{"report_id":"2447bb96-f53b-4a79-8a8d-c0d55a8d5128","version":6,"status":"done","tags":[],"date":"2024-03-28T19:26:20Z","url":{"schema":"http","addr":"github.com/YARAHQ/yara-forge/releases/download/20240324/yara-forge-rules-full.zip","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.3","port":0,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T21:00:42Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"github.com","ip":{"addr":"140.82.121.3","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"domain_registered":"2007-10-09","domain_rank":1423,"first_seen":"2016-07-13 12:28:22","last_seen":"2024-03-24 14:57:11","alert_count":0,"request_count":1,"received_data":3953,"sent_data":535,"comment":"","tags":null,"fingerprints":null},{"fqdn":"objects.githubusercontent.com","ip":{"addr":"185.199.109.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"domain_registered":"2014-02-06","domain_rank":134060,"first_seen":"2021-11-01 22:34:29","last_seen":"2024-03-28 
05:21:49","alert_count":0,"request_count":1,"received_data":3635050,"sent_data":1004,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"c44f3a330c92ddafea8d40f52670ec4e","sha1":"acb1332410ebf8626d75db32815b5be51f5a6cc8","sha256":"09f46a1fa84e7a26de7e64f6f28c13202dd2a3031c1e1963da82a27cce3d3af8","sha512":"ebb2d1a913e628e683de4c4462b712bb539105ba46a3a835c1b5b4a4241cf39161c216aa3ea73c0130551f5a3b4fb06138e69f587b3eb4f13f92b7e3288c49e4","magic":"Zip archive data, at least v1.0 to extract, compression method=store","size":3634228,"url":{"schema":"https","addr":"objects.githubusercontent.com/github-production-release-asset-2e65be/711268411/cfbb9c85-58d3-4c78-a4b9-96e498ca23c7?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240328%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20240328T192502Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=967bddb61f2143a1c7f0d08f39d01e570aa4df718f97cf724675aeab6029f589\u0026X-Amz-SignedHeaders=host\u0026actor_id=0\u0026key_id=0\u0026repo_id=711268411\u0026response-content-disposition=attachment%3B%20filename%3Dyara-forge-rules-full.zip\u0026response-content-type=application%2Foctet-stream","fqdn":"objects.githubusercontent.com","domain":"objects.githubusercontent.com","tld":"githubusercontent.com"},"ip":{"addr":"185.199.109.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"archive":[{"path":"packages/full/yara-rules-full.yar","filename":"yara-rules-full.yar","modified":"","Modified":"2024-03-24T02:01:00Z","magic":"ASCII text, with very long lines 
(887)","size":18156363,"md5":"8643632a780602e680fe9b4a7e7c057c","sha1":"4963f27b929fa33cc025eca10a3a4aa2ac5c670c","sha256":"6b7a7ce3d56c29cbb7894e47b0fc126602a4e2d25cee3f0df8a6d52adf17825a","sha512":"9e6543db039b310274f3a47e03b1bc354c9492f709dcbbab71b3de8e74952ca391bde5fee6fb593c53f94c43116f6b381c62486eb494fb6f7240a3076e94d85b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Turla Agent.BTZ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-06-16","description":"Detects Turla Agent.BTZ","hash1":"c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615","reference":"Internal Research","rule":"APT_Turla_Agent_BTZ_Gen_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Find generic data potentially relating to AP15 tools","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"David Cannings","description":"Find generic data potentially relating to AP15 tools","rule":"malware_apt15_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"HyperBro Stage 3 C2 path and user agent detection - also tested in memory","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Marc Stroebel","date":"2022-02-07","description":"HyperBro Stage 3 C2 path and user agent detection - also tested in 
memory","hash1":"624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8","license":"https://creativecommons.org/licenses/by-nc/4.0/","reference":"https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27","rule":"HvS_APT27_HyperBro_Stage3_C2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NSA / FBI","date":"2020-08-13","description":"Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based","reference":"https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/","rule":"APT_APT28_drovorub_unique_network_comms_strings","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-29","description":"Auto-generated rule","hash1":"9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0","hash2":"55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/WVflzO","rule":"GRIZZLY_STEPPE_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, 
and flips them prior to executing the resulting payload.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-05-25","description":"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.","hash":"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330","reference":"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/","rule":"APT_APT29_Win_FlipFlop_LDR"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-05-27","description":"The FRESHFIRE malware family. 
The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.","hash":"ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c","reference":"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/","rule":"APT_APT28_Win_FreshFire"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BoomBox malware as described in APT29 NOBELIUM report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-27","description":"Detects BoomBox malware as described in APT29 NOBELIUM report","reference":"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/","rule":"APT_APT29_NOBELIUM_BoomBox_May21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects stageless loader as used by APT29 / NOBELIUM","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-29","description":"Detects stageless loader as used by APT29 / NOBELIUM","hash1":"a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf","hash2":"c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78","reference":"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/","rule":"APT_APT29_NOBELIUM_Stageless_Loader_May21_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"North Korean origin malware which uses a custom Google App for c2 communications.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-06-21","description":"North Korean origin malware which uses a custom Google App for c2 communications.","hash1":"837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed","license":"See license at https://github.com/volexity/threat-intel/LICENSE.txt","reference":"https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/","rule":"APT_MAL_Win_BlueLight_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Speculoos Backdoor used by APT41","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-14","description":"Detects Speculoos Backdoor used by APT41","hash1":"6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167","hash2":"99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28","reference":"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/","rule":"APT_APT41_CN_ELF_Speculoos_Backdoor","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool 
used in the Australian Parliament House network compromise","hash1":"1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b","hash2":"510375f8142b3651df67d42c3eff8d2d880987c0e057fc75a5583f36de34bf0e","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_LazyCat_LogEraser"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_PowerKatz_Feb19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_Unknown_Feb19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Custome SSH backdoor based on python and paramiko - file server.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2015-05-14","description":"Custome SSH backdoor based on python and paramiko - file server.py","hash":"0953b6c2181249b94282ca5736471f85d80d41c9","modified":"2022-08-18","reference":"https://goo.gl/S46L3o","rule":"custom_ssh_backdoor_server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/06","description":"Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/VRJNLo","rule":"Casper_Included_Strings","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/06","description":"Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/VRJNLo","rule":"Casper_SystemInformation_Output","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware from the Proofpoint CN APT ZeroT 
incident","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-03","description":"Detects malware from the Proofpoint CN APT ZeroT incident","hash1":"ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"PP_CN_APT_ZeroT_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware from the Proofpoint CN APT ZeroT incident","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-03","description":"Detects malware from the Proofpoint CN APT ZeroT incident","hash1":"74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"PP_CN_APT_ZeroT_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll","hash1":"266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500","license":"Detection Rule 
License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"CN_APT_ZeroT_extracted_Mcutil"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Red Delta samples","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-10-14","description":"Detects Red Delta samples","hash1":"30b2bbce0ca4cb066721c94a64e2c37b7825dd72fc19c20eb0ab156bea0f8efc","hash2":"42ed73b1d5cc49e09136ec05befabe0860002c97eb94e9bad145e4ea5b8be2e2","hash3":"480a8c883006232361c5812af85de9799b1182f1b52145ccfced4fa21b6daafa","hash4":"7ea7c6406c5a80d3c15511c4d97ec1e45813e9c58431f386710d0486c4898b98","reference":"https://twitter.com/JAMESWT_MHT/status/1316387482708119556","rule":"APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Red Delta samples","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-10-14","description":"Detects Red Delta samples","hash1":"260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b","hash2":"9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5","hash3":"b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429","reference":"https://twitter.com/JAMESWT_MHT/status/1316387482708119556","rule":"APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Identifies strings used in Cobalt Strike Beacon DLL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Elastic","date":"2021-03-16","description":"Identifies strings used in Cobalt Strike Beacon DLL","reference":"https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures","rule":"HKTL_CobaltStrike_Beacon_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects unmodified CobaltStrike beacon DLL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yara@s3c.za.net","date":"2019-08-16","description":"Detects unmodified CobaltStrike beacon DLL","rule":"CobaltStrike_Unmodifed_Beacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Codoso APT CustomTCP Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT CustomTCP Malware","hash1":"ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0","hash2":"130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8","hash3":"3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa","hash4":"02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_CustomTCP_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Codoso APT Gh0st Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT Gh0st Malware","hash":"bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_Gh0st_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Codoso APT Gh0st Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT Gh0st Malware","hash1":"5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841","hash2":"7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8","hash3":"d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_Gh0st_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Codoso APT PGV PVID 
Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT PGV PVID Malware","hash1":"41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824","hash2":"58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3","hash3":"934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7","hash4":"ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266","hash5":"e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_PGV_PVID_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a malware sysdll.exe from the Rocket Kitten APT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"27.12.2014","description":"Detects a malware sysdll.exe from the Rocket Kitten APT","hash":"f89a4d4ae5cca6d69a5256c96111e707","modified":"2023-01-06","rule":"CoreImpact_sysdll_exe","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects trojan from APT report named http.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-25","description":"Detects trojan from APT report named http.exe","hash1":"ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://goo.gl/13Wgy1","rule":"Mal_http_EXE","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a malicious PotPlayer.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-25","description":"Detects a malicious PotPlayer.dll","hash1":"705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/13Wgy1","rule":"Mal_PotPlayer_DLL","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hack Deep Panda - lot1.tmp-pwdump","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - lot1.tmp-pwdump","hash":"5d201a0fb0f4a96cefc5f73effb61acff9c818e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_lot1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hack Deep Panda - htran-exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DTRACK malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects DTRACK malware","hash1":"c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c","hash2":"a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68","hash3":"93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9","hash4":"3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682","hash5":"bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364","hash6":"58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb","hash7":"9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21","rule":"APT_MAL_DTRACK_Oct19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file create_dns_injection.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file create_dns_injection.py","hash1":"488f3cc21db0688d09e13eb85a197a1d37902612c3e302132c84e07bc42b1c32","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_create_dns_injection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file screamingplow.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file screamingplow.sh","hash1":"c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_screamingplow"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file MixText.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file MixText.py","hash1":"e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_MixText"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file tunnel_state_reader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file 
tunnel_state_reader","hash1":"49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_tunnel_state_reader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file payload.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file payload.py","hash1":"21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_payload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file eligiblecandidate.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file eligiblecandidate.py","hash1":"c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_eligiblecandidate"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file 
BUSURPER-2211-724.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BUSURPER-2211-724.exe","hash1":"d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BUSURPER_2211_724"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file networkProfiler_orderScans.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file networkProfiler_orderScans.sh","hash1":"ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_networkProfiler_orderScans"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py","hash1":"4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_epicbanana_2_1_0_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file sniffer_xml2pcap","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file sniffer_xml2pcap","hash1":"f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sniffer_xml2pcap"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BananaAid","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BananaAid","hash1":"7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BananaAid"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file config_jp1_UA.pl","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file 
config_jp1_UA.pl","hash1":"2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_config_jp1_UA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file userscript.FW","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file userscript.FW","hash1":"5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_userscript"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BUSURPER-3001-724.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BUSURPER-3001-724.exe","hash1":"6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BUSURPER_3001_724"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file 
workit.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file workit.py","hash1":"fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"Research","rule":"EQGRP_workit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file tinyhttp_setup.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file tinyhttp_setup.sh","hash1":"3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_tinyhttp_setup"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file EPBA.script","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file EPBA.script","hash1":"53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_EPBA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file jetplow.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file jetplow.sh","hash1":"ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_jetplow_SH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py","hash1":"59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_extrabacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file sploit.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file sploit.py","hash1":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sploit_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file uninstallPBD.bat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file uninstallPBD.bat","hash1":"692fdb449f10057a114cf2963000f52ce118d9a40682194838006c66af159bd0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_uninstallPBD"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BICECREAM-2140","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BICECREAM-2140","hash1":"4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BICECREAM"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BFLEA-2201.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file 
BFLEA-2201.exe","hash1":"15e8c743770e44314496c5f27b6297c5d7a4af09404c4aa507757e0cc8edc79e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BFLEA_2201"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file StoreFc.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file StoreFc.py","hash1":"f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_StoreFc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe","hash1":"498fc9f20b938b8111adfa3ca215325f265a08092eefd5300c4168876deb7bf6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BBALL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files BARPUNCH-3110, 
BPICKER-3100","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100","hash1":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash2":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BARPUNCH_BPICKER","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash3":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash4":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash5":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash6":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash7":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","hash8":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from 
files pandarock_v1.11.1.1.bin, pit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit","hash1":"1214e282ac7258e616ebd76f912d4b2455d1b415b7216823caa3fc0d09045a5f","hash2":"c8a151df7605cb48feb8be2ab43ec965b561d2b6e2a837d645fdf6a6191ab5fe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_pandarock","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BananaUsurper_writeJetPlow","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall 
- from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120","hash1":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash2":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash3":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash4":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash2":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash3":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash4":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash5":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash6":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230","hash1":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash2":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BLIAR_BLIQUER","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files sploit.py, sploit.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files sploit.py, sploit.py","hash1":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","hash2":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sploit","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset 
Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash3":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash4":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash5":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash6":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash3":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash4":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash5":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash6":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash7":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","hash8":"ee3e3487a9582181892e27b4078c5a3cb47bb31fc607634468cc67753f7e61d7","hash9":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files ssh.py, telnet.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files ssh.py, telnet.py","hash1":"630d464b1d08c4dfd0bd50552bee2d6a591fb0b5597ecebaa556a3c3d4e0aa4e","hash2":"07f4c60505f4d5fb5c4a76a8c899d9b63291444a3980d94c06e1d5889ae85482","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_ssh_telnet_29","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - Callback addresses","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Callback addresses","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_callbacks"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - Extrabacon exploit output","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Extrabacon exploit output","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Extrabacon_Output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - Unique strings","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Unique strings","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Unique_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file elgingamble","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file elgingamble","hash1":"0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_elgingamble"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file cmsd","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool 
leaked by ShadowBrokers- file cmsd","hash1":"634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_cmsd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5","hash1":"eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ebbshave"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file eggbasket","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file eggbasket","hash1":"b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_eggbasket"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file sambal","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file sambal","hash1":"2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_sambal"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file cmsex","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file cmsex","hash1":"2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_cmsex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file 
DUL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file DUL","hash1":"24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_DUL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file slugger2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file slugger2","hash1":"a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_slugger2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file jackpop","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file jackpop","hash1":"0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_jackpop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1","hash1":"eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_epoxyresin_v1_0_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file estesfox","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file estesfox","hash1":"33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_estesfox"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from 
files ftshell, ftshell.v3.10.3.7","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","hash1":"9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893","hash2":"0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ftshell_ftshell_v3_10_3_0","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2","hash1":"dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222","hash2":"9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__scanner_scanner_v2_1_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, 
ghost_x86","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86","hash1":"d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1","hash2":"82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ghost_sparc_ghost_x86_3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan","hash1":"8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984","hash2":"942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__jparsescan_parsescan_5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, 
ftshell.v3.10.3.7","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","hash1":"9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893","hash4":"0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ftshell","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EquationGroup Tool - April Leak","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d","hash2":"b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17_Eternalromance","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EquationGroup Tool - April Leak","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5","hash2":"561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e","hash3":"f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b","hash4":"8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EquationGroup Tool - April Leak","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927","hash2":"5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EquationGroup Tool - April Leak","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April 
Leak","hash1":"3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6","hash2":"c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd","hash3":"9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556","hash4":"c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674","hash5":"5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This rule is UNTESTED against a large dataset and is for hunting purposes only.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"netadr, modified by Florian Roth for performance reasons","date":"2023-04-02","description":"This rule is UNTESTED against a large dataset and is for hunting purposes only.","modified":"2023-05-08","reference":"https://netadr.github.io/blog/a-quick-glimpse-sbz/","rule":"SUSP_ELF_SPARC_Hunting_SBZ_UniqueStrings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware Redosdru - file systemHome.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-04","description":"Detects malware Redosdru - file systemHome.exe","hash1":"4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/OOB3mH","rule":"Backdoor_Redosdru_Jun17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a string found in memory of malware cedt370r(3).exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-09","description":"Detects a string found in memory of malware cedt370r(3).exe","reference":"http://goo.gl/ZjJyti","rule":"Fidelis_Advisory_cedt370"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from FIN7 report in August 2018","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-08-01","description":"Detects strings from FIN7 report in August 2018","hash1":"b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html","rule":"APT_FIN7_Strings_Aug18_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Word Dropper from Proofpoint FIN7 Report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-04","description":"Detects Word Dropper from Proofpoint FIN7 
Report","reference":"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor","rule":"FIN7_Backdoor_Aug17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects FourElementSword Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-18","description":"Detects FourElementSword Malware","hash":"f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/","rule":"FourElementSword_Config_File"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects FourElementSword Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-18","description":"Detects FourElementSword Malware","hash":"9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/","rule":"FourElementSword_ElevateDLL_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"String from the ShodowBroker Files Screenshots - Dec 
2016","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file violetspirit.README","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file violetspirit.README","hash1":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_violetspirit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file gr.notes","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file gr.notes","hash1":"b2b60dce7a4cfdddbd3d3f1825f1885728956bae009de3a307342fbdeeafcb79","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_gr_gr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.yellowspirit.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.yellowspirit.COMMON","hash1":"a7c4b718fa92934a9182567288146ffa3312d9f3edc3872478c90e0e2814078c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_yellowspirit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file opscript.se","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file opscript.se","hash1":"275c91531a9ac5a240336714093b6aa146b8d7463cb2780cfeeceaea4c789682","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_opscript"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file 
user.tool.epichero.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.epichero.COMMON","hash1":"679d194c32cbaead7281df9afd17bca536ee9d28df917b422083ae8ed5b5c484","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_epichero"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.elatedmonkey","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.elatedmonkey","hash1":"98ae935dd9515529a34478cb82644828d94a2d273816d50485665535454e37cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.dubmoat.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.dubmoat.COMMON","hash1":"bcd4ee336050488f5ffeb850d8eaa11eec34d8ba099b370d94d2c83f08a4d881","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_dubmoat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file strifeworld.1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file strifeworld.1","hash1":"222b00235bf143645ad0d55b2b6839febc5b570e3def00b77699915a7c9cb670","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_strifeworld"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.pork.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.pork.COMMON","hash1":"9c400aab74e75be8770387d35ca219285e2cedc0c7895225bbe567ce9c9dc078","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_pork"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file 
user.tool.ebbisland.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.ebbisland.COMMON","hash1":"390e776ae15fadad2e3825a5e2e06c4f8de6d71813bef42052c7fd8494146222","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_ebbisland"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.elgingamble.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.elgingamble.COMMON","hash1":"4130284727ddef4610d63bfa8330cdafcb6524d3d2e7e8e0cb34fde8864c8118","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_elgingamble"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file README.cup.NOPEN","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file README.cup.NOPEN","hash1":"98aaad31663b89120eb781b25d6f061037aecaeb20cf5e32c36c68f34807e271","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_README_cup"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file oneshot.example","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file oneshot.example","hash1":"a85b260d6a53ceec63ad5f09e1308b158da31062047dc0e4d562d2683a82bf9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_nopen_oneshot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.earlyshovel.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.earlyshovel.COMMON","hash1":"504e7a376c21ffbfb375353c5451dc69a35a10d7e2a5d0358f9ce2df34edf256","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_earlyshovel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file 
user.tool.envisioncollision.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.envisioncollision.COMMON","hash1":"2f04f078a8f0fdfc864d3d2e37d123f55ecc1d5e401a87eccd0c3846770f9e02","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_envisioncollision"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule","hash1":"4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de","hash2":"64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7","hash3":"a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated 
rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON","hash1":"18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728","hash2":"f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule","hash1":"18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728","hash2":"4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de","hash3":"3fe78949a9f3068db953b475177bcad3c76d16169469afd72791b4312f60cfb3","hash4":"64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7","hash5":"a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619","hash6":"89748906d1c574a75fe030645c7572d7d4145b143025aa74c9b5e2be69df8773","hash7":"f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files violetspirit.README, 
violetspirit.README","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - from files violetspirit.README, violetspirit.README","hash1":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","hash2":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-23","description":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","hash1":"f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197","hash2":"99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2","hash3":"6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df","hash4":"b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/the-ghost-dragon","rule":"GhostDragon_Gh0stRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon 
Report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-23","description":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","hash1":"71a52058f6b5cef66302c19169f67cf304507b4454cca83e2c36151da8da1d97","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/the-ghost-dragon","rule":"GhostDragon_Gh0stRAT_Sample2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ISMDoor Backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Detects ISMDoor Backdoor","hash1":"308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f","hash2":"82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/urp4CD","rule":"Greenbug_Malware_4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"X-Agent/CHOPSTICK Implant by APT28","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"X-Agent/CHOPSTICK Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_3_v1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"BlackEnergy / Voodoo Bear Implant by APT28","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"BlackEnergy / Voodoo Bear Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_4_v9","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Unidentified Implant by APT29","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"Unidentified Implant by APT29","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"Unidentified_Malware_Two","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artefacts found in HAFNIUM intrusions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects forensic artefacts found in HAFNIUM intrusions","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","rule":"APT_HAFNIUM_Forensic_Artefacts_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PowerCat 
hacktool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects PowerCat hacktool","hash1":"c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2","reference":"https://github.com/besimorhino/powercat","rule":"HKTL_PS1_PowerCat_Mar21"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PowerShell Oneliner in Nishang's repository","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-03","description":"Detects PowerShell Oneliner in Nishang's repository","hash1":"2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32","reference":"https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1","rule":"HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"variation on reGeorgtunnel","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-03-01","description":"variation on reGeorgtunnel","hash":"406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928","reference":"https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx","rule":"WEBSHELL_ASPX_reGeorgTunnel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"The SPORTSBALL webshell allows attackers to upload files or execute commands on the 
system.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-03-01","description":"The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.","hash":"2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a","reference":"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","rule":"WEBSHELL_ASPX_SportsBall"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects CVE-2021-27065 Webshellz","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"CISA Code \u0026 Media Analysis","date":"2021-03-17","description":"Detects CVE-2021-27065 Webshellz","hash":"c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5","reference":"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a","rule":"WEBSHELL_HAFNIUM_CISA_10328929_01"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Chopper like ASPX Webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-31","description":"Detects Chopper like ASPX Webshells","hash1":"a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75","reference":"Internal Research","rule":"WEBSHELL_ASPX_FileExplorer_Mar21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Chopper like ASPX 
Webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-31","description":"Detects Chopper like ASPX Webshells","hash1":"ac44513e5ef93d8cbc17219350682c2246af6d5eb85c1b4302141d94c3b06c90","reference":"Internal Research","rule":"WEBSHELL_ASPX_Chopper_Like_Mar21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065","reference":"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","rule":"EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-08","description":"Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting","reference":"https://twitter.com/jdferrell3/status/1368626281970024448","rule":"LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Zach Stanford - @svch0st, Florian Roth","date":"2021-03-10","description":"Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity","modified":"2021-03-15","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log","reference_2":"https://www.praetorian.com/blog/reproducing-proxylogon-exploit/","rule":"EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Tofu Trojan","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance","date":"2017-02-28","description":"Detects Tofu Trojan","reference":"https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html","rule":"Tofu_Backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"detection for Hellsing implants","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Costin Raiu, Kaspersky Lab","copyright":"Kaspersky Lab","date":"2015-04-07","description":"detection for Hellsing implants","filetype":"PE","rule":"apt_hellsing_implantstrings","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Industroyer related 
custom port scaner output file","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-13","description":"Detects Industroyer related custom port scaner output file","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/x81cSy","rule":"Industroyer_Portscan_3_Output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Industroyer related malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-13","description":"Detects Industroyer related malware","hash1":"7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/x81cSy","rule":"Industroyer_Malware_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects IronGate APT Malware - Step7ProSim DLL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-04","description":"Detects IronGate APT Malware - Step7ProSim DLL","hash1":"0539af1a0cc7f231af8f135920a990321529479f6534c3b64e571d490e1514c3","hash2":"fa8400422f3161206814590768fc1a27cf6420fc5d322d52e82899ac9f49e14f","hash3":"5ab1672b15de9bda84298e0bb226265af09b70a9f0b26d6dfb7bdd6cbaed192d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/Mr6M2J","rule":"IronGate_APT_Step7ProSim_Gen","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Iron Panda malware DnsTunClient - file named.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-16","description":"Iron Panda malware DnsTunClient - file named.exe","hash":"a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/E4qia9","rule":"IronPanda_DNSTunClient","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Iron Panda Malware Htran","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-16","description":"Iron Panda Malware Htran","hash":"7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/E4qia9","rule":"IronPanda_Malware_Htran"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"ASPXSpy detection. It might be used by other fraudsters","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cyber Safety Solutions, Trend Micro","description":"ASPXSpy detection. 
