From af79a0ea5525ba2f95200b972c8e202532b74786 Mon Sep 17 00:00:00 2001
From: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 30 Jun 2025 00:27:56 +0000
Subject: [PATCH] Update third-party rules as of 2025-06-30

---
 third_party/yara/YARAForge/RELEASE | 2 +-
 .../yara/YARAForge/yara-rules-full.yar | 1233 ++++++++---------
 .../yara/elastic/Linux_Rootkit_Generic.yar | 21 +
 .../yara/elastic/Linux_Trojan_Mirai.yar | 20 -
 third_party/yara/elastic/RELEASE | 2 +-
 5 files changed, 620 insertions(+), 658 deletions(-)

diff --git a/third_party/yara/YARAForge/RELEASE b/third_party/yara/YARAForge/RELEASE
index 9ab4803a6..b64dbd127 100644
--- a/third_party/yara/YARAForge/RELEASE
+++ b/third_party/yara/YARAForge/RELEASE
@@ -1 +1 @@
-20250622
+20250629
diff --git a/third_party/yara/YARAForge/yara-rules-full.yar b/third_party/yara/YARAForge/yara-rules-full.yar
index 174aeeb76..f95c00f20 100644
--- a/third_party/yara/YARAForge/yara-rules-full.yar
+++ b/third_party/yara/YARAForge/yara-rules-full.yar
@@ -12,24 +12,24 @@
  * Force Exclude Importance Level: 0
  * Minimum Age (in days): 0
  * Minimum Score: 40
- * Creation Date: 2025-06-22
- * Number of Rules: 11333
- * Skipped: 0 (age), 222 (quality), 7 (score), 0 (importance)
+ * Creation Date: 2025-06-29
+ * Number of Rules: 11331
+ * Skipped: 0 (age), 224 (quality), 7 (score), 0 (importance)
  */
 
-import "hash"
+import "math"
 import "console"
+import "hash"
 import "pe"
-import "elf"
 import "dotnet"
-import "math"
+import "elf"
 
 /*
  * YARA Rule Set
  * Repository Name: ReversingLabs
  * Repository: https://github.com/reversinglabs/reversinglabs-yara-rules/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
  * Git Commit: e3267cfb8a5a81fad12e7e7e3112ac574086046a
  * Number of Rules: 1230
  * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -8178,8 +8178,8 @@ rule REVERSINGLABS_Win32_Ransomware_ONI : TC_DETECTION MALICIOUS MALWARE FILE
  description = "Yara rule that detects Oni ransomware."
  author = "ReversingLabs"
  id = "9190aee2-1119-546e-82ca-a7aba44a9d7f"
- date = "2025-06-22"
- date = "2025-06-22"
+ date = "2025-06-29"
+ date = "2025-06-29"
  modified = "2020-12-07"
  reference = "ReversingLabs"
  source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e3267cfb8a5a81fad12e7e7e3112ac574086046a/yara/ransomware/Win32.Ransomware.Oni.yara#L1-L82"
@@ -14272,8 +14272,8 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct : TC_DETECTION MALICIOUS MALWARE
  description = "Yara rule that detects Oct ransomware."
  author = "ReversingLabs"
  id = "e811a0ba-52df-5e88-ab71-df91d5cb584a"
- date = "2025-10-22"
- date = "2025-10-22"
+ date = "2025-10-29"
+ date = "2025-10-29"
  modified = "2021-08-12"
  reference = "ReversingLabs"
  source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e3267cfb8a5a81fad12e7e7e3112ac574086046a/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara#L1-L68"
@@ -56639,8 +56639,8 @@ rule REVERSINGLABS_Linux_Virus_Vit : TC_DETECTION MALICIOUS MALWARE FILE
  description = "Yara rule that detects Vit virus."
  author = "ReversingLabs"
  id = "4515fe43-4c5a-521d-82b7-273823f0c64e"
- date = "2025-06-22"
- date = "2025-06-22"
+ date = "2025-06-29"
+ date = "2025-06-29"
  modified = "2023-06-07"
  reference = "ReversingLabs"
  source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e3267cfb8a5a81fad12e7e7e3112ac574086046a/yara/virus/Linux.Virus.Vit.yara#L3-L36"
@@ -58584,7 +58584,7 @@ rule REVERSINGLABS_Bytecode_MSIL_Infostealer_Gomorrahstealer : TC_DETECTION MALI
  * YARA Rule Set
  * Repository Name: R3c0nst
  * Repository: https://github.com/fboldewin/YARA-rules/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
  * Git Commit: 54e9e6899b258b72074b2b4db6909257683240c2
  * Number of Rules: 26
  * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
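Review bot: The new side of the `REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct` hunk sets `date = "2025-10-29"` in a bundle built on 2025-06-29, four months in the future and out of step with the `2025-06-29` the sibling rules in this same patch receive; the bundler appears to be stamping the retrieval date into `date` and something about this rule (possibly the "Oct" in its name) is being mangled, but that is an inference from the visible lines, not something the diff proves. Each of these rules also carries `date` twice and a `modified` value that predates `date`, so `date` no longer reflects rule authorship and should not be used for age-based triage or for the bundle's own "Minimum Age" filter. This is an upstream YARA Forge artifact rather than something to hand-edit here, but the vendoring workflow would catch it cheaply with a post-fetch check that every rule's `date` is not later than the `Creation Date` in the bundle header and that no meta key repeats, for example `yara -w` plus a small script over the `meta:` blocks, reported upstream rather than patched locally.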
@@ -59343,9 +59343,9 @@ rule R3C0NST_ATM_Malware_ATMITCH : FILE
  * YARA Rule Set
  * Repository Name: CAPE
  * Repository: https://github.com/kevoreilly/CAPEv2
- * Retrieval Date: 2025-06-22
- * Git Commit: 359936d50bcc1c773e6c9bea770de8556b590a1a
- * Number of Rules: 169
+ * Retrieval Date: 2025-06-29
+ * Git Commit: 3892929bec8fdca10f61a7974a9ab584da8963fd
+ * Number of Rules: 168
  * Skipped: 0 (age), 15 (quality), 3 (score), 0 (importance)
  *
  *
@@ -60026,8 +60026,8 @@ rule CAPE_Themida : FILE
  date = "2024-09-11"
  modified = "2024-09-11"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/binaries/Themida.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/binaries/Themida.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "c4f1e01a3fe3cb66062ce03253bfe9edc09dc6f1a77db99b281106e8ceff9257"
  score = 75
  quality = 70
@@ -60049,11 +60049,11 @@ rule CAPE_Asyncrat_Kingrat
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L1-L30"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L1-L30"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "1400d2029dfb66d8f2dc34db8643d6301f3af9bd356639f883d2c10bcc0c3947"
  score = 75
- quality = 33
+ quality = 58
  tags = ""
  cape_type = "AsyncRAT Payload"
 
@@ -60088,8 +60088,8 @@ rule CAPE_Stormkitty : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L32-L57"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L32-L57"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "258f5d9da80ff912459194b1139f062491df21a44456942951e2bd98e4b86c9b"
  score = 75
  quality = 66
@@ -60124,8 +60124,8 @@ rule CAPE_Worldwind : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L60-L82"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L60-L82"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "9bb04fad460193cd877ea7f2de9337f69aadda01aee6c79f0a23cdf564b1e6c8"
  score = 75
  quality = 70
@@ -60160,11 +60160,11 @@ rule CAPE_Prynt : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L85-L107"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L85-L107"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "84f2b33285ab1d129a62940a02990639cc8f7c92d490d7257e6aed9170d1e34e"
  score = 75
- quality = 45
+ quality = 70
  tags = "FILE"
  cape_type = "Prynt Payload"
 
@@ -60196,11 +60196,11 @@ rule CAPE_Xworm : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L110-L136"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L110-L136"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "5a86c2f0a188135e53d86c176806a208abbe3dd830bde364016859ffa5294bd7"
  score = 75
- quality = 43
+ quality = 68
  tags = "FILE"
  cape_type = "XWorm Payload"
 
@@ -60236,8 +60236,8 @@ rule CAPE_Xworm_Kingrat
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L138-L155"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L138-L155"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "3914be652bb7271e5e6b89d05edf10a54f8ddaf9e22d194b60501aa2cdd495d3"
  score = 75
  quality = 66
@@ -60268,11 +60268,11 @@ rule CAPE_Dcrat : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L157-L222"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L157-L222"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "5a02dcc2b9c7eb3efdba39047e37886240b45fb7e2db3b82aa5b4b9526dfb7f8"
  score = 75
- quality = 20
+ quality = 45
  tags = "FILE"
  cape_type = "DCRat Payload"
 
@@ -60342,8 +60342,8 @@ rule CAPE_Dcrat_Kingrat
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L224-L243"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L224-L243"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "73ac27c3f0fc71d053e89690b5a7d29c1f8b0ea0a22e8595148a9001799fae54"
  score = 75
  quality = 62
@@ -60375,8 +60375,8 @@ rule CAPE_Quasarrat : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L245-L266"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L245-L266"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "556b19dc0980761198ea31a285f281adae084463d24bff1eda15326436ad562b"
  score = 75
  quality = 70
@@ -60410,8 +60410,8 @@ rule CAPE_Quasarrat_Kingrat
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AsyncRAT.yar#L268-L287"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AsyncRAT.yar#L268-L287"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "1f4296a592134edbe52e256dc353143af02e897ff1afad98f3dac0c5ab13f3f7"
  score = 75
  quality = 70
@@ -60443,8 +60443,8 @@ rule CAPE_Scarab : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Scarab.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Scarab.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "0d8fa7ab4c8e5699f17f9e9444e85a42563a840a8e7ee9eda54add3a6845d1c6"
  score = 75
  quality = 70
@@ -60468,8 +60468,8 @@ rule CAPE_Vidar : FILE
  date = "2023-04-21"
  modified = "2023-04-21"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Vidar.yar#L1-L22"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Vidar.yar#L1-L22"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "5d4c030536ed41cf4e0dcb77b2fe4553d789ee2b8095a4b3e050692335a8709d"
  score = 75
  quality = 70
@@ -60502,8 +60502,8 @@ rule CAPE_Jaff : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Jaff.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Jaff.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "6806a5eeee04b7436ff694addc334bfc0f1ee611116904d57be9506acfd47418"
  score = 75
  quality = 70
@@ -60528,8 +60528,8 @@ rule CAPE_Doomedloader : FILE
  date = "2024-05-09"
  modified = "2024-05-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/DoomedLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/DoomedLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "54a5962ef49ebf987908c4ea1559788f7c96a7e4ea61d2973636e998a0239c77"
  score = 75
  quality = 70
@@ -60553,8 +60553,8 @@ rule CAPE_Ramnit : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Ramnit.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Ramnit.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "6f661f47bdf8377b0fb96f190fcb964c0ed2b43ce7ae7880f9dfce9e43837efd"
  score = 75
  quality = 70
@@ -60578,8 +60578,8 @@ rule CAPE_Locky : FILE
  date = "2022-06-09"
  modified = "2022-06-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Locky.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Locky.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "9786c54a2644d9581fefe64be11b26e22806398e54e961fa4f19d26eae039cd7"
  score = 75
  quality = 70
@@ -60603,8 +60603,8 @@ rule CAPE_Carbanak : FILE
  date = "2024-03-18"
  modified = "2024-03-18"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Carbanak.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Carbanak.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  hash = "c9c1b06cb9c9bd6fc4451f5e2847a1f9524bb2870d7bb6f0ee09b9dd4e3e4c84"
  logic_hash = "8ed5ab07f1635dc7cdf296e86a71a0a99d0b2faef8fc460f43d426b24b8c8367"
  score = 75
@@ -60629,8 +60629,8 @@ rule CAPE_Stealc : FILE
  date = "2024-09-10"
  modified = "2024-09-10"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Stealc.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Stealc.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
  logic_hash = "a6165168b7c74761b91d1691465688c748227b830813067edb4e9bdc934271c4"
  score = 75
@@ -60654,8 +60654,8 @@ rule CAPE_Dridexloader : FILE
  date = "2021-03-10"
  modified = "2021-03-10"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/DridexLoader.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/DridexLoader.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "20696b1f14539c8ecf21bffc696596040c20b1ee2fcedc173945482c0baca588"
  score = 75
  quality = 70
@@ -60682,8 +60682,8 @@ rule CAPE_Aurorastealer : FILE
  date = "2022-12-14"
  modified = "2023-03-31"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AuroraStealer.yar#L1-L74"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AuroraStealer.yar#L1-L74"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "0d10e9268184f494a73d5b4ab0d9a478ad0c26d2ef13d5134f8c9769f028b8f5"
  score = 75
  quality = 45
@@ -60762,8 +60762,8 @@ rule CAPE_Petya : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Petya.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Petya.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "f819261bb34f3b2eb7dc2f843b56be25105570fe902a77940a632a54fbe0d014"
  score = 75
  quality = 70
@@ -60787,8 +60787,8 @@ rule CAPE_Eternalromance : FILE
  date = "2022-06-09"
  modified = "2022-06-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/EternalRomance.yar#L1-L33"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/EternalRomance.yar#L1-L33"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "5390fae3e2411a715cdc965df8648c0c4c511d53d5f76031714f1b784b58eb0d"
  score = 75
  quality = 68
@@ -60832,8 +60832,8 @@ rule CAPE_Tclient : FILE
  date = "2022-06-09"
  modified = "2022-06-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/TClient.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/TClient.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "6edcd01e4722b367723ed77d9596877d16ee35dc4c160885d125f83e45cee24d"
  score = 75
  quality = 70
@@ -60855,8 +60855,8 @@ rule CAPE_Zloader : FILE
  date = "2025-04-07"
  modified = "2025-04-07"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Zloader.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Zloader.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  hash = "adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa"
  logic_hash = "525670973b67aac048199529c97d6be00b0a8cca9bc90deb647366d92a5ea540"
  score = 75
@@ -60885,8 +60885,8 @@ rule CAPE_Zerot : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/ZeroT.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/ZeroT.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "f60ae25ac3cd741b8bdc5100b5d3c474b5d9fbe8be88bfd184994bae106c3803"
  score = 75
  quality = 68
@@ -60912,8 +60912,8 @@ rule CAPE_Nanolocker : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/NanoLocker.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/NanoLocker.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "fe6c8a4e259c3c526f8f50771251f6762b2b92a4df2e8bfc705f282489f757db"
  score = 75
  quality = 70
@@ -60937,8 +60937,8 @@ rule CAPE_Bruteratel
  date = "2024-07-11"
  modified = "2024-07-11"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/BruteRatel.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/BruteRatel.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "0984977c716d6f8e068c045166eb5db77c9fbce27513e555dceca348375f1a66"
  score = 75
  quality = 70
@@ -60963,8 +60963,8 @@ rule CAPE_Latrodectus
  date = "2025-05-10"
  modified = "2025-05-10"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Latrodectus.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Latrodectus.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  hash = "a547cff9991a713535e5c128a0711ca68acf9298cc2220c4ea0685d580f36811"
  logic_hash = "a8430299930f4c8de0a88c6836d4821871f7183cc5ff44ea9be84fbea47bbb13"
  score = 75
@@ -60991,8 +60991,8 @@ rule CAPE_Latrodectus_AES
  date = "2025-05-10"
  modified = "2025-05-10"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Latrodectus.yar#L18-L34"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Latrodectus.yar#L18-L34"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  hash = "5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8"
  logic_hash = "058d278c16527969066d1b4ea7f0e3ab2809d5480cdab06ec476b465e0c4795a"
  score = 75
@@ -61020,8 +61020,8 @@ rule CAPE_Rcsession
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/RCSession.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/RCSession.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "ebd1e9e615a91c35b36332cad55519607323469df738cec4464288b45787630d"
  score = 75
  quality = 70
@@ -61044,8 +61044,8 @@ rule CAPE_Amadey : FILE
  date = "2023-09-04"
  modified = "2023-09-04"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Amadey.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Amadey.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  hash = "988258716d5296c1323303e8fe4efd7f4642c87bfdbe970fe9a3bb3f410f70a4"
  logic_hash = "38f710b422a3644c9f0f3e80ad9ff28ef02050368c651a6cc2ce8b152b67bf48"
  score = 75
@@ -61070,8 +61070,8 @@ rule CAPE_Doppelpaymer : FILE
  date = "2022-06-27"
  modified = "2022-06-27"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/DoppelPaymer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/DoppelPaymer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "73a2575671bafc31a70af3ce072d6f94ae172b12202baebba586a02524cb6f9d"
  score = 75
  quality = 70
@@ -61094,8 +61094,8 @@ rule CAPE_Ursnifv3 : FILE
  date = "2023-03-23"
  modified = "2023-03-23"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/UrsnifV3.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/UrsnifV3.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "501cd52388aba16f9d33b4555f310e1ad58326916b15358a485c701acb87abd8"
  score = 75
  quality = 70
@@ -61124,8 +61124,8 @@ rule CAPE_Obfuscar : FILE
  date = "2025-03-07"
  modified = "2025-03-07"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Obfuscar.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Obfuscar.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "54581e83e5fa13fae4bda74016b3fa1d18c92e2659f493ebe54d70fd5f77bba5"
  score = 75
  quality = 70
@@ -61146,8 +61146,8 @@ rule CAPE_Bazar : FILE
  date = "2022-06-09"
  modified = "2022-06-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Bazar.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Bazar.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "9375f59b56e47fd0b90b089afdf3be8f16f960038fc625523a2e2d5509ab099d"
  score = 75
  quality = 70
@@ -61170,8 +61170,8 @@ rule CAPE_Formbook
  date = "2023-10-13"
  modified = "2023-10-13"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Formbook.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Formbook.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "63ee4dd6fe5ed2a3e5ee88ba7de48d2c9e0024961a550d0fdb68891c9885e05e"
  score = 75
  quality = 70
@@ -61200,8 +61200,8 @@ rule CAPE_Lumma : FILE
  date = "2024-10-22"
  modified = "2024-10-22"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Lumma.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Lumma.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
  logic_hash = "44408ffa7870dbc1a8a31567dd743f46542da01ed8083e5413392920b9d1bafe"
  score = 75
  quality = 70
@@ -61227,8 +61227,8 @@ rule CAPE_Badrabbit : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/BadRabbit.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/BadRabbit.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "309e14ab4ea2f919358631f9d8b2aaff1f51e7708b6114e4e6bf4a9d9a5fc86c"
 score = 75
 quality = 70
@@ -61252,8 +61252,8 @@ rule CAPE_Cerber : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Cerber.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Cerber.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "16a8f808c28d3b142c079a305aba7f553f2452e439710bf610a06f8f2924d5a3"
 score = 75
 quality = 70
@@ -61275,8 +61275,8 @@ rule CAPE_Nemty : FILE
 date = "2020-04-03"
 modified = "2020-04-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Nemty.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Nemty.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "a05974b561c67b4f1e0812639b74831edcf65686a06c0d380f0b45739e342419"
 score = 75
 quality = 70
@@ -61300,8 +61300,8 @@ rule CAPE_Hermes : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Hermes.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Hermes.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "9bc974173f39a57e7adfbf8ae106a20d960557696b4c3ce16e9b4e47d3e9e95b"
 score = 75
 quality = 70
@@ -61325,8 +61325,8 @@ rule CAPE_Kovter : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Kovter.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Kovter.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "888fccb8fbfbe6c05ec63bc5658b4743f8e10a96ef51b3868c2ff94afec76f2d"
 score = 75
 quality = 70
@@ -61351,8 +61351,8 @@ rule CAPE_Rhadamanthys
 date = "2023-09-18"
 modified = "2023-09-18"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Rhadamanthys.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Rhadamanthys.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "f71bee3ef1dd7b16a55397645d16c0a20d1fdd3bf662f241c0b11796629b11ff"
 score = 75
 quality = 70
@@ -61377,8 +61377,8 @@ rule CAPE_Adaptixbeacon
 date = "2025-06-16"
 modified = "2025-06-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AdaptixBeacon.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AdaptixBeacon.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
 logic_hash = "a05b5fed6328229f8490731ef9884f5b8225f8628b81dc199ea5c11fa25b8d0c"
 score = 75
@@ -61405,8 +61405,8 @@ rule CAPE_Qakbot5 : FILE
 date = "2024-04-28"
 modified = "2024-04-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/QakBot.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/QakBot.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35"
 logic_hash = "cc23a92f45619d44af824128b743c259dd9dfa7cb5106932f3425f3dfd1dccdf"
 score = 75
@@ -61432,8 +61432,8 @@ rule CAPE_Qakbot4 : FILE
 date = "2024-04-28"
 modified = "2024-04-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/QakBot.yar#L17-L35"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/QakBot.yar#L17-L35"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "b2870e33abffbb3ff49b7891b0f5c538ab48ee63da5553929d4e37dec921344f"
 score = 75
 quality = 70
@@ -61463,8 +61463,8 @@ rule CAPE_Xenorat
 date = "2024-10-09"
 modified = "2024-10-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/XenoRAT.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/XenoRAT.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "26f520fb69a52d05786fac0e9e38f5db9601da0a3e7768e00975a9684f3560ef"
 score = 75
 quality = 66
@@ -61491,8 +61491,8 @@ rule CAPE_Kronos : FILE
 date = "2020-07-02"
 modified = "2020-07-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Kronos.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Kronos.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "52ce9caf3627efe8ae86df6ca59e51e9f738e13ac0265f797e8d70123dbcaeb3"
 score = 75
 quality = 70
@@ -61517,8 +61517,8 @@ rule CAPE_Darkgate
 date = "2024-02-26"
 modified = "2024-02-26"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/DarkGate.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/DarkGate.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "25c0e77a83676c6a18445f8df0b1f7a9148de5f64eeb532f9a4f4d4652dd8191"
 score = 75
 quality = 70
@@ -61545,8 +61545,8 @@ rule CAPE_Buerloader : FILE
 date = "2022-05-31"
 modified = "2022-05-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/BuerLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/BuerLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "05c1f008f0a2bb8232867977fb23a5ae8312f10f0637c6265561052596319c29"
 score = 75
 quality = 70
@@ -61570,8 +61570,8 @@ rule CAPE_Bitpaymer : FILE
 date = "2019-11-27"
 modified = "2019-11-27"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/BitPaymer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/BitPaymer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "6ae0dc9a36da13e483d8d653276b06f59ecc15c95c754c268dcc91b181677c4c"
 score = 75
 quality = 70
@@ -61594,8 +61594,8 @@ rule CAPE_Magniber : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Magniber.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Magniber.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "1875754bdf98c1886f31f6c6e29992a98180f74d8fa168ae391e2c660d760618"
 score = 75
 quality = 70
@@ -61617,8 +61617,8 @@ rule CAPE_Sedreco : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Sedreco.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Sedreco.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "f735549606917f59a19157e604e54766e4456bc5d46e94cae3e0a3c18b52a7ca"
 score = 75
 quality = 70
@@ -61642,8 +61642,8 @@ rule CAPE_Kpot : FILE
 date = "2020-10-19"
 modified = "2020-10-19"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Kpot.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Kpot.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "75abaab9a10e8ac8808425c389238285ab9bd9cb76f0cd03cc1e35b3ea0a1b0f"
 score = 75
 quality = 70
@@ -61667,8 +61667,8 @@ rule CAPE_Blister : FILE
 date = "2023-09-20"
 modified = "2023-09-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Blister.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Blister.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2"
 hash = "d3eab2a134e7bd3f2e8767a6285b38d19cd3df421e8af336a7852b74f194802c"
 logic_hash = "f26d85fdf0eb07e67fe38c43c5f6d024bfb7b2a333cb3411f5cdcff6bf5db12d"
@@ -61696,8 +61696,8 @@ rule CAPE_Azorult : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Azorult.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Azorult.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "4691cf48d513d1965416b0cce1b6e19c8f7b393a940afd68b7c6ca8c0d125d90"
 score = 75
 quality = 70
@@ -61720,8 +61720,8 @@ rule CAPE_Cobaltstrikestager
 date = "2023-01-18"
 modified = "2023-01-18"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "6a55b0c3ab5f557dfb7a3f8bd616ede1bd9b93198590fc9d52aa19c1154388c5"
 score = 75
 quality = 70
@@ -61746,8 +61746,8 @@ rule CAPE_Rozena
 date = "2024-03-15"
 modified = "2024-03-15"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Rozena.yar#L1-L10"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Rozena.yar#L1-L10"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "c415a8108b58a125a604031bb8d73b58a8aae5429b5b765e35fa8a4add9cd135"
 score = 75
 quality = 70
@@ -61770,8 +61770,8 @@ rule CAPE_Remcos : FILE
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Remcos.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Remcos.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "38142e784ad437d9592353b924f74777bb62e5ed176c811230a2021a437d4710"
 score = 75
 quality = 68
@@ -61796,8 +61796,8 @@ rule CAPE_Gandcrab : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Gandcrab.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Gandcrab.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "354ed566dbafbe8e9531bb771d9846952eb8c0e70ee94c26d09368159ce4142c"
 score = 75
 quality = 70
@@ -61822,8 +61822,8 @@ rule CAPE_Cryptoshield : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Cryptoshield.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Cryptoshield.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "46064b4c69cb1af01330c5d194ef50728e0f0479e9fbf72828822935f8e37ac6"
 score = 75
 quality = 70
@@ -61847,8 +61847,8 @@ rule CAPE_Masslogger : FILE
 date = "2020-11-24"
 modified = "2020-11-24"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/MassLogger.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/MassLogger.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "c8d82694810aafbdc6a35a661e7431e9536035e2f7fef90b9359064c4209b66c"
 score = 75
 quality = 70
@@ -61871,8 +61871,8 @@ rule CAPE_Ryuk : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Ryuk.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Ryuk.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "b4463993d8956e402b927a3dcfa2ca9693a959908187f720372f2d3a40e6db0c"
 score = 75
 quality = 70
@@ -61897,8 +61897,8 @@ rule CAPE_Smokeloader
 date = "2024-11-12"
 modified = "2024-11-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/SmokeLoader.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/SmokeLoader.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "779e2ac213e5ced7bc06e6208826b65cf8fc3113a69ede6408b84055542fa76d"
 score = 75
 quality = 70
@@ -61923,8 +61923,8 @@ rule CAPE_Azer : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Azer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Azer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "48bd4a4e071f10d1911c4173a0cd39c69fed7a3b29eb92beffe709899f4cefa5"
 score = 75
 quality = 70
@@ -61948,8 +61948,8 @@ rule CAPE_Varenyky : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Varenyky.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Varenyky.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "602f1b8b60b29565eabe2171fde4eb58546af68f8acecad402a7a51ea9a08ed9"
 score = 75
 quality = 70
@@ -61971,8 +61971,8 @@ rule CAPE_Oyster
 date = "2024-05-30"
 modified = "2024-05-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Oyster.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Oyster.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650"
 logic_hash = "23ab1518712dbce8319b87785d7ffc0c2b61de82c2bbf533ebf0aae39ec33540"
 score = 75
@@ -62002,8 +62002,8 @@ rule CAPE_Agent_Tesla
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AgentTesla.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AgentTesla.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "3945754129dcc58e0abfd7485f5ff0c0afdd1078ae2cf164ca8f59a6f79db1be"
 score = 75
 quality = 70
@@ -62029,8 +62029,8 @@ rule CAPE_Agenttesla : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AgentTesla.yar#L19-L41"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AgentTesla.yar#L19-L41"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "1bf9b26c4cf87e674ddffabe40aba5a45499c6a04d4ff3e43c3cda4cbcb4d188"
 score = 75
 quality = 70
@@ -62062,8 +62062,8 @@ rule CAPE_Agentteslav2 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AgentTesla.yar#L43-L67"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AgentTesla.yar#L43-L67"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "b45296b3b94fa1ff32de48c94329a17402461fb6696e9390565c4dba9738ed78"
 score = 75
 quality = 70
@@ -62099,8 +62099,8 @@ rule CAPE_Agentteslav3 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AgentTesla.yar#L69-L111"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AgentTesla.yar#L69-L111"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "26c4fa0ce8de6982eb599f3872e8ab2a6e83da4741db7f3500c94e0a8fe5d459"
 score = 75
 quality = 68
@@ -62153,8 +62153,8 @@ rule CAPE_Agentteslav4 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AgentTesla.yar#L113-L126"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AgentTesla.yar#L113-L126"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "0a39036f408728ab312a54ff3354453d171424f57f9a8f3b42af867be3037ca9"
 score = 75
 quality = 70
@@ -62179,8 +62179,8 @@ rule CAPE_Agentteslav4Jit
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/AgentTesla.yar#L128-L141"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/AgentTesla.yar#L128-L141"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "8f7144d2a989ce8d291af926b292f5f0f7772e707b0e49797eba13ecf91b90bc"
 score = 75
 quality = 70
@@ -62205,8 +62205,8 @@ rule CAPE_Dridexv4 : FILE
 date = "2022-05-31"
 modified = "2022-05-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/DridexV4.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/DridexV4.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "cb103fe5f2d4792e3c612db4e2d84a4c8b0ce0f9a8443e9147e2c345f1dbdff6"
 score = 75
 quality = 70
@@ -62232,8 +62232,8 @@ rule CAPE_Atlas : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Atlas.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Atlas.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "c3f73b29df5caf804dbfe3e6ac07a9e2c772bd2a126f0487e4a65e72bd501e6e"
 score = 75
 quality = 70
@@ -62257,8 +62257,8 @@ rule CAPE_Fareit : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Fareit.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Fareit.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "ed35391ffc949219f380da3f22bc8397a7d5c742bd68e227c3becdebcab5cf83"
 score = 75
 quality = 70
@@ -62281,8 +62281,8 @@ rule CAPE_Nighthawk
 date = "2022-12-05"
 modified = "2022-12-05"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Nighthawk.yar#L3-L24"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Nighthawk.yar#L3-L24"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "2d77912678e06503ffef0e8ed84aa4f9ac74357480d57742fbae619acebfb5f2"
 score = 75
 quality = 70
@@ -62306,8 +62306,8 @@ rule CAPE_Mole : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Mole.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Mole.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "8be4d190d554a610360c0e04b33da59eb00319395e5b2000d580546ce6503786"
 score = 75
 quality = 70
@@ -62331,8 +62331,8 @@ rule CAPE_Gootkit : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Gootkit.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Gootkit.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "26704b6b0adca51933fc9d5e097930320768fd0e9355dcefc725aee7775316e7"
 score = 75
 quality = 70
@@ -62354,8 +62354,8 @@ rule CAPE_Lokibot : FILE
 date = "2022-02-01"
 modified = "2022-02-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/LokiBot.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/LokiBot.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "a5b3d518371138740e913d2d6ce4fa22d3da5cea7e034c7d6b4b502e6bf44b06"
 score = 75
 quality = 70
@@ -62378,8 +62378,8 @@ rule CAPE_Socks5Systemz : FILE
 date = "2025-05-23"
 modified = "2025-05-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Socks5Systemz.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Socks5Systemz.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "7e324bacd1ea57585435b6a5a4c93bda63ca146c100f2361a1c5530b87668299"
 score = 75
 quality = 70
@@ -62409,8 +62409,8 @@ rule CAPE_Bumblebee : FILE
 date = "2024-10-29"
 modified = "2024-10-29"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/BumbleBee.yar#L35-L50"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/BumbleBee.yar#L35-L50"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "bc7c2ce9d3cd598c9510dc64d78048999f2f89ee5a84cd0d6046dbdfabe260ee"
 score = 75
 quality = 70
@@ -62437,8 +62437,8 @@ rule CAPE_Bumblebee2024
 date = "2024-10-29"
 modified = "2024-10-29"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/BumbleBee.yar#L52-L68"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/BumbleBee.yar#L52-L68"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "db58272c1ba74bc6e6a90bdacf7e8feec94be5da2b5123e0475ce86448f3edb2"
 score = 75
 quality = 70
@@ -62466,8 +62466,8 @@ rule CAPE_Codoso : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Codoso.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Codoso.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "32c9ed2ac29e8905266977a9ee573a252442d96fb9ec97d88642180deceec3f8"
 score = 75
 quality = 70
@@ -62491,8 +62491,8 @@ rule CAPE_Conti : FILE
 date = "2021-03-15"
 modified = "2021-03-15"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Conti.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Conti.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "c9842f93d012d0189b9c6f10ad558b37ae66226bbb619ad677f6906ccaf0e848"
 score = 75
 quality = 70
@@ -62516,8 +62516,8 @@ rule CAPE_Squirrelwaffle : FILE
 date = "2021-10-13"
 modified = "2021-10-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/SquirrelWaffle.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/SquirrelWaffle.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "5f799333398421d537ec7a87ca94f6cc9cf1e53e55b353036a5132440990e500"
 score = 75
 quality = 70
@@ -62540,8 +62540,8 @@ rule CAPE_Seduploader : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Seduploader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Seduploader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "d70c886699169d4dafc5b063c93682a34af5667df6d293b52256ddc19ab9c516"
 score = 75
 quality = 70
@@ -62563,8 +62563,8 @@ rule CAPE_Pikabotloader : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/PikaBot.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/PikaBot.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "7e5f1f2911545ee6bd36b54f2627fbdec1b957f4b91df901dd1c6cbd4dff0231"
 score = 75
 quality = 70
@@ -62588,8 +62588,8 @@ rule CAPE_Pikabot : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/PikaBot.yar#L15-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/PikaBot.yar#L15-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "ed07217c373831a9a67d914854154988696e6fcea70dedabf333385f0e7bb8b7"
 score = 75
 quality = 70
@@ -62614,8 +62614,8 @@ rule CAPE_Pik23 : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/PikaBot.yar#L30-L44"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/PikaBot.yar#L30-L44"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1"
 logic_hash = "71a71df2f2a075294941c54eed06cafaaa4d3294e45b3a0098c1cffddd0438bc"
 score = 75
@@ -62641,8 +62641,8 @@ rule CAPE_Dreambot : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Dreambot.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Dreambot.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "29c6d648d5d38667c5824c2d20a83a20448c2ae6054ddddb2b2b7f8bdb69f74b"
 score = 75
 quality = 70
@@ -62667,8 +62667,8 @@ rule CAPE_Wanacry : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/WanaCry.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/WanaCry.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "16d5e39f043d27bbf22f8f21e13971b7e0709b07e44746dd157d11ee4cc51944"
 score = 75
 quality = 70
@@ -62694,8 +62694,8 @@ rule CAPE_Trickbot
 date = "2023-02-07"
 modified = "2023-02-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/TrickBot.yar#L1-L20"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/TrickBot.yar#L1-L20"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "47cc2070b43957601a72745329a9d14fb3fbfd4d2b31cacc35d4ac750dde31ea"
 score = 75
 quality = 70
@@ -62726,8 +62726,8 @@ rule CAPE_Trickbot_Permadll_UEFI_Module
 date = "2023-02-07"
 modified = "2023-02-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/TrickBot.yar#L22-L38"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/TrickBot.yar#L22-L38"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "491115422a6b94dc952982e6914adc39"
 logic_hash = "564055f56fd19bed8900e6d451ba050b4e9013a9208a3bdc3d3d563567d225d2"
 score = 75
@@ -62755,8 +62755,8 @@ rule CAPE_Hancitor : FILE
 date = "2020-10-20"
 modified = "2020-10-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Hancitor.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Hancitor.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "84003542a2f587b5fbd43731c4240759806f8ee46df2bd96aae4a3c09d97e41c"
 score = 75
 quality = 70
@@ -62781,8 +62781,8 @@ rule CAPE_Cargobayloader : FILE
 date = "2023-02-20"
 modified = "2023-02-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/CargoBayLoader.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/CargoBayLoader.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "75e975031371741498c5ba310882258c23b39310bd258239277708382bdbee9c"
 logic_hash = "1d5c4ca79f97e1fac358189a8c6530be12506974fc2fb42f63b0b621536a45c9"
 score = 75
@@ -62806,8 +62806,8 @@ rule CAPE_Ursnif : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Ursnif.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Ursnif.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "46e79fde81ff5352314618021e394b2e0322df07170c7279363290b7134935fd"
 score = 75
 quality = 70
@@ -62836,8 +62836,8 @@ rule CAPE_Rokrat : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/RokRat.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/RokRat.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "2aaa7de7ccd59e0da690f4bc0c7deaacf61314d61f8d2aa3ce6f6892f50612ec"
 score = 75
 quality = 70
@@ -62860,8 +62860,8 @@ rule CAPE_Amatera : FILE
 date = "2025-06-19"
 modified = "2025-06-19"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Amatera.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Amatera.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af"
 logic_hash = "1c02f04846568b85acbd4101b2e944dc824179f7cff1bceaec1c657939b610d5"
 score = 75
@@ -62886,8 +62886,8 @@ rule CAPE_Emotetloader : FILE
 date = "2022-05-31"
 modified = "2022-05-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/EmotetLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/EmotetLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "410872d25ed3a89a2cba108f952d606cd1c3bf9ccc89ae6ab3377b83665c2773"
 score = 75
 quality = 70
@@ -62909,8 +62909,8 @@ rule CAPE_Tscookie : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/TSCookie.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/TSCookie.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "0461c7fd14c74646437654f0a63a4a89d4efad620e197a8ca1e8d390618842c3"
 score = 75
 quality = 70
@@ -62934,8 +62934,8 @@ rule CAPE_Icedid
 date = "2021-12-16"
 modified = "2021-12-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/IcedID.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/IcedID.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "e60ccbab7a360020744eba65961156ca3e2ae9cf23671014f913d71c1a96a331"
 score = 75
 quality = 45
@@ -62964,8 +62964,8 @@ rule CAPE_Zeuspanda : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/ZeusPanda.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/ZeusPanda.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "43d8a56cae9fd23c053f6956851734d3270b46a906236854502c136e3bb1e761"
 score = 75
 quality = 70
@@ -62988,8 +62988,8 @@ rule CAPE_Nitrogenloader
 date = "2025-06-17"
 modified = "2025-06-17"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/NitrogenLoader.yar#L1-L31"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/NitrogenLoader.yar#L1-L31"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "1c23e702d7b44d531ec3653c759b44fadea332cc7233eb3f817d94dc53a7f814"
 score = 75
 quality = 70
@@ -63031,8 +63031,8 @@ rule CAPE_Koiloader
 date = "2024-10-25"
 modified = "2024-10-25"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/KoiLoader.yar#L1-L35"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/KoiLoader.yar#L1-L35"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "b462e3235c7578450b2b56a8aff875a3d99d22f6970a01db3ba98f7ecb6b01a0"
 logic_hash = "264a536632f8f11c904b00c9d2e505b3263c733ad8fbc2ef19c25a5ad58cef90"
 score = 75
@@ -63076,8 +63076,8 @@ rule CAPE_Blackdropper
 date = "2024-10-22"
 modified = "2024-10-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/BlackDropper.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/BlackDropper.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "f8026ae3237bdd885e5fcaceb86bcab4087d8857e50ba472ca79ce44c12bc257"
 logic_hash = "c7f7bc740d413b479ebe45611ddfc04f7e4f2978516b2882069b2569c7acdf28"
 score = 75
@@ -63105,8 +63105,8 @@ rule CAPE_Megacortex : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/MegaCortex.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/MegaCortex.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "5de1d8241260070241c91b97f18feb2a90069e3b158e863e2d9f568799c244e6"
 score = 75
 quality = 70
@@ -63130,8 +63130,8 @@ rule CAPE_Lockbit : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Lockbit.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Lockbit.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "80ab705c8246a0bd5b3de65146cf32b102f39bf9444bdf1d366b5a794c1229b9"
 score = 75
 quality = 70
@@ -63157,8 +63157,8 @@ rule CAPE_Arkei : FILE
 date = "2025-01-10"
 modified = "2025-01-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/Arkei.yar#L1-L50"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/Arkei.yar#L1-L50"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "296e420880d8d2f24424d0411e7ef4939e18147689557512f410da48498a44c9"
 score = 75
 quality = 70
@@ -63214,8 +63214,8 @@ rule CAPE_Petrwrap : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/data/yara/CAPE/PetrWrap.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/data/yara/CAPE/PetrWrap.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "6dd1cf5639b63d0ab41b24080dad68d285f2e3969ad34fd724c83e7a0dd4b968"
 score = 75
 quality = 70
@@ -63240,8 +63240,8 @@ rule CAPE_Stealcanti : FILE
 date = "2024-01-19"
 modified = "2024-01-19"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Stealc.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Stealc.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
 logic_hash = "4132e8094b0b49a89e9f40a8b1a6abbf105bbb04e4ddf3ce739e39fc2baf0d13"
 score = 75
@@ -63265,8 +63265,8 @@ rule CAPE_Stealcstrings : FILE
 date = "2024-01-19"
 modified = "2024-01-19"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Stealc.yar#L15-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Stealc.yar#L15-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "6d402446a979c00b6257ace9924db381d98c530b22968bd2776c66d58c7faefc"
 score = 75
 quality = 70
@@ -63289,8 +63289,8 @@ rule CAPE_Dridexloader_1 : FILE
 date = "2021-03-09"
 modified = "2021-03-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/DridexLoader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/DridexLoader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "00a3e4e80a2558ee52035f091e2339fa2dad6f6515b9dc099f2f3800e4c70bce"
 score = 75
 quality = 70
@@ -63312,8 +63312,8 @@ rule CAPE_Rdtscpantivm
 date = "2021-12-11"
 modified = "2021-12-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "be0f9b52fb630730a38160f4ad2d50b6b4bea5edd82e3ea4d1e257cf7b090910"
 score = 75
 quality = 70
@@ -63335,8 +63335,8 @@ rule CAPE_Privateloader
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "204a86bb3743f19fed0fe55ff5ccd716661f7f315b5966a29e434ccb3e160526"
 score = 75
 quality = 70
@@ -63359,8 +63359,8 @@ rule CAPE_Mysterysnail
 date = "2021-10-16"
 modified = "2021-10-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/MysterySnail.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/MysterySnail.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "9402dbbbfdd286e2309ee83fc08194f70f73657a3a4e3785dfbcb564dbee86a8"
 score = 75
 quality = 70
@@ -63382,8 +63382,8 @@ rule CAPE_Zloader_1 : FILE
 date = "2024-05-03"
 modified = "2024-05-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Zloader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Zloader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "319adca805083c7f5854fe840447cf961addbd748f1f25eb8ec8cdeed7af38aa"
 score = 75
 quality = 70
@@ -63406,8 +63406,8 @@ rule CAPE_Zloader_2024 : FILE
 date = "2024-05-03"
 modified = "2024-05-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Zloader.yar#L14-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Zloader.yar#L14-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "38d555ef5f613cf7ca043697c479100a7a22e7f043acf8b6a46f8009eb92fd7e"
 score = 75
 quality = 70
@@ -63431,8 +63431,8 @@ rule CAPE_Bruteratelsyscall
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/BruteRatel.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/BruteRatel.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "5ed054b3cd5d2659c250945d55d6adac90945963c34ad2af0f8d7436141e86b6"
 score = 75
 quality = 70
@@ -63455,8 +63455,8 @@ rule CAPE_Bruteratelpacker
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/BruteRatel.yar#L14-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/BruteRatel.yar#L14-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "2ccb17efe378d034df34d20d7580c58171d0fd11c18fef6c9a23f1ba238514e6"
 score = 75
 quality = 70
@@ -63480,8 +63480,8 @@ rule CAPE_Bruterateldate
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/BruteRatel.yar#L28-L39"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/BruteRatel.yar#L28-L39"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "88589b2d08aea03565668ff1b9af20b6fe11cda50d867c60db7cb4d1826b0fd7"
 score = 75
 quality = 70
@@ -63504,8 +63504,8 @@ rule CAPE_Bruteratelconfig
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/BruteRatel.yar#L41-L51"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/BruteRatel.yar#L41-L51"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "b1815aafec940ab6c8daafc68ccf294845221ada260de5209dcb7e49ccd061c7"
 score = 75
 quality = 70
@@ -63527,8 +63527,8 @@ rule CAPE_Latrodectus_1 : FILE
 date = "2024-02-26"
 modified = "2024-02-26"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Latrodectus.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Latrodectus.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 hash = "378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05"
 logic_hash = "c2c9f23e287253d766425c05eb774f6e07bdcbabc259e04b723a1a87c8b91fbd"
 score = 75
@@ -63551,8 +63551,8 @@ rule CAPE_Guloaderprecursor : FILE
 date = "2023-10-02"
 modified = "2023-10-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Guloader.yar#L17-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Guloader.yar#L17-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "ea05c352739366a03da302074b01537382ba26f7fd5049004f156e47d284f070"
 score = 75
 quality = 70
@@ -63575,8 +63575,8 @@ rule CAPE_Ursnifv3_1
 date = "2023-03-23"
 modified = "2023-03-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "d679546e37ee58087fce75920b2ce4e6d2b9ae55fb1ef80d14ec14309396757c"
 score = 75
 quality = 70
@@ -63603,8 +63603,8 @@ rule CAPE_Formhooka date = "2025-06-13" modified = "2025-06-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Formbook.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Formbook.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "21b8101a7039cfad0e9d49cc1f055bc23a2eb4c973dcda2a81a007e452d77a6d" score = 75 quality = 70 @@ -63629,8 +63629,8 @@ rule CAPE_Formhookb date = "2025-06-13" modified = "2025-06-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Formbook.yar#L16-L30" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Formbook.yar#L16-L30" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "a844652c1f883548d17b08f8ff5d9927f92dabc09ab6600554eab7cf1dd50ccb" score = 75 quality = 70 
@@ -63656,8 +63656,8 @@ rule CAPE_Formconfa date = "2025-06-13" modified = "2025-06-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Formbook.yar#L32-L44" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Formbook.yar#L32-L44" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "b0aa4cec55a21245d8104380c531dd6cc0fdef64fbefd79616eadfb4e95b2d75" score = 75 quality = 70 @@ -63681,8 +63681,8 @@ rule CAPE_Formhelper date = "2025-06-13" modified = "2025-06-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Formbook.yar#L46-L58" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Formbook.yar#L46-L58" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "77cdfc94aac089c4f2590f4afbab35351fc6e104e67813548c68c59d27019a63" score = 75 quality = 70 
@@ -63706,8 +63706,8 @@ rule CAPE_Formconfb date = "2025-06-13" modified = "2025-06-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Formbook.yar#L60-L75" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Formbook.yar#L60-L75" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "bb8f54220394420e698b5eac9276c3d0ab03148808cfb9e98feb56437ce2a5a7" score = 75 quality = 70 @@ -63734,8 +63734,8 @@ rule CAPE_Lumma_1 : FILE date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Lumma.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Lumma.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "a8f9212b619796f91f14c4164e4d2f30c66b51118f22f3d6c310841b6707b7b0" score = 75 quality = 70 
@@ -63760,8 +63760,8 @@ rule CAPE_Lummaremap date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Lumma.yar#L16-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Lumma.yar#L16-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "51093379fbd041f75bdfe161bc9dfcc7d782c23ce16d625ca558bb58d8d57713" score = 75 quality = 70 @@ -63784,8 +63784,8 @@ rule CAPE_Slowloader date = "2024-09-23" modified = "2024-09-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/SlowLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/SlowLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "f07528c646ebd980a5e843caa4a4715e31b22c3cd091576600e9fe45d7fc2fe4" score = 75 quality = 70 
@@ -63808,8 +63808,8 @@ rule CAPE_Anticuckoo : FILE date = "2023-03-17" modified = "2023-03-17" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "ad5e52f144bb4a1dae3090978c6ecb4c7732538c9b62a6cedd32eccee6094be5" logic_hash = "a039aeca2dae44980e8bffafacfda90975e107001be50f11ac916b35ad43592e" score = 75 @@ -63832,8 +63832,8 @@ rule CAPE_Rhadamanthys_1 date = "2023-04-18" modified = "2023-04-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "3c8fbfe14f81e099fc900023d9c856e3f45b99af38889ed952b2ac67a636f51d" score = 75 quality = 70 
@@ -63858,8 +63858,8 @@ rule CAPE_Qakbot5_1 : FILE date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/QakBot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/QakBot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "303ea2d8d1a7f0fd0ca5508dae2c1b83c03b1e3e975760f15d36d93bcc152767" score = 75 quality = 70 @@ -63883,8 +63883,8 @@ rule CAPE_Qakbot4_1 : FILE date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/QakBot.yar#L15-L29" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/QakBot.yar#L15-L29" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "ad75b07b9b786f634fd46cbe6dc089d3f732673320e70714e8ab058f0392c9f5" score = 75 quality = 70 
@@ -63910,8 +63910,8 @@ rule CAPE_Qakbotloader : FILE date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/QakBot.yar#L31-L46" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/QakBot.yar#L31-L46" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "6f99171c95a8ed5d056eeb9234dbbee123a6f95f481ad0e0a966abd2844f0e1a" logic_hash = "00869c0a9bf62cde3f46ca915b0ef689557b09dc58d6de34609e3998abfa7e98" score = 75 @@ -63938,8 +63938,8 @@ rule CAPE_Qakbotantivm date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/QakBot.yar#L48-L59" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/QakBot.yar#L48-L59" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "e269497ce458b21c8427b3f6f6594a25d583490930af2d3395cb013b20d08ff7" logic_hash = "20f1cd28f38945a3aa328e77e78525fb1ffc47ecf54d5a40c2f18264c3973989" score = 75 
@@ -63962,8 +63962,8 @@ rule CAPE_Buerloader_1 : FILE date = "2021-03-13" modified = "2021-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "6f9f9b4c01251c0643c61701084cca2bdfeea08ca95f982355565cf05483d940" score = 75 quality = 70 @@ -63985,8 +63985,8 @@ rule CAPE_Xworm_1 date = "2023-11-07" modified = "2023-11-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/XWorm.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/XWorm.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "d8e103f3470e83d71cd4992b74698c0721b8a69d764fdb7a4543997b2853014a" score = 75 quality = 70 
@@ -63999,30 +63999,6 @@ rule CAPE_Xworm_1 condition: any of them } -rule CAPE_Sysenter -{ - meta: - description = "No description has been set in the source file - CAPE" - author = "Kevin O'Reilly" - id = "b0c9b571-86d1-56d3-b72e-7a5603c8597f" - date = "2025-06-20" - modified = "2025-06-20" - reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Sysenter.yar#L1-L10" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" - logic_hash = "9622a26f852a6b4ef1c64970a6a982861d18001ba610a77ff367c89f49c39f01" - score = 75 - quality = 70 - tags = "" - cape_options = "clear,dump,sysbp=$sysenterA,sysbp=$sysenterB+10" - - strings: - $sysenterA = {64 FF 15 C0 00 00 00 C3} - $sysenterB = {B8 [3] 00 BA [4] FF D2 C?} - - condition: - any of them -} rule CAPE_Blister_1 : FILE { meta: @@ -64032,8 +64008,8 @@ rule CAPE_Blister_1 : FILE date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Blister.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Blister.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "aba379b93c85241cf250829832b2c8a5eaafb3abd0ff955dbaf0d06489c00deb" score = 75 quality = 70 
@@ -64061,8 +64037,8 @@ rule CAPE_Smokeloader_1 : FILE date = "2023-02-06" modified = "2023-02-06" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "4b15162f4b754cdd6a9124f29f0fd979085734063a0b17f2a97a9750f29e2e0b" score = 75 quality = 70 @@ -64084,8 +64060,8 @@ rule CAPE_Agentteslav3Jit date = "2024-02-27" modified = "2024-02-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/AgentTesla.yar#L16-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/AgentTesla.yar#L16-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "62a49cf4295df637f96ba7c127cfc4aeb9af2fcced497fdf34d726a062edc1ec" score = 75 quality = 70 
@@ -64107,8 +64083,8 @@ rule CAPE_Risepro : FILE date = "2023-12-16" modified = "2023-12-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/RisePro.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/RisePro.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6" logic_hash = "055ca8328923b91f93c116e4a856366356fa11155f4e9fde95da31129b51386a" score = 75 @@ -64133,8 +64109,8 @@ rule CAPE_Modiloader : FILE date = "2025-01-31" modified = "2025-01-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/ModiLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/ModiLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "1f0cbf841a6bc18d632e0bc3c591266e77c99a7717a15fc4b84d3e936605761f" logic_hash = "9e64e0c40192cc832a1ffa7b3ac65a704596af82515d03706cd7aa1f4498f32f" score = 75 
@@ -64158,8 +64134,8 @@ rule CAPE_Modiloaderold : FILE date = "2025-01-31" modified = "2025-01-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/ModiLoader.yar#L15-L53" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/ModiLoader.yar#L15-L53" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "fc006377e6d41515503b0b234ff87f59d930a7d9f8b32d2e072de79b9c52ddc4" score = 75 quality = 66 @@ -64203,8 +64179,8 @@ rule CAPE_Pikahook : FILE date = "2024-03-12" modified = "2024-03-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Pikabot.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Pikabot.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "2a50a5f2d905122a5b7ac8ca3666b47caa24d325e246841129e53807daf2a1dd" score = 75 quality = 70 
@@ -64229,8 +64205,8 @@ rule CAPE_Pikexport : FILE date = "2024-03-12" modified = "2024-03-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/Pikabot.yar#L16-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/Pikabot.yar#L16-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646" logic_hash = "33f58703a0e40c2361343dbdcc17111aafbf5cc912393edda79005c6ec566f42" score = 75 @@ -64254,8 +64230,8 @@ rule CAPE_Bumblebeeshellcode_1 date = "2023-02-08" modified = "2023-02-08" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/BumbleBee.yar#L18-L32" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/BumbleBee.yar#L18-L32" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "865510868ee7c089c2ada0645098e851ca2bb9084a74315ce16296eb19c93ab4" score = 75 quality = 70 
@@ -64281,8 +64257,8 @@ rule CAPE_Emotetpacker : FILE date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "5a95d1d87ce69881b58a0e3aafc1929861e2633cdd960021d7b23e2a36409e0d" logic_hash = "5f27d9d18884f7e0805f69960869b332c1577bf8be8ac103285e8bf98cda0ffd" score = 75 @@ -64306,8 +64282,8 @@ rule CAPE_Heavenssyscall : FILE date = "2024-03-25" modified = "2024-03-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "aeb981fcba0936ff8b1be4c601445fd45e5d3b74856a9439d351edd57f5a50c3" score = 75 quality = 70 
@@ -64331,8 +64307,8 @@ rule CAPE_Gettickcountantivm date = "2022-02-25" modified = "2022-02-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "662bc7839ed7ddd82d5fdafa29fafd9a9ec299c28820fe4104fbba9be1a09c42" hash = "00f1537b13933762e1146e41f3bac668123fac7eacd0aa1f7be0aa37a91ef3ce" hash = "549bca48d0bac94b6a1e6eb36647cd007fed5c0e75a0e4aa315ceabdafe46541" @@ -64363,8 +64339,8 @@ rule CAPE_Icedidsyscallwritemem : FILE date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/IcedID.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/IcedID.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "6b068106b038e9efeb9057cadf314d400c1ada1a1cc70336d3272da3a212c993" score = 75 quality = 70 
@@ -64388,8 +64364,8 @@ rule CAPE_Icedidhook date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/IcedID.yar#L15-L25" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/IcedID.yar#L15-L25" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "fd62e0ed6f2a18472fa9336daee0e8a3a55e21779a8385394e85f96da928e24f" score = 75 quality = 70 @@ -64411,8 +64387,8 @@ rule CAPE_Icedidpackera : FILE date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/IcedID.yar#L27-L40" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/IcedID.yar#L27-L40" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe" logic_hash = "aa0681e7794546355e6d61f739c49035a493cdfca7e666531d74e3835ec44408" score = 75 
@@ -64437,8 +64413,8 @@ rule CAPE_Icedidpackerb : FILE date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/IcedID.yar#L42-L56" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/IcedID.yar#L42-L56" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "6517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6" logic_hash = "fde1e2c0124d180b2fa3d0675b35e8d78fdd7b06cd27e9228c148aa29ce30ee7" score = 75 @@ -64463,8 +64439,8 @@ rule CAPE_Icedidpackerc : FILE date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/IcedID.yar#L58-L71" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/IcedID.yar#L58-L71" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "c06805b6efd482c1a671ec60c1469e47772c8937ec0496f74e987276fa9020a5" hash = "265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844" logic_hash = "f1e75e380ab0947fdfda012b7a5077a1c2ef51163239846ab2dc29cac95ba166" 
@@ -64489,8 +64465,8 @@ rule CAPE_Icedidpackerd : FILE date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/IcedID.yar#L73-L86" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/IcedID.yar#L73-L86" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" hash = "7b226f8cc05fa7d846c52eb0ec386ab37f9bae04372372509daa6bacc9f885d8" logic_hash = "6685e0246f5a11ce0ca33447837de06506b447a5f8591423e2b76f2ab0274dc7" score = 75 @@ -64515,8 +64491,8 @@ rule CAPE_Icedsleep : FILE date = "2023-11-28" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/IcedID.yar#L88-L99" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/IcedID.yar#L88-L99" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "0b1a8be95b1b8a3b066837f9e47561ee8202d741b39d64e626c0461c2fbf7c70" score = 75 quality = 70 
@@ -64539,8 +64515,8 @@ rule CAPE_Vbcrypter date = "2021-03-28" modified = "2021-03-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/VBCrypter.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/VBCrypter.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "a62bca62ab624ab1a2c2e612c5b7e6d543006026a49c07c46800499e31e41c4e" score = 75 quality = 70 @@ -64562,8 +64538,8 @@ rule CAPE_Singlestepantihook date = "2021-08-26" modified = "2021-08-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "fc9f36b0ecc13192fe8b6caaff256ac52c1f14480223d629a38ba84e90dd0809" score = 75 quality = 70 
@@ -64582,11 +64558,11 @@ rule CAPE_Loadersyscall description = "Loader Syscall" author = "enzok" id = "45193b38-938e-55cf-9ea0-7bd48f0d77e4" - date = "2025-06-17" - modified = "2025-06-17" + date = "2025-06-26" + modified = "2025-06-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "3c7ffd8b95032cffecff7fa7e5f5f561cce13e1109f6a9b30bc743642b495e45" score = 75 quality = 70 @@ -64607,11 +64583,11 @@ rule CAPE_Nitrogenloaderaes description = "NitrogenLoader AES and IV" author = "enzok" id = "c79a00af-52f9-5f07-9c58-e8964e70986f" - date = "2025-06-17" - modified = "2025-06-17" + date = "2025-06-26" + modified = "2025-06-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "de8ed0e98948cfadfd579e334fd9ce9f777ddbd988de897529ba71cb5eb2d396" score = 75 quality = 70 
@@ -64632,11 +64608,11 @@ rule CAPE_Nitrogenloaderbypass description = "Nitrogen Loader Exit Bypass" author = "enzok" id = "397b0b79-d569-5a71-bcac-ce0d64f706e6" - date = "2025-06-17" - modified = "2025-06-17" + date = "2025-06-26" + modified = "2025-06-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE" logic_hash = "3a034d3ddd18723ea1f91814c8c2a2c47a749dfd1496a5d4777d8ff8bfab3457" score = 75 quality = 70 
@@ -64656,13 +64632,13 @@ rule CAPE_Nitrogenloaderconfig
 meta:
 description = "NitrogenLoader Config Extraction"
 author = "enzok"
- id = "f9df37a0-d7f2-509d-be1c-1f72f97e9932"
- date = "2025-06-17"
- modified = "2025-06-17"
+ id = "00de881d-6c50-54a6-9ba0-14204a6b54e9"
+ date = "2025-06-26"
+ modified = "2025-06-26"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L56"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
- logic_hash = "8306c93802ab5948e308b187bcd8539b8cf668af8c5664f74890876bf42f5708"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L62"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
+ logic_hash = "ecbba45cbff628eeba158049432c4a928ed2e1a26b5bcc242572ab54a270d04a"
 score = 75
 quality = 70
 tags = ""
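Review bot: The `id` of CAPE_Nitrogenloaderconfig changes from `f9df37a0-d7f2-509d-be1c-1f72f97e9932` to `00de881d-6c50-54a6-9ba0-14204a6b54e9` while the rule name and author are unchanged, so anything downstream that keys on the YARA Forge id (suppressions, allowlists, match telemetry) will silently detach from this rule. The sibling CAPE rules in this update keep their ids through the same date and source_url bump, which suggests the id was regenerated from the rewritten rule body (the source_url range also grows from L43-L56 to L43-L62) rather than assigned to a genuinely new rule; worth confirming against the upstream generator before relying on it. For tuning purposes treat this as a new detection, since its strings and condition are replaced in the following hunk.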
@@ -64673,9 +64649,15 @@ rule CAPE_Nitrogenloaderconfig
 $decrypt2 = {8B ?? 24 [1-4] 33 C8 8B C1 48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A}
 $decrypt3 = {8B 8C 24 ?? ?? ?? ?? 2B C8 8B C1 48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A}
 $key = {74 ?? E8 [4] 85 C0 75 ?? 4? 8B 0D [3] 00 4? 8D 15 [3] 00 E8}
+ $taskman_1 = {E8 [4] B9 61 00 00 00 88 84 24 [4] E8 [4] B9 73 00 00 00 88 84 24 [4] E8 [4] B9 6B 00 00 00 88 84 24 [4] E8 [3] FF}
+ $taskman_2 = {B9 4D 00 00 00 88 84 24 [4] E8 [4] B9 61 00 00 00 88 84 24 [4] E8 [4] B9 6E 00 00 00 88 84 24 [4] E8 [3] FF}
+ $taskman_3 = {B9 61 00 00 00 88 84 24 [4] E8 [4] B9 67 00 00 00 88 84 24 [4] E8 [4] B9 65 00 00 00 88 84 24 [4] E8 [3] FF}
+ $taskman_4 = {B9 72 00 00 00 88 84 24 [4] E8 [4] 31 C9 88 84 24 [4] E8 [3] FF}
+ $rc4decrypt_1 = {48 89 ?? 48 89 ?? E8 [4] 48 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 89 EA E8 [4] 48 89}
+ $rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF}
 condition:
- any of them
+ any of ( $decrypt* ) or ( $key and ( 3 of ( $taskman_* ) and 1 of ( $rc4decrypt_* ) ) )
 }
 rule CAPE_Darkgateloader
 {
@@ -64686,8 +64668,8 @@ rule CAPE_Darkgateloader
 date = "2025-04-07"
 modified = "2025-04-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/359936d50bcc1c773e6c9bea770de8556b590a1a/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/3892929bec8fdca10f61a7974a9ab584da8963fd/LICENSE"
 logic_hash = "00692123615d2f7eaf8aea07754fc9439cf58e1fb8eb4f44f0428b362f27e794"
 score = 75
 quality = 70
@@ -64708,7 +64690,7 @@ rule CAPE_Darkgateloader
 * YARA Rule Set
 * Repository Name: BinaryAlert
 * Repository: https://github.com/airbnb/binaryalert/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: a9c0f06affc35e1f8e45bb77f835b92350c68a0b
 * Number of Rules: 78
 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -67119,7 +67101,7 @@ rule BINARYALERT_Ransomware_Windows_Wannacry
 * YARA Rule Set
 * Repository Name: DeadBits
 * Repository: https://github.com/deadbits/yara-rules/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: d002f7ecee23e09142a3ac3e79c84f71dda3f001
 * Number of Rules: 19
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -67142,7 +67124,7 @@ rule DEADBITS_KPOT_V2 : WINMALWARE INFOSTEALER FILE
 license_url = "N/A"
 logic_hash = "dc8cce2ae3a427f771b19b4d0e027b653ff03a7bf816303460398987535c5351"
 score = 75
- quality = 55
+ quality = 80
 tags = "WINMALWARE, INFOSTEALER, FILE"
 Description = "Attempts to detect KPOT version 2 payloads"
 Author = "Adam M. Swanda"
@@ -67443,7 +67425,7 @@ rule DEADBITS_Acbackdoor_ELF : LINUX MALWARE BACKDOOR
 description = "No description has been set in the source file - DeadBits"
 author = "Adam M. Swanda"
 id = "82eb41bf-cd1d-5b00-973b-31a79c75cfc0"
- date = "2019-11-22"
+ date = "2019-11-29"
 modified = "2019-12-04"
 reference = "https://www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/ACBackdoor_Linux.yara#L1-L41"
@@ -67972,7 +67954,7 @@ rule DEADBITS_Dacls_Trojan_Windows : FILE
 * YARA Rule Set
 * Repository Name: DelivrTo
 * Repository: https://github.com/delivr-to/detections
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 376762d71eb1777874d366136595994378416ef5
 * Number of Rules: 12
 * Skipped: 0 (age), 2 (quality), 0 (score), 0 (importance)
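Review bot: The `date` of DEADBITS_Acbackdoor_ELF moves from `2019-11-22` to `2019-11-29` although the DeadBits section still points at the same upstream Git Commit and `modified` stays `2019-12-04`; the identical +7-day shift, matching the change in Retrieval Date, appears as `date = "2025-01-29"` in the ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption hunk, where `date` now postdates `modified = "2022-04-27"`. This looks like the upstream generator rewriting day-of-month values that coincide with the previous retrieval date rather than a real metadata change, so `date` in this feed should not be read as the rule's authoring date or used for age-based filtering. The rescoring in the DEADBITS_KPOT_V2 hunk (`quality = 55` to `quality = 80`) with no change to the rule body is the same kind of unexplained metadata drift and is worth raising with YARA Forge.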
@@ -68268,7 +68250,7 @@ rule DELIVRTO_SUSP_Onenote_RTLO_Character_Feb23 : FILE
 * YARA Rule Set
 * Repository Name: ESET
 * Repository: https://github.com/eset/malware-ioc
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: eeab168d4cd6bac7c5bd06defb3d7198bd58f37f
 * Number of Rules: 103
 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance)
@@ -70703,7 +70685,7 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption : FILE
 description = "Matches the function used to decrypt resources headers in TA410 FlowCloud"
 author = "ESET Research"
 id = "403c1845-bc25-5a49-8553-8a0be18d6970"
- date = "2025-01-22"
+ date = "2025-01-29"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/eeab168d4cd6bac7c5bd06defb3d7198bd58f37f/ta410/ta410.yar#L417-L496"
@@ -71978,7 +71960,7 @@ rule ESET_Sparklinggoblin_Mutex
 * YARA Rule Set
 * Repository Name: FireEye-RT
 * Repository: https://github.com/mandiant/red_team_tool_countermeasures/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 3561b71724dbfa3e2bb78106aaa2d7f8b892c43b
 * Number of Rules: 167
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -74005,7 +73987,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_2
 hash = "f3dd8aa567a01098a8a610529d892485"
 logic_hash = "ccbbe507798f16c7acf0780770fdb81b2e7dc333ab8bc51e6216816276c3f14b"
 score = 75
- quality = 50
+ quality = 25
 tags = ""
 rev = 2
@@ -74569,7 +74551,7 @@ rule FIREEYE_RT_Loader_MSIL_DUEDLLIGENCE_2 : FILE
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 logic_hash = "5a2e0559e3b47c1957a42929fbbeba7a53c21619125381b01dcd8453b6ec4802"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 strings:
@@ -74593,7 +74575,7 @@ rule FIREEYE_RT_Loader_MSIL_DUEDLLIGENCE_3 : FILE
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 logic_hash = "41cc6a4c7765b1e5e88d12660b69e434c83938ca974b9ccf6545b4dd5dd78378"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 strings:
@@ -75048,7 +75030,7 @@ rule FIREEYE_RT_FE_APT_Loader_MSIL_REVOLVER_1 : FILE
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 logic_hash = "1231f4c961dec122ebcb142052c2c7c03acf9b556cdb71a3efabde6bcf50a939"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 strings:
@@ -76676,7 +76658,7 @@ rule FIREEYE_RT_Loader_MSIL_Netshshellcoderunner_1 : FILE
 * YARA Rule Set
 * Repository Name: GCTI
 * Repository: https://github.com/chronicle/GCTI
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 1c5fd42b1895098527fde00c2d9757edf6b303bb
 * Number of Rules: 90
 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -79893,7 +79875,7 @@ rule GCTI_Sliver_Implant_64Bit
 * YARA Rule Set
 * Repository Name: Malpedia
 * Repository: https://github.com/malpedia/signator-rules/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 6558c417dcf07146b1309b6acde6be0aa96dea10
 * Number of Rules: 1469
 * Skipped: 0 (age), 15 (quality), 0 (score), 0 (importance)
@@ -140956,7 +140938,7 @@ rule MALPEDIA_Win_Zedhou_Auto : FILE
 * YARA Rule Set
 * Repository Name: Trellix ARC
 * Repository: https://github.com/advanced-threat-research/Yara-Rules/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 1919562a59f190bda60c982424f6a24c542ee3e0
 * Number of Rules: 163
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -146850,7 +146832,7 @@ rule TRELLIX_ARC_Apt_Aurora_Pdb_Samples : BACKDOOR FILE
 * YARA Rule Set
 * Repository Name: Arkbird SOLG
 * Repository: https://github.com/StrangerealIntel/DailyIOC
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: a873ff1298c43705e9c67286f3014f4300dd04f7
 * Number of Rules: 215
 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance)
@@ -153959,7 +153941,7 @@ rule ARKBIRD_SOLG_MAL_ELF_Rotajakiro_May_2021_1 : FILE
 * YARA Rule Set
 * Repository Name: Telekom Security
 * Repository: https://github.com/telekom-security/malware_analysis/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: bf832d97e8fd292ec5e095e35bde992a6462e71c
 * Number of Rules: 12
 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance)
@@ -154327,7 +154309,7 @@ rule TELEKOM_SECURITY_Cn_Utf8_Windows_Terminal : CAPABILITY HACKTOOL
 * YARA Rule Set
 * Repository Name: Volexity
 * Repository: https://github.com/volexity/threat-intel
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 1ef34c2e4704d1e6e6768c2d6800863bbae05a0d
 * Number of Rules: 85
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -157447,7 +157429,7 @@ rule VOLEXITY_Apt_Malware_Elf_Catchdns_Aug20_Memory : DRIFTINGBAMBOO FILE MEMORY
 * YARA Rule Set
 * Repository Name: JPCERTCC
 * Repository: https://github.com/JPCERTCC/MalConfScan/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 19ec0d145535a6a4cfd37c0960114f455a8c343e
 * Number of Rules: 30
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -158291,7 +158273,7 @@ rule JPCERTCC_Elf_Wellmess : FILE
 * YARA Rule Set
 * Repository Name: SecuInfra
 * Repository: https://github.com/SIFalcon/Detection
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd
 * Number of Rules: 45
 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance)
@@ -159584,7 +159566,7 @@ rule SECUINFRA_MAL_WSHRAT : RAT JAVASCRIPT WSHRAT FILE
 * YARA Rule Set
 * Repository Name: RussianPanda
 * Repository: https://github.com/RussianPanda95/Yara-Rules
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 1ce9c0dec191b43d51ceb34234a12e63970b252c
 * Number of Rules: 86
 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -161838,7 +161820,7 @@ rule RUSSIANPANDA_Illyrianstealer : FILE
 * YARA Rule Set
 * Repository Name: Check Point
 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9
 * Number of Rules: 4
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -162052,7 +162034,7 @@ rule CHECK_POINT_Malware_Bumblebee_Packed
 * YARA Rule Set
 * Repository Name: Dragon Threat Labs
 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9
 * Number of Rules: 7
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -162243,7 +162225,7 @@ rule DRAGON_THREAT_LABS_Apt_Win_Mocelpa
 * YARA Rule Set
 * Repository Name: Microsoft
 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9
 * Number of Rules: 21
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -162846,7 +162828,7 @@ rule MICROSOFT_Trojan_Win32_Plakpeer : PLATINUM
 * YARA Rule Set
 * Repository Name: NCSC
 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9
 * Number of Rules: 17
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -163316,7 +163298,7 @@ rule NCSC_Sparrowdoor_Strings
 * YARA Rule Set
 * Repository Name: Dr4k0nia
 * Repository: https://github.com/dr4k0nia/yara-rules
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8
 * Number of Rules: 5
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -163494,7 +163476,7 @@ rule DR4K0NIA_Msil_Suspicious_Use_Of_Strreverse : FILE
 * YARA Rule Set
 * Repository Name: EmbeeResearch
 * Repository: https://github.com/embee-research/Yara-detection-rules/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4
 * Number of Rules: 39
 * Skipped: 0 (age), 8 (quality), 0 (score), 0 (importance)
@@ -164575,7 +164557,7 @@ rule EMBEERESEARCH_Win_Bruteratel_Syscall_Hashes_Oct_2022 : FILE
 * YARA Rule Set
 * Repository Name: AvastTI
 * Repository: https://github.com/avast/ioc
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 5659f4f0f4e09970c5de29c536ceb500d5634951
 * Number of Rules: 33
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -165438,7 +165420,7 @@ rule AVASTTI_Manjusaka_Payload_Mz
 * YARA Rule Set
 * Repository Name: SBousseaden
 * Repository: https://github.com/sbousseaden/YaraHunts/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 71b27a2a7c57c2aa1877a11d8933167794e2b4fb
 * Number of Rules: 37
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -166544,7 +166526,7 @@ rule SBOUSSEADEN_Zerlologon_Mimikatz : FILE
 * YARA Rule Set
 * Repository Name: Elceef
 * Repository: https://github.com/elceef/yara-rulz
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 05834717d1464d5efce8ad9d688ff7b53886a0bb
 * Number of Rules: 18
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -166695,7 +166677,7 @@ rule ELCEEF_Outlook_CVE_2023_23397_Exploit : FILE
 license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE"
 logic_hash = "695721ec276415c6a6a0f4ce6378ff2d11c15d28271f587966bc3d9d8c06f63a"
 score = 75
- quality = 50
+ quality = 25
 tags = "FILE"
 hash1 = "52dbaf64ce1a5cd1db9a9d385f8204e5f665ca53a3d904033bf1a10369490646"
 hash2 = "582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf"
@@ -167075,7 +167057,7 @@ rule ELCEEF_HTA_Wscriptshell_Onenote : FILE
 * YARA Rule Set
 * Repository Name: GodModeRules
 * Repository: https://github.com/Neo23x0/god-mode-rules/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 436dc682164cf17a123d6b09d1424e7e2acf0c25
 * Number of Rules: 1
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -167346,7 +167328,7 @@ rule GODMODERULES_IDDQD_God_Mode_Rule
 * YARA Rule Set
 * Repository Name: Cod3nym
 * Repository: https://github.com/cod3nym/detection-rules/
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: ad485bff0ce30afb56e367b7f2b76fea81e78fc9
 * Number of Rules: 13
 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -167803,7 +167785,7 @@ rule COD3NYM_SUSP_RLO_Exe_Extension_Spoofing_Jan24
 * YARA Rule Set
 * Repository Name: craiu
 * Repository: https://github.com/craiu/yararules
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: 23cf0ca22021fa3684e180a18416b9ae1b695243
 * Number of Rules: 13
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -168968,10 +168950,10 @@ rule CRAIU_Crashstrike : FILE
 * YARA Rule Set
 * Repository Name: DitekSHen
 * Repository: https://github.com/ditekshen/detection
- * Retrieval Date: 2025-06-22
+ * Retrieval Date: 2025-06-29
 * Git Commit: e76c93dcdedff04076380ffc60ea54e45b313635
- * Number of Rules: 1440
- * Skipped: 0 (age), 113 (quality), 0 (score), 0 (importance)
+ * Number of Rules: 1438
+ * Skipped: 0 (age), 115 (quality), 0 (score), 0 (importance)
 *
 *
 * LICENSE
@@ -169644,7 +169626,7 @@ rule DITEKSHEN_INDICATOR_RMM_Dwagent_Soundcapture : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "c0efa9f383373dec1c5b9d127c2b4c6f4906718ae8f62eea28d7a369001be5af"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 clamav1 = "INDICATOR.Win.RMM.DWAgent-SoundCapture"
@@ -170160,35 +170142,6 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_PWSH_Asciiencoding_Pattern : FILE
 condition:
 1 of ( $enc* ) and 4 of ( $s* ) and filesize < 2500KB
 }
-rule DITEKSHEN_INDICATOR_SUSPICIOUS_JS_Hex_B64Encoded_EXE : FILE
-{
- meta:
- description = "Detects JavaScript files hex and base64 encoded executables"
- author = "ditekSHen"
- id = "37516c6b-0a77-5a20-a36f-5f8309b37362"
- date = "2024-06-08"
- modified = "2024-06-08"
- reference = "https://github.com/ditekshen/detection"
- source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L726-L740"
- license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "60185e6ec96875085ffb7a6bf6eb8643368bbce42b89290ab987eb32c1e153bd"
- score = 40
- quality = 20
- tags = "FILE"
- importance = 20
- strings:
- $s1 = ".SaveToFile" ascii
- $s2 = ".Run" ascii
- $s3 = "ActiveXObject" ascii
- $s4 = "fromCharCode" ascii
- $s5 = "\\x66\\x72\\x6F\\x6D\\x43\\x68\\x61\\x72\\x43\\x6F\\x64\\x65" ascii
- $binary = "\\x54\\x56\\x71\\x51\\x41\\x41" ascii
- $pattern = /[\s\{\(\[=]_0x[0-9a-z]{3,6}/ ascii
- condition:
- $binary and $pattern and 2 of ( $s* ) and filesize < 2500KB
-}
 rule DITEKSHEN_INDICATOR_SUSPICIOUS_WMIC_Downloader : FILE
 {
 meta:
@@ -187513,7 +187466,7 @@ rule DITEKSHEN_INDICATOR_TOOL_EXP_Eternalblue : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "63e56637118accb8c32c20e52465c027df2dbf83b3b663d316b453ce879572c8"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 strings:
@@ -188955,7 +188908,7 @@ rule DITEKSHEN_INDICATOR_TOOL_ENUM_Sharpshares : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "8b35d6a692814e1b27ffc1db4ab124bf621c156aaf57f24796c422ec95a85715"
 score = 75
- quality = 50
+ quality = 25
 tags = "FILE"
 strings:
@@ -191451,7 +191404,7 @@ rule DITEKSHEN_MALWARE_DOC_Koadicdoc : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "9f0538e1faee737a08d403a7f321ce45bdc70b390accfe378ba0d26292509fd7"
 score = 75
- quality = 25
+ quality = 50
 tags = "FILE"
 strings:
@@ -191537,7 +191490,7 @@ rule DITEKSHEN_MALWARE_Win_NETEAGLE : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "148de0ca332d3885d94eae8d15eb4aaa2bc4950c691c0e8817c816b7d4c55510"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 strings:
@@ -192089,7 +192042,7 @@ rule DITEKSHEN_MALWARE_Win_Ircbot : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "1ea640202cfbd0c3425a192c45938f632dc644f41c7974118e7491b026122818"
 score = 75
- quality = 42
+ quality = 67
 tags = "FILE"
 strings:
@@ -192161,7 +192114,7 @@ rule DITEKSHEN_MALWARE_Win_Osno : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "3df59c306017001467a5f237db2ab37d97c34116558e18420a6a1f01f08f520f"
 score = 75
- quality = 73
+ quality = 48
 tags = "FILE"
 strings:
@@ -192720,7 +192673,7 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginscreencapture : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "7b4378ae883d01338fabe2eb50a5509b722c661e63afc287afa07b263a0ebc42"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 strings:
@@ -194472,7 +194425,7 @@ rule DITEKSHEN_MALWARE_Win_STOP : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "61f7e7c1139c56088b2f58b78ae132ffcfef0f931c15b67ea775b0d5e51d189d"
 score = 75
- quality = 48
+ quality = 73
 tags = "FILE"
 snort2_sid = "920113"
 snort3_sid = "920111"
@@ -195327,33 +195280,6 @@ rule DITEKSHEN_MALWARE_Win_Gaudox : FILE
 condition:
 uint16( 0 ) == 0x5a4d and all of them
 }
-rule DITEKSHEN_MALWARE_Win_Phobos : FILE
-{
- meta:
- description = "Detects Phobos ransomware"
- author = "ditekshen"
- id = "7bf659ef-f2a1-5ee2-a334-c233e26a2526"
- date = "2024-11-01"
- modified = "2024-11-01"
- reference = "https://github.com/ditekshen/detection"
- source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3895-L3908"
- license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "bbf8eef0863e9d6423b3b0f938561b2be486b92b4f59b5d0b67f52dba536a582"
- score = 75
- quality = 25
- tags = "FILE"
- strings:
- $x1 = "\\\\?\\UNC\\\\\\e-" fullword wide
- $x2 = "\\\\?\\ :" fullword wide
- $x3 = "POST" fullword wide
- $s1 = "ELVL" fullword wide
- $s2 = /SUP\d{3}/ fullword wide
- $s3 = { 41 31 47 ?? 41 2b }
- condition:
- uint16( 0 ) == 0x5a4d and all of ( $x* ) and 1 of ( $s* )
-}
 rule DITEKSHEN_MALWARE_Win_Ratty : FILE
 {
 meta:
@@ -195716,7 +195642,7 @@ rule DITEKSHEN_MALWARE_Win_Corebot : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "518209458fc8912d47b0b99896178fda823c3174c37f21d5e9331349a69322d7"
 score = 75
- quality = 50
+ quality = 25
 tags = "FILE"
 snort_sid = "920211-920212"
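Review bot: DITEKSHEN_MALWARE_Win_Phobos is removed in this hunk, and DITEKSHEN_INDICATOR_SUSPICIOUS_JS_Hex_B64Encoded_EXE in the hunk at `@@ -170160,35 +170142,6 @@`, while the DitekSHen section header still cites the same upstream Git Commit `e76c93dcdedff04076380ffc60ea54e45b313635` with `Number of Rules` going from 1440 to 1438 and the quality skip count from 113 to 115. That points to the aggregator's quality gate excluding two unchanged rules rather than an upstream deletion, so consumers of this vendored file lose Phobos ransomware coverage with no signal beyond the diff. The many `quality` values in the surrounding hunks that move by exactly 25 in either direction (`quality = 48` to `quality = 73` here, `quality = 75` to `quality = 50` in the Corebot and Eternalblue hunks) suggest the scoring is not stable between runs, so any local filtering on `quality` will produce week-to-week churn in coverage. Consider listing dropped rule names in the bot's commit message, or keeping a pinned local copy of high-value rules that the quality gate removes.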
@@ -196971,7 +196897,7 @@ rule DITEKSHEN_MALWARE_Win_Dlagent08 : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "0238c13b00e5778ef216b4e8576c321803da6e269c96c3051b9cc45a3ac6e567"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 snort2_sid = "920122"
 snort3_sid = "920119"
@@ -197691,7 +197617,7 @@ rule DITEKSHEN_MALWARE_Win_Ranumbot : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "a9c32445e62d072e4184d25497696ef6225edb176dc7a9743a54194d4ddb4b0c"
 score = 75
- quality = 48
+ quality = 73
 tags = "FILE"
 strings:
@@ -198800,7 +198726,7 @@ rule DITEKSHEN_MALWARE_Win_Wingo : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "423b1631ad625fd46a9d10f0ecdf24931cf62a2c1694da3ebdd38daad0a4f724"
 score = 75
- quality = 48
+ quality = 73
 tags = "FILE"
 strings:
@@ -199195,7 +199121,7 @@ rule DITEKSHEN_MALWARE_Win_Xfiles : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "0c04a8f019aea36f4bba3ce8289c2d608c69d76bbf321052560b4ca2214be057"
 score = 75
- quality = 48
+ quality = 73
 tags = "FILE"
 strings:
@@ -199592,7 +199518,7 @@ rule DITEKSHEN_MALWARE_Win_RSJON : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "abfea2955bf0d0b0511ea820582cc15fbcfc38dbed71fb2a0050cd98a9311cda"
 score = 75
- quality = 23
+ quality = 48
 tags = "FILE"
 strings:
@@ -202477,7 +202403,7 @@ rule DITEKSHEN_MALWARE_Win_Kdcsponge : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "c891db94df9cde9eaa6096ad68d96c7b85a9c03e255ce43ccb8543a016bd3853"
 score = 75
- quality = 65
+ quality = 40
 tags = "FILE"
 hash1 = "e391c2d3e8e4860e061f69b894cf2b1ba578a3e91de610410e7e9fa87c07304c"
@@ -202576,7 +202502,7 @@ rule DITEKSHEN_MALWARE_Win_Tardigrade : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "2bd4f23f66844a320b6bed6242ba39096f66a08affb84abd78c342d433ed9fe6"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 hash1 = "c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858"
 hash2 = "966b2c7c72a28310acd58bb23af4d3c893b2afca264b2d9c0ec42db815c77487"
@@ -202722,7 +202648,7 @@ rule DITEKSHEN_MALWARE_Win_Onlylogger : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "1b39a4d2a6d3a2633cfa98adc1dfe99d10d2493fd06c9f875c56ec7689b7a561"
 score = 75
- quality = 25
+ quality = 50
 tags = "FILE"
 strings:
@@ -202951,7 +202877,7 @@ rule DITEKSHEN_MALWARE_Win_Chebka : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "cc8123a5d20fac51d4dfc225e743539456efb4d649060d078c3ed93e7724da01"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 strings:
@@ -203207,7 +203133,7 @@ rule DITEKSHEN_MALWARE_Win_Lokilocker : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "bf78f5e8f40c1a19f6b078a85854e95d5ef1f321393a831edda17b0d65515da7"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 strings:
@@ -203309,7 +203235,7 @@ rule DITEKSHEN_MALWARE_Win_Lorenz : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "e9fc9d405b955c379ae40b1804d43b19999f6ea264fc645c897080fb020e8ae8"
 score = 75
- quality = 73
+ quality = 48
 tags = "FILE"
 strings:
@@ -203353,7 +203279,7 @@ rule DITEKSHEN_MALWARE_Win_Blackcat : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "cd76e5b87f33d91c17fd032417583c3f68d0e310aaf6f08e26ec5d53844ed9d2"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 strings:
@@ -203449,7 +203375,7 @@ rule DITEKSHEN_MALWARE_Win_Strifewater : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "ddb189dfe58af08d2c0682239551a5b9d82db94eedcefc02895316bcbbaca3f2"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 strings:
@@ -203756,7 +203682,7 @@ rule DITEKSHEN_MALWARE_Win_Bandit : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "e557f5a928b5da90f3ec878d6d8615a2d8b5f33e97954cd3278044f76b543386"
 score = 75
- quality = 57
+ quality = 32
 tags = "FILE"
 strings:
@@ -203846,7 +203772,7 @@ rule DITEKSHEN_MALWARE_Win_Mystic : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "26e0b85141df818d70124c0b19b5b6a05ac24ae679724d7a8ad94415a6462d17"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 strings:
@@ -204124,7 +204050,7 @@ rule DITEKSHEN_MALWARE_Win_Lummastealer : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "74014c5bcc85977b90faed93b348c34e47ee033b06c2f145348ca9c54c27bda5"
 score = 75
- quality = 73
+ quality = 48
 tags = "FILE"
 clamav1 = "MALWARE.Win.Trojan.LummaStealer"
@@ -204388,7 +204314,7 @@ rule DITEKSHEN_MALWARE_Win_Stealerium : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "a2834e7fe26ad0197a9e490ab517029ceed2e09506fcc37e6ddf0c1804fa6cb9"
 score = 75
- quality = 73
+ quality = 48
 tags = "FILE"
 strings:
@@ -204483,7 +204409,7 @@ rule DITEKSHEN_MALWARE_Win_Hakunamatata_Builder : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "ac258851de38504cf63ba51fd06f8a9a3dfbe0096d199ba702e9763b5ecc43e4"
 score = 75
- quality = 73
+ quality = 48
 tags = "FILE"
 strings:
@@ -204796,7 +204722,7 @@ rule DITEKSHEN_MALWARE_Win_Arcrypt : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "cc9fa68d093fdf9745a06beb28e29108cb2ba846122ce097ad892213b1edba25"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 strings:
@@ -204836,7 +204762,7 @@ rule DITEKSHEN_MALWARE_Win_Rootteamstealer : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "d1693865253067527d58c980653d550b55d022d5a394b88090a958e5d5818143"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 strings:
@@ -205830,7 +205756,7 @@ rule DITEKSHEN_MALWARE_Win_Agnianestealer : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "0031fbe6d76868819cbcfc638433d60a50e8f5cfd14ff25af88ed3dffefd7d62"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 snort = "923828001"
 clamav = "ditekSHen.MALWARE.Win.AgnianeStealer"
@@ -206925,7 +206851,7 @@ rule DITEKSHEN_MALWARE_Win_Cicada3301 : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "b8b7596bc8ae01b89742e17bd3dbfcc1e2fad486cc6ea19c8de813fc677509f4"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 clamav1 = "MALWARE.Win.Ransomware.Cicada3301"
@@ -206965,7 +206891,7 @@ rule DITEKSHEN_MALWARE_Win_Fpspy : FILE
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
 logic_hash = "c26736c7f056f3d13c58e724fda601e88468e2386852b072a37c6646fb5ef8f9"
 score = 75
- quality = 73
+ quality = 48
 tags = "FILE"
 clamav1 = "MALWARE.Win.Trojan.FPSpy"
@@ -208643,8 +208569,8 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Blackhunt
 * YARA Rule Set
 * Repository Name: WithSecureLabs
 * Repository: https://github.com/WithSecureLabs/iocs
- * Retrieval Date: 2025-06-22
- * Git Commit: a5e50e76f7829cbab219bec94bf1887dea9bb304
+ * Retrieval Date: 2025-06-29
+ * Git Commit: 8165da82a9514abb69b4e2bb03f3983766a05b4a
 * Number of Rules: 5
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
 *
@@ -208686,8 +208612,8 @@ rule WITHSECURELABS_SILKLOADER
 date = "2023-03-15"
 modified = "2023-03-15"
 reference = "https://labs.withsecure.com/publications/silkloader"
- source_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/SILKLOADER/silkloader.yar#L2-L20"
- license_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/LICENSE"
+ source_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/SILKLOADER/silkloader.yar#L2-L20"
+ license_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/LICENSE"
 logic_hash = "48aa249ea78e5a3bfe9934fd0dfa26b79f9e6cbe1e5b1426b84f8d8a3d77d742"
 score = 75
 quality = 75
@@ -208714,8 +208640,8 @@ rule WITHSECURELABS_Kapeka_Backdoor : FILE
 date = "2024-04-17"
 modified = "2024-04-17"
 reference = "https://labs.withsecure.com/publications/kapeka"
- source_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/Kapeka/kapeka_backdoor.yar#L2-L21"
- license_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/LICENSE"
+ source_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/Kapeka/kapeka_backdoor.yar#L2-L21"
+ license_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/LICENSE"
 logic_hash = "49795c6e3f3690eeccd731a9ba0c6bd8d5840d9171939e71d3a4d6f0d1834f05"
 score = 75
 quality = 25
@@ -208744,8 +208670,8 @@ rule WITHSECURELABS_Ducktail_Dotnet_Core_Infostealer : FILE
 date = "2022-07-18"
 modified = "2022-07-25"
 reference = "https://labs.withsecure.com/publications/ducktail"
- source_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/DUCKTAIL/ducktail_dotnet_core_infostealer.yar#L1-L103"
- license_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/LICENSE"
+ source_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/DUCKTAIL/ducktail_dotnet_core_infostealer.yar#L1-L103"
+ license_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/LICENSE"
 logic_hash = "81b4da5860894397e9cd416e451c3098f8560407cd79f070f8edd5a3ba91512a"
 score = 75
 quality = 50
@@ -208847,8 +208773,8 @@ rule WITHSECURELABS_Ducktail_Artifacts : FILE date = "2022-07-18" modified = "2022-07-26" reference = "https://labs.withsecure.com/publications/ducktail" - source_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/DUCKTAIL/ducktail_artifacts.yar#L1-L20" - license_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/LICENSE" + source_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/DUCKTAIL/ducktail_artifacts.yar#L1-L20" + license_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/LICENSE" logic_hash = "1daa5e654058c802826b6a306b5bfc9d0c05c4ee54607e94e618a8d409ce74d9" score = 75 quality = 50 @@ -208877,8 +208803,8 @@ rule WITHSECURELABS_Ducktail_Nativeaot : FILE date = "2022-11-17" modified = "2022-11-22" reference = "https://labs.withsecure.com/publications/ducktail_returns" - source_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/DUCKTAIL/ducktail_nativeaot.yara#L2-L22" - license_url = "https://github.com/WithSecureLabs/iocs/blob/a5e50e76f7829cbab219bec94bf1887dea9bb304/LICENSE" + source_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/DUCKTAIL/ducktail_nativeaot.yara#L2-L22" + license_url = "https://github.com/WithSecureLabs/iocs/blob/8165da82a9514abb69b4e2bb03f3983766a05b4a/LICENSE" logic_hash = "976b28ac45e5a13d4ce900b857e6bd3afc82b65b0235791fd698b762287cd60e" score = 75 quality = 75 
@@ -208895,9 +208821,9 @@ rule WITHSECURELABS_Ducktail_Nativeaot : FILE * YARA Rule Set * Repository Name: HarfangLab * Repository: https://github.com/HarfangLab/iocs - * Retrieval Date: 2025-06-22 - * Git Commit: 839185ff17a9eff560aee17048ad894ec9424667 - * Number of Rules: 26 + * Retrieval Date: 2025-06-29 + * Git Commit: 8dc3aaf1321031ddbd35668b4033701413418f92 + * Number of Rules: 27 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) * * @@ -208912,9 +208838,9 @@ rule HARFANGLAB_Masepie_Campaign_Htmlstarter : FILE author = "HarfangLab" id = "0cca485c-7941-5760-8c24-d993dcbf376d" date = "2024-01-24" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L1-L16" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L1-L16" license_url = "N/A" hash = "628bc9f4aa71a015ec415d5d7d8cb168359886a231e17ecac2e5664760ee8eba" logic_hash = "d131372c6ad01ae77e5630bae0c0a04ce311718eb1bcf423e6575f3b0ecdba5d" @@ -208937,9 +208863,9 @@ rule HARFANGLAB_Masepie_Campaign_Webdavlnk : FILE author = "HarfangLab" id = "de7fd592-e733-52d0-af9b-55adf37eaf74" date = "2024-01-24" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L17-L39" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L17-L39" license_url = "N/A" hash = "19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc" logic_hash = "26075e47b54404c55f4ca5eb757efa2b1711d919de0ffbfbdf6935e2e4dd3f3d" 
@@ -208965,9 +208891,9 @@ rule HARFANGLAB_Masepie_Campaign_Masepie : FILE author = "HarfangLab" id = "f0a034fa-38d4-5c54-b865-f830f85e245e" date = "2024-01-24" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L40-L60" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L40-L60" license_url = "N/A" hash = "18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6" logic_hash = "02da8119267978e63e3ee5ecdefb52285718f8875ec64d320f2752460c05588d" @@ -208997,7 +208923,7 @@ rule HARFANGLAB_Masepie_Campaign_Oceanmap : FILE date = "2024-01-24" modified = "2024-01-31" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L61-L95" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L61-L95" license_url = "N/A" hash = "24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04" logic_hash = "5fe244025f49358b4285e1272489378a46363ae915881dece26691d971aa93f3" @@ -209035,9 +208961,9 @@ rule HARFANGLAB_Allasenhamaycampaign_Executorloader author = "HarfangLab" id = "0a09414d-cd86-54a4-99e4-121a7df7624b" date = "2024-05-28" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240501" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L96-L114" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L96-L114" license_url = "N/A" logic_hash = "61aa0bf180574856e57d0b26442bfa6f4b1e25844611d6eadaed529e1bb86625" score = 75 
@@ -209063,9 +208989,9 @@ rule HARFANGLAB_Allasenhamaycampaign_Allasenha author = "HarfangLab" id = "787c4e66-2053-5f14-a52e-6b0415700e8c" date = "2024-05-28" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240501" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L115-L137" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L115-L137" license_url = "N/A" logic_hash = "affe75ade6c8d9eeba00006f78678a48b1cfc5ffa9f9675fdea6ffd6cb3a02bd" score = 75 @@ -209096,9 +209022,9 @@ rule HARFANGLAB_Nhas_Reverse_Shell_Unpacked_Large : FILE author = "HarfangLab" id = "7d910d10-49a1-5fb5-b5bd-49155413c433" date = "2024-09-24" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR250201" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L254-L275" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L254-L275" license_url = "N/A" hash = "18556a794f5d47f93d375e257fa94b9fb1088f3021cf79cc955eb4c1813a95da" logic_hash = "eedbf91f9ea7607dc68126840da338035b48509c5649a89f490d8cdfb32844b2" @@ -209126,9 +209052,9 @@ rule HARFANGLAB_Nhas_Reverse_Shell_Pe_Inmem_Large author = "HarfangLab" id = "f6b38e11-c405-5623-bea3-3a8d96b435af" date = "2024-09-24" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR250201" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L276-L294" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L276-L294" license_url = "N/A" hash = "7798b45ffc488356f7253805dc9c8d2210552bee39db9082f772185430360574" logic_hash = "b9bbbbd93dc39f8c16c7f8275fa73f4c345c3ba8f21da76ae491e89d3a22c473" 
@@ -209155,9 +209081,9 @@ rule HARFANGLAB_Nhas_Reverse_Shell_Elf_Inmem_Large author = "HarfangLab" id = "cd6f7b81-b8df-5e2b-9da6-981d1f62c131" date = "2024-09-24" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR250201" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L295-L312" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L295-L312" license_url = "N/A" hash = "9f97997581f513166aae47b3664ca23c4f4ea90c24916874ff82891e2cd6e01e" logic_hash = "54ba4fc366fb6e4a252d51528ede3ec418b369881ad98e9119d1a9650b6a1bab" @@ -209183,9 +209109,9 @@ rule HARFANGLAB_Charmingkitten_Cyclops : FILE author = "HarfangLab" id = "2cc7b2ff-25ca-5eac-a607-c3ee5136e0aa" date = "2024-08-05" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240801" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L313-L333" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L313-L333" license_url = "N/A" hash = "fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69" logic_hash = "70ab3f44b6889d478a94dc6aefcd30f0e82e0b80bcf26921167b72f35bdb7fa8" 
@@ -209211,9 +209137,9 @@ rule HARFANGLAB_Samecoin_Campaign_Loader : FILE author = "HarfangLab" id = "ab4d59f6-300d-5cdf-b91f-87f8cc1f0eac" date = "2024-02-13" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240201" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L334-L354" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L334-L354" license_url = "N/A" hash = "cff976d15ba6c14c501150c63b69e6c06971c07f8fa048a9974ecf68ab88a5b6" logic_hash = "7df04ab208d2caa5a137b1c3481ef734df54bbe8330979f524b16e9ba8cf48d5" @@ -209242,9 +209168,9 @@ rule HARFANGLAB_Samecoin_Campaign_Wiper : FILE author = "HarfangLab" id = "695e9181-cc96-5212-b33c-4d55065b7b85" date = "2024-02-13" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240201" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L355-L373" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L355-L373" license_url = "N/A" hash = "e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89" logic_hash = "ebe7c90398464ecf74ede17551c2ebc58b851ba6502092320934d1f5353581a2" 
@@ -209271,9 +209197,9 @@ rule HARFANGLAB_Samecoin_Campaign_Tasksspreader : FILE author = "HarfangLab" id = "7dcfdecd-00c3-502a-b29e-a10a1fd9543f" date = "2024-02-13" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240201" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L374-L411" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L374-L411" license_url = "N/A" hash = "b447ba4370d9becef9ad084e7cdf8e1395bafde1d15e82e23ca1b9808fef13a7" logic_hash = "61d602c343365608e5bc587ee9c7898e256f2411d78c7fe74c211e68bf4ab707" @@ -209312,9 +209238,9 @@ rule HARFANGLAB_Samecoin_Campaign_Nativewiper : FILE author = "HarfangLab" id = "9c77c26e-50f7-5ee4-bc6b-c0333e268b2c" date = "2024-02-13" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240201" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L412-L432" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L412-L432" license_url = "N/A" hash = "248054658277e6971eb0b29e2f44d7c3c8d7c5abc7eafd16a3df6c4ca555e817" logic_hash = "2779664830df3b5be72b7fe7d4da3d27e2a86b289ee3974596abf1df12317cd8" 
@@ -209343,9 +209269,9 @@ rule HARFANGLAB_Supposed_Grasshopper_Downloader : FILE author = "HarfangLab" id = "e53656b5-a1be-53f0-a4d4-908f24e08bd6" date = "2024-06-20" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240601" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L433-L448" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L433-L448" license_url = "N/A" logic_hash = "93509319ab8028b0215fcfb81d1ff5d3d810922999f1dd8359b706a965221b2f" score = 75 @@ -209369,9 +209295,9 @@ rule HARFANGLAB_Donut_Shellcode : FILE author = "HarfangLab" id = "54facb12-3f33-5430-b4bf-0d223dc2a413" date = "2024-06-20" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240601" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L449-L497" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L449-L497" license_url = "N/A" logic_hash = "1bf4e253195e39cc0b3cf45797c35a9f06078350aa35e65d9d36adbcc09a150b" score = 75 @@ -209400,9 +209326,9 @@ rule HARFANGLAB_Muddywater_Ateraagent_Operators : FILE author = "HarfangLab" id = "1494a0da-92de-5cfb-a870-325d02e2cdfb" date = "2024-04-17" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240402" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L498-L528" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L498-L528" license_url = "N/A" hash = "9b49d6640f5f0f1d68f649252a96052f1d2e0822feadd7ebe3ab6a3cadd75985" logic_hash = "63d5d3a6723191dccd20c8d9f25607df512b91f57ac891ef8c87b2dd107ee5a2" 
@@ -209439,9 +209365,9 @@ rule HARFANGLAB_Xdspy_LNK_2025 : FILE author = "HarfangLab" id = "ddd86b11-2d48-5383-9893-d7ed44210a38" date = "2025-05-16" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR250601" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L529-L550" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L529-L550" license_url = "N/A" hash = "904db68a915b4bbd0b4b2d665bb1e2c51fa1b71b9c44ce45ccd4b4664f2bfd8e" hash = "536cd589cd685806b4348b9efa06843a90decae9f4135d1b11d8e74c7911f37d" @@ -209467,9 +209393,9 @@ rule HARFANGLAB_Xdspy_Etdownloader : FILE author = "HarfangLab" id = "b335d868-7904-5270-a55e-c1445f0c4c9c" date = "2025-05-16" - modified = "2025-06-16" + modified = "2025-06-23" reference = "https://github.com/HarfangLab/iocs" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L551-L584" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L551-L584" license_url = "N/A" hash = "792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b" logic_hash = "050bf26c5665c68055f1f31b4cdce40fb8c6d2b9d8e08925e684cf70e80eb2dd" 
@@ -209507,9 +209433,9 @@ rule HARFANGLAB_Xdspy_Xdigo : FILE author = "HarfangLab" id = "d7df9c81-c237-5ee9-a368-fb8a90ac1889" date = "2025-05-16" - modified = "2025-06-16" + modified = "2025-06-23" reference = "https://github.com/HarfangLab/iocs" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L585-L612" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L585-L612" license_url = "N/A" hash = "49714e2a0eb4d16882654fd60304e6fa8bfcf9dbd9cd272df4e003f68c865341" hash = "0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e" @@ -209543,9 +209469,9 @@ rule HARFANGLAB_Packxor : FILE author = "Harfanglab" id = "6b4b6d61-b698-5e15-90b1-de2bdb76e425" date = "2024-08-05" - modified = "2025-06-16" + modified = "2025-06-23" reference = "https://harfanglab.io/insidethelab/unpacking-packxor/" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L613-L752" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L613-L752" license_url = "N/A" hash = "0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44" logic_hash = "ecc7e241f98da8bcd248493f6443676e4c1e516f1fd19f488a62acd314be1898" 
@@ -209690,9 +209616,9 @@ rule HARFANGLAB_Gamaredon_Pterolnk_Vbscript : FILE author = "HarfangLab" id = "3781749e-7f4e-55db-bdf7-2a0a056f41f4" date = "2025-04-04" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR250401" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L753-L772" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L753-L772" license_url = "N/A" hash = "d5538812b9a41b90fb9e7d83f2970f947b1e92cb68085e6d896b97ce8ebff705" logic_hash = "b6aad0ca4653c111a4f481f9d4636e272712dc7ad53fa3b2041f2c47a1eee527" @@ -209718,9 +209644,9 @@ rule HARFANGLAB_Gamaredon_Pterolnk_LNK : FILE author = "HarfangLab" id = "e6e0c2cb-049a-5d80-b167-56079aefe38b" date = "2025-04-04" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR250401" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L773-L791" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L773-L791" license_url = "N/A" hash = "n/a" logic_hash = "69565365da1632407e223f87978a91543b1281879aa372cd055d08e26e1a2d93" 
@@ -209737,6 +209663,41 @@ rule HARFANGLAB_Gamaredon_Pterolnk_LNK : FILE condition: filesize < 10KB and uint32( 0 ) == 0x0000004C and uint32( 4 ) == 0x00021401 and 1 of ( $a* ) and $b1 } +rule HARFANGLAB_Gamaredon_Pterolnk_Vbscript_Update2506 : FILE +{ + meta: + description = "Matches Gamaredon PteroLNK VBScript samples used in 2025" + author = "HarfangLab" + id = "e1feefb6-7070-53b0-98e7-4a3d784ee014" + date = "2025-06-23" + modified = "2025-06-23" + reference = "TRR250401;TRR250401_update2506" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L792-L818" + license_url = "N/A" + hash = "d5538812b9a41b90fb9e7d83f2970f947b1e92cb68085e6d896b97ce8ebff705" + hash = "4787fe23a4ba66137e41d6caa877251092a7f4957ccd89ed374b71aa6f6e2037" + logic_hash = "e754fcdd1de5d00972f1c8352b61701f833f28bfa38e54234b3c2ced59b7f491" + score = 75 + quality = 80 + tags = "FILE" + context = "file" + + strings: + $vbs = "on error resume next" ascii wide + $a1 = "b24gZXJyb3IgcmVzdW1lIG5leHQNC" ascii wide + $b1 = "\"\"%PUBLIC%\"\"" ascii wide + $b2 = "\"\"%APPDATA%\"\"" ascii wide + $b3 = "\"\"REG_DWORD\"\"" ascii wide + $b4 = "\"\"%USERPROFILE%\"\"" ascii wide + $c1 = "\"\":SRV\"\"" ascii wide + $c2 = "\"\":GTR\"\"" ascii wide + $c3 = "\"\":LNK\"\"" ascii wide + $c4 = "\"\":URLS\"\"" ascii wide + $c5 = "\"\":IPS\"\"" ascii wide + + condition: + filesize < 600KB and $vbs in ( 0 .. 500 ) and $a1 and ( any of ( $b* ) or any of ( $c* ) ) +} rule HARFANGLAB_Apt31_Rawdoor_Dropper : FILE { meta: 
@@ -209744,9 +209705,9 @@ rule HARFANGLAB_Apt31_Rawdoor_Dropper : FILE author = "HarfangLab" id = "b278a157-20e2-5271-aca0-0692929b881d" date = "2024-04-12" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240401" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L792-L813" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L819-L840" license_url = "N/A" hash = "c3056e39f894ff73bba528faac04a1fc86deeec57641ad882000d7d40e5874be" logic_hash = "d0cbe02c4fafb4895bd0126d2496802a3fee6a0362e55bfa91cfd1c75043d94a" @@ -209775,9 +209736,9 @@ rule HARFANGLAB_Apt31_Rawdoor_Payload : FILE author = "HarfangLab" id = "5fef27fe-a2ea-56b4-8cf6-8f6c4bf85d80" date = "2024-04-12" - modified = "2025-06-16" + modified = "2025-06-23" reference = "TRR240401" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/hl_public_reports_master.yar#L814-L838" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/hl_public_reports_master.yar#L841-L865" license_url = "N/A" hash = "fade96ec359474962f2167744ca8c55ab4e6d0700faa142b3d95ec3f4765023b" logic_hash = "51bd04603419d5bc77f12618df986f6b31ea8ddea553c6bc7580698fa236b3ed" @@ -209811,7 +209772,7 @@ rule HARFANGLAB_Custom_Ateraagent_Operator : FILE date = "2024-04-17" modified = "2024-04-22" reference = "TRR240402" - source_url = "https://github.com/HarfangLab/iocs/blob/839185ff17a9eff560aee17048ad894ec9424667/TRR240402/trr240402_yara-template.yar#L1-L20" + source_url = "https://github.com/HarfangLab/iocs/blob/8dc3aaf1321031ddbd35668b4033701413418f92/TRR240402/trr240402_yara-template.yar#L1-L20" license_url = "N/A" logic_hash = "71622b61c5f645dd846327b79bf6dddefef458b73a82caa34d086da2ba48cd8c" score = 75 
@@ -209833,7 +209794,7 @@ rule HARFANGLAB_Custom_Ateraagent_Operator : FILE * YARA Rule Set * Repository Name: LOLDrivers * Repository: https://github.com/magicsword-io/LOLDrivers/ - * Retrieval Date: 2025-06-22 + * Retrieval Date: 2025-06-29 * Git Commit: e2e48f15a0885e8b2ad2fb81255089845f5c183c * Number of Rules: 565 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -227469,7 +227430,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsopera * YARA Rule Set * Repository Name: SEKOIA * Repository: https://github.com/SEKOIA-IO/Community - * Retrieval Date: 2025-06-22 + * Retrieval Date: 2025-06-29 * Git Commit: a47734fa931e56f8646dab2abf31629431982429 * Number of Rules: 746 * Skipped: 0 (age), 3 (quality), 0 (score), 0 (importance) @@ -250477,7 +250438,7 @@ rule SEKOIA_Infostealer_Win_Leaf : FILE * YARA Rule Set * Repository Name: Synacktiv * Repository: https://github.com/synacktiv/synacktiv-rules - * Retrieval Date: 2025-06-22 + * Retrieval Date: 2025-06-29 * Git Commit: 81b4591c31165a77783671ea63d64ac79c2e84c7 * Number of Rules: 3 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -250683,7 +250644,7 @@ rule SYNACKTIV_SYNACKTIV_HKTL_Tunnel_X64_GO_Iox_May25 : COMMODITY FILE * YARA Rule Set * Repository Name: Signature Base * Repository: https://github.com/Neo23x0/signature-base - * Retrieval Date: 2025-06-22 + * Retrieval Date: 2025-06-29 * Git Commit: a065133ff5763435e4e9e0f6bc72344c44b1824f * Number of Rules: 4341 * Skipped: 0 (age), 9 (quality), 4 (score), 0 (importance) 
@@ -258373,7 +258334,7 @@ rule SIGNATURE_BASE_SUSP_Macos_Plist_Suspicious : FILE license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE" logic_hash = "1cca4b859148d95c9e150116e08230424544ebd0886a4d152e493476b9f91a75" score = 60 - quality = 58 + quality = 33 tags = "FILE" hash1 = "0541fc6a11f4226d52ae3d4158deb8f50ed61b25bb5f889d446102e1ee57b76d" hash2 = "6cc6abec7d203f99c43ce16630edc39451428d280b02739757f17fd01fc7dca3" @@ -262927,7 +262888,7 @@ rule SIGNATURE_BASE_EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts : LOG license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE" logic_hash = "131ff0ce189dfeace0922000b0d15dfb5a1270bee8fba8e4d66aa75b1d3f864f" score = 65 - quality = 60 + quality = 35 tags = "LOG" strings: @@ -262956,7 +262917,7 @@ rule SIGNATURE_BASE_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_2 : LOG license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE" logic_hash = "13e2e46689bc0e87c3cf13dc2ce213c384afe6c03c21e62a467974a0518c12da" score = 65 - quality = 85 + quality = 60 tags = "LOG" strings: @@ -275895,7 +275856,7 @@ rule SIGNATURE_BASE_EXPL_Log4J_CVE_2021_44228_Dec21_Hard : FILE CVE_2021_44228 license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE" logic_hash = "9a4fc285dd1680ebc8a1042eeb5fbba73b9e2df70678adf3163122d84405325e" score = 65 - quality = 85 + quality = 60 tags = "FILE, CVE-2021-44228" strings: 
@@ -286447,7 +286408,7 @@ rule SIGNATURE_BASE_TA17_293A_Energetic_Bear_Api_Hashing_Tool : FILE description = "Energetic Bear API Hashing Tool" author = "CERT RE Team" id = "4e58800a-9618-5d8b-954c-e843be6002c2" - date = "2025-02-22" + date = "2025-02-28" modified = "2023-12-05" reference = "https://github.com/Neo23x0/signature-base" source_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/yara/apt_ta17_293A.yar#L77-L93" @@ -296887,7 +296848,7 @@ rule SIGNATURE_BASE_EXPL_Exchange_Proxyshell_Successful_Aug21_1 : SCRIPT license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE" logic_hash = "06ab609a8efe3b36b6356a9cf7b7b11b2fc2a556ec1df6995008a9df86b3fcee" score = 65 - quality = 58 + quality = 83 tags = "SCRIPT" strings: @@ -303087,7 +303048,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic : FILE hash = "dd5d8a9b4bb406e0b8f868165a1714fe54ffb18e621582210f96f6e5ae850b33" logic_hash = "03c1963ec7a0409970baa98dc3a62f721c092b41d4026475a38b1ef466426b75" score = 70 - quality = -134 + quality = -159 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -303517,7 +303478,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Base64_Encoded_Payloads : FILE hash = "e2b1dfcfaa61e92526a3a444be6c65330a8db4e692543a421e19711760f6ffe2" logic_hash = "8f606dc3e1e688cca144fe769af50980b4c25fa69b08c67aca8c676a6a060010" score = 75 - quality = -8 + quality = 17 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -303750,7 +303711,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC : FILE hash = "1d0643927f04cb1133f00aa6c5fa84aaf88e5cf14d7df8291615b402e8ab6dc2" logic_hash = "8d7150a4fc657efe3526d5f8f624a66e7186a3f42b4605cc349bd31deeb71b7f" score = 75 - quality = -48 + quality = -23 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -303872,7 +303833,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Encoded_Mixed_Dec_And_Hex : FILE hash = "0ff05e6695074f98b0dee6200697a997c509a652f746d2c1c92c0b0a0552ca47" logic_hash = "d9b4d224d43915cf08050c173627b314c3e41a30ecfffe28038281eadc114e51" score = 75 - quality = -8 + quality = 17 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -303978,7 +303939,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Str_Replace : FILE hash = "e1a2af3477d62a58f9e6431f5a4a123fb897ea80" logic_hash = "74fb86a7ee7342ede9f49ef004a92fb7bdf06ca62f8e8f0ea1c6adcff96bcb2d" score = 75 - quality = 21 + quality = 46 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -304069,7 +304030,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Gzinflated : FILE hash = "07eb6634f28549ebf26583e8b154c6a579b8a733" logic_hash = "d2edb7050c986a00889fd01b709ec0aa1409ce2e40a15b7942562d12596b190e" score = 75 - quality = 32 + quality = 7 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -304331,7 +304292,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Includer_Eval : FILE hash = "b51a6d208ec3a44a67cce16dcc1e93cdb06fe150acf16222815333ddf52d4db8" logic_hash = "a7e9632c495e5d4cc883e2593c8ebe41cdf6a18b54bd6dfd3aec85352f19321c" score = 75 - quality = 21 + quality = 46 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -304407,7 +304368,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Dynamic : FILE hash = "2e11ba2d06ebe0aa818e38e24a8a83eebbaae8877c10b704af01bf2977701e73" logic_hash = "c49434662defad4945639887f4a6537c44a5559f83646f378f848b4aa4ba3c3f" score = 60 - quality = -181 + quality = -156 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -304697,7 +304658,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic_Backticks : FILE hash = "8db86ad90883cd208cf86acd45e67c03f994998804441705d690cb6526614d00" logic_hash = "faa064686a5632788497d0300ba017c3e564f3b70f07a01f2e49bf7c934feb28" score = 75 - quality = 19 + quality = 44 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -304734,7 +304695,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic_Backticks_OBFUSC : FILE hash = "8db86ad90883cd208cf86acd45e67c03f994998804441705d690cb6526614d00" logic_hash = "34354283762d6f62a4537e914d969f84546339da9be533e209d8738605b7e3ac" score = 75 - quality = 19 + quality = 44 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -304786,7 +304747,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_By_String_Known_Webshell : FILE hash = "d52128bcfff5e9a121eab3d76382420c3eebbdb33cd0879fbef7c3426e819695" logic_hash = "22b6d58e24748933792c29b63c4f68c08b86c17a2751fbef5b93bc06c8c5341d" score = 70 - quality = -8 + quality = 17 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -304881,7 +304842,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Strings_SUSP : FILE hash = "1ab3ae4d613b120f9681f6aa8933d66fa38e4886" logic_hash = "5c3837ab761ee2209fab5fc333b050a56d80addb03b088ae28040c7393429bb3" score = 50 - quality = 15 + quality = 40 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -305016,7 +304977,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Writer : FILE hash = "20281d16838f707c86b1ff1428a293ed6aec0e97" logic_hash = "34bae0c02156d1c9fd24d674443322409eba0a43e094fc6c05df94bbbe15aa64" score = 50 - quality = 17 + quality = 42 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -305277,7 +305238,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Generic_Eval_On_Input : FILE hash = "069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6" logic_hash = "f7b9f43cf2fd6d08b7438f003242e9a19dcea282959c7a1fdff3a35e261a031e" score = 75 - quality = -24 + quality = 1 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -305343,7 +305304,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Nano : FILE hash = "28cfcfe28419a399c606bf96505bc68d6fe05624dba18306993f9fe0d398fbe1" logic_hash = "1b969e098a0b2c86ceba9cbb7f31770ba04f1a4c225716ea27d7e4e4177c90c4" score = 75 - quality = -142 + quality = -117 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -305444,7 +305405,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Encoded : FILE hash = "af40f4c36e3723236c59dc02f28a3efb047d67dd" logic_hash = "dc33423874a49edfe9994db50959e6a55e2d475f4cd7d0b1b0a288c4ee1f7961" score = 75 - quality = -24 + quality = -49 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -305500,7 +305461,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Encoded_Aspcoding : FILE hash = "f5095345ee085318235c11ae5869ae564d636a5342868d0935de7582ba3c7d7a" logic_hash = "a0f0b8585b28b13a90c5d112997cacea00af8c89c81eda5edf05508ad41459ab" score = 60 - quality = -30 + quality = -5 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -305564,7 +305525,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_By_String : FILE hash = "de173ea8dcef777368089504a4af0804864295b75e51794038a6d70f2bcfc6f5" logic_hash = "b6ff83bc501753b893a0f5e60c6aafa292617279c0855ce3ba2d0b9b73325e8a" score = 75 - quality = -41 + quality = -66 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -306012,7 +305973,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Generic_Registry_Reader : FILE hash = "898ebfa1757dcbbecb2afcdab1560d72ae6940de" logic_hash = "515bff52bebaad45481202ff934f8d1cbb79c27ccf47ca811077acacb7a47f13" score = 50 - quality = -53 + quality = -28 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -306090,7 +306051,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASPX_Regeorg_CSHARP : FILE hash = "aea0999c6e5952ec04bf9ee717469250cddf8a6f" logic_hash = "0c68f5955df2e75c3b5b4f1c6398fd57add1f64bfb3d46ccebf1c6767f5d2eb1" score = 75 - quality = -32 + quality = -7 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -306213,7 +306174,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Runtime_Compile : FILE
 hash = "8ce4eaf111c66c2e6c08a271d849204832713f8b66aceb5dadc293b818ccca9e"
 logic_hash = "6699a44e396eedebb3bafa0e89c3b6d080586a158ed056ec7220bdf2ad764444"
 score = 75
- quality = 19
+ quality = -6
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -306376,7 +306337,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Scan_Writable : FILE
 hash = "af1c00696243f8b062a53dad9fb8b773fa1f0395631ffe6c7decc42c47eedee7"
 logic_hash = "80969fd0c27903dabf08a250a47971725ac5762fd2f9afd96167b8f88f277348"
 score = 75
- quality = -64
+ quality = -89
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -306452,7 +306413,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Regeorg : FILE
 hash = "9108a33058aa9a2fb6118b719c5b1318f33f0989"
 logic_hash = "9d4c60a4daaadf6cefe8bf1d84b1e4af491cd23136332db4a022715b265c8f4e"
 score = 75
- quality = 50
+ quality = 25
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -306493,7 +306454,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_HTTP_Proxy : FILE
 hash = "2f9b647660923c5262636a5344e2665512a947a4"
 logic_hash = "7183902d43fc633db06a41b4a6bc02d2eb5662b7ee08080b57563783b8b67568"
 score = 75
- quality = 25
+ quality = 50
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -306535,7 +306496,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Writer_Nano : FILE
 hash = "5e241d9d3a045d3ade7b6ff6af6c57b149fa356e"
 logic_hash = "44c11570c610b849ba9c7506fd9ef3575d270e79d7aaf5c26d54ab3f64cfc94f"
 score = 75
- quality = 23
+ quality = 48
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -306639,7 +306600,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Generic : FILE
 hash = "ee9408eb923f2d16f606a5aaac7e16b009797a07"
 logic_hash = "8b525fea9a424c3e555e9aa38a587d5936a49022db73094a17cb92fd723074f3"
 score = 75
- quality = -49
+ quality = -24
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -306789,7 +306750,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Generic_Reflection : FILE
 hash = "bf0ff88cbb72c719a291c722ae3115b91748d5c4920afe7a00a0d921d562e188"
 logic_hash = "386aeb3745c5dd815f00bbc941450a2c3f1ddfc2956c67ecd5bee9318b1756ef"
 score = 75
- quality = -25
+ quality = 0
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -306840,7 +306801,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Generic_Classloader : FILE
 hash = "8e544a5f0c242d1f7be503e045738369405d39731fcd553a38b568e0889af1f2"
 logic_hash = "109c0063f4e8db6172fd872b3b93d4f069234f28bbf033fbd2c5f135051df77e"
 score = 75
- quality = -25
+ quality = 0
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -306916,7 +306877,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Netspy : FILE
 hash = "3870b31f26975a7cb424eab6521fc9bffc2af580"
 logic_hash = "65432e42ad2626b62b1d1a6298c301513c2fb03d89193a77b053069cebcb45e9"
 score = 75
- quality = 1
+ quality = -24
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -307034,7 +306995,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Input_Upload_Write : FILE
 hash = "19eca79163259d80375ebebbc440b9545163e6a3"
 logic_hash = "33b08a6118134819ec72a2eab0daf723c25c8869e0fa8a83f690b93e2667d15c"
 score = 75
- quality = 46
+ quality = 21
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -307082,7 +307043,7 @@ rule SIGNATURE_BASE_WEBSHELL_Generic_OS_Strings : FILE
 hash = "0353ae68b12b8f6b74794d3273967b530d0d526f"
 logic_hash = "10b956cac601c97d1483d35a7730d7178c4175800b4e4c9ed62ad583d3cac3d7"
 score = 50
- quality = -98
+ quality = -123
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -311612,7 +311573,7 @@ rule SIGNATURE_BASE_SUSP_Themebleed_Theme_Sep23 : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE"
 logic_hash = "577003741f07aeffafd2b0b22913de44ea4f5ed264f4104ee013104355f65311"
 score = 75
- quality = 60
+ quality = 85
 tags = "FILE"
 strings:
@@ -319476,7 +319437,7 @@ rule SIGNATURE_BASE_SUSP_Katz_PDB : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE"
 logic_hash = "1a38f63d8e8baa9bc8f34c1886fc2aaea7f61d5e09792ba9cde4cf6ed8441fab"
 score = 65
- quality = 60
+ quality = 85
 tags = "FILE"
 hash1 = "6888ce8116c721e7b2fc3d7d594666784cf38a942808f35e309a48e536d8e305"
@@ -326885,7 +326846,7 @@ rule SIGNATURE_BASE_M_Hunting_Python_Backdoor_Commandparser_1 : FILE
 hash = "61ab3f6401d60ec36cd3ac980a8deb75"
 logic_hash = "eefc255079e914ac81d53baf4ae159052bfda4c670e8300306c0899b3ad00a48"
 score = 50
- quality = 60
+ quality = 85
 tags = "FILE"
 strings:
@@ -330041,7 +330002,7 @@ rule SIGNATURE_BASE_Suspicious_Powershell_Code_1 : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE"
 logic_hash = "0a254e0e4f0fdaa5907f5fe0b0c3d5226e2fdac4072349019abc2b2b11cbde30"
 score = 60
- quality = 58
+ quality = 33
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
@@ -342195,7 +342156,7 @@ rule SIGNATURE_BASE_FE_Trojan_SH_ATRIUM_1
 hash = "a631b7a8a11e6df3fccb21f4d34dbd8a"
 logic_hash = "672a293660d89d5d7d62a658c360bad0b6408611d8794744b17a81e6a75ceea7"
 score = 75
- quality = 35
+ quality = 60
 tags = ""
 strings:
@@ -342357,7 +342318,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_PULSEJUMP_1
 hash = "91ee23ee24e100ba4a943bb4c15adb4c"
 logic_hash = "c9aa2b9ef8aff14c20ed6597b1a71eafc3e3c181aabf9a3a68df18945207ff86"
 score = 75
- quality = 60
+ quality = 85
 tags = ""
 strings:
@@ -342383,7 +342344,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_QUIETPULSE
 hash = "00575bec8d74e221ff6248228c509a16"
 logic_hash = "226a56369e141834d4834400bbf1a006bbb6e9b39e16e24b0106bff1a9c202a9"
 score = 75
- quality = 33
+ quality = 83
 tags = ""
 strings:
@@ -342438,7 +342399,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_RADIALPULSE_2
 hash = "4a2a7cbc1c8855199a27a7a7b51d0117"
 logic_hash = "4ade993176c918ec23e99fc585e9ab14d9f9e93a7eca00f2c3b0ebbd13d6ec5b"
 score = 75
- quality = 60
+ quality = 85
 tags = ""
 strings:
@@ -342465,7 +342426,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_RADIALPULSE_3
 hash = "4a2a7cbc1c8855199a27a7a7b51d0117"
 logic_hash = "025308591e058de284f949fd4f788e4a4f46bb2f6c0e1161237f1f811d8179ba"
 score = 75
- quality = 60
+ quality = 85
 tags = ""
 strings:
@@ -344998,7 +344959,7 @@ rule SIGNATURE_BASE_Trojan_ISMRAT_Gen : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE"
 logic_hash = "c4d26f79b8110e92a5e427de303eca6eaf79765a4c9cc437864dc5160ef2e343"
 score = 75
- quality = 60
+ quality = 85
 tags = "FILE"
 hash1 = "146a112cb01cd4b8e06d36304f6bdf7b"
 hash2 = "fa3dbe37108b752c38bf5870b5862ce5"
@@ -368520,7 +368481,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_SMB_URL : FILE
 hash = "e0bef7497fcb284edb0c65b59d511830"
 logic_hash = "4903c8f4bb08e799f6787ad29cf7688f354f97a065bcd24c58d3ccd3778a6a15"
 score = 50
- quality = 60
+ quality = 85
 tags = "FILE"
 strings:
@@ -368714,7 +368675,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Scripturl : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/a065133ff5763435e4e9e0f6bc72344c44b1824f/LICENSE"
 logic_hash = "ece0013dbc9836fa800f99a10ab46c1eb081e1c04fe45fe17be26ffac1d464e9"
 score = 50
- quality = 60
+ quality = 85
 tags = "FILE"
 strings:
diff --git a/third_party/yara/elastic/Linux_Rootkit_Generic.yar b/third_party/yara/elastic/Linux_Rootkit_Generic.yar
index 963c6fd66..c240e7512 100644
--- a/third_party/yara/elastic/Linux_Rootkit_Generic.yar
+++ b/third_party/yara/elastic/Linux_Rootkit_Generic.yar
@@ -179,3 +179,24 @@ rule Linux_Rootkit_Generic_f07bcabe {
 2 of them
 }
+rule Linux_Rootkit_Generic_5d17781b {
+ meta:
+ author = "Elastic Security"
+ id = "5d17781b-5d2a-4405-8806-274e6cabfe2c"
+ fingerprint = "220eff54c80a69c3df0d8f71aeacdd114cc2ea0675595c2bfde2ac47578c3a02"
+ creation_date = "2024-12-02"
+ last_modified = "2025-06-10"
+ threat_name = "Linux.Rootkit.Generic"
+ severity = 100
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $str = "kallsyms_lookup_name_t"
+ $lic1 = "license=Dual BSD/GPL"
+ $lic2 = "license=GPL"
+ condition:
+ $str and 1 of ($lic*)
+}
+
diff --git a/third_party/yara/elastic/Linux_Trojan_Mirai.yar b/third_party/yara/elastic/Linux_Trojan_Mirai.yar
index 62123a9b4..4bdef6b2f 100644
--- a/third_party/yara/elastic/Linux_Trojan_Mirai.yar
+++ b/third_party/yara/elastic/Linux_Trojan_Mirai.yar
@@ -927,26 +927,6 @@ rule Linux_Trojan_Mirai_b9a9d04b {
 all of them
 }
-rule Linux_Trojan_Mirai_d2205527 {
- meta:
- author = "Elastic Security"
- id = "d2205527-0545-462b-b3c9-3bf2bdc44c6c"
- fingerprint = "01d937fe8823e5f4764dea9dfe2d8d789187dcd6592413ea48e13f41943d67fd"
- creation_date = "2021-01-12"
- last_modified = "2021-09-16"
- threat_name = "Linux.Trojan.Mirai"
- reference_sample = "e4f584d1f75f0d7c98b325adc55025304d55907e8eb77b328c007600180d6f06"
- severity = 100
- arch_context = "x86"
- scan_context = "file, memory"
- license = "Elastic License v2"
- os = "linux"
- strings:
- $a = { CA B8 37 00 00 00 0F 05 48 3D 01 F0 FF FF 73 01 C3 48 C7 C1 C0 FF }
- condition:
- all of them
-}
-
 rule Linux_Trojan_Mirai_ab073861 {
 meta:
 author = "Elastic Security"
diff --git a/third_party/yara/elastic/RELEASE b/third_party/yara/elastic/RELEASE
index 633111223..14fcbecfc 100644
--- a/third_party/yara/elastic/RELEASE
+++ b/third_party/yara/elastic/RELEASE
@@ -1 +1 @@
-1894c06fd2d6bcc10c29464b9032229df8f414a6
+ff154ddf0762a4a030c8832eee7753cb19b950ff