Added new yara rules 2023-01-31

Author: shu-tom

BlackTech/blacktech.yara

@@ -355,7 +355,7 @@ rule BlackTech_BTSDoor_str {
        (1 of ($pdb*) or 4 of ($data*))
 }
 
-rule BlackTech_mabackdoor_str {
+rule BlackTech_Hipid_str {
      meta:
         description = "Multi-architecture (ARM or x64) backdoor in BlackTech"
         author = "JPCERT/CC Incident Response Group"

Lazarus/lazarus.yara

@@ -429,11 +429,12 @@ rule Lazarus_obfuscate_string {
         all of them
 }
 
-rule Lazarus_Bpanda3_str {
+rule Lazarus_VSingle_github {
      meta:
-        description = "Bpanda3 backdoor in Lazarus"
+        description = "VSingle using GitHub in Lazarus"
         author = "JPCERT/CC Incident Response Group"
         hash = "199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1"
+        hash = "2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc"
 
      strings:
         $str1 = "Arcan3" ascii wide fullword
@@ -464,3 +465,52 @@ rule Lazarus_Bpanda3_str {
        uint32(uint32(0x3c)) == 0x00004550 and
        8 of ($str*))
 }
+
+rule Lazarus_BTREE_str {
+     meta:
+        description = "BTREE malware using Lazarus"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "4fb31b9f5432fd09f1fa51a35e8de98fca6081d542827b855db4563be2e50e58"
+
+     strings:
+        $command1 = "curl -A cur1-agent -L %s -s -d da" ascii wide
+        $command2 = "cmd /c timeout /t 10 & rundll32 \"%s\" #1" ascii wide
+        $command3 = "rundll32.exe %s #1 %S" ascii wide
+        $command4 = "%s\\marcoor.dll" ascii wide
+        $rc4key = "FaDm8CtBH7W660wlbtpyWg4jyLFbgR3IvRw6EdF8IG667d0TEimzTiZ6aBteigP3" ascii wide
+
+     condition:
+       2 of ($command*) or $rc4key
+}
+
+//import "pe"
+//import "hash"
+
+//rule Lazarus_PDFIcon {
+//    meta:
+//        description = "PDF icon used in PE file by Lazarus"
+//        author = "JPCERT/CC Incident Response Group"
+//        hash = "e5466b99c1af9fe3fefdd4da1e798786a821c6d853a320d16cc10c06bc6f3fc5"
+
+//    condition:
+//        for any i in (0..pe.number_of_resources - 1) : (
+//            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "b3e0e069d00fb2a746b7ed1eb3d6470772a684349800fc84bae9f40c8a43d87a"
+//        )
+//}
+
+rule Lazarus_msi_str {
+    meta:
+        description = "msi file using Lazarus"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "f0b6d6981e06c7be2e45650e5f6d39570c1ee640ccb157ddfe42ee23ad4d1cdb"
+	
+    strings:
+        $magic = /^\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00/
+        $s1 = "New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 300)" ascii wide
+        $s2 = "New-ScheduledTaskAction -Execute \"c:\\windows\\system32\\pcalua.exe" ascii wide
+        $s3 = "function sendbi(pd)" ascii wide
+        $s4 = "\\n\\n\"+g_mac()+\"\\n\\n\"+g_proc()" ascii wide
+
+     condition:
+       $magic at 0 and 2 of ($s*)
+}