It might be used by other fraudsters","reference":"http://goo.gl/T5fSJC","rule":"IronTiger_ASPXSpy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Iron Tiger Tool - wmi.vbs detection","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cyber Safety Solutions, Trend Micro","description":"Iron Tiger Tool - wmi.vbs detection","reference":"http://goo.gl/T5fSJC","rule":"IronTiger_wmiexec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Keylogger - generic rule for a Chinese variant","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Keylogger - generic rule for a Chinese variant","hash":"3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Keylogger_CN_APT","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects LinaDoor Linux Rootkit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-05-19","description":"Detects LinaDoor Linux 
Rootkit","hash1":"25ff1efe36eb15f8e19411886217d4c9ec30b42dca072b1bf22f041a04049cd9","hash2":"4792e22d4c9996af1cb58ed54fee921a7a9fdd19f7a5e7f268b6793cdd1ab4e7","hash3":"9067230a0be61347c0cf5c676580fc4f7c8580fc87c932078ad0c3f425300fb7","hash4":"940b79dc25d1988dabd643e879d18e5e47e25d0bb61c1f382f9c7a6c545bfcff","hash5":"a1df5b7e4181c8c1c39de976bbf6601a91cde23134deda25703bc6d9cb499044","hash6":"c4eea99658cd82d48aaddaec4781ce0c893de42b33376b6c60a949008a3efb27","hash7":"c5651add0c7db3bbfe0bbffe4eafe9cd5aa254d99be7e3404a2054d6e07d20e7","modified":"2023-05-16","reference":"Internal Research","rule":"MAL_LNX_LinaDoor_Rootkit_May22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Pupy RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-17","description":"Detects Pupy RAT","hash1":"8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations","rule":"APT_PupyRAT_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-04-03","description":"Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus 
group)","hash1":"69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf","hash3":"bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9","hash4":"dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9","hash5":"fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e","reference":"https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/","rule":"APT_NK_MAL_DLL_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-28","description":"Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021","reference":"https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/","rule":"APT_MAL_HP_iLO_Firmware_Dec21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Malware sample mentioned in Microcin technical report by Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-26","description":"Malware sample mentioned in Microcin technical report by Kaspersky","hash1":"b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf","rule":"Microcin_Sample_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"CommentCrew Malware MiniASP APT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"CommentCrew Malware MiniASP APT","hash0":"0af4360a5ae54d789a8814bf7791d5c77136d625","hash1":"777bf8def279942a25750feffc11d8a36cc0acf9","hash2":"173f20b126cb57fc8ab04d01ae223071e2345f97","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"APT_Malware_CommentCrew_MiniASP","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ShimRat and the ShimRat loader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)","date":"20/11/2015","description":"Detects ShimRat and the ShimRat loader","rule":"shimrat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ShimRatReporter","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)","date":"20/11/2015","description":"Detects 
ShimRatReporter","rule":"shimratreporter"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Moonlight Maze sniffer tools","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-15","description":"Rule to detect Moonlight Maze sniffer tools","hash":"927426b558888ad680829bd34b0ad0e7","original_filename":"ora;tdn","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_customsniffer","version":"1.1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool","hash":"8b56e8552a74133da4bc5939b5f74243","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_de_tool","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Moonlight Maze 'cle' log cleaning tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'cle' log cleaning 
tool","hash":"647d7b711f7b4434145ea30d0ef207b0","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_cle_tool","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Moonlight Maze 'xk' keylogger","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'xk' keylogger","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_xk_keylogger","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs the Nanocore RAT and similar malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-22","description":"Detetcs the Nanocore RAT and similar malware","hash1":"e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/","rule":"Nanocore_RAT_Gen_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs the Nanocore RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-22","description":"Detetcs the Nanocore 
RAT","hash1":"755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/","rule":"Nanocore_RAT_Gen_2","score":"100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects user function string from NCSC report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects user function string from NCSC report","hash":"b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"User_Function_String"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malicious batch file from NCSC report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects malicious batch file from NCSC report","hash":"b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Batch_Script_To_Run_PsExec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malicious batch file from NCSC 
report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects malicious batch file from NCSC report","hash":"0a6b1b29496d4514f6485e78680ec4cd0296ef4d21862d8bf363900a4f8e3fd2","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Batch_Powershell_Invoke_Inveigh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects RDP brute forcer from NCSC report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects RDP brute forcer from NCSC report","hash":"8234bf8a1b53efd2a452780a69666d1aedcec9eb1bb714769283ccc2c2bdcc65","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"RDP_Brute_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Z Webshell from NCSC report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects Z Webshell from NCSC report","hash":"ace12552f3a980f1eed4cadb02afe1bfb851cafc8e58fb130e1329719a07dbf0","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Z_WebShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Ruby loader seen 
loading the ROKRAT malware family.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-06-22","description":"Ruby loader seen loading the ROKRAT malware family.","hash1":"5bc52f6c1c0d0131cee30b4f192ce738ad70bcb56e84180f464a5125d1a784b2","license":"See license at https://github.com/volexity/threat-intel/LICENSE.txt","reference":"https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/","rule":"APT_RUBY_RokRat_Loader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings found in POOLRAT malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Mandiant","date":"2023-04-20","description":"Detects strings found in POOLRAT malware","disclaimer":"This rule is meant for hunting and is not tested to run in a production environment","hash1":"451c23709ecd5a8461ad060f6346930c","old_rule_name":"APT_NK_MAL_M_Hunting_POOLRAT","reference":"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise","rule":"SUSP_NK_MAL_M_Hunting_POOLRAT","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Oilrig malware samples","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-12","description":"Detects Oilrig malware 
samples","hash1":"c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d","hash2":"293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb","modified":"2023-01-07","reference":"https://goo.gl/QMRZ8K","rule":"OilRig_Malware_Campaign_Gen2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects OilRig malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Eyal Sela (slightly modified by Florian Roth)","date":"2018-01-19","description":"Detects OilRig malware","reference":"Internal Research","rule":"Oilrig_IntelSecurityManager_macro"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects APT34 PowerShell malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-17","description":"Detects APT34 PowerShell malware","hash1":"b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768","reference":"https://twitter.com/0xffff0800/status/1118406371165126656","rule":"APT_APT34_PS_Malware_Apr19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects APT34 PowerShell malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-17","description":"Detects APT34 PowerShell 
malware","hash1":"27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed","modified":"2023-01-06","reference":"https://twitter.com/0xffff0800/status/1118406371165126656","rule":"APT_APT34_PS_Malware_Apr19_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-12","description":"Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups","hash1":"30b2de0a802a65b4db3a14593126301e6949c1249e68056158b2cc74798bac97","hash2":"94bda24559713c7b8be91368c5016fc7679121fea5d565d3d11b2bb5d5529340","hash3":"a26e75fec3b9f7d5a1c3d0ce1e89e4b0befb7a601da0c69a4cf96301921771dd","hash4":"c202e9d5b99f6137c7c07305c7314e55f52bae832d460c44efc8f2a90ff03615","hash5":"dded62ad85c0bdd68bcc96f88d8ba42d5ad0ef999911ebdea3f561a4491ebbc6","hash6":"f0954774c91603fc2595f0ba0727b9af4e80f6f9be7bb629e7fb6ba4309ed4ea","hash7":"f3906be01d51e2e1ae9b03cd09702b6e0794b9c9fd7dc04024f897e96bb13232","hash8":"f65ae9ccf988a06a152f27a4c0d7992100a2d9d23d80efe8d8c2a5c9bd78a3a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/p32Ozf","rule":"ONHAT_Proxy_Hacktool","score":"100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Keylogger used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Keylogger used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_BackDoorLogger","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"ARP cache poisoner used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"ARP cache poisoner used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_Jasus","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Shell Creator used by attackers in Operation Cleaver to create ASPX web shells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Shell Creator used by attackers in Operation Cleaver to create ASPX web shells","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_ShellCreator2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Malware or hack tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Malware or hack tool used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_SmartCopy2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Malware or hack tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Malware or hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_SynFlooder","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Tiny Bot used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Tiny Bot used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_TinyZBot","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Keywords used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Keywords used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_ZhoupinExploitCrew","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hack tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_antivirusdetector","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Backdoor used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Backdoor used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_csext","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Backdoor used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Backdoor used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_kagent","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Mimikatz Wrapper used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Mimikatz Wrapper used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_mimikatzWrapper","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Parviz tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Parviz tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_pvz_in","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hack tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_zhLookUp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Mimikatz wrapper used by attackers in Operation 
Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Mimikatz wrapper used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_zhmimikatz","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"CCProxy config known from Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/12/02","description":"CCProxy config known from Operation Cleaver","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_CCProxy_Config","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware from Operation Cloud Hopper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-03","description":"Detects malware from Operation Cloud Hopper","hash1":"beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html","rule":"OpCloudHopper_Malware_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Malware related to Operation Cloud Hopper - Page 25","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Malware related to Operation Cloud Hopper - Page 25","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf","rule":"OpCloudHopper_WmiDLL_inMemory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Tools related to Operation Cloud Hopper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Tools related to Operation Cloud Hopper","hash1":"21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/maaaaz/impacket-examples-windows","rule":"VBS_WMIExec_Tool_Apr17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from CSharp version of Agent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from CSharp version of 
Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_Agent_Csharp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from PowerShell dropper of CSharp version of Agent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from PowerShell dropper of CSharp version of Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_powershell_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Piece of Base64 encoded data from Agent CSharp version","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from Agent CSharp version","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_powershell_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from Python version of Agent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from Python version of 
Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Piece of Base64 encoded data from Agent Python version","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from Agent Python version","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_py_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from Python keylogger","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from Python keylogger","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_keylogger_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the CSharp version of XServer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the CSharp version of 
XServer","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_csharp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Piece of Base64 encoded data from the XServer PowerShell dropper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from the XServer PowerShell dropper","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_powershell_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the PowerShell dropper of XServer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the PowerShell dropper of XServer","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_powershell_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Process injector/launcher","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Process 
injector/launcher","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_injector_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Timeliner utility","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Timeliner utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_timeliner_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Checkadmin utility","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Checkadmin utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_checkadmin_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Python getos utility","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Python getos utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_getos_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the information grabber 
VBS","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the information grabber VBS","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_info_vbs"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the console.jsp webshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the console.jsp webshell","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_console_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the ver.jsp webshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the ver.jsp webshell","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_ver_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Generic strings from webinfo.war webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Generic strings from webinfo.war 
webshells","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_webinfo"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PassCV Malware mentioned in Cylance Report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-20","description":"PassCV Malware mentioned in Cylance Report","hash1":"475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4","hash2":"009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78","hash3":"92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b","hash4":"0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies","rule":"PassCV_Sabre_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PoisonIvy RAT sample set","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects PoisonIvy RAT sample set","hash1":"8c2630ab9b56c00fd748a631098fa4339f46d42b","hash2":"36b4cbc834b2f93a8856ff0e03b7a6897fb59bd3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"PoisonIvy_Sample_6","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects Poseidon Group Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-09","description":"Detects Poseidon Group Malware","hash1":"337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4","hash2":"344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3","hash3":"432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61","hash4":"8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47","hash5":"d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f","hash6":"d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb","hash7":"ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/","rule":"PoseidonGroup_Malware","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-15","description":"Detects","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html","rule":"POSHSPY_Malware"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects scripts (mostly LUA) from Project Sauron report by 
Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects scripts (mostly LUA) from Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_Scripts"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Dsniff hack tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-19","description":"Detects Dsniff hack tool","reference":"https://goo.gl/eFoP4A","rule":"HKTL_Dsniff","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from arping module - Project Sauron report by Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from arping module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_arping_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from kblogi module - Project Sauron report by 
Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from kblogi module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_kblogi_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from basex module - Project Sauron report by Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from basex module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_basex_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from dext module - Project Sauron report by Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from dext module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_dext_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects PROMETHIUM and NEODYMIUM malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects PROMETHIUM and NEODYMIUM malware","hash1":"1aef507c385a234e8b10db12852ad1bd66a04730451547b2dcb26f7fae16e01f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8abDE6","rule":"PROMETHIUM_NEODYMIUM_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PROMETHIUM and NEODYMIUM malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects PROMETHIUM and NEODYMIUM malware","hash1":"2f98ac11c78ad1b4c5c5c10a88857baf7af43acb9162e8077709db9d563bcf02","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8abDE6","rule":"PROMETHIUM_NEODYMIUM_Malware_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects an APT malware related to PutterPanda","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects an APT malware related to PutterPanda","hash":"5367e183df155e3133d916f7080ef973f7741d34","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT 
Analysis","rule":"APT_Malware_PutterPanda_Rel","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects all QuarksPWDump versions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-29","description":"Detects all QuarksPWDump versions","hash1":"2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa","hash2":"87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f","hash3":"a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9","hash4":"c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab","hash5":"677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa","hash6":"d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674","hash7":"8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"QuarksPwDump_Gen","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Quasar RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Detects Quasar RAT","hash1":"0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740","hash2":"515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89","hash3":"f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf","rule":"Quasar_RAT_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects indicators found in DarkBit ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-13","description":"Detects indicators found in DarkBit ransomware","reference":"https://twitter.com/idonaor1/status/1624703255770005506?s=12\u0026t=mxHaauzwR6YOj5Px8cIeIw","rule":"MAL_RANSOM_DarkBit_Feb23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware from Rehashed RAT incident","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-08","description":"Detects malware from Rehashed RAT incident","hash1":"49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations","rule":"Rehashed_RAT_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects RevengeRAT malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-04","description":"Detects RevengeRAT 
malware","hash1":"2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a","hash2":"7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213","hash3":"fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2020-07-27","reference":"Internal Research","rule":"RevengeRAT_Sep17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Sakula malware - strings after unpacking (memory rule)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"David Cannings","description":"Sakula malware - strings after unpacking (memory rule)","md5":"b3852b9e7f2b8954be447121bb6b65c3","rule":"malware_sakula_memory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects an archive file created by P.A.S. for download operation","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO (modified by Florian Roth)","date":"2021-02-15","description":"Detects an archive file created by P.A.S. for download operation","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"WEBSHELL_PAS_webshell_ZIPArchiveFile","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects SQL dump file created by P.A.S. 
webshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects SQL dump file created by P.A.S. webshell","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"WEBSHELL_PAS_webshell_SQLDumpFile","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Configuration_Key","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects path of 
the unix socket created to prevent concurrent executions in Exaramel malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Socket_Path","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects names of the tasks received from the CC server in Exaramel malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects names of the tasks received from the CC server in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Task_Names","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Strings used by Exaramel malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO (composed from 4 saparate rules by Florian Roth)","date":"2021-02-15","description":"Detects Strings used by Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Strings","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects shell script used by Sandworm in attack against Exim mail 
server","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects shell script used by Sandworm in attack against Exim mail server","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_SH_Sandworm_Shell_Script_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Sandworm Python loader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects Sandworm Python loader","hash1":"c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca","reference":"https://twitter.com/billyleonard/status/1266054881225236482","rule":"APT_RU_Sandworm_PY_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/28","description":"Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and 
http://goo.gl/WXUQcP","hash1":"8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9","hash2":"d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d","hash3":"3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference1":"http://goo.gl/MUUfjv","reference2":"http://goo.gl/WXUQcP","rule":"ScanBox_Malware_Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-09-14","description":"A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim","hash1":"1c9664513fe226beb53268b58b11dacc35b80a12c50c22b76382304badf4eb00","hash2":"6025c66c2eaae30c0349731beb8a95f8a5ba1180c5481e9a49d474f4e1bb76a4","hash3":"6594b75939bcdab4253172f0fa9066c8aee2fa4911bd5a03421aeb7edcd9c90c","license":"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt","memory_suitable":"1","reference":"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/","rule":"APT_SharpTongue_JS_SharpExt_Chrome_Extension","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance","date":"2017-02-09","description":"Detects a 
","reference":"https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar","rule":"StreamEx_ShellCrew","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware sample mentioned in the Silence report on Securelist","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-11-01","description":"Detects malware sample mentioned in the Silence report on Securelist","hash1":"75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securelist.com/the-silence/83009/","rule":"Silence_malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Sofacy Fysbis Linux Backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-13","description":"Detects Sofacy Fysbis Linux Backdoor","hash1":"02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592","hash2":"8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/","rule":"Sofacy_Fybis_ELF_Backdoor_Gen1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects webshell access mentioned in FireEye's SUNBURST 
report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-12-21","description":"Detects webshell access mentioned in FireEye's SUNBURST report","reference":"https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/","rule":"LOG_APT_WEBSHELL_Solarwinds_SUNBURST_Report_Webshell_Dec20_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"STUXSHOP_config","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"JAG-S (turla@chronicle.security)","desc":"Stuxshop standalone sample configuration","hash":"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579","reference":"https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0","rule":"STUXSHOP_config"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"inveigh pen testing tools \u0026 related artifacts","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US-CERT Code Analysis Team (modified by Florian Roth)","date":"2017/07/17","description":"inveigh pen testing tools \u0026 related 
artifacts","hash0":"61C909D2F625223DB2FB858BBDF42A76","hash1":"A07AA521E7CAFB360294E56969EDA5D6","hash10":"4595DBE00A538DF127E0079294C87DA0","hash2":"BA756DD64C1147515BA2298B6A760260","hash3":"8943E71A8C73B5E343AA9D2E19002373","hash4":"04738CA02F59A5CD394998A99FCD9613","hash5":"038A97B4E2F37F34B255F0643E49FC9D","hash6":"65A1A73253F04354886F375B59550B46","hash7":"AA905A3508D9309A93AD5C0EC26EBC9B","hash8":"5DBEF7BDDAF50624E840CCBCE2816594","hash9":"722154A36F32BA10E98020A8AD758A7A","reference":"https://www.us-cert.gov/ncas/alerts/TA17-293A","rule":"TA17_293A_malware_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects TeleBots malware - IntercepterNG","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects TeleBots malware - IntercepterNG","hash1":"5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/4if3HG","rule":"TeleBots_IntercepterNG"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Liudoor daemon backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"RSA FirstWatch","date":"2015-07-23","description":"Detects Liudoor daemon backdoor","hash0":"78b56bc3edbee3a425c96738760ee406","hash1":"5aa0510f6f1b0e48f0303b9a4bfc641e","hash2":"531d30c8ee27d62e6fbe855299d0e7de","hash3":"2be2ac65fd97ccc97027184f0310f2f3","hash4":"6093505c7f7ec25b1934d3657649ef07","rule":"APT_Liudoor","type":"Win32 
DLL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Turla malware (based on sample used in the RUAG APT case)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects Turla malware (based on sample used in the RUAG APT case)","family":"Turla","hash1":"0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4","hash10":"2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2","hash2":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash3":"fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd","hash4":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","hash5":"b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4","hash6":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","hash7":"8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a","hash8":"8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98","hash9":"0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"Turla_APT_Malware_Gen1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware used in the RUAG APT case","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects malware used in the RUAG APT 
case","hash1":"0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4","hash2":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash3":"fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd","hash4":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","modified":"2023-01-06","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"RUAG_APT_Malware_Gen2","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Turla malware (based on sample used in the RUAG APT case)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects Turla malware (based on sample used in the RUAG APT case)","family":"Turla","hash1":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","hash2":"b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4","hash3":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","hash4":"8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a","hash5":"8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98","hash6":"0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f","hash7":"2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2","hash8":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash9":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"Turla_APT_Malware_Gen3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-03-28","alert":"Rule for detection of Nautilus related strings","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC UK / Florian Roth","date":"2017/11/23","description":"Rule for detection of Nautilus related strings","reference":"https://www.ncsc.gov.uk/alerts/turla-group-malware","rule":"Nautilus_forensic_artificats","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects artefacts found in Hermetic Wiper malware related intrusions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-02-25","description":"Detects artefacts found in Hermetic Wiper malware related intrusions","reference":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","rule":"APT_UA_Hermetic_Wiper_Artefacts_Feb22_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects scheduled task pattern found in Hermetic Wiper malware related intrusions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-02-25","description":"Detects scheduled task pattern found in Hermetic Wiper malware related intrusions","reference":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","rule":"APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-03-28","alert":"Detects SombRAT samples from UNC2447 campaign","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-01","description":"Detects SombRAT samples from UNC2447 campaign","hash1":"61e286c62e556ac79b01c17357176e58efb67d86c5d17407e128094c3151f7f9","hash2":"99baffcd7a6b939b72c99af7c1e88523a50053ab966a079d9bf268aff884426e","modified":"2023-01-07","reference":"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html","rule":"APT_UNC2447_MAL_SOMBRAT_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects WARPRISM PowerShell samples from UNC2447 campaign","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-01","description":"Detects WARPRISM PowerShell samples from UNC2447 campaign","hash1":"3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80","hash2":"63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806","hash3":"b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735","reference":"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html","rule":"APT_UNC2447_PS1_WARPRISM_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DEWMODE webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2021-02-22","description":"Detects DEWMODE webshells","hash1":"2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7","hash2":"5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b","reference":"https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html","rule":"WEBSHELL_APT_PHP_DEWMODE_UNC2546_Feb21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-24","description":"Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong","hash1":"2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac","hash2":"5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://threatconnect.com/camerashy/?utm_campaign=CameraShy","rule":"Unit78020_Malware_Gen3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings identifying the core REDLEAVES RAT in its deobfuscated state","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"USG","description":"Strings identifying the core REDLEAVES RAT in its deobfuscated state","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"REDLEAVES_CoreImplant_UniqueStrings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects specific RedLeaves and PlugX binaries","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"MD5_1":"598FF82EA4FB52717ACAFB227C83D474","MD5_2":"7D10708A518B26CC8C3CBFBAA224E032","MD5_3":"AF406D35C77B1E0DF17F839E36BCE630","MD5_4":"6EB9E889B091A5647F6095DCD4DE7C83","MD5_5":"566291B277534B63EAFC938CDAAB8A399E41AF7D","author":"US-CERT Code Analysis Team","date":"2017-04-03","description":"Detects specific RedLeaves and PlugX binaries","incident":"10118538","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"PLUGX_RedLeaves"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Symantec Security Response","date":"22.01.2015","description":"Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component","reference":"http://t.co/rF35OaAXrl","rule":"WaterBug_wipbot_2013_dll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects powershell script used in Operation Wilted Tulip","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects powershell script used in Operation Wilted Tulip","hash1":"e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_powershell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Windows scheduled task as used in Operation Wilted Tulip","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects a Windows scheduled task as used in Operation Wilted Tulip","hash1":"4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_Windows_UM_Task"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects hack tool used in Operation Wilted Tulip - Windows Tasks","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects hack tool used in Operation Wilted Tulip - Windows Tasks","hash1":"c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c","hash2":"340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d","hash3":"b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01","hash4":"5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a","hash5":"984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_WindowsTask"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PlugX Malware Samples from June 2016","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-08","description":"Detects PlugX Malware Samples from June 2016","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Research","rule":"PlugX_J16_Gen2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Winnti sample 
- file NlaifSvc.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Winnti sample - file NlaifSvc.dll","hash1":"964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/VbvJtL","rule":"Winnti_NlaifSvc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/25","description":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","hash":"7ad0eb113bc575363a058f4bf21dbab8c8f7073a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/NpJpVZ","rule":"WoolenGoldfish_Sample_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/25","description":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","hash1":"86222ef166474e53f1eb6d7e6701713834e6fee7","hash2":"e8dbcde49c7f760165ebb0cb3452e4f1c24981f5","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/NpJpVZ","rule":"WoolenGoldfish_Generic_3","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a ZxShell - CN threat group","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-08","description":"Detects a ZxShell - CN threat group","hash1":"5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blogs.rsa.com/cat-phishing/","rule":"ZxShell_Jul17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"BernhardPOS Credit Card dumping tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Hoffman / Jeremy Humble","description":"BernhardPOS Credit Card dumping tool","last_update":"2015-07-14","md5":"e49820ef02ba5308ff84e4c8c12e7c3d","reference":"http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick","rule":"BernhardPOS","score":"70","source":"Morphick Inc."}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Bluenoroff POS malware - hkp.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"http://blog.trex.re.kr/","date":"2018-06-07","description":"Bluenoroff POS malware - 
hkp.dll","reference":"http://blog.trex.re.kr/3?category=737685","rule":"BluenoroffPoS_DLL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Find documents saved from the same potential Cobalt Gang PDF template","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Palo Alto Networks Unit 42","date":"2018-10-25","description":"Find documents saved from the same potential Cobalt Gang PDF template","reference":"https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/","rule":"Cobaltgang_PDF_Metadata_Rev_A"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Triggers on strings of known DearCry samples","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nils Kuhnert","date":"2021-03-12","description":"Triggers on strings of known DearCry samples","hash1":"2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff","hash2":"e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6","hash3":"feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede","reference":"https://twitter.com/phillip_misner/status/1370197696280027136","rule":"MAL_RANSOM_Crime_DearCry_Mar2021_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects unpacked SystemBC module as used by Emotet in March 2022","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Thomas Barabosch, Deutsche 
Telekom Security","date":"2022-03-11","description":"Detects unpacked SystemBC module as used by Emotet in March 2022","hash1":"c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5","malpedia_reference":"https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc","reference":"https://twitter.com/Cryptolaemus1/status/1502069552246575105","reference2":"https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6","rule":"EXT_MAL_SystemBC_Mar22_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EternalRocks Malware - file taskhost.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-05-18","description":"Detects EternalRocks Malware - file taskhost.exe","hash1":"cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/stamparm/status/864865144748298242","rule":"EternalRocks_taskhost"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Fireball malware - file clearlog.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-02","description":"Detects Fireball malware - file clearlog.dll","hash1":"14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/4pTkGQ","rule":"clearlog"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"2021 loader for Bokbot / Icedid core (license.dat)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Thomas Barabosch, Telekom Security","date":"2021-04-13","description":"2021 loader for Bokbot / Icedid core (license.dat)","reference":"https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240","rule":"MAL_IcedId_Core_LDR_202104"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Match protocol, process injects and windows exploit present in KINS dropper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"AlienVault Labs aortega@alienvault.com","description":"Match protocol, process injects and windows exploit present in KINS dropper","reference":"http://goo.gl/arPhm3","rule":"KINS_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Darkside Ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-10","description":"Detects Darkside 
Ransomware","hash1":"ec368752c2cf3b23efbfa5705f9e582fc9d6766435a7b8eea8ef045082c6fbce","reference":"https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/","rule":"MAL_RANSOM_Darkside_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-20","description":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","reference":"https://us-cert.cisa.gov/ncas/alerts/aa21-259a","rule":"LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-20","description":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","reference":"https://us-cert.cisa.gov/ncas/alerts/aa21-259a","rule":"LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects exploitation attempts against Confluence servers abusing a RCE reported as 
CVE-2021-26084","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-01","description":"Detects exploitation attempts against Confluence servers abusing a RCE reported as CVE-2021-26084","reference":"https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md","rule":"LOG_EXPL_Confluence_RCE_CVE_2021_26084_Sep21","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-12","description":"Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228","reference":"https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b","rule":"EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j exploitation","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-10","description":"Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j 
exploitation","modified":"2021-12-17","reference":"https://twitter.com/marcioalm/status/1470361495405875200?s=20","rule":"SUSP_JDNIExploit_Error_Indicators_Dec21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-13","description":"Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3","reference":"https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/","rule":"EXPL_ManageEngine_CVE_2022_47966_Jan23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects webshells dropped by DropHell malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-11-01","description":"Detects webshells dropped by DropHell malware","reference":"https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside","rule":"WEBSHELL_ProxyShell_Exploitation_Nov21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects indicators found after SpringCore exploitation attempts and in the POC script","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-03-30","description":"Detects indicators found after SpringCore 
