Add multiple detections

ditekshen · Aug 29, 2023 · 033a1d8 · 033a1d8
1 parent 1ea379e
commit 033a1d8
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 1 deletion.
diff --git a/clamav/clamav.ldb b/clamav/clamav.ldb
@@ -148,3 +148,6 @@ ditekSHen.MALWARE.Win.Trojan.PovertyStealer;Engine:51-255,Target:1;(0|1|2|3|4)>2
 ditekSHen.MALWARE.Win.Trojan.RDPCredsStealer-Injector;Engine:51-255,Target:1;0&(1|2|3)&(4|5|6);415049486f6f6b496e6a6563746f72;436f646520496e6a6563746564;444c4c20496e6a6563746564;5244504372656473537465616c6572444c4c;4f70656e50726f636573732829206661696c65643a;5669727475616c416c6c6f6345782829206661696c65643a;43726561746552656d6f74655468726561642829206661696c65643a
 ditekSHen.INDICATOR.Win.TOOL.BURNTCIGAR;Engine:51-255,Target:1;0&1&2&3;4b696c6c20504944203d;43726561746546696c65204572726f72203d;4b696c6c4156;446576696365496f436f6e74726f6c
 ditekSHen.INDICATOR.Win.TOOL.WEDGECUT;Engine:51-255,Target:1;(0&1&2)&(3|4|5)>1;49636d7053656e644563686f;49636d70436c6f736548616e646c65;49636d7043726561746546696c65;436865636b4f6e6c696e65;2d6e616d65;2d66756c6c
+ditekSHen.MALWARE.PWSH.CUMII;Engine:51-255,Target:0;(0&1&3&4)>2&(5|6|7);2e28277b317d7b247d272e7265706c616365282724272c27302729;2c274927292e7265706c616365282721272c2765782729;272e7265706c61636528272a272c27303030312729;52656d6f76652d4974656d2024;7468652046696c652077696c6c2073746172742063756d69696e67;3031313030313130303131313031303130313130313131303031312a;303130313030313030302a313131303131302a303130303131313131;30313030313130313031303131303130313030312a31312a30303030
+ditekSHen.MALWARE.Win.Trojan.AgnianeStealer;Engine:51-255,Target:1;((0|1|2|3|4)>1)|(5&6&7&8&9&10&11)>4|((0|1|2|3|4)&(5&6&7&8&9&10&11)>2);41676e69616e652e706462;49456e756d657261626c653c41676e69616e652e436c61737365732e4c6f675265636f72643e2e;41676e69616e6520537465616c6572::w;63696e6f736869626f74::w;797162696775756e6f327a70356a78736d71626576347277636b76793237627177733563676d336869696437786f6c7436356a37326b71642e6f6e696f6e::w;3c5061737320656e636f64696e673d22626173653634223e::w;446f6d61696e204465746563743a206465746563746564207b307d::w;444f4d41494e444554454354434f4f4b494553;2e7068703f6f776e657269643d::w;6275696c6469643d::w;616e7469766d2e7068703f69643d::w;666572722e7068703f69643d::w
+ditekSHen.MALWARE.Win.Trojan.TOITOIN;Engine:51-255,Target:1;0&(((1|2)&(3|4))|(5&6));3a5c54726162616c686f5f323032335c4f46465f323032335c;444c4c5f53746172745f4f4b2e706462;444c4c5f53544152545f494e2e706462;6b726974615f6d61696e;5c75736572735c5075626c69635c446f63756d656e74735c;202f632022{-15}63006d00640000006f00700065006e;4883fa107234488b8d10??000048ffc2
diff --git a/snort/snort3.rules b/snort/snort3.rules
@@ -306,6 +306,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Vult
 alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NPlus cryptocurrency miner outbound connection detected"; flow:to_server,established; http_header:field user-agent; content:"NPlusMiner/",fast_pattern; metadata:ruleset community; rem:"yara:MALWARE_Win_NPlusMiner"; classtype:trojan-activity; sid:920284; rev:1; )
 alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.LummaStealer outbound connection detected"; flow:to_server,established; http_uri; content:"/c2conf",fast_pattern; bufferlen:7; http_client_body; content:"lid="; http_header; content:!"User-Agent"; http_method; content:"POST"; metadata:ruleset community, service http; rem:"yara:MALWARE_Win_LummaStealer, clamav:MALWARE.Win.Trojan.LummaStealer"; classtype:trojan-activity; sid:2023813001; rev:1; )
 alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.LummaStealer outbound connection detected"; flow:to_server,established; http_uri; content:"/c2sock",fast_pattern; bufferlen:7; http_header; http_header:field user-agent; content:"TeslaBrowser/";  http_method; content:"POST"; metadata:ruleset community, service http; rem:"yara:MALWARE_Win_LummaStealer, clamav:MALWARE.Win.Trojan.LummaStealer"; classtype:trojan-activity; sid:2023813002; rev:1; )
+alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.AgnianeStealer outbound connection detected"; flow:to_server,established; http_uri; content:".php?ownerid=",fast_pattern; content:"buildid="; http_method; content:"POST"; metadata:ruleset community, service http; rem:"yara:MALWARE_Win_AgnianeStealer, clamav:MALWARE.Win.Trojan.AgnianeStealer"; classtype:trojan-activity; sid:923828001; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587] ( msg:"MALWARE-CNC Win.Trojan.KrakenStealer outbound SMTP connection detected"; flow:to_server,established; content:"Recovered From:",fast_pattern; metadata:ruleset community, service smtp, imap, pop3; rem:"yara:MALWARE_Win_KrakenStealer"; classtype:trojan-activity; sid:923828002; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.BlankStealer outbound DNS request detected"; flow:to_server; content:"|0b|blank-",fast_pattern; content:"|02|in",within 7,distance 5; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,capesandbox.com/analysis/444899/; reference:url,www.virustotal.com/gui/file/c9848988c90013fb86d016a7bd4e761a1319d3f8dc669fe6d85fec34c1e73256/detection; classtype:trojan-activity; sid:923829001; rev:1; )
 ################################################
 # INDICATOR PACKED
 ################################################
@@ -347,6 +350,17 @@ alert file ( msg:"INDICATOR-PACKED Simple Poly Engine (Sality) packed executable
 alert file ( msg:"INDICATOR-PACKED Dotfuscator packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"DotfuscatorAttribute",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_Dotfuscator"; classtype:trojan-activity; sid:930035; rev:1;)
 alert file ( msg:"INDICATOR-PACKED Unpaid ResourceTuner manipulated executable file transfer detected"; file_type:"MSEXE"; file_data; content:"u|00|n|00|p|00|a|00|i|00|d|00 20|e|00|v|00|a|00|l|00|u|00|a|00|t|00|i|00|o|00|n|00 20|c|00|o|00|p|00|y|00 20|o|00|f|00 20|R|00|e|00|s|00|o|00|u|00|r|00|c|00|e|00 20|T|00|u|00|n|00|e|00|r",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner"; classtype:trojan-activity; sid:930036; rev:1;)
 alert file ( msg:"INDICATOR-PACKED Reversed executable file transfer detected"; file_data; content:"edom SOD ni nur eb tonnac margorp sihT",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_SUSPICIOUS_EXE_Reversed"; classtype:trojan-activity; sid:930037; rev:1;)
+alert file ( msg:"INDICATOR-PACKED NoobyProtect packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"NoobyProtect SE",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_NoobyProtect"; classtype:trojan-activity; sid:930038; rev:1;)
+alert file ( msg:"INDICATOR-PACKED dotNetProtector packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"dotNetProtector",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_dotNetProtector"; classtype:trojan-activity; sid:930039; rev:1;)
+alert file ( msg:"INDICATOR-PACKED Dotfuscator packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"DotfuscatorAttribute",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_Dotfuscator"; classtype:trojan-activity; sid:930040; rev:1;)
+alert file ( msg:"INDICATOR-PACKED NETProtect.IO packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"NETProtect.IO v",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_NETProtectIO"; classtype:trojan-activity; sid:930041; rev:1;)
+alert file ( msg:"INDICATOR-PACKED Goliath packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"ObfuscatedByGoliath",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_Goliath"; classtype:trojan-activity; sid:930042; rev:1;)
