diff --git a/third_party/yara/YARAForge/RELEASE b/third_party/yara/YARAForge/RELEASE
index 8a8350ab3..befd73573 100644
--- a/third_party/yara/YARAForge/RELEASE
+++ b/third_party/yara/YARAForge/RELEASE
@@ -1 +1 @@
-20251026
+20251102
diff --git a/third_party/yara/YARAForge/yara-rules-full.yar b/third_party/yara/YARAForge/yara-rules-full.yar
index 6d2ff6e06..909222064 100644
--- a/third_party/yara/YARAForge/yara-rules-full.yar
+++ b/third_party/yara/YARAForge/yara-rules-full.yar
@@ -12,24 +12,24 @@
 * Force Exclude Importance Level: 0
 * Minimum Age (in days): 0
 * Minimum Score: 40
- * Creation Date: 2025-10-26
- * Number of Rules: 11415
- * Skipped: 0 (age), 228 (quality), 8 (score), 0 (importance)
+ * Creation Date: 2025-11-02
+ * Number of Rules: 11414
+ * Skipped: 0 (age), 231 (quality), 8 (score), 0 (importance)
 */
-import "dotnet"
-import "pe"
 import "hash"
-import "console"
-import "elf"
 import "math"
+import "elf"
+import "console"
+import "pe"
+import "dotnet"
 /*
 * YARA Rule Set
 * Repository Name: ReversingLabs
 * Repository: https://github.com/reversinglabs/reversinglabs-yara-rules/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: af35d842f569bd9f726a9a77f947dda7763f87ec
 * Number of Rules: 1238
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -6650,8 +6650,8 @@ rule REVERSINGLABS_Linux_Virus_Vit : TC_DETECTION MALICIOUS MALWARE FILE
 description = "Yara rule that detects Vit virus."
 author = "ReversingLabs"
 id = "4515fe43-4c5a-521d-82b7-273823f0c64e"
- date = "2025-10-26"
- date = "2025-10-26"
+ date = "2025-11-02"
+ date = "2025-11-02"
 modified = "2023-06-07"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/af35d842f569bd9f726a9a77f947dda7763f87ec/yara/virus/Linux.Virus.Vit.yara#L3-L36"
@@ -44833,8 +44833,8 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct : TC_DETECTION MALICIOUS MALWARE
 description = "Yara rule that detects Oct ransomware."
 author = "ReversingLabs"
 id = "e811a0ba-52df-5e88-ab71-df91d5cb584a"
- date = "2025-10-26"
- date = "2025-10-26"
+ date = "2025-10-02"
+ date = "2025-10-02"
 modified = "2021-08-12"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/af35d842f569bd9f726a9a77f947dda7763f87ec/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara#L1-L68"
@@ -56609,8 +56609,8 @@ rule REVERSINGLABS_Win32_Ransomware_ONI : TC_DETECTION MALICIOUS MALWARE FILE
 description = "Yara rule that detects Oni ransomware."
 author = "ReversingLabs"
 id = "9190aee2-1119-546e-82ca-a7aba44a9d7f"
- date = "2025-10-26"
- date = "2025-10-26"
+ date = "2025-11-02"
+ date = "2025-11-02"
 modified = "2020-12-07"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/af35d842f569bd9f726a9a77f947dda7763f87ec/yara/ransomware/Win32.Ransomware.Oni.yara#L1-L82"
@@ -59920,7 +59920,7 @@ rule REVERSINGLABS_Win32_Ransomware_Babuk : TC_DETECTION MALICIOUS MALWARE FILE
 * YARA Rule Set
 * Repository Name: R3c0nst
 * Repository: https://github.com/fboldewin/YARA-rules/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 54e9e6899b258b72074b2b4db6909257683240c2
 * Number of Rules: 26
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -60679,9 +60679,9 @@ rule R3C0NST_Exploit_Outlook_CVE_2023_23397 : CVE_2023_23397 FILE
 * YARA Rule Set
 * Repository Name: CAPE
 * Repository: https://github.com/kevoreilly/CAPEv2
- * Retrieval Date: 2025-10-26
- * Git Commit: 054d9ba3709496537788e50ca83e701835368596
- * Number of Rules: 178
+ * Retrieval Date: 2025-11-02
+ * Git Commit: 724bafc14f078ad7a6fb8e5233ef7b58c19a858e
+ * Number of Rules: 180
 * Skipped: 0 (age), 16 (quality), 3 (score), 0 (importance)
 *
 *
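Review bot: In the REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct hunk the new `date` value is `2025-10-02`, whereas every other rule touched by this release (the Vit and ONI hunks, the bundle header and the per-repository retrieval dates) moves from `2025-10-26` to `2025-11-02`; the date goes backwards, which looks like a generator slip rather than an intended value. Because this file is emitted by YARA Forge, the correction belongs in the regeneration step or upstream rather than a hand edit, but it is worth confirming before the bump lands since any tooling that keys on `date` will see a stale value for this rule. The repeated `date = ...` line in the same hunk (also visible in the Vit and ONI hunks) is pre-existing and appears to be accepted by the compiler, so it is cosmetic, but a regeneration that emits the key once would be cleaner.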
@@ -61362,8 +61362,8 @@ rule CAPE_Formhooka
 date = "2025-07-16"
 modified = "2025-07-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Formbook.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Formbook.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "21b8101a7039cfad0e9d49cc1f055bc23a2eb4c973dcda2a81a007e452d77a6d"
 score = 75
 quality = 70
@@ -61388,8 +61388,8 @@ rule CAPE_Formconfa
 date = "2025-07-16"
 modified = "2025-07-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Formbook.yar#L32-L44"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Formbook.yar#L32-L44"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "b0aa4cec55a21245d8104380c531dd6cc0fdef64fbefd79616eadfb4e95b2d75"
 score = 75
 quality = 70
@@ -61413,8 +61413,8 @@ rule CAPE_Formhelper
 date = "2025-07-16"
 modified = "2025-07-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Formbook.yar#L46-L58"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Formbook.yar#L46-L58"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "77cdfc94aac089c4f2590f4afbab35351fc6e104e67813548c68c59d27019a63"
 score = 75
 quality = 70
@@ -61438,8 +61438,8 @@ rule CAPE_Formconfb
 date = "2025-07-16"
 modified = "2025-07-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Formbook.yar#L60-L75"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Formbook.yar#L60-L75"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "bb8f54220394420e698b5eac9276c3d0ab03148808cfb9e98feb56437ce2a5a7"
 score = 75
 quality = 70
@@ -61466,8 +61466,8 @@ rule CAPE_Xworm
 date = "2023-11-07"
 modified = "2023-11-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/XWorm.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/XWorm.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "d8e103f3470e83d71cd4992b74698c0721b8a69d764fdb7a4543997b2853014a"
 score = 75
 quality = 70
@@ -61489,8 +61489,8 @@ rule CAPE_Modiloader : FILE
 date = "2025-01-31"
 modified = "2025-01-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/ModiLoader.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/ModiLoader.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "1f0cbf841a6bc18d632e0bc3c591266e77c99a7717a15fc4b84d3e936605761f"
 logic_hash = "9e64e0c40192cc832a1ffa7b3ac65a704596af82515d03706cd7aa1f4498f32f"
 score = 75
@@ -61514,8 +61514,8 @@ rule CAPE_Modiloaderold : FILE
 date = "2025-01-31"
 modified = "2025-01-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/ModiLoader.yar#L15-L53"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/ModiLoader.yar#L15-L53"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "fc006377e6d41515503b0b234ff87f59d930a7d9f8b32d2e072de79b9c52ddc4"
 score = 75
 quality = 66
@@ -61559,8 +61559,8 @@ rule CAPE_Vbcrypter
 date = "2021-03-28"
 modified = "2021-03-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/VBCrypter.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/VBCrypter.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "a62bca62ab624ab1a2c2e612c5b7e6d543006026a49c07c46800499e31e41c4e"
 score = 75
 quality = 70
@@ -61582,8 +61582,8 @@ rule CAPE_Bumblebee : FILE
 date = "2023-02-08"
 modified = "2023-02-08"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/BumbleBee.yar#L34-L46"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/BumbleBee.yar#L34-L46"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "0a632a0b30b28d544880eb1cfdd85e95f455c343d60f8d6922d4196ef7415961"
 score = 75
 quality = 70
@@ -61607,8 +61607,8 @@ rule CAPE_Zloader : FILE
 date = "2024-05-03"
 modified = "2024-05-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Zloader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Zloader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "319adca805083c7f5854fe840447cf961addbd748f1f25eb8ec8cdeed7af38aa"
 score = 75
 quality = 70
@@ -61631,8 +61631,8 @@ rule CAPE_Zloader_2024 : FILE
 date = "2024-05-03"
 modified = "2024-05-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Zloader.yar#L14-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Zloader.yar#L14-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "38d555ef5f613cf7ca043697c479100a7a22e7f043acf8b6a46f8009eb92fd7e"
 score = 75
 quality = 70
@@ -61656,8 +61656,8 @@ rule CAPE_Buerloader : FILE
 date = "2021-03-13"
 modified = "2021-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/BuerLoader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/BuerLoader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6f9f9b4c01251c0643c61701084cca2bdfeea08ca95f982355565cf05483d940"
 score = 75
 quality = 70
@@ -61679,8 +61679,8 @@ rule CAPE_Heavenssyscall : FILE
 date = "2024-03-25"
 modified = "2024-03-25"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "aeb981fcba0936ff8b1be4c601445fd45e5d3b74856a9439d351edd57f5a50c3"
 score = 75
 quality = 70
@@ -61704,8 +61704,8 @@ rule CAPE_Gettickcountantivm
 date = "2022-02-25"
 modified = "2022-02-25"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "662bc7839ed7ddd82d5fdafa29fafd9a9ec299c28820fe4104fbba9be1a09c42"
 hash = "00f1537b13933762e1146e41f3bac668123fac7eacd0aa1f7be0aa37a91ef3ce"
 hash = "549bca48d0bac94b6a1e6eb36647cd007fed5c0e75a0e4aa315ceabdafe46541"
@@ -61736,8 +61736,8 @@ rule CAPE_Doomedloader : FILE
 date = "2024-07-25"
 modified = "2024-07-25"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/DoomedLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/DoomedLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "54a5962ef49ebf987908c4ea1559788f7c96a7e4ea61d2973636e998a0239c77"
 score = 75
 quality = 70
@@ -61761,8 +61761,8 @@ rule CAPE_Emotetpacker : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "5a95d1d87ce69881b58a0e3aafc1929861e2633cdd960021d7b23e2a36409e0d"
 logic_hash = "5f27d9d18884f7e0805f69960869b332c1577bf8be8ac103285e8bf98cda0ffd"
 score = 75
@@ -61786,8 +61786,8 @@ rule CAPE_Smokeloader : FILE
 date = "2023-02-06"
 modified = "2023-02-06"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "4b15162f4b754cdd6a9124f29f0fd979085734063a0b17f2a97a9750f29e2e0b"
 score = 75
 quality = 70
@@ -61809,8 +61809,8 @@ rule CAPE_Slowloader
 date = "2024-09-23"
 modified = "2024-09-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/SlowLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/SlowLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "f07528c646ebd980a5e843caa4a4715e31b22c3cd091576600e9fe45d7fc2fe4"
 score = 75
 quality = 70
@@ -61833,8 +61833,8 @@ rule CAPE_Anticuckoo : FILE
 date = "2023-03-17"
 modified = "2023-03-17"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "ad5e52f144bb4a1dae3090978c6ecb4c7732538c9b62a6cedd32eccee6094be5"
 logic_hash = "a039aeca2dae44980e8bffafacfda90975e107001be50f11ac916b35ad43592e"
 score = 75
@@ -61857,8 +61857,8 @@ rule CAPE_Rhadamanthys
 date = "2023-04-18"
 modified = "2023-04-18"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "3c8fbfe14f81e099fc900023d9c856e3f45b99af38889ed952b2ac67a636f51d"
 score = 75
 quality = 70
@@ -61883,8 +61883,8 @@ rule CAPE_Pikahook : FILE
 date = "2024-03-12"
 modified = "2024-03-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Pikabot.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Pikabot.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "2a50a5f2d905122a5b7ac8ca3666b47caa24d325e246841129e53807daf2a1dd"
 score = 75
 quality = 70
@@ -61909,8 +61909,8 @@ rule CAPE_Pikexport : FILE
 date = "2024-03-12"
 modified = "2024-03-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Pikabot.yar#L16-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Pikabot.yar#L16-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646"
 logic_hash = "33f58703a0e40c2361343dbdcc17111aafbf5cc912393edda79005c6ec566f42"
 score = 75
@@ -61934,8 +61934,8 @@ rule CAPE_Risepro : FILE
 date = "2023-12-16"
 modified = "2023-12-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/RisePro.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/RisePro.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6"
 logic_hash = "055ca8328923b91f93c116e4a856366356fa11155f4e9fde95da31129b51386a"
 score = 75
@@ -61960,8 +61960,8 @@ rule CAPE_Lumma : FILE
 date = "2024-05-09"
 modified = "2024-05-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Lumma.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Lumma.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "a8f9212b619796f91f14c4164e4d2f30c66b51118f22f3d6c310841b6707b7b0"
 score = 75
 quality = 70
@@ -61986,8 +61986,8 @@ rule CAPE_Lummaremap
 date = "2024-05-09"
 modified = "2024-05-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Lumma.yar#L16-L27"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Lumma.yar#L16-L27"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "51093379fbd041f75bdfe161bc9dfcc7d782c23ce16d625ca558bb58d8d57713"
 score = 75
 quality = 70
@@ -62010,8 +62010,8 @@ rule CAPE_Rdtscpantivm
 date = "2021-12-11"
 modified = "2021-12-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "be0f9b52fb630730a38160f4ad2d50b6b4bea5edd82e3ea4d1e257cf7b090910"
 score = 75
 quality = 70
@@ -62033,8 +62033,8 @@ rule CAPE_Privateloader
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "204a86bb3743f19fed0fe55ff5ccd716661f7f315b5966a29e434ccb3e160526"
 score = 75
 quality = 70
@@ -62057,8 +62057,8 @@ rule CAPE_Singlestepantihook
 date = "2021-08-26"
 modified = "2021-08-26"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "fc9f36b0ecc13192fe8b6caaff256ac52c1f14480223d629a38ba84e90dd0809"
 score = 75
 quality = 70
@@ -62080,8 +62080,8 @@ rule CAPE_Darkgateloader
 date = "2025-04-07"
 modified = "2025-04-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "00692123615d2f7eaf8aea07754fc9439cf58e1fb8eb4f44f0428b362f27e794"
 score = 75
 quality = 70
@@ -62107,8 +62107,8 @@ rule CAPE_Guloaderprecursor : FILE
 date = "2023-10-02"
 modified = "2023-10-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Guloader.yar#L17-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Guloader.yar#L17-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "ea05c352739366a03da302074b01537382ba26f7fd5049004f156e47d284f070"
 score = 75
 quality = 70
@@ -62131,8 +62131,8 @@ rule CAPE_Mysterysnail
 date = "2021-10-16"
 modified = "2021-10-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/MysterySnail.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/MysterySnail.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "9402dbbbfdd286e2309ee83fc08194f70f73657a3a4e3785dfbcb564dbee86a8"
 score = 75
 quality = 70
@@ -62154,8 +62154,8 @@ rule CAPE_Blister : FILE
 date = "2024-05-09"
 modified = "2024-05-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Blister.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Blister.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "aba379b93c85241cf250829832b2c8a5eaafb3abd0ff955dbaf0d06489c00deb"
 score = 75
 quality = 70
@@ -62183,8 +62183,8 @@ rule CAPE_Darkgate
 date = "2024-02-26"
 modified = "2024-02-26"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/DarkGate.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/DarkGate.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "c1d35921f4fc3bac681a3d5148f517dc0ec90ab8c51e267c8c6cd5b1ca3dc085"
 logic_hash = "25c0e77a83676c6a18445f8df0b1f7a9148de5f64eeb532f9a4f4d4652dd8191"
 score = 75
@@ -62212,8 +62212,8 @@ rule CAPE_Aurastealerbypass
 date = "2025-09-02"
 modified = "2025-09-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/AuraStealer.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/AuraStealer.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "ae174c96c262b1734c58bd6c5f7112221b08596c180612e4970acada35dbd070"
 score = 75
 quality = 70
@@ -62238,8 +62238,8 @@ rule CAPE_Loadersyscall
 date = "2025-07-23"
 modified = "2025-07-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "3c7ffd8b95032cffecff7fa7e5f5f561cce13e1109f6a9b30bc743642b495e45"
 score = 75
 quality = 70
@@ -62263,8 +62263,8 @@ rule CAPE_Nitrogenloaderaes
 date = "2025-07-23"
 modified = "2025-07-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "de8ed0e98948cfadfd579e334fd9ce9f777ddbd988de897529ba71cb5eb2d396"
 score = 75
 quality = 70
@@ -62288,8 +62288,8 @@ rule CAPE_Nitrogenloaderbypass
 date = "2025-07-23"
 modified = "2025-07-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "3a034d3ddd18723ea1f91814c8c2a2c47a749dfd1496a5d4777d8ff8bfab3457"
 score = 75
 quality = 70
@@ -62313,8 +62313,8 @@ rule CAPE_Nitrogenloaderconfig
 date = "2025-07-23"
 modified = "2025-07-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L66"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L66"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "06d49ebf3f67476c83a77734dff0245a51027a35d92e5af07bb9146db5b156ca"
 score = 75
 quality = 70
@@ -62349,8 +62349,8 @@ rule CAPE_Agentteslav4Jit
 date = "2024-02-27"
 modified = "2024-02-27"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/AgentTesla.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/AgentTesla.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "8f7144d2a989ce8d291af926b292f5f0f7772e707b0e49797eba13ecf91b90bc"
 score = 75
 quality = 70
@@ -62375,8 +62375,8 @@ rule CAPE_Agentteslav3Jit
 date = "2024-02-27"
 modified = "2024-02-27"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/AgentTesla.yar#L16-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/AgentTesla.yar#L16-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "62a49cf4295df637f96ba7c127cfc4aeb9af2fcced497fdf34d726a062edc1ec"
 score = 75
 quality = 70
@@ -62398,8 +62398,8 @@ rule CAPE_Icedidsyscallwritemem : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/IcedID.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/IcedID.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6b068106b038e9efeb9057cadf314d400c1ada1a1cc70336d3272da3a212c993"
 score = 75
 quality = 70
@@ -62423,8 +62423,8 @@ rule CAPE_Icedidhook
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/IcedID.yar#L15-L25"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/IcedID.yar#L15-L25"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "fd62e0ed6f2a18472fa9336daee0e8a3a55e21779a8385394e85f96da928e24f"
 score = 75
 quality = 70
@@ -62446,8 +62446,8 @@ rule CAPE_Icedidpackera : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/IcedID.yar#L27-L40"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/IcedID.yar#L27-L40"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe"
 logic_hash = "aa0681e7794546355e6d61f739c49035a493cdfca7e666531d74e3835ec44408"
 score = 75
@@ -62472,8 +62472,8 @@ rule CAPE_Icedidpackerb : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/IcedID.yar#L42-L56"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/IcedID.yar#L42-L56"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "6517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6"
 logic_hash = "fde1e2c0124d180b2fa3d0675b35e8d78fdd7b06cd27e9228c148aa29ce30ee7"
 score = 75
@@ -62498,8 +62498,8 @@ rule CAPE_Icedidpackerc : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/IcedID.yar#L58-L71"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/IcedID.yar#L58-L71"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "c06805b6efd482c1a671ec60c1469e47772c8937ec0496f74e987276fa9020a5"
 hash = "265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844"
 logic_hash = "f1e75e380ab0947fdfda012b7a5077a1c2ef51163239846ab2dc29cac95ba166"
@@ -62524,8 +62524,8 @@ rule CAPE_Icedidpackerd : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/IcedID.yar#L73-L86"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/IcedID.yar#L73-L86"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "7b226f8cc05fa7d846c52eb0ec386ab37f9bae04372372509daa6bacc9f885d8"
 logic_hash = "6685e0246f5a11ce0ca33447837de06506b447a5f8591423e2b76f2ab0274dc7"
 score = 75
@@ -62550,8 +62550,8 @@ rule CAPE_Icedsleep : FILE
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/IcedID.yar#L88-L99"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/IcedID.yar#L88-L99"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "0b1a8be95b1b8a3b066837f9e47561ee8202d741b39d64e626c0461c2fbf7c70"
 score = 75
 quality = 70
@@ -62574,8 +62574,8 @@ rule CAPE_Stealcanti : FILE
 date = "2025-09-01"
 modified = "2025-09-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Stealc.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Stealc.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
 logic_hash = "4132e8094b0b49a89e9f40a8b1a6abbf105bbb04e4ddf3ce739e39fc2baf0d13"
 score = 75
@@ -62599,8 +62599,8 @@ rule CAPE_Stealcstrings : FILE
 date = "2025-09-01"
 modified = "2025-09-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Stealc.yar#L15-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Stealc.yar#L15-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6d402446a979c00b6257ace9924db381d98c530b22968bd2776c66d58c7faefc"
 score = 75
 quality = 70
@@ -62623,8 +62623,8 @@ rule CAPE_Stealcv2Strings : FILE
 date = "2025-09-01"
 modified = "2025-09-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Stealc.yar#L28-L43"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Stealc.yar#L28-L43"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "923f70edb3ad70957576994008729bf7a087479eed1973c42161aa96fa694baa"
 score = 75
 quality = 70
@@ -62651,8 +62651,8 @@ rule CAPE_Stealcv2Datecheck : FILE
 date = "2025-09-01"
 modified = "2025-09-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Stealc.yar#L45-L56"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Stealc.yar#L45-L56"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "f074aceb7c111156752891acac8690c00dad7c26240fb0752cc12a9a65aa3d30"
 score = 75
 quality = 70
@@ -62675,8 +62675,8 @@ rule CAPE_Latrodectus : FILE
 date = "2024-02-26"
 modified = "2024-02-26"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Latrodectus.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Latrodectus.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05"
 logic_hash = "c2c9f23e287253d766425c05eb774f6e07bdcbabc259e04b723a1a87c8b91fbd"
 score = 75
@@ -62699,8 +62699,8 @@ rule CAPE_Dridexloader : FILE
 date = "2021-03-09"
 modified = "2021-03-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/DridexLoader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/DridexLoader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "00a3e4e80a2558ee52035f091e2339fa2dad6f6515b9dc099f2f3800e4c70bce"
 score = 75
 quality = 70
@@ -62722,8 +62722,8 @@ rule CAPE_Bruteratelsyscall
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/BruteRatel.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/BruteRatel.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "5ed054b3cd5d2659c250945d55d6adac90945963c34ad2af0f8d7436141e86b6"
 score = 75
 quality = 70
@@ -62746,8 +62746,8 @@ rule CAPE_Bruteratelpacker
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/BruteRatel.yar#L14-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/BruteRatel.yar#L14-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "2ccb17efe378d034df34d20d7580c58171d0fd11c18fef6c9a23f1ba238514e6"
 score = 75
 quality = 70
@@ -62771,8 +62771,8 @@ rule CAPE_Bruterateldate
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/BruteRatel.yar#L28-L39"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/BruteRatel.yar#L28-L39"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "88589b2d08aea03565668ff1b9af20b6fe11cda50d867c60db7cb4d1826b0fd7"
 score = 75
 quality = 70
@@ -62795,8 +62795,8 @@ rule CAPE_Bruteratelconfig
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/BruteRatel.yar#L41-L51"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/BruteRatel.yar#L41-L51"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "b1815aafec940ab6c8daafc68ccf294845221ada260de5209dcb7e49ccd061c7"
 score = 75
 quality = 70
@@ -62818,8 +62818,8 @@ rule CAPE_Themida : FILE
 date = "2024-09-11"
 modified = "2024-09-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Themida.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Themida.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "c4f1e01a3fe3cb66062ce03253bfe9edc09dc6f1a77db99b281106e8ceff9257"
 score = 75
 quality = 70
@@ -62842,8 +62842,8 @@ rule CAPE_Amatera : FILE
 date = "2025-06-25"
 modified = "2025-06-25"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Amatera.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Amatera.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af"
 logic_hash = "1c02f04846568b85acbd4101b2e944dc824179f7cff1bceaec1c657939b610d5"
 score = 75
@@ -62868,8 +62868,8 @@ rule CAPE_Cargobayloader : FILE
 date = "2023-02-20"
 modified = "2023-02-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/CargoBayLoader.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/CargoBayLoader.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "75e975031371741498c5ba310882258c23b39310bd258239277708382bdbee9c"
 logic_hash = "1d5c4ca79f97e1fac358189a8c6530be12506974fc2fb42f63b0b621536a45c9"
 score = 75
@@ -62893,8 +62893,8 @@ rule CAPE_Socks5Systemz : FILE
 date = "2025-05-23"
 modified = "2025-05-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/Socks5Systemz.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/Socks5Systemz.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "7e324bacd1ea57585435b6a5a4c93bda63ca146c100f2361a1c5530b87668299"
 score = 75
 quality = 70
@@ -62924,8 +62924,8 @@ rule CAPE_Ursnifv3
 date = "2023-03-23"
 modified = "2023-03-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "d679546e37ee58087fce75920b2ce4e6d2b9ae55fb1ef80d14ec14309396757c"
 score = 75
 quality = 70
@@ -62952,8 +62952,8 @@ rule CAPE_Qakbot5 : FILE
 date = "2024-02-16"
 modified = "2024-02-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/QakBot.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/QakBot.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "303ea2d8d1a7f0fd0ca5508dae2c1b83c03b1e3e975760f15d36d93bcc152767"
 score = 75
 quality = 70
@@ -62977,8 +62977,8 @@ rule CAPE_Qakbot4 : FILE
 date = "2024-02-16"
 modified = "2024-02-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/QakBot.yar#L15-L29"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/QakBot.yar#L15-L29"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "ad75b07b9b786f634fd46cbe6dc089d3f732673320e70714e8ab058f0392c9f5"
 score = 75
 quality = 70
@@ -63004,8 +63004,8 @@ rule CAPE_Qakbotloader : FILE
 date = "2024-02-16"
 modified = "2024-02-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/QakBot.yar#L31-L46"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/QakBot.yar#L31-L46"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "6f99171c95a8ed5d056eeb9234dbbee123a6f95f481ad0e0a966abd2844f0e1a"
 logic_hash = "00869c0a9bf62cde3f46ca915b0ef689557b09dc58d6de34609e3998abfa7e98"
 score = 75
@@ -63032,8 +63032,8 @@ rule CAPE_Qakbotantivm
 date = "2024-02-16"
 modified = "2024-02-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/analyzer/windows/data/yara/QakBot.yar#L48-L59"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/analyzer/windows/data/yara/QakBot.yar#L48-L59"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "e269497ce458b21c8427b3f6f6594a25d583490930af2d3395cb013b20d08ff7"
 logic_hash = "20f1cd28f38945a3aa328e77e78525fb1ffc47ecf54d5a40c2f18264c3973989"
 score = 75
@@ -63056,8 +63056,8 @@ rule CAPE_Formbook
 date = "2023-10-13"
 modified = "2023-10-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Formbook.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Formbook.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "63ee4dd6fe5ed2a3e5ee88ba7de48d2c9e0024961a550d0fdb68891c9885e05e"
 score = 75
 quality = 70
@@ -63086,8 +63086,8 @@ rule CAPE_Wanacry : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/WanaCry.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/WanaCry.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "16d5e39f043d27bbf22f8f21e13971b7e0709b07e44746dd157d11ee4cc51944"
 score = 75
 quality = 70
@@ -63113,8 +63113,8 @@ rule CAPE_Zeuspanda : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/ZeusPanda.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/ZeusPanda.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "43d8a56cae9fd23c053f6956851734d3270b46a906236854502c136e3bb1e761"
 score = 75
 quality = 70
@@ -63137,8 +63137,8 @@ rule CAPE_Oyster
 date = "2024-05-30"
 modified = "2024-05-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Oyster.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Oyster.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650"
 logic_hash = "23ab1518712dbce8319b87785d7ffc0c2b61de82c2bbf533ebf0aae39ec33540"
 score = 75
@@ -63168,8 +63168,8 @@ rule CAPE_Kronos : FILE
 date = "2020-07-02"
 modified = "2020-07-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Kronos.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Kronos.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "52ce9caf3627efe8ae86df6ca59e51e9f738e13ac0265f797e8d70123dbcaeb3"
 score = 75
 quality = 70
@@ -63194,8 +63194,8 @@ rule CAPE_Pikabotloader : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/PikaBot.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/PikaBot.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "7e5f1f2911545ee6bd36b54f2627fbdec1b957f4b91df901dd1c6cbd4dff0231"
 score = 75
 quality = 70
@@ -63219,8 +63219,8 @@ rule CAPE_Pikabot : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/PikaBot.yar#L15-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/PikaBot.yar#L15-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "ed07217c373831a9a67d914854154988696e6fcea70dedabf333385f0e7bb8b7"
 score = 75
 quality = 70
@@ -63245,8 +63245,8 @@ rule CAPE_Pik23 : FILE
 date = "2024-03-13"
 modified = "2024-03-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/PikaBot.yar#L30-L44"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/PikaBot.yar#L30-L44"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1"
 logic_hash = "71a71df2f2a075294941c54eed06cafaaa4d3294e45b3a0098c1cffddd0438bc"
 score = 75
@@ -63272,8 +63272,8 @@ rule CAPE_Jaff : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Jaff.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Jaff.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6806a5eeee04b7436ff694addc334bfc0f1ee611116904d57be9506acfd47418"
 score = 75
 quality = 70
@@ -63298,8 +63298,8 @@ rule CAPE_Bumblebeeshellcode_1
 date = "2024-10-29"
 modified = "2024-10-29"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/BumbleBee.yar#L18-L33"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/BumbleBee.yar#L18-L33"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "d56f8c4e491d0d1b34e396e73750bef9917ca4f708fb6a2681de772a65c13a40"
 score = 75
 quality = 70
@@ -63326,8 +63326,8 @@ rule CAPE_Bumblebee2024
 date = "2024-10-29"
 modified = "2024-10-29"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/BumbleBee.yar#L52-L68"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/BumbleBee.yar#L52-L68"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "db58272c1ba74bc6e6a90bdacf7e8feec94be5da2b5123e0475ce86448f3edb2"
 score = 75
 quality = 70
@@ -63355,8 +63355,8 @@ rule CAPE_Zloader_1 : FILE
 date = "2025-04-07"
 modified = "2025-04-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Zloader.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Zloader.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa"
 logic_hash = "525670973b67aac048199529c97d6be00b0a8cca9bc90deb647366d92a5ea540"
 score = 75
@@ -63386,8 +63386,8 @@ rule CAPE_Netsupport : FILE
 date = "2025-10-17"
 modified = "2025-10-17"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/NetSupport.yar#L3-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/NetSupport.yar#L3-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "d12e46d74ae0ba9f599d27dc2f55ff92a6648accbcd1a43cc3f1a9a2755e5fc7"
 score = 75
 quality = 70
@@ -63412,8 +63412,8 @@ rule CAPE_Asyncrat_Kingrat
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L1-L30"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L1-L30"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "1400d2029dfb66d8f2dc34db8643d6301f3af9bd356639f883d2c10bcc0c3947"
 score = 75
 quality = 33
@@ -63451,8 +63451,8 @@ rule CAPE_Stormkitty : FILE
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L32-L57"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L32-L57"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "258f5d9da80ff912459194b1139f062491df21a44456942951e2bd98e4b86c9b"
 score = 75
 quality = 66
@@ -63487,11 +63487,11 @@ rule CAPE_Worldwind : FILE
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L60-L82"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L60-L82"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "9bb04fad460193cd877ea7f2de9337f69aadda01aee6c79f0a23cdf564b1e6c8"
 score = 75
- quality = 70
+ quality = 45
 tags = "FILE"
 cape_type = "WorldWind Payload"
 
@@ -63523,8 +63523,8 @@ rule CAPE_Prynt : FILE
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L85-L107"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L85-L107"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "84f2b33285ab1d129a62940a02990639cc8f7c92d490d7257e6aed9170d1e34e"
 score = 75
 quality = 45
@@ -63559,8 +63559,8 @@ rule CAPE_Xworm_1 : FILE
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L110-L136"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L110-L136"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "5a86c2f0a188135e53d86c176806a208abbe3dd830bde364016859ffa5294bd7"
 score = 75
 quality = 43
@@ -63599,8 +63599,8 @@ rule CAPE_Xworm_Kingrat
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L138-L155"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L138-L155"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "3914be652bb7271e5e6b89d05edf10a54f8ddaf9e22d194b60501aa2cdd495d3"
 score = 75
 quality = 66
@@ -63631,11 +63631,11 @@ rule CAPE_Dcrat : FILE
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L157-L222"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L157-L222"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "5a02dcc2b9c7eb3efdba39047e37886240b45fb7e2db3b82aa5b4b9526dfb7f8"
 score = 75
- quality = 45
+ quality = 20
 tags = "FILE"
 cape_type = "DCRat Payload"
 
@@ -63705,8 +63705,8 @@ rule CAPE_Dcrat_Kingrat
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L224-L243"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L224-L243"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "73ac27c3f0fc71d053e89690b5a7d29c1f8b0ea0a22e8595148a9001799fae54"
 score = 75
 quality = 62
@@ -63738,8 +63738,8 @@ rule CAPE_Quasarrat : FILE
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L245-L266"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L245-L266"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "556b19dc0980761198ea31a285f281adae084463d24bff1eda15326436ad562b"
 score = 75
 quality = 70
@@ -63773,8 +63773,8 @@ rule CAPE_Quasarrat_Kingrat
 date = "2025-02-03"
 modified = "2025-02-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AsyncRAT.yar#L268-L287"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AsyncRAT.yar#L268-L287"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "1f4296a592134edbe52e256dc353143af02e897ff1afad98f3dac0c5ab13f3f7"
 score = 75
 quality = 70
@@ -63806,8 +63806,8 @@ rule CAPE_Buerloader_1 : FILE
 date = "2022-05-31"
 modified = "2022-05-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/BuerLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/BuerLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "05c1f008f0a2bb8232867977fb23a5ae8312f10f0637c6265561052596319c29"
 score = 75
 quality = 70
@@ -63831,8 +63831,8 @@ rule CAPE_Scarab : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Scarab.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Scarab.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "0d8fa7ab4c8e5699f17f9e9444e85a42563a840a8e7ee9eda54add3a6845d1c6"
 score = 75
 quality = 70
@@ -63856,8 +63856,8 @@ rule CAPE_Arkei : FILE
 date = "2025-01-10"
 modified = "2025-01-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Arkei.yar#L1-L50"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Arkei.yar#L1-L50"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "296e420880d8d2f24424d0411e7ef4939e18147689557512f410da48498a44c9"
 score = 75
 quality = 70
@@ -63913,8 +63913,8 @@ rule CAPE_Cerber : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Cerber.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Cerber.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "16a8f808c28d3b142c079a305aba7f553f2452e439710bf610a06f8f2924d5a3"
 score = 75
 quality = 70
@@ -63936,8 +63936,8 @@ rule CAPE_Squirrelwaffle : FILE
 date = "2021-10-13"
 modified = "2021-10-13"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/SquirrelWaffle.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/SquirrelWaffle.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "5f799333398421d537ec7a87ca94f6cc9cf1e53e55b353036a5132440990e500"
 score = 75
 quality = 70
@@ -63960,8 +63960,8 @@ rule CAPE_Seduploader : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Seduploader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Seduploader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "d70c886699169d4dafc5b063c93682a34af5667df6d293b52256ddc19ab9c516"
 score = 75
 quality = 70
@@ -63983,8 +63983,8 @@ rule CAPE_Dridexv4 : FILE
 date = "2022-05-31"
 modified = "2022-05-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/DridexV4.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/DridexV4.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "cb103fe5f2d4792e3c612db4e2d84a4c8b0ce0f9a8443e9147e2c345f1dbdff6"
 score = 75
 quality = 70
@@ -64010,8 +64010,8 @@ rule CAPE_Smokeloader_1
 date = "2024-11-12"
 modified = "2024-11-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/SmokeLoader.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/SmokeLoader.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "779e2ac213e5ced7bc06e6208826b65cf8fc3113a69ede6408b84055542fa76d"
 score = 75
 quality = 70
@@ -64036,8 +64036,8 @@ rule CAPE_Rozena
 date = "2024-03-15"
 modified = "2024-03-15"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Rozena.yar#L1-L10"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Rozena.yar#L1-L10"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "c415a8108b58a125a604031bb8d73b58a8aae5429b5b765e35fa8a4add9cd135"
 score = 75
 quality = 70
@@ -64060,8 +64060,8 @@ rule CAPE_Varenyky : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Varenyky.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Varenyky.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "602f1b8b60b29565eabe2171fde4eb58546af68f8acecad402a7a51ea9a08ed9"
 score = 75
 quality = 70
@@ -64083,8 +64083,8 @@ rule CAPE_Vipkeylogger : FILE
 date = "2025-09-11"
 modified = "2025-09-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/VIPKeyLogger.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/VIPKeyLogger.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "b9dba7562bba4807c0789692d44650996e62c8d0c4031dedd65773877621b1de"
 score = 75
 quality = 70
@@ -64109,8 +64109,8 @@ rule CAPE_Vidar : FILE
 date = "2023-04-21"
 modified = "2023-04-21"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Vidar.yar#L1-L22"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Vidar.yar#L1-L22"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "5d4c030536ed41cf4e0dcb77b2fe4553d789ee2b8095a4b3e050692335a8709d"
 score = 75
 quality = 70
@@ -64143,8 +64143,8 @@ rule CAPE_Azer : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Azer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Azer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "48bd4a4e071f10d1911c4173a0cd39c69fed7a3b29eb92beffe709899f4cefa5"
 score = 75
 quality = 70
@@ -64168,8 +64168,8 @@ rule CAPE_Eternalromance : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/EternalRomance.yar#L1-L33"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/EternalRomance.yar#L1-L33"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "5390fae3e2411a715cdc965df8648c0c4c511d53d5f76031714f1b784b58eb0d"
 score = 75
 quality = 68
@@ -64214,8 +64214,8 @@ rule CAPE_Nighthawk
 date = "2022-12-05"
 modified = "2022-12-05"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Nighthawk.yar#L3-L24"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Nighthawk.yar#L3-L24"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "2d77912678e06503ffef0e8ed84aa4f9ac74357480d57742fbae619acebfb5f2"
 score = 75
 quality = 70
@@ -64239,8 +64239,8 @@ rule CAPE_Rhadamanthys_1
 date = "2023-09-18"
 modified = "2023-09-18"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Rhadamanthys.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Rhadamanthys.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "f71bee3ef1dd7b16a55397645d16c0a20d1fdd3bf662f241c0b11796629b11ff"
 score = 75
 quality = 70
@@ -64265,8 +64265,8 @@ rule CAPE_Megacortex : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/MegaCortex.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/MegaCortex.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "5de1d8241260070241c91b97f18feb2a90069e3b158e863e2d9f568799c244e6"
 score = 75
 quality = 70
@@ -64290,8 +64290,8 @@ rule CAPE_Lumma_1 : FILE
 date = "2025-07-08"
 modified = "2025-07-08"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Lumma.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Lumma.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "ca7822292c58af68e7a1610362bf0b5d27c93e3222ceec8d216e05a442008f37"
 score = 75
 quality = 70
@@ -64318,8 +64318,8 @@ rule CAPE_Bitpaymer : FILE
 date = "2019-11-27"
 modified = "2019-11-27"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/BitPaymer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/BitPaymer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6ae0dc9a36da13e483d8d653276b06f59ecc15c95c754c268dcc91b181677c4c"
 score = 75
 quality = 70
@@ -64342,8 +64342,8 @@ rule CAPE_Petya : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Petya.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Petya.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "f819261bb34f3b2eb7dc2f843b56be25105570fe902a77940a632a54fbe0d014"
 score = 75
 quality = 70
@@ -64367,8 +64367,8 @@ rule CAPE_Dreambot : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Dreambot.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Dreambot.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "29c6d648d5d38667c5824c2d20a83a20448c2ae6054ddddb2b2b7f8bdb69f74b"
 score = 75
 quality = 70
@@ -64393,8 +64393,8 @@ rule CAPE_Lockbit : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Lockbit.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Lockbit.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "80ab705c8246a0bd5b3de65146cf32b102f39bf9444bdf1d366b5a794c1229b9"
 score = 75
 quality = 70
@@ -64420,8 +64420,8 @@ rule CAPE_Doppelpaymer : FILE
 date = "2022-06-27"
 modified = "2022-06-27"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/DoppelPaymer.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/DoppelPaymer.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "73a2575671bafc31a70af3ce072d6f94ae172b12202baebba586a02524cb6f9d"
 score = 75
 quality = 70
@@ -64444,8 +64444,8 @@ rule CAPE_Trickbot
 date = "2023-02-07"
 modified = "2023-02-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/TrickBot.yar#L1-L20"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/TrickBot.yar#L1-L20"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "47cc2070b43957601a72745329a9d14fb3fbfd4d2b31cacc35d4ac750dde31ea"
 score = 75
 quality = 70
@@ -64476,8 +64476,8 @@ rule CAPE_Trickbot_Permadll_UEFI_Module
 date = "2023-02-07"
 modified = "2023-02-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/TrickBot.yar#L22-L38"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/TrickBot.yar#L22-L38"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "491115422a6b94dc952982e6914adc39"
 logic_hash = "564055f56fd19bed8900e6d451ba050b4e9013a9208a3bdc3d3d563567d225d2"
 score = 75
@@ -64505,8 +64505,8 @@ rule CAPE_Gootkit : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Gootkit.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Gootkit.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "26704b6b0adca51933fc9d5e097930320768fd0e9355dcefc725aee7775316e7"
 score = 75
 quality = 70
@@ -64528,8 +64528,8 @@ rule CAPE_Nanolocker : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/NanoLocker.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/NanoLocker.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "fe6c8a4e259c3c526f8f50771251f6762b2b92a4df2e8bfc705f282489f757db"
 score = 75
 quality = 70
@@ -64553,8 +64553,8 @@ rule CAPE_Ryuk : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Ryuk.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Ryuk.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "b4463993d8956e402b927a3dcfa2ca9693a959908187f720372f2d3a40e6db0c"
 score = 75
 quality = 70
@@ -64579,8 +64579,8 @@ rule CAPE_Badrabbit : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/BadRabbit.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/BadRabbit.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "309e14ab4ea2f919358631f9d8b2aaff1f51e7708b6114e4e6bf4a9d9a5fc86c"
 score = 75
 quality = 70
@@ -64604,8 +64604,8 @@ rule CAPE_Conti : FILE
 date = "2021-03-15"
 modified = "2021-03-15"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Conti.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Conti.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "c9842f93d012d0189b9c6f10ad558b37ae66226bbb619ad677f6906ccaf0e848"
 score = 75
 quality = 70
@@ -64629,8 +64629,8 @@ rule CAPE_Codoso : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Codoso.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Codoso.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "32c9ed2ac29e8905266977a9ee573a252442d96fb9ec97d88642180deceec3f8"
 score = 75
 quality = 70
@@ -64654,8 +64654,8 @@ rule CAPE_Cryptoshield : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Cryptoshield.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Cryptoshield.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "46064b4c69cb1af01330c5d194ef50728e0f0479e9fbf72828822935f8e37ac6"
 score = 75
 quality = 70
@@ -64679,8 +64679,8 @@ rule CAPE_Blackdropper
 date = "2024-10-22"
 modified = "2024-10-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/BlackDropper.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/BlackDropper.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "f8026ae3237bdd885e5fcaceb86bcab4087d8857e50ba472ca79ce44c12bc257"
 logic_hash = "c7f7bc740d413b479ebe45611ddfc04f7e4f2978516b2882069b2569c7acdf28"
 score = 75
@@ -64708,8 +64708,8 @@ rule CAPE_Remcos : FILE
 date = "2022-05-10"
 modified = "2022-05-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Remcos.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Remcos.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "38142e784ad437d9592353b924f74777bb62e5ed176c811230a2021a437d4710"
 score = 75
 quality = 68
@@ -64734,8 +64734,8 @@ rule CAPE_Rcsession
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/RCSession.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/RCSession.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "ebd1e9e615a91c35b36332cad55519607323469df738cec4464288b45787630d"
 score = 75
 quality = 70
@@ -64749,6 +64749,58 @@ rule CAPE_Rcsession
 condition:
 ( any of ( $a* ) )
 }
+rule CAPE_Winosstager : FILE
+{
+ meta:
+ description = "No description has been set in the source file - CAPE"
+ author = "YungBinary"
+ id = "aa3cb1fb-1a10-5753-ae4a-31ba6ea8297b"
+ date = "2025-10-24"
+ modified = "2025-10-24"
+ reference = "https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/WinosStager.yar#L1-L41"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
+ logic_hash = "180f0eb0d73fb499c7934ca7419f04937dad17f5f7c44293543f1722280ba6d3"
+ score = 75
+ quality = 70
+ tags = "FILE"
+ cape_type = "WinosStager Payload"
+
+ strings:
+ $s1 = "Windows\\SysWOW64\\tracerpt.exe" ascii fullword
+ $s2 = "Windows\\System32\\tracerpt.exe" ascii fullword
+ $s3 = { 70 00 31 00 3A 00 00 00 }
+ $s4 = { 6F 00 31 00 3A 00 00 00 }
+ $s5 = { 70 00 32 00 3A 00 00 00 }
+ $s6 = { 6F 00 32 00 3A 00 00 00 }
+ $s7 = { 70 00 33 00 3A 00 00 00 }
+ $s8 = { 6F 00 33 00 3A 00 00 00 }
+ $s9 = "IpDates_info" wide fullword
+ $s10 = "%s-%04d%02d%02d-%02d%02d%02d.dmp" wide fullword
+ $s11 = "Console\\0" wide fullword
+ $s12 = "d33f351a4aeea5e608853d1a56661059" wide fullword
+ $config_parse = {
+ (3B CE | 7D ??) // cmp ecx, esi or jge short loc_??????
+ (7D ?? | 0F 1F ?? 00) // jge short loc_?????? or nop dword ptr [??+00h]
+ (66 83 3C 4D ?? ?? ?? ?? 7C | 66 41 83 ?? ?? 7C) // cmp ??, 7Ch ; '|'
+ 74 ?? // jz short loc_??????
+ (41 | 48 FF C1) // inc ecx or inc rcx
+ (3B CE | FF C2) // cmp ecx, esi or inc edx
+ (7C ?? | 49 3B CB 7C ??) // jl loc_?????? | cmp rcx, r11, jl short loc_??????
+ }
+ $zero_config = {
+ FF [1-5] // call
+ 83 (7C|7D) [1-2] 0A // cmp [ebp+??], 0Ah
+ 0F 86 ?? ?? ?? ?? // jbe loc_??????
+ (68 D0 07 00 00 | 33 D2) // push 7D0h or xor edx,edx
+ (6A 00 | 41 B8 D0 07 00 00) // push 0 or mov r8d, 0x7D0
+ (68 ?? ?? ?? ?? | 48 8B CD) // push offset wszConfig or mov rcx, rbp
+ E8 // call
+ }
+
+ condition:
+ uint16( 0 ) == 0x5a4d and ( ( 3 of ( $s* ) ) or ( $config_parse or $zero_config ) )
+}
 rule CAPE_Blister_1 : FILE
 {
 meta:
@@ -64758,8 +64810,8 @@ rule CAPE_Blister_1 : FILE
 date = "2023-09-20"
 modified = "2023-09-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Blister.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Blister.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2"
 hash = "d3eab2a134e7bd3f2e8767a6285b38d19cd3df421e8af336a7852b74f194802c"
 logic_hash = "f26d85fdf0eb07e67fe38c43c5f6d024bfb7b2a333cb3411f5cdcff6bf5db12d"
@@ -64787,8 +64839,8 @@ rule CAPE_Aurastealer
 date = "2025-09-02"
 modified = "2025-09-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AuraStealer.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AuraStealer.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "960b83639a898509dc272f3235822401a8f861fa6607991993285b618b882d8b"
 score = 75
 quality = 70
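Review bot: In the new CAPE_Winosstager condition (`3 of ( $s* )`), the threshold can be satisfied entirely by the six 8-byte wide fragments $s3–$s8 (`p1:`, `o1:`, `p2:`, … each followed by a NUL), which are short, low-entropy patterns that unrelated PE files can plausibly contain, so the string branch on its own adds little specificity. Consider anchoring the count with one of the longer, family-specific strings, e.g. `uint16( 0 ) == 0x5a4d and ( ( 3 of ( $s* ) and 1 of ( $s1, $s2, $s9, $s10, $s11, $s12 ) ) or ( $config_parse or $zero_config ) )`, or move the weak fragments out of the `$s*` wildcard by renaming them. The `description` meta is the generator's placeholder text; a one-liner such as `description = "Detects the Winos4.0 online-module staging component (see reference)"` would make hits actionable for analysts triaging them. Note also that `$s11 = "Console\\0" wide fullword` matches the literal text `Console\0` (backslash, digit zero), not a NUL-terminated `Console` — presumably intended, but worth confirming against the sample.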
@@ -64817,8 +64869,8 @@ rule CAPE_Aurorastealer : FILE
 date = "2022-12-14"
 modified = "2023-03-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AuroraStealer.yar#L1-L74"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AuroraStealer.yar#L1-L74"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "0d10e9268184f494a73d5b4ab0d9a478ad0c26d2ef13d5134f8c9769f028b8f5"
 score = 75
 quality = 45
@@ -64897,8 +64949,8 @@ rule CAPE_Kovter : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Kovter.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Kovter.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "888fccb8fbfbe6c05ec63bc5658b4743f8e10a96ef51b3868c2ff94afec76f2d"
 score = 75
 quality = 70
@@ -64923,8 +64975,8 @@ rule CAPE_Kpot : FILE
 date = "2020-10-19"
 modified = "2020-10-19"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Kpot.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Kpot.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "75abaab9a10e8ac8808425c389238285ab9bd9cb76f0cd03cc1e35b3ea0a1b0f"
 score = 75
 quality = 70
@@ -64948,8 +65000,8 @@ rule CAPE_Adaptixbeacon
 date = "2025-06-16"
 modified = "2025-06-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AdaptixBeacon.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AdaptixBeacon.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
 logic_hash = "a05b5fed6328229f8490731ef9884f5b8225f8628b81dc199ea5c11fa25b8d0c"
 score = 75
@@ -64976,8 +65028,8 @@ rule CAPE_Amadey : FILE
 date = "2025-08-15"
 modified = "2025-08-15"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Amadey.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Amadey.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "988258716d5296c1323303e8fe4efd7f4642c87bfdbe970fe9a3bb3f410f70a4"
 logic_hash = "5a7405a174b63826500f3b04c6f10bc9b40d5b49e85377bef027204e75dd1e9e"
 score = 75
@@ -65003,8 +65055,8 @@ rule CAPE_Hancitor : FILE
 date = "2020-10-20"
 modified = "2020-10-20"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Hancitor.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Hancitor.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "84003542a2f587b5fbd43731c4240759806f8ee46df2bd96aae4a3c09d97e41c"
 score = 75
 quality = 70
@@ -65029,8 +65081,8 @@ rule CAPE_Emotetloader : FILE
 date = "2022-05-31"
 modified = "2022-05-31"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/EmotetLoader.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/EmotetLoader.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "410872d25ed3a89a2cba108f952d606cd1c3bf9ccc89ae6ab3377b83665c2773"
 score = 75
 quality = 70
@@ -65052,8 +65104,8 @@ rule CAPE_Magniber : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Magniber.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Magniber.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "1875754bdf98c1886f31f6c6e29992a98180f74d8fa168ae391e2c660d760618"
 score = 75
 quality = 70
@@ -65075,8 +65127,8 @@ rule CAPE_Nitrogenloader
 date = "2025-07-28"
 modified = "2025-07-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/NitrogenLoader.yar#L1-L35"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/NitrogenLoader.yar#L1-L35"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "4aab353aacc8f6910884e722f2d57439891680963accb906c2cee245437732c6"
 score = 75
 quality = 68
@@ -65122,8 +65174,8 @@ rule CAPE_Agent_Tesla
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AgentTesla.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AgentTesla.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "3945754129dcc58e0abfd7485f5ff0c0afdd1078ae2cf164ca8f59a6f79db1be"
 score = 75
 quality = 70
@@ -65149,8 +65201,8 @@ rule CAPE_Agenttesla : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AgentTesla.yar#L19-L41"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AgentTesla.yar#L19-L41"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "1bf9b26c4cf87e674ddffabe40aba5a45499c6a04d4ff3e43c3cda4cbcb4d188"
 score = 75
 quality = 70
@@ -65182,8 +65234,8 @@ rule CAPE_Agentteslav2 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AgentTesla.yar#L43-L67"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AgentTesla.yar#L43-L67"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "b45296b3b94fa1ff32de48c94329a17402461fb6696e9390565c4dba9738ed78"
 score = 75
 quality = 70
@@ -65219,8 +65271,8 @@ rule CAPE_Agentteslav3 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AgentTesla.yar#L69-L111"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AgentTesla.yar#L69-L111"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "26c4fa0ce8de6982eb599f3872e8ab2a6e83da4741db7f3500c94e0a8fe5d459"
 score = 75
 quality = 68
@@ -65273,8 +65325,8 @@ rule CAPE_Agentteslav4 : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/AgentTesla.yar#L113-L126"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/AgentTesla.yar#L113-L126"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "0a39036f408728ab312a54ff3354453d171424f57f9a8f3b42af867be3037ca9"
 score = 75
 quality = 70
@@ -65299,8 +65351,8 @@ rule CAPE_Icedid
 date = "2021-12-16"
 modified = "2021-12-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/IcedID.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/IcedID.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "e60ccbab7a360020744eba65961156ca3e2ae9cf23671014f913d71c1a96a331"
 score = 75
 quality = 45
@@ -65329,8 +65381,8 @@ rule CAPE_Xenorat
 date = "2024-10-09"
 modified = "2024-10-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/XenoRAT.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/XenoRAT.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "26f520fb69a52d05786fac0e9e38f5db9601da0a3e7768e00975a9684f3560ef"
 score = 75
 quality = 66
@@ -65357,8 +65409,8 @@ rule CAPE_Atlas : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Atlas.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Atlas.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "c3f73b29df5caf804dbfe3e6ac07a9e2c772bd2a126f0487e4a65e72bd501e6e"
 score = 75
 quality = 70
@@ -65382,8 +65434,8 @@ rule CAPE_Hermes : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Hermes.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Hermes.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "9bc974173f39a57e7adfbf8ae106a20d960557696b4c3ce16e9b4e47d3e9e95b"
 score = 75
 quality = 70
@@ -65398,6 +65450,41 @@ rule CAPE_Hermes : FILE
 condition:
 uint16( 0 ) == 0x5A4D and all of ( $* )
 }
+rule CAPE_Mykings : FILE
+{
+ meta:
+ description = "No description has been set in the source file - CAPE"
+ author = "YungBinary"
+ id = "c9d7b061-b76c-595c-a362-6c89c96093d9"
+ date = "2025-10-26"
+ modified = "2025-10-26"
+ reference = "https://x.com/YungBinary/status/1981108948498333900"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/MyKings.yar#L1-L23"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
+ logic_hash = "82647dd23c0247faa045893ec1cf111da2a30528a1b737b59ce1b71172a64473"
+ score = 75
+ quality = 70
+ tags = "FILE"
+ cape_type = "MyKings Payload"
+
+ strings:
+ $s1 = "login.php?uid=0" wide
+ $s2 = "download.txt?rnd=" wide
+ $s3 = "AcceptOK" ascii
+ $s4 = "winsta0\\default" wide
+ $s5 = "base64_ip.txt" wide
+ $s6 = { 70 00 6F 00 77 00 65 00 72 00 74 00 6F 00 6F 00 6C 00 00 00 6B 00 61 00 73 00 70 00 65 00 72 00 73 00 6B 00 79 }
+ $s7 = { 53 00 61 00 66 00 65 00 00 00 00 00 45 00 73 00 65 00 74 }
+ $s8 = { 4E 00 6F 00 64 00 33 00 32 00 00 00 4D 00 61 00 6C 00 77 00 61 00 72 00 65 }
+ $s9 = "Custom C++ HTTP Client/1.0" wide
+ $s10 = "/ru \"SYSTEM\" /f" ascii
+ $s11 = "cmd.exe /C timeout /t 1 & del " wide
+ $s12 = "/login.aspx?uid=0" wide
+ $s13 = "cmd-230812.ru" base64
+
+ condition:
+ uint16( 0 ) == 0x5a4d and ( 3 of ( $s* ) )
+}
 rule CAPE_Stealc : FILE
 {
 meta:
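Review bot: In the new CAPE_Mykings condition (`3 of ( $s* )`), several of the counted strings are generic rather than family-specific — `$s3` (`AcceptOK`), `$s4` (`winsta0\default`, the standard desktop name passed to process-creation APIs), `$s10` (a common scheduled-task argument fragment) and `$s11` (a widely reused self-delete command) — so three of them can plausibly co-occur in unrelated samples or legitimate tooling and the rule would fire without any MyKings-specific indicator. Consider anchoring the count with one of the distinctive strings, e.g. `uint16( 0 ) == 0x5a4d and ( 3 of ( $s* ) and 1 of ( $s1, $s2, $s5, $s9, $s12, $s13 ) )`, or raising the threshold to `4 of ( $s* )`. The `description` meta is the generator's placeholder text; a one-liner such as `description = "Detects MyKings payloads via C2 URI fragments, AV-name strings and the base64-encoded cmd-230812.ru domain"` would help analysts triaging hits. The `reference` is a social-media post, which tends to disappear; adding a blog or archived URL alongside it would keep the provenance resolvable.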
@@ -65407,8 +65494,8 @@ rule CAPE_Stealc : FILE
 date = "2025-08-21"
 modified = "2025-08-21"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Stealc.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Stealc.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
 logic_hash = "a6165168b7c74761b91d1691465688c748227b830813067edb4e9bdc934271c4"
 score = 75
@@ -65432,8 +65519,8 @@ rule CAPE_Stealcv2 : FILE
 date = "2025-08-21"
 modified = "2025-08-21"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Stealc.yar#L15-L32"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Stealc.yar#L15-L32"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "911c6a7f63e91a788898f3cc6e66396e39d5bd48f8fbaac49ee5dbbdaa64d5a0"
 score = 75
 quality = 70
@@ -65462,8 +65549,8 @@ rule CAPE_Ursnif : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Ursnif.yar#L1-L19"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Ursnif.yar#L1-L19"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "46e79fde81ff5352314618021e394b2e0322df07170c7279363290b7134935fd"
 score = 75
 quality = 70
@@ -65492,8 +65579,8 @@ rule CAPE_Tclient : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/TClient.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/TClient.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6edcd01e4722b367723ed77d9596877d16ee35dc4c160885d125f83e45cee24d"
 score = 75
 quality = 70
@@ -65515,8 +65602,8 @@ rule CAPE_Tscookie : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/TSCookie.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/TSCookie.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "0461c7fd14c74646437654f0a63a4a89d4efad620e197a8ca1e8d390618842c3"
 score = 75
 quality = 70
@@ -65540,8 +65627,8 @@ rule CAPE_Carbanak : FILE
 date = "2024-03-18"
 modified = "2024-03-18"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Carbanak.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Carbanak.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "c9c1b06cb9c9bd6fc4451f5e2847a1f9524bb2870d7bb6f0ee09b9dd4e3e4c84"
 logic_hash = "8ed5ab07f1635dc7cdf296e86a71a0a99d0b2faef8fc460f43d426b24b8c8367"
 score = 75
@@ -65566,8 +65653,8 @@ rule CAPE_Latrodectus_1
 date = "2025-05-10"
 modified = "2025-05-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Latrodectus.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Latrodectus.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "a547cff9991a713535e5c128a0711ca68acf9298cc2220c4ea0685d580f36811"
 logic_hash = "a8430299930f4c8de0a88c6836d4821871f7183cc5ff44ea9be84fbea47bbb13"
 score = 75
@@ -65594,8 +65681,8 @@ rule CAPE_Latrodectus_AES
 date = "2025-05-10"
 modified = "2025-05-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Latrodectus.yar#L18-L34"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Latrodectus.yar#L18-L34"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8"
 logic_hash = "058d278c16527969066d1b4ea7f0e3ab2809d5480cdab06ec476b465e0c4795a"
 score = 75
@@ -65623,8 +65710,8 @@ rule CAPE_Nightshadec2 : FILE
 date = "2025-09-12"
 modified = "2025-09-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/NightshadeC2.yar#L1-L20"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/NightshadeC2.yar#L1-L20"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
 logic_hash = "f9fabc391e21180a1c92abea0a5ded6d7669e8d8f2330b69d6c1227c9b4237a0"
 score = 75
@@ -65654,8 +65741,8 @@ rule CAPE_Dridexloader_1 : FILE
 date = "2021-03-10"
 modified = "2021-03-10"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/DridexLoader.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/DridexLoader.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "20696b1f14539c8ecf21bffc696596040c20b1ee2fcedc173945482c0baca588"
 score = 75
 quality = 70
@@ -65682,8 +65769,8 @@ rule CAPE_Petrwrap : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/PetrWrap.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/PetrWrap.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6dd1cf5639b63d0ab41b24080dad68d285f2e3969ad34fd724c83e7a0dd4b968"
 score = 75
 quality = 70
@@ -65708,8 +65795,8 @@ rule CAPE_Zerot : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/ZeroT.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/ZeroT.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "f60ae25ac3cd741b8bdc5100b5d3c474b5d9fbe8be88bfd184994bae106c3803"
 score = 75
 quality = 68
@@ -65735,8 +65822,8 @@ rule CAPE_Bazar : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Bazar.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Bazar.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "9375f59b56e47fd0b90b089afdf3be8f16f960038fc625523a2e2d5509ab099d"
 score = 75
 quality = 70
@@ -65759,8 +65846,8 @@ rule CAPE_Fareit : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Fareit.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Fareit.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "ed35391ffc949219f380da3f22bc8397a7d5c742bd68e227c3becdebcab5cf83"
 score = 75
 quality = 70
@@ -65782,8 +65869,8 @@ rule CAPE_Mole : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Mole.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Mole.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "8be4d190d554a610360c0e04b33da59eb00319395e5b2000d580546ce6503786"
 score = 75
 quality = 70
@@ -65807,8 +65894,8 @@ rule CAPE_Chaosbot : FILE
 date = "2025-10-16"
 modified = "2025-10-16"
 reference = "https://x.com/YungBinary/status/1976580501508182269"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/ChaosBot.yar#L1-L24"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/ChaosBot.yar#L1-L24"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "fcb04697dbef62497421318d5dfe7cdf5533b432975ebbfb3bd64ebbfeb4a592"
 score = 75
 quality = 62
@@ -65842,8 +65929,8 @@ rule CAPE_Nemty : FILE
 date = "2020-04-03"
 modified = "2020-04-03"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Nemty.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Nemty.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "a05974b561c67b4f1e0812639b74831edcf65686a06c0d380f0b45739e342419"
 score = 75
 quality = 70
@@ -65867,8 +65954,8 @@ rule CAPE_Monsterv2 : FILE
 date = "2025-09-12"
 modified = "2025-09-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/MonsterV2.yar#L1-L21"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/MonsterV2.yar#L1-L21"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "d4e65f860e69b2eee8a818a4146d91b84ce6da30c8fa27593587932e4f0847a8"
 score = 75
 quality = 70
@@ -65900,8 +65987,8 @@ rule CAPE_Lokibot : FILE
 date = "2022-02-01"
 modified = "2022-02-01"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/LokiBot.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/LokiBot.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "a5b3d518371138740e913d2d6ce4fa22d3da5cea7e034c7d6b4b502e6bf44b06"
 score = 75
 quality = 70
@@ -65924,8 +66011,8 @@ rule CAPE_Bruteratel
 date = "2024-07-11"
 modified = "2024-07-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/BruteRatel.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/BruteRatel.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "0984977c716d6f8e068c045166eb5db77c9fbce27513e555dceca348375f1a66"
 score = 75
 quality = 70
@@ -65950,8 +66037,8 @@ rule CAPE_Locky : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Locky.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Locky.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "9786c54a2644d9581fefe64be11b26e22806398e54e961fa4f19d26eae039cd7"
 score = 75
 quality = 70
@@ -65975,8 +66062,8 @@ rule CAPE_Sedreco : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Sedreco.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Sedreco.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "f735549606917f59a19157e604e54766e4456bc5d46e94cae3e0a3c18b52a7ca"
 score = 75
 quality = 70
@@ -66000,8 +66087,8 @@ rule CAPE_Darkcloud : FILE
 date = "2025-10-16"
 modified = "2025-10-16"
 reference = "https://x.com/YungBinary/status/1971585972912689643"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/DarkCloud.yar#L1-L39"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/DarkCloud.yar#L1-L39"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "e9a67fce4c1e4ffa7322c225522263aa4db94ae9f29113a81f5216fb4fa68b57"
 score = 75
 quality = 68
@@ -66045,8 +66132,8 @@ rule CAPE_Cobaltstrikestager
 date = "2023-01-18"
 modified = "2023-01-18"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6a55b0c3ab5f557dfb7a3f8bd616ede1bd9b93198590fc9d52aa19c1154388c5"
 score = 75
 quality = 70
@@ -66071,8 +66158,8 @@ rule CAPE_Koiloader
 date = "2024-10-25"
 modified = "2024-10-25"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/KoiLoader.yar#L1-L35"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/KoiLoader.yar#L1-L35"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "b462e3235c7578450b2b56a8aff875a3d99d22f6970a01db3ba98f7ecb6b01a0"
 logic_hash = "264a536632f8f11c904b00c9d2e505b3263c733ad8fbc2ef19c25a5ad58cef90"
 score = 75
@@ -66116,8 +66203,8 @@ rule CAPE_Obfuscar : FILE
 date = "2025-03-07"
 modified = "2025-03-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Obfuscar.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Obfuscar.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "54581e83e5fa13fae4bda74016b3fa1d18c92e2659f493ebe54d70fd5f77bba5"
 score = 75
 quality = 70
@@ -66138,8 +66225,8 @@ rule CAPE_Ramnit : FILE
 date = "2019-10-30"
 modified = "2019-10-30"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Ramnit.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Ramnit.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "6f661f47bdf8377b0fb96f190fcb964c0ed2b43ce7ae7880f9dfce9e43837efd"
 score = 75
 quality = 70
@@ -66163,8 +66250,8 @@ rule CAPE_Gandcrab : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Gandcrab.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Gandcrab.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "354ed566dbafbe8e9531bb771d9846952eb8c0e70ee94c26d09368159ce4142c"
 score = 75
 quality = 70
@@ -66189,8 +66276,8 @@ rule CAPE_Ursnifv3_1 : FILE
 date = "2023-03-23"
 modified = "2023-03-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/UrsnifV3.yar#L1-L18"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/UrsnifV3.yar#L1-L18"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "501cd52388aba16f9d33b4555f310e1ad58326916b15358a485c701acb87abd8"
 score = 75
 quality = 70
@@ -66219,8 +66306,8 @@ rule CAPE_Qakbot5_1 : FILE
 date = "2024-04-28"
 modified = "2024-04-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/QakBot.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/QakBot.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 hash = "59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35"
 logic_hash = "cc23a92f45619d44af824128b743c259dd9dfa7cb5106932f3425f3dfd1dccdf"
 score = 75
@@ -66246,8 +66333,8 @@ rule CAPE_Qakbot4_1 : FILE
 date = "2024-04-28"
 modified = "2024-04-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/QakBot.yar#L17-L35"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/QakBot.yar#L17-L35"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "b2870e33abffbb3ff49b7891b0f5c538ab48ee63da5553929d4e37dec921344f"
 score = 75
 quality = 70
@@ -66277,8 +66364,8 @@ rule CAPE_Masslogger : FILE
 date = "2020-11-24"
 modified = "2020-11-24"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/MassLogger.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/MassLogger.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "c8d82694810aafbdc6a35a661e7431e9536035e2f7fef90b9359064c4209b66c"
 score = 75
 quality = 70
@@ -66301,8 +66388,8 @@ rule CAPE_Azorult : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/Azorult.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/Azorult.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "4691cf48d513d1965416b0cce1b6e19c8f7b393a940afd68b7c6ca8c0d125d90"
 score = 75
 quality = 70
@@ -66325,8 +66412,8 @@ rule CAPE_Rokrat : FILE
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/data/yara/CAPE/RokRat.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/054d9ba3709496537788e50ca83e701835368596/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/data/yara/CAPE/RokRat.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/724bafc14f078ad7a6fb8e5233ef7b58c19a858e/LICENSE"
 logic_hash = "2aaa7de7ccd59e0da690f4bc0c7deaacf61314d61f8d2aa3ce6f6892f50612ec"
 score = 75
 quality = 70
@@ -66344,7 +66431,7 @@ rule CAPE_Rokrat : FILE
 * YARA Rule Set
 * Repository Name: BinaryAlert
 * Repository: https://github.com/airbnb/binaryalert/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: a9c0f06affc35e1f8e45bb77f835b92350c68a0b
 * Number of Rules: 80
 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -68808,7 +68895,7 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Icloudcontacts
 * YARA Rule Set
 * Repository Name: DeadBits
 * Repository: https://github.com/deadbits/yara-rules/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: d002f7ecee23e09142a3ac3e79c84f71dda3f001
 * Number of Rules: 19
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -69308,7 +69395,7 @@ rule DEADBITS_Acbackdoor_ELF : LINUX MALWARE BACKDOOR
 description = "No description has been set in the source file - DeadBits"
 author = "Adam M. Swanda"
 id = "82eb41bf-cd1d-5b00-973b-31a79c75cfc0"
- date = "2019-11-26"
+ date = "2019-11-02"
 modified = "2019-12-04"
 reference = "https://www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/ACBackdoor_Linux.yara#L1-L41"
@@ -69400,7 +69487,7 @@ rule DEADBITS_Jsworm : MALWARE FILE
 license_url = "N/A"
 logic_hash = "99074e25ec15c5b25fa41bef19203f5ddc227acd51fadca1e2c3ece538b3da01"
 score = 75
- quality = 78
+ quality = 53
 tags = "MALWARE, FILE"
 
 strings:
@@ -69661,7 +69748,7 @@ rule DEADBITS_APT34_PICKPOCKET : APT APT34 INFOSTEALER WINMALWARE FILE
 * YARA Rule Set
 * Repository Name: DelivrTo
 * Repository: https://github.com/delivr-to/detections
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: f85e1d0c477cbf4689d1cfe4a80049c465673b23
 * Number of Rules: 13
 * Skipped: 0 (age), 2 (quality), 0 (score), 0 (importance)
@@ -69980,7 +70067,7 @@ rule DELIVRTO_SUSP_Msg_CVE_2023_23397_Mar23 : CVE_2023_23397 FILE
 * YARA Rule Set
 * Repository Name: ESET
 * Repository: https://github.com/eset/malware-ioc
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 266938e95240a83d965971095f513d465f53c182
 * Number of Rules: 99
 * Skipped: 0 (age), 8 (quality), 1 (score), 0 (importance)
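Review bot: The `date` of DEADBITS_Acbackdoor_ELF moves from `"2019-11-26"` to `"2019-11-02"` while `modified = "2019-12-04"` and the pinned upstream commit d002f7ecee23e09142a3ac3e79c84f71dda3f001 are untouched, so this looks like the generator rewriting the day-of-month to match its own build date rather than a genuine upstream edit; the same drift appears in ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption (`2025-01-26` → `2025-01-02`) and in every TRELLIX_ARC rule in this chunk (`2025-10-01` → `2025-11-01`), all against unchanged source commits. For anyone filtering or triaging on rule age this makes `date` untrustworthy in this vendor drop; treat `modified` as the authoritative field here and report the drift upstream so the rewrite can be fixed at the source. The `quality` values in DEADBITS_Jsworm and the FIREEYE_RT DUEDLLIGENCE/LUALOADER hunks also swing between regenerations (78 → 53, 75 → 50, 50 → 75) with no change to the rules themselves, which suggests that score is not deterministic and should not be used as a threshold without a pinned generator version.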
@@ -72515,7 +72602,7 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption : FILE
 description = "Matches the function used to decrypt resources headers in TA410 FlowCloud"
 author = "ESET Research"
 id = "403c1845-bc25-5a49-8553-8a0be18d6970"
- date = "2025-01-26"
+ date = "2025-01-02"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/266938e95240a83d965971095f513d465f53c182/ta410/ta410.yar#L417-L496"
@@ -73576,7 +73663,7 @@ rule ESET_Richheaders_Lazarus_Nukesped_Iconicpayloads_3CX_Q12023
 * YARA Rule Set
 * Repository Name: FireEye-RT
 * Repository: https://github.com/mandiant/red_team_tool_countermeasures/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 3561b71724dbfa3e2bb78106aaa2d7f8b892c43b
 * Number of Rules: 167
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -75021,7 +75108,7 @@ rule FIREEYE_RT_Loader_MSIL_DUEDLLIGENCE_3 : FILE
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 logic_hash = "41cc6a4c7765b1e5e88d12660b69e434c83938ca974b9ccf6545b4dd5dd78378"
 score = 75
- quality = 75
+ quality = 50
 tags = "FILE"
 
 strings:
@@ -75046,7 +75133,7 @@ rule FIREEYE_RT_Loader_MSIL_DUEDLLIGENCE_1 : FILE
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 logic_hash = "56237d686b954950849adeedc87d5f9fbff2335a0ff033ba8571b3e3b93f587c"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 
 strings:
@@ -77128,7 +77215,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_LUALOADER_1 : FILE
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 logic_hash = "2d73d434ac39ebde990aca817a54208cd04bfbce33f1bcadcf48a50d9389658c"
 score = 75
- quality = 50
+ quality = 75
 tags = "FILE"
 
 strings:
@@ -78274,7 +78361,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPSTOMP_1 : FILE
 * YARA Rule Set
 * Repository Name: GCTI
 * Repository: https://github.com/chronicle/GCTI
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 1c5fd42b1895098527fde00c2d9757edf6b303bb
 * Number of Rules: 90
 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -81491,7 +81578,7 @@ rule GCTI_Cobaltstrike_Resources__Template_Vbs_V3_3_To_V4_X
 * YARA Rule Set
 * Repository Name: Malpedia
 * Repository: https://github.com/malpedia/signator-rules/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 6558c417dcf07146b1309b6acde6be0aa96dea10
 * Number of Rules: 1468
 * Skipped: 0 (age), 16 (quality), 0 (score), 0 (importance)
@@ -142515,7 +142602,7 @@ rule MALPEDIA_Win_Chir_Auto : FILE
 * YARA Rule Set
 * Repository Name: Trellix ARC
 * Repository: https://github.com/advanced-threat-research/Yara-Rules/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 1919562a59f190bda60c982424f6a24c542ee3e0
 * Number of Rules: 163
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -142911,7 +142998,7 @@ rule TRELLIX_ARC_Nionspy : FILEINFECTOR FILE
 description = "Triggers on old and new variants of W32/NionSpy file infector"
 author = "Trellix ARC Team"
 id = "86051ef8-a18b-553c-b06c-490f8d6df5cf"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/malware/MALW_NionSpy.yar#L1-L25"
@@ -142997,7 +143084,7 @@ rule TRELLIX_ARC_Msworldexploit_Builder_Doc : MALDOC FILE
 description = "Rule to detect RTF/Docs files created by MsWordExploit Builder"
 author = "Marc Rivero | McAfee ATR Team"
 id = "6c4c091b-5fce-583a-bc17-31830251892c"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/malware/MALW_MsWordExploit_DOC.yar#L1-L24"
@@ -143024,7 +143111,7 @@ rule TRELLIX_ARC_Malw_Eicar : EICAR
 description = "Rule to detect the EICAR pattern"
 author = "Marc Rivero | McAfee ATR Team"
 id = "16307b03-7fab-5d68-ad3b-0efcea952fcf"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://www.eicar.org/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/malware/MALW_Eicar.yar#L1-L22"
@@ -143306,7 +143393,7 @@ rule TRELLIX_ARC_Shifu : FINANCIAL
 description = "No description has been set in the source file - Trellix ARC"
 author = "McAfee Labs"
 id = "81e9ad25-1df0-5196-be8b-1d1d5d8e4387"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/malware/MALW_Shifu.yar#L1-L24"
@@ -143449,7 +143536,7 @@ rule TRELLIX_ARC_Rovnix_Downloader : DOWNLOADER
 description = "Rovnix downloader with sinkhole checks"
 author = "Intel Security"
 id = "d51f8f73-7a3a-5ccf-9122-86061b5399f1"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/malware/MALW_Rovnix.yar#L1-L38"
@@ -143854,7 +143941,7 @@ rule TRELLIX_ARC_Rietspoof_Loader : RANSOMWARE FILE
 description = "Rule to detect the Rietspoof loader"
 author = "Marc Rivero | McAfee ATR Team"
 id = "f306e381-e2ae-528e-937b-aced72356d77"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://blog.avast.com/rietspoof-malware-increases-activity"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/malware/MALW_rietspoof_loader.yar#L1-L22"
@@ -146432,7 +146519,7 @@ rule TRELLIX_ARC_Megacortex_Signed : RANSOMWARE FILE
 description = "Rule to detect MegaCortex samples digitally signed"
 author = "Marc Rivero | McAfee ATR Team"
 id = "78a74e30-4de0-5e63-8ca5-31251c296f98"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://blog.malwarebytes.com/detections/ransom-megacortex/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/ransomware/RANSOM_MegaCortex.yar#L3-L26"
@@ -146816,7 +146903,7 @@ rule TRELLIX_ARC_Badrabbit_Ransomware : RANSOMWARE FILE
 description = "Rule to detect Bad Rabbit Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
 id = "d6e78c14-0913-5eed-be15-a6d1a8cd1a8d"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://securelist.com/bad-rabbit-ransomware/82851/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/ransomware/RANSOM_BadRabbit.yar#L49-L101"
@@ -147855,7 +147942,7 @@ rule TRELLIX_ARC_Sodinokobi : RANSOMWARE
 description = "This rule detect Sodinokobi Ransomware in memory in old samples and perhaps future."
 author = "McAfee ATR team"
 id = "dd05ce31-9699-50a9-944c-5883340791af"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2025-03-18"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/ransomware/RANSOM_Sodinokibi.yar#L32-L53"
@@ -147883,7 +147970,7 @@ rule TRELLIX_ARC_Ransom_Black_Kingdom : RANSOMWARE FILE
 description = "Rule to detect Black Kingdom ransomware that is spread using the latest Exchange vulns"
 author = "McAfee ATR"
 id = "c38e6dbf-7fb9-52f0-acd0-f824647b6041"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2021-04-06"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/ransomware/ransom_BlackKingDom.yar#L3-L49"
@@ -148209,7 +148296,7 @@ rule TRELLIX_ARC_Cryptonar_Ransomware : RANSOMWARE FILE
 description = "Rule to detect CryptoNar Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
 id = "0911250f-fc1f-58bc-ac09-d77d2a2ed3ce"
- date = "2025-10-01"
+ date = "2025-11-01"
 modified = "2020-08-14"
 reference = "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/1919562a59f190bda60c982424f6a24c542ee3e0/ransomware/RANSOM_CryptoNar.yar#L1-L36"
@@ -148409,7 +148496,7 @@ rule TRELLIX_ARC_Backdoorfckg : CTB_LOCKER_RANSOMWARE RANSOMWARE
 * YARA Rule Set
 * Repository Name: Arkbird SOLG
 * Repository: https://github.com/StrangerealIntel/DailyIOC
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: a873ff1298c43705e9c67286f3014f4300dd04f7
 * Number of Rules: 215
 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance)
@@ -155518,7 +155605,7 @@ rule ARKBIRD_SOLG_APT_Chisel_Hafnium_Feb_2021_1 : FILE
 * YARA Rule Set
 * Repository Name: Telekom Security
 * Repository: https://github.com/telekom-security/malware_analysis/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: bf832d97e8fd292ec5e095e35bde992a6462e71c
 * Number of Rules: 12
 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance)
@@ -155886,7 +155973,7 @@ rule TELEKOM_SECURITY_Win_Systembc_20220311 : FILE
 * YARA Rule Set
 * Repository Name: Volexity
 * Repository: https://github.com/volexity/threat-intel
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: c24b8d9bea44ac757193a3152b1fd9dbf34fe503
 * Number of Rules: 86
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -159069,7 +159156,7 @@ rule VOLEXITY_Apt_Win_Powerstar : CHARMINGKITTEN
 * YARA Rule Set
 * Repository Name: JPCERTCC
 * Repository: https://github.com/JPCERTCC/MalConfScan/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 19ec0d145535a6a4cfd37c0960114f455a8c343e
 * Number of Rules: 30
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -159913,7 +160000,7 @@ rule JPCERTCC_Elf_Wellmess : FILE
 * YARA Rule Set
 * Repository Name: SecuInfra
 * Repository: https://github.com/SIFalcon/Detection
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd
 * Number of Rules: 45
 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance)
@@ -161206,7 +161293,7 @@ rule SECUINFRA_SUSP_LNK_Staging_Directory : FILE
 * YARA Rule Set
 * Repository Name: RussianPanda
 * Repository: https://github.com/RussianPanda95/Yara-Rules
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 51411489a2f384df8a4983387b83c78bcca9afc6
 * Number of Rules: 87
 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -163485,7 +163572,7 @@ rule RUSSIANPANDA_Purecrypter : FILE
 * YARA Rule Set
 * Repository Name: Check Point
 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9
 * Number of Rules: 4
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -163699,7 +163786,7 @@ rule CHECK_POINT_Injector_ZZ_Dotrunpex_Oldnew : FILE
 * YARA Rule Set
 * Repository Name: Dragon Threat Labs
 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9
 * Number of Rules: 7
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -163890,7 +163977,7 @@ rule DRAGON_THREAT_LABS_Apt_Win_Mocelpa
 * YARA Rule Set
 * Repository Name: Microsoft
 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9
 * Number of Rules: 21
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -164493,7 +164580,7 @@ rule MICROSOFT_Devilstongue_Hijackdll : FILE
 * YARA Rule Set
 * Repository Name: NCSC
 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9
 * Number of Rules: 17
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -164963,7 +165050,7 @@ rule NCSC_Sparrowdoor_Sleep_Routine
 * YARA Rule Set
 * Repository Name: Dr4k0nia
 * Repository: https://github.com/dr4k0nia/yara-rules
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8
 * Number of Rules: 5
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -165141,7 +165228,7 @@ rule DR4K0NIA_MAL_MSIL_NET_Typhonlogger_Jul23 : FILE
 * YARA Rule Set
 * Repository Name: EmbeeResearch
 * Repository: https://github.com/embee-research/Yara-detection-rules/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4
 * Number of Rules: 39
 * Skipped: 0 (age), 8 (quality), 0 (score), 0 (importance)
@@ -166222,8 +166309,8 @@ rule EMBEERESEARCH_Win_Havoc_Djb2_Hashing_Routine_Oct_2022 : FILE
 * YARA Rule Set
 * Repository Name: AvastTI
 * Repository: https://github.com/avast/ioc
- * Retrieval Date: 2025-10-26
- * Git Commit: 5659f4f0f4e09970c5de29c536ceb500d5634951
+ * Retrieval Date: 2025-11-02
+ * Git Commit: e385a6358edfd0d107b3bb53b384aa2926af22e1
 * Number of Rules: 33
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
 *
@@ -166241,7 +166328,7 @@ private rule AVASTTI_EXE_PRIVATE : FILE
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/Manjusaka/Manjusaka.yar#L9-L13"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/Manjusaka/Manjusaka.yar#L9-L13"
 license_url = "N/A"
 logic_hash = "0688672446142f95a22e49a04234cc90b6c9021efeda9ce57034c88d84944663"
 score = 75
@@ -166260,7 +166347,7 @@ private rule AVASTTI_ELF_PRIVATE
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/Manjusaka/Manjusaka.yar#L1-L7"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/Manjusaka/Manjusaka.yar#L1-L7"
 license_url = "N/A"
 logic_hash = "eb05e5d53bb8dea91467a76a164542894cdb1355cf3909f56818e27c589344ec"
 score = 75
@@ -166282,7 +166369,7 @@ rule AVASTTI_Manjusaka_Framework_Go_Build_Id
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/Manjusaka/Manjusaka.yar#L15-L62"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/Manjusaka/Manjusaka.yar#L15-L62"
 license_url = "N/A"
 hash = "955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1"
 hash = "f275ca5129399a521c8cd9754b1133ecd2debcfafc928c01df6bd438522c564a"
@@ -166329,7 +166416,7 @@ rule AVASTTI_Manjusaka_Payload_Encoded_Hexstring
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/Manjusaka/Manjusaka.yar#L64-L93"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/Manjusaka/Manjusaka.yar#L64-L93"
 license_url = "N/A"
 logic_hash = "5c0b83e709baea7db6185d888bfa10bab073eb0eb2f3fb72df2da76fff3f6f22"
 score = 75
@@ -166359,7 +166446,7 @@ rule AVASTTI_Manjusaka_Payload_Elf
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/Manjusaka/Manjusaka.yar#L95-L122"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/Manjusaka/Manjusaka.yar#L95-L122"
 license_url = "N/A"
 hash = "0063e5007566e0a7e8bfd73c4628c6d140b332df4f9afbb0adcf0c832dd54c2b"
 hash = "76eb9af0e2f620016d63d38ddb86f0f3f8f598b54146ad14e6af3d8f347dd365"
@@ -166395,7 +166482,7 @@ rule AVASTTI_Manjusaka_Payload_Mz
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/Manjusaka/Manjusaka.yar#L124-L161"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/Manjusaka/Manjusaka.yar#L124-L161"
 license_url = "N/A"
 hash = "6839180bc3a2404e629c108d7e8c8548caf9f8249bbbf658b47c00a15a64758f"
 hash = "cd0c75638724c0529cc9e7ca0a91d2f5d7221ef2a87b65ded2bc1603736e3b5d"
@@ -166441,7 +166528,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Dns_Stager_X86
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L1-L26"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L1-L26"
 license_url = "N/A"
 logic_hash = "d447fac16f0a712b1c264bc83b4cf2e56e5e98b369617799b981cd75b37c3511"
 score = 75
@@ -166463,7 +166550,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Smb_Stager_X86
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L28-L57"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L28-L57"
 license_url = "N/A"
 logic_hash = "7459bcb0353f114a869aa61adc0229197ca9a1cfce0741dc227fabbeea2afba9"
 score = 75
@@ -166485,7 +166572,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Bind_X86
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
- source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L59-L96"
+ source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L59-L96"
 license_url = "N/A"
 logic_hash = "5c56e1f1d85375f19b6085b3d4654d2d1ba38d3dfcfea66707ca8957a6ed7bf8"
 score = 75
@@ -166507,7 +166594,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Bind_X64 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L98-L133" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L98-L133" license_url = "N/A" logic_hash = "a803a9c76142ccadda5f5c8f6abf78ac9a60523576edf62f4a1600556f4b6261" score = 75 @@ -166529,7 +166616,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Reverse_X86 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L135-L164" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L135-L164" license_url = "N/A" logic_hash = "c20de49c3225a7aed8460d0e3cc3bce715c8746fb4313a2faf9da3c8d1d87387" score = 75 @@ -166551,7 +166638,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Reverse_X64 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L166-L195" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L166-L195" license_url = "N/A" logic_hash = "58ae5351bac70ab9530cb033d1f6bb90acb6b66df395d59a55d221ef2a2e5dcf" score = 75 
@@ -166573,7 +166660,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Http_Stager_X86 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L197-L232" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L197-L232" license_url = "N/A" logic_hash = "d3c74ff363d113d25d9ecca114dd0872487e713a978da4f94f3cccc2e92943ff" score = 75 @@ -166595,7 +166682,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Http_Stager_X64 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L234-L263" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L234-L263" license_url = "N/A" logic_hash = "a89a8e25d894bf7e5c4a10e2a14b78a52543e42fb185667db9f9548f52ef58bf" score = 75 @@ -166617,7 +166704,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Https_Stager_X86 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L266-L303" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L266-L303" license_url = "N/A" logic_hash = "c168b6f2ce35e57cd4c572ce40652261df7af7900beab7ffcdae58113cad88c0" score = 75 
@@ -166639,7 +166726,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Https_Stager_X64 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L306-L337" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L306-L337" license_url = "N/A" logic_hash = "cb36d75efcd0e76bf96793863d1aa5145237ec3ce5c7195e679f2e1019d5bbab" score = 75 @@ -166661,7 +166748,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Dns_Stager_X86_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L339-L354" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L339-L354" license_url = "N/A" logic_hash = "3519d2af99a159483ba22cd87907bcc87bea1cfc2fb92f5f0334fff1c385ef00" score = 75 @@ -166683,7 +166770,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Smb_Stager_X86_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L356-L373" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L356-L373" license_url = "N/A" logic_hash = "74c50e1c989167ea6d9309e2b53629c7103484faa809a80e90b7d5c318b2370c" score = 75 
@@ -166705,7 +166792,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Bind_X86_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L375-L396" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L375-L396" license_url = "N/A" logic_hash = "2c5ac98ffbea197d14cd6e508729885b5f86adbace0a6d978664908e070965cf" score = 75 @@ -166727,7 +166814,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Bind_X64_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L398-L418" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L398-L418" license_url = "N/A" logic_hash = "cdd8e0c9bdaf8d7662a118964abdea8eaea6c0e17fe1f20a80497c0c43d496d6" score = 75 @@ -166749,7 +166836,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Reverse_X86_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L420-L437" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L420-L437" license_url = "N/A" logic_hash = "5495405ef3a54c960cf27147dce0d25cb298fee84a99415b59bc548c4f64a1e6" score = 75 
@@ -166771,7 +166858,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Reverse_X64_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L439-L456" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L439-L456" license_url = "N/A" logic_hash = "d7e8fe5d2e07b7a85fadaa432bf345231ac4ddac5458167431403ddfe05467fc" score = 75 @@ -166793,7 +166880,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Http_Stager_X86_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L458-L478" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L458-L478" license_url = "N/A" logic_hash = "b6e19ee9141aa22d73de6d8145257eba7b3b2bb2edc0996591085c84f242ec87" score = 75 @@ -166815,7 +166902,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Http_Stager_X64_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L480-L497" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L480-L497" license_url = "N/A" logic_hash = "f88378749f0da0c66d66b917eeb11a56f083bb487c19c22a230dee4f50e1e309" score = 75 
@@ -166837,7 +166924,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Https_Stager_X86_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L499-L520" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L499-L520" license_url = "N/A" logic_hash = "5003ebd545182bb105cdcaaac2105a92cdd99a0178c24eb5ae2888232897aeb5" score = 75 @@ -166859,7 +166946,7 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Https_Stager_X64_Utf16 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L522-L540" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L522-L540" license_url = "N/A" logic_hash = "dee3eb3353da0179c58a33c3be0af6ad1e6aa9f13e9e6b9821c94f11d209266f" score = 75 @@ -166881,7 +166968,7 @@ rule AVASTTI_Cobaltstrike_Payload_Encoded date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L542-L593" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L542-L593" license_url = "N/A" logic_hash = "03c650b3c1797c03c635e25ea9d1d4589c6a4b31da0a3e48631fa16d0e3a342b" score = 75 
@@ -166926,7 +167013,7 @@ rule AVASTTI_Cobaltstrike_Strike_Payload_Xored date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L595-L613" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L595-L613" license_url = "N/A" logic_hash = "532cf38554ad7211fab74d050007f6fe8d63c20e05f21a6737fff12ac92a81d7" score = 75 @@ -166948,7 +167035,7 @@ rule AVASTTI_Cobaltstrike_Beacon_X86 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L615-L632" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L615-L632" license_url = "N/A" logic_hash = "e6328aae5954ac8e3914e65603813ba4f11d97ff91d08a1398e1f71740879463" score = 75 @@ -166973,7 +167060,7 @@ rule AVASTTI_Cobaltstrike_Beacon_X64 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L634-L651" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L634-L651" license_url = "N/A" logic_hash = "7abf5f9a337c60944a52efcc7a16a768652c46843d2da3df2f946dd6e63f9375" score = 75 
@@ -166998,7 +167085,7 @@ rule AVASTTI_Cobaltstrike_Beacon_Encoded date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L653-L703" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L653-L703" license_url = "N/A" logic_hash = "f763c0c41a69c6bafb65517d20ef76242bf7b1626d6745d9a1c26772de3ffa26" score = 75 @@ -167043,7 +167130,7 @@ rule AVASTTI_Cobaltstrike_Beacon_Xored_X86 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L705-L726" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L705-L726" license_url = "N/A" logic_hash = "1415c8ab5b4ddd6eb0f561b570358f04f967621dfc6274e0380879563b612c27" score = 75 @@ -167067,7 +167154,7 @@ rule AVASTTI_Cobaltstrike_Beacon_Xored_X64 date = "2021-07-08" modified = "2021-07-08" reference = "https://github.com/avast/ioc" - source_url = "https://github.com/avast/ioc/blob/5659f4f0f4e09970c5de29c536ceb500d5634951/CobaltStrike/yara_rules/cs_rules.yar#L728-L746" + source_url = "https://github.com/avast/ioc/blob/e385a6358edfd0d107b3bb53b384aa2926af22e1/CobaltStrike/yara_rules/cs_rules.yar#L728-L746" license_url = "N/A" logic_hash = "11e6c8be28325d42f24fb5bb43c0b5fd35990a46857bae7c9940262a33c02a8c" score = 75 
@@ -167085,7 +167172,7 @@ rule AVASTTI_Cobaltstrike_Beacon_Xored_X64 * YARA Rule Set * Repository Name: SBousseaden * Repository: https://github.com/sbousseaden/YaraHunts/ - * Retrieval Date: 2025-10-26 + * Retrieval Date: 2025-11-02 * Git Commit: 71b27a2a7c57c2aa1877a11d8933167794e2b4fb * Number of Rules: 37 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -168191,7 +168278,7 @@ rule SBOUSSEADEN_Hunt_Susp_Vhd : FILE * YARA Rule Set * Repository Name: Elceef * Repository: https://github.com/elceef/yara-rulz - * Retrieval Date: 2025-10-26 + * Retrieval Date: 2025-11-02 * Git Commit: 791721372091836f5bf477d7f21114f45a310052 * Number of Rules: 19 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -168745,7 +168832,7 @@ rule ELCEEF_Outlook_CVE_2023_23397_Exploit : FILE * YARA Rule Set * Repository Name: GodModeRules * Repository: https://github.com/Neo23x0/god-mode-rules/ - * Retrieval Date: 2025-10-26 + * Retrieval Date: 2025-11-02 * Git Commit: 436dc682164cf17a123d6b09d1424e7e2acf0c25 * Number of Rules: 1 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -169016,7 +169103,7 @@ rule GODMODERULES_IDDQD_God_Mode_Rule * YARA Rule Set * Repository Name: Cod3nym * Repository: https://github.com/cod3nym/detection-rules/ - * Retrieval Date: 2025-10-26 + * Retrieval Date: 2025-11-02 * Git Commit: 5939dadd34ebd3c111f97ba0bc0085b639e142a5 * Number of Rules: 13 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) @@ -169473,7 +169560,7 @@ rule COD3NYM_MAL_NET_Niximports_Loader_Jan24 : FILE * YARA Rule Set * Repository Name: craiu * Repository: https://github.com/craiu/yararules - * Retrieval Date: 2025-10-26 + * Retrieval Date: 2025-11-02 * Git Commit: 23cf0ca22021fa3684e180a18416b9ae1b695243 * Number of Rules: 13 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -170638,10 +170725,10 @@ rule CRAIU_Crime_Noabot : FILE * YARA Rule Set * Repository Name: DitekSHen * Repository: https://github.com/ditekshen/detection - * Retrieval Date: 2025-10-26 + * Retrieval Date: 2025-11-02 * Git Commit: e76c93dcdedff04076380ffc60ea54e45b313635 - * Number of Rules: 1439 - * Skipped: 0 (age), 114 (quality), 0 (score), 0 (importance) + * Number of Rules: 1436 + * Skipped: 0 (age), 117 (quality), 0 (score), 0 (importance) * * * LICENSE @@ -171114,35 +171201,6 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_PWSH_Asciiencoding_Pattern : FILE condition: 1 of ( $enc* ) and 4 of ( $s* ) and filesize < 2500KB } -rule DITEKSHEN_INDICATOR_SUSPICIOUS_JS_Hex_B64Encoded_EXE : FILE -{ - meta: - description = "Detects JavaScript files hex and base64 encoded executables" - author = "ditekSHen" - id = "37516c6b-0a77-5a20-a36f-5f8309b37362" - date = "2024-06-08" - modified = "2024-06-08" - reference = "https://github.com/ditekshen/detection" - source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L726-L740" - license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "60185e6ec96875085ffb7a6bf6eb8643368bbce42b89290ab987eb32c1e153bd" - score = 40 - quality = 20 - tags = "FILE" - importance = 20 - - strings: - $s1 = ".SaveToFile" ascii - $s2 = ".Run" ascii - $s3 = "ActiveXObject" ascii - $s4 = "fromCharCode" ascii - $s5 = "\\x66\\x72\\x6F\\x6D\\x43\\x68\\x61\\x72\\x43\\x6F\\x64\\x65" ascii - $binary = "\\x54\\x56\\x71\\x51\\x41\\x41" ascii - $pattern = /[\s\{\(\[=]_0x[0-9a-z]{3,6}/ ascii - - condition: - $binary and $pattern and 2 of ( $s* ) and filesize < 2500KB -} rule DITEKSHEN_INDICATOR_SUSPICIOUS_WMIC_Downloader : FILE { meta: 
@@ -174332,7 +174390,7 @@ rule DITEKSHEN_INDICATOR_TOOL_LTM_Sharpexec : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "17ae5c9f0b22e8ecbbbcbe052e466d00cb7b62cff423688b5138209c52f0698d" score = 75 - quality = 48 + quality = 73 tags = "FILE" strings: @@ -175888,7 +175946,7 @@ rule DITEKSHEN_INDICATOR_TOOL_ENUM_Sharpshares : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "8b35d6a692814e1b27ffc1db4ab124bf621c156aaf57f24796c422ec95a85715" score = 75 - quality = 50 + quality = 25 tags = "FILE" strings: @@ -191657,7 +191715,7 @@ rule DITEKSHEN_INDICATOR_RMM_Dwagent_Soundcapture : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c0efa9f383373dec1c5b9d127c2b4c6f4906718ae8f62eea28d7a369001be5af" score = 75 - quality = 50 + quality = 75 tags = "FILE" clamav1 = "INDICATOR.Win.RMM.DWAgent-SoundCapture" @@ -194728,7 +194786,7 @@ rule DITEKSHEN_MALWARE_BAT_Koadicbat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "1ee6c0189a5111c61af1dbe571524427bff95a7e3907f97ce51d272a8f701cf5" score = 75 - quality = 50 + quality = 25 tags = "FILE" strings: @@ -195940,7 +195998,7 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginclipboardmonitor : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c3e692a06388e143a8e1053e75a6eb6a82da5bdf26d38e3a0e339bc20d8312a1" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: 
@@ -195969,7 +196027,7 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginscreencapture : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "7b4378ae883d01338fabe2eb50a5509b722c661e63afc287afa07b263a0ebc42" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -196002,7 +196060,7 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginransomhansom : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "b22f6d22630f311241634513eb051df2b36af84a938c1ae1f5284e5a5d7d3077" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -198576,33 +198634,6 @@ rule DITEKSHEN_MALWARE_Win_Gaudox : FILE condition: uint16( 0 ) == 0x5a4d and all of them } -rule DITEKSHEN_MALWARE_Win_Phobos : FILE -{ - meta: - description = "Detects Phobos ransomware" - author = "ditekshen" - id = "7bf659ef-f2a1-5ee2-a334-c233e26a2526" - date = "2024-11-01" - modified = "2024-11-01" - reference = "https://github.com/ditekshen/detection" - source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3895-L3908" - license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "bbf8eef0863e9d6423b3b0f938561b2be486b92b4f59b5d0b67f52dba536a582" - score = 75 - quality = 25 - tags = "FILE" - - strings: - $x1 = "\\\\?\\UNC\\\\\\e-" fullword wide - $x2 = "\\\\?\\ :" fullword wide - $x3 = "POST" fullword wide - $s1 = "ELVL" fullword wide - $s2 = /SUP\d{3}/ fullword wide - $s3 = { 41 31 47 ?? 41 2b } - - condition: - uint16( 0 ) == 0x5a4d and all of ( $x* ) and 1 of ( $s* ) -} rule DITEKSHEN_MALWARE_Win_Ratty : FILE { meta: 
@@ -202444,7 +202475,7 @@ rule DITEKSHEN_MALWARE_Win_Xfiles : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "0c04a8f019aea36f4bba3ce8289c2d608c69d76bbf321052560b4ca2214be057" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -203870,7 +203901,7 @@ rule DITEKSHEN_MALWARE_Win_Horuseyesrat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c0f499e3a17923b391ed6b7fa723525a9d4aef0ce04a2c7abec60d5eda15888f" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -205782,7 +205813,7 @@ rule DITEKSHEN_MALWARE_Win_Tardigrade : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "2bd4f23f66844a320b6bed6242ba39096f66a08affb84abd78c342d433ed9fe6" score = 75 - quality = 75 + quality = 50 tags = "FILE" hash1 = "c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858" hash2 = "966b2c7c72a28310acd58bb23af4d3c893b2afca264b2d9c0ec42db815c77487" @@ -206306,7 +206337,7 @@ rule DITEKSHEN_MALWARE_Win_Locked : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "b838b996946fb268c66bac68d5e326ff3049340dfb08f2e0a77492df49915d5a" score = 75 - quality = 48 + quality = 73 tags = "FILE" strings: @@ -206559,7 +206590,7 @@ rule DITEKSHEN_MALWARE_Win_Blackcat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "cd76e5b87f33d91c17fd032417583c3f68d0e310aaf6f08e26ec5d53844ed9d2" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: 
@@ -206580,38 +206611,6 @@ rule DITEKSHEN_MALWARE_Win_Blackcat : FILE condition: ( uint16( 0 ) == 0x5a4d or uint16( 0 ) == 0x457f ) and ( all of ( $x* ) or 5 of ( $s* ) or ( 1 of ( $x* ) and 3 of ( $s* ) ) ) } -rule DITEKSHEN_MALWARE_Win_Koxic : FILE -{ - meta: - description = "Detects Koxic ransomware" - author = "ditekSHen" - id = "6a82bf44-b155-5746-b798-20a13623a14a" - date = "2024-11-01" - modified = "2024-11-01" - reference = "https://github.com/ditekshen/detection" - source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9291-L9309" - license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "d874c8ebf330814e52d159cbf71f8bc05ebeb4a9fb93d96c3f861b51e57925a3" - score = 75 - quality = 25 - tags = "FILE" - - strings: - $c1 = " INFO: >> %TEMP%\\" ascii wide - $c2 = "cmd /c \"wmic" ascii wide - $c3 = "cmd /c \"echo" ascii wide - $c4 = "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"" fullword wide - $c5 = /sc config.{1,30}start=disabled/ fullword ascii wide - $s1 = "Container: %s" fullword wide - $s2 = "Shotcut dir : %s" fullword wide - $s3 = "\\Microsoft\\Windows\\Network Shortcuts\\" fullword wide - $s4 = "Thread %d started." fullword ascii - $s5 = "ADD our TOXID:" wide - $s6 = "[Recommended] Using an email" wide - - condition: - uint16( 0 ) == 0x5a4d and ( ( 4 of ( $s* ) and 1 of ( $c* ) ) or ( 2 of ( $s* ) and ( #c1 > 5 or #c2 > 5 or #c3 > 5 or #c5 > 5 ) ) ) -} rule DITEKSHEN_MALWARE_Win_Timetime : FILE { meta: @@ -206655,7 +206654,7 @@ rule DITEKSHEN_MALWARE_Win_Strifewater : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "ddb189dfe58af08d2c0682239551a5b9d82db94eedcefc02895316bcbbaca3f2" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: 
@@ -206755,7 +206754,7 @@ rule DITEKSHEN_MALWARE_Win_Jesterstealer : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c84df5d3ad2bc7a75a11c07995cc034c2a92b2f6f6f6943288add9c44c57bf6d" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -207052,7 +207051,7 @@ rule DITEKSHEN_MALWARE_Win_Mystic : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "26e0b85141df818d70124c0b19b5b6a05ac24ae679724d7a8ad94415a6462d17" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -207689,7 +207688,7 @@ rule DITEKSHEN_MALWARE_Win_Hakunamatata_Builder : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "ac258851de38504cf63ba51fd06f8a9a3dfbe0096d199ba702e9763b5ecc43e4" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -208042,7 +208041,7 @@ rule DITEKSHEN_MALWARE_Win_Rootteamstealer : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "d1693865253067527d58c980653d550b55d022d5a394b88090a958e5d5818143" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -208344,7 +208343,7 @@ rule DITEKSHEN_MALWARE_Win_Rustystealer : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "e60e66360c8f97a31e75cd90a12519f75f3a672874fc985a8da1d4d02e185b4d" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -208850,7 +208849,7 @@ rule DITEKSHEN_MALWARE_Win_Toxiceye : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "ee01c107dd295b923801c0d1a77b1534d3a5f2abf8d2cfa93c6786a1b0553504" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: 
@@ -209597,7 +209596,7 @@ rule DITEKSHEN_MALWARE_Win_Blackhunt : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "62e9bc505eff3e19ff0cdaf180e45e6d7917f0bec7cd9b007bee9fe1d9d09b66" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -209969,7 +209968,7 @@ rule DITEKSHEN_MALWARE_Win_Ktlvdoor : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "3ced9b558c7e17acd015cd2c9dd0c5d024bf9c31c7f2e7c9b7b937124109cf8b" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -210270,8 +210269,8 @@ rule DITEKSHEN_MALWARE_Win_Babylockerkz : FILE * YARA Rule Set * Repository Name: WithSecureLabs * Repository: https://github.com/WithSecureLabs/iocs - * Retrieval Date: 2025-10-26 - * Git Commit: 406a52176a3f5202a772bc0c47364b81d2222331 + * Retrieval Date: 2025-11-02 + * Git Commit: d17db32370fd4503050d9d6bc191ed66720cd156 * Number of Rules: 5 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) * @@ -210313,8 +210312,8 @@ rule WITHSECURELABS_Kapeka_Backdoor : FILE date = "2024-04-17" modified = "2024-04-17" reference = "https://labs.withsecure.com/publications/kapeka" - source_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/Kapeka/kapeka_backdoor.yar#L2-L21" - license_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/LICENSE" + source_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/Kapeka/kapeka_backdoor.yar#L2-L21" + license_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/LICENSE" logic_hash = "49795c6e3f3690eeccd731a9ba0c6bd8d5840d9171939e71d3a4d6f0d1834f05" score = 75 quality = 25 
@@ -210343,8 +210342,8 @@ rule WITHSECURELABS_Ducktail_Artifacts : FILE date = "2022-07-18" modified = "2022-07-26" reference = "https://labs.withsecure.com/publications/ducktail" - source_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/DUCKTAIL/ducktail_artifacts.yar#L1-L20" - license_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/LICENSE" + source_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/DUCKTAIL/ducktail_artifacts.yar#L1-L20" + license_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/LICENSE" logic_hash = "1daa5e654058c802826b6a306b5bfc9d0c05c4ee54607e94e618a8d409ce74d9" score = 75 quality = 50 @@ -210372,8 +210371,8 @@ rule WITHSECURELABS_Ducktail_Dotnet_Core_Infostealer : FILE date = "2022-07-18" modified = "2022-07-25" reference = "https://labs.withsecure.com/publications/ducktail" - source_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/DUCKTAIL/ducktail_dotnet_core_infostealer.yar#L1-L103" - license_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/LICENSE" + source_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/DUCKTAIL/ducktail_dotnet_core_infostealer.yar#L1-L103" + license_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/LICENSE" logic_hash = "81b4da5860894397e9cd416e451c3098f8560407cd79f070f8edd5a3ba91512a" score = 75 quality = 50 
@@ -210476,8 +210475,8 @@ rule WITHSECURELABS_Ducktail_Nativeaot : FILE date = "2022-11-17" modified = "2022-11-22" reference = "https://labs.withsecure.com/publications/ducktail_returns" - source_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/DUCKTAIL/ducktail_nativeaot.yara#L2-L22" - license_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/LICENSE" + source_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/DUCKTAIL/ducktail_nativeaot.yara#L2-L22" + license_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/LICENSE" logic_hash = "976b28ac45e5a13d4ce900b857e6bd3afc82b65b0235791fd698b762287cd60e" score = 75 quality = 75 @@ -210500,8 +210499,8 @@ rule WITHSECURELABS_SILKLOADER date = "2023-03-15" modified = "2023-03-15" reference = "https://labs.withsecure.com/publications/silkloader" - source_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/SILKLOADER/silkloader.yar#L2-L20" - license_url = "https://github.com/WithSecureLabs/iocs/blob/406a52176a3f5202a772bc0c47364b81d2222331/LICENSE" + source_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/SILKLOADER/silkloader.yar#L2-L20" + license_url = "https://github.com/WithSecureLabs/iocs/blob/d17db32370fd4503050d9d6bc191ed66720cd156/LICENSE" logic_hash = "48aa249ea78e5a3bfe9934fd0dfa26b79f9e6cbe1e5b1426b84f8d8a3d77d742" score = 75 quality = 75 @@ -210522,8 +210521,8 @@ rule WITHSECURELABS_SILKLOADER * YARA Rule Set * Repository Name: HarfangLab * Repository: https://github.com/HarfangLab/iocs - * Retrieval Date: 2025-10-26 - * Git Commit: 4b3d974950cb01f499fc7b24b86a20b6de879edc + * Retrieval Date: 2025-11-02 + * Git Commit: 1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d * Number of Rules: 35 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) * 
@@ -210541,7 +210540,7 @@ rule HARFANGLAB_Masepie_Campaign_Htmlstarter : FILE date = "2024-01-24" modified = "2025-10-21" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L1-L16" + source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L1-L16" license_url = "N/A" hash = "628bc9f4aa71a015ec415d5d7d8cb168359886a231e17ecac2e5664760ee8eba" logic_hash = "d131372c6ad01ae77e5630bae0c0a04ce311718eb1bcf423e6575f3b0ecdba5d" @@ -210566,7 +210565,7 @@ rule HARFANGLAB_Masepie_Campaign_Webdavlnk : FILE date = "2024-01-24" modified = "2025-10-21" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L17-L39" + source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L17-L39" license_url = "N/A" hash = "19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc" logic_hash = "26075e47b54404c55f4ca5eb757efa2b1711d919de0ffbfbdf6935e2e4dd3f3d" @@ -210594,7 +210593,7 @@ rule HARFANGLAB_Masepie_Campaign_Masepie : FILE date = "2024-01-24" modified = "2025-10-21" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L40-L60" + source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L40-L60" license_url = "N/A" hash = "18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6" logic_hash = "02da8119267978e63e3ee5ecdefb52285718f8875ec64d320f2752460c05588d" 
@@ -210624,7 +210623,7 @@ rule HARFANGLAB_Masepie_Campaign_Oceanmap : FILE
 date = "2024-01-24"
 modified = "2024-01-31"
 reference = "TRR240101;https://cert.gov.ua/article/6276894"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L61-L95"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L61-L95"
 license_url = "N/A"
 hash = "24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04"
 logic_hash = "5fe244025f49358b4285e1272489378a46363ae915881dece26691d971aa93f3"
@@ -210664,7 +210663,7 @@ rule HARFANGLAB_Allasenhamaycampaign_Executorloader
 date = "2024-05-28"
 modified = "2025-10-21"
 reference = "TRR240501"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L96-L114"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L96-L114"
 license_url = "N/A"
 logic_hash = "61aa0bf180574856e57d0b26442bfa6f4b1e25844611d6eadaed529e1bb86625"
 score = 75
@@ -210692,7 +210691,7 @@ rule HARFANGLAB_Allasenhamaycampaign_Allasenha
 date = "2024-05-28"
 modified = "2025-10-21"
 reference = "TRR240501"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L115-L137"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L115-L137"
 license_url = "N/A"
 logic_hash = "affe75ade6c8d9eeba00006f78678a48b1cfc5ffa9f9675fdea6ffd6cb3a02bd"
 score = 75
@@ -210725,7 +210724,7 @@ rule HARFANGLAB_Nhas_Reverse_Shell_Unpacked_Large : FILE
 date = "2024-09-24"
 modified = "2025-10-21"
 reference = "TRR250201"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L254-L275"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L254-L275"
 license_url = "N/A"
 hash = "18556a794f5d47f93d375e257fa94b9fb1088f3021cf79cc955eb4c1813a95da"
 logic_hash = "eedbf91f9ea7607dc68126840da338035b48509c5649a89f490d8cdfb32844b2"
@@ -210755,7 +210754,7 @@ rule HARFANGLAB_Nhas_Reverse_Shell_Pe_Inmem_Large
 date = "2024-09-24"
 modified = "2025-10-21"
 reference = "TRR250201"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L276-L294"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L276-L294"
 license_url = "N/A"
 hash = "7798b45ffc488356f7253805dc9c8d2210552bee39db9082f772185430360574"
 logic_hash = "b9bbbbd93dc39f8c16c7f8275fa73f4c345c3ba8f21da76ae491e89d3a22c473"
@@ -210784,7 +210783,7 @@ rule HARFANGLAB_Nhas_Reverse_Shell_Elf_Inmem_Large
 date = "2024-09-24"
 modified = "2025-10-21"
 reference = "TRR250201"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L295-L312"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L295-L312"
 license_url = "N/A"
 hash = "9f97997581f513166aae47b3664ca23c4f4ea90c24916874ff82891e2cd6e01e"
 logic_hash = "54ba4fc366fb6e4a252d51528ede3ec418b369881ad98e9119d1a9650b6a1bab"
@@ -210812,7 +210811,7 @@ rule HARFANGLAB_Trr250801_Csharp_Downloader_Combined : FILE
 date = "2025-08-08"
 modified = "2025-10-21"
 reference = "TRR250801"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L313-L346"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L313-L346"
 license_url = "N/A"
 hash = "559ee2fad8d16ecaa7be398022aa7aa1adbd8f8f882a34d934be9f90f6dcb90b"
 hash = "a2a2f0281eed6ec758130d2f2b2b5d4f578ac90605f7e16a07428316c9f6424e"
@@ -210854,7 +210853,7 @@ rule HARFANGLAB_Trr250801_Cpp_Downloader : FILE
 date = "2025-08-08"
 modified = "2025-10-21"
 reference = "TRR250801"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L347-L367"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L347-L367"
 license_url = "N/A"
 hash = "5fa19aa32776b6ab45a99a851746fbe189f7a668daf82f3965225c1a2f8b9d36"
 logic_hash = "c3e7f4a8b18d941a782056e76a576d90e83dbb28cdf7d5d316b58edf316be2c7"
@@ -210882,7 +210881,7 @@ rule HARFANGLAB_Charmingkitten_Cyclops : FILE
 date = "2024-08-05"
 modified = "2025-10-21"
 reference = "TRR240801"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L368-L388"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L368-L388"
 license_url = "N/A"
 hash = "fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69"
 logic_hash = "70ab3f44b6889d478a94dc6aefcd30f0e82e0b80bcf26921167b72f35bdb7fa8"
@@ -210910,7 +210909,7 @@ rule HARFANGLAB_Samecoin_Campaign_Loader : FILE
 date = "2024-02-13"
 modified = "2025-10-21"
 reference = "TRR240201"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L389-L409"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L389-L409"
 license_url = "N/A"
 hash = "cff976d15ba6c14c501150c63b69e6c06971c07f8fa048a9974ecf68ab88a5b6"
 logic_hash = "7df04ab208d2caa5a137b1c3481ef734df54bbe8330979f524b16e9ba8cf48d5"
@@ -210941,7 +210940,7 @@ rule HARFANGLAB_Samecoin_Campaign_Wiper : FILE
 date = "2024-02-13"
 modified = "2025-10-21"
 reference = "TRR240201"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L410-L428"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L410-L428"
 license_url = "N/A"
 hash = "e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89"
 logic_hash = "ebe7c90398464ecf74ede17551c2ebc58b851ba6502092320934d1f5353581a2"
@@ -210970,7 +210969,7 @@ rule HARFANGLAB_Samecoin_Campaign_Tasksspreader : FILE
 date = "2024-02-13"
 modified = "2025-10-21"
 reference = "TRR240201"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L429-L466"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L429-L466"
 license_url = "N/A"
 hash = "b447ba4370d9becef9ad084e7cdf8e1395bafde1d15e82e23ca1b9808fef13a7"
 logic_hash = "61d602c343365608e5bc587ee9c7898e256f2411d78c7fe74c211e68bf4ab707"
@@ -211011,7 +211010,7 @@ rule HARFANGLAB_Samecoin_Campaign_Nativewiper : FILE
 date = "2024-02-13"
 modified = "2025-10-21"
 reference = "TRR240201"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L467-L487"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L467-L487"
 license_url = "N/A"
 hash = "248054658277e6971eb0b29e2f44d7c3c8d7c5abc7eafd16a3df6c4ca555e817"
 logic_hash = "2779664830df3b5be72b7fe7d4da3d27e2a86b289ee3974596abf1df12317cd8"
@@ -211042,7 +211041,7 @@ rule HARFANGLAB_Supposed_Grasshopper_Downloader : FILE
 date = "2024-06-20"
 modified = "2025-10-21"
 reference = "TRR240601"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L488-L503"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L488-L503"
 license_url = "N/A"
 logic_hash = "93509319ab8028b0215fcfb81d1ff5d3d810922999f1dd8359b706a965221b2f"
 score = 75
@@ -211068,7 +211067,7 @@ rule HARFANGLAB_Donut_Shellcode : FILE
 date = "2024-06-20"
 modified = "2025-10-21"
 reference = "TRR240601"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L504-L552"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L504-L552"
 license_url = "N/A"
 logic_hash = "1bf4e253195e39cc0b3cf45797c35a9f06078350aa35e65d9d36adbcc09a150b"
 score = 75
@@ -211099,7 +211098,7 @@ rule HARFANGLAB_Muddywater_Ateraagent_Operators : FILE
 date = "2024-04-17"
 modified = "2025-10-21"
 reference = "TRR240402"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L553-L583"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L553-L583"
 license_url = "N/A"
 hash = "9b49d6640f5f0f1d68f649252a96052f1d2e0822feadd7ebe3ab6a3cadd75985"
 logic_hash = "63d5d3a6723191dccd20c8d9f25607df512b91f57ac891ef8c87b2dd107ee5a2"
@@ -211138,7 +211137,7 @@ rule HARFANGLAB_Xdspy_LNK_2025 : FILE
 date = "2025-05-16"
 modified = "2025-10-21"
 reference = "TRR250601"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L584-L605"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L584-L605"
 license_url = "N/A"
 hash = "904db68a915b4bbd0b4b2d665bb1e2c51fa1b71b9c44ce45ccd4b4664f2bfd8e"
 hash = "536cd589cd685806b4348b9efa06843a90decae9f4135d1b11d8e74c7911f37d"
@@ -211166,7 +211165,7 @@ rule HARFANGLAB_Xdspy_Etdownloader : FILE
 date = "2025-05-16"
 modified = "2025-10-21"
 reference = "https://github.com/HarfangLab/iocs"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L606-L639"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L606-L639"
 license_url = "N/A"
 hash = "792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b"
 logic_hash = "050bf26c5665c68055f1f31b4cdce40fb8c6d2b9d8e08925e684cf70e80eb2dd"
@@ -211206,7 +211205,7 @@ rule HARFANGLAB_Xdspy_Xdigo : FILE
 date = "2025-05-16"
 modified = "2025-10-21"
 reference = "https://github.com/HarfangLab/iocs"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L640-L667"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L640-L667"
 license_url = "N/A"
 hash = "49714e2a0eb4d16882654fd60304e6fa8bfcf9dbd9cd272df4e003f68c865341"
 hash = "0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e"
@@ -211242,7 +211241,7 @@ rule HARFANGLAB_Packxor : FILE
 date = "2024-08-05"
 modified = "2025-10-21"
 reference = "https://harfanglab.io/insidethelab/unpacking-packxor/"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L668-L807"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L668-L807"
 license_url = "N/A"
 hash = "0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44"
 logic_hash = "ecc7e241f98da8bcd248493f6443676e4c1e516f1fd19f488a62acd314be1898"
@@ -211389,7 +211388,7 @@ rule HARFANGLAB_Gamaredon_Pterolnk_Vbscript : FILE
 date = "2025-04-04"
 modified = "2025-10-21"
 reference = "TRR250401"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L808-L827"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L808-L827"
 license_url = "N/A"
 hash = "d5538812b9a41b90fb9e7d83f2970f947b1e92cb68085e6d896b97ce8ebff705"
 logic_hash = "b6aad0ca4653c111a4f481f9d4636e272712dc7ad53fa3b2041f2c47a1eee527"
@@ -211417,7 +211416,7 @@ rule HARFANGLAB_Gamaredon_Pterolnk_LNK : FILE
 date = "2025-04-04"
 modified = "2025-10-21"
 reference = "TRR250401"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L828-L846"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L828-L846"
 license_url = "N/A"
 hash = "n/a"
 logic_hash = "69565365da1632407e223f87978a91543b1281879aa372cd055d08e26e1a2d93"
@@ -211443,7 +211442,7 @@ rule HARFANGLAB_Gamaredon_Pterolnk_Vbscript_Update2506 : FILE
 date = "2025-06-23"
 modified = "2025-10-21"
 reference = "TRR250401;TRR250401_update2506"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L847-L873"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L847-L873"
 license_url = "N/A"
 hash = "d5538812b9a41b90fb9e7d83f2970f947b1e92cb68085e6d896b97ce8ebff705"
 hash = "4787fe23a4ba66137e41d6caa877251092a7f4957ccd89ed374b71aa6f6e2037"
@@ -211478,7 +211477,7 @@ rule HARFANGLAB_Apt31_Rawdoor_Dropper : FILE
 date = "2024-04-12"
 modified = "2025-10-21"
 reference = "TRR240401"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L874-L895"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L874-L895"
 license_url = "N/A"
 hash = "c3056e39f894ff73bba528faac04a1fc86deeec57641ad882000d7d40e5874be"
 logic_hash = "d0cbe02c4fafb4895bd0126d2496802a3fee6a0362e55bfa91cfd1c75043d94a"
@@ -211509,7 +211508,7 @@ rule HARFANGLAB_Apt31_Rawdoor_Payload : FILE
 date = "2024-04-12"
 modified = "2025-10-21"
 reference = "TRR240401"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L896-L920"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L896-L920"
 license_url = "N/A"
 hash = "fade96ec359474962f2167744ca8c55ab4e6d0700faa142b3d95ec3f4765023b"
 logic_hash = "51bd04603419d5bc77f12618df986f6b31ea8ddea553c6bc7580698fa236b3ed"
@@ -211543,7 +211542,7 @@ rule HARFANGLAB_Iis_Module_Hijackserver_Native : FILE
 date = "2025-08-25"
 modified = "2025-10-21"
 reference = "TRR251001"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L921-L954"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L921-L954"
 license_url = "N/A"
 hash = "c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2"
 logic_hash = "f0539a40958b34bb8372f8a8a6ca22617626fc7806556d6353175aa5f2ec0aea"
@@ -211584,12 +211583,12 @@ rule HARFANGLAB_Iis_Module_Hijackserver_Dotnet : FILE
 date = "2025-10-14"
 modified = "2025-10-21"
 reference = "TRR251001"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L955-L986"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L955-L986"
 license_url = "N/A"
 hash = "915441b7d7ddb7d885ecfe75b11eed512079b49875fc288cd65b023ce1e05964"
 logic_hash = "83476157c66ac9586d28bf2e8614575c4950ab3e3538fd12d0a31fc451970686"
 score = 75
- quality = 80
+ quality = 55
 tags = "FILE"
 context = "file"
 
@@ -211623,12 +211622,12 @@ rule HARFANGLAB_Apache_Module_Hijackserver_Php_Decoded : FILE
 date = "2025-10-15"
 modified = "2025-10-21"
 reference = "TRR251001"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L987-L1014"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L987-L1014"
 license_url = "N/A"
 hash = "e107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850"
 logic_hash = "bf40ee8ae3a491c311d5221cb96adef6bd55153d602f1d534f2cb42a12aa68ec"
 score = 75
- quality = 80
+ quality = 55
 tags = "FILE"
 context = "file"
 
@@ -211660,12 +211659,12 @@ rule HARFANGLAB_Apache_Module_Hijackserver_Php : FILE
 date = "2025-10-15"
 modified = "2025-10-21"
 reference = "TRR251001"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L1015-L1030"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L1015-L1030"
 license_url = "N/A"
 hash = "e107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850"
 logic_hash = "fe503e8d30a354927c1d4e1cffa18411b4c3ac5058cd3aef8df0e7d87624fe43"
 score = 75
- quality = 53
+ quality = 78
 tags = "FILE"
 context = "file"
 
@@ -211686,7 +211685,7 @@ rule HARFANGLAB_Wingtb_Rootkit : FILE
 date = "2025-10-15"
 modified = "2025-10-21"
 reference = "TRR251001"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L1031-L1057"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L1031-L1057"
 license_url = "N/A"
 hash = "f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1"
 hash = "88fd3c428493d5f7d47a468df985c5010c02d71c647ff5474214a8f03d213268"
@@ -211722,7 +211721,7 @@ rule HARFANGLAB_Wingtb_Rootkit_Commandline_Tool_Wingtbcli : FILE
 date = "2025-10-15"
 modified = "2025-10-21"
 reference = "TRR251001"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/hl_public_reports_master.yar#L1058-L1088"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/hl_public_reports_master.yar#L1058-L1088"
 license_url = "N/A"
 hash = "913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc"
 logic_hash = "57a180c8eb395694611c02c674ab94cc721f572a513a88dfe951f56b1ece1cb5"
@@ -211762,7 +211761,7 @@ rule HARFANGLAB_Custom_Ateraagent_Operator : FILE
 date = "2024-04-17"
 modified = "2024-04-22"
 reference = "TRR240402"
- source_url = "https://github.com/HarfangLab/iocs/blob/4b3d974950cb01f499fc7b24b86a20b6de879edc/TRR240402/trr240402_yara-template.yar#L1-L20"
+ source_url = "https://github.com/HarfangLab/iocs/blob/1770ec1114cc8c83eea7d0ab8f9f29c267b11a2d/TRR240402/trr240402_yara-template.yar#L1-L20"
 license_url = "N/A"
 logic_hash = "71622b61c5f645dd846327b79bf6dddefef458b73a82caa34d086da2ba48cd8c"
 score = 75
@@ -211784,7 +211783,7 @@ rule HARFANGLAB_Custom_Ateraagent_Operator : FILE
 * YARA Rule Set
 * Repository Name: LOLDrivers
 * Repository: https://github.com/magicsword-io/LOLDrivers/
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 9be6ee6cd1df0bf6c715fda82150cf9a2f8dc3c6
 * Number of Rules: 569
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -229539,7 +229538,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 :
 * YARA Rule Set
 * Repository Name: SEKOIA
 * Repository: https://github.com/SEKOIA-IO/Community
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: a47734fa931e56f8646dab2abf31629431982429
 * Number of Rules: 746
 * Skipped: 0 (age), 3 (quality), 0 (score), 0 (importance)
@@ -252547,7 +252546,7 @@ rule SEKOIA_Generic_Python_Reverse_Shell : FILE
 * YARA Rule Set
 * Repository Name: Synacktiv
 * Repository: https://github.com/synacktiv/synacktiv-rules
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: d234cc4da0783db7dca56ae8dd5252afdc248df8
 * Number of Rules: 8
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -252904,7 +252903,7 @@ rule SYNACKTIV_MAL_Linkpro_Arpdiag_ELF_KO_Oct25 : FILE
 * YARA Rule Set
 * Repository Name: Signature Base
 * Repository: https://github.com/Neo23x0/signature-base
- * Retrieval Date: 2025-10-26
+ * Retrieval Date: 2025-11-02
 * Git Commit: 1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c
 * Number of Rules: 4388
 * Skipped: 0 (age), 9 (quality), 4 (score), 0 (importance)
@@ -263521,7 +263520,7 @@ rule SIGNATURE_BASE_FE_APT_Webshell_PL_HARDPULSE
 hash = "980cba9e82faf194edb6f3cc20dc73ff"
 logic_hash = "37fc40fd998d3294edb05707170bc2deec524fc6451bff212901f9ac3e34bb35"
 score = 75
- quality = 58
+ quality = 83
 tags = ""
 
 strings:
@@ -263657,7 +263656,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_PULSEJUMP_1
 hash = "91ee23ee24e100ba4a943bb4c15adb4c"
 logic_hash = "c9aa2b9ef8aff14c20ed6597b1a71eafc3e3c181aabf9a3a68df18945207ff86"
 score = 75
- quality = 60
+ quality = 85
 tags = ""
 
 strings:
@@ -263683,7 +263682,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_QUIETPULSE
 hash = "00575bec8d74e221ff6248228c509a16"
 logic_hash = "226a56369e141834d4834400bbf1a006bbb6e9b39e16e24b0106bff1a9c202a9"
 score = 75
- quality = 83
+ quality = 58
 tags = ""
 
 strings:
@@ -263711,7 +263710,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_RADIALPULSE_1
 hash = "d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b"
 logic_hash = "d65a466cc15214d8e26597588c039a6b9fb4637ef8f3b1ebea27f016fbd5cba8"
 score = 75
- quality = 83
+ quality = 58
 tags = ""
 
 strings:
@@ -263738,7 +263737,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_RADIALPULSE_2
 hash = "4a2a7cbc1c8855199a27a7a7b51d0117"
 logic_hash = "4ade993176c918ec23e99fc585e9ab14d9f9e93a7eca00f2c3b0ebbd13d6ec5b"
 score = 75
- quality = 85
+ quality = 60
 tags = ""
 
 strings:
@@ -263765,7 +263764,7 @@ rule SIGNATURE_BASE_FE_APT_Trojan_PL_RADIALPULSE_3
 hash = "4a2a7cbc1c8855199a27a7a7b51d0117"
 logic_hash = "025308591e058de284f949fd4f788e4a4f46bb2f6c0e1161237f1f811d8179ba"
 score = 75
- quality = 60
+ quality = 85
 tags = ""
 
 strings:
@@ -264696,7 +264695,7 @@ rule SIGNATURE_BASE_EXPL_Exchange_Proxyshell_Successful_Aug21_1 : SCRIPT
 license_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/LICENSE"
 logic_hash = "06ab609a8efe3b36b6356a9cf7b7b11b2fc2a556ec1df6995008a9df86b3fcee"
 score = 65
- quality = 83
+ quality = 58
 tags = "SCRIPT"
 
 strings:
@@ -265537,7 +265536,7 @@ rule SIGNATURE_BASE_TA17_293A_Energetic_Bear_Api_Hashing_Tool : FILE
 description = "Energetic Bear API Hashing Tool"
 author = "CERT RE Team"
 id = "4e58800a-9618-5d8b-954c-e843be6002c2"
- date = "2025-02-26"
+ date = "2025-02-02"
 modified = "2023-12-05"
 reference = "https://github.com/Neo23x0/signature-base"
 source_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/yara/apt_ta17_293A.yar#L77-L93"
@@ -308882,7 +308881,7 @@ rule SIGNATURE_BASE_Trojan_ISMRAT_Gen : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/LICENSE"
 logic_hash = "c4d26f79b8110e92a5e427de303eca6eaf79765a4c9cc437864dc5160ef2e343"
 score = 75
- quality = 85
+ quality = 60
 tags = "FILE"
 hash1 = "146a112cb01cd4b8e06d36304f6bdf7b"
 hash2 = "fa3dbe37108b752c38bf5870b5862ce5"
@@ -311581,7 +311580,7 @@ rule SIGNATURE_BASE_Office_OLE_DDE : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/LICENSE"
 logic_hash = "2d2f7dce166dc8ef8aba7e8eaafaf4d1bb34cdc1ce97d34125a65147cf5e08ac"
 score = 50
- quality = 60
+ quality = 35
 tags = "FILE"
 
 strings:
@@ -315721,7 +315720,7 @@ rule SIGNATURE_BASE_Methodology_Shortcut_Hotkey : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/LICENSE"
 logic_hash = "a48f7c1125218ee89f58f1517e81150038a5d71889d847e7690b13c818b32fb5"
 score = 50
- quality = 85
+ quality = 60
 tags = "FILE"
 
 strings:
@@ -315795,7 +315794,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Evasion : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/LICENSE"
 logic_hash = "c4fafae6af3ed5cc2e83e30427107d1c42cc4bc86d5c6a60e26953a11847029f"
 score = 50
- quality = 85
+ quality = 60
 tags = "FILE"
 
 strings:
@@ -315819,7 +315818,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Lolcommand : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/LICENSE"
 logic_hash = "4ac9a555e61303a173443de2a189536c8ea0fc32ee73c589dd104275c7967c57"
 score = 50
- quality = 60
+ quality = 85
 tags = "FILE"
 
 strings:
@@ -315843,7 +315842,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Webdav : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/LICENSE"
 logic_hash = "4fec084392140245eeb25bb512f3a4631ec6be08c197ec130a907fc118161197"
 score = 50
- quality = 85
+ quality = 60
 tags = "FILE"
 
 strings:
@@ -315867,7 +315866,7 @@ rule SIGNATURE_BASE_Methodology_Suspicious_Shortcut_Scripturl : FILE
 license_url = "https://github.com/Neo23x0/signature-base/blob/1cfa4a0b2f6be888aa4e12b6dd48e39a5df3939c/LICENSE"
 logic_hash = "ece0013dbc9836fa800f99a10ab46c1eb081e1c04fe45fe17be26ffac1d464e9"
 score = 50
- quality = 85
+ quality = 60
 tags = "FILE"
 
 strings:
@@ -367669,7 +367668,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic : FILE
 hash = "dd5d8a9b4bb406e0b8f868165a1714fe54ffb18e621582210f96f6e5ae850b33"
 logic_hash = "03c1963ec7a0409970baa98dc3a62f721c092b41d4026475a38b1ef466426b75"
 score = 70
- quality = -159
+ quality = -134
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368292,7 +368291,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Double_Eval_Tiny : FILE
 hash = "006620d2a701de73d995fc950691665c0692af11"
 logic_hash = "cf0405e8a44497574d75291bf86bf9413d9a64140e820f7f5a655fe5302c6918"
 score = 75
- quality = 42
+ quality = 17
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368332,7 +368331,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC : FILE
 hash = "1d0643927f04cb1133f00aa6c5fa84aaf88e5cf14d7df8291615b402e8ab6dc2"
 logic_hash = "c23896664a1fa7ccc94d19fb12bb72c00e1db09fd0d09943c01da40bffe100eb"
 score = 75
- quality = -23
+ quality = -73
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368407,7 +368406,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Encoded : FILE
 hash = "8a1e2d72c82f6a846ec066d249bfa0aaf392c65149d39b7b15ba19f9adc3b339"
 logic_hash = "c2a88e48374f949fcc9c14b773f7709c96b3147d1982ae9721708474ee5a3dcd"
 score = 70
- quality = -64
+ quality = -89
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368455,7 +368454,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Encoded_Mixed_Dec_And_Hex : FILE
 hash = "0ff05e6695074f98b0dee6200697a997c509a652f746d2c1c92c0b0a0552ca47"
 logic_hash = "d9b4d224d43915cf08050c173627b314c3e41a30ecfffe28038281eadc114e51"
 score = 75
- quality = 17
+ quality = -8
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368491,7 +368490,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Tiny : FILE
 hash = "5c871183444dbb5c8766df6b126bd80c624a63a16cc39e20a0f7b002216b2ba5"
 logic_hash = "993f1c98362dcbc207c6ceacb116a27d44505dc6dfa1874def780af50422e1b9"
 score = 75
- quality = -140
+ quality = -90
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368602,7 +368601,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_OBFUSC_Fopo : FILE
 hash = "a698441f817a9a72908a0d93a34133469f33a7b34972af3e351bdccae0737d99"
 logic_hash = "076c0c256e5951cdcb2b7bc55030f55bec48c1bea953b8bd85559a3230e387ae"
 score = 75
- quality = 40
+ quality = 15
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368652,7 +368651,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Gzinflated : FILE
 hash = "07eb6634f28549ebf26583e8b154c6a579b8a733"
 logic_hash = "d2edb7050c986a00889fd01b709ec0aa1409ce2e40a15b7942562d12596b190e"
 score = 75
- quality = 7
+ quality = 32
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368914,7 +368913,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Includer_Eval : FILE
 hash = "b51a6d208ec3a44a67cce16dcc1e93cdb06fe150acf16222815333ddf52d4db8"
 logic_hash = "a7e9632c495e5d4cc883e2593c8ebe41cdf6a18b54bd6dfd3aec85352f19321c"
 score = 75
- quality = 46
+ quality = 21
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -368953,7 +368952,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Includer_Tiny : FILE
 hash = "b3b0274cda28292813096a5a7a3f5f77378b8905205bda7bb7e1a679a7845004"
 logic_hash = "e1efb6384009def30d845650fd0dd77319c3c7b4402cca074ca5c2a06372ab58"
 score = 75
- quality = 42
+ quality = 17
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -369052,7 +369051,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Dynamic_Big : FILE
 hash = "ee34d62e136a04e2eaf84b8daa12c9f2233a366af83081a38c3c973ab5e2c40f"
 logic_hash = "1a29df7465b475e74d0f21f1705405e9663699a6e3c7b7107988ee3e202c3a25"
 score = 50
- quality = -361
+ quality = -336
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -369234,7 +369233,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Encoded_Big : FILE
 hash = "042245ee0c54996608ff8f442c8bafb8"
 logic_hash = "9c995f9c1c5e3a70dbb8170f6d1a2fba51c0f29184a5d3647016b520f4bfc0e3"
 score = 50
- quality = -75
+ quality = -125
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -369283,7 +369282,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic_Backticks : FILE
 hash = "8db86ad90883cd208cf86acd45e67c03f994998804441705d690cb6526614d00"
 logic_hash = "faa064686a5632788497d0300ba017c3e564f3b70f07a01f2e49bf7c934feb28"
 score = 75
- quality = 44
+ quality = 19
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -369320,7 +369319,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Generic_Backticks_OBFUSC : FILE
 hash = "8db86ad90883cd208cf86acd45e67c03f994998804441705d690cb6526614d00"
 logic_hash = "34354283762d6f62a4537e914d969f84546339da9be533e209d8738605b7e3ac"
 score = 75
- quality = 44
+ quality = 19
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -369372,7 +369371,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_By_String_Known_Webshell : FILE
 hash = "d52128bcfff5e9a121eab3d76382420c3eebbdb33cd0879fbef7c3426e819695"
 logic_hash = "8909bf77b7bacdae092fd7a94099224bf1660a6d341e113412e93f864298851b"
 score = 70
- quality = 17
+ quality = -8
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -369468,7 +369467,7 @@ rule SIGNATURE_BASE_WEBSHELL_PHP_Strings_SUSP : FILE
 hash = "1ab3ae4d613b120f9681f6aa8933d66fa38e4886"
 logic_hash = "5c3837ab761ee2209fab5fc333b050a56d80addb03b088ae28040c7393429bb3"
 score = 50
- quality = 40
+ quality = 15
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -369755,7 +369754,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_OBFUSC : FILE
 hash = "cafc4ede15270ab3f53f007c66e82627a39f4d0f"
 logic_hash = "96369062f963c3604c05808755fdfca922e5a6da960cb0ee05dee2df72d5d69b"
 score = 75
- quality = -117
+ quality = -142
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -369930,7 +369929,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Nano : FILE
 hash = "28cfcfe28419a399c606bf96505bc68d6fe05624dba18306993f9fe0d398fbe1"
 logic_hash = "1b969e098a0b2c86ceba9cbb7f31770ba04f1a4c225716ea27d7e4e4177c90c4"
 score = 75
- quality = -117
+ quality = -142
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370031,7 +370030,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Encoded : FILE
 hash = "af40f4c36e3723236c59dc02f28a3efb047d67dd"
 logic_hash = "dc33423874a49edfe9994db50959e6a55e2d475f4cd7d0b1b0a288c4ee1f7961"
 score = 75
- quality = -24
+ quality = -49
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370087,7 +370086,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Encoded_Aspcoding : FILE
 hash = "f5095345ee085318235c11ae5869ae564d636a5342868d0935de7582ba3c7d7a"
 logic_hash = "a0f0b8585b28b13a90c5d112997cacea00af8c89c81eda5edf05508ad41459ab"
 score = 60
- quality = -30
+ quality = -5
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370151,7 +370150,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_By_String : FILE
 hash = "de173ea8dcef777368089504a4af0804864295b75e51794038a6d70f2bcfc6f5"
 logic_hash = "b6ff83bc501753b893a0f5e60c6aafa292617279c0855ce3ba2d0b9b73325e8a"
 score = 75
- quality = -41
+ quality = -66
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370263,7 +370262,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Sniffer : FILE
 hash = "ed5938c04f61795834751d44a383f8ca0ceac833"
 logic_hash = "874ec4c5dff024a899976e46cd553b52c361779a5507cf08ff0de596fd460d41"
 score = 75
- quality = -24
+ quality = -49
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370435,7 +370434,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Generic : FILE
 hash = "f3398832f697e3db91c3da71a8e775ebf66c7e73"
 logic_hash = "c1807922c71cb591ce63ea2d4531d85c5b45ad0f03db07381f8160aec18264ed"
 score = 60
- quality = -126
+ quality = -151
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370601,7 +370600,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Generic_Registry_Reader : FILE
 hash = "898ebfa1757dcbbecb2afcdab1560d72ae6940de"
 logic_hash = "515bff52bebaad45481202ff934f8d1cbb79c27ccf47ca811077acacb7a47f13"
 score = 50
- quality = -28
+ quality = -53
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370679,7 +370678,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASPX_Regeorg_CSHARP : FILE
 hash = "aea0999c6e5952ec04bf9ee717469250cddf8a6f"
 logic_hash = "0c68f5955df2e75c3b5b4f1c6398fd57add1f64bfb3d46ccebf1c6767f5d2eb1"
 score = 75
- quality = -7
+ quality = -57
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370802,7 +370801,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Runtime_Compile : FILE
 hash = "8ce4eaf111c66c2e6c08a271d849204832713f8b66aceb5dadc293b818ccca9e"
 logic_hash = "6699a44e396eedebb3bafa0e89c3b6d080586a158ed056ec7220bdf2ad764444"
 score = 75
- quality = 19
+ quality = -6
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -370965,7 +370964,7 @@ rule SIGNATURE_BASE_WEBSHELL_ASP_Scan_Writable : FILE
 hash = "af1c00696243f8b062a53dad9fb8b773fa1f0395631ffe6c7decc42c47eedee7"
 logic_hash = "80969fd0c27903dabf08a250a47971725ac5762fd2f9afd96167b8f88f277348"
 score = 75
- quality = -64
+ quality = -89
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -371041,7 +371040,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Regeorg : FILE
 hash = "9108a33058aa9a2fb6118b719c5b1318f33f0989"
 logic_hash = "9d4c60a4daaadf6cefe8bf1d84b1e4af491cd23136332db4a022715b265c8f4e"
 score = 75
- quality = 50
+ quality = 25
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -371082,7 +371081,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_HTTP_Proxy : FILE
 hash = "2f9b647660923c5262636a5344e2665512a947a4"
 logic_hash = "7183902d43fc633db06a41b4a6bc02d2eb5662b7ee08080b57563783b8b67568"
 score = 75
- quality = 50
+ quality = 25
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -371228,7 +371227,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Generic : FILE
 hash = "ee9408eb923f2d16f606a5aaac7e16b009797a07"
 logic_hash = "1a464e222704cfc947ed2f1c027c7871db8ab73e5130a309738afd25c8e614ab"
 score = 75
- quality = -49
+ quality = -24
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -371380,7 +371379,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Generic_Reflection : FILE
 hash = "bf0ff88cbb72c719a291c722ae3115b91748d5c4920afe7a00a0d921d562e188"
 logic_hash = "386aeb3745c5dd815f00bbc941450a2c3f1ddfc2956c67ecd5bee9318b1756ef"
 score = 75
- quality = -25
+ quality = 0
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -371507,7 +371506,7 @@ rule SIGNATURE_BASE_WEBSHELL_JSP_Netspy : FILE
 hash = "3870b31f26975a7cb424eab6521fc9bffc2af580"
 logic_hash = "65432e42ad2626b62b1d1a6298c301513c2fb03d89193a77b053069cebcb45e9"
 score = 75
- quality = 1
+ quality = -24
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -371674,7 +371673,7 @@ rule SIGNATURE_BASE_WEBSHELL_Generic_OS_Strings : FILE
 hash = "0353ae68b12b8f6b74794d3273967b530d0d526f"
 logic_hash = "10b956cac601c97d1483d35a7730d7178c4175800b4e4c9ed62ad583d3cac3d7"
 score = 50
- quality = -98
+ quality = -123
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70
@@ -371752,7 +371751,7 @@ rule SIGNATURE_BASE_WEBSHELL_In_Image : FILE
 hash = "52b918a64afc55d28cd491de451bb89c57bce424f8696d6a94ec31fb99b17c11"
 logic_hash = "e7e78107c661aa5124a37b8e492986e5a3da63c79c97c4dc3199e648a5aa4aa8"
 score = 55
- quality = -192
+ quality = -167
 tags = "FILE"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 importance = 70