exploitation attempts and in the POC script","reference":"https://twitter.com/vxunderground/status/1509170582469943303","rule":"EXPL_POC_SpringCore_0day_Indicators_Mar22_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-08-30","description":"Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system","reference":"https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server","rule":"LOG_EXPL_ProxyToken_Exploitation_Aug21_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-04-08","description":"Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954","modified":"2022-04-12","reference":"https://github.com/sherlocksecurity/VMware-CVE-2022-22954","reference2":"https://twitter.com/rwincey/status/1512241638994853891/photo/1","rule":"EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artefacts indicating successful exploitation of F5 BIG 
IP appliances as reported by NCCGroup","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-20","description":"Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup","reference":"https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/","rule":"LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects signs of exploitation of GitLab CE CVE-2021-22205","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-26","description":"Detects signs of exploitation of GitLab CE CVE-2021-22205","reference":"https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/","rule":"EXPL_GitLab_CE_RCE_CVE_2021_22205","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects payloads used in Shitrix exploitation CVE-2019-19781","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-01-13","description":"Detects payloads used in Shitrix exploitation 
CVE-2019-19781","reference":"https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/","rule":"EXPL_Shitrix_Exploit_Code_Jan20_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detection for Dimorf ransomeware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Silas Cutler","date":"2023-01-03","description":"Detection for Dimorf ransomeware","reference":"https://github.com/Ort0x36/Dimorf","rule":"MAL_PY_Dimorf","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects CobaltStrike payloads","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Payload_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects CobaltStrike payloads","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Beacon_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file 
Get-SecurityPackages.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Get-SecurityPackages.ps1","hash1":"5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Get_SecurityPackages"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-PowerDump.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-PowerDump.ps1","hash1":"095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_PowerDump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-ShellcodeMSIL.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-ShellcodeMSIL.ps1","hash1":"9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_ShellcodeMSIL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-SmbScanner.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-SmbScanner.ps1","hash1":"9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_SmbScanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-EgressCheck.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-EgressCheck.ps1","hash1":"e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_EgressCheck"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file 
Invoke-PostExfil.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-PostExfil.ps1","hash1":"00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_PostExfil"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-SMBAutoBrute.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-SMBAutoBrute.ps1","hash1":"7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_SMBAutoBrute"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Get-Keystrokes.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Get-Keystrokes.ps1","hash1":"c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Get_Keystrokes"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-DllInjection.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-DllInjection.ps1","hash1":"304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_DllInjection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file KeePassConfig.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file KeePassConfig.ps1","hash1":"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_KeePassConfig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-11-05","description":"Detects Empire component","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash2":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash3":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","hash4":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash5":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerShell_Framework_Gen1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1","hash1":"ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerUp_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire 
component","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash3":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash5":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","hash6":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash8":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerShell_Framework_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1","hash2":"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_KeePassConfig_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-Portscan.ps1, 
Invoke-Portscan.ps1","hash2":"cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_Portscan_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash2":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, 
Invoke-ReflectivePEInjection.ps1","hash1":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash2":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash3":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.","md5":"7af24305a409a2b8f83ece27bb0f7900","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"Hunting_GadgetToJScript_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"HackTool_MSIL_SharPersist_2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","md5":"98ecf58d48a3eae43899b45cec0fc6b7","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"HackTool_MSIL_SharPersist_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"CredTheft_MSIL_ADPassHunt_2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","md5":"6efb58cf54d1bb45c057efcfbbd68a93","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"CredTheft_MSIL_ADPassHunt_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Identifies GoRat malware in memory based on strings.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"Identifies GoRat malware in memory based on strings.","md5":"3b926b5762e13ceec7ac3a61e85c93bb","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Backdoor_Win_GoRat_Memory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"APT_Builder_PY_REDFLARE_2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","date":"2020-12-01","md5":"4410e95de247d7f1ab649aa640ee86fb","modified":"2020-12-01","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Builder_PY_REDFLARE_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects FireEye's Python 
Redflar","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","date":"2020-11-27","description":"Detects FireEye's Python Redflar","md5":"d0a830403e56ebaa4bfbe87dbfdee44f","modified":"2020-11-27","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Builder_PY_REDFLARE_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","hash":"d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_Py_v3_3_to_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 
3.13","hash":"ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects CactusTorch Hacktool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-31","description":"Detects CactusTorch Hacktool","hash1":"314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c","hash2":"0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea","hash3":"a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mdsecactivebreach/CACTUSTORCH","rule":"CACTUSTORCH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects URL mentioned in report on compromised Github repositories in August 2022","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-08-03","description":"Detects URL mentioned in report on compromised Github repositories in August 2022","reference":"https://twitter.com/stephenlacy/status/1554697077430505473","rule":"MAL_Github_Repo_Compromise_MyJino_Ru_Aug22","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects HawkEye Keylogger 
Reborn","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-10","description":"Detects HawkEye Keylogger Reborn","hash1":"b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad","reference":"https://twitter.com/James_inthe_box/status/1072116224652324870","rule":"MAL_HawkEye_Keylogger_Gen_Dec18"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Venom - a library that meant to perform evasive communication using stolen browser socket","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Ido Veltzman, Florian Roth","date":"2022-12-17","description":"Detects Venom - a library that meant to perform evasive communication using stolen browser socket","reference":"https://github.com/Idov31/Venom","rule":"HKTL_Venom_LIB_Dec22","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Compiled Impacket Tools","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Compiled Impacket 
Tools","hash1":"4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3","hash10":"4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a","hash11":"47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d","hash12":"7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2","hash13":"9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f","hash14":"d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7","hash15":"8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699","hash16":"efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769","hash17":"e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b","hash18":"19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4","hash19":"2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086","hash2":"d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3","hash20":"202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094","hash3":"2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1","hash4":"ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6","hash5":"e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742","hash6":"27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364","hash7":"dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98","hash8":"0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b","hash9":"21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/maaaaz/impacket-examples-windows","rule":"Impacket_Tools_Generic_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Invoke-Mimikatz 
String","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-03","description":"Detects Invoke-Mimikatz String","hash1":"f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz","rule":"Invoke_Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Invoke-WmiExec or Invoke-SmbExec","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-14","description":"Detects Invoke-WmiExec or Invoke-SmbExec","hash1":"140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97","hash2":"7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Kevin-Robertson/Invoke-TheHash","rule":"Invoke_WMIExec_Gen_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file kerberoast.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-21","description":"Auto-generated rule - file kerberoast.py","hash1":"73155949b4344db2ae511ec8cab85da1ccbf2dfec3607fb9acdc281357cdf380","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/skelsec/PyKerberoast","rule":"kerberoast_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Khepri C2 framework beacons","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-08","description":"Detects Khepri C2 framework beacons","hash1":"86c48679db5f4c085fd741ebec5235bc6cf0cdf8ef2d98fd8a689ceb5088f431","reference":"https://github.com/geemion/Khepri/","rule":"HKTL_Khepri_Beacon_Sep21_1","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Reflective DLL Loader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader","hash1":"f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Reflective DLL Loader - suspicious - Possible FP could be program crack","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader - suspicious - Possible FP could be program 
crack","hash1":"c2a7a2d0b05ad42386a2bedb780205b7c0af76fe9ee3d47bbe217562f627fcae","hash2":"b90831aaf8859e604283e5292158f08f100d4a2d4e1875ea1911750a6cb85fe0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_2","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Reflective DLL Loader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader","hash1":"d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-12-21","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PowerShell AMSI Bypass","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-19","description":"Detects PowerShell AMSI Bypass","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1","rule":"PS_AMSI_Bypass","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects MSHTA 
Bypass","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-19","description":"Detects MSHTA Bypass","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/ItsReallyNick/status/887705105239343104","rule":"JS_Suspicious_MSHTA_Bypass","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious Javascript Run command","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-23","description":"Detects a suspicious Javascript Run command","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/craiu/status/900314063560998912","rule":"JavaScript_Run_Suspicious","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"VT Research QA uploaded malware - file vqgk.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-29","description":"VT Research QA uploaded malware - file vqgk.dll","hash1":"99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-12-21","reference":"VT Research QA","rule":"Malware_QA_vqgk","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Merlin agent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Hilko Bengen","date":"2017-12-26","description":"Detects Merlin agent","filetype":"pe, elf, mach","reference":"https://github.com/Ne0nd0g/merlin","rule":"merlinAgent"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Metasploit Loader by RSMudge - file loader.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-20","description":"Detects a Metasploit Loader by RSMudge - file loader.exe","hash1":"afe34bfe2215b048915b1d55324f1679d598a0741123bc24274d4edc6e395a8d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/rsmudge/metasploit-loader","rule":"Metasploit_Loader_RSMudge"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf-psh.vba","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-psh.vba","hash1":"5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_psh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf-exe.vba","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-exe.vba","hash1":"321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf.psh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.psh","hash1":"335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf.aspx","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.aspx","hash1":"26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal 
Research","rule":"Msfpayloads_msf_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf-cmd.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-cmd.ps1","hash1":"9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_cmd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf-ref.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-ref.ps1","hash1":"4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_ref"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PowerShell with PE Reflective Injection","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Benjamin DELPY (gentilkiwi)","description":"PowerShell with PE Reflective Injection","rule":"power_pe_injection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects a log file generated by malicious hack tool mimikatz","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/31","description":"Detects a log file generated by malicious hack tool mimikatz","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mimikatz_Logfile","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Mimikittenz - file Invoke-mimikittenz.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-07-19","description":"Detects Mimikittenz - file Invoke-mimikittenz.ps1","hash1":"14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/putterpanda/mimikittenz","rule":"Invoke_mimikittenz","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Mimipenguin Password Extractor - Linux","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-01","description":"Detects Mimipenguin Password Extractor - Linux","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/huntergregal/mimipenguin","rule":"Mimipenguin_SH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Bella MacOS/OSX backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"John Lambert @JohnLaTwC","date":"2018-02-23","description":"Bella MacOS/OSX backdoor","hash":"4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be","reference":"https://twitter.com/JohnLaTwC/status/911998777182924801","rule":"OSX_backdoor_Bella"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs","hash1":"6a3ba991d3b5d127c4325bc194b3241dde5b3a5853b78b4df1bce7cbe87c0fdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedPowerCat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file 
p0wnedPotato.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs","hash1":"aff2b694a01b48ef96c82daf387b25845abbe01073b76316f1aab3142fdb235b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedPotato"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs","hash1":"54548e7848e742566f5596d8f02eca1fd2cbfeae88648b01efb7bab014b9301b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedExploits"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs","hash1":"fd7014625b58d00c6e54ad0e587c6dba5d50f8ca4b0f162d5af3357c2183c7a7","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedBinaries"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs","hash1":"345e8e6f38b2914f4533c4c16421d372d61564a4275537e674a2ac3360b19284","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedAmsiBypass"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedShell_outputs","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects characteristics of suspicious file names or double extensions often found in phishing mail 
attachments","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-29","description":"Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments","hash1":"caaa5c5733fca95804fffe70af82ee505a8ca2991e4cc05bc97a022e5f5b331c","hash2":"a746d8c41609a70ce10bc69d459f9abb42957cc9626f2e83810c1af412cb8729","reference":"https://twitter.com/0xtoxin/status/1540524891623014400?s=12\u0026t=IQ0OgChk8tAIdTHaPxh0Vg","rule":"SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Pirpi Backdoor - and other malware (generic rule)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects Pirpi Backdoor - and other malware (generic rule)","hash1":"2a5a0bc350e774bd784fc25090518626b65a3ce10c7401f44a1616ea2ae32f4c","hash2":"8caa179ec20b6e3938d17132980e0b9fe8ef753a70052f7e857b339427eb0f78","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"Pirpi_1609_A"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Pirpi Backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects Pirpi 
Backdoor","hash1":"498b98c02e19f4b03dc6a3a8b6ff8761ef2c0fedda846ced4b6f1c87b52468e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"Pirpi_1609_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects hack tool PowerShdll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-03","description":"Detects hack tool PowerShdll","hash1":"4d33bc7cfa79d7eefc5f7a99f1b052afdb84895a411d7c30045498fd4303898a","hash2":"f999db9cc3a0719c19f35f0e760f4ce3377b31b756d8cd91bb8270acecd7be7d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/p3nt4/PowerShdll","rule":"PowerShdll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PowerShell ISESteroids obfuscation","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-23","description":"Detects PowerShell ISESteroids obfuscation","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/danielhbohannon/status/877953970437844993","rule":"PowerShell_ISESteroids_Obfuscation"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file 
Invoke-Shellcode.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-Shellcode.ps1","hash1":"24abe9f3f366a3d269f8681be80c99504dea51e50318d83ee42f9a4c7435999a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Shellcode","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file Invoke-Mimikatz.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-Mimikatz.ps1","hash1":"5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Mimikatz","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file Invoke-RelfectivePEInjection.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-RelfectivePEInjection.ps1","hash1":"510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_RelfectivePEInjection","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file Persistence.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Persistence.ps1","hash1":"e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Persistence","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1","hash1":"5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8","hash2":"510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection","score":"80","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files Inveigh-BruteForce.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Inveigh-BruteForce.ps1","hash1":"a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Inveigh_BruteForce_2","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files Persistence.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Persistence.ps1","hash1":"e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Persistence_2","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files Inveigh-BruteForce.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files 
Inveigh-BruteForce.ps1","hash3":"a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Inveigh_BruteForce_3","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Base64 encoded PS1 Shellcode","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Carr, David Ledbetter","date":"2018-11-14","description":"Detects Base64 encoded PS1 Shellcode","reference":"https://twitter.com/ItsReallyNick/status/1062601684566843392","rule":"Base64_PS1_Shellcode","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-27","description":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","hash1":"19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Invoke_OSiRis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Pupy backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-11","description":"Detects Pupy 
backdoor","hash1":"ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153","hash2":"83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4","hash3":"90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc","hash4":"20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8","hash5":"06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e","hash6":"be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2","hash7":"8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/n1nj4sec/pupy-binaries","rule":"Pupy_Backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Adzok RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"Versions":"Free 1.0.0.3,","author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.05.2015","description":"Detects Adzok RAT","filetype":"jar","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Adzok","rule":"RAT_Adzok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Ap0calypse RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Ap0calypse RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Ap0calypse","rule":"RAT_Ap0calypse"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects BlackShades RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Brian Wallace (@botnet_hunter)","date":"01.04.2014","description":"Detects BlackShades RAT","family":"blackshades","reference":"http://blog.cylance.com/a-study-in-bots-blackshades-net","rule":"RAT_BlackShades"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BlueBanana RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects BlueBanana RAT","filetype":"Java","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/BlueBanana","rule":"RAT_BlueBanana"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Bozok RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Bozok RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Bozok","rule":"RAT_Bozok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ClientMesh RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve 
performance)","date":"01.06.2014","description":"Detects ClientMesh RAT","family":"torct","reference":"http://malwareconfig.com/stats/ClientMesh","rule":"RAT_ClientMesh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DarkComet RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects DarkComet RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/DarkComet","rule":"RAT_DarkComet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DarkRAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects DarkRAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/DarkRAT","rule":"RAT_DarkRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects JavaDropper RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.10.2015","description":"Detects JavaDropper RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/JavaDropper","rule":"RAT_JavaDropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects LostDoor RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects LostDoor RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/LostDoor","rule":"RAT_LostDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Paradox RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Paradox RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Paradox","rule":"RAT_Paradox"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects QRAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen @KevTheHermit","date":"01.08.2015","description":"Detects QRAT","filetype":"jar","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com","rule":"RAT_QRat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ShadowTech RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects ShadowTech 
RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/ShadowTech","rule":"RAT_ShadowTech"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Sub7Nation RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.04.2014","description":"Detects Sub7Nation RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Sub7Nation","rule":"RAT_Sub7Nation"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Vertex RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Vertex RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Vertex","rule":"RAT_Vertex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Adwind RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Adwind RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/adWind","rule":"RAT_adWind"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects unrecom RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects unrecom RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/unrecom","rule":"RAT_unrecom"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Red Sails Hacktool - Python","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-10-02","description":"Detects Red Sails Hacktool - Python","hash1":"6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661","hash2":"5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/BeetleChunks/redsails","rule":"redSails_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects code which uses the python lib sectools","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2023-01-27","description":"Detects code which uses the python lib sectools","hash":"8cd205d5380278cff6673520439057e78fb8bf3d2b1c3c9be8463e949e5be4a1","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/p0dalirius/sectools","rule":"HKTL_Python_sectools","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects an executable that has been encoded with base64 twice","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-29","description":"Detects an executable that has been encoded with base64 twice","hash1":"1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9","reference":"https://twitter.com/TweeterCyber/status/1189073238803877889","rule":"SUSP_Double_Base64_Encoded_Executable"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-10","description":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","reference":"Internal Research","rule":"SUSP_PS1_JAB_Pattern_Jun22_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects a suspicious ","license":"Detection Rule License 
1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100","rule":"Suspicious_Script_Running_from_HTTP","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious command line with netsh and the portproxy command","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-20","description":"Detects a suspicious command line with netsh and the portproxy command","hash1":"9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09","reference":"https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy","rule":"SUSP_Netsh_PortProxy_Command","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects method to disable ETW in ENV vars before executing a program","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-06","description":"Detects method to disable ETW in ENV vars before executing a program","reference":"https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3","rule":"SUSP_Disable_ETW_Jun20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool that can be used for privilege escalation - file 
gp3finder_v4.0.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-02","description":"Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe","hash1":"7d34e214ef2ca33516875fb91a72d5798f89b9ea8964d3990f99863c79530c06","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/","rule":"Win_PrivEsc_gp3finder_v4_0","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool that can be used for privilege escalation - file folderperm.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-02","description":"Detects a tool that can be used for privilege escalation - file folderperm.ps1","hash1":"1aa87df34826b1081c40bb4b702750587b32d717ea6df3c29715eb7fc04db755","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.greyhathacker.net/?p=738","rule":"Win_PrivEsc_folderperm","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects simple Windows shell - file s3.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - file 
s3.exe","hash":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_s3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects simple Windows shell - file s1.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - file s1.exe","hash":"4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindosShell_s1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe","hash1":"a7c3d85eabac01e7a7ec914477ea9f17e3020b3b2f8584a46a98eb6a2a7611c5","hash2":"4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd","hash3":"df0693caae2e5914e63e9ee1a14c1e9506f13060faed67db5797c9e61f3907f0","hash4":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","hash5":"f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects simple Windows shell - from files s3.exe, s4.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - from files s3.exe, s4.exe","hash1":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","hash2":"f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file WMImplant.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-24","description":"Auto-generated rule - file WMImplant.ps1","hash1":"860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html","rule":"WMImplant"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Ysoserial Payloads - file 
Spring1.bin","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial Payloads - file Spring1.bin","hash1":"bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703","hash2":"9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a","hash3":"8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8","hash4":"5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c","hash5":"95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1","hash6":"1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187","hash7":"adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload_Spring1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Ysoserial Payloads","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial 
Payloads","hash1":"9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a","hash10":"0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8","hash11":"8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8","hash12":"bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703","hash13":"f756c88763d48cb8d99e26b4773eb03814d0bd9bd467cc743ebb1479b2c4073e","hash2":"adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7","hash3":"1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187","hash4":"5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c","hash5":"747ba6c6d88470e4d7c36107dfdff235f0ed492046c7ec8a8720d169f6d271f4","hash6":"f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929","hash7":"5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56","hash8":"95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1","hash9":"1fea8b54bb92249203d68d5564a01599b42b46fc3a828fe0423616ee2a2f2d99","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin","hash1":"f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929","hash2":"5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload_3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"NTML Hash Dump output file - John/LC format","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-10-01","description":"NTML Hash Dump output file - John/LC format","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"NTLM_Dump_Output","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects payload generated by exe2hex","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-15","description":"Detects payload generated by exe2hex","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/g0tmi1k/exe2hex","rule":"Payload_Exe2Hex","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects NatBypass tool (also used by APT41)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-12-27","description":"Detects NatBypass tool (also used by 
APT41)","hash1":"4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff","reference":"https://github.com/cw1997/NATBypass","rule":"HKTL_NATBypass_Dec22_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-12","description":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout","limit":"Logscan","modified":"2020-12-16","reference":"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs","rule":"LOG_TeamViewer_Connect_Chinese_Keyboard_Layout","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-12","description":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout","limit":"Logscan","modified":"2022-12-07","reference":"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs","rule":"LOG_TeamViewer_Connect_Russian_Keyboard_Layout","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects SALTWATER 
malware used in Barracuda ESG exploitations (CVE-2023-2868)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-07","description":"Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868)","hash1":"601f44cc102ae5a113c0b5fe5d18350db8a24d780c0ff289880cc45de28e2b80","reference":"https://www.barracuda.com/company/legal/esg-vulnerability","rule":"MAL_ELF_SALTWATER_Jun23_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BPFDoor malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-05-11","description":"Detects BPFDoor malware","hash1":"afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7","reference":"https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game","rule":"MAL_LNX_RedMenshen_BPFDoor_May23_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BPFDoor implants used by Chinese actor Red Menshen","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-05-08","description":"Detects BPFDoor implants used by Chinese actor Red 
Menshen","hash1":"144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3","hash2":"fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73","reference":"https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896","rule":"APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BPFDoor/Tricephalic Hellkeeper passive implant","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Exatrack","date":"2022-05-09","description":"Detects BPFDoor/Tricephalic Hellkeeper passive implant","reference":"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf","rule":"APT_MAL_LNX_RedMenshen_BPFDoor_Tricephalic_Implant_May22","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects LockBit ransomware samples for Linux and macOS","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-15","description":"Detects LockBit ransomware samples for Linux and 
macOS","hash1":"0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e","hash2":"9ebcbaf3c9e2bbce6b2331238ab584f95f7ced326ca4aba2ddcc8aa8ee964f66","hash3":"a405d034c01a357a89c9988ffe8a46a165915df18fd297469b2bcaaf97578442","hash4":"c9cac06c9093e9026c169adc3650b018d29c8b209e3ec511bbe34cbe1638a0d8","hash5":"dc3d08480f5e18062a0643f9c4319e5c3f55a2e7e93cd8eddd5e0c02634df7cf","hash6":"e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096","hash7":"0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde","hash8":"3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79","reference":"https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20","rule":"MAL_RANSOM_LNX_macOS_LockBit_Apr23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects indicators found in LockBit ransomware log files","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects indicators found in LockBit ransomware log files","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_Locker_LOG_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artifacts found in LockBit intrusions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects forensic artifacts found in LockBit 
intrusions","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-04","description":"Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh","hash1":"10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459","reference":"https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14","rule":"MAL_RANSOM_SH_ESXi_Attacks_Feb23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ransomware exploiting and encrypting ESXi servers","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-04","description":"Detects ransomware exploiting and encrypting ESXi servers","hash1":"11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66","reference":"https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14","rule":"MAL_RANSOM_ELF_ESXi_Attacks_Feb23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Python backdoor found on ESXi 
servers","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-12-14","description":"Detects Python backdoor found on ESXi servers","reference":"https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers","rule":"APT_PY_ESXi_Backdoor_Dec22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect the EquationLaser malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"copyright":"Kaspersky Lab","description":"Rule to detect the EquationLaser malware","last_modified":"2015-02-16","reference":"https://securelist.com/blog/","rule":"apt_equation_equationlaser_runtimeclasses","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems) @4nc4p","date":"2015/03/11","description":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","hash":"ff2b50f371eb26f22eb8a2118e9ab0e015081500","reference":"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/","rule":"EquationDrug_HDDSSD_Op"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"FiveEyes QUERTY Malware - file 
20123_cmdDef.xml","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20123_cmdDef.xml","hash":"7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20123_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"FiveEyes QUERTY Malware - file 20123.xml","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20123.xml","hash":"edc7228b2e27df9e7ff9286bddbf4e46adb51ed9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwareqwerty_20123"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"FiveEyes QUERTY Malware - file 20120_cmdDef.xml","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20120_cmdDef.xml","hash":"cda9ceaf0a39d6b8211ce96307302a53dfbd71ea","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20120_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"FiveEyes QUERTY Malware - file 20121_cmdDef.xml","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20121_cmdDef.xml","hash":"64ac06aa4e8d93ea6063eade7ce9687b1d035907","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20121_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Malware Sample - maybe Regin related","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Malware Sample - maybe Regin related","hash":"76c355bfeb859a347e38da89e3d30a6ff1f94229","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"Regin_Related_Malware","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Windows Credential Editor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Windows Credential 
Editor","rule":"WindowsCredentialEditor","score":"90","threat_level":"10"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Amplia Security Tool like Windows Credential Editor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2013-01-01","description":"Detects Amplia Security Tool like Windows Credential Editor","modified":"2023-02-14","nodeepdive":"1","rule":"HKTL_Amplia_Security_Tool","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PwDump 6 variant","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Marc Stroebel","date":"2014-04-24","description":"PwDump 6 variant","rule":"PwDump","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PScan - Port Scanner","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"F. 
Roth","description":"PScan - Port Scanner","rule":"PScan_Portscan_1","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hacktool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Hacktool","rule":"HackTool_Samples","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This signature detects the Fierce2 domain scanner","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the Fierce2 domain scanner","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Fierce2","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This signature detects the Ncrack brute force tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the Ncrack brute force tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Ncrack","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This signature detects the SQLMap SQL injection 
tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the SQLMap SQL injection tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"SQLMap","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file PortScanner.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file PortScanner.exe","hash":"b381b9212282c0c650cb4b0323436c63","rule":"PortScanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file NetBIOS Name Scanner.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file NetBIOS Name Scanner.exe","hash":"888ba1d391e14c0a9c829f5a1964ca2c","rule":"NetBIOS_Name_Scanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file ipscan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file 
ipscan.exe","hash":"6c1bcf0b1297689c8c4c12cc70996a75","rule":"FeliksPack3___Scanners_ipscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file IP Stealing Utilities.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file IP Stealing Utilities.exe","hash":"65646e10fb15a2940a37c5ab9f59c7fc","rule":"IP_Stealing_Utilities"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file PortRacer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file PortRacer.exe","hash":"2834a872a0a8da5b1be5db65dfdef388","rule":"PortRacer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file scanarator.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file scanarator.exe","hash":"848bd5a518e0b6c05bd29aceb8536c46","rule":"scanarator"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file =Bitchin 
Threads=.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file =Bitchin Threads=.exe","hash":"7491b138c1ee5a0d9d141fbfd1f0071b","rule":"_Bitchin_Threads_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file portscan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file portscan.exe","hash":"a8bfdb2a925e89a281956b1e3bb32348","rule":"portscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file ProPort.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ProPort.exe","hash":"c1937a86939d4d12d10fc44b7ab9ab27","rule":"ProPort_zip_Folder_ProPort"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file StealthWasp's Basic PortScanner 