other/RestyLink.yara

@@ -0,0 +1,57 @@
+rule malware_droplink_str {
+     meta:
+        description = "malware using dropbox api(TRANSBOX, PLUGBOX)"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "bdc15b09b78093a1a5503a1a7bfb487f7ef4ca2cb8b4d1d1bdf9a54cdc87fae4"
+        hash = "6e5e2ed25155428b8da15ac78c8d87d2c108737402ecba90d70f305056aeabaa"
+
+     strings:
+        $data1 = "%u/%u_%08X_%u_%u.jpg" ascii wide
+        $data2 = "%u/%u.jpg" ascii wide
+        $data3 = "%u/%s" ascii wide
+        $data4 = "%u/%u.3_bk.jpg"
+        $data5 = "%u/%u.2_bk.jpg" ascii wide
+        $data6 = "%u/%u_%08X_%d.jpg" ascii wide
+        $data7 = "%s\",\"mode\":\"overwrite" ascii wide
+        $data8 = "Dropbox-API-Art-Type:" ascii wide
+        $data9 = "/2/files/upload" ascii wide
+        $data10 = "Dropbox-API-Arg: {\"path\":\"/" ascii wide
+        $data11 = "/oauth2/token" ascii wide
+        $data12 = "LoadPlgFromRemote.dll" ascii wide
+        $data13 = "FILETRANDLL.dll" ascii wide
+        $data14 = "NVIDLA" ascii wide
+        $data15 = "start.ini" ascii wide
+        $data16 = "RunMain" ascii wide
+        $data17 = "cfg.png" ascii wide
+        $data18 = "DWrite.dll" ascii wide
+        $pdb1 = "\\\\daddev\\office10\\2609.0\\setup\\x86\\ship\\program files\\common files\\microsoft shared\\office10\\1033\\DWINTLO.PDB" ascii
+
+     condition:
+       uint16(0) == 0x5A4D and
+       uint32(uint32(0x3c)) == 0x00004550 and
+       filesize<1MB and
+       (1 of ($pdb*) or 5 of ($data*))
+}
+
+rule malware_RestyLink_lnk {
+     meta:
+        description = "RestyLink lnk file"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "90a223625738e398d2cf0be8d37144392cc2e7d707b096a7bfc0a52b408d98b1"
+        hash = "9aa2187dbdeef231651769ec8dc5f792c2a9a7233fbbbcf383b05ff3d6179fcf"
+        hash = "3feb9275050827543292a97cbf18c50c552a1771c4423c4df4f711a39696ed93"
+
+     strings:
+        $cmd1 = "C:\\Windows\\System32\\cmd.exe" wide
+        $cmd2 = "Windows\\system32\\ScriptRunner.exe" wide
+        $command1 = "/c set a=start winword.exe /aut&&set" wide
+        $command2 = "&&set n=omation /vu /q&&cmd /c %a%%n% %m%" wide
+        $command3 = "-appvscript explorer.exe https://" wide
+        $command4 = "-appvscript curl.exe -s https://" wide
+
+     condition:
+       uint16(0) == 0x004c and
+       filesize<100KB and
+       1 of ($cmd*) and
+       1 of ($command*)
+}

other/brc4.yara

@@ -0,0 +1,19 @@
+rule malware_BRC4_code {
+     meta:
+        description = "Brute Ratel C4"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "54e844b5ae4a056ca8df4ca7299249c4910374d64261c83ac55e5fdf1b59f01d"
+        hash = "31acf37d180ab9afbcf6a4ec5d29c3e19c947641a2d9ce3ce56d71c1f576c069"
+        hash = "973f573cab683636d9a70b8891263f59e2f02201ffb4dd2e9d7ecbb1521da03e"
+
+     strings:
+        $func1 = { 41 57 41 56 41 55 41 54 55 57 56 53 48 81 EC A8 00 00 00 E8 }
+        $func2 = { 50 68 ?? ?? 00 00 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 }
+        $func3 = { 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 (02|01) 00 00 00 }
+
+     condition:
+       uint16(0) == 0x5A4D and
+       uint32(uint32(0x3c)) == 0x00004550 and
+       filesize<500KB and
+       ($func1 or #func2 > 2 or #func3 > 2)
+}

other/darkcloud.yara

@@ -0,0 +1,18 @@
+rule malware_DarkCloud_Stealer_str {
+    meta:
+        description = "DarkCloud Stealer"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "a8f6bcae61ed785c8ee0703fb9d3d72b717302c4bc5d651fd2a7aa83b1b696ea"
+
+    strings:
+        $vb1 = "__vba" ascii wide
+        $vb2 = "VB6.OLB" ascii wide
+        $name1 = "DarkCloud Gecko Recovery" ascii wide
+        $name2 = "DarkCloud CryptoWallets" ascii wide
+        $name3 = "DarkCloud FilesGrabber" ascii wide
+        $name4 = "DarkCloud Credentials" ascii wide
+        $name5 = "===============DARKCLOUD===============" ascii wide
+
+     condition:
+         uint16(0) == 0x5a4d and any of ($vb*) and 3 of ($name*)
+}