_Powerstager.yar"
 include "./malware/TOOLKIT_Pwdump.yar"
+include "./malware/TOOLKIT_Redteam_Tools_by_GUID.yar"
+include "./malware/TOOLKIT_Redteam_Tools_by_Name.yar"
+include "./malware/TOOLKIT_Solarwinds_credential_stealer.yar"
 include "./malware/TOOLKIT_THOR_HackTools.yar"
 include "./malware/TOOLKIT_Wineggdrop.yar"
 include "./malware/TOOLKIT_exe2hex_payload.yar"

maldocs/Maldoc_hancitor_dropper.yar

 /*
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
 */
-
 rule hancitor_dropper : vb_win32api
 {
   meta:

maldocs_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./maldocs/Maldoc_APT10_MenuPass.yar"
-include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar"
+include "./maldocs/Maldoc_APT19_CVE-2017-0199.yar"
 include "./maldocs/Maldoc_APT_OLE_JSRat.yar"
 include "./maldocs/Maldoc_CVE-2017-0199.yar"
 include "./maldocs/Maldoc_CVE_2017_11882.yar"
@@ -11,7 +11,6 @@ include "./maldocs/Maldoc_CVE_2017_8759.yar"
 include "./maldocs/Maldoc_Contains_VBE_File.yar"
 include "./maldocs/Maldoc_DDE.yar"
 include "./maldocs/Maldoc_Dridex.yar"
-include "./maldocs/Maldoc_hancitor_dropper.yar"
 include "./maldocs/Maldoc_Hidden_PE_file.yar"
 include "./maldocs/Maldoc_MIME_ActiveMime_b64.yar"
 include "./maldocs/Maldoc_PDF.yar"
@@ -20,5 +19,6 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
 include "./maldocs/Maldoc_UserForm.yar"
 include "./maldocs/Maldoc_VBA_macro_code.yar"
 include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_hancitor_dropper.yar"
 include "./maldocs/Maldoc_malrtf_ole2link.yar"
 include "./maldocs/maldoc_somerules.yar"

malware/APT_Stuxnet.yar

@@ -197,3 +197,33 @@ rule Stuxnet_s7hkimdb
         ( uint16(0) == 0x5a4d and filesize < 40KB and $x1 and all of ($op*) )
 }
 
+rule Stuxnet_MadeInPython
+{
+    meta:
+        description = "Python has been used frequently by threat actors for compiling executable file with source code. I found python Stuxnet source code that can be executed with required dependencies. This rule is created in hopes to catch potental breakout of future Stuxnet."
+        author = "Jin Kim"
+        reference = "https://github.com/kenmueller/stuxnet"
+        date = "2020-12-23"
+    
+    strings:
+    // main function include this call stack as a second function call.
+        $str1 = "old_infected_attributes = node_infected_attributes(graph)"
+    //     def node_total_attributes(graph: nx.Graph) -> dict:
+	// filter_for_node_type = lambda node_type: list(filter(lambda node: get_node_type(graph, node) == node_type, graph.node))
+	// return {
+	// 	NodeType.COMPUTER: len(filter_for_node_type(NodeType.COMPUTER)),
+	// 	NodeType.DISCONNECTED_COMPUTER: len(filter_for_node_type(NodeType.DISCONNECTED_COMPUTER)),
+	// 	NodeType.USB: len(filter_for_node_type(NodeType.USB)),
+	// 	NodeType.PLC: len(filter_for_node_type(NodeType.PLC)),
+	// 	'total': len(graph.node)
+        $str2 = "NodeType.DISCONNECTED_COMPUTER"
+
+    // found in create-graph.py
+    // This line adds router nodes and computer nodes fro all the wireless networks.
+    // for router_node in range(NUMBER_OF_LOCAL_WIRED_NETWORKS, NUMBER_OF_LOCAL_NETWORKS):
+		// add_computer_nodes(graph, EdgeType.LOCAL_WIRELESS, router_node)
+        $str3 = "add_computer_nodes(graph, EdgeType.LOCAL_WIRELESS, router_node)"
+    
+    condition:
+        any of them
+}
\ No newline at end of file