v1.2.exe","hash":"7c0f2cab134534cd35964fe4c6a1ff00","rule":"StealthWasp_s_Basic_PortScanner_v1_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file BluesPortScan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file BluesPortScan.exe","hash":"6292f5fc737511f91af5e35643fc9eef","rule":"BluesPortScan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file iis.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file iis.exe","hash":"3a8fc02c62c8dd65e038cc03e5451b6e","rule":"scanarator_iis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file ipscan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ipscan.exe","hash":"70cf2c09776a29c3e837cb79d291514a","rule":"Angry_IP_Scanner_v2_08_ipscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file 
Loader.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file Loader.exe","hash":"f4f79358a6c600c1f0ba1f7e4879a16d","rule":"crack_Loader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects the backdoor Beastdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Detects the backdoor Beastdoor","hash":"5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Beastdoor_Backdoor","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Powershell version of the Netcat network hacking tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"10.10.2014","description":"Detects a Powershell version of the Netcat network hacking tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Powershell_Netcat","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a chinese Portscanner named MilkT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"12.10.2014","description":"Detects a chinese Portscanner named MilkT","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"CN_Hacktool_MilkT_Scanner","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Modified (packed) version of Windows Credential Editor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Modified (packed) version of Windows Credential Editor","hash":"09a412ac3c85cedce2642a19e99d8f903a2e0354","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WCE_Modified_1_1014","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"iKAT hack tools set agent - file ikat.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"05.11.14","description":"iKAT hack tools set agent - file ikat.exe","hash":"c802ee1e49c0eae2a3fc22d2e82589d857f96d94","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://ikat.ha.cked.net/Windows/functions/ikatfiles.html","rule":"iKAT_command_lines_agent","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Tool to hide unhide the windows startbar from command line - iKAT hack tools - file 
startbar.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"05.11.14","description":"Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe","hash":"0cac59b80b5427a8780168e1b85c540efffaf74f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://ikat.ha.cked.net/Windows/functions/ikatfiles.html","rule":"iKAT_startbar","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file BypassUac2.zip","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator","description":"Auto-generated rule - file BypassUac2.zip","hash":"ef3e7dd2d1384ecec1a37254303959a43695df61","rule":"BypassUac2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"APT Malware - Proxy","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FRoth","date":"2014-11-10","description":"APT Malware - Proxy","hash":"6b6a86ceeab64a6cb273debfa82aec58","rule":"APT_Proxy_Malware_Packed_dev","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file nc.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"17.11.14","description":"Disclosed hacktool set - file nc.exe","hash":"001c0c01c96fa56216159f83f6f298755366e528","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Ncat_Hacktools_CN","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file cs.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file cs.exe","hash":"a3e9e0655447494253a1a60dbc763d9661181322","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"MS08_067_Exploit_Hacktools_CN","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file sql.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file sql.exe","hash":"d5139b865e99b7a276af7ae11b14096adb928245","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_sql","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file 445TOOL.rar","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed 
hacktool set - file 445TOOL.rar","hash":"92050ba43029f914696289598cf3b18e34457a11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Panda_445TOOL","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file s.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file s.exe","hash":"7665011742ce01f57e8dc0a85d35ec556035145d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_WinEggDrop","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file Burst.rar","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file Burst.rar","hash":"ce8e3d95f89fb887d284015ff2953dbdb1f16776","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Panda_Burst","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file GOGOGO.bat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file 
GOGOGO.bat","hash":"4bd4f5b070acf7fe70460d7eefb3623366074bbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_GOGOGO_Bat","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file pass.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file pass.txt","hash":"55a05cf93dbd274355d798534be471dff26803f9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_pass","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file JoHor_Posts_Killer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file JoHor_Posts_Killer.exe","hash":"d157f9a76f9d72dba020887d7b861a05f2e56b6a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_JoHor_Posts_Killer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file Start.bat - DoS tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014-11-17","description":"Disclosed hacktool set - 
file Start.bat - DoS tool","hash":"75d194d53ccc37a68286d246f2a84af6b070e30c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","rule":"Hacktools_CN_Burst_Start","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file Blast.bat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file Blast.bat","hash":"b07702a381fa2eaee40b96ae2443918209674051","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_Blast","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"22.11.14","description":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe","hash":"166fa8c5a0ebb216c832ab61bf8872da556576a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"VUBrute_VUBrute","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"22.11.14","description":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini","hash":"b9f66b9265d2370dab887604921167c11f7d93e9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/xiIphp","rule":"VUBrute_config","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file listip.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file listip.exe","hash":"f32a0c5bf787c10eb494eb3b83d0c7a035e7172b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_listip","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll","hash":"4867214a3d96095d14aa8575f0adbb81a9381e6c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ArtTrayHookDll","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file 
EditServer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditServer.exe","hash":"87b29c9121cac6ae780237f7e04ee3bc1a9777d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file letmein.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file letmein.exe","hash":"74d223a56f97b223a640e4139bb9b94d8faa895d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_letmein","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file token.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file token.exe","hash":"c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_token","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old 
stuff) - file webget.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file webget.exe","hash":"36b5a5dee093aa846f906bbecf872a4e66989e42","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_webget","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file ASPack Chinese.ini","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file ASPack Chinese.ini","hash":"02a9394bc2ec385876c4b4f61d72471ac8251a8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ASPack_Chinese","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt","hash":"dfa90540b0e58346f4b6ea12e30c1404e15fbe5a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditKeyLogReadMe","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file readme.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file readme.txt","hash":"a52545ae62ddb0ea52905cbb61d895a51bfe9bcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer_zip_Folder_readme","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file EditKeyLog.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditKeyLog.exe","hash":"a450c31f13c23426b24624f53873e4fc3777dc6b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditKeyLog","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file PassSniffer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file PassSniffer.exe","hash":"dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file InjectT.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InjectT.exe","hash":"80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"UnPack_rar_Folder_InjectT","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt","hash":"820674b59f32f2cf72df50ba4411d7132d863ad2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Jc_WinEggDrop_Shell","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file TBack.DLL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file 
TBack.DLL","hash":"30fc9b00c093cec54fcbd753f96d0ca9e1b2660f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"UnPack_rar_Folder_TBack","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file Inject.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file Inject.exe","hash":"34f564301da528ce2b3e5907fd4b1acb7cb70728","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ByPassFireWall_zip_Folder_Inject","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file sqlcmd.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file sqlcmd.exe","hash":"b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_sqlcmd","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file 2323.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed 
hacktool set (old stuff) - file 2323.exe","hash":"21812186a9e92ee7ddc6e91e4ec42991f0143763","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_2323","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file CleanIISLog.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file CleanIISLog.exe","hash":"827cd898bfe8aa7e9aaefbe949d26298f9e24094","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"CleanIISLog","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file sqlcheck.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file sqlcheck.exe","hash":"5a5778ac200078b627db84fdc35bf5bcee232dc7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sqlcheck","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file RunAsEx.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file RunAsEx.exe","hash":"a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_RunAsEx","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file splitjoin.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file splitjoin.exe","hash":"21409117b536664a913dcd159d6f4d8758f43435","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"SplitJoin_V1_3_3_rar_Folder_3","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file InstGina.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InstGina.exe","hash":"5317fbc39508708534246ef4241e78da41a4f31c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"InstGina","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file 
findoor.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file findoor.exe","hash":"cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_findoor","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file InjectT.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InjectT.exe","hash":"516e80e4a25660954de8c12313e2d7642bdb79dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WinEggDropShellFinal_zip_Folder_InjectT","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file gina.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file gina.dll","hash":"e0429e1b59989cbab6646ba905ac312710f5ed30","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"gina_zip_Folder_gina","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file xsniff.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file xsniff.exe","hash":"d61d7329ac74f66245a92c4505a327c85875c577","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_xsniff","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file fscan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file fscan.exe","hash":"d5646e86b5257f9c83ea23eca3d86de336224e55","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_fscan","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe","hash0":"9d4e7611a328eb430a8bb6dc7832440713926f5f","hash1":"ae23522a3529d3313dd883727c341331a1fb1ab9","hash2":"7ffc496cd4a1017485dfb571329523a52c9032d8","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"_FsHttp_FsPop_FsSniffer","score":"60","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/12/22","description":"Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe","hash1":"b130611c92788337c4f6bb9e9454ff06eb409166","hash2":"07539abb2623fe24b9a05e240f675fa2d15268cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/gkAg2E","rule":"Ammyy_Admin_AA_v3","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Linux hack tools - file scanssh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file scanssh","hash":"467398a6994e2c1a66a3d39859cde41f090623ad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_scanssh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Linux hack tools - file pscan2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2015/01/19","description":"Linux hack tools - file pscan2","hash":"56b476cba702a4423a2d805a412cae8ef4330905","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_pscan2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Linux hack tools - file a","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file a","hash":"458ada1e37b90569b0b36afebba5ade337ea8695","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_a"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Linux hack tools - file mass","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file mass","hash":"2054cb427daaca9e267b252307dad03830475f15","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_mass"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll","hash0":"af419603ac28257134e39683419966ab3d600ed2","hash1":"c5cb4f75cf241f5a9aea324783193433a42a13b0","hash2":"135f6a28e958c8f6a275d8677cfa7cb502c8a822","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset__XScanLib_XScanLib_XScanLib","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe","hash":"a931d65de66e1468fe2362f7f2e0ee546f225c4e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset_NTscan_PipeCmd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe","hash":"8542c7fb8291b02db54d2dc58cd608e612bfdc57","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset_sig_1433_135_sqlr","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-10-01","description":"Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"VSSown_VBS","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Network domain enumeration tool - often used by attackers - file Nv.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Network domain enumeration tool - often used by attackers - file Nv.exe","hash":"52cec98839c3b7d9608c865cfebc904b4feae0bada058c2e8cdbd561cfa1420a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mubix/netview","rule":"Netview_Hacktool","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Network domain enumeration tool output - often used by attackers - file 
filename.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Network domain enumeration tool output - often used by attackers - file filename.txt","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mubix/netview","rule":"Netview_Hacktool_Output","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Linux Port Scanner Shark","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-01","description":"Detects Linux Port Scanner Shark","hash1":"5f80bd2db608a47e26290f3385eeb5bfc939d63ba643f06c4156704614def986","hash2":"90af44cbb1c8a637feda1889d301d82fff7a93b0c1a09534909458a64d8d8558","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35","rule":"Linux_Portscan_Shark_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects dnscat2 - from files dnscat, dnscat2.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-15","description":"Detects dnscat2 - from files dnscat, dnscat2.exe","hash1":"8bc8d6c735937c9c040cbbdcfc15f17720a7ecef202a19a7bf43e9e1c66fe66a","hash2":"4a882f013419695c8c0ac41d8a0fde1cf48172a89e342c504138bc6f1d13c7c8","license":"Detection 
Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://downloads.skullsecurity.org/dnscat2/","rule":"dnscat2_Hacktool","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Windows Credential Editor (WCE) in memory (and also on disk)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-28","description":"Detects Windows Credential Editor (WCE) in memory (and also on disk)","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"WCE_in_memory","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups - file pstgdump.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file pstgdump.exe","hash1":"65d48a2f868ff5757c10ed796e03621961954c523c71eac1c5e044862893a106","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"pstgdump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a 
tool used by APT groups","hash1":"efa66f6391ec471ca52cd053159c8a8778f11f921da14e6daf76387f8c9afcd5","hash2":"e0327c1218fd3723e20acc780e20135f41abca35c35e0f97f7eccac265f4f44e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"lsremora"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups - file fgexec.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file fgexec.exe","hash1":"8697897bee415f213ce7bc24f22c14002d660b8aaffab807490ddbf4f3f20249","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"fgexec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe","hash1":"cf58ca5bf8c4f87bb67e6a4e1fb9e8bada50157dacbd08a92a4a779e40d569c4","hash2":"e38edac8c838a043d0d9d28c71a96fe8f7b7f61c5edf69f1ce0c13e141be281f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"cachedump","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups - file PwDump.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file PwDump.exe","hash1":"3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"PwDump_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects an XML that executes Mimikatz on an endpoint via MSBuild","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-07","description":"Detects an XML that executes Mimikatz on an endpoint via MSBuild","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml","rule":"MSBuild_Mimikatz_Execution_via_XML"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects POC code from disclosed 0day hacktool set","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-07","description":"Detects POC code from disclosed 0day hacktool set","hash1":"ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed 0day Repos","rule":"Disclosed_0day_POCs_injector"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a process injection utility that can be used ofr good and bad purposes","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-23","description":"Detects a process injection utility that can be used ofr good and bad purposes","hash1":"456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c","rule":"ProcessInjector_Gen","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Lazagne PW Dumper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Markus Neis / Florian Roth","date":"2018-03-22","description":"Detects Lazagne PW Dumper","reference":"https://github.com/AlessandroZ/LaZagne/releases/","rule":"Lazagne_PW_Dumper","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects susupicious bash command","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Tobias Michalski","date":"2018-05-18","description":"Detects susupicious bash 
command","hash1":"36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b","reference":"https://github.com/0x00-0x00/ShellPop","rule":"SUSP_shellpop_Bash"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Lazagne password extractor hacktool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-11","description":"Detects Lazagne password extractor hacktool","hash1":"51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf","license":"https://creativecommons.org/licenses/by-nc/4.0/","reference":"https://github.com/AlessandroZ/LaZagne","rule":"HKTL_Lazagne_Gen_18","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects NoPowerShell hack tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-28","description":"Detects NoPowerShell hack tool","hash1":"2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70","modified":"2022-12-21","reference":"https://github.com/bitsadmin/nopowershell","rule":"HKTL_NoPowerShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file iMHaPFtp.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file iMHaPFtp.php","hash":"12911b73bc6a5d313b494102abcf5c57","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_iMHaPFtp_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file guo.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file guo.php","hash":"9e69a8f499c660ee0b4796af14dc08f0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_guo","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file redcod.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file redcod.php","hash":"5c1c8120d82f46ff9d813fbe3354bac5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_redcod","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file server.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file server.php","hash":"d87b019e74064aa90e2bb143e5e16cfa","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_sh_server","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file cihshell_fix.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cihshell_fix.php","hash":"3823ac218032549b86ee7c26f10c4cb5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_cihshell_fix","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file up.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.php","hash":"7edefb8bd0876c41906f4b39b52cd0ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file EFSO_2.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file EFSO_2.asp","hash":"a341270f9ebd01320a7490c12cb2e64c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_EFSO_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file up.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.jsp","hash":"515a5dd86fe48f673b72422cccf5a585","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file Server Variables.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Server Variables.asp","hash":"47fb8a647e441488b30f92b4d39003d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Server_Variables","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file ice.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file ice.php","hash":"1d6335247f58e0a5b03e17977888f5f2","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_ice_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file phpspy2010.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file phpspy2010.php","hash":"14ae0e4f5349924a5047fed9f3b105c5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpspy2010","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file ice.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file ice.asp","hash":"d141e011a92f48da72728c35f1934a2b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_ice","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file 404.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.asp","hash":"d9fa1e8513dbf59fa5d130f389032a2d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file webshell-cnseay02-1.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file webshell-cnseay02-1.php","hash":"95fc76081a42c4f26912826cb1bd24b1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshell_cnseay02_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file fbi.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file fbi.php","hash":"1fb32f8e58c8deb168c06297a04a21f1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_fbi","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file B374k.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file B374k.php","hash":"bed7388976f8f1d90422e8795dff1ea6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_B374kPHP_B374k","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file list.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file list.php","hash":"922b128ddd90e1dc2f73088956c548ed","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_list","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file 404.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.php","hash":"ee94952dc53d9a29bdf4ece54c7a7aa7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file aspydrv.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file aspydrv.asp","hash":"de0a58f7d1e200d0b2c801a94ebce330","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_ASP_aspydrv","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file Dx.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Dx.php","hash":"9cfe372d49fe8bf2fac8e1c534153d9b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Dx_Dx","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file MySQL Web Interface Version 0.8.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file MySQL Web Interface Version 0.8.php","hash":"36d4f34d0a22080f47bb1cb94107c60f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_MySQL_Web_Interface_Version_0_8","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file odd.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file odd.php","hash":"594d1b1311bbef38a0eb3d6cbb1ab538","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpkit_1_0_odd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file idc.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file idc.php","hash":"7c5b1b30196c51f1accbffb80296395f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_wsb_idc","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file 404.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.php","hash":"ced050df5ca42064056a7ad610a191b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file webshell-cnseay-x.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file webshell-cnseay-x.php","hash":"a0f9f7f5cd405a514a7f3be329f380e5","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshell_cnseay_x","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file up.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.asp","hash":"f775e721cfe85019fe41c34f47c0d67c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file odd.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file odd.php","hash":"3c30399e7480c09276f412271f60ed01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpkit_0_1a_odd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file k81.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file k81.jsp","hash":"41efc5c71b6885add9c1d516371bd6af","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_k81","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file cmdjsp.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cmdjsp.jsp","hash":"b815611cc39f17f05a73444d699341d4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_cmdjsp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file Java Shell.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Java Shell.jsp","hash":"36403bc776eb12e8b7cc0eb47c8aac83","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Java_Shell","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file r57142.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file r57142.php","hash":"0911b6e6b8f4bcb05599b2885a7fe8a8","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_r57142","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file simple-backdoor.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file simple-backdoor.php","hash":"f091d1b9274c881f8e41b2f96e6b9936","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_simple_backdoor","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file cmd.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cmd.php","hash":"c38ae5ba61fd84f6bbbab98d89d8a346","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_cmd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file co.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file co.php","hash":"62199f5ac721a0cb9b28f465a513874c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_co","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file 150.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 150.php","hash":"400c4b0bed5c90f048398e1d268ce4dc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_150","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file c37.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file c37.php","hash":"d01144c04e7a46870a8dd823eb2fe5c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_c37","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file b37.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file b37.php","hash":"0421445303cfd0ec6bc20b3846e30ff0","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_b37","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file bug (1).php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file bug (1).php","hash":"91c5fae02ab16d51fc5af9354ac2f015","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_bug_1_","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files ghost_source.php, icesword.php, silic.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files ghost_source.php, icesword.php, silic.php","hash0":"cbf64a56306c1b5d98898468fc1fdbd8","hash1":"6e20b41c040efb453d57780025a292ae","hash2":"437d30c94f8eef92dc2f064de4998695","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_ghost_source_icesword_silic","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web 
Shell","hash0":"37603e44ee6dc1c359feb68a0d566f76","hash1":"a7e25b8ac605753ed0c438db93f6c498","hash10":"e9a5280f77537e23da2545306f6a19ad","hash11":"598eef7544935cf2139d1eada4375bb5","hash12":"fa87bbd7201021c1aefee6fcc5b8e25a","hash2":"fb8c6c3a69b93e5e7193036fd31a958d","hash3":"36331f2c81bad763528d0ae00edf55be","hash4":"793b3d0a740dbf355df3e6f68b8217a4","hash5":"8979594423b68489024447474d113894","hash6":"ec482fc969d182e5440521c913bab9bd","hash7":"f98d2b33cd777e160d1489afed96de39","hash8":"4b4c12b3002fad88ca6346a873855209","hash9":"4cc68fa572e88b669bce606c7ace0ae9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"1b5102bdc41a7bc439eea8f0010310a5","hash1":"f8a6d5306fb37414c5c772315a27832f","hash2":"37cb1db26b1b0161a4bf678a6b4565bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files jsp-reverse.jsp, 
jsp-reverse.jsp, jspbd.jsp","hash0":"8b0e6779f25a17f0ffb3df14122ba594","hash1":"ea87f0c1f0535610becadf5a98aca2fc","hash2":"7d5e9732766cf5b8edca9b7ae2b6028f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_reverse_jsp_reverse_jspbd","score":"50","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"a2516ac6ee41a7cf931cbaef1134a9e4","hash1":"ef43fef943e9df90ddb6257950b3538f","hash10":"6fcc283470465eed4870bcc3e2d7f14d","hash2":"ae025c886fbe7f9ed159f49593674832","hash3":"911195a9b7c010f61b66439d9048f400","hash4":"697dae78c040150daff7db751fc0c03c","hash5":"513b7be8bd0595c377283a7c87b44b2e","hash6":"1d912c55b96e2efe8ca873d6040e3b30","hash7":"e5b2131dd1db0dbdb43b53c5ce99016a","hash8":"4108f28a9792b50d95f95b9e5314fa1e","hash9":"41af6fd253648885c7ad2ed524e0692d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, 
jHn.php","hash0":"8ae9d2b50dc382f0571cd7492f079836","hash1":"e2830d3286001d1455479849aacbbb38","hash2":"bd6d3b2763c705a01cc2b3f105a25fa4","hash3":"40c6ecf77253e805ace85f119fe1cebb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_itsec_PHPJackal_itsecteam_shell_jHn","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"0b19e9de790cd2f4325f8c24b22af540","hash1":"f3ca29b7999643507081caab926e2e74","hash2":"527cf81f9272919bf872007e21c4bdda","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"3e4ba470d4c38765e4b16ed930facf2c","hash1":"aa17b71bb93c6789911bd1c9df834ff9","hash2":"b68bfafc6059fd26732fa07fb6f7f640","hash3":"40a1f840111996ff7200d18968e42cfe","hash4":"e0202adff532b28ef1ba206cf95962f2","hash5":"802f5cae46d394b297482fd0c27cb2fc","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp","hash0":"2eeb8bf151221373ee3fd89d58ed4d38","hash1":"059058a27a7b0059e2c2f007ad4675ef","hash2":"8b457934da3821ba58b06a113e0d53d9","hash3":"d44df8b1543b837e57cc8f25a0a68d92","hash4":"e0354099bee243702eb11df8d0e046df","hash5":"90a5ba0c94199269ba33a58bc6a4ad99","hash6":"655722eaa6c646437c8ae93daac46ae0","hash7":"591ca89a25f06cf01e4345f98a22845c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, 
antichat.php","hash0":"ae025c886fbe7f9ed159f49593674832","hash1":"513b7be8bd0595c377283a7c87b44b2e","hash2":"1d912c55b96e2efe8ca873d6040e3b30","hash3":"4108f28a9792b50d95f95b9e5314fa1e","hash4":"3f71175985848ee46cc13282fbed2269","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"2eeb8bf151221373ee3fd89d58ed4d38","hash1":"059058a27a7b0059e2c2f007ad4675ef","hash10":"341298482cf90febebb8616426080d1d","hash11":"29aebe333d6332f0ebc2258def94d57e","hash12":"42654af68e5d4ea217e6ece5389eb302","hash13":"88fc87e7c58249a398efd5ceae636073","hash14":"4a812678308475c64132a9b56254edbc","hash15":"9626eef1a8b9b8d773a3b2af09306a10","hash16":"e0354099bee243702eb11df8d0e046df","hash17":"344f9073576a066142b2023629539ebd","hash18":"32dea47d9c13f9000c4c807561341bee","hash19":"90a5ba0c94199269ba33a58bc6a4ad99","hash2":"ae76c77fb7a234380cd0ebb6fe1bcddf","hash20":"655722eaa6c646437c8ae93daac46ae0","hash21":"b9744f6876919c46a29ea05b1d95b1c3","hash22":"6acc82544be056580c3a1caaa4999956","hash23":"6aa32a6392840e161a018f3907a86968","hash24":"591ca89a25f06cf01e4345f98a22845c","hash25":"349ec229e3f8eda0f9eb918c74a8bf4c","hash26":"3ea688e3439a1f56b16694667938316d","hash27":"ab77e4d1006259d7cbc15884416ca88c","hash28":"71097537a91fac6b01f46f66ee2d7749","hash29":"2434a7a07cb47ce25b41d30bc291cacc","hash3":"76037ebd781ad0eac363d56fc81f4b4f","hash30":"7a4b090619ecce6f7bd838fe5c58554b","hash4":"8b457934da3821ba58b06a113e0d53d9","hash5":"d44df8b1543b837e57cc8f25a0a68d92"
,"hash6":"fc44f6b4387a2cb50e1a63c66a8cb81c","hash7":"14e9688c86b454ed48171a9d4f48ace8","hash8":"b330a6c2d49124ef0729539761d6ef0b","hash9":"d71716df5042880ef84427acee8b121e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_000_403_807_a_c5_config_css_dm_he1p_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php","hash0":"b68bfafc6059fd26732fa07fb6f7f640","hash1":"42f211cec8032eb0881e87ebdb3d7224","hash2":"40a1f840111996ff7200d18968e42cfe","hash3":"0712e3dc262b4e1f98ed25760b206836","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web 
Shell","hash0":"38fd7e45f9c11a37463c3ded1c76af4c","hash1":"9c34adbc8fd8d908cbb341734830f971","hash10":"b8f261a3cdf23398d573aaf55eaf63b5","hash11":"0d2c2c151ed839e6bafc7aa9c69be715","hash12":"41af6fd253648885c7ad2ed524e0692d","hash13":"6fcc283470465eed4870bcc3e2d7f14d","hash2":"ef43fef943e9df90ddb6257950b3538f","hash3":"ae025c886fbe7f9ed159f49593674832","hash4":"911195a9b7c010f61b66439d9048f400","hash5":"697dae78c040150daff7db751fc0c03c","hash6":"513b7be8bd0595c377283a7c87b44b2e","hash7":"1d912c55b96e2efe8ca873d6040e3b30","hash8":"e5b2131dd1db0dbdb43b53c5ce99016a","hash9":"4108f28a9792b50d95f95b9e5314fa1e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_c99_locus7s_c99_w4cking_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files r57shell127.php, r57_kartal.php, r57.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files r57shell127.php, r57_kartal.php, r57.php","hash0":"ae025c886fbe7f9ed159f49593674832","hash1":"1d912c55b96e2efe8ca873d6040e3b30","hash2":"4108f28a9792b50d95f95b9e5314fa1e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_r57shell127_r57_kartal_r57","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file con2.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file con2.asp","hash":"d3584159ab299d546bd77c9654932ae3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_con2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file Expdoor.com ASP.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file Expdoor.com ASP.asp","hash":"caef01bb8906d909f24d1fa109ea18a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Expdoor_com_ASP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file php2.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php2.php","hash":"fbf2e76e6f897f6f42b896c855069276","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file bypass-iisuser-p.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file bypass-iisuser-p.asp","hash":"924d294400a64fa888a79316fb3ccd90","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_bypass_iisuser_p","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file 404super.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file 404super.php","hash":"7ed63176226f83d36dce47ce82507b28","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_sig_404super","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file JSP.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file JSP.jsp","hash":"495f1a0a4c82f986f4bdf51ae1898ee7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_JSP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file webshell-123.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014-03-28","description":"Web shells - generated from file webshell-123.php","hash":"2782bb170acaed3829ea9a04f0ac7218","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","rule":"webshell_webshell_123","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file dev_core.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file dev_core.php","hash":"55ad9309b006884f660c41e53150fc2e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_dev_core","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file pHp.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file pHp.php","hash":"b0e842bdf83396c3ef8c71ff94e64167","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_pHp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file pppp.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file pppp.php","hash":"cf01cb6e09ee594545693c5d327bdd50","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_pppp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file code.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file code.php","hash":"a444014c134ff24c0be5a05c02b81a79","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_code","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file xxxx.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file xxxx.php","hash":"5bcba70b2137375225d8eedcde2c0ebb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_xxxx","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file PHP1.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file PHP1.php","hash":"14c7281fdaf2ae004ca5fec8753ce3cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_PHP1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file asp1.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file asp1.asp","hash":"b63e708cd58ae1ec85cf784060b69cad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_asp1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file php6.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php6.php","hash":"ea75280224a735f1e445d244acdfeb7b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php6","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file GetPostpHp.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file GetPostpHp.php","hash":"20ede5b8182d952728d594e6f2bb5c76","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_GetPostpHp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file php5.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php5.php","hash":"cf2ab009cbd2576a806bfefb74906fdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php5","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file PHP.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file PHP.php","hash":"a524e7ae8d71e37d2fd3e5fbdab405ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_PHP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file Asp.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file Asp.asp","hash":"32c87744ea404d0ea0debd55915010b7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_Asp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file perlbot.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file perlbot.pl.txt","hash":"7e4deb9884ffffa5d82c22f8dc533a45","rule":"perlbot_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file php-backdoor.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file php-backdoor.php.txt","hash":"2b5cb105c4ea9b5ebc64705b4bd86bf7","rule":"php_backdoor_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass 
Exploit.php.txt","hash":"c6eeacbe779518ea78b8f7ed5f63fc11","rule":"Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file shankar.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shankar.php.php.txt","hash":"6eb9db6a3974e511b7951b8f7e7136bb","rule":"shankar_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Casus15.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Casus15.php.php.txt","hash":"5e2ede2d1c4fa1fcc3cbfe0c005d7b13","rule":"Casus15_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file small.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file small.php.php.txt","hash":"fcee6226d09d150bfa5f103bee61fbde","rule":"small_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
shellbot.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shellbot.pl.txt","hash":"b2a883bc3c03a35cfd020dd2ace4bab8","rule":"shellbot_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file fuckphpshell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file fuckphpshell.php.txt","hash":"554e50c1265bb0934fcc8247ec3b9052","rule":"fuckphpshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file ngh.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ngh.php.php.txt","hash":"c372b725419cdfd3f8a6371cfeebc2fd","rule":"ngh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file jsp-reverse.jsp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
jsp-reverse.jsp.txt","hash":"8b0e6779f25a17f0ffb3df14122ba594","rule":"jsp_reverse_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Tool.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Tool.asp.txt","hash":"8febea6ca6051ae5e2ad4c78f4b9c1f2","rule":"Tool_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file NT Addy.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file NT Addy.asp.txt","hash":"2e0d1bae844c9a8e6e351297d77a1fec","rule":"NT_Addy_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt","hash":"089ff24d978aeff2b4b2869f0c7d38a3","rule":"SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
phvayvv.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phvayvv.php.php.txt","hash":"35fb37f3c806718545d97c6559abd262","rule":"phvayvv_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file r57shell.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file r57shell.php.php.txt","hash":"d28445de424594a5f14d0fe2a7c4e94f","rule":"r57shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file rst_sql.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file rst_sql.php.php.txt","hash":"0961641a4ab2b8cb4d2beca593a92010","rule":"rst_sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file wh_bindshell.py.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
wh_bindshell.py.txt","hash":"fab20902862736e24aaae275af5e049c","rule":"wh_bindshell_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt","hash":"5ea4f901ce1abdf20870c214b3231db3","rule":"lurm_safemod_on_cgi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt","hash":"d27292895da9afa5b60b9d3014f39294","rule":"c99madshell_v2_0_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file w3d.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file w3d.php.php.txt","hash":"987f66b29bfb209a0b4f097f84f57c3b","rule":"w3d_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file WinX 
Shell.html.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file WinX Shell.html.txt","hash":"17ab5086aef89d4951fe9b7c7a561dda","rule":"WinX_Shell_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Dx.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Dx.php.php.txt","hash":"9cfe372d49fe8bf2fac8e1c534153d9b","rule":"Dx_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file csh.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file csh.php.php.txt","hash":"194a9d3f3eac8bc56d9a7c55c016af96","rule":"csh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file pHpINJ.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
pHpINJ.php.php.txt","hash":"d7a4b0df45d34888d5a09f745e85733f","rule":"pHpINJ_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 2008.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 2008.php.php.txt","hash":"3e4ba470d4c38765e4b16ed930facf2c","rule":"sig_2008_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file ak74shell.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ak74shell.php.php.txt","hash":"7f83adcb4c1111653d30c6427a94f66f","rule":"ak74shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Rem View.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Rem View.php.php.txt","hash":"29420106d9a81553ef0d1ca72b9934d9","rule":"Rem_View_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Java 
Shell.js.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Java Shell.js.txt","hash":"36403bc776eb12e8b7cc0eb47c8aac83","rule":"Java_Shell_js"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file STNC.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file STNC.php.php.txt","hash":"2e56cfd5b5014cbbf1c1e3f082531815","rule":"STNC_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt","hash":"26b2d3943395682e36da06ed493a3715","rule":"aZRaiLPhp_v1_0_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file zacosmall.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
