-
Notifications
You must be signed in to change notification settings - Fork 56
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1,465 changed files
with
39,555 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule h3ed_2a554086c2210b32 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=h3ed.2a554086c2210b32" | ||
| cluster="h3ed.2a554086c2210b32" | ||
| cluster_size="128" | ||
| filetype = "application/x-dosexec" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="dorv fraudtool malicious" | ||
| md5_hashes="['0066c7823e453ed3979d73f6b543e68e','05850dbd18b5e4a72c608ad5e5521ae7','275cf149913f89354b8532bdad3f0ad6']" | ||
|
|
||
| strings: | ||
| $hex_string = { 21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a240000000000000066bad1a222dbbff1 } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_0253b6c9cc000b16 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.0253b6c9cc000b16" | ||
| cluster="i2321.0253b6c9cc000b16" | ||
| cluster_size="13" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['0855c0cf58d017f86bd60ae40c924d47','2536c22e1a2bdff90d146bd7eb7bb345','f560be87abed8607147038423b4efc52']" | ||
|
|
||
| strings: | ||
| $hex_string = { 6aa9104e8e8c3f3d327af089ace370b0fdab0b176b73d5fab942989c1819df8c57778c975e185b2cd52e4f152b8ba5914bb1e7621a7b26ceee64e9721a383a3c } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_035bb6c9cc000b12 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.035bb6c9cc000b12" | ||
| cluster="i2321.035bb6c9cc000b12" | ||
| cluster_size="10" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['16b86734180ee5022ba13af7c2d04fa6','29d8d7ecd2cb898ccef770928f86825b','e83eac6e2bdce4e541bf1a267a624812']" | ||
|
|
||
| strings: | ||
| $hex_string = { b796df6fee683d165bf514a7da8db2ca0f9ddea8ddbbf2d4e9cbb9d849bcbdb661e9bdeae45429b6da51ac3e1ebf746743f55aecae1aeb5d4afa42cc2eaf2d8e } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_0455b6c9c5200b32 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.0455b6c9c5200b32" | ||
| cluster="i2321.0455b6c9c5200b32" | ||
| cluster_size="6" | ||
| filetype = "PE32 executable (GUI) Intel 80386" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['1a50331635bb3b4df201b008ec5276e3','563ed2703be45ee8578bae487ba87dec','cdb44ab568ff031051ded2ed6a5caf59']" | ||
|
|
||
| strings: | ||
| $hex_string = { 8b85107eb6e3a9cafcf3c5cab14a657e263cbdb3b258af554ad558f246abe444ad540ae11b6d4f95eac7e72f5c28566747e7aaa54238393cfef4f0e8a127b28e } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_0455b6c9cc040b32 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.0455b6c9cc040b32" | ||
| cluster="i2321.0455b6c9cc040b32" | ||
| cluster_size="9" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['3c3234257cd11b180f0bfddf393a48bf','4c4d0c05e09f274e82f3dadcb05408be','fb53baf2e27436bf614b5c390a208bf6']" | ||
|
|
||
| strings: | ||
| $hex_string = { 8b85107eb6e3a9cafcf3c5cab14a657e263cbdb3b258af554ad558f246abe444ad540ae11b6d4f95eac7e72f5c28566747e7aaa54238393cfef4f0e8a127b28e } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_0455b6c9cc042b32 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.0455b6c9cc042b32" | ||
| cluster="i2321.0455b6c9cc042b32" | ||
| cluster_size="6" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['0a9b0da94f779069db208bdf9fd2c423','59799e8b4d6e9c3425c25a1e57440d17','eb5810aba9efabc2fca8379c9a41a78c']" | ||
|
|
||
| strings: | ||
| $hex_string = { 8b85107eb6e3a9cafcf3c5cab14a657e263cbdb3b258af554ad558f246abe444ad540ae11b6d4f95eac7e72f5c28566747e7aaa54238393cfef4f0e8a127b28e } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_0455b6c9cc080b32 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.0455b6c9cc080b32" | ||
| cluster="i2321.0455b6c9cc080b32" | ||
| cluster_size="11" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['0b7eac81db040d5450c3ab43fe5b43be','327612b0a8d6b53793b96c0342150160','fa1cec1616873580651ba511073a0178']" | ||
|
|
||
| strings: | ||
| $hex_string = { 8b85107eb6e3a9cafcf3c5cab14a657e263cbdb3b258af554ad558f246abe444ad540ae11b6d4f95eac7e72f5c28566747e7aaa54238393cfef4f0e8a127b28e } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_0455b6c9cc084b31 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.0455b6c9cc084b31" | ||
| cluster="i2321.0455b6c9cc084b31" | ||