+alert file ( msg:"INDICATOR-PACKED Babel packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"BabelObfuscatorAttribute",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_Babel"; classtype:trojan-activity; sid:930043; rev:1;)
+alert file ( msg:"INDICATOR-PACKED Babel packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:";babelvm;smoketest",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_Babel"; classtype:trojan-activity; sid:930044; rev:1;)
+alert file ( msg:"INDICATOR-PACKED CryptoProtector / CryptoObfuscator packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"CryptoObfuscator",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_CryptoProtector"; classtype:trojan-activity; sid:930045; rev:1;)
+alert file ( msg:"INDICATOR-PACKED CryptoProtector / CryptoObfuscator packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"C|00|r|00|y|00|p|00|t|00|o|00|P|00|r|00|o|00|t|00|e|00|c|00|t|00|o|00|r|00 20 5b 7b|",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_CryptoProtector"; classtype:trojan-activity; sid:930046; rev:1;)
+alert file ( msg:"INDICATOR-PACKED Yano packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"YanoAttribute",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_Yano"; classtype:trojan-activity; sid:930047; rev:1;)
+alert file ( msg:"INDICATOR-PACKED Yano packed executable file transfer detected"; file_type:"MSEXE"; file_data; content:"StripAfterObfuscation",fast_pattern; metadata:ruleset community, service:ftp-data, http, imap, pop3; rem:"yara:INDICATOR_EXE_Packed_Yano"; classtype:trojan-activity; sid:930048; rev:1;)
 ################################################
 # INDICATOR SUSPICIOUS
 ################################################

diff --git a/yara/indicator_knownbad_certs.yar b/yara/indicator_knownbad_certs.yar
@@ -7753,3 +7753,19 @@ rule INDICATOR_KB_CERT_29e8e993d2406454b6b18cb377471bc6 {
             pe.signatures[i].serial == "29:e8:e9:93:d2:40:64:54:b6:b1:8c:b3:77:47:1b:c6"
         )
 }
+
+rule INDICATOR_KB_CERT_00bfb15001bbf592d4962a7797ea736fa3 {
+    meta:
+        author = "ditekSHen"
+        description = "Detects executables signed with stolen, revoked, fake or invalid certificate"
+        thumbprint = "3dbc3a2a0e9ce8803b422cfdbc60acd33164965d"
+        hash1 = "c9848988c90013fb86d016a7bd4e761a1319d3f8dc669fe6d85fec34c1e73256"
+        malware = "BlankStealer / BlankGrabber / Blank-c Stealer"
+        reference = "https://capesandbox.com/analysis/444899/"
+    condition:
+        uint16(0) == 0x5a4d and
+        for any i in (0..pe.number_of_signatures): (
+            pe.signatures[i].subject contains "Akeo Consulting" and
+            pe.signatures[i].serial == "00:bf:b1:50:01:bb:f5:92:d4:96:2a:77:97:ea:73:6f:a3"
+        )
+}
diff --git a/yara/indicator_packed.yar b/yara/indicator_packed.yar
@@ -751,10 +751,16 @@ rule INDICATOR_EXE_Packed_Babel {
     meta:
         author = "ditekSHen"
         description = "Detects executables packed with Babel"
+        snort = "930043-930044"
     strings:
         $s1 = "BabelObfuscatorAttribute" fullword ascii
+        $m1 = ";babelvm;smoketest" ascii wide
+        $m2 = { 62 00 61 00 62 00 65 00 6c 00 76 00 6d [1-20] 73 00 6d 00 6f 00 6b 00 65 00 74 00 65 00 73 00 74 }
+        $m3 = "babelvm" wide
+        $m4 = "smoketest" wide
+        $m5 = /lic[A-F0-9]{8}/ ascii wide // in particular 'lic70F93782'
     condition:
-        uint16(0) == 0x5a4d and 1 of them
+        ((uint16(0) == 0x5a4d and 1 of ($s*)) or (2 of ($m*)))
 }
 
 rule INDICATOR_EXE_Packed_GEN01 {

diff --git a/yara/malware.yar b/yara/malware.yar
@@ -10700,6 +10700,7 @@ rule MALWARE_Win_BlankStealer {
     meta:
         author = "ditekSHen"
         description = "Detects BlankStealer / BlankGrabber / Blank-c Stealer"
+        snort = "923829001"
     strings:
         $s1 = "Blank-c" ascii