zacosmall.php.txt","hash":"5295ee8dc2f5fd416be442548d68f7a6","rule":"zacosmall_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file CmdAsp.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file CmdAsp.asp.txt","hash":"64f24f09ec6efaa904e2492dffc518b9","rule":"CmdAsp_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file simple-backdoor.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file simple-backdoor.php.txt","hash":"f091d1b9274c881f8e41b2f96e6b9936","rule":"simple_backdoor_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file mysql_shell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file mysql_shell.php.txt","hash":"d42aec2891214cace99b3eb9f3e21a63","rule":"mysql_shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking 
Team.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt","hash":"1b5102bdc41a7bc439eea8f0010310a5","rule":"Dive_Shell_1_0___Emperor_Hacking_Team_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt","hash":"0978b672db0657103c79505df69cb4bb","rule":"Asmodeus_v0_1_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Reader.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Reader.asp.txt","hash":"ad1a362e0a24c4475335e3e891a01731","rule":"Reader_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file phpshell17.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
phpshell17.php.txt","hash":"9a928d741d12ea08a624ee9ed5a8c39d","rule":"phpshell17_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt","hash":"37cb1db26b1b0161a4bf678a6b4565bd","rule":"SimShell_1_0___Simorgh_Security_MGZ_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file jspshall.jsp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file jspshall.jsp.txt","hash":"efe0f6edaa512c4e1fdca4eeda77b7ee","rule":"jspshall_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file rootshell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file rootshell.php.txt","hash":"265f3319075536030e59ba2f9ef3eac6","rule":"rootshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
connectback2.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file connectback2.pl.txt","hash":"473b7d226ea6ebaacc24504bd740822e","rule":"connectback2_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file wso.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file wso.txt","hash":"33e2891c13b78328da9062fbfcf898b6","rule":"shells_PHP_wso"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file backdoor1.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file backdoor1.php.txt","hash":"e1adda1f866367f52de001257b4d6c98","rule":"backdoor1_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file elmaliseker.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
elmaliseker.asp.txt","hash":"b32d1730d23a660fd6aa8e60c3dc549f","rule":"elmaliseker_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt","hash":"c2e8346a5515c81797af36e7e4a3828e","rule":"s72_Shell_v1_1_Coding_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file kacak.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file kacak.asp.txt","hash":"907d95d46785db21331a0324972dda8c","rule":"kacak_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt","hash":"57fcd9560dac244aeaf95fd606621900","rule":"PHP_Backdoor_Connect_pl_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Antichat Socks5 
Server.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt","hash":"cbe9eafbc4d86842a61a54d98e5b61f1","rule":"Antichat_Socks5_Server_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt","hash":"40d0abceba125868be7f3f990f031521","rule":"Antichat_Shell_v1_3_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt","hash":"49ad9117c96419c35987aaa7e2230f63","rule":"Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file cyberlords_sql.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + 
customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cyberlords_sql.php.php.txt","hash":"03b06b4183cb9947ccda2c3d636406d4","rule":"cyberlords_sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt","hash":"8a8c8bb153bd1ee097559041f2e5cf0a","rule":"Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file EFSO_2.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file EFSO_2.asp.txt","hash":"b5fde9682fd63415ae211d53c6bfaa4d","rule":"EFSO_2_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file lamashell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file lamashell.php.txt","hash":"de9abc2e38420cad729648e93dfc6687","rule":"lamashell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt","hash":"93d1a2e13a3368a2472043bd6331afe9","rule":"Ajax_PHP_Command_Shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt","hash":"70a0ee2624e5bbe5525ccadc467519f6","rule":"JspWebshell_1_2_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Sincap.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Sincap.php.php.txt","hash":"b68b90ff6012a103e57d141ed38a7ee9","rule":"Sincap_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Phyton Shell.py.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file Phyton Shell.py.txt","hash":"92b3c897090867c65cc169ab037a0f55","rule":"Phyton_Shell_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file sh.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file sh.php.php.txt","hash":"330af9337ae51d0bac175ba7076d6299","rule":"sh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file phpjackal.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phpjackal.php.txt","hash":"ab230817bcc99acb9bdc0ec6d264d76f","rule":"phpjackal_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file sql.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file sql.php.php.txt","hash":"8334249cbb969f2d33d678fec2b680c5","rule":"sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
cgi-python.py.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cgi-python.py.txt","hash":"0a15f473e2232b89dae1075e1afdac97","rule":"cgi_python_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file ru24_post_sh.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ru24_post_sh.php.php.txt","hash":"5b334d494564393f419af745dc1eeec7","rule":"ru24_post_sh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file telnetd.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file telnetd.pl.txt","hash":"5f61136afd17eb025109304bd8d6d414","rule":"telnetd_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file php-include-w-shell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
php-include-w-shell.php.txt","hash":"4e913f159e33867be729631a7ca46850","rule":"php_include_w_shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","hash":"6163b30600f1e80d2bb5afaa753490b6","rule":"Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file shell.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shell.php.php.txt","hash":"1a95f0163b6dea771da1694de13a3d8d","rule":"shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file telnet.cgi.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file telnet.cgi.txt","hash":"dee697481383052980c20c48de1598d1","rule":"telnet_cgi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
ironshell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ironshell.php.txt","hash":"8bfa2eeb8a3ff6afc619258e39fded56","rule":"ironshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file backdoorfr.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file backdoorfr.php.txt","hash":"91e4afc7444ed258640e85bcaf0fecfc","rule":"backdoorfr_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file aspydrv.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file aspydrv.asp.txt","hash":"1c01f8a88baee39aa1cebec644bbcb99","rule":"aspydrv_asp","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file cmdjsp.jsp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
cmdjsp.jsp.txt","hash":"b815611cc39f17f05a73444d699341d4","rule":"cmdjsp_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","hash":"06ed0b2398f8096f1bebf092d0526137","rule":"h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Ajan.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ajan.asp.txt","hash":"b6f468252407efc2318639da22b08af0","rule":"Ajan_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file PHANTASMA.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file PHANTASMA.php.txt","hash":"52779a27fa377ae404761a7ce76a5da7","rule":"PHANTASMA_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file MySQL Web Interface Version 
0.8.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt","hash":"36d4f34d0a22080f47bb1cb94107c60f","rule":"MySQL_Web_Interface_Version_0_8_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt","hash0":"ddaf9f1986d17284de83a17fe5f9fd94","hash1":"17a07bb84e137b8aa60f87cd6bfab748","hash2":"4745d510fed4378e4b1730f56f25e569","rule":"_nst_php_php_img_php_php_nstview_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, 
nfm.php.php.txt","hash0":"acdbba993a5a4186fd864c5e4ea0ba4f","hash1":"2601b6fc1579f263d2f3960ce775df70","hash2":"401fbae5f10283051c39e640b77e4c26","rule":"_network_php_php_xinfo_php_php_nfm_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"eddf7a8fde1e50a7f2a817ef7cece24f","hash3":"8023394542cddf8aee5dec6072ed02b5","hash4":"eed14de3907c9aa2550d95550d1a2d5f","hash5":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"9c5bb5e3a46ec28039e8986324e42792","hash2":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_wacking_php_php_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA 
Shell.php.txt, r57.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"eddf7a8fde1e50a7f2a817ef7cece24f","rule":"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt","hash0":"9c5bb5e3a46ec28039e8986324e42792","hash1":"44542e5c3e9790815c49d5f9beffbbf2","hash2":"09609851caa129e40b0d56e90dfc476c","hash3":"38fd7e45f9c11a37463c3ded1c76af4c","rule":"_wacking_php_php_1_SpecialShell_99_php_php_c100_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 
Shell.php.php.txt, spy.php.php.txt, s.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"eddf7a8fde1e50a7f2a817ef7cece24f","hash2":"8023394542cddf8aee5dec6072ed02b5","hash3":"eed14de3907c9aa2550d95550d1a2d5f","hash4":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files multiple_php_webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files multiple_php_webshells","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"be0f67f3e995517d18859ed57b4b4389","hash3":"eddf7a8fde1e50a7f2a817ef7cece24f","hash4":"8023394542cddf8aee5dec6072ed02b5","hash5":"eed14de3907c9aa2550d95550d1a2d5f","hash6":"817671e1bdc85e04cc3440bbd9288800","hash7":"7101fe72421402029e2629f3aaed6de7","hash8":"f618f41f7ebeb5e5076986a66593afd1","rule":"multiple_php_webshells","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, 
wacking.php.php.txt","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","hash3":"d8ae5819a0a2349ec552cbcf3a62c975","hash4":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt","hash0":"ddaf9f1986d17284de83a17fe5f9fd94","hash1":"ef8828e0bc0641a655de3932199c0527","hash2":"17a07bb84e137b8aa60f87cd6bfab748","hash3":"4745d510fed4378e4b1730f56f25e569","rule":"_nst_php_php_cybershell_php_php_img_php_php_nstview_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","hash3":"44542e5c3e9790815c49d5f9beffbbf2","hash4":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"eddf7a8fde1e50a7f2a817ef7cece24f","hash2":"eed14de3907c9aa2550d95550d1a2d5f","hash3":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_r57_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated 
","hash0":"40a3e86a63d3d7f063a86aab5b5f92c6","hash1":"d8ae5819a0a2349ec552cbcf3a62c975","hash2":"9e9ae0332ada9c3797d6cee92c2ede62","hash3":"f3ca29b7999643507081caab926e2e74","rule":"_nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/xFvioC","rule":"PHP_Cloaked_Webshell_SuperFetchExec","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php","hash":"1b2a4a7174ca170b4e3a8cdf4814c92695134c8a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_dC3_Security_Crew_Shell_PRiV"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file 
simattacker.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file simattacker.php","hash":"258297b62aeaf4650ce04642ad5f19be25ec29c9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_simattacker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file DTool Pro.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file DTool Pro.php","hash":"e2ee1c7ba7b05994f65710b7bbf935954f2c3353","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_DTool_Pro"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file ironshell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file ironshell.php","hash":"d47b8ba98ea8061404defc6b3a30839c4444a262","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_ironshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file 
b374k-mini-shell-php.php.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file b374k-mini-shell-php.php.php","hash":"afb88635fbdd9ebe86b650cc220d3012a8c35143","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_b374k_mini_shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Sincap 1.0.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Sincap 1.0.php","hash":"9b72635ff1410fa40c4e15513ae3a496d54f971c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Sincap_1_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file b374k.php.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file b374k.php.php","hash":"04c99efd187cf29dc4e5603c51be44170987bce2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_b374k_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My 
friend.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php","hash":"6454cc5ab73143d72cf0025a81bd1fe710351b44","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php","hash":"cbca8cd000e705357e2a7e0cf8262678706f18f9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file MyShell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file MyShell.php","hash":"42e283c594c4d061f80a18f5ade0717d3fb2f76d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_MyShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file pws.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file pws.php","hash":"7a405f1c179a84ff8ac09a42177a2bcd8a1a481b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_pws"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file reader.asp.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file reader.asp.php.txt","hash":"70656f3495e2b3ad391a77d5208eec0fb9e2d931","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_reader_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php","hash":"b2b797707e09c12ff5e632af84b394ad41a46fa4","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file php-backdoor.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file php-backdoor.php","hash":"b190c03af4f3fb52adc20eb0f5d4d151020c74fe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file pHpINJ.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file pHpINJ.php","hash":"75116bee1ab122861b155cc1ce45a112c28b9596","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_pHpINJ"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file NGH.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NGH.php","hash":"c05b5deecfc6de972aa4652cb66da89cfb3e1645","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_NGH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file matamu.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file matamu.php","hash":"d477aae6bd2f288b578dbf05c1c46b3aaa474733","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_matamu"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file ru24_post_sh.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file ru24_post_sh.php","hash":"d2c18766a1cd4dda928c12ff7b519578ccec0769","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_ru24_post_sh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file hiddens shell v1.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file hiddens shell v1.php","hash":"1674bd40eb98b48427c547bf9143aa7fbe2f4a59","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_hiddens_shell_v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file c99_locus7s.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file c99_locus7s.php","hash":"d413d4700daed07561c9f95e1468fb80238fbf3c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_c99_locus7s"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file safe0ver.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file safe0ver.php","hash":"366639526d92bd38ff7218b8539ac0f154190eb8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_safe0ver"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file kral.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file kral.php","hash":"4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_kral"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file cgitelnet.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file cgitelnet.php","hash":"72e5f0e4cd438e47b6454de297267770a36cbeb3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_cgitelnet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file NTDaddy v1.9.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NTDaddy v1.9.php","hash":"79519aa407fff72b7510c6a63c877f2e07d7554b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_NTDaddy_v1_9"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file lamashell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lamashell.php","hash":"b71181e0d899b2b07bc55aebb27da6706ea1b560","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_lamashell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php","hash":"03f6215548ed370bec0332199be7c4f68105274e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Simple_PHP_backdoor_by_DK"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file CmdAsp.asp.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file CmdAsp.asp.php.txt","hash":"cb18e1ac11e37e236e244b96c2af2d313feda696","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_CmdAsp_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file NCC-Shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NCC-Shell.php","hash":"64d4495875a809b2730bd93bec2e33902ea80a53","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_NCC_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file README.md","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file README.md","hash":"ef2c567b4782c994db48de0168deb29c812f7204","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_README"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file backupsql.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file backupsql.php","hash":"863e017545ec8e16a0df5f420f2d708631020dd4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_backupsql"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php","hash":"c90b0ba575f432ecc08f8f292f3013b5532fe2c4","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_AK_74_Security_Team_Web_Shell_Beta_Version"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file cpanel.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file cpanel.php","hash":"433dab17106b175c7cf73f4f094e835d453c0874","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_cpanel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file 529.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file 529.php","hash":"ba3fb2995528307487dff7d5b624d9f4c94c75d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_529"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file qsd-php-backdoor.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file qsd-php-backdoor.php","hash":"4856bce45fc5b3f938d8125f7cdd35a8bbae380f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_qsd_php_backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php","hash":"5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Gamma Web Shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Gamma Web Shell.php","hash":"7ef773df7a2f221468cc8f7683e1ace6b1e8139a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Gamma_Web_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file WinX Shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file WinX Shell.php","hash":"a94d65c168344ad9fa406d219bdf60150c02010e","license":"Detection 
Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_WinX_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file php-include-w-shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file php-include-w-shell.php","hash":"1a7f4868691410830ad954360950e37c582b0292","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_include_w_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file PhpSpy Ver 2006.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file PhpSpy Ver 2006.php","hash":"34a89e0ab896c3518d9a474b71ee636ca595625d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_PhpSpy_Ver_2006"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file myshell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file myshell.php","hash":"5bd52749872d1083e7be076a5e65ffcde210e524","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_myshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file lolipop.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lolipop.php","hash":"86f23baabb90c93465e6851e40104ded5a5164cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_lolipop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file simple_cmd.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file simple_cmd.php","hash":"466a8caf03cdebe07aa16ad490e54744f82e32c2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_simple_cmd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file go-shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file go-shell.php","hash":"3dd85981bec33de42c04c53d081c230b5fc0e94f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_go_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file aZRaiLPhp v1.0.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file aZRaiLPhp v1.0.php","hash":"a2c609d1a8c8ba3d706d1d70bef69e63f239782b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_aZRaiLPhp_v1_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Github Archive - file zehir4","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Github Archive - file zehir4","hash":"788928ae87551f286d189e163e55410acbb90a64","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_webshells_zehir4","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file zehir4.asp.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file zehir4.asp.php.txt","hash":"1d9b78b5b14b821139541cc0deb4cbbd994ce157","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_zehir4_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file lostDC.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lostDC.php","hash":"d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_lostDC"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file CasuS 1.5.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file CasuS 1.5.php","hash":"7eee8882ad9b940407acc0146db018c302696341","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_CasuS_1_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, 
soldierofallah.php","hash0":"fa11deaee821ca3de7ad1caafa2a585ee1bc8d82","hash1":"c0a4ba3e834fb63e0a220a43caaf55c654f97429","hash2":"16fa789b20409c1f2ffec74484a30d0491904064","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php","hash0":"b148ead15d34a55771894424ace2a92983351dda","hash1":"e4ba288f6d46dc77b403adf7d411a280601c635b","hash2":"e5713d6d231c844011e9a74175a77e8eb835c856","hash3":"1b836517164c18caf2c92ee2a06c645e26936a0c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files Dive Shell 1.0","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/04/06","description":"PHP Webshells Github Archive - from files Dive Shell 
1.0","hash0":"3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b","hash1":"2558e728184b8efcdb57cfab918d95b06d45de04","hash2":"203a8021192531d454efbc98a3bbb8cabe09c85c","hash3":"b79709eb7801a28d02919c41cc75ac695884db27","modified":"2022-12-06","rule":"WebShell_Generic_PHP_1","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php","hash0":"335a0851304acedc3f117782b61479bbc0fd655a","hash1":"6eb4ab630bd25bec577b39fb8a657350bf425687","hash2":"03f88f494654f2ad0361fb63e805b6bbfc0c86de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__CrystalShell_v_1_erne_stres","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php","hash0":"5622c9841d76617bfc3cd4cab1932d8349b7044f","hash1":"4a20f36035bbae8e342aab0418134e750b881d05","hash2":"40dbdc0bdf5218af50741ba011c5286a723fa9bf","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__findsock_php_findsock_shell_php_reverse_shell","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive","hash0":"1a08f5260c4a2614636dfc108091927799776b13","hash1":"335a0851304acedc3f117782b61479bbc0fd655a","hash2":"ca9fcfb50645dc0712abdf18d613ed2196e66241","hash3":"36d8782d749638fdcaeed540d183dd3c8edc6791","hash4":"03f88f494654f2ad0361fb63e805b6bbfc0c86de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Generic_PHP_6","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Injectt.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Injectt.exe","hash":"8a5d2158a566c87edc999771e12d42c5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Unpack_Injectt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file ssh.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - 
file ssh.php","hash":"1aa5307790d72941589079989b4f900e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_ssh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Client.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Client.exe","hash":"5f91a5b46d155cacf0cc6673a2a5461b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"bin_Client"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file ZXshell.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ZXshell.exe","hash":"246ce44502d2f6002d720d350e26c288","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_ZXshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file RkNTLoad.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file RkNTLoad.exe","hash":"262317c95ced56224f136ba532b8b34f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"RkNTLoad"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file binder2.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file binder2.exe","hash":"d594e90ad23ae0bc0b65b59189c12f11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"binder2_binder2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file orice2.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file orice2.php","hash":"aa63ffb27bde8d03d00dda04421237ae","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"thelast_orice2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file sendmail.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file sendmail.exe","hash":"75b86f4a21d8adefaf34b3a94629bd17","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sendmail"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file zehir4.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file zehir4.asp","hash":"5b496a61363d304532bcf52ee21f5d55","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_zehir4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file hkshell.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkshell.exe","hash":"168cab58cee59dc4706b3be988312580","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkshell_hkshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file DarkSpy105.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file DarkSpy105.exe","hash":"f0b85e7bec90dba829a3ede1ab7d8722","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DarkSpy105"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
EditServer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file EditServer.exe","hash":"f945de25e0eba3bdaf1455b3a62b9832","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer_EXE"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file reader.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file reader.asp","hash":"b598c8b662f2a1f6cc61f291fb0a6fa2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_reader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file svchostdll.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file svchostdll.dll","hash":"0f6756c8cb0b454c452055f189e4c3f4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"svchostdll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
server.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file server.asp","hash":"1d38526a215df13c7373da4635541b43","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_DevPack_server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file vanquish.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file vanquish.dll","hash":"684450adde37a93e8bb362994efc898c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"vanquish"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Client.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Client.exe","hash":"9f0a74ec81bc2f26f16c5c172b80eca7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"BIN_Client"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
Simple_PHP_BackDooR.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Simple_PHP_BackDooR.php","hash":"a401132363eecc3a1040774bec9cb24f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Simple_PHP_BackDooR"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file hkrmv.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkrmv.exe","hash":"bd3a0b7a6b5536f8d96f50956560e9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkshell_hkrmv"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file phpft.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file phpft.php","hash":"60ef80175fcc6a879ca57c54226646b1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_phpft"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
bdcli100.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file bdcli100.exe","hash":"b12163ac53789fb4f62e4f17a8c2e028","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"bdcli100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file rdrbs084.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file rdrbs084.exe","hash":"ed30327b255816bdd7590bf891aa0020","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rdrbs084"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 2005.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file 2005.exe","hash":"8bf667ee9e21366bc0bd3491cb614f41","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_CaseSwitch_2005"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
casus15.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file casus15.php","hash":"8d155b4239d922367af5d0a1b89533a3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_casus15_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file installer.cmd","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file installer.cmd","hash":"a507919ae701cf7e42fa441d3ad95f8f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"installer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file elmaliseker.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file elmaliseker.asp","hash":"ccf48af0c8c09bbd038e610a49c9862e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"elmaliseker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
resolve.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file resolve.exe","hash":"69bf9aa296238610a0e05f99b5540297","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_resolve"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Fport.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Fport.exe","hash":"dbb75488aa2fa22ba6950aead1ef30d5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_Fport"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file upload.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file upload.asp","hash":"b09852bda534627949f0259828c967de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_DevPack_upload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
PasswordReminder.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file PasswordReminder.exe","hash":"ea49d754dc609e8bfa4c0f95d14ef9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PasswordReminder"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file RkNT.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file RkNT.dll","hash":"5f97386dfde148942b7584aeb6512b85","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rknt_zip_Folder_RkNT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file dbgntboot.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dbgntboot.dll","hash":"4d87543d4d7f73c1529c9f8066b475ab","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"dbgntboot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file shell.php","hash":"45e8a00567f8a34ab1cccc86b4bc74b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PHP_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file rdrbs100.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file rdrbs100.exe","hash":"7c752bcd6da796d80a6830c61a632bff","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rdrbs100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Mithril.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Mithril.exe","hash":"017191562d72ab0ca551eb89256650bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_Mithril"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
hkdoordll.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkdoordll.dll","hash":"b715c009d47686c0e62d0981efce2552","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkdoordll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file dllTest.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dllTest.dll","hash":"1b9e518aaa62b15079ff6edb412b21e9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_v1_45_dllTest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file dbgiis6cli.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dbgiis6cli.exe","hash":"3044dceb632b636563f66fee3aaaf8f3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"dbgiis6cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
cress.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file cress.exe","hash":"36a416186fe010574c9be68002a7286a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Debug_cress"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file usr.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file usr.php","hash":"ade3357520325af50c9098dc8a21a024","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_usr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file phpinj.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file phpinj.php","hash":"dd39d17e9baca0363cc1c3664e608929","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_phpinj"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
db.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file db.asp","hash":"cb62e2ec40addd4b9930a9e270f5b318","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"xssshell_db"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file EditServer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file EditServer.exe","hash":"5c1f25a4d206c83cdfb006b3eb4c09ba","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file by064cli.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file by064cli.exe","hash":"10e0dff366968b770ae929505d2a9885","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"by064cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
dllTest.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dllTest.dll","hash":"a8d25d794d8f08cd4de0c3d6bf389e6d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_dllTest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file connector.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file connector.asp","hash":"3ba1827fca7be37c8296cd60be9dc884","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"connector"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file HideRun.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file HideRun.exe","hash":"45436d9bfd8ff94b71eeaeb280025afe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_HideRun"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
PHP_Shell_v1.7.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file PHP_Shell_v1.7.php","hash":"b5978501c7112584532b4ca6fb77cba5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PHP_Shell_v1_7"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file save.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file save.asp","hash":"865da1b3974e940936fe38e8e1964980","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"xssshell_save"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file screencap.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file screencap.exe","hash":"51139091dea7a9418a50f2712ea72aa6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"screencap"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
zxrecv.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file zxrecv.exe","hash":"5d3d12a39f41d51341ef4cb7ce69d30f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_zxrecv"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file deploy.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file deploy.exe","hash":"2c9f9c58999256c73a5ebdb10a9be269","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"_root_040_zip_Folder_deploy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file by063cli.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file by063cli.exe","hash":"49ce26eb97fd13b6d92a5e5d169db859","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"by063cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
asp.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file asp.asp","hash":"2c412400b146b7b98d6e7755f7159bb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"icyfox007v1_10_rar_Folder_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file ntboot.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ntboot.dll","hash":"cb9eb5a6ff327f4d6c46aacbbe9dda9d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"byshell063_ntboot_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file xwhois.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file xwhois.exe","hash":"0bc98bd576c80d921a3460f8be8816b4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_xwhois"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
vanquish.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file vanquish.exe","hash":"2dcb9055785a2ee01567f52b5a62b071","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"vanquish_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file nc.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file nc.exe","hash":"2cd1bf15ae84c5f6917ddb128827ae8b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_nc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Server.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Server.exe","hash":"1d5aa9cbf1429bb5b8bf600335916dcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"BIN_Server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
2006.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file 2006.asp","hash":"c19d6f4e069188f19b08fa94d44bc283","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop2006_rar_Folder_2006"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file HDConfig.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file HDConfig.exe","hash":"7d60e552fdca57642fd30462416347bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HDConfig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshell and Exploit Code in relation with APT against Honk Kong protesters","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"10.10.2014","description":"Webshell and Exploit Code in relation with APT against Honk Kong protesters","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Webshell_and_Exploit_CN_APT_HK","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a web shell that downloads content from pastebin.com 
http://goo.gl/7dbyZs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"13.01.2015","description":"Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/7dbyZs","rule":"Pastebin_Webshell","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a web shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-10","description":"Detects a web shell","hash1":"027544baa10259939780e97dc908bd43f0fb940510119fc4cce0883f3dd88275","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/bartblaze/PHP-backdoors","rule":"webshell_e8eaf8da94012e866e51547cd63bb996379690bf"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a simple cloaked PHP web shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-28","description":"Detects a simple cloaked PHP web shell","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127","rule":"PHP_Webshell_1_Feb17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-07-21","description":"Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138","reference":"https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/","rule":"VULN_Confluence_Questions_Plugin_CVE_2022_26138_Jul22_1","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects JQuery File Upload vulnerability CVE-2018-9206","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-10-19","description":"Detects JQuery File Upload vulnerability CVE-2018-9206","reference":"https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/","reference2":"https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f","reference3":"https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html","rule":"VUL_JQuery_FileUpload_CVE_2018_9206"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a potential compromise indicator found in MOVEit Transfer logs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian 
Roth","date":"2023-06-01","description":"Detects a potential compromise indicator found in MOVEit Transfer logs","reference":"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a potential compromise indicator found in MOVEit Transfer logs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-03","description":"Detects a potential compromise indicator found in MOVEit Transfer logs","reference":"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a potential compromise indicator found in MOVEit DMZ Web API logs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nasreddine Bencherchali","date":"2023-06-13","description":"Detects a potential compromise indicator found in MOVEit DMZ Web API logs","reference":"https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_3","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange 
servers","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-11-17","description":"Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers","reference":"https://github.com/testanull/ProxyNotShell-PoC","rule":"LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Filter for 2nd stage malware used in VPNfilter attack","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"Christiaan Beek @ McAfee Advanced Threat Research","date":"2018-05-23","description":"Filter for 2nd stage malware used in VPNfilter attack","hash":"9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387","malware_family":"Backdoor:W32/VPNfilter","malware_type":"backdoor","reference":"https://blog.talosintelligence.com/2018/05/VPNFilter.html","rule":"VPNFilter","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Monero mining software","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"Trellix ATR team","date":"2018-04-05","description":"Monero mining 
software","malware_family":"Ransom:W32/MoneroMiner","malware_type":"miner","rule":"MINER_monero_mining_detection","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"CTB_Locker","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"ISG","date":"2015-01-20","description":"CTB_Locker","malware_family":"Ransom:W32/CTBLocker","malware_type":"ransomware","reference":"https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker","rule":"BackdoorFCKG","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Detect GPGQwerty ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"McAfee Labs","date":"2018-03-21","description":"Detect GPGQwerty ransomware","malware_family":"Ransom:W32/GPGQwerty","malware_type":"ransomware","reference":"https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard/","rule":"crime_ransomware_windows_GPGQwerty","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Rule to detect the Kraken Cryptor Ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"Marc Rivero | McAfee 
ATR Team","date":"2018-09-30","description":"Rule to detect the Kraken Cryptor Ransomware","hash":"564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd","malware_family":"Ransom:W32/Kraken","malware_type":"ransomware","reference":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/","rule":"kraken_cryptor_ransomware","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"rule to detect Linux variant of the Hello Kitty Ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"Rule_Version":"v1","author":"Christiaan @ ATR","date":"2021-07-19","description":"rule to detect Linux variant of the Hello Kitty Ransomware","hash1":"ca607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041","hash2":"556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed","malware_family":"Ransom:Linux/HelloKitty","malware_type":"ransomware","rule":"ransom_Linux_HelloKitty_0721"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Mount Locker ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"McAfee ATR Team","date":"2020-09-25","description":"Rule to detect Mount Locker 
ransomware","hash1":"4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273","hash2":"f570d5b17671e6f3e56eae6ad87be3a6bbfac46c677e478618afd9f59bf35963","malware_family":"Ransomware:W32/MountLocker","malware_type":"ransomware","rule":"RANSOM_mountlocker","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Credentials Stealing Attack","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"Christiaan Beek | McAfee ATR Team","date":"2013-06-30","description":"Credentials Stealing Attack","hash":"7cf757e0943b0a6598795156c156cb90feb7d87d4a22c01044499c4e1619ac57","malware_family":"Stealer:W32/DarkSide","malware_type":"stealer","rule":"STEALER_emirates_statement","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. 
diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Detect basics of ItsSoEasy Ransomware (Itssoeasy-A)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"bstnbuck","date":"2023-11-02","description":"Detect basics of ItsSoEasy Ransomware (Itssoeasy-A)","rule":"ItsSoEasy_Ransomware_basic","yarahub_author_twitter":"@bstnbuck","yarahub_license":"CC0 1.0","yarahub_reference_link":"https://github.com/bstnbuck/ItsSoEasy","yarahub_reference_md5":"1ce280542553dc383b768b9189808e27","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"a2564e9f-e5f9-459c-ae4b-7656fa9df9c3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Lucasstealer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Chat3ux","date":"2022-09-08","description":"Lucasstealer","rule":"LucaStealer","yarahub_author_twitter":"@Chat3ux_","yarahub_license":"CC0 1.0","yarahub_reference_md5":"c73c38662b7283befc65c87a2d82ac94","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71c9c97e-161a-41c8-8014-4ee186c92a22"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Detects QBOT HTML smuggling 
variants","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Ankit Anubhav - ankitanubhav.info","date":"2022-06-26","description":"Detects QBOT HTML smuggling variants","malpedia_family":"win.qakbot","rule":"QBOT_HTMLSmuggling_a","yarahub_author_email":"ankit.yara@inbox.ru","yarahub_author_twitter":"@ankit_anubhav","yarahub_license":"CC0 1.0","yarahub_reference_link":"https://twitter.com/ankit_anubhav","yarahub_reference_md5":"1807f10ee386d0702bbfcd1a4da76fd1","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"8db8aecd-53ae-4772-8d9c-38b121cfe0e0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"RABBITHUNT_cls","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"RABBITHUNT_cls","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"22a968beda8a033eb31ae175b7e0a937","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"d7c6a7d6-20d9-40d0-a63c-2c780bee821e"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Detects the ESXiArgs Ransomware encryption python script","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"SECUINFRA Falcon Team (@SI_FalconTeam)","date":"2023-02-07","description":"Detects the ESXiArgs Ransomware encryption python 
script","reference":"https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/","rule":"RANSOM_ESXiArgs_Ransomware_Python_Feb23","tlp":"CLEAR","yarahub_author_twitter":"@SI_FalconTeam","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"c358fe0e8837cc577315fc38892b937d","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"e79d0764-bf61-4e71-b181-8ed13edfcb98"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"yarahub_win_remcos_rat_unpacked_aug_2023","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Matthew @ Embee_Research","date":"2023-08-27","desc":"Detects bytecodes present in Amadey Bot Samples","malpedia_family":"win.remcos","rule":"yarahub_win_remcos_rat_unpacked_aug_2023","sha_256":"ec901217558e77f2f449031a6a1190b1e99b30fa1bb8d8dabc3a99bc69833784","yarahub_author_twitter":"@embee_research","yarahub_license":"CC BY-NC 4.0","yarahub_reference_md5":"57b00a449fc132c2f5d139c6d1cee7cd","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"f701cf05-ac09-44f3-b4ee-3ea944bd5533"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Adfind, a Command line Active Directory query tool.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"HACKTOOL","creation_date":"2020-08-01","description":"Identifies Adfind, a Command line Active Directory query 
tool.","fingerprint":"296292e4e665d7eb2d36b2ad655d451cdf89bc27d2705bb8cb97fa34afcd16cb","first_imported":"2021-12-30","id":"369wFVCBXsVYywgZZJhUjW","last_modified":"2021-12-30","mitre_att":"S0552","reference":"http://www.joeware.net/freetools/tools/adfind/","rule":"Adfind","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"ADFIND","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Aurora Stealer.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","description":"Identifies Aurora Stealer.","fingerprint":"06f893451d74f7cc924b9988443338ed9d86d8afb3b1facdfee040bce0c45289","first_imported":"2023-05-26","id":"6Z1CVWsCBgJV6aRbfDFvlr","last_modified":"2023-05-26","malware":"Aurora Stealer","reference":" https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer","rule":"AuroraStealer","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies AveMaria aka WarZone RAT.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-11-01","description":"Identifies AveMaria aka WarZone 
RAT.","fingerprint":"6cf820532d1616bf7e0a16d2ccf0fb4c31df30e775fd9de1622ac840f55b2fee","first_imported":"2021-12-30","id":"7kTjKOPEjKKZRVTPh5LCPf","last_modified":"2021-12-30","malware":"WARZONERAT","malware_type":"RAT","mitre_att":"S0534","rule":"AveMaria","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies CryLock aka Cryakl ransomware.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-09-01","description":"Identifies CryLock aka Cryakl ransomware.","fingerprint":"f3084da9bc523ee78f0a85e439326c2f4a348330bf228192ca07c543f5fb04ed","first_imported":"2021-12-30","id":"2l4H1zr9CK35G8zGAmRQAk","last_modified":"2021-12-30","malware":"CRYLOCK","malware_type":"RANSOMWARE","rule":"CryLock","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Darkside ransomware.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-05-01","description":"Identifies Darkside ransomware.","fingerprint":"57bc5c7353c8c518e057456b2317e1dbf59ee17ce69cd336f1bacaf627e9efd5","first_imported":"2021-12-30","id":"5qjcs58k9iHd3EU3xv66sV","last_modified":"2021-12-30","malware":"DARKSIDE","malware_type":"RANSOMWARE","rule":"Darkside","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA 
rules","scan_date":"2024-03-28","alert":"Identifies Hidden Windows driver, used by malware such as PurpleFox.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-11-01","description":"Identifies Hidden Windows driver, used by malware such as PurpleFox.","fingerprint":"0fc71baad34741d864ec596e89fc873a01974d7ab6bea912d572c2bd2ae2e0da","first_imported":"2021-12-30","id":"568PgDjhUwg620xlbE6vMk","last_modified":"2021-12-30","reference":"https://github.com/JKornev/hidden","rule":"Hidden","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies IcedID (stage 1 and 2, initial loaders).","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-01-01","description":"Identifies IcedID (stage 1 and 2, initial loaders).","fingerprint":"b86460e97101c23cf11ff9fb43f6fcdce444fcfa301b1308c2f4d6aa2f01986a","first_imported":"2021-12-30","id":"1GXBmGKG0zu5DhEKiZK0Kx","last_modified":"2021-12-30","malware":"ICEDID","malware_type":"LOADER","mitre_att":"S0483","rule":"IcedID_init_loader","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Impacket, a collection of Python classes for working with network 
protocols.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-08-01","description":"Identifies Impacket, a collection of Python classes for working with network protocols.","fingerprint":"3c84db45525bc8981b832617b35c0b81193827313b23c7fede0b00badc3670f4","first_imported":"2021-12-30","id":"4slxMFaVQR9nCS6mQxIQj","last_modified":"2021-12-30","mitre_att":"S0357","reference":"https://github.com/SecureAuthCorp/impacket","rule":"Impacket","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"IMPACKET","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies LaZagne, credentials recovery project.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-01-01","description":"Identifies LaZagne, credentials recovery project.","fingerprint":"81ef321369e94e5cb5bbf735ab7db8c6aafc1fc7564c76d53b3f0e0adb9e5c81","first_imported":"2021-12-30","id":"3DeKZTrvc1lTK9vNaoj7LG","last_modified":"2021-12-30","mitre_att":"S0349","reference":"https://github.com/AlessandroZ/LaZagne","rule":"LaZagne","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"LAZAGNE","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Maze ransomware in memory or unpacked.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2019-11-01","description":"Identifies Maze 
ransomware in memory or unpacked.","fingerprint":"305df5e5f0a4d5660dff22073881e65ff25528895abf26308ecd06dd70a97ec2","first_imported":"2021-12-30","id":"4sTbmIEE40nSKc9rOEz4po","last_modified":"2021-12-30","malware":"MAZE","malware_type":"RANSOMWARE","mitre_att":"S0449","rule":"Maze","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Parallax RAT.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-09-01","description":"Identifies Parallax RAT.","fingerprint":"3ae9c820e411829619984c5e5311e8940248a771cfde3f22d2789ccb3c099be8","first_imported":"2021-12-30","id":"7AHV77y7ZoCjGyFbljjWV6","last_modified":"2021-12-30","malware":"PARALLAX","malware_type":"RAT","rule":"Parallax","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Pysa aka Mespinoza ransomware.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-03-01","description":"Identifies Pysa aka Mespinoza ransomware.","fingerprint":"7f8819e9f76b9c97e90cd5da7ea788c9bb1eb135d8e1cb8974d6f17ecf51b3c3","first_imported":"2021-12-30","id":"240byxdCwyzaTk3xgjzbEa","last_modified":"2021-12-30","malware":"PYSA","malware_type":"RANSOMWARE","mitre_att":"S0583","rule":"Pysa","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec 
YARA rules","scan_date":"2024-03-28","alert":"Identifies RagnarLocker ransomware unpacked or in memory.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-07-01","description":"Identifies RagnarLocker ransomware unpacked or in memory.","fingerprint":"fd403ea38a9c6c269ff7b72dea1525010f44253a41e72bf3fce55fa4623245a3","first_imported":"2021-12-30","id":"5066KiqBNrcicJGfWPfDx5","last_modified":"2021-12-30","malware":"RAGNAR LOCKER","malware_type":"RANSOMWARE","mitre_att":"S0481","rule":"RagnarLocker","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies SystemBC RAT, decrypted config.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-07-01","description":"Identifies SystemBC RAT, decrypted config.","fingerprint":"8de029e2f4fc81742a3e04976a58360e403ce5737098c14e0a007c306a1e0f01","first_imported":"2021-12-30","id":"70WDDM1D5xtPBqsUdBiPTK","last_modified":"2021-12-30","malware_type":"RAT","rule":"SystemBC_Config","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Windows Credentials Editor (WCE), post-exploitation tool.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"HACKTOOL","creation_date":"2020-01-01","description":"Identifies Windows 
Credentials Editor (WCE), post-exploitation tool.","fingerprint":"2ba3672c391e1426f01f623538f85bc377eec8ff60eda61c1af70f191ab683a3","first_imported":"2021-12-30","id":"3Q5yGnr66Sy8HikXBcYqKN","last_modified":"2021-12-30","mitre_att":"S0005","reference":"https://www.ampliasecurity.com/research/windows-credentials-editor/","rule":"Windows_Credentials_Editor","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"WINDOWS CREDENTIAL EDITOR","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Zeppelin ransomware and variants (Buran, Vega etc.)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2019-11-01","description":"Identifies Zeppelin ransomware and variants (Buran, Vega etc.)","fingerprint":"a4da7defafa7f510df1c771e3d67bf5d99f3684a44f56d2b0e6f40f0a7fea84f","first_imported":"2021-12-30","id":"RIttcGgKqwaotJyTgah7j","last_modified":"2021-12-30","malware":"ZEPPELIN","malware_type":"RANSOMWARE","rule":"Zeppelin","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"Detecting HTML strings used by Agent Tesla malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"Stormshield","description":"Detecting HTML strings used by Agent Tesla malware","rule":"agent_tesla","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"AgenetTesla Type 2 Keylogger 
payload","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"ditekshen","cape_type":"AgentTesla Payload","description":"AgenetTesla Type 2 Keylogger payload","rule":"AgentTeslaV2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"AgentTeslaV3 infostealer payload","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"ditekshen","cape_type":"AgentTesla payload","description":"AgentTeslaV3 infostealer payload","rule":"AgentTeslaV3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"Cobalt Strike Beacon Payload","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"ditekshen, enzo \u0026 Elastic","cape_type":"CobaltStrikeBeacon Payload","description":"Cobalt Strike Beacon Payload","rule":"CobaltStrikeBeacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"TrickBot Payload","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"sysopfb \u0026 kevoreilly","cape_type":"TrickBot Payload","description":"TrickBot Payload","rule":"TrickBot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"Detects TrickBot Banking module 
permaDll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"@VK_Intel | Advanced Intelligence","description":"Detects TrickBot Banking module permaDll","md5":"491115422a6b94dc952982e6914adc39","rule":"Trickbot_PermaDll_UEFI_Module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Backdoor.Fontonlake","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"85f16dd4a127737501863ccba006a444d899c6edc6ab03af5dddef2d39edc483","id":"fe916a45-75cc-40e4-94ad-6ac0f5d815b9","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"8a0a9740cf928b3bd1157a9044c6aced0dfeef3aa25e9ff9c93e113cbc1117ee","rule":"Linux_Backdoor_Fontonlake_fe916a45","scan_context":"file, memory","severity":"100","threat_name":"Linux.Backdoor.Fontonlake"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Backdoor.Tinyshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"f71ce364fb607ee6f4422864674ae3d053453b488c139679aa485466893c563d","id":"67ee6fae-304b-47f5-93b6-4086a864d433","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"9d2e25ec0208a55fba97ac70b23d3d3753e9b906b4546d1b14d8c92f8d8eb03d","rule":"Linux_Backdoor_Tinyshell_67ee6fae","scan_context":"file, 
memory","severity":"100","threat_name":"Linux.Backdoor.Tinyshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2021-3156","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-15","fingerprint":"66aca7d13fb9c5495f17b7891e388db0a746d8827c8ae302a6cb8d86f7630bbb","id":"f3fb10cd-1d49-420f-8740-5c8990560943","last_modified":"2021-09-21","license":"Elastic License v2","os":"linux","reference_sample":"65fb8baa5ec3bfb4473e4b2f565b461dd59989d43c72b1c5ec2e1a68baa8b51a","rule":"Linux_Exploit_CVE_2021_3156_f3fb10cd","scan_context":"file","severity":"100","threat_name":"Linux.Exploit.CVE-2021-3156"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2021-3156","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-15","fingerprint":"71e90dd36342686bb4be7ef86e1ceb2e915c70f437f4733ddcc5175860ca4084","id":"7f5672d0-73f1-4143-b3e2-3aed110779e3","last_modified":"2021-09-21","license":"Elastic License v2","os":"linux","reference_sample":"1a4517d2582ac97b88ae568c23e75beba93daf8518bd3971985d6a798049fd61","rule":"Linux_Exploit_CVE_2021_3156_7f5672d0","scan_context":"file","severity":"100","threat_name":"Linux.Exploit.CVE-2021-3156"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2021-3490","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-11-12","fingerprint":"4f8f4c7fabe32a023f8aafb817e2c27c5a5e0e9246ddccacf99a47f2ab850014","id":"d369d615-d2a3-4f9d-b5c7-eb0fac5d43e7","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"e65ba616942fd1e893e10898d546fe54458debbc42e0d6826aff7a4bb4b2cf19","rule":"Linux_Exploit_CVE_2021_3490_d369d615","scan_context":"file, memory","severity":"100","threat_name":"Linux.Exploit.CVE-2021-3490"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2021-4034","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-26","fingerprint":"b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6","id":"1c8f235d-1345-4d5f-a5db-427dbbe6fc9a","last_modified":"2022-07-22","license":"Elastic License v2","os":"linux","reference_sample":"94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b","rule":"Linux_Exploit_CVE_2021_4034_1c8f235d","scan_context":"file","severity":"100","threat_name":"Linux.Exploit.CVE-2021-4034"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2022-0847","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-03-10","fingerprint":"376b791f9bb5f48d0f41ead4e48b5bcc74cb68002bb7c170760428ace169457e","id":"e831c285-b2b9-49f3-a87c-3deb806e31e4","last_modified":"2022-03-14","license":"Elastic License v2","os":"linux","reference_sample":"c6b2cef2f2bc04e3ae33e0d368eb39eb5ea38d1bca390df47f7096117c1aecca","rule":"Linux_Exploit_CVE_2022_0847_e831c285","scan_context":"file, memory","severity":"100","threat_name":"Linux.Exploit.CVE-2022-0847"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.Log4j","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-12-13","fingerprint":"cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159","id":"7fc4d480-5354-4b0b-93ee-2937ddd1565c","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","rule":"Linux_Exploit_Log4j_7fc4d480","scan_context":"file, memory","severity":"100","threat_name":"Linux.Exploit.Log4j"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Hacktool.Fontonlake","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"81936e696a525cf02070fa7cfa27574cdad37e1b3d8f278950390a1945c21611","id":"68ad8568-2b00-4680-a83f-1689eff6099c","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"717953f52318e7687fc95626561cc607d4875d77ff7e3cf5c7b21cf91f576fa4","rule":"Linux_Hacktool_Fontonlake_68ad8568","scan_context":"file, 
memory","severity":"100","threat_name":"Linux.Hacktool.Fontonlake"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Hacktool.Wipelog","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-03-17","fingerprint":"93f899e14e6331c2149ba5c0c1e9dd8def5a7d1b6d2a7af66eade991dea77b3c","id":"daea1aa4-0df7-4308-83e1-0707dcda2e54","last_modified":"2022-07-22","license":"Elastic License v2","os":"linux","reference_sample":"39b3a95928326012c3b2f64e2663663adde4b028d940c7e804ac4d3953677ea6","rule":"Linux_Hacktool_Wipelog_daea1aa4","scan_context":"file, memory","severity":"100","threat_name":"Linux.Hacktool.Wipelog"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Proxy.Frp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-20","fingerprint":"70bb186a9719767a9a60786fbe10bf4cc2f04c19ea58aaaa90018ec89a9f9b84","id":"4213778f-d05e-4af8-9650-2d813d5a64e5","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2","rule":"Linux_Proxy_Frp_4213778f","scan_context":"file, memory","severity":"100","threat_name":"Linux.Proxy.Frp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Linux.Rootkit.Fontonlake","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"187aae8e659061a06b44e0d353e35e22ada9076c78d8a7e4493e1e4cc600bc9d","id":"8fa41f5e-d03d-4647-86fb-335e056c1c0d","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"826222d399e2fb17ae6bc6a4e1493003881b1406154c4b817f0216249d04a234","rule":"Linux_Rootkit_Fontonlake_8fa41f5e","scan_context":"file, memory","severity":"100","threat_name":"Linux.Rootkit.Fontonlake"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-10","fingerprint":"cc9b75b1f1230e3e2ed289ef5b8fa2deec51197e270ec5d64ff73722c43bb4e8","id":"59e029c3-a57c-44ad-a554-432efc6b591a","last_modified":"2022-05-10","license":"Elastic License v2","os":"linux","reference_sample":"144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3","rule":"Linux_Trojan_BPFDoor_59e029c3","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-05-10","fingerprint":"55097020a70d792e480542da40b91fd9ab0cc23f8736427f398998962e22348e","id":"0f768f60-1d6c-4af9-8ae3-c1c8fbbd32f4","last_modified":"2022-05-10","license":"Elastic License v2","os":"linux","reference_sample":"3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155","rule":"Linux_Trojan_BPFDoor_0f768f60","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-10","fingerprint":"b9d07bda8909e7afb1a1411a3bad1e6cffec4a81eb47d42f2292a2c4c0d97fa7","id":"8453771b-a78f-439d-be36-60439051586a","last_modified":"2022-05-10","license":"Elastic License v2","os":"linux","reference_sample":"591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78","rule":"Linux_Trojan_BPFDoor_8453771b","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-10","fingerprint":"e7f92df3e3929b8296320300bb341ccc69e00d89e0d503a41190d7c84a29bce2","id":"1a7d804b-9d39-4855-abe9-47b72bd28f07","last_modified":"2022-05-10","license":"Elastic License 
v2","os":"linux","reference_sample":"76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925","rule":"Linux_Trojan_BPFDoor_1a7d804b","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-10","fingerprint":"1c4cb6c8a255840c5a2cb7674283678686e228dc2f2a9304fa118bb5bdc73968","id":"e14b0b79-a6f3-4fb3-a314-0ec20dcd242c","last_modified":"2022-05-10","license":"Elastic License v2","os":"linux","reference_sample":"dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a","rule":"Linux_Trojan_BPFDoor_e14b0b79","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.Mirai","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"e2ef1c60e21f18e54694bcfc874094a941e5f61fa6144c5a0e44548dafa315be","id":"7c88acbc-8b98-4508-ac53-ab8af858660d","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Mirai_7c88acbc","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.Mirai","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1","id":"b9a9d04b-a997-46c4-b893-e89a3813efd3","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Mirai_b9a9d04b","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.Orbit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-07-20","fingerprint":"0bb1c74f872ea8778a442aafc2c6f3f04e331b7f743ba726257e36b09ef33da4","id":"57c23178-1345-47b7-97b1-aa2075d9d69d","last_modified":"2022-08-16","license":"Elastic License v2","os":"linux","reference_sample":"40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020","rule":"Linux_Trojan_Orbit_57c23178","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Orbit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Backdoor.Fakeflashlxk","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-11-11","fingerprint":"a0e6763428616b46536c6a4eb080bae0cc58ef27678616aa432eb43a3d9c77a1","id":"06fd8071-0370-4ae8-819a-846fa0a79b3d","last_modified":"2022-07-22","license":"Elastic License v2","os":"macos","reference_sample":"107f844f19e638866d8249e6f735daf650168a48a322d39e39d5e36cfc1c8659","rule":"MacOS_Backdoor_Fakeflashlxk_06fd8071","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Backdoor.Fakeflashlxk"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Backdoor.Kagent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-11-11","fingerprint":"b8086b08a019a733bee38cebdc4e25cdae9d3c238cfe7b341d8f0cd4db204d27","id":"64ca1865-0a99-49dc-b138-02b17ed47f60","last_modified":"2022-07-22","license":"Elastic License v2","os":"macos","reference_sample":"d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4","rule":"MacOS_Backdoor_Kagent_64ca1865","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Backdoor.Kagent"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Backdoor.Keyboardrecord","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-11-11","fingerprint":"27aa4380bda0335c672e957ba2ce6fd1f42ccf0acd2eff757e30210c3b4fb2fa","id":"832f7bac-3896-4934-b05f-8215a41cca74","last_modified":"2022-07-22","license":"Elastic License 
v2","os":"macos","reference_sample":"570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6","rule":"MacOS_Backdoor_Keyboardrecord_832f7bac","scan_context":"file","severity":"100","threat_name":"MacOS.Backdoor.Keyboardrecord"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Backdoor.Useragent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-11-11","fingerprint":"22afa14a3dc6f8053b93bf3e971d57808a9cc19e676f9ed358ba5f1db9292ba4","id":"1a02fc3a-a394-457b-8af5-99f7f22b0a3b","last_modified":"2022-07-22","license":"Elastic License v2","os":"macos","reference_sample":"623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a","rule":"MacOS_Backdoor_Useragent_1a02fc3a","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Backdoor.Useragent"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Cryptominer.Generic","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"733dadf5a09f4972629f331682fca167ebf9a438004cb686d032f69e32971bd4","id":"d3f68e29-830d-4d40-a285-ac29aed732fa","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"d9c78c822dfd29a1d9b1909bf95cab2a9550903e8f5f178edeb7a5a80129fbdb","rule":"MacOS_Cryptominer_Generic_d3f68e29","scan_context":"file, 
memory","severity":"100","threat_name":"MacOS.Cryptominer.Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Cryptominer.Xmrig","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8","id":"241780a1-ad50-4ded-b85a-26339ae5a632","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f","rule":"MacOS_Cryptominer_Xmrig_241780a1","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Cryptominer.Xmrig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Exploit.Log4j","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-12-13","fingerprint":"cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159","id":"75a13888-7650-4ef3-adec-15378c8479bd","last_modified":"2022-07-22","license":"Elastic License v2","os":"macos","rule":"MacOS_Exploit_Log4j_75a13888","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Exploit.Log4j"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"MacOS.Hacktool.Bifrost","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"e11f6f3a847817644d40fee863e168cd2a18e8e0452482c1e652c11fe8dd769e","id":"39bcbdf8-86dc-480e-8822-dc9832bb9b55","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"e2b64df0add316240b010db7d34d83fc9ac7001233259193e5a72b6e04aece46","rule":"MacOS_Hacktool_Bifrost_39bcbdf8","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Hacktool.Bifrost"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Hacktool.Swiftbelt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"98d14dba562ad68c8ecc00780ab7ee2ecbe912cd00603fff0eb887df1cd12fdb","id":"bc62ede6-e6f1-4c9e-bff2-ef55a5d12ba1","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1","rule":"MacOS_Hacktool_Swiftbelt_bc62ede6","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Hacktool.Swiftbelt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Eggshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-09-30","fingerprint":"2e6284c8e44809d5f88781dcf7779d1e24ce3aedd5e8db8598e49c01da63fe62","id":"ddacf7b9-8479-47ef-9df2-17060578a8e5","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b","rule":"MacOS_Trojan_Eggshell_ddacf7b9","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Eggshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Electrorat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"fa65fc0a8f5b1f63957c586e6ca8e8fbdb811970f25a378a4ff6edf5e5c44da7","id":"b4dbfd1d-4968-4121-a4c2-5935b7f76fc1","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"b1028b38fcce0d54f2013c89a9c0605ccb316c36c27faf3a35adf435837025a4","rule":"MacOS_Trojan_Electrorat_b4dbfd1d","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Electrorat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Metasploit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"e13c605d8f16b2b2e65c717a4716c25b3adaec069926385aff88b37e3db6e767","id":"6cab0ec0-0ac5-4f43-8a10-1f46822a152b","last_modified":"2021-10-25","license":"Elastic License 
v2","os":"macos","reference_sample":"7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42","rule":"MacOS_Trojan_Metasploit_6cab0ec0","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Metasploit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"d47e8083268190465124585412aaa2b30da126083f26f3eda4620682afd1d66e","id":"293bfea9-c5cf-4711-bec0-17a02ddae6f2","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42","rule":"MacOS_Trojan_Metasploit_293bfea9","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Metasploit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"ff040211f664f3f35cd4f4da0e5eb607ae3e490aae75ee97a8fb3cb0b08ecc1f","id":"448fa81d-14c7-479b-8d1e-c245ee261ef6","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42","rule":"MacOS_Trojan_Metasploit_448fa81d","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic 
Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.RustBucket","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-06-26","fingerprint":"f9907f46c345a874b683809f155691723e3a6df7c48f6f4e6eb627fb3dd7904d","id":"e64f7a92-e530-4d0b-8ecb-fe5756ad648c","last_modified":"2023-06-29","license":"Elastic License v2","os":"macos","reference_sample":"9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747","rule":"MacOS_Trojan_RustBucket_e64f7a92","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.RustBucket"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Thiefquest","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"38916235c68a329eea6d41dbfba466367ecc9aad2b8ae324da682a9970ec4930","id":"9130c0f3-5926-4153-87d8-85a591eed929","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"bed3561210e44c290cd410adadcdc58462816a03c15d20b5be45d227cd7dca6b","rule":"MacOS_Trojan_Thiefquest_9130c0f3","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Thiefquest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Macos.Hacktool.JokerSpy","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2023-06-19","fingerprint":"71423d5c4c917917281b7e0f644142a0570df7a5a7ea568506753cb6eabef1c0","id":"58a6b26d-13dd-485a-bac3-77a1053c3a02","last_modified":"2023-06-19","license":"Elastic License v2","os":"macos","reference_sample":"d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8","rule":"Macos_Hacktool_JokerSpy_58a6b26d","scan_context":"file, memory","severity":"100","threat_name":"Macos.Hacktool.JokerSpy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Multi.Ransomware.Luna","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-02","fingerprint":"90c97ecfce451e1373af0d7538cf12991cc844d05c99ee18570e176143ccd899","id":"8614d3d7-7fd2-4cf9-aa97-48a8d9333f38","last_modified":"2022-08-16","license":"Elastic License v2","os":"multi","reference_sample":"1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51","rule":"Multi_Ransomware_Luna_8614d3d7","scan_context":"file, memory","severity":"100","threat_name":"Multi.Ransomware.Luna"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Multi.Trojan.Coreimpact","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-10","fingerprint":"5a4d7af7d0fecc05f87ba51f976d78e77622f8afb1eafc175444f45839490109","id":"37703dc3-9485-4026-a8b7-82e753993757","last_modified":"2022-09-29","license":"Elastic License 
v2","os":"multi","reference_sample":"2d954908da9f63cd3942c0df2e8bb5fe861ac5a336ddef2bd0a977cebe030ad7","rule":"Multi_Trojan_Coreimpact_37703dc3","scan_context":"file, memory","severity":"100","threat_name":"Multi.Trojan.Coreimpact"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Multi.Trojan.Sliver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-20","fingerprint":"0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a","id":"42298c4a-fcea-4c5a-b213-32db00e4eb5a","last_modified":"2022-01-14","license":"Elastic License v2","os":"multi","reference_sample":"3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007","rule":"Multi_Trojan_Sliver_42298c4a","scan_context":"file, memory","severity":"100","threat_name":"Multi.Trojan.Sliver"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Multi.Trojan.Sliver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-31","fingerprint":"e52e39644274e3077769da4d04488963c85a0b691dc9973ad12d51eb34ba388b","id":"3bde542d-df52-4f05-84ff-de67e90592a9","last_modified":"2022-09-29","license":"Elastic License v2","os":"multi","reference_sample":"05461e1c2a2e581a7c30e14d04bd3d09670e281f9f7c60f4169e9614d22ce1b3","rule":"Multi_Trojan_Sliver_3bde542d","scan_context":"file, memory","severity":"100","threat_name":"Multi.Trojan.Sliver"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Backdoor.TeamViewer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-29","fingerprint":"0f2406e98fa1383e39672bd4ec32a111363f7d33f8bc33c2bd7ea36353faab45","id":"df8e7326-5879-48d7-8a5f-1c9a2d8b7f8d","last_modified":"2022-12-20","license":"Elastic License v2","os":"windows","reference":"https://vms.drweb.com/virus/?i=8172096","reference_sample":"68d9ffb6e00c2694d0d827108d0410d5a66d4f8cf839afddd17c5887b0149350","rule":"Windows_Backdoor_TeamViewer_df8e7326","scan_context":"file, memory","severity":"100","threat_name":"Windows.Backdoor.TeamViewer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Exploit.Dcom","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"0abae84599e490056412d5a5ce1868ea118551243377d59cbb6ebd83701769b8","id":"7a1bcec7-e177-4adf-97a7-0d876bf65abc","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5","rule":"Windows_Exploit_Dcom_7a1bcec7","scan_context":"file","severity":"100","threat_name":"Windows.Exploit.Dcom"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Exploit.Log4j","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-12-13","fingerprint":"cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159","id":"dbac7698-906c-44a2-9795-f04ec07d7fcc","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","rule":"Windows_Exploit_Log4j_dbac7698","scan_context":"file, memory","severity":"100","threat_name":"Windows.Exploit.Log4j"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.AskCreds","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-16","fingerprint":"e00dd2496045d1b71119b35c30c4c010c0ad57f67691649c0f4d206f837bd05d","id":"34e3e3d4-7516-4e0e-b3e7-5bc84404bd08","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","rule":"Windows_Hacktool_AskCreds_34e3e3d4","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.AskCreds"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.DarkLoadLibrary","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-12-02","fingerprint":"a73ca4c615d3567c48cc9ec3eedb0497de67960e9610fd1d0ad136075005d10b","id":"c25ee4eb-8ea6-40e2-a1a3-ec60491ced03","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"5546194a71bc449789c3697f9c106860ac0a21e1ccf2b1196120b3f92f4b5306","rule":"Windows_Hacktool_DarkLoadLibrary_c25ee4eb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.DarkLoadLibrary"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.Mimikatz","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Detection for Invoke-Mimikatz","fingerprint":"9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135","id":"355d5d3a-e50e-4614-9a84-0da668c40852","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96","rule":"Windows_Hacktool_Mimikatz_355d5d3a","scan_context":"file, memory","severity":"90","threat_name":"Windows.Hacktool.Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.Rubeus","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"fbc2f67f394a4d21cac532b42c6749002cb7284b4a3912e18672881e6e74765d","id":"43f18623-6024-4608-8019-e3fecd54cf84","last_modified":"2022-11-24","license":"Elastic License 
v2","os":"windows","reference_sample":"b7b4691ad1cdad7663c32d07e911a03d9cc8b104f724c2825fd4957007649235","rule":"Windows_Hacktool_Rubeus_43f18623","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Rubeus"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SafetyKatz","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.Seatbelt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cdbafa7507cb723f20ad0c7a288750a0d95792c8fe5ceb5e48c62fd45f2ffc0b","id":"674fd535-f188-4b20-8b5e-69a111bf08e5","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"a0e467aacd383727d46e766f1c45b424a6d46248118c155c22c538e8773b3ae7","rule":"Windows_Hacktool_Seatbelt_674fd535","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Hacktool.Seatbelt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.Sharpersist","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"44fd3f1146d81c34051f8ef4619db369d364e809799e7ca57bea93fb8fef5d4c","id":"06606812-2be2-4155-a82b-6ab4629c5b5a","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8","rule":"Windows_Hacktool_SharPersist_06606812","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Sharpersist"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpAppLocker","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"720a96f7baa8af4e6189709ee906350c291e175ac861c83d425b235d9217bb32","id":"9645cf22-f9b3-45ff-a5d8-513c59ad3d53","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"0f7390905abc132889f7b9a6d5b42701173aafbff5b8f8882397af35d8c10965","rule":"Windows_Hacktool_SharpAppLocker_9645cf22","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpAppLocker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpChromium","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"b6695ded1a6f647812c7f355e089a2ed7209ac59f51a97d8f6b1897bb1e7d9ad","id":"41ce5080-7d84-4a56-8de8-86959eb92057","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"9dd65aa53728d51f0f3b9aaf51a24f8a2c3f84b4a4024245575975cf9ad7f2e5","rule":"Windows_Hacktool_SharpChromium_41ce5080","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpChromium"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpDump","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cf1e23fc0a317959fceadae8984240b174dac22a1bcabccf43c34f0186a3ac23","id":"7c17d8b1-35cf-440e-8f4e-44abdc2054bb","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"14c3ea569a1bd9ac3aced4f8dd58314532dbf974bfa359979e6c7b6a4bbf41ca","rule":"Windows_Hacktool_SharpDump_7c17d8b1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpDump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpHound","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-10-20","fingerprint":"53d295223e2330a973f9495a7ca625c1e9429bc5daf7dda1b84b2aaeca5ea898","id":"5adf9d6d-b6db-43ea-95bd-e9747b82a36d","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4","rule":"Windows_Hacktool_SharpHound_5adf9d6d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpHound"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpLAPS","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-22","fingerprint":"556b9ba9c0a2f08ff0b27e38e273f5817011de335436feb2a30cac74285d7e4f","id":"381c3f40-b6c6-4e50-be28-3d34ba07b644","last_modified":"2022-12-22","license":"Elastic License v2","os":"windows","reference_sample":"ef0d508b3051fe6f99ba55202a17237f29fdbc0085e3f5c99b1aef52c8ebe425","rule":"Windows_Hacktool_SharpLAPS_381c3f40","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpLAPS"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpMove","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"634efb2dedbb181a31ea41ff34d1d0810d1ab4823c8611737d68cb56601a052d","id":"05e28928-6109-4afe-bd86-908d354ddd80","last_modified":"2023-01-11","license":"Elastic License 
v2","os":"windows","reference_sample":"051f60f9f4665b96f764810defe9525ae7b4f9898249b83a23094cee63fa0c3b","rule":"Windows_Hacktool_SharpMove_05e28928","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpMove"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpRDP","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"a7eb084004fce79efc39781044bad501a731163fa3ad6f9b8b334611d03f5379","id":"80895fcb-b98e-4865-a1f6-87cbea327cea","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"6e909861781a8812ee01bc59435fd73fd34da23fa9ad6d699eefbf9f84629876","rule":"Windows_Hacktool_SharpRDP_80895fcb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpRDP"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpShares","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"ae0cf8bbdfecfebf69d718dc0ccc8402ed7f2f949e2b6bab606bbf69aa6c2518","id":"88cdcd52-9f5b-4ab6-8f20-137c8569d112","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"bbdd3620a67aedec4b9a68b2c9cc880b6631215e129816aea19902a6f4bc6f41","rule":"Windows_Hacktool_SharpShares_88cdcd52","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Hacktool.SharpShares"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpStay","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"346e6cf9d85c737b171914b331bb1837f90696301dbe144cbf8996b8a8cb3adb","id":"eac706c5-975e-43f2-b106-149f884a2e9a","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"498d201f65b57a007a79259ce7015eb7eb1bba660d44deafea716e36316a9caa","rule":"Windows_Hacktool_SharpStay_eac706c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpStay"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpUp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"4c6e70b7ce3eb3fc05966af6c3847f4b7282059e05c089c20f39f226efb9bf87","id":"e5c87c9a-6b4d-49af-85d1-6bb60123c057","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"45e92b991b3633b446473115f97366d9f35acd446d00cd4a05981a056660ad27","rule":"Windows_Hacktool_SharpUp_e5c87c9a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpUp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpView","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"379606da5cf6adb58d6a8e693d379252f7987ff295f838df092ce2246da08354","id":"2c7603ad-27f4-49fc-9fab-f4284620452f","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93","rule":"Windows_Hacktool_SharpView_2c7603ad","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpView"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpWMI","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"20719ea15d4dee90c95b474689752172a6b6fb941dced81803f9f726ddc26d29","id":"a67d6fe5-3ce5-4e63-979e-3fb799d9d173","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"2134a5e1a5eece1336f831a7686c5ea3b6ca5aaa63ab7e7820be937da0678e15","rule":"Windows_Hacktool_SharpWMI_a67d6fe5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpWMI"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, application module","fingerprint":"951f0ca036a0ab0cf2299382049eecb78f35325470f222c6db90a819b9414083","id":"66197d54-3cd2-4006-807d-24d0e0d9e25a","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_66197d54","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, checks module","fingerprint":"7b6ede4d95b2d6d2a43e729365adb9de3fde74ed731cafdb88916ac3925f9164","id":"e8ed269c-3191-44c0-a9c6-55172fb59c8c","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_e8ed269c","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, event 
module","fingerprint":"80b32022a69be8fc1d7e146c3c03623b51e2ee4206eb5f70be753477d68800d5","id":"413caa6b-90b7-4763-97b3-49aeb5a97cf6","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_413caa6b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, File analysis module","fingerprint":"4420faa4da440a9e2b1d8eadef2a1864c078fccf391ac3d7872abe1d738c926e","id":"23fee092-f1ff-4d9e-9873-0a68360efb42","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_23fee092","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, File Info 
module","fingerprint":"03803621b6c9856443809889a14f1d2fa217812007878dd6cf9c3dc9e5f78f65","id":"861d3264-34c3-4ff0-bdd3-44cb5ecce2c8","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_861d3264","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, Network module","fingerprint":"9938c60113963da342dcb7de2252cffbeaa21d36f518e203f19a43da74d85f2d","id":"57587f8c-8fc6-41cc-bcb3-3d1d77c74222","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_57587f8c","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, Process info 
module","fingerprint":"3e407824b258ef66ac6883d4c5dd3efeb0f744f8f64b099313cf83e96f9e968a","id":"cae025b1-bc2a-4eea-a1c1-c82d6e4fd71f","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_cae025b1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, Services info module","fingerprint":"2a7b0e1d850fa6a24f590755ae5610309741e520e4b2bc067f54a8e086444da2","id":"4a9b9603-7b42-4a85-b66a-7f4ec0013338","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_4a9b9603","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, System info 
module","fingerprint":"f05862b7b74cb4741aa953d725336005cdb9b1d50a92ce8bb295114e27f81b2a","id":"4db2c852-6c03-4672-9250-f80671b93e1b","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_4db2c852","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, User info module","fingerprint":"039ea2f11596d6a8d5da05944796424ee6be66e16742676bbb2dc3fcf274cf4a","id":"bcedc8b2-d9e1-45cd-94b4-a19a3ed8c0f9","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_bcedc8b2","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, Windows credentials 
module","fingerprint":"ecc2217349244cd78fa5be040653c02096ee8b6a2f2691309fd7f9f62612fa79","id":"b6bb3e7c-29f6-4bc6-8082-558a56512fc3","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_b6bb3e7c","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the bat script","fingerprint":"06e184fb837274271711288994a3e6bfcc2a50472ca05c8af9f1e4d8efd9091d","id":"94474b0b-c3dc-4585-afb3-3afe4c3ec525","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_94474b0b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.PUP.MediaArena","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-06-02","fingerprint":"0535228889b1d2a7c317a7ce939621d3d20e2a454ec6d31915c25884931d62b9","id":"a9e3b4a1-fd87-4f8f-a9d4-d93f9c018270","last_modified":"2023-06-13","license":"Elastic License 
v2","os":"windows","reference_sample":"c071e0b67e4c105c87b876183900f97a4e8bc1a7c18e61c028dee59ce690b1ac","rule":"Windows_PUP_MediaArena_a9e3b4a1","scan_context":"file, memory","severity":"100","threat_name":"Windows.PUP.MediaArena"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Bitpaymer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-06-25","description":"Identifies BITPAYMER ransomware","fingerprint":"2ecc7884d47ca7dbba30ba171b632859914d6152601ea7b463c0f52be79ebb8c","id":"bca25ac6-e351-4823-be75-b0661c89588a","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/","rule":"Windows_Ransomware_Bitpaymer_bca25ac6","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Bitpaymer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.BlackBasta","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-06","fingerprint":"27602cb05c054a1aa9e27b91675d57707f4a63fa91badc83ad86229839778f4e","id":"494d3c54-4690-4334-b64d-ebeeb305de0e","last_modified":"2022-08-16","license":"Elastic License v2","os":"windows","reference_sample":"357fe8c56e246ffacd54d12f4deb9f1adb25cb772b5cd2436246da3f2d01c222","rule":"Windows_Ransomware_BlackBasta_494d3c54","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Ransomware.BlackBasta"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Clop","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-05-03","description":"Identifies CLOP ransomware in unpacked state","fingerprint":"7367b90772ce6db0d639835a0a54a994ef8ed351b6dadff42517ed5fbc3d0d1a","id":"e04959b5-f3da-428d-8b56-8a9817fdebe0","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://malpedia.caad.fkie.fraunhofer.de/details/win.clop","rule":"Windows_Ransomware_Clop_e04959b5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Clop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Dharma","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-06-25","description":"Identifies DHARMA ransomware","fingerprint":"25d23d045c57758dbb14092cff3cc190755ceb3a21c8a80505bd316a430e21fc","id":"b31cac3f-6e04-48b2-9d16-1a6b66fa8012","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/","rule":"Windows_Ransomware_Dharma_b31cac3f","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Dharma"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic 
Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Egregor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-10-15","description":"Identifies EGREGOR (Sekhemt) ransomware","fingerprint":"3a82a548658e0823678ec9d633774018ddc6588f5e2fbce74826a46ce9c43c40","id":"f24023f3-c887-42fc-8927-cdbd04b5f84f","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.bankinfosecurity.com/egregor-ransomware-adds-to-data-leak-trend-a-15110","rule":"Windows_Ransomware_Egregor_f24023f3","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Egregor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Generic","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-24","fingerprint":"84ab8d177e50bce1a3eceb99befcf05c7a73ebde2f7ea4010617bf4908257fdb","id":"99f5a632-8562-4321-b707-c5f583b14511","last_modified":"2022-02-24","license":"Elastic License v2","os":"windows","reference_sample":"4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382","rule":"Windows_Ransomware_Generic_99f5a632","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Helloxd","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-06-14","fingerprint":"462d8c231d608e28e66d810b811f9fdf82d0b3770d21267a4375669a26bbaafd","id":"0c50f01b-5f3d-4112-9930-ca1150fc12fa","last_modified":"2022-07-18","license":"Elastic License v2","os":"windows","reference_sample":"435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589","rule":"Windows_Ransomware_Helloxd_0c50f01b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Helloxd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Hive","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-08-26","fingerprint":"04df3169c50fbab4e2b495de5500c62ddf5e76aa8b4a7fc8435f39526f69c52b","id":"55619cd0-6013-45e2-b15e-0dceff9571ab","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609","rule":"Windows_Ransomware_Hive_55619cd0","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Hive"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Hive","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-08-26","fingerprint":"a15acde0841f08fc44fdc1fea01c140e9e8af6275a65bec4a7b762494c9e6185","id":"3ed67fe6-6347-4aef-898d-4cb267bcbfc7","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609","rule":"Windows_Ransomware_Hive_3ed67fe6","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Hive"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Ragnarok","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-05-03","description":"Identifies RAGNAROK ransomware","fingerprint":"e2a8eabb08cb99c4999e05a06d0d0dce46d7e6375a72a6a5e69d718c3d54a3ad","id":"1cab7ea1-8d26-4478-ab41-659c193b5baa","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20","rule":"Windows_Ransomware_Ragnarok_1cab7ea1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Ragnarok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Ragnarok","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-05-03","description":"Identifies RAGNAROK ransomware","fingerprint":"a1535bc01756ac9e986eb564d712b739df980ddd61cfde5a7b001849a6b07b57","id":"efafbe48-7740-4c21-b585-467f7ad76f8d","last_modified":"2021-08-23","license":"Elastic 
License v2","os":"windows","reference":"https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20","rule":"Windows_Ransomware_Ragnarok_efafbe48","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Ragnarok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Ragnarok","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-05-03","description":"Identifies RAGNAROK ransomware","fingerprint":"5c0a4e2683991929ff6307855bf895e3f13a61bbcc6b3c4b47d895f818d25343","id":"5625d3f6-7071-4a09-8ddf-faa2d081b539","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20","rule":"Windows_Ransomware_Ragnarok_5625d3f6","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Ragnarok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Snake","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-06-30","description":"Identifies SNAKE ransomware","fingerprint":"f2796560ddc85ad98a5ef4f0d7323948d57116813c8a26ab902fdfde849704e0","id":"550e0265-fca9-46df-9d5a-cf3ef7efc7ff","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","reference":"https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/","rule":"Windows_Ransomware_Snake_550e0265","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Snake"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Thanos","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-11-03","description":"Identifies THANOS (Hakbit) ransomware","fingerprint":"d6654d0b3155d9c64fd4e599ba34d51f110d9dfda6fa1520b686602d9f608f92","id":"e19feca1-b131-4045-be0c-d69d55f9a83e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/","rule":"Windows_Ransomware_Thanos_e19feca1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Thanos"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.AgentTesla","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-22","fingerprint":"cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc","id":"d3ac2b2f-14fc-4851-8a57-41032e386aeb","last_modified":"2022-06-20","license":"Elastic License v2","os":"windows","reference_sample":"65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4","rule":"Windows_Trojan_AgentTesla_d3ac2b2f","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.AgentTesla"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Backoff","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-10","fingerprint":"a45fc701844e6e0cfba5d8ef90d00960b5817af66e6b3d889a54d33539cd5d41","id":"22798f00-ff2a-4f5f-a9ef-fab6d04ca679","last_modified":"2022-09-29","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_Backoff_22798f00","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Backoff"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Bandook","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-10","fingerprint":"b6debea805a8952b9b7473ad7347645e4aced3ecde8d6e53fa2d82c35b285b3c","id":"38497690-6663-47c9-a864-0bbe6a3f7a8b","last_modified":"2022-09-29","license":"Elastic License v2","os":"windows","reference_sample":"4d079586a51168aac708a9ab7d11a5a49dfe7a16d9ced852fbbc5884020c0c97","rule":"Windows_Trojan_Bandook_38497690","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Bandook"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Behinder","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-03-02","description":"Webshell found in REF2924, either Behinder or Godzilla based shell in C#","fingerprint":"cb7856a7d3e792cc60837587fe4afc04448af74cb5ce0478a09eb129e53bf7f1","id":"b9a49f4b-5923-420e-a9e6-9bfa05c93bbf","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","reference_sample":"a50ca8df4181918fe0636272f31e19815f1b97cce6d871e15e03b0ee0e3da17b","rule":"Windows_Trojan_Behinder_b9a49f4b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Behinder"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Bitrat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-13","fingerprint":"bc4a5fad1810ad971277a455030eed3377901a33068bb994e235346cfe5a524f","id":"34bd6c83-9a71-43d5-b0b1-1646a8fb66e8","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"37f70ae0e4e671c739d402c00f708761e98b155a1eefbedff1236637c4b7690a","rule":"Windows_Trojan_Bitrat_34bd6c83","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Bitrat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.BruteRatel","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-06-23","fingerprint":"f20cbaf39dc68460a2612298a5df9efdf5bdb152159d38f4696aedf35862bbb6","id":"9b267f96-11b3-48e6-9d38-ecfd72cb7e3e","last_modified":"2022-07-18","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_BruteRatel_9b267f96","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.BruteRatel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Bughatch","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-09","fingerprint":"1ac6b1285e1925349e4e578de0b2f1cf8a008cddbb1a20eb8768b1fcc4b0c8d3","id":"98f3c0be-1327-4ba2-9320-c1a9ce90b4a4","last_modified":"2022-06-09","license":"Elastic License v2","os":"windows","reference_sample":"b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f","rule":"Windows_Trojan_Bughatch_98f3c0be","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Bughatch"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Carberp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-02-07","description":"Identifies VNC module from the leaked Carberp source code. 
This could exist in other malware families.","fingerprint":"7ce34f1000749a938b78508c93371d3339cd49f73eeec36b25da13c9d129b85c","id":"d6de82ae-9846-40cb-925d-e0a371e1c44c","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://github.com/m0n0ph1/malware-1/blob/master/Carberp%20Botnet/source%20-%20absource/pro/all%20source/hvnc_dll/HVNC%20Lib/vnc/xvnc.h#L342","reference_sample":"f98fadb6feab71930bd5c08e85153898d686cc96c84fe349c00bf6d482de9b53","rule":"Windows_Trojan_Carberp_d6de82ae","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Carberp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies UAC Bypass module from Cobalt Strike","fingerprint":"70224e28a223d09f2211048936beb9e2d31c0312c97a80e22c85e445f1937c10","id":"c851687a-aac6-43e7-a0b6-6aed36dcf12e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_c851687a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Keylogger module from Cobalt 
Strike","fingerprint":"8ecd5bdce925ae5d4f90cecb9bc8c3901b54ba1c899a33354bcf529eeb2485d4","id":"0b58325e-2538-434d-9a2c-26e2c32db039","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_0b58325e","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies dll load module from Cobalt Strike","fingerprint":"0d7d28d79004ca61b0cfdcda29bd95e3333e6fc6e6646a3f6ba058aa01bee188","id":"2b8cddf8-ca7a-4f85-be9d-6d8534d0482e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_2b8cddf8","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies getsystem module from Cobalt Strike","fingerprint":"882886a282ec78623a0d3096be3d324a8a1b8a23bcb88ea0548df2fae5e27aa5","id":"59b44767-c9a5-42c0-b177-7fe49afd7dfb","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_59b44767","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Hashdump module from Cobalt Strike","fingerprint":"9e7c7c9a7436f5ee4c27fd46d6f06e7c88f4e4d1166759573cedc3ed666e1838","id":"7efd3c3f-1104-4b46-9d1e-dc2c62381b8c","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_7efd3c3f","scan_context":"file, memory","severity":"70","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Interfaces module from Cobalt Strike","fingerprint":"62d97cf73618a1b4d773d5494b2761714be53d5cda774f9a96eaa512c8d5da12","id":"6e971281-3ee3-402f-8a72-745ec8fb91fb","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_6e971281","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Invoke Assembly module from Cobalt Strike","fingerprint":"04ef6555e8668c56c528dc62184331a6562f47652c73de732e5f7c82779f2fd8","id":"09b79efa-55d7-481d-9ee0-74ac5f787cef","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_09b79efa","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Kerberos module from Cobalt Strike","fingerprint":"cef2949eae78b1c321c2ec4010749a5ac0551d680bd5eb85493fc88c5227d285","id":"6e77233e-7fb4-4295-823d-f97786c5d9c4","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_6e77233e","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-03-23","description":"Identifies Netdomain module from Cobalt Strike","fingerprint":"ecc28f414b2c347722b681589da8529c6f3af0491845453874f8fd87c2ae86d7","id":"72f68375-35ab-49cc-905d-15302389a236","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_72f68375","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Netview module from Cobalt Strike","fingerprint":"0ecb8e41c01bf97d6dea4cf6456b769c6dd2a037b37d754f38580bcf561e1d2c","id":"15f680fb-a04f-472d-a182-0b9bee111351","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_15f680fb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Portscan module from Cobalt Strike","fingerprint":"283d3d2924e92b31f26ec4fc6b79c51bd652fb1377b6985b003f09f8c3dba66c","id":"5b4383ec-3c93-4e91-850e-d43cc3a86710","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_5b4383ec","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Post Ex module from Cobalt Strike","fingerprint":"d8baacb58a3db00489827275ad6a2d007c018eaecbce469356b068d8a758634b","id":"91e08059-46a8-47d0-91c9-e86874951a4a","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_91e08059","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Attempts to detect Cobalt Strike based on strings found in BEACON","fingerprint":"e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71","id":"ee756db7-e177-41f0-af99-c44646d334f7","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_ee756db7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies PowerShell Runner module from Cobalt Strike","fingerprint":"01d53fcdb320f0cd468a2521c3e96dcb0b9aa00e7a7a9442069773c6b3759059","id":"9c0d5561-5b09-44ae-8e8c-336dee606199","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_9c0d5561","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies PsExec module from Cobalt Strike","fingerprint":"7823e3b98e55a83bf94b0f07e4c116dbbda35adc09fa0b367f8a978a80c2efff","id":"59ed9124-bc20-4ea6-b0a7-63ee3359e69c","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_59ed9124","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-03-23","description":"Identifies Registry module from Cobalt Strike","fingerprint":"4967886ba5e663f2e2dc0631939308d7d8f2194a30590a230973e1b91bd625e1","id":"8a791eb7-dc0c-4150-9e5b-2dc21af0c77d","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_8a791eb7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Screenshot module from Cobalt Strike","fingerprint":"b6fa0792b99ea55f359858d225685647f54b55caabe53f58b413083b8ad60e79","id":"d00573a3-db26-4e6b-aabf-7af4a818f383","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_d00573a3","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Timestomp module from Cobalt Strike","fingerprint":"5418e695bcb1c37e72a7ff24a39219dc12b3fe06c29cedefd500c5e82c362b6d","id":"a56b820f-0a20-4054-9c2d-008862646a78","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_a56b820f","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies UAC cmstp module from Cobalt Strike","fingerprint":"09b1f7087d45fb4247a33ae3112910bf5426ed750e1e8fe7ba24a9047b76cc82","id":"92f05172-f15c-4077-a958-b8490378bf08","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_92f05172","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies UAC token module from Cobalt Strike","fingerprint":"292afee829e838f9623547f94d0561e8a9115ce7f4c40ae96c6493f3cc5ffa9b","id":"417239b5-cf2d-4c85-a022-7a8459c26793","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_417239b5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-21","description":"Rule for browser pivot ","fingerprint":"c15cf6aa7719dac6ed21c10117f28eb4ec56335f80a811b11ab2901ad36f8cf0","id":"a3fb2616-b03d-4399-9342-0fc684fb472e","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a","rule":"Windows_Trojan_CobaltStrike_a3fb2616","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-09","fingerprint":"c375492960a6277bf665bea86302cec774c0d79506e5cb2e456ce59f5e68aa2e","id":"7f8da98a-3336-482b-91da-82c7cef34c62","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","reference_sample":"e3bc2bec4a55ad6cfdf49e5dbd4657fc704af1758ca1d6e31b83dcfb8bf0f89d","rule":"Windows_Trojan_CobaltStrike_7f8da98a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CyberGate","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-28","fingerprint":"3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825","id":"517aac7d-2737-4917-9aa1-c0bd1c3e9801","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","reference_sample":"07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365","rule":"Windows_Trojan_CyberGate_517aac7d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CyberGate"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.DCRat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-15","fingerprint":"fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9","id":"1aeea1ac-69b9-4cc6-91af-18b7a79f35ce","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_DCRat_1aeea1ac","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.DCRat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Darkcomet","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-08-16","fingerprint":"63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b","id":"1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569","rule":"Windows_Trojan_Darkcomet_1df27bcc","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Darkcomet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.DoorMe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-09","fingerprint":"aa8c2ae2e966bf4e0c79faa90b14fd77d07b7c68076f39c56b384dada9dd0e96","id":"246eda61-23b5-49b8-8409-623f2722c289","last_modified":"2022-12-15","license":"Elastic License v2","os":"windows","reference_sample":"96b226e1dcfb8ea2155c2fa508125472c8c767569d009a881ab4c39453e4fe7f","rule":"Windows_Trojan_DoorMe_246eda61","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.DoorMe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.DoubleBack","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-29","fingerprint":"949f8d30125fad133f4b897c945c6aa0eccda5456dc887bde4c0a5affece5195","id":"d2246a35-e582-4707-acd0-f04bb66df722","last_modified":"2022-07-18","license":"Elastic License 
v2","os":"windows","reference_sample":"03d2a0747d06458ccddf65ff5847a511a105e0ad4dcb5134082623af6f705012","rule":"Windows_Trojan_DoubleBack_d2246a35","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.DoubleBack"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.DownTown","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-10","fingerprint":"1ef6dfd9be1e6fa2d1c6b5ce32ad13252f5becf709493a7cceff3519750e0b1e","id":"901c4fdd-858c-4ad8-be12-f88799d591b9","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_DownTown_901c4fdd","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.DownTown"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Dridex","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-08-07","fingerprint":"7b4c5fde8e107a67ff22f3012200e56ec452e0a57a49edb2e06ee225ecfe228c","id":"63ddf193-31a6-4139-b452-960fe742da93","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"b1d66350978808577159acc7dc7faaa273e82c103487a90bf0d040afa000cb0d","rule":"Windows_Trojan_Dridex_63ddf193","scan_context":"file, memory","severity":"90","threat_name":"Windows.Trojan.Dridex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Generic","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-17","fingerprint":"dc14cd519b3bbad7c2e655180a584db0a4e2ad4eea073a52c94b0a88152b37ba","id":"c7fd8d38-eaba-424d-b91a-098c439dab6b","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","reference_sample":"a1702ec12c2bf4a52e11fbdab6156358084ad2c662c8b3691918ef7eabacde96","rule":"Windows_Trojan_Generic_c7fd8d38","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Gh0st","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-10","description":"Identifies a variant of Gh0st Rat","fingerprint":"3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455","id":"ee6de6bc-1648-4a77-9607-e2a211c7bda4","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d","rule":"Windows_Trojan_Gh0st_ee6de6bc","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Gh0st"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Gozi","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2019-08-02","fingerprint":"cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c","id":"261f5ac5-7800-4580-ac37-80b71c47c270","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f","rule":"Windows_Trojan_Gozi_261f5ac5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Gozi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Guloader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-08-17","fingerprint":"53a2d6f895cdd1a6384a55756711d9d758b3b20dd0b87d62a89111fd1a20d1d6","id":"c4d9dd33-b7e7-4ff4-a2f3-62316d064f5a","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"a3e2d5013b80cd2346e37460753eca4a4fec3a7941586cc26e049a463277562e","rule":"Windows_Trojan_Guloader_c4d9dd33","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Guloader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Hancitor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-17","fingerprint":"44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912","id":"6738d84a-7393-4db2-97cc-66f471b5699a","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","reference_sample":"a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40","rule":"Windows_Trojan_Hancitor_6738d84a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Hancitor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Hawkeye","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-03-23","fingerprint":"5bbdb07fa6dd3e415f49d7f4fbc249c078ae42ebd81cad3015e32dfdc8f7cda6","id":"975d546c-286b-4753-b894-d6ed0aa832f3","last_modified":"2023-04-23","license":"Elastic License v2","os":"windows","reference_sample":"aca133bf1d72cf379101e6877871979d6e6e8bc4cc692a5ba815289735014340","rule":"Windows_Trojan_Hawkeye_975d546c","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Hawkeye"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.IcedID","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-16","fingerprint":"155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e","id":"11d24d35-6bff-4fac-83d8-4d152aa0be57","last_modified":"2022-04-06","license":"Elastic License v2","os":"windows","reference_sample":"b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982","rule":"Windows_Trojan_IcedID_11d24d35","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.IcedID"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic 
Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.IcedID","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-21","description":"IcedID Gzip Variant Core","fingerprint":"503bfa6800e0f4ff1a0b56eb8a145e67fa0f387c84aee7bd2eca3cf7074be709","id":"56459277-432c-437c-9350-f5efaa60ffca","last_modified":"2023-03-02","license":"Elastic License v2","os":"windows","reference_sample":"21b1a635db2723266af4b46539f67253171399830102167c607c6dbf83d6d41c","rule":"Windows_Trojan_IcedID_56459277","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.IcedID"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Jupyter","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-07-22","fingerprint":"9cccc2e3d4cfe9ff090d02b143fa837f4da0c229426435b4e097f902e8c5fb01","id":"56152e31-77c6-49fa-bbc5-c3630f11e633","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601","rule":"Windows_Trojan_Jupyter_56152e31","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Jupyter"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Kronos","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-02-07","description":"Strings used by the Kronos banking trojan and variants.","fingerprint":"0e124d42a6741a095b66928303731e7060788bc1035b98b729ca91e4f7b6bc44","id":"cdd2e2c5-17fc-4cec-aece-0b19c54faccf","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects","reference_sample":"baa9cedbbe0f5689be8f8028a6537c39e9ea8b0815ad76cb98f365ca5a41653f","rule":"Windows_Trojan_Kronos_cdd2e2c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Kronos"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Lokibot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-22","fingerprint":"a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b","id":"1f885282-b60e-491e-ae1b-d26825e5aadb","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409","rule":"Windows_Trojan_Lokibot_1f885282","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Lokibot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Metasploit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Identifies Meterpreter DLL used by Metasploit","fingerprint":"4fc7c309dca197f4626d6dba8afcd576e520dbe2a2dd6f7d38d7ba33ee371d55","id":"dd5ce989-3925-4e27-97c1-3b8927c557e9","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/","reference_sample":"86cf98bf854b01a55e3f306597437900e11d429ac6b7781e090eeda3a5acb360","rule":"Windows_Trojan_Metasploit_dd5ce989","scan_context":"file, memory","severity":"90","threat_name":"Windows.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Nanocore","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-13","fingerprint":"e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4","id":"d8c4e3c5-8bcc-43d2-9104-fa3774282da5","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd","rule":"Windows_Trojan_Nanocore_d8c4e3c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Nanocore"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.NapListener","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-02-28","fingerprint":"460b21638f200bf909e9e47bc716acfcb323540fbaa9ea9d0196361696ffa294","id":"414180a7-ca8d-4cf8-a346-08c3e0e1ed8a","last_modified":"2023-03-20","license":"Elastic License v2","os":"windows","reference_sample":"6e8c5bb2dfc90bca380c6f42af7458c8b8af40b7be95fab91e7c67b0dee664c4","rule":"Windows_Trojan_NapListener_414180a7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.NapListener"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Netwire","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-28","fingerprint":"4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76","id":"1b43df38-886e-4f58-954a-a09f30f19907","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254","rule":"Windows_Trojan_Netwire_1b43df38","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Netwire"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Netwire","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-08-14","fingerprint":"a52d2be082d57d07ab9bb9087dd258c29ef0528c4207ac6b31832f975a1395b6","id":"f42cb379-ac8c-4790-a6d3-aad6dc4acef6","last_modified":"2022-09-29","license":"Elastic License v2","os":"windows","reference_sample":"ab037c87d8072c63dc22b22ff9cfcd9b4837c1fee2f7391d594776a6ac8f6776","rule":"Windows_Trojan_Netwire_f42cb379","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Netwire"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.OnlyLogger","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-03-22","fingerprint":"5c8c98b250252d178c8dbad60bf398489d9396968e33b3e004219a4f323eeed8","id":"b9e88336-9719-4f43-afc9-b0e6c7d72b6f","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","reference_sample":"69876ee4d89ba68ee86f1a4eaf0a7cb51a012752e14c952a177cd5ffd8190986","rule":"Windows_Trojan_OnlyLogger_b9e88336","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.OnlyLogger"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Pandastealer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-02","fingerprint":"873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487","id":"8b333e76-f723-4093-ad72-2f5d42aaa9c9","last_modified":"2022-01-13","license":"Elastic License 
v2","os":"windows","reference_sample":"ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935","rule":"Windows_Trojan_Pandastealer_8b333e76","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Pandastealer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Parallax","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-09-08","fingerprint":"5c695f6b1bb0e72a070e076402cd94a77b178809617223b6caac6f6ec46f2ea1","id":"b4ea4f1a-4b78-4bb8-878e-40fe753018e9","last_modified":"2022-09-29","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_Parallax_b4ea4f1a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Parallax"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Pingpull","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-06-16","fingerprint":"b471e0f40780523bf396323a3b70fd285944fef2960ae43a36068eaf2f2fea4f","id":"09dd9559-ce77-4f55-9e81-3b90add40103","last_modified":"2022-07-18","license":"Elastic License v2","os":"windows","reference_sample":"de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761","rule":"Windows_Trojan_Pingpull_09dd9559","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Pingpull"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.PoshC2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-03-29","fingerprint":"30a9161077a90068acf756dcc2354bd04186f87717e32cccdcacc9521c41ddde","id":"e2d3881e-d849-4ec8-a560-000a9b29814f","last_modified":"2023-04-23","license":"Elastic License v2","os":"windows","reference_sample":"7a718a4f74656346bd9a2e29e008705fc2b1c4d167a52bd4f6ff10b3f2cd9395","rule":"Windows_Trojan_PoshC2_e2d3881e","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.PoshC2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.PowerSeal","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-10","fingerprint":"9b7beb5af64bc57d78cfb8f5bf8134461d8f2fbe7c935a0fa2b44fb51160a28d","id":"2e50f393-40c0-49f7-882e-33f914eff32d","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_PowerSeal_2e50f393","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.PowerSeal"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Qbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-10-04","fingerprint":"ab80d96a454e0aad56621e70be4d55f099c41b538a380feb09192d252b4db5aa","id":"7d5dc64a-a597-44ac-a0fd-cefffc5e9cff","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"a2bacde7210d88675564106406d9c2f3b738e2b1993737cb8bf621b78a9ebf56","rule":"Windows_Trojan_Qbot_7d5dc64a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Qbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.RedLineStealer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-12","fingerprint":"a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580","id":"17ee6a17-161e-454a-baf1-2734995c82cd","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382","rule":"Windows_Trojan_RedLineStealer_17ee6a17","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.RedLineStealer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.RedLineStealer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-12","fingerprint":"6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0","id":"f54632eb-2c66-4aff-802d-ad1c076e5a5e","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","reference_sample":"d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25","rule":"Windows_Trojan_RedLineStealer_f54632eb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.RedLineStealer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Remcos","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-10","fingerprint":"a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d","id":"b296e965-a99e-4446-b969-ba233a2a8af4","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed","rule":"Windows_Trojan_Remcos_b296e965","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Remcos"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Revcoderat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-02","fingerprint":"bc259d888e913dffb4272e2f871592238eb78922989d30ac4dc23cdeb988cc78","id":"8e6d4182-4ea8-4d4c-ad3a-d16b42e387f4","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210","rule":"Windows_Trojan_Revcoderat_8e6d4182","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.Revcoderat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.SVCReady","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-06-12","fingerprint":"6e30d9977698c7864a8c264a7fe8c9a558f6e51dda9c887bda94261ce187645f","id":"af498d39-6ae8-46de-ad6c-81b346d80139","last_modified":"2022-07-18","license":"Elastic License v2","os":"windows","reference_sample":"08e427c92010a8a282c894cf5a77a874e09c08e283a66f1905c131871cc4d273","rule":"Windows_Trojan_SVCReady_af498d39","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.SVCReady"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.ShadowPad","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-01-31","description":"Target ShadowPad loader","fingerprint":"629f1502ce9f429ba6d497b8f2b0b35e57ca928a764ee6f3cb43521bfa6b5af4","id":"be71209d-b1c0-4922-87ae-47d0930d8755","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"452b08d6d2aa673fb6ccc4af6cebdcb12b5df8722f4d70d1c3491479e7b39c05","rule":"Windows_Trojan_ShadowPad_be71209d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.ShadowPad"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.ShadowPad","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-01-31","description":"Target ShadowPad payload","fingerprint":"7070eb3608c2c39804ccad4a05e4de12ec4eb47388589ef72c723b353b920a68","id":"0d899241-6ef8-4524-a728-4ed53e4d2cec","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"cb3a425565b854f7b892e6ebfb3734c92418c83cd590fc1ee9506bcf4d8e02ea","rule":"Windows_Trojan_ShadowPad_0d899241","scan_context":"memory","severity":"100","threat_name":"Windows.Trojan.ShadowPad"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.SnakeKeylogger","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-06","fingerprint":"15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d","id":"af3faa65-b19d-4267-ac02-1a3b50cdc700","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_SnakeKeylogger_af3faa65","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.SnakeKeylogger"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Squirrelwaffle","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-09-20","fingerprint":"94c0d8ce3e06cf02a6fb57c074ff0ef60346babcde43c61371d099b011d9fcf9","id":"88033ff1-f9b1-4cdc-bb68-bd3a10027584","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c","rule":"Windows_Trojan_Squirrelwaffle_88033ff1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Squirrelwaffle"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.SysJoker","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-17","fingerprint":"9123af8b8b27ebfb9199e70eb34d43378b1796319186d5d848d650a8be02d5d5","id":"1ef19a12-ee26-47da-8d65-272f6749b476","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","reference_sample":"61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc","rule":"Windows_Trojan_SysJoker_1ef19a12","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.SysJoker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.SysJoker","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-21","fingerprint":"b1e01d0b94a60f6f5632a14d3d32f78bbe3049886ea3a3e838a29fb790a45918","id":"34559bcd-661a-4213-b896-2d7f882a16ef","last_modified":"2022-04-12","license":"Elastic License 
