[ { "id": 2112668010, "indicator": "444cac2a821b806c4c87d2e1196c588babdefea3", "type": "YARA", "created": "2019-05-29T10:34:57", "content": "import \"pe\"\nrule veter_random { \n meta: \n description = \"Yara rule for veter_trojan\" \n author = \"Cybaze - Yoroi ZLab\" \n last_updated = \"2019-05-22\" \n tlp = \"white\" \n category = \"informational\" \n strings: \n $a = { 5E C2 04 00 F6 44 24 04 01 56 } \n \n $b1 = { 01 8B 02 8B 48 04 03} \n $b2 = { 4A 3B C2 7E 08 8B C2 } \n \n $c1 = { E8 83 CA 04 89 55 E8 } \n $c2 = { 1F DF 70 07 22 84 82 } \n \n condition: \n $a and (($b1 and $b2 and pe.version_info[\"CompanyName\"] contains \"Miranda\") or ($c1 and $c2 and pe.version_info[\"InternalName\"] contains \"DrldwgRom\")) \n }", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668011, "indicator": "2abefc33dff723b585a9ce6929a1c3a2af3b2046", "type": "YARA", "created": "2019-05-29T10:34:57", "content": "import \"pe\"\nrule winserv_exe { \n meta: \n description = \"Yara rule for winserv backdoor\" \n author = \"Cybaze - Yoroi ZLab\" \n last_updated = \"2019-05-22\" \n tlp = \"white\" \n category = \"informational\" \n strings: \n $a1 = \"MPRESS1\" \n $a2 = { 90 C4 73 05 E6 92 } \n $a3 = { E9 64 4B 56 3F EC } \n $a4 = { 10 EF D0 E1 36 E1 14 3C } \n \n condition: \n all of them and pe.version_info[\"CompanyName\"] contains \"tox\" \n }", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668012, "indicator": "1977cf07ee7511f68c3d01e906dc1745ddf8cd04", "type": "YARA", "created": "2019-05-29T10:34:57", "content": "import \"pe\"\nrule pasmmm_exe { \n meta: \n description = \"Yara rule for pasmmm SFX archive\" \n author = \"Cybaze - Yoroi ZLab\" \n last_updated = \"2019-05-22\" \n tlp = \"white\" \n category = \"informational\" \n strings: \n $a1 = { 1C Cf 43 39 C8 32 B4 B0 } \n $a2 = { 60 6C B8 7C 5F FA } \n $a3 = \"LookupPrivilege\" \n $a4 = \"LoadBitmap\" \n \n condition: \n pe.number_of_sections == 6 and all of them \n }", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668013, "indicator": "b9c88a055c1d668961f2b822495a5973231ec514", "type": "YARA", "created": "2019-05-29T10:34:57", "content": "import \"pe\"\nrule uninstall_exe { \n meta: \n description = \"Yara rule for uninstall SFX archive\" \n author = \"Cybaze - Yoroi ZLab\" \n last_updated = \"2019-05-22\" \n tlp = \"white\" \n category = \"informational\" \n strings: \n $a1 = { E8 68 BA 01 00 51 } \n $a2 = { 58 E9 8B C6 4F 6F 7A } \n $a3 = { D9 4E D5 FA D4 34 } \n \n condition: \n pe.number_of_resources == 24 and all of them \n }", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668014, "indicator": "9410b555cbcad5af30642dcc1f9a8e28241f5ba9", "type": "YARA", "created": "2019-05-29T10:34:57", "content": "rule excel_dropper { \n meta: \n description = \"Yara rule for excel dropper\" \n author = \"Cybaze - Yoroi ZLab\" \n last_updated = \"2019-05-22\" \n tlp = \"white\" \n category = \"informational\" \n strings: \n $a1 = { 98 C3 AB F0 E7 F3 BD F4 } \n $a2 = { 41 6E D5 7E F0 10 AB A7 } \n $a3 = \"gxbgarjktzyu\" \n $a4 = \"Bob Brown\" \n \n condition: \n all of them \n }", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668015, "indicator": "fd701894e7ec8d8319bc9b32bba5892b11bdf608c3d04c2f18eff83419eb6df0", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668016, "indicator": "c69ce39ac3e178a89076136af7418c6cb664844b0ce5cb643912ed56c373a08a", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668017, "indicator": "1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668018, "indicator": "aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668019, "indicator": "2b5eefc4bc2d34cbe5093332c47b5405cf5c32e8156767fc8bc9ddd9cdcf3018", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 1588562611, "indicator": "609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668020, "indicator": "5310c2397ba4c783f7ee9724711a6da9b5c603b5c9781fff3407b46725e338b3", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668021, "indicator": "210bb55664d291d82b94b9cea6fcf41029eded9eca6e7fe7b7d58715407a0703", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668022, "indicator": "6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 2112668023, "indicator": "0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273", "type": "FileHash-SHA256", "created": "2019-05-29T10:34:57", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 } ]