Merge pull request kevoreilly#2723 from YungBinary/master

kevoreilly · web-flow · commit 3743b265096e · 2025-10-16T20:17:38.000+01:00
Add DarkCloud, ChaosBot yara rules
diff --git a/data/yara/CAPE/ChaosBot.yar b/data/yara/CAPE/ChaosBot.yar
@@ -0,0 +1,24 @@
+rule ChaosBot 
+{
+    meta:
+        author = "YungBinary"
+        description = "https://x.com/YungBinary/status/1976580501508182269"
+        cape_type = "ChaosBot Payload"
+    strings: 
+        $s1 = { 48 6f 73 74 20 20 63 6f 6e 6e 65 63 74 65 64 2c 20 63 68 61 6e 6e 65 6c 20 63 72 65 61 74 65 64 3a 20 3c }
+        $s2 = { 73 68 65 6c 6c 20 64 6f 77 6e 6c 6f 61 64 20 63 64 20 46 61 69 6c 65 64 20 74 6f 20 63 68 61 6e 67 65 20 64 69 72 65 63 74 6f 72 79 3a }
+        $s3 = { 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74 41 6d 73 69 53 63 61 6e 42 75 66 66 65 72 45 74 77 45 76 65 6e 74 57 72 69 74 65 43 4f 4d 50 55 54 45 52 4e 41 4d 45 }
+        $s4 = { 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 6d 65 73 73 61 67 65 5f 2e 74 78 74 }
+        $bypass = { 
+            74 ?? 
+            66 C7 03 31 C0 
+            C6 43 02 C3 
+        } 
+        $antivm = { 
+            48 ?? 30 30 3A 30 43 3A 32 39 
+            49 39 ?? 00 
+        } 
+    condition: 
+        uint16(0) == 0x5a4d and (1 of ($s*) or ($antivm and $bypass)) 
+
+}
diff --git a/data/yara/CAPE/DarkCloud.yar b/data/yara/CAPE/DarkCloud.yar
@@ -0,0 +1,39 @@
+rule DarkCloud {
+    meta:
+        author = "YungBinary"
+        description = "https://x.com/YungBinary/status/1971585972912689643"
+        cape_type = "DarkCloud Payload"
+    strings:
+        $darkcloud1 = "===============DARKCLOUD===============" fullword wide
+        $creds1 = "@GateUrl" wide
+        $creds2 = "@StrFtpUser" wide
+        $creds3 = "@StrFtpPass" wide
+        $creds4 = "@StrFtpServer" wide
+        $creds5 = "@StrReceiver" wide 
+        $creds6 = "@StrSmtpUser" wide
+        $creds7 = "@StrSmtpPass" wide
+        $sql1 = "SELECT item1 FROM metadata" wide
+        $sql2 = "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards" wide
+        $sql3 = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins" wide
+        $sql4 = "SELECT address FROM ConversationRecipients" wide
+        $sql5 = "SELECT address FROM ConversationSenders" wide
+        $app1 = "Application : Pidgin" wide
+        $app2 = "Application: CoreFTP" wide
+        $app3 = "Application: WinSCP" wide
+        $app4 = "Application: Outlook" wide
+        $app5 = "Application : FileZilla" fullword wide
+        $fingerprint1 = "Computer Name: " fullword wide
+        $fingerprint2 = "OS FullName: " fullword wide
+        $fingerprint3 = "CPU: " fullword wide
+        $fingerprint4 = "SELECT * FROM Win32_Processor" fullword wide
+        $fingerprint5 = "SELECT * FROM Win32_OperatingSystem" fullword wide
+    condition:
+        uint16(0) == 0x5a4d and 
+        (
+            $darkcloud1 and 1 of ($creds*) or 
+            (3 of ($creds*) and 1 of ($sql*)) or 
+            (2 of ($sql*) and 2 of ($app*)) or 
+            (2 of ($creds*) and 2 of ($fingerprint*)) or 
+            (2 of ($app*) and 2 of ($fingerprint*) and 1 of ($sql*))
+        )
+}
