From 075735dc0cb820eaf4aafa0a1b33362cd5b25507 Mon Sep 17 00:00:00 2001 From: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 12:10:26 +0000 Subject: [PATCH] Update third-party rules as of 2025-11-16 --- third_party/yara/YARAForge/RELEASE | 2 +- .../yara/YARAForge/yara-rules-full.yar | 1224 ++++++++++------- 2 files changed, 712 insertions(+), 514 deletions(-) diff --git a/third_party/yara/YARAForge/RELEASE b/third_party/yara/YARAForge/RELEASE index 3f9d6e815..5b6643c3b 100644 --- a/third_party/yara/YARAForge/RELEASE +++ b/third_party/yara/YARAForge/RELEASE @@ -1 +1 @@ -20251109 +20251116 diff --git a/third_party/yara/YARAForge/yara-rules-full.yar b/third_party/yara/YARAForge/yara-rules-full.yar index ba70352c1..5b4b9e74a 100644 --- a/third_party/yara/YARAForge/yara-rules-full.yar +++ b/third_party/yara/YARAForge/yara-rules-full.yar @@ -12,24 +12,24 @@ * Force Exclude Importance Level: 0 * Minimum Age (in days): 0 * Minimum Score: 40 - * Creation Date: 2025-11-09 - * Number of Rules: 11418 - * Skipped: 0 (age), 234 (quality), 8 (score), 0 (importance) + * Creation Date: 2025-11-16 + * Number of Rules: 11424 + * Skipped: 0 (age), 229 (quality), 8 (score), 0 (importance) */ import "pe" import "dotnet" -import "console" +import "hash" import "math" import "elf" -import "hash" +import "console" /* * YARA Rule Set * Repository Name: ReversingLabs * Repository: https://github.com/reversinglabs/reversinglabs-yara-rules/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: e0a0be54aa1e11ccfd6854e4f19e9476f328fd84 * Number of Rules: 1240 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -6965,8 +6965,8 @@ rule REVERSINGLABS_Linux_Virus_Vit : TC_DETECTION MALICIOUS MALWARE FILE description = "Yara rule that detects Vit virus." author = "ReversingLabs" id = "4515fe43-4c5a-521d-82b7-273823f0c64e" - date = "2025-11-09" - date = "2025-11-09" + date = "2025-11-16" + date = "2025-11-16" modified = "2023-06-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e0a0be54aa1e11ccfd6854e4f19e9476f328fd84/yara/virus/Linux.Virus.Vit.yara#L3-L36" @@ -45148,8 +45148,8 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct : TC_DETECTION MALICIOUS MALWARE description = "Yara rule that detects Oct ransomware." author = "ReversingLabs" id = "e811a0ba-52df-5e88-ab71-df91d5cb584a" - date = "2025-10-09" - date = "2025-10-09" + date = "2025-10-16" + date = "2025-10-16" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e0a0be54aa1e11ccfd6854e4f19e9476f328fd84/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara#L1-L68" @@ -56924,8 +56924,8 @@ rule REVERSINGLABS_Win32_Ransomware_ONI : TC_DETECTION MALICIOUS MALWARE FILE description = "Yara rule that detects Oni ransomware." author = "ReversingLabs" id = "9190aee2-1119-546e-82ca-a7aba44a9d7f" - date = "2025-11-09" - date = "2025-11-09" + date = "2025-11-16" + date = "2025-11-16" modified = "2020-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e0a0be54aa1e11ccfd6854e4f19e9476f328fd84/yara/ransomware/Win32.Ransomware.Oni.yara#L1-L82" @@ -60235,7 +60235,7 @@ rule REVERSINGLABS_Win32_Ransomware_Babuk : TC_DETECTION MALICIOUS MALWARE FILE * YARA Rule Set * Repository Name: R3c0nst * Repository: https://github.com/fboldewin/YARA-rules/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 54e9e6899b258b72074b2b4db6909257683240c2 * Number of Rules: 26 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -60994,9 +60994,9 @@ rule R3C0NST_Exploit_Outlook_CVE_2023_23397 : CVE_2023_23397 FILE * YARA Rule Set * Repository Name: CAPE * Repository: https://github.com/kevoreilly/CAPEv2 - * Retrieval Date: 2025-11-09 - * Git Commit: 4fe8e23b24e5b58fe38f24619206d6933f0ec44d - * Number of Rules: 183 + * Retrieval Date: 2025-11-16 + * Git Commit: 9cf8bf5a0ee601c0afc7068413c59a1049674c64 + * Number of Rules: 184 * Skipped: 0 (age), 16 (quality), 3 (score), 0 (importance) * * @@ -61677,8 +61677,8 @@ rule CAPE_Formhooka date = "2025-07-16" modified = "2025-07-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Formbook.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Formbook.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "21b8101a7039cfad0e9d49cc1f055bc23a2eb4c973dcda2a81a007e452d77a6d" score = 75 quality = 70 @@ -61703,8 +61703,8 @@ rule CAPE_Formconfa date = "2025-07-16" modified = "2025-07-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Formbook.yar#L32-L44" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Formbook.yar#L32-L44" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "b0aa4cec55a21245d8104380c531dd6cc0fdef64fbefd79616eadfb4e95b2d75" score = 75 quality = 70 
@@ -61728,8 +61728,8 @@ rule CAPE_Formhelper date = "2025-07-16" modified = "2025-07-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Formbook.yar#L46-L58" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Formbook.yar#L46-L58" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "77cdfc94aac089c4f2590f4afbab35351fc6e104e67813548c68c59d27019a63" score = 75 quality = 70 @@ -61753,8 +61753,8 @@ rule CAPE_Formconfb date = "2025-07-16" modified = "2025-07-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Formbook.yar#L60-L75" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Formbook.yar#L60-L75" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "bb8f54220394420e698b5eac9276c3d0ab03148808cfb9e98feb56437ce2a5a7" score = 75 quality = 70 
@@ -61781,8 +61781,8 @@ rule CAPE_Xworm date = "2023-11-07" modified = "2023-11-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/XWorm.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/XWorm.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "d8e103f3470e83d71cd4992b74698c0721b8a69d764fdb7a4543997b2853014a" score = 75 quality = 70 @@ -61804,8 +61804,8 @@ rule CAPE_Modiloader : FILE date = "2025-01-31" modified = "2025-01-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/ModiLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/ModiLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "1f0cbf841a6bc18d632e0bc3c591266e77c99a7717a15fc4b84d3e936605761f" logic_hash = "9e64e0c40192cc832a1ffa7b3ac65a704596af82515d03706cd7aa1f4498f32f" score = 75 
@@ -61829,8 +61829,8 @@ rule CAPE_Modiloaderold : FILE date = "2025-01-31" modified = "2025-01-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/ModiLoader.yar#L15-L53" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/ModiLoader.yar#L15-L53" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "fc006377e6d41515503b0b234ff87f59d930a7d9f8b32d2e072de79b9c52ddc4" score = 75 quality = 66 @@ -61874,8 +61874,8 @@ rule CAPE_Vbcrypter date = "2021-03-28" modified = "2021-03-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/VBCrypter.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/VBCrypter.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "a62bca62ab624ab1a2c2e612c5b7e6d543006026a49c07c46800499e31e41c4e" score = 75 quality = 70 
@@ -61897,8 +61897,8 @@ rule CAPE_Bumblebee : FILE date = "2023-02-08" modified = "2023-02-08" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/BumbleBee.yar#L34-L46" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/BumbleBee.yar#L34-L46" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "0a632a0b30b28d544880eb1cfdd85e95f455c343d60f8d6922d4196ef7415961" score = 75 quality = 70 @@ -61922,8 +61922,8 @@ rule CAPE_Zloader : FILE date = "2024-05-03" modified = "2024-05-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Zloader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Zloader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "319adca805083c7f5854fe840447cf961addbd748f1f25eb8ec8cdeed7af38aa" score = 75 quality = 70 
@@ -61946,8 +61946,8 @@ rule CAPE_Zloader_2024 : FILE date = "2024-05-03" modified = "2024-05-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Zloader.yar#L14-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Zloader.yar#L14-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "38d555ef5f613cf7ca043697c479100a7a22e7f043acf8b6a46f8009eb92fd7e" score = 75 quality = 70 @@ -61971,8 +61971,8 @@ rule CAPE_Buerloader : FILE date = "2021-03-13" modified = "2021-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "6f9f9b4c01251c0643c61701084cca2bdfeea08ca95f982355565cf05483d940" score = 75 quality = 70 
@@ -61994,8 +61994,8 @@ rule CAPE_Heavenssyscall : FILE date = "2024-03-25" modified = "2024-03-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "aeb981fcba0936ff8b1be4c601445fd45e5d3b74856a9439d351edd57f5a50c3" score = 75 quality = 70 @@ -62019,8 +62019,8 @@ rule CAPE_Gettickcountantivm date = "2022-02-25" modified = "2022-02-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "662bc7839ed7ddd82d5fdafa29fafd9a9ec299c28820fe4104fbba9be1a09c42" hash = "00f1537b13933762e1146e41f3bac668123fac7eacd0aa1f7be0aa37a91ef3ce" hash = "549bca48d0bac94b6a1e6eb36647cd007fed5c0e75a0e4aa315ceabdafe46541" 
@@ -62051,8 +62051,8 @@ rule CAPE_Doomedloader : FILE date = "2024-07-25" modified = "2024-07-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/DoomedLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/DoomedLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "54a5962ef49ebf987908c4ea1559788f7c96a7e4ea61d2973636e998a0239c77" score = 75 quality = 70 @@ -62076,8 +62076,8 @@ rule CAPE_Emotetpacker : FILE date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "5a95d1d87ce69881b58a0e3aafc1929861e2633cdd960021d7b23e2a36409e0d" logic_hash = "5f27d9d18884f7e0805f69960869b332c1577bf8be8ac103285e8bf98cda0ffd" score = 75 
@@ -62101,8 +62101,8 @@ rule CAPE_Smokeloader : FILE date = "2023-02-06" modified = "2023-02-06" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "4b15162f4b754cdd6a9124f29f0fd979085734063a0b17f2a97a9750f29e2e0b" score = 75 quality = 70 @@ -62124,8 +62124,8 @@ rule CAPE_Slowloader date = "2024-09-23" modified = "2024-09-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/SlowLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/SlowLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "f07528c646ebd980a5e843caa4a4715e31b22c3cd091576600e9fe45d7fc2fe4" score = 75 quality = 70 
@@ -62148,8 +62148,8 @@ rule CAPE_Anticuckoo : FILE date = "2023-03-17" modified = "2023-03-17" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "ad5e52f144bb4a1dae3090978c6ecb4c7732538c9b62a6cedd32eccee6094be5" logic_hash = "a039aeca2dae44980e8bffafacfda90975e107001be50f11ac916b35ad43592e" score = 75 @@ -62169,11 +62169,11 @@ rule CAPE_Rhadamanthys description = "No description has been set in the source file - CAPE" author = "kevoreilly" id = "d9d387e1-76b3-55f6-a40f-a8c9cb9e9bea" - date = "2025-11-03" - modified = "2025-11-03" + date = "2025-11-11" + modified = "2025-11-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "3c8fbfe14f81e099fc900023d9c856e3f45b99af38889ed952b2ac67a636f51d" score = 75 quality = 70 
@@ -62195,11 +62195,11 @@ rule CAPE_Rhadaanti description = "No description has been set in the source file - CAPE" author = "kevoreilly" id = "25c31ccc-63e7-56f0-a62f-e64d992c34b5" - date = "2025-11-03" - modified = "2025-11-03" + date = "2025-11-11" + modified = "2025-11-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Rhadamanthys.yar#L15-L24" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Rhadamanthys.yar#L15-L24" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "b54fd25e3297d358f2a8ec3a868bb4d233ee32d6942f21a53c3d25d35164530b" score = 75 quality = 70 
@@ -62212,6 +62212,31 @@ rule CAPE_Rhadaanti condition: all of them } +rule CAPE_Rhadunhook +{ + meta: + description = "No description has been set in the source file - CAPE" + author = "Kevin O'Reilly" + id = "7bbeeb3a-9437-50d8-89e6-306a07886a17" + date = "2025-11-11" + modified = "2025-11-11" + reference = "https://github.com/kevoreilly/CAPEv2" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Rhadamanthys.yar#L26-L36" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" + logic_hash = "f2da2f1ee6b0a3b9fe58b2c35ccf0a0f6dee44228ec92659370d30defdef7ea3" + score = 75 + quality = 70 + tags = "" + cape_options = "bp0=$scan*,action0=scan:rbx,count=0,patch=$target+21:9090" + packed = "dd4af0f1888977f6d9eb820b19f4afc2a73d1c494a132ab4261498328005dda7" + + strings: + $scan = {48 85 DB 0F 84 E1 00 00 00 4C 8D 44 24 70 48 8D 54 24 40 48 8B CE 44 89 7C 24 50 4C 89 64 24 40 48 C7 44 24 48 00 00 00 00 C6 44 24 54 00 FF} + $target = {4D 85 C9 48 8B C6 4A 8D 0C 1E 74 15 48 2B D8 49 2B DB 8A 04 0B 88 01 48 83 C1 01 49 83 E9 01 75 F1 5F 5E 5D 5B C3} + + condition: + any of them +} rule CAPE_Pikahook : FILE { meta: 
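Review bot: CAPE_Rhadunhook is the only change in this bump that adds detection logic rather than rewriting dates and source URLs, so it should not ride through on the same glance as the metadata churn around it. Its condition is `any of them` over two raw hex sequences, with no `FILE` tag and no file-level guard visible in the hunk, and its description is the placeholder `No description has been set in the source file - CAPE`; the `cape_options` entry (`bp0=$scan*,action0=scan:rbx,count=0,patch=$target+21:9090`) is a CAPE sandbox instrumentation directive that is inert meta for any other YARA consumer, so a hit here indicates a sandbox-helper rule rather than a standalone verdict, and downstream scoring (`score = 75`) should be read with that in mind. If the update workflow does not already compile the merged `.yar` and flag hunks that add or remove `rule` blocks, adding both steps would let a human review new logic separately from the weekly URL and date rewrites in the surrounding hunks. The new rule is complete within this hunk.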
@@ -62221,8 +62246,8 @@ rule CAPE_Pikahook : FILE date = "2024-03-12" modified = "2024-03-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Pikabot.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Pikabot.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "2a50a5f2d905122a5b7ac8ca3666b47caa24d325e246841129e53807daf2a1dd" score = 75 quality = 70 @@ -62247,8 +62272,8 @@ rule CAPE_Pikexport : FILE date = "2024-03-12" modified = "2024-03-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Pikabot.yar#L16-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Pikabot.yar#L16-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646" logic_hash = "33f58703a0e40c2361343dbdcc17111aafbf5cc912393edda79005c6ec566f42" score = 75 
@@ -62272,8 +62297,8 @@ rule CAPE_Risepro : FILE date = "2023-12-16" modified = "2023-12-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/RisePro.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/RisePro.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6" logic_hash = "055ca8328923b91f93c116e4a856366356fa11155f4e9fde95da31129b51386a" score = 75 @@ -62298,8 +62323,8 @@ rule CAPE_Lumma : FILE date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Lumma.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Lumma.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "a8f9212b619796f91f14c4164e4d2f30c66b51118f22f3d6c310841b6707b7b0" score = 75 quality = 70 
@@ -62324,8 +62349,8 @@ rule CAPE_Lummaremap date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Lumma.yar#L16-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Lumma.yar#L16-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "51093379fbd041f75bdfe161bc9dfcc7d782c23ce16d625ca558bb58d8d57713" score = 75 quality = 70 @@ -62348,8 +62373,8 @@ rule CAPE_Rdtscpantivm date = "2021-12-11" modified = "2021-12-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "be0f9b52fb630730a38160f4ad2d50b6b4bea5edd82e3ea4d1e257cf7b090910" score = 75 quality = 70 
@@ -62371,8 +62396,8 @@ rule CAPE_Privateloader date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "204a86bb3743f19fed0fe55ff5ccd716661f7f315b5966a29e434ccb3e160526" score = 75 quality = 70 @@ -62395,8 +62420,8 @@ rule CAPE_Singlestepantihook date = "2021-08-26" modified = "2021-08-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "fc9f36b0ecc13192fe8b6caaff256ac52c1f14480223d629a38ba84e90dd0809" score = 75 quality = 70 
@@ -62418,8 +62443,8 @@ rule CAPE_Darkgateloader date = "2025-04-07" modified = "2025-04-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "00692123615d2f7eaf8aea07754fc9439cf58e1fb8eb4f44f0428b362f27e794" score = 75 quality = 70 @@ -62445,8 +62470,8 @@ rule CAPE_Guloaderprecursor : FILE date = "2023-10-02" modified = "2023-10-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Guloader.yar#L17-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Guloader.yar#L17-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "ea05c352739366a03da302074b01537382ba26f7fd5049004f156e47d284f070" score = 75 quality = 70 
@@ -62469,8 +62494,8 @@ rule CAPE_Mysterysnail date = "2021-10-16" modified = "2021-10-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/MysterySnail.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/MysterySnail.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "9402dbbbfdd286e2309ee83fc08194f70f73657a3a4e3785dfbcb564dbee86a8" score = 75 quality = 70 @@ -62492,8 +62517,8 @@ rule CAPE_Blister : FILE date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Blister.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Blister.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "aba379b93c85241cf250829832b2c8a5eaafb3abd0ff955dbaf0d06489c00deb" score = 75 quality = 70 
@@ -62521,8 +62546,8 @@ rule CAPE_Darkgate date = "2024-02-26" modified = "2024-02-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/DarkGate.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/DarkGate.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "c1d35921f4fc3bac681a3d5148f517dc0ec90ab8c51e267c8c6cd5b1ca3dc085" logic_hash = "25c0e77a83676c6a18445f8df0b1f7a9148de5f64eeb532f9a4f4d4652dd8191" score = 75 @@ -62550,8 +62575,8 @@ rule CAPE_Aurastealerbypass date = "2025-09-02" modified = "2025-09-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/AuraStealer.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/AuraStealer.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "ae174c96c262b1734c58bd6c5f7112221b08596c180612e4970acada35dbd070" score = 75 quality = 70 
@@ -62576,8 +62601,8 @@ rule CAPE_Loadersyscall
 date = "2025-07-23"
 modified = "2025-07-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "3c7ffd8b95032cffecff7fa7e5f5f561cce13e1109f6a9b30bc743642b495e45"
 score = 75
 quality = 70
@@ -62601,8 +62626,8 @@ rule CAPE_Nitrogenloaderaes
 date = "2025-07-23"
 modified = "2025-07-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "de8ed0e98948cfadfd579e334fd9ce9f777ddbd988de897529ba71cb5eb2d396"
 score = 75
 quality = 70
@@ -62626,8 +62651,8 @@ rule CAPE_Nitrogenloaderbypass
 date = "2025-07-23"
 modified = "2025-07-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "3a034d3ddd18723ea1f91814c8c2a2c47a749dfd1496a5d4777d8ff8bfab3457"
 score = 75
 quality = 70
@@ -62651,8 +62676,8 @@ rule CAPE_Nitrogenloaderconfig
 date = "2025-07-23"
 modified = "2025-07-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L66"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L66"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "06d49ebf3f67476c83a77734dff0245a51027a35d92e5af07bb9146db5b156ca"
 score = 75
 quality = 70
@@ -62687,8 +62712,8 @@ rule CAPE_Agentteslav4Jit
 date = "2024-02-27"
 modified = "2024-02-27"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/AgentTesla.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/AgentTesla.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "8f7144d2a989ce8d291af926b292f5f0f7772e707b0e49797eba13ecf91b90bc"
 score = 75
 quality = 70
@@ -62713,8 +62738,8 @@ rule CAPE_Agentteslav3Jit
 date = "2024-02-27"
 modified = "2024-02-27"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/AgentTesla.yar#L16-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/AgentTesla.yar#L16-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "62a49cf4295df637f96ba7c127cfc4aeb9af2fcced497fdf34d726a062edc1ec"
 score = 75
 quality = 70
@@ -62736,8 +62761,8 @@ rule CAPE_Icedidsyscallwritemem : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/IcedID.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/IcedID.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "6b068106b038e9efeb9057cadf314d400c1ada1a1cc70336d3272da3a212c993"
 score = 75
 quality = 70
@@ -62761,8 +62786,8 @@ rule CAPE_Icedidhook
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/IcedID.yar#L15-L25"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/IcedID.yar#L15-L25"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "fd62e0ed6f2a18472fa9336daee0e8a3a55e21779a8385394e85f96da928e24f"
 score = 75
 quality = 70
@@ -62784,8 +62809,8 @@ rule CAPE_Icedidpackera : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/IcedID.yar#L27-L40"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/IcedID.yar#L27-L40"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe"
 logic_hash = "aa0681e7794546355e6d61f739c49035a493cdfca7e666531d74e3835ec44408"
 score = 75
@@ -62810,8 +62835,8 @@ rule CAPE_Icedidpackerb : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/IcedID.yar#L42-L56"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/IcedID.yar#L42-L56"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "6517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6"
 logic_hash = "fde1e2c0124d180b2fa3d0675b35e8d78fdd7b06cd27e9228c148aa29ce30ee7"
 score = 75
@@ -62836,8 +62861,8 @@ rule CAPE_Icedidpackerc : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/IcedID.yar#L58-L71"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/IcedID.yar#L58-L71"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "c06805b6efd482c1a671ec60c1469e47772c8937ec0496f74e987276fa9020a5"
 hash = "265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844"
 logic_hash = "f1e75e380ab0947fdfda012b7a5077a1c2ef51163239846ab2dc29cac95ba166"
@@ -62862,8 +62887,8 @@ rule CAPE_Icedidpackerd : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/IcedID.yar#L73-L86"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/IcedID.yar#L73-L86"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "7b226f8cc05fa7d846c52eb0ec386ab37f9bae04372372509daa6bacc9f885d8"
 logic_hash = "6685e0246f5a11ce0ca33447837de06506b447a5f8591423e2b76f2ab0274dc7"
 score = 75
@@ -62888,8 +62913,8 @@ rule CAPE_Icedsleep : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/IcedID.yar#L88-L99"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/IcedID.yar#L88-L99"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "0b1a8be95b1b8a3b066837f9e47561ee8202d741b39d64e626c0461c2fbf7c70"
 score = 75
 quality = 70
@@ -62912,8 +62937,8 @@ rule CAPE_Stealcanti : FILE
 date = "2025-09-01"
 modified = "2025-09-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Stealc.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Stealc.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
 logic_hash = "4132e8094b0b49a89e9f40a8b1a6abbf105bbb04e4ddf3ce739e39fc2baf0d13"
 score = 75
@@ -62937,8 +62962,8 @@ rule CAPE_Stealcstrings : FILE
 date = "2025-09-01"
 modified = "2025-09-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Stealc.yar#L15-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Stealc.yar#L15-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "6d402446a979c00b6257ace9924db381d98c530b22968bd2776c66d58c7faefc"
 score = 75
 quality = 70
@@ -62961,8 +62986,8 @@ rule CAPE_Stealcv2Strings : FILE
 date = "2025-09-01"
 modified = "2025-09-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Stealc.yar#L28-L43"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Stealc.yar#L28-L43"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "923f70edb3ad70957576994008729bf7a087479eed1973c42161aa96fa694baa"
 score = 75
 quality = 70
@@ -62989,8 +63014,8 @@ rule CAPE_Stealcv2Datecheck : FILE
 date = "2025-09-01"
 modified = "2025-09-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Stealc.yar#L45-L56"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Stealc.yar#L45-L56"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "f074aceb7c111156752891acac8690c00dad7c26240fb0752cc12a9a65aa3d30"
 score = 75
 quality = 70
@@ -63013,8 +63038,8 @@ rule CAPE_Latrodectus : FILE
 date = "2024-02-26"
 modified = "2024-02-26"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Latrodectus.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Latrodectus.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05"
 logic_hash = "c2c9f23e287253d766425c05eb774f6e07bdcbabc259e04b723a1a87c8b91fbd"
 score = 75
@@ -63037,8 +63062,8 @@ rule CAPE_Dridexloader : FILE
 date = "2021-03-09"
 modified = "2021-03-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/DridexLoader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/DridexLoader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "00a3e4e80a2558ee52035f091e2339fa2dad6f6515b9dc099f2f3800e4c70bce"
 score = 75
 quality = 70
@@ -63060,8 +63085,8 @@ rule CAPE_Bruteratelsyscall
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/BruteRatel.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/BruteRatel.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "5ed054b3cd5d2659c250945d55d6adac90945963c34ad2af0f8d7436141e86b6"
 score = 75
 quality = 70
@@ -63084,8 +63109,8 @@ rule CAPE_Bruteratelpacker
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/BruteRatel.yar#L14-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/BruteRatel.yar#L14-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "2ccb17efe378d034df34d20d7580c58171d0fd11c18fef6c9a23f1ba238514e6"
 score = 75
 quality = 70
@@ -63109,8 +63134,8 @@ rule CAPE_Bruterateldate
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/BruteRatel.yar#L28-L39"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/BruteRatel.yar#L28-L39"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "88589b2d08aea03565668ff1b9af20b6fe11cda50d867c60db7cb4d1826b0fd7"
 score = 75
 quality = 70
@@ -63133,8 +63158,8 @@ rule CAPE_Bruteratelconfig
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/BruteRatel.yar#L41-L51"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/BruteRatel.yar#L41-L51"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "b1815aafec940ab6c8daafc68ccf294845221ada260de5209dcb7e49ccd061c7"
 score = 75
 quality = 70
@@ -63156,8 +63181,8 @@ rule CAPE_Themida : FILE
 date = "2024-09-11"
 modified = "2024-09-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Themida.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Themida.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "c4f1e01a3fe3cb66062ce03253bfe9edc09dc6f1a77db99b281106e8ceff9257"
 score = 75
 quality = 70
@@ -63180,8 +63205,8 @@ rule CAPE_Amatera : FILE
 date = "2025-06-25"
 modified = "2025-06-25"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Amatera.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Amatera.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af"
 logic_hash = "1c02f04846568b85acbd4101b2e944dc824179f7cff1bceaec1c657939b610d5"
 score = 75
@@ -63206,8 +63231,8 @@ rule CAPE_Cargobayloader : FILE
 date = "2023-02-20"
 modified = "2023-02-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/CargoBayLoader.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/CargoBayLoader.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "75e975031371741498c5ba310882258c23b39310bd258239277708382bdbee9c"
 logic_hash = "1d5c4ca79f97e1fac358189a8c6530be12506974fc2fb42f63b0b621536a45c9"
 score = 75
@@ -63231,8 +63256,8 @@ rule CAPE_Socks5Systemz : FILE
 date = "2025-05-23"
 modified = "2025-05-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/Socks5Systemz.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/Socks5Systemz.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "7e324bacd1ea57585435b6a5a4c93bda63ca146c100f2361a1c5530b87668299"
 score = 75
 quality = 70
@@ -63262,8 +63287,8 @@ rule CAPE_Ursnifv3
 date = "2023-03-23"
 modified = "2023-03-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "d679546e37ee58087fce75920b2ce4e6d2b9ae55fb1ef80d14ec14309396757c"
 score = 75
 quality = 70
@@ -63290,8 +63315,8 @@ rule CAPE_Qakbot5 : FILE
 date = "2024-02-16"
 modified = "2024-02-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/QakBot.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/QakBot.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "303ea2d8d1a7f0fd0ca5508dae2c1b83c03b1e3e975760f15d36d93bcc152767"
 score = 75
 quality = 70
@@ -63315,8 +63340,8 @@ rule CAPE_Qakbot4 : FILE
 date = "2024-02-16"
 modified = "2024-02-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/QakBot.yar#L15-L29"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/QakBot.yar#L15-L29"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "ad75b07b9b786f634fd46cbe6dc089d3f732673320e70714e8ab058f0392c9f5"
 score = 75
 quality = 70
@@ -63342,8 +63367,8 @@ rule CAPE_Qakbotloader : FILE
 date = "2024-02-16"
 modified = "2024-02-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/QakBot.yar#L31-L46"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/QakBot.yar#L31-L46"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "6f99171c95a8ed5d056eeb9234dbbee123a6f95f481ad0e0a966abd2844f0e1a"
 logic_hash = "00869c0a9bf62cde3f46ca915b0ef689557b09dc58d6de34609e3998abfa7e98"
 score = 75
@@ -63370,8 +63395,8 @@ rule CAPE_Qakbotantivm
 date = "2024-02-16"
 modified = "2024-02-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/analyzer/windows/data/yara/QakBot.yar#L48-L59"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/analyzer/windows/data/yara/QakBot.yar#L48-L59"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "e269497ce458b21c8427b3f6f6594a25d583490930af2d3395cb013b20d08ff7"
 logic_hash = "20f1cd28f38945a3aa328e77e78525fb1ffc47ecf54d5a40c2f18264c3973989"
 score = 75
@@ -63394,8 +63419,8 @@ rule CAPE_Formbook
 date = "2023-10-13"
 modified = "2023-10-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Formbook.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Formbook.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "63ee4dd6fe5ed2a3e5ee88ba7de48d2c9e0024961a550d0fdb68891c9885e05e"
 score = 75
 quality = 70
@@ -63424,8 +63449,8 @@ rule CAPE_Wanacry : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/WanaCry.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/WanaCry.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "16d5e39f043d27bbf22f8f21e13971b7e0709b07e44746dd157d11ee4cc51944"
 score = 75
 quality = 70
@@ -63451,8 +63476,8 @@ rule CAPE_Zeuspanda : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/ZeusPanda.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/ZeusPanda.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "43d8a56cae9fd23c053f6956851734d3270b46a906236854502c136e3bb1e761"
 score = 75
 quality = 70
@@ -63475,8 +63500,8 @@ rule CAPE_Oyster
 date = "2024-05-30"
 modified = "2024-05-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Oyster.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Oyster.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650"
 logic_hash = "23ab1518712dbce8319b87785d7ffc0c2b61de82c2bbf533ebf0aae39ec33540"
 score = 75
@@ -63506,8 +63531,8 @@ rule CAPE_Nitrobunnydownloader : FILE
 date = "2025-10-28"
 modified = "2025-10-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/NitroBunnyDownloader.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/NitroBunnyDownloader.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
 logic_hash = "ccac428aef5382a3f82c986034549c459bbd666cedff49409b9ff4fef8e37744"
 score = 75
@@ -63535,8 +63560,8 @@ rule CAPE_Kronos : FILE
 date = "2020-07-02"
 modified = "2020-07-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Kronos.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Kronos.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "52ce9caf3627efe8ae86df6ca59e51e9f738e13ac0265f797e8d70123dbcaeb3"
 score = 75
 quality = 70
@@ -63561,8 +63586,8 @@ rule CAPE_Pikabotloader : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/PikaBot.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/PikaBot.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "7e5f1f2911545ee6bd36b54f2627fbdec1b957f4b91df901dd1c6cbd4dff0231"
 score = 75
 quality = 70
@@ -63586,8 +63611,8 @@ rule CAPE_Pikabot : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/PikaBot.yar#L15-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/PikaBot.yar#L15-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "ed07217c373831a9a67d914854154988696e6fcea70dedabf333385f0e7bb8b7"
 score = 75
 quality = 70
@@ -63612,8 +63637,8 @@ rule CAPE_Pik23 : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/PikaBot.yar#L30-L44"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/PikaBot.yar#L30-L44"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1"
 logic_hash = "71a71df2f2a075294941c54eed06cafaaa4d3294e45b3a0098c1cffddd0438bc"
 score = 75
@@ -63639,8 +63664,8 @@ rule CAPE_Jaff : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Jaff.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Jaff.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "6806a5eeee04b7436ff694addc334bfc0f1ee611116904d57be9506acfd47418"
 score = 75
 quality = 70
@@ -63665,8 +63690,8 @@ rule CAPE_Bumblebeeshellcode_1
  date = "2024-10-29"
  modified = "2024-10-29"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/BumbleBee.yar#L18-L33"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/BumbleBee.yar#L18-L33"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "d56f8c4e491d0d1b34e396e73750bef9917ca4f708fb6a2681de772a65c13a40"
  score = 75
  quality = 70
@@ -63693,8 +63718,8 @@ rule CAPE_Bumblebee2024
  date = "2024-10-29"
  modified = "2024-10-29"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/BumbleBee.yar#L52-L68"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/BumbleBee.yar#L52-L68"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "db58272c1ba74bc6e6a90bdacf7e8feec94be5da2b5123e0475ce86448f3edb2"
  score = 75
  quality = 70
@@ -63722,8 +63747,8 @@ rule CAPE_Zloader_1 : FILE
  date = "2025-04-07"
  modified = "2025-04-07"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Zloader.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Zloader.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  hash = "adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa"
  logic_hash = "525670973b67aac048199529c97d6be00b0a8cca9bc90deb647366d92a5ea540"
  score = 75
@@ -63753,8 +63778,8 @@ rule CAPE_Netsupport : FILE
  date = "2025-10-17"
  modified = "2025-10-17"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/NetSupport.yar#L3-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/NetSupport.yar#L3-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "d12e46d74ae0ba9f599d27dc2f55ff92a6648accbcd1a43cc3f1a9a2755e5fc7"
  score = 75
  quality = 70
@@ -63779,8 +63804,8 @@ rule CAPE_Asyncrat_Kingrat
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L1-L30"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L1-L30"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "1400d2029dfb66d8f2dc34db8643d6301f3af9bd356639f883d2c10bcc0c3947"
  score = 75
  quality = 33
@@ -63818,8 +63843,8 @@ rule CAPE_Stormkitty : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L32-L57"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L32-L57"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "258f5d9da80ff912459194b1139f062491df21a44456942951e2bd98e4b86c9b"
  score = 75
  quality = 41
@@ -63854,8 +63879,8 @@ rule CAPE_Worldwind : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L60-L82"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L60-L82"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "9bb04fad460193cd877ea7f2de9337f69aadda01aee6c79f0a23cdf564b1e6c8"
  score = 75
  quality = 45
@@ -63890,8 +63915,8 @@ rule CAPE_Prynt : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L85-L107"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L85-L107"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "84f2b33285ab1d129a62940a02990639cc8f7c92d490d7257e6aed9170d1e34e"
  score = 75
  quality = 45
@@ -63926,11 +63951,11 @@ rule CAPE_Xworm_1 : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L110-L136"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L110-L136"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "5a86c2f0a188135e53d86c176806a208abbe3dd830bde364016859ffa5294bd7"
  score = 75
- quality = 43
+ quality = 68
  tags = "FILE"
  cape_type = "XWorm Payload"
@@ -63966,8 +63991,8 @@ rule CAPE_Xworm_Kingrat
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L138-L155"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L138-L155"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "3914be652bb7271e5e6b89d05edf10a54f8ddaf9e22d194b60501aa2cdd495d3"
  score = 75
  quality = 66
@@ -63998,8 +64023,8 @@ rule CAPE_Dcrat : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L157-L222"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L157-L222"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "5a02dcc2b9c7eb3efdba39047e37886240b45fb7e2db3b82aa5b4b9526dfb7f8"
  score = 75
  quality = 20
@@ -64072,8 +64097,8 @@ rule CAPE_Dcrat_Kingrat
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L224-L243"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L224-L243"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "73ac27c3f0fc71d053e89690b5a7d29c1f8b0ea0a22e8595148a9001799fae54"
  score = 75
  quality = 62
@@ -64105,8 +64130,8 @@ rule CAPE_Quasarrat : FILE
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L245-L266"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L245-L266"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "556b19dc0980761198ea31a285f281adae084463d24bff1eda15326436ad562b"
  score = 75
  quality = 70
@@ -64140,8 +64165,8 @@ rule CAPE_Quasarrat_Kingrat
  date = "2025-02-03"
  modified = "2025-02-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AsyncRAT.yar#L268-L287"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AsyncRAT.yar#L268-L287"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "1f4296a592134edbe52e256dc353143af02e897ff1afad98f3dac0c5ab13f3f7"
  score = 75
  quality = 70
@@ -64173,8 +64198,8 @@ rule CAPE_Buerloader_1 : FILE
  date = "2022-05-31"
  modified = "2022-05-31"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/BuerLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/BuerLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "05c1f008f0a2bb8232867977fb23a5ae8312f10f0637c6265561052596319c29"
  score = 75
  quality = 70
@@ -64198,8 +64223,8 @@ rule CAPE_Scarab : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Scarab.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Scarab.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "0d8fa7ab4c8e5699f17f9e9444e85a42563a840a8e7ee9eda54add3a6845d1c6"
  score = 75
  quality = 70
@@ -64223,8 +64248,8 @@ rule CAPE_Arkei : FILE
  date = "2025-01-10"
  modified = "2025-01-10"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Arkei.yar#L1-L50"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Arkei.yar#L1-L50"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "296e420880d8d2f24424d0411e7ef4939e18147689557512f410da48498a44c9"
  score = 75
  quality = 70
@@ -64280,8 +64305,8 @@ rule CAPE_Cerber : FILE
  date = "2022-06-09"
  modified = "2022-06-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Cerber.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Cerber.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "16a8f808c28d3b142c079a305aba7f553f2452e439710bf610a06f8f2924d5a3"
  score = 75
  quality = 70
@@ -64303,8 +64328,8 @@ rule CAPE_Squirrelwaffle : FILE
  date = "2021-10-13"
  modified = "2021-10-13"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/SquirrelWaffle.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/SquirrelWaffle.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "5f799333398421d537ec7a87ca94f6cc9cf1e53e55b353036a5132440990e500"
  score = 75
  quality = 70
@@ -64327,8 +64352,8 @@ rule CAPE_Seduploader : FILE
  date = "2022-06-09"
  modified = "2022-06-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Seduploader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Seduploader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "d70c886699169d4dafc5b063c93682a34af5667df6d293b52256ddc19ab9c516"
  score = 75
  quality = 70
@@ -64350,8 +64375,8 @@ rule CAPE_Dridexv4 : FILE
  date = "2022-05-31"
  modified = "2022-05-31"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/DridexV4.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/DridexV4.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "cb103fe5f2d4792e3c612db4e2d84a4c8b0ce0f9a8443e9147e2c345f1dbdff6"
  score = 75
  quality = 70
@@ -64377,8 +64402,8 @@ rule CAPE_Smokeloader_1
  date = "2024-11-12"
  modified = "2024-11-12"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/SmokeLoader.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/SmokeLoader.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "779e2ac213e5ced7bc06e6208826b65cf8fc3113a69ede6408b84055542fa76d"
  score = 75
  quality = 70
@@ -64403,8 +64428,8 @@ rule CAPE_Rozena
  date = "2024-03-15"
  modified = "2024-03-15"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Rozena.yar#L1-L10"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Rozena.yar#L1-L10"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "c415a8108b58a125a604031bb8d73b58a8aae5429b5b765e35fa8a4add9cd135"
  score = 75
  quality = 70
@@ -64427,8 +64452,8 @@ rule CAPE_Varenyky : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Varenyky.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Varenyky.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "602f1b8b60b29565eabe2171fde4eb58546af68f8acecad402a7a51ea9a08ed9"
  score = 75
  quality = 70
@@ -64450,8 +64475,8 @@ rule CAPE_Vipkeylogger : FILE
  date = "2025-09-11"
  modified = "2025-09-11"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/VIPKeyLogger.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/VIPKeyLogger.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "b9dba7562bba4807c0789692d44650996e62c8d0c4031dedd65773877621b1de"
  score = 75
  quality = 70
@@ -64476,8 +64501,8 @@ rule CAPE_Vidar : FILE
  date = "2023-04-21"
  modified = "2023-04-21"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Vidar.yar#L1-L22"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Vidar.yar#L1-L22"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "5d4c030536ed41cf4e0dcb77b2fe4553d789ee2b8095a4b3e050692335a8709d"
  score = 75
  quality = 70
@@ -64510,8 +64535,8 @@ rule CAPE_Azer : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Azer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Azer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "48bd4a4e071f10d1911c4173a0cd39c69fed7a3b29eb92beffe709899f4cefa5"
  score = 75
  quality = 70
@@ -64535,8 +64560,8 @@ rule CAPE_Eternalromance : FILE
  date = "2022-06-09"
  modified = "2022-06-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/EternalRomance.yar#L1-L33"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/EternalRomance.yar#L1-L33"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "5390fae3e2411a715cdc965df8648c0c4c511d53d5f76031714f1b784b58eb0d"
  score = 75
  quality = 68
@@ -64581,8 +64606,8 @@ rule CAPE_Nighthawk
  date = "2022-12-05"
  modified = "2022-12-05"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Nighthawk.yar#L3-L24"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Nighthawk.yar#L3-L24"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "2d77912678e06503ffef0e8ed84aa4f9ac74357480d57742fbae619acebfb5f2"
  score = 75
  quality = 70
@@ -64606,8 +64631,8 @@ rule CAPE_Rhadamanthys_1
  date = "2025-11-03"
  modified = "2025-11-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Rhadamanthys.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Rhadamanthys.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "dc82a6f919fb748042b0164fb24e418e04a2ecc6a9e39defa3c70c53b1819609"
  score = 75
  quality = 70
@@ -64636,8 +64661,8 @@ rule CAPE_Rhadamanthysloader
  date = "2025-11-03"
  modified = "2025-11-03"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Rhadamanthys.yar#L20-L32"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Rhadamanthys.yar#L20-L32"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "5505c9ba1f0c6cb9aa9c212bf8bc2c49ad544e99996a1f4c1fa79a27a14d4c7f"
  score = 75
  quality = 70
@@ -64661,8 +64686,8 @@ rule CAPE_Megacortex : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/MegaCortex.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/MegaCortex.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "5de1d8241260070241c91b97f18feb2a90069e3b158e863e2d9f568799c244e6"
  score = 75
  quality = 70
@@ -64686,8 +64711,8 @@ rule CAPE_Lumma_1 : FILE
  date = "2025-07-08"
  modified = "2025-07-08"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Lumma.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Lumma.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "ca7822292c58af68e7a1610362bf0b5d27c93e3222ceec8d216e05a442008f37"
  score = 75
  quality = 70
@@ -64714,8 +64739,8 @@ rule CAPE_Bitpaymer : FILE
  date = "2019-11-27"
  modified = "2019-11-27"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/BitPaymer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/BitPaymer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "6ae0dc9a36da13e483d8d653276b06f59ecc15c95c754c268dcc91b181677c4c"
  score = 75
  quality = 70
@@ -64738,8 +64763,8 @@ rule CAPE_Petya : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Petya.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Petya.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "f819261bb34f3b2eb7dc2f843b56be25105570fe902a77940a632a54fbe0d014"
  score = 75
  quality = 70
@@ -64763,8 +64788,8 @@ rule CAPE_Dreambot : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Dreambot.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Dreambot.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "29c6d648d5d38667c5824c2d20a83a20448c2ae6054ddddb2b2b7f8bdb69f74b"
  score = 75
  quality = 70
@@ -64789,8 +64814,8 @@ rule CAPE_Lockbit : FILE
  date = "2022-06-09"
  modified = "2022-06-09"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Lockbit.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Lockbit.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "80ab705c8246a0bd5b3de65146cf32b102f39bf9444bdf1d366b5a794c1229b9"
  score = 75
  quality = 70
@@ -64816,8 +64841,8 @@ rule CAPE_Doppelpaymer : FILE
  date = "2022-06-27"
  modified = "2022-06-27"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/DoppelPaymer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/DoppelPaymer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "73a2575671bafc31a70af3ce072d6f94ae172b12202baebba586a02524cb6f9d"
  score = 75
  quality = 70
@@ -64840,8 +64865,8 @@ rule CAPE_Trickbot
  date = "2023-02-07"
  modified = "2023-02-07"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/TrickBot.yar#L1-L20"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/TrickBot.yar#L1-L20"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "47cc2070b43957601a72745329a9d14fb3fbfd4d2b31cacc35d4ac750dde31ea"
  score = 75
  quality = 70
@@ -64872,8 +64897,8 @@ rule CAPE_Trickbot_Permadll_UEFI_Module
  date = "2023-02-07"
  modified = "2023-02-07"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/TrickBot.yar#L22-L38"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/TrickBot.yar#L22-L38"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  hash = "491115422a6b94dc952982e6914adc39"
  logic_hash = "564055f56fd19bed8900e6d451ba050b4e9013a9208a3bdc3d3d563567d225d2"
  score = 75
@@ -64901,8 +64926,8 @@ rule CAPE_Gootkit : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Gootkit.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Gootkit.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "26704b6b0adca51933fc9d5e097930320768fd0e9355dcefc725aee7775316e7"
  score = 75
  quality = 70
@@ -64924,8 +64949,8 @@ rule CAPE_Nanolocker : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/NanoLocker.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/NanoLocker.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "fe6c8a4e259c3c526f8f50771251f6762b2b92a4df2e8bfc705f282489f757db"
  score = 75
  quality = 70
@@ -64949,8 +64974,8 @@ rule CAPE_Ryuk : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Ryuk.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Ryuk.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "b4463993d8956e402b927a3dcfa2ca9693a959908187f720372f2d3a40e6db0c"
  score = 75
  quality = 70
@@ -64975,8 +65000,8 @@ rule CAPE_Badrabbit : FILE
  date = "2019-10-30"
  modified = "2019-10-30"
  reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/BadRabbit.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/BadRabbit.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
  logic_hash = "309e14ab4ea2f919358631f9d8b2aaff1f51e7708b6114e4e6bf4a9d9a5fc86c"
  score = 75
  quality = 70
@@ -65000,8 +65025,8 @@ rule CAPE_Conti : FILE
 date = "2021-03-15"
 modified = "2021-03-15"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Conti.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Conti.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "c9842f93d012d0189b9c6f10ad558b37ae66226bbb619ad677f6906ccaf0e848"
 score = 75
 quality = 70
@@ -65025,8 +65050,8 @@ rule CAPE_Codoso : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Codoso.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Codoso.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "32c9ed2ac29e8905266977a9ee573a252442d96fb9ec97d88642180deceec3f8"
 score = 75
 quality = 70
@@ -65050,8 +65075,8 @@ rule CAPE_Cryptoshield : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Cryptoshield.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Cryptoshield.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "46064b4c69cb1af01330c5d194ef50728e0f0479e9fbf72828822935f8e37ac6"
 score = 75
 quality = 70
@@ -65075,8 +65100,8 @@ rule CAPE_Blackdropper
 date = "2024-10-22"
 modified = "2024-10-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/BlackDropper.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/BlackDropper.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "f8026ae3237bdd885e5fcaceb86bcab4087d8857e50ba472ca79ce44c12bc257"
 logic_hash = "c7f7bc740d413b479ebe45611ddfc04f7e4f2978516b2882069b2569c7acdf28"
 score = 75
@@ -65104,8 +65129,8 @@ rule CAPE_Remcos : FILE
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Remcos.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Remcos.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "38142e784ad437d9592353b924f74777bb62e5ed176c811230a2021a437d4710"
 score = 75
 quality = 68
@@ -65130,8 +65155,8 @@ rule CAPE_Rcsession
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/RCSession.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/RCSession.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "ebd1e9e615a91c35b36332cad55519607323469df738cec4464288b45787630d"
 score = 75
 quality = 70
@@ -65154,8 +65179,8 @@ rule CAPE_Winosstager : FILE
 date = "2025-10-24"
 modified = "2025-10-24"
 reference = "https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/WinosStager.yar#L1-L41"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/WinosStager.yar#L1-L41"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "180f0eb0d73fb499c7934ca7419f04937dad17f5f7c44293543f1722280ba6d3"
 score = 75
 quality = 70
@@ -65206,8 +65231,8 @@ rule CAPE_Blister_1 : FILE
 date = "2023-09-20"
 modified = "2023-09-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Blister.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Blister.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2"
 hash = "d3eab2a134e7bd3f2e8767a6285b38d19cd3df421e8af336a7852b74f194802c"
 logic_hash = "f26d85fdf0eb07e67fe38c43c5f6d024bfb7b2a333cb3411f5cdcff6bf5db12d"
@@ -65235,8 +65260,8 @@ rule CAPE_Aurastealer
 date = "2025-09-02"
 modified = "2025-09-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AuraStealer.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AuraStealer.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "960b83639a898509dc272f3235822401a8f861fa6607991993285b618b882d8b"
 score = 75
 quality = 70
@@ -65265,8 +65290,8 @@ rule CAPE_Aurorastealer : FILE
 date = "2022-12-14"
 modified = "2023-03-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AuroraStealer.yar#L1-L74"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AuroraStealer.yar#L1-L74"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "0d10e9268184f494a73d5b4ab0d9a478ad0c26d2ef13d5134f8c9769f028b8f5"
 score = 75
 quality = 45
@@ -65345,8 +65370,8 @@ rule CAPE_Kovter : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Kovter.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Kovter.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "888fccb8fbfbe6c05ec63bc5658b4743f8e10a96ef51b3868c2ff94afec76f2d"
 score = 75
 quality = 70
@@ -65371,8 +65396,8 @@ rule CAPE_Kpot : FILE
 date = "2020-10-19"
 modified = "2020-10-19"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Kpot.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Kpot.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "75abaab9a10e8ac8808425c389238285ab9bd9cb76f0cd03cc1e35b3ea0a1b0f"
 score = 75
 quality = 70
@@ -65396,8 +65421,8 @@ rule CAPE_Adaptixbeacon
 date = "2025-10-28"
 modified = "2025-10-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AdaptixBeacon.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AdaptixBeacon.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
 logic_hash = "2c1d09cd5e19e5a09dde65411691afd5922959d4a7b5232b28ebf56f26d2f07d"
 score = 75
@@ -65426,8 +65451,8 @@ rule CAPE_Amadey : FILE
 date = "2025-08-15"
 modified = "2025-08-15"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Amadey.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Amadey.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "988258716d5296c1323303e8fe4efd7f4642c87bfdbe970fe9a3bb3f410f70a4"
 logic_hash = "5a7405a174b63826500f3b04c6f10bc9b40d5b49e85377bef027204e75dd1e9e"
 score = 75
@@ -65453,8 +65478,8 @@ rule CAPE_Hancitor : FILE
 date = "2020-10-20"
 modified = "2020-10-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Hancitor.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Hancitor.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "84003542a2f587b5fbd43731c4240759806f8ee46df2bd96aae4a3c09d97e41c"
 score = 75
 quality = 70
@@ -65479,8 +65504,8 @@ rule CAPE_Emotetloader : FILE
 date = "2022-05-31"
 modified = "2022-05-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/EmotetLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/EmotetLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "410872d25ed3a89a2cba108f952d606cd1c3bf9ccc89ae6ab3377b83665c2773"
 score = 75
 quality = 70
@@ -65502,8 +65527,8 @@ rule CAPE_Magniber : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Magniber.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Magniber.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "1875754bdf98c1886f31f6c6e29992a98180f74d8fa168ae391e2c660d760618"
 score = 75
 quality = 70
@@ -65525,8 +65550,8 @@ rule CAPE_Nitrogenloader
 date = "2025-07-28"
 modified = "2025-07-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/NitrogenLoader.yar#L1-L35"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/NitrogenLoader.yar#L1-L35"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "4aab353aacc8f6910884e722f2d57439891680963accb906c2cee245437732c6"
 score = 75
 quality = 68
@@ -65572,8 +65597,8 @@ rule CAPE_Agent_Tesla
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AgentTesla.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AgentTesla.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "3945754129dcc58e0abfd7485f5ff0c0afdd1078ae2cf164ca8f59a6f79db1be"
 score = 75
 quality = 70
@@ -65599,8 +65624,8 @@ rule CAPE_Agenttesla : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AgentTesla.yar#L19-L41"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AgentTesla.yar#L19-L41"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "1bf9b26c4cf87e674ddffabe40aba5a45499c6a04d4ff3e43c3cda4cbcb4d188"
 score = 75
 quality = 70
@@ -65632,8 +65657,8 @@ rule CAPE_Agentteslav2 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AgentTesla.yar#L43-L67"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AgentTesla.yar#L43-L67"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "b45296b3b94fa1ff32de48c94329a17402461fb6696e9390565c4dba9738ed78"
 score = 75
 quality = 70
@@ -65669,8 +65694,8 @@ rule CAPE_Agentteslav3 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AgentTesla.yar#L69-L111"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AgentTesla.yar#L69-L111"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "26c4fa0ce8de6982eb599f3872e8ab2a6e83da4741db7f3500c94e0a8fe5d459"
 score = 75
 quality = 68
@@ -65723,8 +65748,8 @@ rule CAPE_Agentteslav4 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/AgentTesla.yar#L113-L126"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/AgentTesla.yar#L113-L126"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "0a39036f408728ab312a54ff3354453d171424f57f9a8f3b42af867be3037ca9"
 score = 75
 quality = 70
@@ -65749,8 +65774,8 @@ rule CAPE_Icedid
 date = "2021-12-16"
 modified = "2021-12-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/IcedID.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/IcedID.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "e60ccbab7a360020744eba65961156ca3e2ae9cf23671014f913d71c1a96a331"
 score = 75
 quality = 45
@@ -65779,8 +65804,8 @@ rule CAPE_Xenorat
 date = "2024-10-09"
 modified = "2024-10-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/XenoRAT.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/XenoRAT.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "26f520fb69a52d05786fac0e9e38f5db9601da0a3e7768e00975a9684f3560ef"
 score = 75
 quality = 66
@@ -65807,8 +65832,8 @@ rule CAPE_Atlas : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Atlas.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Atlas.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "c3f73b29df5caf804dbfe3e6ac07a9e2c772bd2a126f0487e4a65e72bd501e6e"
 score = 75
 quality = 70
@@ -65832,8 +65857,8 @@ rule CAPE_Hermes : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Hermes.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Hermes.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "9bc974173f39a57e7adfbf8ae106a20d960557696b4c3ce16e9b4e47d3e9e95b"
 score = 75
 quality = 70
@@ -65857,8 +65882,8 @@ rule CAPE_Mykings : FILE
 date = "2025-10-26"
 modified = "2025-10-26"
 reference = "https://x.com/YungBinary/status/1981108948498333900"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/MyKings.yar#L1-L23"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/MyKings.yar#L1-L23"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "82647dd23c0247faa045893ec1cf111da2a30528a1b737b59ce1b71172a64473"
 score = 75
 quality = 70
@@ -65892,8 +65917,8 @@ rule CAPE_Stealc : FILE
 date = "2025-08-21"
 modified = "2025-08-21"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Stealc.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Stealc.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
 logic_hash = "a6165168b7c74761b91d1691465688c748227b830813067edb4e9bdc934271c4"
 score = 75
@@ -65917,8 +65942,8 @@ rule CAPE_Stealcv2 : FILE
 date = "2025-08-21"
 modified = "2025-08-21"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Stealc.yar#L15-L32"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Stealc.yar#L15-L32"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "911c6a7f63e91a788898f3cc6e66396e39d5bd48f8fbaac49ee5dbbdaa64d5a0"
 score = 75
 quality = 70
@@ -65947,8 +65972,8 @@ rule CAPE_Ursnif : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Ursnif.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Ursnif.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "46e79fde81ff5352314618021e394b2e0322df07170c7279363290b7134935fd"
 score = 75
 quality = 70
@@ -65977,8 +66002,8 @@ rule CAPE_Tclient : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/TClient.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/TClient.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "6edcd01e4722b367723ed77d9596877d16ee35dc4c160885d125f83e45cee24d"
 score = 75
 quality = 70
@@ -66000,8 +66025,8 @@ rule CAPE_Tscookie : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/TSCookie.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/TSCookie.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "0461c7fd14c74646437654f0a63a4a89d4efad620e197a8ca1e8d390618842c3"
 score = 75
 quality = 70
@@ -66025,8 +66050,8 @@ rule CAPE_Carbanak : FILE
 date = "2024-03-18"
 modified = "2024-03-18"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Carbanak.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Carbanak.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "c9c1b06cb9c9bd6fc4451f5e2847a1f9524bb2870d7bb6f0ee09b9dd4e3e4c84"
 logic_hash = "8ed5ab07f1635dc7cdf296e86a71a0a99d0b2faef8fc460f43d426b24b8c8367"
 score = 75
@@ -66051,8 +66076,8 @@ rule CAPE_Latrodectus_1
 date = "2025-05-10"
 modified = "2025-05-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Latrodectus.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Latrodectus.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "a547cff9991a713535e5c128a0711ca68acf9298cc2220c4ea0685d580f36811"
 logic_hash = "a8430299930f4c8de0a88c6836d4821871f7183cc5ff44ea9be84fbea47bbb13"
 score = 75
@@ -66079,8 +66104,8 @@ rule CAPE_Latrodectus_AES
 date = "2025-05-10"
 modified = "2025-05-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Latrodectus.yar#L18-L34"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Latrodectus.yar#L18-L34"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8"
 logic_hash = "058d278c16527969066d1b4ea7f0e3ab2809d5480cdab06ec476b465e0c4795a"
 score = 75
@@ -66108,8 +66133,8 @@ rule CAPE_Nightshadec2 : FILE
 date = "2025-09-12"
 modified = "2025-09-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/NightshadeC2.yar#L1-L20"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/NightshadeC2.yar#L1-L20"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
 logic_hash = "f9fabc391e21180a1c92abea0a5ded6d7669e8d8f2330b69d6c1227c9b4237a0"
 score = 75
@@ -66139,8 +66164,8 @@ rule CAPE_Dridexloader_1 : FILE
 date = "2021-03-10"
 modified = "2021-03-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/DridexLoader.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/DridexLoader.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "20696b1f14539c8ecf21bffc696596040c20b1ee2fcedc173945482c0baca588"
 score = 75
 quality = 70
@@ -66167,8 +66192,8 @@ rule CAPE_Petrwrap : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/PetrWrap.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/PetrWrap.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "6dd1cf5639b63d0ab41b24080dad68d285f2e3969ad34fd724c83e7a0dd4b968"
 score = 75
 quality = 70
@@ -66193,8 +66218,8 @@ rule CAPE_Zerot : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/ZeroT.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/ZeroT.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "f60ae25ac3cd741b8bdc5100b5d3c474b5d9fbe8be88bfd184994bae106c3803"
 score = 75
 quality = 68
@@ -66220,8 +66245,8 @@ rule CAPE_Bazar : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Bazar.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Bazar.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "9375f59b56e47fd0b90b089afdf3be8f16f960038fc625523a2e2d5509ab099d"
 score = 75
 quality = 70
@@ -66244,8 +66269,8 @@ rule CAPE_Fareit : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Fareit.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Fareit.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "ed35391ffc949219f380da3f22bc8397a7d5c742bd68e227c3becdebcab5cf83"
 score = 75
 quality = 70
@@ -66267,8 +66292,8 @@ rule CAPE_Mole : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Mole.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Mole.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "8be4d190d554a610360c0e04b33da59eb00319395e5b2000d580546ce6503786"
 score = 75
 quality = 70
@@ -66292,8 +66317,8 @@ rule CAPE_Chaosbot : FILE
 date = "2025-10-16"
 modified = "2025-10-16"
 reference = "https://x.com/YungBinary/status/1976580501508182269"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/ChaosBot.yar#L1-L24"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/ChaosBot.yar#L1-L24"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE"
 logic_hash = "fcb04697dbef62497421318d5dfe7cdf5533b432975ebbfb3bd64ebbfeb4a592"
 score = 75
 quality = 62
@@ -66327,8 +66352,8 @@ rule CAPE_Nemty : FILE date = "2020-04-03" modified = "2020-04-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Nemty.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Nemty.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "a05974b561c67b4f1e0812639b74831edcf65686a06c0d380f0b45739e342419" score = 75 quality = 70 @@ -66352,8 +66377,8 @@ rule CAPE_Monsterv2 : FILE date = "2025-09-12" modified = "2025-09-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/MonsterV2.yar#L1-L21" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/MonsterV2.yar#L1-L21" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "d4e65f860e69b2eee8a818a4146d91b84ce6da30c8fa27593587932e4f0847a8" score = 75 quality = 70 
@@ -66385,8 +66410,8 @@ rule CAPE_Lokibot : FILE date = "2022-02-01" modified = "2022-02-01" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/LokiBot.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/LokiBot.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "a5b3d518371138740e913d2d6ce4fa22d3da5cea7e034c7d6b4b502e6bf44b06" score = 75 quality = 70 @@ -66409,8 +66434,8 @@ rule CAPE_Bruteratel date = "2024-07-11" modified = "2024-07-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/BruteRatel.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/BruteRatel.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "0984977c716d6f8e068c045166eb5db77c9fbce27513e555dceca348375f1a66" score = 75 quality = 70 
@@ -66435,8 +66460,8 @@ rule CAPE_Locky : FILE date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Locky.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Locky.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "9786c54a2644d9581fefe64be11b26e22806398e54e961fa4f19d26eae039cd7" score = 75 quality = 70 @@ -66460,8 +66485,8 @@ rule CAPE_Sedreco : FILE date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Sedreco.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Sedreco.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "f735549606917f59a19157e604e54766e4456bc5d46e94cae3e0a3c18b52a7ca" score = 75 quality = 70 
@@ -66485,8 +66510,8 @@ rule CAPE_Darkcloud : FILE date = "2025-10-16" modified = "2025-10-16" reference = "https://x.com/YungBinary/status/1971585972912689643" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/DarkCloud.yar#L1-L39" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/DarkCloud.yar#L1-L39" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "e9a67fce4c1e4ffa7322c225522263aa4db94ae9f29113a81f5216fb4fa68b57" score = 75 quality = 68 @@ -66530,8 +66555,8 @@ rule CAPE_Cobaltstrikestager date = "2023-01-18" modified = "2023-01-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "6a55b0c3ab5f557dfb7a3f8bd616ede1bd9b93198590fc9d52aa19c1154388c5" score = 75 quality = 70 
@@ -66556,8 +66581,8 @@ rule CAPE_Koiloader date = "2024-10-25" modified = "2024-10-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/KoiLoader.yar#L1-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/KoiLoader.yar#L1-L35" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "b462e3235c7578450b2b56a8aff875a3d99d22f6970a01db3ba98f7ecb6b01a0" logic_hash = "264a536632f8f11c904b00c9d2e505b3263c733ad8fbc2ef19c25a5ad58cef90" score = 75 @@ -66601,8 +66626,8 @@ rule CAPE_Obfuscar : FILE date = "2025-03-07" modified = "2025-03-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Obfuscar.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Obfuscar.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "54581e83e5fa13fae4bda74016b3fa1d18c92e2659f493ebe54d70fd5f77bba5" score = 75 quality = 70 
@@ -66623,8 +66648,8 @@ rule CAPE_Ramnit : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Ramnit.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Ramnit.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "6f661f47bdf8377b0fb96f190fcb964c0ed2b43ce7ae7880f9dfce9e43837efd" score = 75 quality = 70 @@ -66648,8 +66673,8 @@ rule CAPE_Gandcrab : FILE date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Gandcrab.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Gandcrab.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "354ed566dbafbe8e9531bb771d9846952eb8c0e70ee94c26d09368159ce4142c" score = 75 quality = 70 
@@ -66674,8 +66699,8 @@ rule CAPE_Ursnifv3_1 : FILE date = "2023-03-23" modified = "2023-03-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/UrsnifV3.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/UrsnifV3.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "501cd52388aba16f9d33b4555f310e1ad58326916b15358a485c701acb87abd8" score = 75 quality = 70 @@ -66704,8 +66729,8 @@ rule CAPE_Qakbot5_1 : FILE date = "2024-04-28" modified = "2024-04-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/QakBot.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/QakBot.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" hash = "59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35" logic_hash = "cc23a92f45619d44af824128b743c259dd9dfa7cb5106932f3425f3dfd1dccdf" score = 75 
@@ -66731,8 +66756,8 @@ rule CAPE_Qakbot4_1 : FILE date = "2024-04-28" modified = "2024-04-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/QakBot.yar#L17-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/QakBot.yar#L17-L35" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "b2870e33abffbb3ff49b7891b0f5c538ab48ee63da5553929d4e37dec921344f" score = 75 quality = 70 @@ -66762,8 +66787,8 @@ rule CAPE_Masslogger : FILE date = "2020-11-24" modified = "2020-11-24" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/MassLogger.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/MassLogger.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "c8d82694810aafbdc6a35a661e7431e9536035e2f7fef90b9359064c4209b66c" score = 75 quality = 70 
@@ -66786,8 +66811,8 @@ rule CAPE_Azorult : FILE date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/Azorult.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/Azorult.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "4691cf48d513d1965416b0cce1b6e19c8f7b393a940afd68b7c6ca8c0d125d90" score = 75 quality = 70 @@ -66810,8 +66835,8 @@ rule CAPE_Rokrat : FILE date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/data/yara/CAPE/RokRat.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/4fe8e23b24e5b58fe38f24619206d6933f0ec44d/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/data/yara/CAPE/RokRat.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/9cf8bf5a0ee601c0afc7068413c59a1049674c64/LICENSE" logic_hash = "2aaa7de7ccd59e0da690f4bc0c7deaacf61314d61f8d2aa3ce6f6892f50612ec" score = 75 quality = 70 @@ -66829,7 +66854,7 @@ rule CAPE_Rokrat : FILE * YARA Rule Set * Repository Name: BinaryAlert * Repository: https://github.com/airbnb/binaryalert/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: a9c0f06affc35e1f8e45bb77f835b92350c68a0b * Number of Rules: 80 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) 
@@ -69293,10 +69318,10 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Icloudcontacts * YARA Rule Set * Repository Name: DeadBits * Repository: https://github.com/deadbits/yara-rules/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: d002f7ecee23e09142a3ac3e79c84f71dda3f001 - * Number of Rules: 18 - * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance) + * Number of Rules: 19 + * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) * * * LICENSE 
@@ -69747,13 +69772,53 @@ rule DEADBITS_Silenttrinity : FILE condition: uint16( 0 ) == 0x5a4d and ( ( 8 of ( $str* ) or ( all of ( $a* ) and $pdb01 ) or $pdb01 ) ) } +rule DEADBITS_Crescentcore_DMG : INSTALLER MACOSMALWARE FILE +{ + meta: + description = "No description has been set in the source file - DeadBits" + author = "Adam Swanda" + id = "2bd03287-3f10-50b0-9560-4c88644f5b20" + date = "2019-07-18" + modified = "2019-07-22" + reference = "https://github.com/deadbits/yara-rules" + source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/crescentcore_dmg.yara#L1-L48" + license_url = "N/A" + logic_hash = "819f01fdacea1e95f0f4d4f8e59ebae97ff9489a1be2c60e33253580a8f9e418" + score = 75 + quality = 26 + tags = "INSTALLER, MACOSMALWARE, FILE" + Author = "Adam M. Swanda" + + strings: + $header0 = "__PAGEZERO" ascii + $header1 = "__TEXT" ascii + $path0 = "/Users/mehdi/Desktop/RED MOON/Project/WaningCrescent/WaningCrescent/" ascii + $install0 = ".app\" /Applications" ascii fullword + $install1 = "open \"/Applications/" ascii fullword + $str1 = /Flash_Player\dVirusMp/ ascii + $str2 = /Flash_Player\dAntivirus33/ ascii + $str3 = /Flash_Player\d{2}Armageddon/ ascii + $str4 = /Flash_Player\d{2}Armageddon\w\dapocalypsyy/ + $str5 = /Flash_Player\d{2}Armageddon\w\ddoomsdayyy/ + $str6 = /SearchModel\w\dbrowser/ + $str8 = /SearchModel\w\dcountry/ + $str9 = /SearchModel\w\dhomepage/ + $str10 = /SearchModel\w\dthankyou/ + $str11 = /SearchModel\w\dinterrupt/ + $str12 = /SearchModel\w\dsearch/ + $str13 = /SearchModel\w\dsuccess/ + $str14 = /SearchModel\w\d{2}carrierURL/ + + condition: + ( uint32( 0 ) == 0xfeedface or uint32( 0 ) == 0xcefaedfe or uint32( 0 ) == 0xfeedfacf or uint32( 0 ) == 0xcffaedfe or uint32( 0 ) == 0xbebafeca ) and $header0 and $header1 and ( ( $path0 and ( any of ( $install* ) ) ) or ( 5 of ( $str* ) ) ) or all of them +} rule DEADBITS_Acbackdoor_ELF : LINUX MALWARE BACKDOOR { meta: description = "No description has 
been set in the source file - DeadBits" author = "Adam M. Swanda" id = "82eb41bf-cd1d-5b00-973b-31a79c75cfc0" - date = "2019-11-09" + date = "2019-11-16" modified = "2019-12-04" reference = "https://www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/ACBackdoor_Linux.yara#L1-L41" @@ -70106,7 +70171,7 @@ rule DEADBITS_APT34_PICKPOCKET : APT APT34 INFOSTEALER WINMALWARE FILE * YARA Rule Set * Repository Name: DelivrTo * Repository: https://github.com/delivr-to/detections - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: f85e1d0c477cbf4689d1cfe4a80049c465673b23 * Number of Rules: 12 * Skipped: 0 (age), 3 (quality), 0 (score), 0 (importance) @@ -70401,7 +70466,7 @@ rule DELIVRTO_SUSP_Msg_CVE_2023_23397_Mar23 : CVE_2023_23397 FILE * YARA Rule Set * Repository Name: ESET * Repository: https://github.com/eset/malware-ioc - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 266938e95240a83d965971095f513d465f53c182 * Number of Rules: 99 * Skipped: 0 (age), 8 (quality), 1 (score), 0 (importance) @@ -72936,7 +73001,7 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption : FILE description = "Matches the function used to decrypt resources headers in TA410 FlowCloud" author = "ESET Research" id = "403c1845-bc25-5a49-8553-8a0be18d6970" - date = "2025-01-09" + date = "2025-01-16" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/266938e95240a83d965971095f513d465f53c182/ta410/ta410.yar#L417-L496" 
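Review bot: The `date` of DEADBITS_Acbackdoor_ELF changes from `"2019-11-09"` to `"2019-11-16"` although its unchanged source_url still points at DeadBits commit d002f7ec… and the DeadBits header above keeps that same commit, so nothing changed upstream for this rule; the same happens to ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption in the hunk further along this line (`"2025-01-09"` → `"2025-01-16"`, ESET commit 266938e… unchanged). Every affected value has day 09 and becomes day 16, exactly the creation-date bump of this release, which looks like the generator's date substitution being applied to rule metadata rather than a genuine edit — if so the vendored file now carries wrong provenance dates, and any tooling that keys on `date` (dedup, age filters) will see phantom changes. Worth reporting upstream, and for this import job a check that `date` does not change for a rule whose `source_url` commit is unchanged would catch it before merge. Separately, in the new DEADBITS_Crescentcore_DMG condition `and` binds tighter than `or`, so the trailing `or all of them` fires without the Mach-O magic check at offset 0; that may be intentional for DMG containers, but a comment saying so would save the next reader the analysis.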
@@ -73997,7 +74062,7 @@ rule ESET_Richheaders_Lazarus_Nukesped_Iconicpayloads_3CX_Q12023 * YARA Rule Set * Repository Name: FireEye-RT * Repository: https://github.com/mandiant/red_team_tool_countermeasures/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 3561b71724dbfa3e2bb78106aaa2d7f8b892c43b * Number of Rules: 167 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -78695,7 +78760,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPSTOMP_1 : FILE * YARA Rule Set * Repository Name: GCTI * Repository: https://github.com/chronicle/GCTI - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 1c5fd42b1895098527fde00c2d9757edf6b303bb * Number of Rules: 90 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) @@ -81912,7 +81977,7 @@ rule GCTI_Cobaltstrike_Resources__Template_Vbs_V3_3_To_V4_X * YARA Rule Set * Repository Name: Malpedia * Repository: https://github.com/malpedia/signator-rules/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 6558c417dcf07146b1309b6acde6be0aa96dea10 * Number of Rules: 1468 * Skipped: 0 (age), 16 (quality), 0 (score), 0 (importance) @@ -142936,7 +143001,7 @@ rule MALPEDIA_Win_Chir_Auto : FILE * YARA Rule Set * Repository Name: Trellix ARC * Repository: https://github.com/advanced-threat-research/Yara-Rules/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 1919562a59f190bda60c982424f6a24c542ee3e0 * Number of Rules: 163 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -148830,7 +148895,7 @@ rule TRELLIX_ARC_Backdoorfckg : CTB_LOCKER_RANSOMWARE RANSOMWARE * YARA Rule Set * Repository Name: Arkbird SOLG * Repository: https://github.com/StrangerealIntel/DailyIOC - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: a873ff1298c43705e9c67286f3014f4300dd04f7 * Number of Rules: 215 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance) 
@@ -155939,7 +156004,7 @@ rule ARKBIRD_SOLG_APT_Chisel_Hafnium_Feb_2021_1 : FILE * YARA Rule Set * Repository Name: Telekom Security * Repository: https://github.com/telekom-security/malware_analysis/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: bf832d97e8fd292ec5e095e35bde992a6462e71c * Number of Rules: 12 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance) @@ -156307,7 +156372,7 @@ rule TELEKOM_SECURITY_Win_Systembc_20220311 : FILE * YARA Rule Set * Repository Name: Volexity * Repository: https://github.com/volexity/threat-intel - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: c24b8d9bea44ac757193a3152b1fd9dbf34fe503 * Number of Rules: 86 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -159490,7 +159555,7 @@ rule VOLEXITY_Apt_Win_Powerstar : CHARMINGKITTEN * YARA Rule Set * Repository Name: JPCERTCC * Repository: https://github.com/JPCERTCC/MalConfScan/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 19ec0d145535a6a4cfd37c0960114f455a8c343e * Number of Rules: 30 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -160334,7 +160399,7 @@ rule JPCERTCC_Elf_Wellmess : FILE * YARA Rule Set * Repository Name: SecuInfra * Repository: https://github.com/SIFalcon/Detection - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd * Number of Rules: 45 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance) @@ -161627,7 +161692,7 @@ rule SECUINFRA_SUSP_LNK_Staging_Directory : FILE * YARA Rule Set * Repository Name: RussianPanda * Repository: https://github.com/RussianPanda95/Yara-Rules - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: bf5ed3a626a4adbb6f53a2f5c369ba2e0e47adbf * Number of Rules: 89 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) 
@@ -163957,7 +164022,7 @@ rule RUSSIANPANDA_Purecrypter : FILE * YARA Rule Set * Repository Name: Check Point * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 4 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -164171,7 +164236,7 @@ rule CHECK_POINT_Injector_ZZ_Dotrunpex_Oldnew : FILE * YARA Rule Set * Repository Name: Dragon Threat Labs * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 7 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -164362,7 +164427,7 @@ rule DRAGON_THREAT_LABS_Apt_Win_Mocelpa * YARA Rule Set * Repository Name: Microsoft * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 21 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -164965,7 +165030,7 @@ rule MICROSOFT_Devilstongue_Hijackdll : FILE * YARA Rule Set * Repository Name: NCSC * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 17 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -165435,7 +165500,7 @@ rule NCSC_Sparrowdoor_Sleep_Routine * YARA Rule Set * Repository Name: Dr4k0nia * Repository: https://github.com/dr4k0nia/yara-rules - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8 * Number of Rules: 5 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -165613,7 +165678,7 @@ rule DR4K0NIA_MAL_MSIL_NET_Typhonlogger_Jul23 : FILE * YARA Rule Set * Repository Name: EmbeeResearch * Repository: https://github.com/embee-research/Yara-detection-rules/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4 * Number of Rules: 39 * Skipped: 0 (age), 8 (quality), 0 (score), 0 (importance) @@ -166694,7 +166759,7 @@ rule EMBEERESEARCH_Win_Havoc_Djb2_Hashing_Routine_Oct_2022 : FILE * YARA Rule Set * Repository Name: AvastTI * Repository: https://github.com/avast/ioc - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: e385a6358edfd0d107b3bb53b384aa2926af22e1 * Number of Rules: 33 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -167557,7 +167622,7 @@ rule AVASTTI_Cobaltstrike_Beacon_Xored_X64 * YARA Rule Set * Repository Name: SBousseaden * Repository: https://github.com/sbousseaden/YaraHunts/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 71b27a2a7c57c2aa1877a11d8933167794e2b4fb * Number of Rules: 37 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -168663,10 +168728,10 @@ rule SBOUSSEADEN_Hunt_Susp_Vhd : FILE * YARA Rule Set * Repository Name: Elceef * Repository: https://github.com/elceef/yara-rulz - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 791721372091836f5bf477d7f21114f45a310052 - * Number of Rules: 18 - * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) + * Number of Rules: 19 + * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) * * * LICENSE 
@@ -169182,11 +169247,42 @@ rule ELCEEF_EICAR_Encrypted_ZIP condition: for any i in ( 1 .. #local ) : ( ( uint8( @local [ i ] + 6 ) & 0x01 or uint8( @local [ i ] + 6 ) & 0x40 ) and uint32( @local [ i ] + 14 ) == 0x6851cf3c and uint32( @local [ i ] + 22 ) == 68 ) } +rule ELCEEF_Outlook_CVE_2023_23397_Exploit : FILE +{ + meta: + description = "Detects Outlook meeting/appointment/task files with ReminderSoundFile property set to UNC path" + author = "marcin@ulikowski.pl" + id = "f0dfb7a6-b3bf-58c4-a9a2-978f436679d9" + date = "2023-03-16" + modified = "2023-04-20" + reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" + source_url = "https://github.com/elceef/yara-rulz/blob/791721372091836f5bf477d7f21114f45a310052/rules/Outlook_CVE_2023_23397.yara#L1-L29" + license_url = "https://github.com/elceef/yara-rulz/blob/791721372091836f5bf477d7f21114f45a310052/LICENSE" + logic_hash = "695721ec276415c6a6a0f4ce6378ff2d11c15d28271f587966bc3d9d8c06f63a" + score = 75 + quality = 25 + tags = "FILE" + hash1 = "52dbaf64ce1a5cd1db9a9d385f8204e5f665ca53a3d904033bf1a10369490646" + hash2 = "582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf" + hash3 = "078b5023cae7bd784a84ec4ee8df305ee7825025265bf2ddc1f5238c3e432f5f" + hash4 = "1867bc9f81e99a55103288ce10c5c05267119ebb13757686e59bfed156f62b51" + + strings: + $pid_reminder_file = { 1f 85 00 00 0? 00 ?? 00 } + $pid_reminder_override = { 1c 85 00 00 0? 00 ?? 
00 } + $psetid_common = { 08 20 06 00 00 00 00 00 c0 00 00 00 00 00 00 46 } + $psetid_appointment = { 02 20 06 00 00 00 00 00 c0 00 00 00 00 00 00 46 } + $psetid_task = { 03 20 06 00 00 00 00 00 c0 00 00 00 00 00 00 46 } + $unc = /\\\\([a-z1-9][a-z0-9.]{6}|\.\\UNC\\\\)/ wide ascii + + condition: + filesize < 1MB and ( uint32be( 0 ) == 0xd0cf11e0 or uint32be( 0 ) == 0x789f3e22 ) and ( $psetid_appointment or $psetid_task ) and $psetid_common and ( $pid_reminder_file and $pid_reminder_override ) and $unc +} /* * YARA Rule Set * Repository Name: GodModeRules * Repository: https://github.com/Neo23x0/god-mode-rules/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 436dc682164cf17a123d6b09d1424e7e2acf0c25 * Number of Rules: 1 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -169410,7 +169506,7 @@ rule GODMODERULES_IDDQD_God_Mode_Rule license_url = "https://github.com/Neo23x0/god-mode-rules//blob/436dc682164cf17a123d6b09d1424e7e2acf0c25/LICENSE" logic_hash = "f2996ad7090a79c470e64c9e0ac43c2ba3fc1bf18e39686ecda9dc5b89744d7e" score = 60 - quality = -4 + quality = 21 tags = "" importance = 60 @@ -169457,7 +169553,7 @@ rule GODMODERULES_IDDQD_God_Mode_Rule * YARA Rule Set * Repository Name: Cod3nym * Repository: https://github.com/cod3nym/detection-rules/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 5939dadd34ebd3c111f97ba0bc0085b639e142a5 * Number of Rules: 13 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) @@ -169914,7 +170010,7 @@ rule COD3NYM_MAL_NET_Niximports_Loader_Jan24 : FILE * YARA Rule Set * Repository Name: craiu * Repository: https://github.com/craiu/yararules - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 23cf0ca22021fa3684e180a18416b9ae1b695243 * Number of Rules: 13 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
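Review bot: ELCEEF_Outlook_CVE_2023_23397_Exploit enters the set with `quality = 25` while the Elceef header earlier on this page changes `Skipped: … 1 (quality)` to `0 (quality)`, and several otherwise unchanged rules on this page gain exactly 25 quality points (GodModeRules -4→21, the DitekSHen rules 50→75, 25→50, 23→48, 42→67), so its inclusion appears to come from a rescoring inside the generator rather than from any change to the rule; the same presumably explains the new DitekSHen Phobos and Chaos rules below, whose header moves from 117 to 114 quality-skipped. For a score-75 rule sitting just above the quality floor, a line in the commit description saying that coverage changed because of a scoring change would help consumers tuning their alerting. On the rule itself, `$unc` is case-sensitive (`[a-z1-9][a-z0-9.]{6}`, no `nocase`) and only matches lowercase hosts of seven or more characters, so the detection depends on the casing of the UNC target; `nocase` on that string would widen coverage at little cost, though since this file is vendored the change belongs upstream at elceef/yara-rulz rather than here.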
@@ -171079,10 +171175,10 @@ rule CRAIU_Crime_Noabot : FILE * YARA Rule Set * Repository Name: DitekSHen * Repository: https://github.com/ditekshen/detection - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: e76c93dcdedff04076380ffc60ea54e45b313635 - * Number of Rules: 1436 - * Skipped: 0 (age), 117 (quality), 0 (score), 0 (importance) + * Number of Rules: 1439 + * Skipped: 0 (age), 114 (quality), 0 (score), 0 (importance) * * * LICENSE @@ -194534,7 +194630,7 @@ rule DITEKSHEN_MALWARE_Win_Robbinhood : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "f1c4226ed5cb1583418d5ef0efc2c2b5bc3cfe7f148f359c5d432fd660331a46" score = 75 - quality = 50 + quality = 75 tags = "FILE" clamav_sig = "MALWARE.Win.Ransomware.Robbinhood" @@ -195140,7 +195236,7 @@ rule DITEKSHEN_MALWARE_BAT_Koadicbat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "1ee6c0189a5111c61af1dbe571524427bff95a7e3907f97ce51d272a8f701cf5" score = 75 - quality = 25 + quality = 50 tags = "FILE" strings: @@ -195712,7 +195808,7 @@ rule DITEKSHEN_MALWARE_Win_Slothfulmedia : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "6f742e8d9d555b44daaa09835f599c99e16cd39bb106c8f43fbbca7093de462e" score = 75 - quality = 23 + quality = 48 tags = "FILE" strings: @@ -195750,7 +195846,7 @@ rule DITEKSHEN_MALWARE_Win_Ircbot : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "1ea640202cfbd0c3425a192c45938f632dc644f41c7974118e7491b026122818" score = 75 - quality = 42 + quality = 67 tags = "FILE" strings: 
@@ -196352,7 +196448,7 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginclipboardmonitor : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c3e692a06388e143a8e1053e75a6eb6a82da5bdf26d38e3a0e339bc20d8312a1" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -196381,7 +196477,7 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginscreencapture : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "7b4378ae883d01338fabe2eb50a5509b722c661e63afc287afa07b263a0ebc42" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -198416,7 +198512,7 @@ rule DITEKSHEN_MALWARE_Win_Bobik : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "735dcb9e04956863305ca89a43686b8e48e3b20784ae9292cfc40d1c2c09d467" score = 75 - quality = 50 + quality = 75 tags = "FILE" clamav_sig = "MALWARE.Win.Trojan.Bobik" 
@@ -198988,6 +199084,33 @@ rule DITEKSHEN_MALWARE_Win_Gaudox : FILE condition: uint16( 0 ) == 0x5a4d and all of them } +rule DITEKSHEN_MALWARE_Win_Phobos : FILE +{ + meta: + description = "Detects Phobos ransomware" + author = "ditekshen" + id = "7bf659ef-f2a1-5ee2-a334-c233e26a2526" + date = "2024-11-01" + modified = "2024-11-01" + reference = "https://github.com/ditekshen/detection" + source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3895-L3908" + license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" + logic_hash = "bbf8eef0863e9d6423b3b0f938561b2be486b92b4f59b5d0b67f52dba536a582" + score = 75 + quality = 25 + tags = "FILE" + + strings: + $x1 = "\\\\?\\UNC\\\\\\e-" fullword wide + $x2 = "\\\\?\\ :" fullword wide + $x3 = "POST" fullword wide + $s1 = "ELVL" fullword wide + $s2 = /SUP\d{3}/ fullword wide + $s3 = { 41 31 47 ?? 41 2b } + + condition: + uint16( 0 ) == 0x5a4d and all of ( $x* ) and 1 of ( $s* ) +} rule DITEKSHEN_MALWARE_Win_Ratty : FILE { meta: @@ -200471,7 +200594,7 @@ rule DITEKSHEN_MALWARE_Win_Maktub : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "5c11d04fc3088eb8a0132b9ed83748ddb7e1bbe9d03b9e884d4003181cbb6d69" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: 
@@ -204242,6 +204365,49 @@ rule DITEKSHEN_MALWARE_Win_MB150 : FILE condition: uint16( 0 ) == 0x5a4d and ( 4 of ( $x* ) or ( $go and 4 of ( $s* ) ) or ( 1 of ( $mac* ) and ( 2 of ( $x* ) or 3 of ( $s* ) ) ) ) } +rule DITEKSHEN_MALWARE_Win_Chaos : FILE +{ + meta: + description = "Detects Chaos ransomware" + author = "ditekSHen" + id = "59d43cfb-72d8-5c17-87bf-f1f364d23bed" + date = "2024-11-01" + modified = "2024-11-01" + reference = "https://github.com/ditekshen/detection" + source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7404-L7433" + license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" + logic_hash = "6203ab09745db817b9e909d70cf1d5be9769c414461ee5f7bb344b6959986537" + score = 75 + quality = 44 + tags = "FILE" + + strings: + $s1 = "" fullword wide + $s2 = "" fullword wide + $s3 = "C:\\Users\\" fullword wide + $s4 = "read_it.txt" fullword wide + $s5 = "#base64Image" fullword wide + $s6 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" fullword wide + $s7 = /check(Spread|Sleep|AdminPrivilage|deleteShadowCopies|disableRecoveryMode|deleteBackupCatalog)/ fullword ascii nocase + $s8 = /(delete|disable)(ShadowCopies|RecoveryMode|BackupCatalog)/ fullword ascii nocase + $s9 = "spreadName" fullword ascii + $s10 = "processName" fullword ascii + $s11 = "sleepOutOfTempFolder" fullword ascii + $s12 = "AlreadyRunning" fullword ascii + $s13 = "random_bytes" fullword ascii + $s14 = "encryptDirectory" fullword ascii nocase + $s15 = "EncryptFile" fullword ascii nocase + $s16 = "intpreclp" fullword ascii + $s17 = "bytesToBeEncrypted" fullword ascii + $s18 = "textToEncrypt" fullword ascii + $m1 = "Chaos is" wide + $m2 = "Payment informationAmount:" wide + $m3 = "Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com" wide + $m4 = "where do I get Bitcoin" wide + + condition: + uint16( 0 ) == 0x5a4d and 6 of ( $s* ) or all of ( $m* 
) or ( 2 of ( $m* ) and 4 of ( $s* ) ) +} rule DITEKSHEN_MALWARE_Win_Horuseyesrat : FILE { meta: @@ -204255,7 +204421,7 @@ rule DITEKSHEN_MALWARE_Win_Horuseyesrat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c0f499e3a17923b391ed6b7fa723525a9d4aef0ce04a2c7abec60d5eda15888f" score = 75 - quality = 48 + quality = 73 tags = "FILE" strings: @@ -205967,7 +206133,7 @@ rule DITEKSHEN_MALWARE_Win_Virlock : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "8d516a0d771d7134c0f917f010b3973ed53b4ee7e4a2cf0bb5daecf9867b0081" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -206167,7 +206333,7 @@ rule DITEKSHEN_MALWARE_Win_Tardigrade : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "2bd4f23f66844a320b6bed6242ba39096f66a08affb84abd78c342d433ed9fe6" score = 75 - quality = 50 + quality = 75 tags = "FILE" hash1 = "c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858" hash2 = "966b2c7c72a28310acd58bb23af4d3c893b2afca264b2d9c0ec42db815c77487" @@ -206691,7 +206857,7 @@ rule DITEKSHEN_MALWARE_Win_Locked : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "b838b996946fb268c66bac68d5e326ff3049340dfb08f2e0a77492df49915d5a" score = 75 - quality = 48 + quality = 73 tags = "FILE" strings: @@ -206900,7 +207066,7 @@ rule DITEKSHEN_MALWARE_Win_Lorenz : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "e9fc9d405b955c379ae40b1804d43b19999f6ea264fc645c897080fb020e8ae8" score = 75 - quality = 48 + quality = 73 tags = "FILE" strings: 
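Review bot: In the condition of the new DITEKSHEN_MALWARE_Win_Chaos rule, `and` binds tighter than `or`, so `uint16( 0 ) == 0x5a4d` guards only the `6 of ( $s* )` alternative; `all of ( $m* )` and `( 2 of ( $m* ) and 4 of ( $s* ) )` fire on any file type, including a dropped ransom-note text file or an analyst report quoting it, even though the rule is tagged FILE and its sibling DITEKSHEN_MALWARE_Win_Koxic parenthesises its alternatives. The condition should read `uint16( 0 ) == 0x5a4d and ( 6 of ( $s* ) or all of ( $m* ) or ( 2 of ( $m* ) and 4 of ( $s* ) ) )`. Separately, `$s1 = "" fullword wide` and `$s2 = "" fullword wide` are empty literals, which YARA rejects at compile time; this looks like angle-bracketed text stripped in rendering rather than the committed content, so confirm the two strings against the upstream file at the linked source_url before relying on this page. If the `hxxps://` in `$m3` is a defang applied when the rule was written rather than the literal text of the note, that string never matches a real sample and should be restored to `https://`.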
@@ -206965,6 +207131,38 @@ rule DITEKSHEN_MALWARE_Win_Blackcat : FILE condition: ( uint16( 0 ) == 0x5a4d or uint16( 0 ) == 0x457f ) and ( all of ( $x* ) or 5 of ( $s* ) or ( 1 of ( $x* ) and 3 of ( $s* ) ) ) } +rule DITEKSHEN_MALWARE_Win_Koxic : FILE +{ + meta: + description = "Detects Koxic ransomware" + author = "ditekSHen" + id = "6a82bf44-b155-5746-b798-20a13623a14a" + date = "2024-11-01" + modified = "2024-11-01" + reference = "https://github.com/ditekshen/detection" + source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9291-L9309" + license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" + logic_hash = "d874c8ebf330814e52d159cbf71f8bc05ebeb4a9fb93d96c3f861b51e57925a3" + score = 75 + quality = 25 + tags = "FILE" + + strings: + $c1 = " INFO: >> %TEMP%\\" ascii wide + $c2 = "cmd /c \"wmic" ascii wide + $c3 = "cmd /c \"echo" ascii wide + $c4 = "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"" fullword wide + $c5 = /sc config.{1,30}start=disabled/ fullword ascii wide + $s1 = "Container: %s" fullword wide + $s2 = "Shotcut dir : %s" fullword wide + $s3 = "\\Microsoft\\Windows\\Network Shortcuts\\" fullword wide + $s4 = "Thread %d started." fullword ascii + $s5 = "ADD our TOXID:" wide + $s6 = "[Recommended] Using an email" wide + + condition: + uint16( 0 ) == 0x5a4d and ( ( 4 of ( $s* ) and 1 of ( $c* ) ) or ( 2 of ( $s* ) and ( #c1 > 5 or #c2 > 5 or #c3 > 5 or #c5 > 5 ) ) ) +} rule DITEKSHEN_MALWARE_Win_Timetime : FILE { meta: @@ -207047,7 +207245,7 @@ rule DITEKSHEN_MALWARE_Win_Surtr : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "a8db5588079d471d8904f0444973973a0c01dbec1ccbe3d43a34d41a0dde495d" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: 
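Review bot: The new DITEKSHEN_MALWARE_Win_Koxic rule carries no `hash` meta for the sample it was built from, so consumers cannot regression-test it; DITEKSHEN_MALWARE_Win_Tardigrade in this same file shows the convention (`hash1 = "<sha256>"`, `hash2 = "<sha256>"`), and at least a `hash1` entry should be added here. In the count-based branch, `2 of ( $s* )` can be satisfied by `$s3` (the Network Shortcuts path) and `$s4` (`Thread %d started.`), both plausible in benign software, so a legitimate updater that runs `cmd /c "echo` more than five times could match; if false positives appear, the fix is to require one of the ransom-note strings `$s5`/`$s6` in that branch rather than any two `$s`. `#c4` is the only `$c` string left out of the occurrence check, presumably because the self-delete command appears once; a one-line comment saying so would stop a later edit from "fixing" it.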
@@ -207365,7 +207563,7 @@ rule DITEKSHEN_MALWARE_Win_Laplas : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "e4a1f39a539782118db9c4ab89d03e359420397ef970165389cc79e7ea0952b3" score = 75 - quality = 25 + quality = 50 tags = "FILE" clamav_sig1 = "MALWARE.Win.LapLas-DotNET" clamav_sig2 = "MALWARE.Win.LapLas-GoLang" @@ -207556,7 +207754,7 @@ rule DITEKSHEN_MALWARE_Win_Darkeye : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "5496dcbfe075a4030a446027765186e9dd1931561a29a481139281e1708ce87d" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -208355,7 +208553,7 @@ rule DITEKSHEN_MALWARE_Win_Arcrypt : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "cc9fa68d093fdf9745a06beb28e29108cb2ba846122ce097ad892213b1edba25" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -208425,7 +208623,7 @@ rule DITEKSHEN_MALWARE_Win_Espioloader : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "8ad77a50db48f12e6f6465652b24fc1daa56375bb27e37e0eead1bea55b89e0c" score = 75 - quality = 50 + quality = 75 tags = "FILE" clamav_sig = "MALWARE.Win.EspioLoader" @@ -208665,7 +208863,7 @@ rule DITEKSHEN_MALWARE_Win_WSHRAT : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "297bfe65815637a464e2a8fc23570c6e79694ffe0467d5898b7c845f1450de95" score = 75 - quality = 48 + quality = 73 tags = "FILE" strings: 
@@ -209177,7 +209375,7 @@ rule DITEKSHEN_MALWARE_Win_Qwixxrat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "e6e44697e393da35215f7835f122cb74b05dbeebb558345d5110d6fbc809f4dd" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -209203,7 +209401,7 @@ rule DITEKSHEN_MALWARE_Win_Toxiceye : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "ee01c107dd295b923801c0d1a77b1534d3a5f2abf8d2cfa93c6786a1b0553504" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -209235,7 +209433,7 @@ rule DITEKSHEN_MALWARE_Win_Rdpcredsstealerinjector : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "0dfade8dde987f5134158b7c4abc3eaf8dcece86e1ff2ab1da4466da316939a2" score = 75 - quality = 50 + quality = 75 tags = "FILE" clamav1 = "MALWARE.Win.Trojan.RDPCredsStealer-Injector" @@ -209627,7 +209825,7 @@ rule DITEKSHEN_MALWARE_Win_Risepro : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "f6f1832f316df51ca108a3c75034bd53c3823cd3d9b16da120e12e252dbf90ff" score = 75 - quality = 46 + quality = 71 tags = "FILE" strings: @@ -209950,7 +210148,7 @@ rule DITEKSHEN_MALWARE_Win_Blackhunt : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "62e9bc505eff3e19ff0cdaf180e45e6d7917f0bec7cd9b007bee9fe1d9d09b66" score = 75 - quality = 50 + quality = 25 tags = "FILE" strings: 
@@ -209980,7 +210178,7 @@ rule DITEKSHEN_MALWARE_Win_Scoutelite : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "935bd891a9b68cb6ddad86db843de624f3a7ec0824f2b4c6ff0da56422b79668" score = 75 - quality = 25 + quality = 50 tags = "FILE" strings: @@ -210219,7 +210417,7 @@ rule DITEKSHEN_MALWARE_Win_Lighthand : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "4f06467a522b786045839e6b22b888cecc554b0f63cc20dc43dc0f8ec80f5654" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -210524,7 +210722,7 @@ rule DITEKSHEN_MALWARE_Win_Fpspy : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c26736c7f056f3d13c58e724fda601e88468e2386852b072a37c6646fb5ef8f9" score = 75 - quality = 48 + quality = 73 tags = "FILE" clamav1 = "MALWARE.Win.Trojan.FPSpy" @@ -210623,7 +210821,7 @@ rule DITEKSHEN_MALWARE_Win_Babylockerkz : FILE * YARA Rule Set * Repository Name: WithSecureLabs * Repository: https://github.com/WithSecureLabs/iocs - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: d17db32370fd4503050d9d6bc191ed66720cd156 * Number of Rules: 5 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -210700,7 +210898,7 @@ rule WITHSECURELABS_Ducktail_Artifacts : FILE license_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/LICENSE" logic_hash = "1daa5e654058c802826b6a306b5bfc9d0c05c4ee54607e94e618a8d409ce74d9" score = 75 - quality = 50 + quality = 75 tags = "FILE" version = "1.0" hash1 = "3dbd9e1c3d0fd6358d4adcba04fdfc0b6e8acc49" 
@@ -210875,7 +211073,7 @@ rule WITHSECURELABS_SILKLOADER * YARA Rule Set * Repository Name: HarfangLab * Repository: https://github.com/HarfangLab/iocs - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d * Number of Rules: 35 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) @@ -211901,7 +212099,7 @@ rule HARFANGLAB_Iis_Module_Hijackserver_Native : FILE hash = "c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2" logic_hash = "f0539a40958b34bb8372f8a8a6ca22617626fc7806556d6353175aa5f2ec0aea" score = 75 - quality = 55 + quality = 80 tags = "FILE" context = "file" @@ -211942,7 +212140,7 @@ rule HARFANGLAB_Iis_Module_Hijackserver_Dotnet : FILE hash = "915441b7d7ddb7d885ecfe75b11eed512079b49875fc288cd65b023ce1e05964" logic_hash = "83476157c66ac9586d28bf2e8614575c4950ab3e3538fd12d0a31fc451970686" score = 75 - quality = 55 + quality = 80 tags = "FILE" context = "file" @@ -212018,7 +212216,7 @@ rule HARFANGLAB_Apache_Module_Hijackserver_Php : FILE hash = "e107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850" logic_hash = "fe503e8d30a354927c1d4e1cffa18411b4c3ac5058cd3aef8df0e7d87624fe43" score = 75 - quality = 53 + quality = 78 tags = "FILE" context = "file" @@ -212137,7 +212335,7 @@ rule HARFANGLAB_Custom_Ateraagent_Operator : FILE * YARA Rule Set * Repository Name: LOLDrivers * Repository: https://github.com/magicsword-io/LOLDrivers/ - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 9be6ee6cd1df0bf6c715fda82150cf9a2f8dc3c6 * Number of Rules: 569 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -229892,7 +230090,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 : * YARA Rule Set * Repository Name: SEKOIA * Repository: https://github.com/SEKOIA-IO/Community - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: a12da9a4e4f5b8b2c39d66bcdb05f0c7d67c0cd9 * Number of Rules: 746 * Skipped: 0 (age), 3 (quality), 0 (score), 0 (importance) @@ -252900,7 +253098,7 @@ rule SEKOIA_Generic_Python_Reverse_Shell : FILE * YARA Rule Set * Repository Name: Synacktiv * Repository: https://github.com/synacktiv/synacktiv-rules - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: d234cc4da0783db7dca56ae8dd5252afdc248df8 * Number of Rules: 8 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -253257,7 +253455,7 @@ rule SYNACKTIV_MAL_Linkpro_Arpdiag_ELF_KO_Oct25 : FILE * YARA Rule Set * Repository Name: Signature Base * Repository: https://github.com/Neo23x0/signature-base - * Retrieval Date: 2025-11-09 + * Retrieval Date: 2025-11-16 * Git Commit: 72d12c2f43c845ceafba3e7011c166df020fb990 * Number of Rules: 4388 * Skipped: 0 (age), 9 (quality), 4 (score), 0 (importance) @@ -263848,7 +264046,7 @@ rule SIGNATURE_BASE_FE_Trojan_SH_ATRIUM_1 hash = "a631b7a8a11e6df3fccb21f4d34dbd8a" logic_hash = "672a293660d89d5d7d62a658c360bad0b6408611d8794744b17a81e6a75ceea7" score = 75 - quality = 35 + quality = 60 tags = "" strings: @@ -264036,7 +264234,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_QUIETPULSE hash = "00575bec8d74e221ff6248228c509a16" logic_hash = "226a56369e141834d4834400bbf1a006bbb6e9b39e16e24b0106bff1a9c202a9" score = 75 - quality = 58 + quality = 83 tags = "" strings: @@ -264091,7 +264289,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_RADIALPULSE_2 hash = "4a2a7cbc1c8855199a27a7a7b51d0117" logic_hash = "4ade993176c918ec23e99fc585e9ab14d9f9e93a7eca00f2c3b0ebbd13d6ec5b" score = 75 - quality = 60 + quality = 85 tags = "" strings: 
@@ -264118,7 +264316,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_RADIALPULSE_3 hash = "4a2a7cbc1c8855199a27a7a7b51d0117" logic_hash = "025308591e058de284f949fd4f788e4a4f46bb2f6c0e1161237f1f811d8179ba" score = 75 - quality = 60 + quality = 85 tags = "" strings: @@ -265891,7 +266089,7 @@ rule SIGNATURE_BASE_TA17_293A_Energetic_Bear_Api_Hashing_Tool : FILE description = "Energetic Bear API Hashing Tool" author = "CERT RE Team" id = "4e58800a-9618-5d8b-954c-e843be6002c2" - date = "2025-02-09" + date = "2025-02-16" modified = "2023-12-05" reference = "https://github.com/Neo23x0/signature-base" source_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/yara/apt_ta17_293A.yar#L77-L93" @@ -268494,7 +268692,7 @@ rule SIGNATURE_BASE_Suspicious_Powershell_Code_1 : FILE license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "0a254e0e4f0fdaa5907f5fe0b0c3d5226e2fdac4072349019abc2b2b11cbde30" score = 60 - quality = 58 + quality = 33 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" @@ -270210,7 +270408,7 @@ rule SIGNATURE_BASE_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_2 : LOG license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "13e2e46689bc0e87c3cf13dc2ce213c384afe6c03c21e62a467974a0518c12da" score = 65 - quality = 60 + quality = 85 tags = "LOG" strings: @@ -280696,7 +280894,7 @@ rule SIGNATURE_BASE_LOG_EXPL_Sharepoint_CVE_2023_29357_Sep23_1 : CVE_2023_29357 license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "03e3a4715c8683dc8d03ad6720c1c9b40482bd0bfa3020aa1152565ec9ec929f" score = 70 - quality = 35 + quality = 60 tags = "CVE-2023-29357" strings: 
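Review bot: The `date` of SIGNATURE_BASE_TA17_293A_Energetic_Bear_Api_Hashing_Tool moves from `"2025-02-09"` to `"2025-02-16"`, exactly one release interval, while `modified = "2023-12-05"` is untouched, which leaves a creation date later than the modification date. That pattern suggests the generator derives `date` relative to the build date instead of copying the rule's own creation date, so the value cannot be trusted for age-based filtering or for matching this rule against the upstream repository; this is inferred from the two visible values and should be checked against the upstream rule header. Until the generator is fixed, consumers should key on `id` and `logic_hash`, which are stable across these weekly regenerations, to detect real rule changes.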
@@ -308353,7 +308551,7 @@ rule SIGNATURE_BASE_APT_MAL_CN_Wocao_Agent_Py license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "9b6eba750c96501aae1d86eef458d3e80de665efc7ce9d5aff842bc44363bad2" score = 75 - quality = 60 + quality = 85 tags = "" strings: @@ -311935,7 +312133,7 @@ rule SIGNATURE_BASE_Office_OLE_DDE : FILE license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "2d2f7dce166dc8ef8aba7e8eaafaf4d1bb34cdc1ce97d34125a65147cf5e08ac" score = 50 - quality = 35 + quality = 60 tags = "FILE" strings: @@ -316124,7 +316322,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Iconnotfromexeordllorico : F license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "957fe9f24d08033cf6e29d7e202e04bfb579577d3850a99e97da6b70924ae88e" score = 50 - quality = 60 + quality = 85 tags = "FILE" strings: @@ -316173,7 +316371,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Lolcommand : FILE license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "4ac9a555e61303a173443de2a189536c8ea0fc32ee73c589dd104275c7967c57" score = 50 - quality = 60 + quality = 85 tags = "FILE" strings: @@ -316197,7 +316395,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Webdav : FILE license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "4fec084392140245eeb25bb512f3a4631ec6be08c197ec130a907fc118161197" score = 50 - quality = 60 + quality = 85 tags = "FILE" strings: 
@@ -316221,7 +316419,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Scripturl : FILE license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "ece0013dbc9836fa800f99a10ab46c1eb081e1c04fe45fe17be26ffac1d464e9" score = 50 - quality = 60 + quality = 85 tags = "FILE" strings: @@ -317060,7 +317258,7 @@ rule SIGNATURE_BASE_WEBSHELL_Compiled_Webshell_Mar2021_1 : FILE license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "d2e5f91f7bb50984c491eb9632d3863febc986760e4d03c8255872887ce4dc4a" score = 75 - quality = 56 + quality = 81 tags = "FILE" strings: @@ -368023,7 +368221,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic : FILE hash = "dd5d8a9b4bb406e0b8f868165a1714fe54ffb18e621582210f96f6e5ae850b33" logic_hash = "03c1963ec7a0409970baa98dc3a62f721c092b41d4026475a38b1ef466426b75" score = 70 - quality = -209 + quality = -109 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -368236,7 +368434,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic_Callback : FILE hash = "487e8c08e85774dfd1f5e744050c08eb7d01c6877f7d03d7963187748339e8c4" logic_hash = "e12dec5252a816c10443fe0e0b40b0b9b4a187b32facd8e09e1f057801da25f9" score = 60 - quality = -128 + quality = -153 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -368453,7 +368651,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Base64_Encoded_Payloads : FILE hash = "e2b1dfcfaa61e92526a3a444be6c65330a8db4e692543a421e19711760f6ffe2" logic_hash = "8f606dc3e1e688cca144fe769af50980b4c25fa69b08c67aca8c676a6a060010" score = 75 - quality = -8 + quality = 17 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -368603,7 +368801,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic_Eval : FILE hash = "dd5d8a9b4bb406e0b8f868165a1714fe54ffb18e621582210f96f6e5ae850b33" logic_hash = "4b7759e4761f5897bfb5e576df645a2e99cec4e703fb28d0fc275cf8f8848263" score = 75 - quality = 60 + quality = 85 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -368686,7 +368884,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC : FILE hash = "1d0643927f04cb1133f00aa6c5fa84aaf88e5cf14d7df8291615b402e8ab6dc2" logic_hash = "d300de628add5912955f4915921dc387bd3ca3e7bf327e3d9f0ae82e3839a3ec" score = 75 - quality = -48 + quality = -23 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -368763,7 +368961,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Encoded : FILE hash = "8a1e2d72c82f6a846ec066d249bfa0aaf392c65149d39b7b15ba19f9adc3b339" logic_hash = "c2a88e48374f949fcc9c14b773f7709c96b3147d1982ae9721708474ee5a3dcd" score = 70 - quality = -89 + quality = -64 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -368847,7 +369045,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Tiny : FILE hash = "5c871183444dbb5c8766df6b126bd80c624a63a16cc39e20a0f7b002216b2ba5" logic_hash = "993f1c98362dcbc207c6ceacb116a27d44505dc6dfa1874def780af50422e1b9" score = 75 - quality = -140 + quality = -90 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -368917,7 +369115,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Str_Replace : FILE hash = "e1a2af3477d62a58f9e6431f5a4a123fb897ea80" logic_hash = "74fb86a7ee7342ede9f49ef004a92fb7bdf06ca62f8e8f0ea1c6adcff96bcb2d" score = 75 - quality = 21 + quality = 46 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -369062,7 +369260,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_3 : FILE hash = "6f97f607a3db798128288e32de851c6f56e91c1d" logic_hash = "aba86f6d8458bb119b9e495e6e77c1b89855bde31b12395a4d656878c5152932" score = 70 - quality = -273 + quality = -198 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -369270,7 +369468,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Includer_Eval : FILE hash = "b51a6d208ec3a44a67cce16dcc1e93cdb06fe150acf16222815333ddf52d4db8" logic_hash = "a7e9632c495e5d4cc883e2593c8ebe41cdf6a18b54bd6dfd3aec85352f19321c" score = 75 - quality = 21 + quality = 46 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -369309,7 +369507,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Includer_Tiny : FILE hash = "b3b0274cda28292813096a5a7a3f5f77378b8905205bda7bb7e1a679a7845004" logic_hash = "e1efb6384009def30d845650fd0dd77319c3c7b4402cca074ca5c2a06372ab58" score = 75 - quality = 17 + quality = 42 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -369408,7 +369606,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Dynamic_Big : FILE hash = "ee34d62e136a04e2eaf84b8daa12c9f2233a366af83081a38c3c973ab5e2c40f" logic_hash = "1a29df7465b475e74d0f21f1705405e9663699a6e3c7b7107988ee3e202c3a25" score = 50 - quality = -361 + quality = -336 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -369590,7 +369788,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Encoded_Big : FILE hash = "042245ee0c54996608ff8f442c8bafb8" logic_hash = "9c995f9c1c5e3a70dbb8170f6d1a2fba51c0f29184a5d3647016b520f4bfc0e3" score = 50 - quality = -125 + quality = -75 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -369728,7 +369926,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_By_String_Known_Webshell : FILE hash = "d52128bcfff5e9a121eab3d76382420c3eebbdb33cd0879fbef7c3426e819695" logic_hash = "8909bf77b7bacdae092fd7a94099224bf1660a6d341e113412e93f864298851b" score = 70 - quality = -8 + quality = 17 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -369824,7 +370022,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Strings_SUSP : FILE hash = "1ab3ae4d613b120f9681f6aa8933d66fa38e4886" logic_hash = "5c3837ab761ee2209fab5fc333b050a56d80addb03b088ae28040c7393429bb3" score = 50 - quality = 15 + quality = 40 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -369959,7 +370157,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Writer : FILE hash = "20281d16838f707c86b1ff1428a293ed6aec0e97" logic_hash = "34bae0c02156d1c9fd24d674443322409eba0a43e094fc6c05df94bbbe15aa64" score = 50 - quality = 17 + quality = 42 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -370019,7 +370217,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Writer : FILE hash = "fc44fd7475ee6c0758ace2b17dd41ed7ea75cc73" logic_hash = "7c9f4c9a5005efad02760cf9ba3ea946068ae281cda10215bf8c88f209b582a5" score = 60 - quality = -100 + quality = -75 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -370111,7 +370309,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_OBFUSC : FILE hash = "cafc4ede15270ab3f53f007c66e82627a39f4d0f" logic_hash = "96369062f963c3604c05808755fdfca922e5a6da960cb0ee05dee2df72d5d69b" score = 75 - quality = -142 + quality = -117 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -370220,7 +370418,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Generic_Eval_On_Input : FILE hash = "069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6" logic_hash = "f7b9f43cf2fd6d08b7438f003242e9a19dcea282959c7a1fdff3a35e261a031e" score = 75 - quality = -24 + quality = 1 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -370286,7 +370484,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Nano : FILE hash = "28cfcfe28419a399c606bf96505bc68d6fe05624dba18306993f9fe0d398fbe1" logic_hash = "1b969e098a0b2c86ceba9cbb7f31770ba04f1a4c225716ea27d7e4e4177c90c4" score = 75 - quality = -142 + quality = -117 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -370443,7 +370641,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Encoded_Aspcoding : FILE hash = "f5095345ee085318235c11ae5869ae564d636a5342868d0935de7582ba3c7d7a" logic_hash = "a0f0b8585b28b13a90c5d112997cacea00af8c89c81eda5edf05508ad41459ab" score = 60 - quality = -30 + quality = -5 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -370507,7 +370705,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_By_String : FILE hash = "de173ea8dcef777368089504a4af0804864295b75e51794038a6d70f2bcfc6f5" logic_hash = "b6ff83bc501753b893a0f5e60c6aafa292617279c0855ce3ba2d0b9b73325e8a" score = 75 - quality = -66 + quality = -41 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -370619,7 +370817,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Sniffer : FILE hash = "ed5938c04f61795834751d44a383f8ca0ceac833" logic_hash = "874ec4c5dff024a899976e46cd553b52c361779a5507cf08ff0de596fd460d41" score = 75 - quality = -49 + quality = -24 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -370688,7 +370886,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Generic_Tiny : FILE hash = "b184dc97b19485f734e3057e67007a16d47b2a62" logic_hash = "e1b4e9fa88bb4260a83a22ec73c9fbec4d4f4928965cba9dfdd6fdba1307e8e4" score = 75 - quality = -102 + quality = -127 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -370957,7 +371155,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Generic_Registry_Reader : FILE hash = "898ebfa1757dcbbecb2afcdab1560d72ae6940de" logic_hash = "515bff52bebaad45481202ff934f8d1cbb79c27ccf47ca811077acacb7a47f13" score = 50 - quality = -53 + quality = -28 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371035,7 +371233,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASPX_Regeorg_CSHARP : FILE hash = "aea0999c6e5952ec04bf9ee717469250cddf8a6f" logic_hash = "0c68f5955df2e75c3b5b4f1c6398fd57add1f64bfb3d46ccebf1c6767f5d2eb1" score = 75 - quality = -32 + quality = -7 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -371158,7 +371356,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Runtime_Compile : FILE hash = "8ce4eaf111c66c2e6c08a271d849204832713f8b66aceb5dadc293b818ccca9e" logic_hash = "6699a44e396eedebb3bafa0e89c3b6d080586a158ed056ec7220bdf2ad764444" score = 75 - quality = -6 + quality = 19 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371220,7 +371418,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_SQL : FILE hash = "cafc4ede15270ab3f53f007c66e82627a39f4d0f" logic_hash = "c59250065c4be267746f716f922007b638706a76579af6509c8e97d0cee03f33" score = 75 - quality = -59 + quality = -34 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371438,7 +371636,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_HTTP_Proxy : FILE hash = "2f9b647660923c5262636a5344e2665512a947a4" logic_hash = "7183902d43fc633db06a41b4a6bc02d2eb5662b7ee08080b57563783b8b67568" score = 75 - quality = 25 + quality = 50 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371480,7 +371678,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Writer_Nano : FILE hash = "5e241d9d3a045d3ade7b6ff6af6c57b149fa356e" logic_hash = "44c11570c610b849ba9c7506fd9ef3575d270e79d7aaf5c26d54ab3f64cfc94f" score = 75 - quality = 23 + quality = 48 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371584,7 +371782,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Generic : FILE hash = "ee9408eb923f2d16f606a5aaac7e16b009797a07" logic_hash = "1a464e222704cfc947ed2f1c027c7871db8ab73e5130a309738afd25c8e614ab" score = 75 - quality = -49 + quality = -24 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -371787,7 +371985,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Generic_Classloader : FILE hash = "8e544a5f0c242d1f7be503e045738369405d39731fcd553a38b568e0889af1f2" logic_hash = "109c0063f4e8db6172fd872b3b93d4f069234f28bbf033fbd2c5f135051df77e" score = 75 - quality = -25 + quality = 0 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371831,7 +372029,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Generic_Encoded_Shell : FILE hash = "62e6c6065b5ca45819c1fc049518c81d7d165744" logic_hash = "74f45478e5bd7bb300e4ec493c2d3ef9a26340a141c3512a722618b3a3731500" score = 75 - quality = 58 + quality = 83 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371863,7 +372061,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Netspy : FILE hash = "3870b31f26975a7cb424eab6521fc9bffc2af580" logic_hash = "65432e42ad2626b62b1d1a6298c301513c2fb03d89193a77b053069cebcb45e9" score = 75 - quality = -24 + quality = 1 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371920,7 +372118,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_By_String : FILE hash = "850f998753fde301d7c688b4eca784a045130039512cf51292fcb678187c560b" logic_hash = "ab8d8df32ab745d8dd02d63d89264df2fbc0087daf6b4f91900ad03ab6e7949e" score = 75 - quality = -6 + quality = 19 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -371982,7 +372180,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Input_Upload_Write : FILE hash = "19eca79163259d80375ebebbc440b9545163e6a3" logic_hash = "33b08a6118134819ec72a2eab0daf723c25c8869e0fa8a83f690b93e2667d15c" score = 75 - quality = 21 + quality = 46 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 
@@ -372030,7 +372228,7 @@ rule SIGNATURE_BASE_WEBSHELL_Generic_OS_Strings : FILE hash = "0353ae68b12b8f6b74794d3273967b530d0d526f" logic_hash = "10b956cac601c97d1483d35a7730d7178c4175800b4e4c9ed62ad583d3cac3d7" score = 50 - quality = -123 + quality = -98 tags = "FILE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" importance = 70 @@ -374664,7 +374862,7 @@ rule SIGNATURE_BASE_EXPL_LOG_Commvault_CVE_2025_57791_Indicator_Shell_Drop_Aug25 license_url = "https://github.com/Neo23x0/signature-base/blob/72d12c2f43c845ceafba3e7011c166df020fb990/LICENSE" logic_hash = "f0e9fedba803b0cd8b1469bad7a50bf4647f7e2f786520caf5a79ac626879125" score = 70 - quality = 60 + quality = 85 tags = "" strings: