diff --git a/third_party/yara/elastic/RELEASE b/third_party/yara/elastic/RELEASE
index a4cbdc025..35d9b4000 100644
--- a/third_party/yara/elastic/RELEASE
+++ b/third_party/yara/elastic/RELEASE
@@ -1 +1 @@
-0d52fa9af8c9881639edf793f58a8cb637ece5b7
+b5a0c1956d0aa92e2f44156bc9983c25ddc817d1
diff --git a/third_party/yara/elastic/Windows_Ransomware_Stop.yar b/third_party/yara/elastic/Windows_Ransomware_Stop.yar
index 00e6e18f9..ff2a6a06e 100644
--- a/third_party/yara/elastic/Windows_Ransomware_Stop.yar
+++ b/third_party/yara/elastic/Windows_Ransomware_Stop.yar
@@ -2,9 +2,9 @@ rule Windows_Ransomware_Stop_1e8d48ff {
 meta:
 author = "Elastic Security"
 id = "1e8d48ff-e0ab-478d-8268-a11f2e87ab79"
- fingerprint = "715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb"
+ fingerprint = "bef9770e8deb4a5ba76cea1050ca0de1ef9ab6a6aa53f071126c3f0dacf368fd"
 creation_date = "2021-06-10"
- last_modified = "2021-08-23"
+ last_modified = "2025-09-26"
 threat_name = "Windows.Ransomware.Stop"
 reference_sample = "821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3"
 severity = 100
@@ -14,7 +14,7 @@ rule Windows_Ransomware_Stop_1e8d48ff {
 os = "windows"
 strings:
 $a = "E:\\Doc\\My work (C++)\\_Git\\Encryption\\Release\\encrypt_win_api.pdb" ascii fullword
- $b = { 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF }
+ $b = { 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF FF FF C6 45 FC 01 50 FF D3 85 F6 79 36 56 68 }
 condition:
 any of them
 }
diff --git a/third_party/yara/elastic/Windows_Trojan_AveMaria.yar b/third_party/yara/elastic/Windows_Trojan_AveMaria.yar
index d4a18f93c..282fdfa1a 100644
--- a/third_party/yara/elastic/Windows_Trojan_AveMaria.yar
+++ b/third_party/yara/elastic/Windows_Trojan_AveMaria.yar
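Review bot: In the second Windows_Ransomware_Stop hunk the extended `$b` ends with `85 F6 79 36 56 68`, where `79 36` reads as a short `jns` with a fixed 0x36 displacement, and the kept prefix already pins two frame offsets (`8D 85 78 FF FF FF`, `8D 85 58 FF FF FF`); the 15 added bytes cut false positives but also break on any rebuild that moves the branch target or re-lays the stack frame. If the displacement is not what distinguishes the family, `... 85 F6 79 ?? 56 68 }` keeps the added opcode context without pinning it. Since the condition stays `any of them`, `$a` (the PDB path) still fires alone, so the tightening only affects samples where that path has been stripped. The meta-only changes in the first hunk (`fingerprint`, `last_modified`) match this edit and need nothing further.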
@@ -30,3 +30,32 @@ rule Windows_Trojan_AveMaria_31d2bce9 {
 8 of ($a*)
 }
 
+rule Windows_Trojan_AveMaria_e01305a0 {
+ meta:
+ author = "Elastic Security"
+ id = "e01305a0-724e-420a-99af-38a3c6436095"
+ fingerprint = "52acf71c9a53a56337722c43d9bba34957815b8c2c6fe52bea9b38e343dae803"
+ creation_date = "2025-08-18"
+ last_modified = "2025-09-19"
+ threat_name = "Windows.Trojan.AveMaria"
+ reference_sample = "21f1e24abcda47e08ba3e6bf19c0b2d9adb52b908f625c4a08f74ade5b863bf9"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a = "SOFTWARE\\_rptls" wide fullword
+ $b = "-w %ws -d C -f %s" fullword
+ $c = "RDPClip" wide fullword
+ $d = "ExplorerIdentifier" wide fullword
+ $e = "WM_FIND" wide fullword
+ $f = "WM_DISP" wide fullword
+ $g = "MsgBox.exe" wide fullword
+ $h = "Hey I'm Admin" wide fullword
+ $i = "/n:%temp%\\ellocnak.xml" wide fullword
+ $j = "CommandHandler::handleStartVncCommand() Start VNC on port : %d" wide fullword
+ condition:
+ 7 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_CastleLoader.yar b/third_party/yara/elastic/Windows_Trojan_CastleLoader.yar
new file mode 100644
index 000000000..bff3c4218
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_CastleLoader.yar
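Review bot: `$b = "-w %ws -d C -f %s" fullword` is the only string in the new rule without the `wide` modifier while `$a` and `$c`–`$j` are all `wide`; if that is deliberate (the format string is stored narrow in the sample) a short comment would stop a later maintainer from "fixing" it, and if it is an omission, `$b` never contributes to `7 of them` on a UTF-16 build. Suggested comment above the line: `// $b is a narrow (ASCII) string in the sample; all other strings are UTF-16`. I cannot confirm the encoding from the diff alone, so treat this as something to check against the reference sample before merging.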
@@ -0,0 +1,24 @@
+rule Windows_Trojan_CastleLoader_173548b8 {
+ meta:
+ author = "Elastic Security"
+ id = "173548b8-ff11-4528-8ef6-7e9f7d738e6c"
+ fingerprint = "a894955aebf7db79279c58fa3800a21ec9c4cf44dcb6e516825824439931cc15"
+ creation_date = "2025-08-14"
+ last_modified = "2025-09-19"
+ threat_name = "Windows.Trojan.CastleLoader"
+ reference_sample = "1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a = { 8B 34 BA 33 DB 03 F1 BA AA AA AA AA 38 1E 74 ?? 0F BE 0C 1E 8B C2 F6 C3 01 75 ?? C1 E8 03 0F AF C1 8B CA C1 E1 07 33 C1 EB ?? C1 E8 05 33 C1 8B CA C1 E1 0B 03 C1 F7 D0 43 33 D0 }
+ $b = { 8D 42 ?? 83 E0 03 0F B6 80 ?? ?? ?? ?? 66 33 44 0C ?? 66 89 84 0C ?? ?? ?? ?? 8D 42 ?? 83 E0 03 0F B6 80 ?? ?? ?? ?? 66 33 44 0C ?? 66 89 84 0C }
+ $c = { 3D 20 6C 72 70 75 ?? 81 7D F8 65 70 79 68 75 ?? 81 7D F4 20 20 76 72 75 ?? B9 01 }
+ $d = { 69 C0 6D 4E C6 41 05 39 30 00 00 }
+ $e = { 83 7C 24 ?? 20 0F 85 ?? ?? ?? ?? 80 7C 24 ?? B8 0F 85 ?? ?? ?? ?? B9 01 00 00 00 C7 44 24 ?? B8 BB 00 00 C7 44 24 ?? C0 C2 10 00 C7 44 24 ?? 00 00 00 00 }
+ condition:
+ 4 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_HiddenCli.yar b/third_party/yara/elastic/Windows_Trojan_HiddenCli.yar
new file mode 100644
index 000000000..2ec6b00a4
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_HiddenCli.yar
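Review bot: `$d = { 69 C0 6D 4E C6 41 05 39 30 00 00 }` decodes to `imul eax, eax, 0x41C64E6D` followed by `add eax, 0x3039`, the textbook ANSI C linear-congruential constants (1103515245 and 12345), so on its own it will show up in any binary carrying a statically linked `rand()`-style generator. The `4 of them` threshold means `$d` cannot fire alone, but that is the only thing keeping it from being a false-positive source, and nothing in the rule records it; a later edit that lowers the threshold or reuses `$d` elsewhere would not know. Suggested comment above the string: `// $d = generic LCG constants (0x41C64E6D / 0x3039); corroborating only, must never match alone`.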
@@ -0,0 +1,21 @@
+rule Windows_Trojan_HiddenCli_a9aa62d1 {
+ meta:
+ author = "Elastic Security"
+ id = "a9aa62d1-f131-42c4-a62a-0172db697996"
+ fingerprint = "f546cfc4530294a778db94e5295227bb61e39af54526605da7f8224811ba5a3c"
+ creation_date = "2025-10-02"
+ last_modified = "2025-10-13"
+ threat_name = "Windows.Trojan.HiddenCli"
+ reference_sample = "913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $b_1 = { 48 8B 0A 48 8D 45 E7 33 FF 4C 8D 45 EB 48 89 7C 24 38 BA 04 20 22 00 48 89 44 24 30 48 8D 45 27 }
+ $unicode_1 = { 43 00 6F 00 6D 00 6D 00 61 00 6E 00 64 00 20 00 27 00 73 00 74 00 61 00 74 00 65 00 27 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 66 00 75 00 6C 00 00 00 }
+ condition:
+ 1 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_HiddenDriver.yar b/third_party/yara/elastic/Windows_Trojan_HiddenDriver.yar
new file mode 100644
index 000000000..5f11373d8
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_HiddenDriver.yar
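Review bot: `$unicode_1` is a raw hex blob that decodes to the UTF-16LE text `Command 'state' successful` followed by a two-byte NUL terminator, and nothing in the rule says so; a reader has to decode 27 byte pairs to review it. Add a comment such as `// UTF-16LE "Command 'state' successful" + NUL terminator (kept as hex so the terminator is part of the match)`, or, if the terminator is not needed, write it as `"Command 'state' successful" wide` so the intent is visible. With `1 of them`, this status message alone triggers the rule, so whether the terminator is required is worth stating explicitly rather than leaving it implicit in the bytes.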
@@ -0,0 +1,25 @@
+rule Windows_Trojan_HiddenDriver_e26590fd {
+ meta:
+ author = "Elastic Security"
+ id = "e26590fd-a560-4312-ba2f-4131f5817410"
+ fingerprint = "fe876e1cc0663fd41742a93807a4d49972fb92c3abf6560e323d1e31f8a9eb69"
+ creation_date = "2025-10-02"
+ last_modified = "2025-10-13"
+ threat_name = "Windows.Trojan.HiddenDriver"
+ reference_sample = "f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $activeProcessLinksOffsets = { C7 44 24 20 E8 00 00 00 C7 44 24 24 88 01 00 00 C7 44 24 28 E8 02 00 00 C7 44 24 2C F0 02 00 00 C7 44 24 30 48 04 00 00 }
+ $alloc_table = { 48 83 63 78 00 48 8D 8B 88 00 00 00 83 A3 80 00 00 00 00 B8 01 00 00 00 8B D0 48 89 43 68 45 33 C0 89 43 70 }
+ $str_0 = "InitializePsMonitor"
+ $str_1 = "image load notify registartion failed with code:%08x"
+ $str_2 = "file-system mini-filter haven't started"
+ $str_3 = "can't activate stealth mode"
+ condition:
+ $activeProcessLinksOffsets or $alloc_table or (all of ($str_*))
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Stealc.yar b/third_party/yara/elastic/Windows_Trojan_Stealc.yar
index 7d1ed5ccd..3dfce3ebb 100644
--- a/third_party/yara/elastic/Windows_Trojan_Stealc.yar
+++ b/third_party/yara/elastic/Windows_Trojan_Stealc.yar
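Review bot: `$str_1` contains `registartion` and `$str_2` reads `haven't started`; these look like verbatim strings from the sample rather than mistakes in the rule, but nothing marks them as intentional, and a well-meaning spelling fix would silently break `all of ($str_*)`, which requires every one of the four. Add a comment above the string block, e.g. `// $str_* are verbatim from the sample, including the misspelling "registartion" — do not correct`. I cannot confirm the wording against the binary from the diff, so treat this as a check against the reference sample as well as a documentation request.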
@@ -69,3 +69,28 @@ rule Windows_Trojan_Stealc_5d3f297c {
 all of them
 }
 
+rule Windows_Trojan_Stealc_41db1d4d {
+ meta:
+ author = "Elastic Security"
+ id = "41db1d4d-d19f-441b-82c3-5ae94ef2baab"
+ fingerprint = "be16274bf7c8fe038b19700aaae47ff0ffcf9cbb98ac93adb7e228c5854b782c"
+ creation_date = "2025-07-16"
+ last_modified = "2025-09-19"
+ threat_name = "Windows.Trojan.Stealc"
+ reference_sample = "a68bc167669c7c98b6742209acea111be61e6002aa652a7b8116af47b284b084"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a1 = "C:\\builder_v2\\stealc\\json.h" wide fullword
+ $a2 = "%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX" fullword
+ $a3 = "/c timeout /t 5 & del /f /q \"" fullword
+ $b1 = { 0F B7 C8 81 E9 19 04 00 00 74 14 83 E9 09 74 0F 83 E9 01 74 0A 83 E9 1C 74 05 83 F9 04 75 08 33 C9 FF }
+ $b2 = { 22 74 6F 74 61 6C 5F 70 61 72 74 73 22 3A 20 00 2C 20 00 00 00 00 00 00 22 70 61 72 74 5F 69 6E 64 65 78 22 3A 20 }
+ $b3 = { 48 89 5C 24 10 57 48 83 EC ?? 0F 57 C0 48 8D 3D [3] 00 0F 11 01 48 C7 41 10 00 00 00 00 48 8B D9 48 C7 41 18 0F 00 00 00 C6 01 00 8A 05 [3] 00 EB }
+ condition:
+ 3 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Tollbooth.yar b/third_party/yara/elastic/Windows_Trojan_Tollbooth.yar
new file mode 100644
index 000000000..1c75a08e7
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_Tollbooth.yar
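Review bot: `$b2` is a hex blob whose bytes are the three ASCII literals `"total_parts": `, `, ` and `"part_index": ` separated by one and six NUL bytes of padding, but the rule gives no hint of that, and the padding widths are a compiler/linker layout detail that may not survive a rebuild; a comment such as `// ASCII "total_parts": / ", " / "part_index": with NUL padding between literals (layout-dependent)` would make it reviewable without a hex decoder. Separately, `$a2` is a generic GUID `printf` format and `$a3` the common `timeout /t 5 & del` self-delete command line, both likely to occur outside this family; with `3 of them`, `$a2`, `$a3` and any one further hit satisfy the rule. Documenting those two as corroborating rather than distinctive strings, e.g. `// $a2/$a3 are generic; rely on $a1/$b* for specificity`, would help whoever next tunes the threshold.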
@@ -0,0 +1,32 @@
+rule Windows_Trojan_Tollbooth_85bfcc68 {
+ meta:
+ author = "Elastic Security"
+ id = "85bfcc68-f375-4e19-817d-31ec43eac7eb"
+ fingerprint = "ce6b26e974a82a180f1e924f47279a1312557f7e379da4cd2cf80c7923b4e814"
+ creation_date = "2025-10-08"
+ last_modified = "2025-10-13"
+ threat_name = "Windows.Trojan.Tollbooth"
+ reference_sample = "c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a = "sitemapRangeBegin" ascii wide fullword
+ $b = "seoGroupHijackbotUaMatchRules" ascii wide fullword
+ $c = "clean?type=conf" ascii wide fullword
+ $d = "/landpage?seoConfigId=" ascii wide fullword
+ $e = "" ascii wide fullword
+ $f = "gooqlebot" ascii wide fullword
+ $g = "GetRandomLinesFromMultipleResources" ascii wide fullword
+ $h = "hj-plugin-iis-cpp-v"
+ $i = "hj-iis-cim-v" wide
+ $j = "