| cluster_size="5" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['08bfb692efc5c4b08022e8d39fc07d6d','108abec0ce1535aa2ba9daf24c05ff11','f23e320bb25f26158eaa91d13f719594']" | ||
|
|
||
| strings: | ||
| $hex_string = { 8b85107eb6e3a9cafcf3c5cab14a657e263cbdb3b258af554ad558f246abe444ad540ae11b6d4f95eac7e72f5c28566747e7aaa54238393cfef4f0e8a127b28e } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_0455b6c9cc420b32 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.0455b6c9cc420b32" | ||
| cluster="i2321.0455b6c9cc420b32" | ||
| cluster_size="6" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['097d7bcb2018502e2b26383155990136','26f178aaa878b5ee053d8a55222afe73','e3f33746c216adeeb127b530218aa629']" | ||
|
|
||
| strings: | ||
| $hex_string = { 8b85107eb6e3a9cafcf3c5cab14a657e263cbdb3b258af554ad558f246abe444ad540ae11b6d4f95eac7e72f5c28566747e7aaa54238393cfef4f0e8a127b28e } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_0455b6c9ec010b32 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.0455b6c9ec010b32" | ||
| cluster="i2321.0455b6c9ec010b32" | ||
| cluster_size="4" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['945f91a0a1c5790662d69fc057a30bc7','9c127c2139b10c39ce53f71b233ad781','e2b5e1823b38f31529c7b547c5ceb667']" | ||
|
|
||
| strings: | ||
| $hex_string = { 8b85107eb6e3a9cafcf3c5cab14a657e263cbdb3b258af554ad558f246abe444ad540ae11b6d4f95eac7e72f5c28566747e7aaa54238393cfef4f0e8a127b28e } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_04948b2cc36b09b2 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.04948b2cc36b09b2" | ||
| cluster="i2321.04948b2cc36b09b2" | ||
| cluster_size="19" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="backdoor cosmicduke razy" | ||
| md5_hashes="['1addfdccb58c1a45a8aeb8eef7bc9140','1c8caf399be7c3837b0bee844ac89a3a','da1a4e4700698b544d356ccb3a0d470d']" | ||
|
|
||
| strings: | ||
| $hex_string = { b4658715d9a1333b14b3c363d9616c6a329bea86caeb31d067ab2f1f9d6d4e979c6a9ada98b79fdab87443e5fd897796a4d7555fee3871f4c78d69cbe4b5531b } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_04b48b2cc36b0b30 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.04b48b2cc36b0b30" | ||
| cluster="i2321.04b48b2cc36b0b30" | ||
| cluster_size="8" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="backdoor cosmicduke razy" | ||
| md5_hashes="['5baa3fdddaacad6714744058e74e0796','6da3b1cc4914f5575858af1cf696f9b6','fbb4f4e9fd4a88641f2dee99f7e8b955']" | ||
|
|
||
| strings: | ||
| $hex_string = { b4658715d9a1333b14b3c363d9616c6a329bea86caeb31d067ab2f1f9d6d4e979c6a9ada98b79fdab87443e5fd897796a4d7555fee3871f4c78d69cbe4b5531b } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_04b48b2cc36b0b3a | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.04b48b2cc36b0b3a" | ||
| cluster="i2321.04b48b2cc36b0b3a" | ||
| cluster_size="12" | ||
| filetype = "application/gzip" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171117" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="backdoor cosmicduke razy" | ||
| md5_hashes="['29541cb3fd3d2686a51ab9fe7b0160bb','3e5a925f6d16d42e396418c7341feb94','f532933340cb5b2c7edf8663ba1c016c']" | ||
|
|
||
| strings: | ||
| $hex_string = { b4658715d9a1333b14b3c363d9616c6a329bea86caeb31d067ab2f1f9d6d4e979c6a9ada98b79fdab87443e5fd897796a4d7555fee3871f4c78d69cbe4b5531b } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| rule i2321_04b48b2cc36b0bb2 | ||
| { | ||
|
|
||
| meta: | ||
| copyright="Copyright (c) 2014-2018 Support Intelligence Inc, All Rights Reserved." | ||
| engine="saphire/1.3.1 divinorum/0.998 icewater/0.4" | ||
| viz_url="http://icewater.io/en/cluster/query?h64=i2321.04b48b2cc36b0bb2" | ||
| cluster="i2321.04b48b2cc36b0bb2" | ||
| cluster_size="12" | ||
| filetype = "PE32 executable (console) Intel 80386" | ||
| tlp = "amber" | ||
| version = "icewater snowflake" | ||
| author = "Rick Wesson (@wessorh) rick@support-intelligence.com" | ||
| date = "20171118" | ||
| license = "RIL-1.0 [Rick's Internet License] " | ||
| family="cosmicduke backdoor razy" | ||
| md5_hashes="['290322c42e85b57fa3893df689af1bb3','3251955ba0b29778ca2efc0761604cb2','f3f6dc6314cb83875386287fce1542db']" | ||
|
|
||
| strings: | ||
| $hex_string = { b4658715d9a1333b14b3c363d9616c6a329bea86caeb31d067ab2f1f9d6d4e979c6a9ada98b79fdab87443e5fd897796a4d7555fee3871f4c78d69cbe4b5531b } | ||
| condition: | ||
| filesize > 1024 and filesize < 4096 | ||
| and $hex_string | ||
| } |
Oops, something went wrong.