malware/MALW_PurpleWave.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or
+    organization, as long as you use it under this license.
+*/
+rule MALW_PurpleWave_v1
+{
+    meta:
+        Description ="Generic rule to identify PurpleWave v1.0"
+        Author = "Xylitol <xylitol@temari.fr>"
+        date = "2020-08-01"
+        reference = "https://twitter.com/3xp0rtblog/status/1289125217751781376"
+        hash1 = "7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df"
+        hash2 = "76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304"
+        hash3 = "832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd"
+        hash4 = "917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9"
+        hash5 = "a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16"
+        hash6 = "d5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161"
+        hash7 = "d820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9"
+        hash8 = "d4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554"
+        hash9 = "4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d"
+
+    strings:
+        $MZ = {4D 5A}
+        $decoderoutine = { 8B 45 E8 33 C9 8A 04 07 28 04 1A 42 83 FF 07 8D 47 01 0F 45 C8 8B F9 3B D6 7C E5 }
+        /*
+        generic routine used to decode strings (bot name, bot version, mutex, c2 url, etc..)
+        /8B45 E8         /MOV EAX,[LOCAL.6]
+        |33C9            |XOR ECX,ECX
+        |8A0407          |MOV AL,BYTE PTR DS:[EDI+EAX]
+        |28041A          |SUB BYTE PTR DS:[EDX+EBX],AL
+        |42              |INC EDX
+        |83FF 07         |CMP EDI,7
+        |8D47 01         |LEA EAX,DWORD PTR DS:[EDI+1]
+        |0F45C8          |CMOVNE ECX,EAX
+        |8BF9            |MOV EDI,ECX
+        |3BD6            |CMP EDX,ESI
+        \7C E5           \JL SHORT 76bffcf0.0135B57F
+        */
+
+        // Regular strings that can be found into purplewave 1.0 samples
+        $string1 = " at t.me/LuckyStoreSupport |" fullword wide
+        $string2 = "][aes_key]" wide ascii
+        $string3 = "][passwords][" wide ascii
+        $string4 = "][is_encrypted]" wide ascii
+        $string5 = "][cards][" wide ascii
+        $string6 = "][number]" wide ascii
+        $string7 = "][domain]" wide ascii
+        $string8 = "][cookies][" wide ascii
+        $string9 = "][flag]" wide ascii
+        $string10 = "][histories][" wide ascii
+        $string11 = "D877F783D5D3EF8C" wide ascii
+
+        $alphabet1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
+        $alphabet2 = "0123456789abcdefghijklmnopqrstuvwxyz"
+
+    condition: 
+	($MZ at 0 and $decoderoutine) and
+	(
+		(5 of ($string*) and all of ($alphabet*))
+	)
+
+	and filesize < 700KB // Standard size when not packed should be arround ~598/600kb
+}

malware/MALW_Surtr.yar

@@ -5,7 +5,7 @@
 
 import "pe"
 
-rule RSharedStrings : Surtr Family {
+private rule RSharedStrings : Surtr Family {
 	meta:
 		description = "identifiers for remote and gmremote"
 		author = "Katie Kleemola"
@@ -24,7 +24,7 @@ rule RSharedStrings : Surtr Family {
 
 }
 
-rule RemoteStrings : Remote Variant Surtr Family {
+private rule RemoteStrings : Remote Variant Surtr Family {
 	meta:
 		description = "indicators for remote.dll - surtr stage 2"
 		author = "Katie Kleemola"
@@ -39,7 +39,7 @@ rule RemoteStrings : Remote Variant Surtr Family {
 		any of them
 }
 
