rule apt_hellsing_implantstrings { meta: version = "1.0" filetype = "PE" author = "Costin Raiu, Kaspersky Lab" copyright = "Kaspersky Lab" date = "2015-04-07" description = "detection for Hellsing implants" strings: $mz = "MZ" $a1 = "the file uploaded failed !" $a2 = "ping 127.0.0.1" $b1 = "the file downloaded failed !" $b2 = "common.asp" $c = "xweber_server.exe" $d = "action=" $debugpath1 = "d:\\Hellsing\\release\\msger\\" nocase $debugpath2 = "d:\\hellsing\\sys\\xrat\\" nocase $debugpath3 = "D:\\Hellsing\\release\\exe\\" nocase $debugpath4 = "d:\\hellsing\\sys\\xkat\\" nocase $debugpath5 = "e:\\Hellsing\\release\\clare" nocase $debugpath6 = "e:\\Hellsing\\release\\irene\\" nocase $debugpath7 = "d:\\hellsing\\sys\\irene\\" nocase $e = "msger_server.dll" $f = "ServiceMain" condition: ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000 } rule apt_hellsing_installer { meta: version = "1.0" filetype = "PE" author = "Costin Raiu, Kaspersky Lab" copyright = "Kaspersky Lab" date = "2015-04-07" description = "detection for Hellsing xweber/msger installers" strings: $mz = "MZ" $cmd = "cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\"" $a1 = "xweber_install_uac.exe" $a2 = "system32\\cmd.exe" wide $a4 = "S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" $a5 = "S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6 = "7dqm2ODf5N/Y2N/m6+br3dnZpunl44g=" $a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==" $a8 = "vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSINjl2tyI" $a9 = "C:\\Windows\\System32\\sysprep\\sysprep.exe" wide $a10 = "%SystemRoot%\\system32\\cmd.exe" wide $a11 = "msger_install.dll" $a12 = {00 65 78 2E 64 6C 6C 00} condition: ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000 } rule apt_hellsing_proxytool { meta: version = "1.0" filetype = "PE" author = "Costin Raiu, Kaspersky Lab" copyright = "Kaspersky Lab" date = "2015-04-07" description = "detection for Hellsing proxy testing tool" strings: $mz = "MZ" $a1 = "PROXY_INFO: automatic proxy url => %s" $a2 = "PROXY_INFO: connection type => %d" $a3 = "PROXY_INFO: proxy server => %s" $a4 = "PROXY_INFO: bypass list => %s" $a5 = "InternetQueryOption failed with GetLastError() %d" $a6 = "D:\\Hellsing\\release\\exe\\exe\\" nocase condition: ($mz at 0) and (2 of ($a*)) and filesize < 300000 } rule apt_hellsing_xkat { meta: version = "1.0" filetype = "PE" author = "Costin Raiu, Kaspersky Lab" copyright = "Kaspersky Lab" date = "2015-04-07" description = "detection for Hellsing xKat tool" strings: $mz = "MZ" $a1 = "\\Dbgv.sys" $a2="XKAT_BIN" $a3="release sys file error." $a4 = "driver_load error. " $a5 = "driver_create error." $a6 = "delete file:%s error." $a7 = "delete file:%s ok." $a8 = "kill pid:%d error." $a9 = "kill pid:%d ok." $a10 = "-pid-delete" $a11 = "kill and delete pid:%d error." $a12 = "kill and delete pid:%d ok." condition: ($mz at 0) and (6 of ($a*)) and filesize < 300000 } rule apt_hellsing_msgertype2 { meta: version = "1.0" filetype = "PE" author = "Costin Raiu, Kaspersky Lab" copyright = "Kaspersky Lab" date = "2015-04-07" description = "detection for Hellsing msger type 2 implants" strings: $mz = "MZ" $a1 = "%s\\system\\%d.txt" $a2 = "_msger" $a3 = "http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s" $a4 = "http://%s/data/%s.1000001000" $a5 = "/lib/common.asp?action=user_upload&file=" $a6 = "%02X-%02X-%02X-%02X-%02X-%02X" condition: ($mz at 0) and (4 of ($a*)) and filesize < 500000 } rule apt_hellsing_irene { meta: version = "1.0" filetype = "PE" author = "Costin Raiu, Kaspersky Lab" copyright = "Kaspersky Lab" date = "2015-04-07" description = "detection for Hellsing msger irene installer" strings: $mz = "MZ" $a1 = "\\Drivers\\usbmgr.tmp" wide $a2 = "\\Drivers\\usbmgr.sys" wide $a3 = "common_loadDriver CreateFile error!" $a4 = "common_loadDriver StartService error && GetLastError():%d!" $a5 = "irene" wide $a6 = "aPLib v0.43 - the smaller the better" condition: ($mz at 0) and (4 of ($a*)) and filesize < 500000 }