100 Days Of YARA
100daysofyara.bsky.social
@100daysofyara.bsky.social
BSky profile dedicated to 100 Days Of YARA

https://github.com/100DaysofYARA
Reposted by 100 Days Of YARA
Messing with a couple of anomaly rules for #100daysofyara
1. Packer related API strings and no import
Rule: github.com/mgreen27/100...
2. Downloader related API strings and no import
Rule: github.com/mgreen27/100...
January 30, 2025 at 12:00 PM
Reposted by 100 Days Of YARA
#100daysofyara hunting inspired by a sample share from VT
1. Microsoft Teams without an MS cert
2. Detect cert metadata
github.com/mgreen27/100...
3. Anomaly detection for PE files with large difference between physical and virtual size of a section
github.com/mgreen27/100...
January 24, 2025 at 12:46 PM
Reposted by 100 Days Of YARA
#100DaysofYara Day 23

Socks5Systemz, sample from the bazaar. 32-bit installer for the tool, based on the compilation information, strings for "\silent" and "\verysilent", and mentions of Inno Setup, used to create Windows installers.

www.bitsight.com/blog/unveili...

github.com/augustvansic...
January 23, 2025 at 10:19 PM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 24

A QakBot spotted in the wild (2025)

Some easy strings for dangerous API calls for encryption and WSA calls for connection functionality, an IP that upon review looks like it's hosting a C2 (web ports with firewall deny all w/exceptions likely)

github.com/augustvansic...
January 25, 2025 at 2:08 AM
Reposted by 100 Days Of YARA
#100DaysofYara Day 14

This sample is a PE32 DLL that is designed for the I386 arch, in C++. I used some more hex strings this time, looks like this is either mimicking a game DLL or pretending to be. Sample was tagged to WannaCry.

github.com/augustvansic...
January 14, 2025 at 9:22 PM
Reposted by 100 Days Of YARA
#100daysofyara
more yara-x > Dumping a RedCurl malware PE, I saw the Rich Header and thought I would give it a try.

Rule: github.com/mgreen27/100...
January 14, 2025 at 12:24 PM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 13

A macOS Mach-O binary from MalwareZoo: Backdoor/Worm

Some of the API calls are not core library referenced and could prevent inclusion in the App Store, so I added them as ASCII strings.

Also added some dylib strings

github.com/augustvansic...
January 13, 2025 at 7:26 PM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 12

Today's sample was a PE32 DLL tagged to DarkTortilla. Strings, strings and more strings made this one an easy rule to write; I didn't need to throw it in Binja. A couple of rules were based on environmental condition requests, signs of host enumeration.

github.com/augustvansic...
2025_100DaysofYara/Day12_PE32_DLL_DarkTortilla.yar at main · augustvansickle/2025_100DaysofYara
January 12, 2025 at 3:58 PM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 11

I got some exposure to Android APK Lua malware. Interesting file structure and execution flow; I used this resource for some help on understanding the basics and to learn about some specialized tools:

par.nsf.gov/servlets/pur...

and

Rule:
github.com/augustvansic...
January 11, 2025 at 8:13 PM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 10

Today's sample was a sample of Storm Kitty, an open-source stealer/keylogger written in C++; logs are sent to a Telegram address, which you can see in the strings.

malpedia.caad.fkie.fraunhofer.de/details/win....

github.com/augustvansic...
January 11, 2025 at 1:02 AM
Reposted by 100 Days Of YARA
#100daysofyara sometimes simple rules work really well!
In an IR last week, we discovered and stopped an in-progress exfil. This process rule detects the in-memory renamed rclone; it should be cross-platform.

Rule: github.com/mgreen27/100...
January 10, 2025 at 11:05 PM
Reposted by 100 Days Of YARA
#100daysofyara This rule detects PE files with SUBSYSTEM_WINDOWS_GUI and no Windows API function import.

Rule: github.com/mgreen27/100...
January 15, 2025 at 10:46 AM
Reposted by 100 Days Of YARA
#100DaysOfYara

Day 15

I had more to say than a post here allows, so it's on Medium: medium.com/@august.vans...
January 15, 2025 at 5:17 PM
Reposted by 100 Days Of YARA
#100daysofyara MSC files appear to store their icons inside a BinaryStorage field. Today's rule hits on a suspicious PDF icon.

Rule: github.com/mgreen27/100...
January 16, 2025 at 11:23 AM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 16

Today's sample: a PE64 EXE tagged to SpyLyRAT

Some unique loads in this directly from github.

And some common API calls that are commonly used for manipulating processes.

github.com/augustvansic...
January 17, 2025 at 1:06 AM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 17

Sliver Beacon EXE

Sliver uses MinGW to compile beacons, and it was definitely in the strings, so I added that rule. A string for sleep (time-based evasion), and a couple of other hardcoded strings.

I did some dynamic analysis and the domain drops payloads too.
January 17, 2025 at 4:11 PM
Reposted by 100 Days Of YARA
This #100daysofyara rule looks for a PE with an unusual NumberOfRvaAndSizes attribute
github.com/mgreen27/100...
January 18, 2025 at 11:53 AM
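The four PE header anomalies discussed in this feed (packer API strings with no imports from the January 30 post, the section raw-vs-virtual size gap from January 24, the GUI subsystem without Windows API imports from January 15, and the NumberOfRvaAndSizes check above) written out as YARA rules. This is an added illustration, not the authors' rules from the linked repositories; field names are the standard pe module ones, while the size ratio, the 1 MiB floor and the chosen API name list are assumptions of this example.

```yara
import "pe"

// Shared sanity check: MZ magic plus a PE signature at e_lfanew.
private rule IsPE
{
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

// GUI subsystem declared, yet nothing imported from the DLLs a real
// windowed program needs (pe.imports matches DLL names case-insensitively).
rule Anomaly_GUI_Subsystem_No_UI_Imports
{
    condition:
        IsPE and pe.subsystem == pe.SUBSYSTEM_WINDOWS_GUI and
        pe.imports("user32.dll") == 0 and pe.imports("gdi32.dll") == 0
}

// Mainstream linkers always emit 16 data directories; any other count
// points to a hand-built or tampered header.
rule Anomaly_Unusual_NumberOfRvaAndSizes
{
    condition:
        IsPE and pe.number_of_rva_and_sizes != 16
}

// In-memory section size dwarfing on-disk size: room for a packer stub to unpack
// into. 4x ratio and 1 MiB floor are example thresholds; .bss-style sections also hit.
rule Anomaly_Section_VirtualSize_Much_Larger_Than_RawSize
{
    condition:
        IsPE and pe.number_of_sections > 0 and
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].virtual_size > 4 * pe.sections[i].raw_data_size and
            pe.sections[i].virtual_size - pe.sections[i].raw_data_size > 0x100000
        )
}

// Loader API names present as plain strings while the file declares no
// import table at all: the names are resolved at run time instead.
rule Anomaly_Packer_API_Strings_No_Imports
{
    strings:
        $api1 = "VirtualAlloc" ascii
        $api2 = "VirtualProtect" ascii
        $api3 = "LoadLibraryA" ascii
        $api4 = "GetProcAddress" ascii
    condition:
        IsPE and pe.number_of_imports == 0 and 3 of ($api*)
}
```

Run these over a clean-software corpus first: each one is a hunting heuristic rather than a malware signature, and the section-size rule in particular needs local tuning before it belongs in an alerting pipeline.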
Reposted by 100 Days Of YARA
#100DaysOfYara Day 18

Happy Saturday (Go Chiefs)

Today I did a quick rule for a sample of Redline, a 32-bit PE. A lot was obfuscated with this sample, but there were some C# .NET calls to use for rules.

github.com/augustvansic...
2025_100DaysofYara/Day18_PE32_RedLIne.yar at ecabc490af6a452c436659bfc5dc928a22be8bbe · augustvansickle/2025_100DaysofYara
January 18, 2025 at 7:03 PM
Reposted by 100 Days Of YARA
Today's #100daysofyara rule looks for a PE file with an unusual debug info type. YARA doesn't directly expose these debug structures, so I had to search for the RSDS header and find the type field by offset.

github.com/mgreen27/100...
January 21, 2025 at 2:04 AM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 21

Cobalt Strike Beacon of the EXE flavor

References to a tech company from China in strings, debugger enum, executable called and a close handle on a variable. Interesting: the icon for the binary is an apple, compiled for Windows/PE64 with Windows API libs

github.com/augustvansic...
January 22, 2025 at 12:23 AM
Reposted by 100 Days Of YARA
#100daysofyara today's rule detects a patched clr.dll in-memory AmsiScanBuffer bypass. My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection.

Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...
January 22, 2025 at 3:50 AM
Reposted by 100 Days Of YARA
I finally got around to making my first contribution to #100DaysofYARA 2025 with two YARA rules. My first rule looks to detect Qbit Stealer, a Golang stealer which never really took off. My second rule is designed to hunt various "calling cards" the developer left, which might find related malware.
January 22, 2025 at 4:00 AM
Reposted by 100 Days Of YARA
#100DaysOfYara Day 22

Today I dug into Binlex. Binlex extracts instructions, basic blocks, and functions from binary files and organizes them into a structured hierarchy. I'm still working on learning the rule syntax with blyara to create rules.

github.com/augustvansic...
January 22, 2025 at 8:39 PM
Reposted by 100 Days Of YARA
Introducing: What is this stealer?

A new repository that allows you to identify the stealer family by the system information text file format commonly included in stealer malware exfiltration logs. Includes YARA rules!

Check it out and contribute!

github.com/MalBeacon/wh...
GitHub - MalBeacon/what-is-this-stealer: A repository of credential stealer formats
January 13, 2025 at 4:11 PM