         $s2 = "Stealer License" ascii
@@ -11017,6 +11018,7 @@ rule MALWARE_Win_KrakenStealer {
     meta:
         author = "ditekSHen"
         description = "Detect Kraken infostealer"
+        snort = "923828002"
     strings:
         $x1 = /Kraken(_)?(Stub|Keyboard|Clipboard|GeneratorMachine|PostLogs|Screenshot|Keylogs|Password)/ ascii wide
         $s1 = /(get|set)_(Clipboard|Keyboard|Screen)Recorder/ fullword ascii
@@ -11072,3 +11074,89 @@ rule MALWARE_Win_QuiteRAT {
     condition:
         uint16(0) == 0x5a4d and ((all of ($x*) and 1 of ($s*)) or (1 of ($x*) and 3 of ($s*)))
 }
+
+rule MALWARE_PWSH_CUMII {
+    meta:
+        author = "ditekSHen"
+        description = "Detects multi-dropper PowerShell"
+        clamav = "ditekSHen.MALWARE.PWSH.CUMII"
+    strings:
+        $s1 = ".('{1}{$}'.replace('$','0')" ascii nocase
+        $s2 = ",'I').replace('!','ex')" ascii nocase
+        $s3 = "'.replace('*','0001')" ascii nocase
+        $s4 = "Remove-Item $" ascii nocase
+        $s5 = "the File will start cumiing" ascii nocase
+        $b1 = "011001100111010101101110011*" ascii
+        $b2 = "0101001000*1110110*010011111" ascii
+        $b3 = "01001101010110101001*11*0000" ascii
+    condition:
+       (3 of ($s*) and 1 of ($b*))
+}
+
+rule MALWARE_Win_AgnianeStealer {
+    meta:
+        author = "ditekSHen"
+        description = "Detects Agniane infostealer"
+        snort = "923828001"
+        clamav = "ditekSHen.MALWARE.Win.AgnianeStealer"
+    strings:
+        $x1 = "Agniane.pdb" ascii
+        $x2 = "IEnumerable<Agniane.Classes.LogRecord>." ascii
+        $x3 = "Agniane Stealer" wide
+        $x4 = "cinoshibot" wide
+        $x5 = "yqbiguuno2zp5jxsmqbev4rwckvy27bqws5cgm3hiid7xolt65j72kqd.onion" wide
+        $s1 = "<Pass encoding=\"base64\">" wide
+        $s2 = "Domain Detect: detected {0}" wide
+        $s3 = "DOMAINDETECTCOOKIES" ascii
+        $s4 = /(Opera|Edge|Chrome|Brave|Vivaldi|Blink|Universal|Gecko|OperaGx|Firefox)Grabber/ fullword ascii
+        $u1 = "/antivm.php?id=" wide
+        $u2 = "/ferr.php?id=" wide
+        $u3 = ".php?ownerid=" wide
+        $u4 = "&buildid=" wide
+        $u5 = "&username=" wide
+        $u6 = "&BSSID=" wide
+        $u7 = "&rndtoken=" wide
+        $u8 = "&domaindetects=" wide
+    condition:
+       uint16(0) == 0x5a4d and (2 of ($x*) or (1 of ($x*) and (2 of ($s*) or 3 of ($u*))) or (all of ($s*) and 3 of ($u*)) or (7 of ($u*)))
+}
+
+rule MALWARE_Win_TOITOIN_KritaLoader {
+    meta:
+        author = "ditekSHen"
+        description = "Detects TOITOIN KritaLoader"
+        clamav = "ditekSHen.MALWARE.Win.Trojan.TOITOIN"
+    strings:
+       $p1 = ":\\Trabalho_2023\\OFF_2023\\" ascii
+       $p2 = "DLL_Start_OK.pdb" ascii
+       $s1 = "krita_main" fullword ascii
+    condition:
+       uint16(0) == 0x5a4d and (1 of ($p*) and 1 of ($s*))
+}
+
+rule MALWARE_Win_TOITOIN_InjectorDLL {
+    meta:
+        author = "ditekSHen"
+        description = "Detects TOITOIN InjectorDLL"
+        clamav = "ditekSHen.MALWARE.Win.Trojan.TOITOIN"
+    strings:
+       $p1 = ":\\Trabalho_2023\\OFF_2023\\" ascii
+       $p2 = "DLL_START_IN.pdb" ascii
+       $s1 = ".ini" fullword ascii
+       $s2 = "\\users\\Public\\Documents\\" fullword ascii
+    condition:
+       uint16(0) == 0x5a4d and (1 of ($p*) and all of ($s*))
+}
+
+rule MALWARE_Win_TOITOIN_Downloader {
+    meta:
+        author = "ditekSHen"
+        description = "Detects TOITOIN Downloader"
+        clamav = "ditekSHen.MALWARE.Win.Trojan.TOITOIN"
+    strings:
+       $p1 = ":\\Trabalho_2023\\OFF_2023\\" ascii
+       $s1 = { 20 2f 63 20 22 [6-15] 63 00 6d 00 64 00 00 00 6f 00 70 00 65 00 6e }
+       $o1 = { 48 83 fa 10 72 34 48 8b 8d 10 ?? 00 00 48 ff c2 }
+    condition:
+       uint16(0) == 0x5a4d and all of them
+}