diff --git a/yara/crime_corkow_dll.yar b/yara/crime_corkow_dll.yar
index 85c922a..6492983 100644
--- a/yara/crime_corkow_dll.yar
+++ b/yara/crime_corkow_dll.yar
@@ -4,7 +4,7 @@ rule CorkowDLL {
 meta:
 description = "Rule to detect the Corkow DLL files"
 author = "Group IB"
- date = "2016/02"
+ date = "01.02.2016"
 referenced = "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
 strings:
 $binary1 = { 60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3 }
diff --git a/yara/gen_rats_malwareconfig.yar b/yara/gen_rats_malwareconfig.yar
index 99a4dc5..f52efea 100644
--- a/yara/gen_rats_malwareconfig.yar
+++ b/yara/gen_rats_malwareconfig.yar
@@ -2,7 +2,7 @@ rule RAT_AAR
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects AAR RAT"
 reference = "http://malwareconfig.com/stats/AAR"
 maltype = "Remote Access Trojan"
@@ -26,7 +26,7 @@ rule RAT_Adzok
 author = "Kevin Breen "
 description = "Detects Adzok RAT"
 Versions = "Free 1.0.0.3,"
- date = "2015/05"
+ date = "01.05.2015"
 reference = "http://malwareconfig.com/stats/Adzok"
 maltype = "Remote Access Trojan"
 filetype = "jar"
@@ -50,7 +50,7 @@ rule RAT_Ap0calypse
 meta:
 author = "Kevin Breen "
 description = "Detects Ap0calypse RAT"
- date = "2014/04"
+ date = "01.04.2014"
 reference = "http://malwareconfig.com/stats/Ap0calypse"
 maltype = "Remote Access Trojan"
 filetype = "exe"
@@ -70,7 +70,7 @@ rule RAT_Arcom
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Arcom RAT"
 reference = "http://malwareconfig.com/stats/Arcom"
 maltype = "Remote Access Trojan"
@@ -92,7 +92,7 @@ rule RAT_Bandook
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Bandook RAT"
 reference = "http://malwareconfig.com/stats/bandook"
 maltype = "Remote Access Trojan"
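Review bot: The new `date = "01.02.2016"` asserts a day of month that the replaced `date = "2016/02"` never recorded, so the rewrite adds precision the source did not have; the same applies to every date hunk in gen_rats_malwareconfig.yar and thor-hacktools.yar, where month-only values such as `"2014/04"` and `"07/2014"` become `"01.04.2014"` and `"01.07.2014"`. The DD.MM.YYYY form is also ambiguous to anyone parsing the meta section, since `01.02.2016` reads as 2 January under month-first conventions. If the goal is a uniform meta format, an ISO-style value (constructed example: `date = "2016-02-01"`) is unambiguous and sorts lexically; either way the convention that a day of 01 stands for an unrecorded day deserves a comment once per file, e.g. `// date: day set to 01 where the original rule recorded only month and year`. Each rule's strings and condition sections lie outside the hunks, so detection logic is untouched by this change.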
@@ -118,7 +118,7 @@ rule RAT_BlackNix
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects BlackNix RAT"
 reference = "http://malwareconfig.com/stats/BlackNix"
 maltype = "Remote Access Trojan"
@@ -139,7 +139,7 @@ rule RAT_BlackShades
 {
 meta:
 author = "Brian Wallace (@botnet_hunter)"
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects BlackShades RAT"
 reference = "http://blog.cylance.com/a-study-in-bots-blackshades-net"
 family = "blackshades"
@@ -157,7 +157,7 @@ rule RAT_BlueBanana
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects BlueBanana RAT"
 reference = "http://malwareconfig.com/stats/BlueBanana"
 maltype = "Remote Access Trojan"
@@ -179,7 +179,7 @@ rule RAT_Bozok
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Bozok RAT"
 reference = "http://malwareconfig.com/stats/Bozok"
 maltype = "Remote Access Trojan"
@@ -200,7 +200,7 @@ rule RAT_ClientMesh
 {
 meta:
 author = "Kevin Breen (slightly modified by Florian Roth to improve performance)"
- date = "2014/06"
+ date = "01.06.2014"
 description = "Detects ClientMesh RAT"
 reference = "http://malwareconfig.com/stats/ClientMesh"
 family = "torct"
@@ -222,7 +222,7 @@ rule RAT_CyberGate meta: author = "Kevin Breen " - date = "2014/04" + date = "01.04.2014" description = "Detects CyberGate RAT" reference = "http://malwareconfig.com/stats/CyberGate" maltype = "Remote Access Trojan"
@@ -246,7 +246,7 @@ rule RAT_DarkComet
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects DarkComet RAT"
 reference = "http://malwareconfig.com/stats/DarkComet"
 maltype = "Remote Access Trojan"
@@ -273,7 +273,7 @@ rule RAT_DarkRAT
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects DarkRAT"
 reference = "http://malwareconfig.com/stats/DarkRAT"
 maltype = "Remote Access Trojan"
@@ -296,7 +296,7 @@ rule RAT_Greame
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Greame RAT"
 reference = "http://malwareconfig.com/stats/Greame"
 maltype = "Remote Access Trojan"
@@ -320,7 +320,7 @@ rule RAT_HawkEye
 {
 meta:
 author = "Kevin Breen "
- date = "2015/06"
+ date = "01.06.2015"
 description = "Detects HawkEye RAT"
 reference = "http://malwareconfig.com/stats/HawkEye"
 maltype = "KeyLogger"
@@ -345,7 +345,7 @@ rule RAT_Imminent
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Imminent RAT"
 reference = "http://malwareconfig.com/stats/Imminent"
 maltype = "Remote Access Trojan"
@@ -376,7 +376,7 @@ rule RAT_Infinity
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Infinity RAT"
 reference = "http://malwareconfig.com/stats/Infinity"
 maltype = "Remote Access Trojan"
@@ -400,7 +400,7 @@ rule RAT_JavaDropper
 {
 meta:
 author = "Kevin Breen (slightly modified by Florian Roth to improve performance)"
- date = "2015/10"
+ date = "01.10.2015"
 description = "Detects JavaDropper RAT"
 reference = "http://malwareconfig.com/stats/JavaDropper"
 maltype = "Remote Access Trojan"
@@ -422,7 +422,7 @@ rule RAT_LostDoor
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects LostDoor RAT"
 reference = "http://malwareconfig.com/stats/LostDoor"
 maltype = "Remote Access Trojan"
@@ -448,7 +448,7 @@ rule RAT_LuminosityLink
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects LuminosityLink RAT"
 reference = "http://malwareconfig.com/stats/LuminosityLink"
 maltype = "Remote Access Trojan"
@@ -475,7 +475,7 @@ rule RAT_LuxNet
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects LuxNet RAT"
 reference = "http://malwareconfig.com/stats/LuxNet"
 maltype = "Remote Access Trojan"
@@ -498,7 +498,7 @@ rule RAT_NanoCore
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects NanoCore RAT"
 reference = "http://malwareconfig.com/stats/NanoCore"
 maltype = "Remote Access Trojan"
@@ -526,7 +526,7 @@ rule RAT_NetWire
 {
 meta:
 author = "Kevin Breen & David Cannings"
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects NetWire RAT"
 reference = "http://malwareconfig.com/stats/NetWire"
 maltype = "Remote Access Trojan"
@@ -549,7 +549,7 @@ rule RAT_Pandora
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Pandora RAT"
 reference = "http://malwareconfig.com/stats/Pandora"
 maltype = "Remote Access Trojan"
@@ -578,7 +578,7 @@ rule RAT_Paradox
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Paradox RAT"
 reference = "http://malwareconfig.com/stats/Paradox"
 maltype = "Remote Access Trojan"
@@ -601,7 +601,7 @@ rule RAT_Plasma
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Plasma RAT"
 reference = "http://malwareconfig.com/stats/Plasma"
 maltype = "Remote Access Trojan"
@@ -626,7 +626,7 @@ rule RAT_PoisonIvy
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects PoisonIvy RAT"
 reference = "http://malwareconfig.com/stats/PoisonIvy"
 maltype = "Remote Access Trojan"
@@ -648,7 +648,7 @@ rule RAT_PredatorPain
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects PredatorPain RAT"
 reference = "http://malwareconfig.com/stats/PredatorPain"
 maltype = "Remote Access Trojan"
@@ -677,7 +677,7 @@ rule RAT_Punisher
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Punisher RAT"
 reference = "http://malwareconfig.com/stats/Punisher"
 maltype = "Remote Access Trojan"
@@ -700,7 +700,7 @@ rule RAT_PythoRAT
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Python RAT"
 reference = "http://malwareconfig.com/stats/PythoRAT"
 maltype = "Remote Access Trojan"
@@ -724,7 +724,7 @@ rule RAT_QRat
 {
 meta:
 author = "Kevin Breen @KevTheHermit"
- date = "2015/08"
+ date = "01.08.2015"
 description = "Detects QRAT"
 reference = "http://malwareconfig.com"
 maltype = "Remote Access Trojan"
@@ -788,7 +788,7 @@ rule RAT_ShadowTech
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects ShadowTech RAT"
 reference = "http://malwareconfig.com/stats/ShadowTech"
 maltype = "Remote Access Trojan"
@@ -811,7 +811,7 @@ rule RAT_SmallNet
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects SmallNet RAT"
 reference = "http://malwareconfig.com/stats/SmallNet"
 maltype = "Remote Access Trojan"
@@ -832,7 +832,7 @@ rule RAT_SpyGate
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects SpyGate RAT"
 reference = "http://malwareconfig.com/stats/SpyGate"
 maltype = "Remote Access Trojan"
@@ -860,7 +860,7 @@ rule RAT_Sub7Nation
 {
 meta:
 author = "Kevin Breen (slightly modified by Florian Roth to improve performance)"
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Sub7Nation RAT"
 reference = "http://malwareconfig.com/stats/Sub7Nation"
 maltype = "Remote Access Trojan"
@@ -882,7 +882,7 @@ rule RAT_Vertex
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Vertex RAT"
 reference = "http://malwareconfig.com/stats/Vertex"
 maltype = "Remote Access Trojan"
@@ -906,7 +906,7 @@ rule RAT_VirusRat
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects VirusRAT"
 reference = "http://malwareconfig.com/stats/VirusRat"
 maltype = "Remote Access Trojan"
@@ -934,7 +934,7 @@ rule RAT_Xtreme
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Xtreme RAT"
 reference = "http://malwareconfig.com/stats/Xtreme"
 maltype = "Remote Access Trojan"
@@ -956,7 +956,7 @@ rule RAT_adWind
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects Adwind RAT"
 reference = "http://malwareconfig.com/stats/adWind"
 maltype = "Remote Access Trojan"
@@ -976,7 +976,7 @@ rule RAT_njRat
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects njRAT"
 reference = "http://malwareconfig.com/stats/njRat"
 maltype = "Remote Access Trojan"
@@ -1000,7 +1000,7 @@ rule RAT_unrecom
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects unrecom RAT"
 reference = "http://malwareconfig.com/stats/unrecom"
 maltype = "Remote Access Trojan"
@@ -1021,7 +1021,7 @@ rule RAT_xRAT
 {
 meta:
 author = "Kevin Breen "
- date = "2014/04"
+ date = "01.04.2014"
 description = "Detects xRAT"
 reference = "http://malwareconfig.com/stats/xRat"
 maltype = "Remote Access Trojan"
diff --git a/yara/thor-hacktools.yar b/yara/thor-hacktools.yar
index 06934bb..d02a757 100644
--- a/yara/thor-hacktools.yar
+++ b/yara/thor-hacktools.yar
@@ -122,7 +122,7 @@ rule Fierce2
 license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "This signature detects the Fierce2 domain scanner"
- date = "07/2014"
+ date = "01.07.2014"
 score = 60
 strings:
 $s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,"
@@ -136,7 +136,7 @@ rule Ncrack
 license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "This signature detects the Ncrack brute force tool"
- date = "07/2014"
+ date = "01.07.2014"
 score = 60
 strings:
 $s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via"
@@ -150,7 +150,7 @@ rule SQLMap
 license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "This signature detects the SQLMap SQL injection tool"
- date = "07/2014"
+ date = "01.07.2014"
 score = 60
 strings:
 $s1 = "except SqlmapBaseException, ex:"