New Signatures

yara/apt_irontiger_trendmicro.yar

@@ -124,6 +124,7 @@ rule IronTiger_Gh0stRAT_variant
 		$str4 = "Winds Update" nocase wide ascii
 	condition:
 		uint16(0) == 0x5a4d and (any of ($str*))
+		and not filename == "UpdateSystemMib.exe"
 }
 
 rule IronTiger_GTalk_Trojan

yara/apt_keylogger_cn.yar

@@ -0,0 +1,33 @@
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-03-07
+	Identifier: CN Keylogger APT
+*/
+
+rule Keylogger_CN_APT {
+	meta:
+		description = "Keylogger - generic rule for a Chinese variant"
+		author = "Florian Roth"
+		date = "2016-03-07"
+		score = 75
+		hash = "3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7"
+	strings:
+		$x1 = "Mozilla/4.0 (compatible; MSIE6.0;Windows NT 5.1)" fullword ascii
+		$x2 = "attrib -s -h -r c:\\ntldr" fullword ascii
+		$x3 = "%sWindows NT %d.%d" fullword ascii
+		$x4 = "Referer: http://%s/%s.aspx?n=" fullword ascii
+
+		$s1 = "\\cmd.exe /c \"systeminfo.exe >> " fullword ascii
+		$s2 = "%s\\cmd.exe /c %s >> \"%s\"" fullword ascii
+		$s3 = "shutdown.exe -r -t 0" fullword ascii
+		$s4 = "dir \"%SystemDrive%\\\" /s /a" fullword ascii
+		$s5 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;" fullword ascii
+		$s6 = "http_s.exe" fullword ascii
+		$s7 = "User Agent\\Post Platform\\" fullword ascii
+		$s8 = "desktop.tmp" fullword ascii
+		$s9 = "\\support.icw" fullword ascii
+		$s10 = "agc.tmp" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 100KB and 1 of ($x*) ) or 3 of them
+}

yara/thor-hacktools.yar

@@ -2935,6 +2935,7 @@ rule mimikatz
 		author			= "Benjamin DELPY (gentilkiwi)"
 		tool_author		= "Benjamin DELPY (gentilkiwi)"
       score          = 80
+      type           = "file"
 	strings:
 		$exe_x86_1		= { 89 71 04 89 [0-3] 30 8d 04 bd }
 		$exe_x86_2		= { 89 79 04 89 [0-3] 38 8d 04 b5 }
@@ -3068,3 +3069,41 @@ rule VSSown_VBS {
 	condition:
 		all of them
 }
+
+rule Netview_Hacktool {
+	meta:
+		description = "Network domain enumeration tool - often used by attackers - file Nv.exe"
+		author = "Florian Roth"
+		reference = "https://github.com/mubix/netview"
+		date = "2016-03-07"
+      score = 60
+		hash = "52cec98839c3b7d9608c865cfebc904b4feae0bada058c2e8cdbd561cfa1420a"
+	strings:
+		$s1 = "[+] %ws - Target user found - %s\\%s" fullword wide
+		$s2 = "[*] -g used without group specified - using \"Domain Admins\"" fullword ascii
+		$s3 = "[*] -i used without interval specified - ignoring" fullword ascii
+		$s4 = "[+] %ws - Session - %s from %s - Active: %d - Idle: %d" fullword wide
+		$s5 = "[+] %ws - Backup Domain Controller" fullword wide
+		$s6 = "[-] %ls - Share - Error: %ld" fullword wide
+		$s7 = "[-] %ls - Session - Error: %ld" fullword wide
+		$s8 = "[+] %s - OS Version - %d.%d" fullword ascii
+		$s9 = "Enumerating Logged-on Users" fullword ascii
+		$s10 = ": Specifies a domain to pull a list of hosts from" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 500KB and 2 of them ) or 3 of them
+}
+
+rule Netview_Hacktool_Output {
+	meta:
+		description = "Network domain enumeration tool output - often used by attackers - file filename.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/mubix/netview"
+		date = "2016-03-07"
+      score = 60
+	strings:
+		$s1 = "[*] Using interval:" fullword
+		$s2 = "[*] Using jitter:" fullword
+		$s3 = "[+] Number of hosts:" fullword
+	condition:
+		2 of them
+}