-rule GmRemoteStrings : GmRemote Variant Family Surtr {
+private rule GmRemoteStrings : GmRemote Variant Family Surtr {
 	meta:
 		description = "identifiers for gmremote: surtr stage 2"
 		author = "Katie Kleemola"

malware/RANSOM_acroware.yar

@@ -12,7 +12,8 @@ rule screenlocker_acroware {
       $s2 = "All your Personal Data got encrypted and the decryption key is stored on a hidden" fullword ascii
       $s3 = "alphaoil@mail2tor.com any try of removing this Ransomware will result in an instantly " fullword ascii
       $s4 = "HKEY_CURRENT_USER\\SoftwareE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
-      $s5 = "webserver, after 72 hours thedecryption key will get removed and your personal" fullword ascii
+      $s5 = "webserver, after 72 hours the decryption key will get removed and your personal" fullword ascii
       
    condition:
       ( uint16(0) == 0x5a4d and filesize < 2000KB ) and all of them
+}

malware/RAT_Ratdecoders.yar

@@ -279,7 +279,7 @@ rule JavaDropper : RAT
 	    date = "2015/10"
 	    ref = "http://malwareconfig.com/stats/AlienSpy"
 	    maltype = "Remote Access Trojan"
-	    filetype = "exe"
+	    filetype = "jar"
 
     strings:
 	    $jar = "META-INF/MANIFEST.MF"

malware/TOOLKIT_Solarwinds_credential_stealer.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or
+    organization, as long as you use it under this license.
+*/
+
+rule HKTL_Solarwinds_credential_stealer {
+    meta:
+        description = "Detects solarwinds credential stealers like e.g. solarflare via the touched certificate, files and database columns"
+        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware"
+        reference = "https://github.com/mubix/solarflare"
+        author = "Arnim Rupp"
+        date = "2021-01-20"
+		hash = "1b2e5186464ed0bdd38fcd9f4ab294a7ba28bd829bf296584cbc32e2889037e4"
+		hash = "4adb69d4222c80d97f8d64e4d48b574908a518f8d504f24ce93a18b90bd506dc"
+    strings:
+        $certificate = "CN=SolarWinds-Orion" ascii nocase wide
+        $credfile1 = "\\CredentialStorage\\SolarWindsDatabaseAccessCredential" ascii nocase wide
+        $credfile2 = "\\KeyStorage\\CryptoHelper\\default.dat" ascii nocase wide
+        $credfile3 = "\\Orion\\SWNetPerfMon.DB" ascii nocase wide
+        $credfile4 = "\\Orion\\RabbitMQ\\.erlang.cookie" ascii nocase wide
+        $sql1 = "encryptedkey" ascii nocase wide fullword
+        $sql2 = "protectiontype" ascii nocase wide fullword
+        $sql3 = "CredentialProperty" ascii nocase wide fullword
+        $sql4 = "passwordhash" ascii nocase wide fullword
+        $sql5 = "credentialtype" ascii nocase wide fullword
+        $sql6 = "passwordsalt" ascii nocase wide fullword
+    condition:
+        uint16(0) == 0x5A4D and $certificate and ( 2 of ( $credfile* ) or 5 of ( $sql* ) )
+}
+

malware/TOOLKIT_THOR_HackTools.yar

@@ -2946,21 +2946,6 @@ rule mimikatz_lsass_mdmp
 		(uint32(0) == 0x504d444d) and $lsass
 }
 
-
-rule mimikatz_kirbi_ticket
-{
-	meta:
-		description		= "KiRBi ticket for mimikatz"
-		author			= "Benjamin DELPY (gentilkiwi)"
-
-	strings:
-		$asn1			= { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
-
-	condition:
-		$asn1 at 0
-}
-
-
 rule wce
 {
 	meta:

malware_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./malware/000_common_rules.yar"
 include "./malware/APT_APT1.yar"
@@ -70,7 +70,7 @@ include "./malware/APT_RedLeaves.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_RemSec.yar"
 include "./malware/APT_Sauron.yar"
-include "./malware/APT_Sauron_extras.yar
+include "./malware/APT_Sauron_extras.yar"
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
 include "./malware/APT_Shamoon_StoneDrill.yar"
@@ -165,7 +165,6 @@ include "./malware/MALW_Jolob_Backdoor.yar"
 include "./malware/MALW_KINS.yar"
 include "./malware/MALW_Kelihos.yar"
 include "./malware/MALW_KeyBase.yar"
-include "./malware/MALW_kirbi_mimikatz.yar"
 include "./malware/MALW_Korlia.yar"
 include "./malware/MALW_Korplug.yar"
 include "./malware/MALW_Kovter.yar"
@@ -212,6 +211,7 @@ include "./malware/MALW_Ponmocup.yar"
 include "./malware/MALW_Pony.yar"
 include "./malware/MALW_Predator.yar"
 include "./malware/MALW_PubSab.yar"
+include "./malware/MALW_PurpleWave.yar"
 include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Pyinstaller.yar"
 include "./malware/MALW_Quarian.yar"
@@ -260,6 +260,7 @@ include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
 include "./malware/MALW_hancitor.yar"
+include "./malware/MALW_kirbi_mimikatz.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"
@@ -320,7 +321,6 @@ include "./malware/POS_MalumPOS.yar"
 include "./malware/POS_Mozart.yar"
 include "./malware/RANSOM_.CRYPTXXX.yar"
 include "./malware/RANSOM_777.yar"
-include "./malware/RANSOM_acroware.yar"
 include "./malware/RANSOM_Alpha.yar"
 include "./malware/RANSOM_BadRabbit.yar"
 include "./malware/RANSOM_Cerber.yar"
@@ -333,8 +333,6 @@ include "./malware/RANSOM_DoublePulsar_Petya.yar"
 include "./malware/RANSOM_Erebus.yar"
 include "./malware/RANSOM_GPGQwerty.yar"
 include "./malware/RANSOM_GoldenEye.yar"
-include "./malware/RANSOM_jeff_dev.yar"
-include "./malware/RANSOM_locdoor.yar"
 include "./malware/RANSOM_Locky.yar"
 include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
 include "./malware/RANSOM_Maze.yar"
@@ -344,15 +342,18 @@ include "./malware/RANSOM_Petya_MS17_010.yar"
 include "./malware/RANSOM_Pico.yar"
 include "./malware/RANSOM_SamSam.yar"
 include "./malware/RANSOM_Satana.yar"
-include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
 include "./malware/RANSOM_Shiva.yar"
-include "./malware/RANSOM_shrug2.yar"
 include "./malware/RANSOM_Sigma.yar"
 include "./malware/RANSOM_Snake.yar"
 include "./malware/RANSOM_Stampado.yar"
-include "./malware/RANSOM_termite.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
 include "./malware/RANSOM_Tox.yar"
+include "./malware/RANSOM_acroware.yar"
+include "./malware/RANSOM_jeff_dev.yar"
+include "./malware/RANSOM_locdoor.yar"
+include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
+include "./malware/RANSOM_shrug2.yar"
+include "./malware/RANSOM_termite.yar"
 include "./malware/RAT_Adwind.yar"
 include "./malware/RAT_Adzok.yar"
 include "./malware/RAT_Asyncrat.yar"
@@ -399,6 +400,9 @@ include "./malware/TOOLKIT_Mandibule.yar"
 include "./malware/TOOLKIT_PassTheHash.yar"
 include "./malware/TOOLKIT_Powerstager.yar"
 include "./malware/TOOLKIT_Pwdump.yar"
+include "./malware/TOOLKIT_Redteam_Tools_by_GUID.yar"
+include "./malware/TOOLKIT_Redteam_Tools_by_Name.yar"
+include "./malware/TOOLKIT_Solarwinds_credential_stealer.yar"
 include "./malware/TOOLKIT_THOR_HackTools.yar"
 include "./malware/TOOLKIT_Wineggdrop.yar"
 include "./malware/TOOLKIT_exe2hex_payload.yar"

mobile_malware_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */

packers_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./packers/JJencode.yar"
 include "./packers/Javascript_exploit_and_obfuscation.yar"

utils/base64.yar

@@ -3,7 +3,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule contentis_base64 : Base64
+rule contains_base64 : Base64
 {
     meta:
         author = "Jaume Martin"

webshells_index.yar

 /*
 Generated by Yara-Rules
-On 21-06-2020
+On 26-02-2021
 */
 include "./webshells/WShell_APT_Laudanum.yar"
 include "./webshells/WShell_ASPXSpy.yar"