v2","os":"windows","reference_sample":"1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c","rule":"Windows_Trojan_SysJoker_34559bcd","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.SysJoker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Sythe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-10","fingerprint":"4dd9764e285985fbea5361e5edfa04e75fb8e3e7945cbbf712ea0183471e67ae","id":"02b2811a-2ced-42b6-a9f1-6d983d1dc986","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","reference_sample":"2d54a8ba40cc9a1c74db7a889bc75a38f16ae2d025268aa07851c1948daa1b4d","rule":"Windows_Trojan_Sythe_02b2811a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Sythe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-28","description":"Targets importDll64 containing Browser data stealer module","fingerprint":"d382a99e5eed87cf2eab5e238e445ca0bf7852e40b0dd06a392057e76144699f","id":"23d77ae5-80de-4bb0-8701-ddcaff443dcc","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"844974A2D3266E1F9BA275520C0E8A5D176DF69A0CCD5135B99FACF798A5D209","rule":"Windows_Trojan_Trickbot_23d77ae5","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets injectDll64 containing injection functionality to steal banking credentials","fingerprint":"23d9b89917a0fc5aad903595b89b650f6dbb0f82ce28ce8bcc891904f62ccf1b","id":"5574be7d-7502-4357-8110-2fb4a661b2bd","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"8c5c0d27153f60ef8aec57def2f88e3d5f9a7385b5e8b8177bab55fa7fac7b18","rule":"Windows_Trojan_Trickbot_5574be7d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets mailsearcher64.dll module","fingerprint":"15438ae141a2ac886b1ba406ba45119da1a616c3b2b88da3f432253421aa8e8b","id":"1473f0b4-a6b5-4b19-a07e-83d32a7e44a0","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"9cfb441eb5c60ab1c90b58d4878543ee554ada2cceee98d6b867e73490d30fec","rule":"Windows_Trojan_Trickbot_1473f0b4","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets pwgrab64.dll module containing functionality use to retrieve local passwords","fingerprint":"7d5dcb60526a80926bbaa7e3cd9958719e326a160455095ff9f0315e85b8adf6","id":"217b9c97-a637-49b8-a652-5a42ea19ee8e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"1E90A73793017720C9A020069ED1C87879174C19C3B619E5B78DB8220A63E9B7","rule":"Windows_Trojan_Trickbot_217b9c97","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets shareDll64.dll module containing functionality use to spread Trickbot across local networks","fingerprint":"55dbbcbc77ec51a378ad2ba8d56cb0811d23b121cacd037503fd75d08529c5b5","id":"d2110921-b957-49b7-8a26-4c0b7d1d58ad","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"05EF40F7745DB836DE735AC73D6101406E1D9E58C6B5F5322254EB75B98D236A","rule":"Windows_Trojan_Trickbot_d2110921","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets vncDll64.dll module containing remote control VNC functionality","fingerprint":"32d63b8db4307fd67e2c9068e22f843f920f19279c4a40e17cd14943577e7c81","id":"07239dad-7f9e-4b20-a691-d9538405b931","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"DBD534F2B5739F89E99782563062169289F23AA335639A9552173BEDC98BB834","rule":"Windows_Trojan_Trickbot_07239dad","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets tabDll64.dll module containing functionality using SMB for lateral movement","fingerprint":"e6eea38858cfbbe5441b1f69c5029ff9279e7affa51615f6c91981fe656294fc","id":"2d89e9cd-2941-4b20-ab4e-a487d329ff76","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"3963649ebfabe8f6277190be4300ecdb68d4b497ac5f81f38231d3e6c862a0a8","rule":"Windows_Trojan_Trickbot_2d89e9cd","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Targets cookiesdll.dll module containing functionality used to retrieve browser cookie data","fingerprint":"0aeb68977f4926272f27d5fba44e66bdbb9d6a113da5d7b4133a379b06df4474","id":"32930807-30bb-4c57-8e17-0da99a816405","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d","rule":"Windows_Trojan_Trickbot_32930807","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Targets Outlook.dll module containing functionality used to retrieve Outlook data","fingerprint":"df4336e5cbca495dac4fe110bd7a727e91bb3d465f76d3f3796078332c13633c","id":"618b27d2-22ad-4542-86ed-7148f17971da","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e","rule":"Windows_Trojan_Trickbot_618b27d2","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Targets DomainDll module containing functionality using LDAP to retrieve credentials and configuration information","fingerprint":"d145b7c95bca0dc0c46a8dff60341a21dce474edd169dd0ee5ea2396dad60b92","id":"6eb31e7b-9dc3-48ff-91fe-8c584729c415","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"3e3d82ea4764b117b71119e7c2eecf46b7c2126617eafccdfc6e96e13da973b1","rule":"Windows_Trojan_Trickbot_6eb31e7b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Generic signature used to identify Trickbot module usage","fingerprint":"2667c7181fb4db3f5765369fc2ec010b807a7bf6e2878fc42af410f036c61cbe","id":"91516cf4-c826-4d5d-908f-e1c0b3bccec5","last_modified":"2021-08-31","license":"Elastic License v2","os":"windows","reference_sample":"6cd0d4666553fd7184895502d48c960294307d57be722ebb2188b004fc1a8066","rule":"Windows_Trojan_Trickbot_91516cf4","scan_context":"file, memory","severity":"80","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Targets permadll module used to fingerprint BIOS/firmaware data","fingerprint":"047b1c64b8be17d4a6030ab2944ad715380f53a8a6dd9c8887f198693825a81d","id":"be718af9-5995-4ae2-ba55-504e88693c96","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"c1f1bc58456cff7413d7234e348d47a8acfdc9d019ae7a4aba1afc1b3ed55ffa","rule":"Windows_Trojan_Trickbot_be718af9","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Xworm","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-04-03","fingerprint":"afbef8e590105e16bbd87bd726f4a3391cd6a4489f7a4255ba78a3af761ad2f0","id":"732e6c12-9ee0-4d04-a6e4-9eef874e2716","last_modified":"2023-04-23","license":"Elastic License v2","os":"windows","reference_sample":"bf5ea8d5fd573abb86de0f27e64df194e7f9efbaadd5063dee8ff9c5c3baeaa2","rule":"Windows_Trojan_Xworm_732e6c12","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Xworm"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-03-28","alert":"Cobalt Strike's resources/template.py signature for versions v3.3 to 
v4.x","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","hash":"d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_Py_v3_3_to_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-03-28","alert":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","hash":"ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13"}}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Turla Agent.BTZ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-06-16","description":"Detects Turla 
Agent.BTZ","hash1":"c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615","reference":"Internal Research","rule":"APT_Turla_Agent_BTZ_Gen_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Find generic data potentially relating to AP15 tools","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"David Cannings","description":"Find generic data potentially relating to AP15 tools","rule":"malware_apt15_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"HyperBro Stage 3 C2 path and user agent detection - also tested in memory","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Marc Stroebel","date":"2022-02-07","description":"HyperBro Stage 3 C2 path and user agent detection - also tested in memory","hash1":"624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8","license":"https://creativecommons.org/licenses/by-nc/4.0/","reference":"https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27","rule":"HvS_APT27_HyperBro_Stage3_C2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NSA / FBI","date":"2020-08-13","description":"Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client 
based","reference":"https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/","rule":"APT_APT28_drovorub_unique_network_comms_strings","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-29","description":"Auto-generated rule","hash1":"9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0","hash2":"55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/WVflzO","rule":"GRIZZLY_STEPPE_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-05-25","description":"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting 
payload.","hash":"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330","reference":"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/","rule":"APT_APT29_Win_FlipFlop_LDR"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-05-27","description":"The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.","hash":"ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c","reference":"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/","rule":"APT_APT28_Win_FreshFire"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BoomBox malware as described in APT29 NOBELIUM report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-27","description":"Detects BoomBox malware as described in APT29 NOBELIUM report","reference":"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/","rule":"APT_APT29_NOBELIUM_BoomBox_May21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects stageless loader as used by APT29 / NOBELIUM","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-29","description":"Detects stageless loader as used by APT29 / NOBELIUM","hash1":"a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf","hash2":"c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78","reference":"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/","rule":"APT_APT29_NOBELIUM_Stageless_Loader_May21_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"North Korean origin malware which uses a custom Google App for c2 communications.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-06-21","description":"North Korean origin malware which uses a custom Google App for c2 communications.","hash1":"837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed","license":"See license at https://github.com/volexity/threat-intel/LICENSE.txt","reference":"https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/","rule":"APT_MAL_Win_BlueLight_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Speculoos Backdoor used by APT41","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-14","description":"Detects Speculoos Backdoor used 
by APT41","hash1":"6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167","hash2":"99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28","reference":"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/","rule":"APT_APT41_CN_ELF_Speculoos_Backdoor","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","hash1":"1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b","hash2":"510375f8142b3651df67d42c3eff8d2d880987c0e057fc75a5583f36de34bf0e","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_LazyCat_LogEraser"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_PowerKatz_Feb19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs a tool used in the Australian Parliament House network 
compromise","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_Unknown_Feb19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Custome SSH backdoor based on python and paramiko - file server.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-05-14","description":"Custome SSH backdoor based on python and paramiko - file server.py","hash":"0953b6c2181249b94282ca5736471f85d80d41c9","modified":"2022-08-18","reference":"https://goo.gl/S46L3o","rule":"custom_ssh_backdoor_server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/06","description":"Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/VRJNLo","rule":"Casper_Included_Strings","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Casper French Espionage Malware - System Info Output - 
http://goo.gl/VRJNLo","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/06","description":"Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/VRJNLo","rule":"Casper_SystemInformation_Output","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware from the Proofpoint CN APT ZeroT incident","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-03","description":"Detects malware from the Proofpoint CN APT ZeroT incident","hash1":"ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"PP_CN_APT_ZeroT_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware from the Proofpoint CN APT ZeroT incident","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-03","description":"Detects malware from the Proofpoint CN APT ZeroT incident","hash1":"74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"PP_CN_APT_ZeroT_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll","hash1":"266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"CN_APT_ZeroT_extracted_Mcutil"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Red Delta samples","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-10-14","description":"Detects Red Delta samples","hash1":"30b2bbce0ca4cb066721c94a64e2c37b7825dd72fc19c20eb0ab156bea0f8efc","hash2":"42ed73b1d5cc49e09136ec05befabe0860002c97eb94e9bad145e4ea5b8be2e2","hash3":"480a8c883006232361c5812af85de9799b1182f1b52145ccfced4fa21b6daafa","hash4":"7ea7c6406c5a80d3c15511c4d97ec1e45813e9c58431f386710d0486c4898b98","reference":"https://twitter.com/JAMESWT_MHT/status/1316387482708119556","rule":"APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects Red Delta samples","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-10-14","description":"Detects Red Delta samples","hash1":"260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b","hash2":"9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5","hash3":"b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429","reference":"https://twitter.com/JAMESWT_MHT/status/1316387482708119556","rule":"APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Identifies strings used in Cobalt Strike Beacon DLL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Elastic","date":"2021-03-16","description":"Identifies strings used in Cobalt Strike Beacon DLL","reference":"https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures","rule":"HKTL_CobaltStrike_Beacon_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects unmodified CobaltStrike beacon DLL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yara@s3c.za.net","date":"2019-08-16","description":"Detects unmodified CobaltStrike beacon DLL","rule":"CobaltStrike_Unmodifed_Beacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Codoso APT CustomTCP 
Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT CustomTCP Malware","hash1":"ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0","hash2":"130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8","hash3":"3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa","hash4":"02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_CustomTCP_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Codoso APT Gh0st Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT Gh0st Malware","hash":"bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_Gh0st_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Codoso APT Gh0st Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT Gh0st 
Malware","hash1":"5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841","hash2":"7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8","hash3":"d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_Gh0st_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Codoso APT PGV PVID Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT PGV PVID Malware","hash1":"41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824","hash2":"58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3","hash3":"934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7","hash4":"ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266","hash5":"e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_PGV_PVID_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a malware sysdll.exe from the Rocket Kitten APT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"27.12.2014","description":"Detects a malware sysdll.exe from the Rocket Kitten 
APT","hash":"f89a4d4ae5cca6d69a5256c96111e707","modified":"2023-01-06","rule":"CoreImpact_sysdll_exe","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects trojan from APT report named http.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-25","description":"Detects trojan from APT report named http.exe","hash1":"ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://goo.gl/13Wgy1","rule":"Mal_http_EXE","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a malicious PotPlayer.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-25","description":"Detects a malicious PotPlayer.dll","hash1":"705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/13Wgy1","rule":"Mal_PotPlayer_DLL","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hack Deep Panda - lot1.tmp-pwdump","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - 
lot1.tmp-pwdump","hash":"5d201a0fb0f4a96cefc5f73effb61acff9c818e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_lot1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hack Deep Panda - htran-exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DTRACK malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects DTRACK malware","hash1":"c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c","hash2":"a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68","hash3":"93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9","hash4":"3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682","hash5":"bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364","hash6":"58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb","hash7":"9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21","rule":"APT_MAL_DTRACK_Oct19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file create_dns_injection.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file create_dns_injection.py","hash1":"488f3cc21db0688d09e13eb85a197a1d37902612c3e302132c84e07bc42b1c32","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_create_dns_injection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file screamingplow.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file screamingplow.sh","hash1":"c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_screamingplow"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file MixText.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file MixText.py","hash1":"e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_MixText"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file tunnel_state_reader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file tunnel_state_reader","hash1":"49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_tunnel_state_reader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file payload.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file payload.py","hash1":"21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_payload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file 
eligiblecandidate.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file eligiblecandidate.py","hash1":"c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_eligiblecandidate"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BUSURPER-2211-724.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BUSURPER-2211-724.exe","hash1":"d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BUSURPER_2211_724"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file networkProfiler_orderScans.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file networkProfiler_orderScans.sh","hash1":"ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_networkProfiler_orderScans"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py","hash1":"4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_epicbanana_2_1_0_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file sniffer_xml2pcap","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file sniffer_xml2pcap","hash1":"f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sniffer_xml2pcap"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BananaAid","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file 
BananaAid","hash1":"7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BananaAid"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file config_jp1_UA.pl","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file config_jp1_UA.pl","hash1":"2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_config_jp1_UA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file userscript.FW","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file userscript.FW","hash1":"5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_userscript"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BUSURPER-3001-724.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth 
(Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BUSURPER-3001-724.exe","hash1":"6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BUSURPER_3001_724"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file workit.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file workit.py","hash1":"fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"Research","rule":"EQGRP_workit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file tinyhttp_setup.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file tinyhttp_setup.sh","hash1":"3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_tinyhttp_setup"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file 
EPBA.script","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file EPBA.script","hash1":"53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_EPBA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file jetplow.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file jetplow.sh","hash1":"ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_jetplow_SH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py","hash1":"59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_extrabacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file sploit.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file sploit.py","hash1":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sploit_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file uninstallPBD.bat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file uninstallPBD.bat","hash1":"692fdb449f10057a114cf2963000f52ce118d9a40682194838006c66af159bd0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_uninstallPBD"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BICECREAM-2140","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BICECREAM-2140","hash1":"4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BICECREAM"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BFLEA-2201.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BFLEA-2201.exe","hash1":"15e8c743770e44314496c5f27b6297c5d7a4af09404c4aa507757e0cc8edc79e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BFLEA_2201"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file StoreFc.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file StoreFc.py","hash1":"f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_StoreFc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file 
BBALL_E28F6-2201.exe","hash1":"498fc9f20b938b8111adfa3ca215325f265a08092eefd5300c4168876deb7bf6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BBALL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100","hash1":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash2":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BARPUNCH_BPICKER","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset 
Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash3":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash4":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash5":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash6":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash7":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","hash8":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit","hash1":"1214e282ac7258e616ebd76f912d4b2455d1b415b7216823caa3fc0d09045a5f","hash2":"c8a151df7605cb48feb8be2ab43ec965b561d2b6e2a837d645fdf6a6191ab5fe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_pandarock","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth 
(Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BananaUsurper_writeJetPlow","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120","hash1":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash2":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash3":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash4":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset 
Firewall","hash1":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash2":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash3":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash4":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash5":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash6":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230","hash1":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash2":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BLIAR_BLIQUER","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files sploit.py, sploit.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files sploit.py, 
sploit.py","hash1":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","hash2":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sploit","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash3":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash4":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash5":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash6":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset 
Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash3":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash4":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash5":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash6":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash7":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","hash8":"ee3e3487a9582181892e27b4078c5a3cb47bb31fc607634468cc67753f7e61d7","hash9":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - from files ssh.py, telnet.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files ssh.py, telnet.py","hash1":"630d464b1d08c4dfd0bd50552bee2d6a591fb0b5597ecebaa556a3c3d4e0aa4e","hash2":"07f4c60505f4d5fb5c4a76a8c899d9b63291444a3980d94c06e1d5889ae85482","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_ssh_telnet_29","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - Callback 
addresses","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Callback addresses","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_callbacks"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - Extrabacon exploit output","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Extrabacon exploit output","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Extrabacon_Output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EQGRP Toolset Firewall - Unique strings","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Unique strings","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Unique_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file 
elgingamble","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file elgingamble","hash1":"0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_elgingamble"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file cmsd","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file cmsd","hash1":"634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_cmsd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file 
ebbshave.v5","hash1":"eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ebbshave"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file eggbasket","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file eggbasket","hash1":"b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_eggbasket"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file sambal","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file sambal","hash1":"2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_sambal"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file cmsex","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file cmsex","hash1":"2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_cmsex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file DUL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file DUL","hash1":"24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_DUL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file slugger2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file 
slugger2","hash1":"a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_slugger2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file jackpop","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file jackpop","hash1":"0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_jackpop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1","hash1":"eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_epoxyresin_v1_0_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- file estesfox","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file estesfox","hash1":"33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_estesfox"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","hash1":"9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893","hash2":"0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ftshell_ftshell_v3_10_3_0","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2","hash1":"dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222","hash2":"9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__scanner_scanner_v2_1_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86","hash1":"d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1","hash2":"82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ghost_sparc_ghost_x86_3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan","hash1":"8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984","hash2":"942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__jparsescan_parsescan_5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","hash1":"9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893","hash4":"0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ftshell","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EquationGroup Tool - April Leak","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d","hash2":"b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17_Eternalromance","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EquationGroup Tool - April Leak","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5","hash2":"561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e","hash3":"f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b","hash4":"8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EquationGroup Tool - April Leak","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927","hash2":"5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EquationGroup Tool - April Leak","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6","hash2":"c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd","hash3":"9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556","hash4":"c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674","hash5":"5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This rule is UNTESTED against a large dataset and is for hunting purposes only.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"netadr, modified by Florian Roth for performance reasons","date":"2023-04-02","description":"This rule is UNTESTED against a large dataset and is for hunting purposes only.","modified":"2023-05-08","reference":"https://netadr.github.io/blog/a-quick-glimpse-sbz/","rule":"SUSP_ELF_SPARC_Hunting_SBZ_UniqueStrings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware Redosdru - file systemHome.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-04","description":"Detects malware Redosdru - file systemHome.exe","hash1":"4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/OOB3mH","rule":"Backdoor_Redosdru_Jun17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a string found in memory of malware 
cedt370r(3).exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-09","description":"Detects a string found in memory of malware cedt370r(3).exe","reference":"http://goo.gl/ZjJyti","rule":"Fidelis_Advisory_cedt370"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from FIN7 report in August 2018","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-08-01","description":"Detects strings from FIN7 report in August 2018","hash1":"b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html","rule":"APT_FIN7_Strings_Aug18_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Word Dropper from Proofpoint FIN7 Report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-04","description":"Detects Word Dropper from Proofpoint FIN7 Report","reference":"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor","rule":"FIN7_Backdoor_Aug17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects FourElementSword 
Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-18","description":"Detects FourElementSword Malware","hash":"f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/","rule":"FourElementSword_Config_File"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects FourElementSword Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-18","description":"Detects FourElementSword Malware","hash":"9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/","rule":"FourElementSword_ElevateDLL_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 
2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file violetspirit.README","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file violetspirit.README","hash1":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_violetspirit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file gr.notes","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file gr.notes","hash1":"b2b60dce7a4cfdddbd3d3f1825f1885728956bae009de3a307342fbdeeafcb79","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_gr_gr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file 
user.tool.yellowspirit.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.yellowspirit.COMMON","hash1":"a7c4b718fa92934a9182567288146ffa3312d9f3edc3872478c90e0e2814078c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_yellowspirit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file opscript.se","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file opscript.se","hash1":"275c91531a9ac5a240336714093b6aa146b8d7463cb2780cfeeceaea4c789682","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_opscript"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.epichero.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.epichero.COMMON","hash1":"679d194c32cbaead7281df9afd17bca536ee9d28df917b422083ae8ed5b5c484","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_epichero"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.elatedmonkey","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.elatedmonkey","hash1":"98ae935dd9515529a34478cb82644828d94a2d273816d50485665535454e37cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.dubmoat.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.dubmoat.COMMON","hash1":"bcd4ee336050488f5ffeb850d8eaa11eec34d8ba099b370d94d2c83f08a4d881","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_dubmoat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file 
strifeworld.1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file strifeworld.1","hash1":"222b00235bf143645ad0d55b2b6839febc5b570e3def00b77699915a7c9cb670","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_strifeworld"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.pork.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.pork.COMMON","hash1":"9c400aab74e75be8770387d35ca219285e2cedc0c7895225bbe567ce9c9dc078","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_pork"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.ebbisland.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.ebbisland.COMMON","hash1":"390e776ae15fadad2e3825a5e2e06c4f8de6d71813bef42052c7fd8494146222","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_ebbisland"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.elgingamble.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.elgingamble.COMMON","hash1":"4130284727ddef4610d63bfa8330cdafcb6524d3d2e7e8e0cb34fde8864c8118","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_elgingamble"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file README.cup.NOPEN","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file README.cup.NOPEN","hash1":"98aaad31663b89120eb781b25d6f061037aecaeb20cf5e32c36c68f34807e271","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_README_cup"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file 
oneshot.example","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file oneshot.example","hash1":"a85b260d6a53ceec63ad5f09e1308b158da31062047dc0e4d562d2683a82bf9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_nopen_oneshot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.earlyshovel.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.earlyshovel.COMMON","hash1":"504e7a376c21ffbfb375353c5451dc69a35a10d7e2a5d0358f9ce2df34edf256","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_earlyshovel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file user.tool.envisioncollision.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.envisioncollision.COMMON","hash1":"2f04f078a8f0fdfc864d3d2e37d123f55ecc1d5e401a87eccd0c3846770f9e02","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_envisioncollision"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule","hash1":"4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de","hash2":"64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7","hash3":"a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON","hash1":"18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728","hash2":"f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule","hash1":"18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728","hash2":"4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de","hash3":"3fe78949a9f3068db953b475177bcad3c76d16169469afd72791b4312f60cfb3","hash4":"64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7","hash5":"a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619","hash6":"89748906d1c574a75fe030645c7572d7d4145b143025aa74c9b5e2be69df8773","hash7":"f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files violetspirit.README, violetspirit.README","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - from files violetspirit.README, 
violetspirit.README","hash1":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","hash2":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-23","description":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","hash1":"f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197","hash2":"99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2","hash3":"6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df","hash4":"b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/the-ghost-dragon","rule":"GhostDragon_Gh0stRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-23","description":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","hash1":"71a52058f6b5cef66302c19169f67cf304507b4454cca83e2c36151da8da1d97","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/the-ghost-dragon","rule":"GhostDragon_Gh0stRAT_Sample2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ISMDoor Backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Detects ISMDoor Backdoor","hash1":"308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f","hash2":"82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/urp4CD","rule":"Greenbug_Malware_4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"X-Agent/CHOPSTICK Implant by APT28","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"X-Agent/CHOPSTICK Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_3_v1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"BlackEnergy / Voodoo Bear Implant by APT28","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"BlackEnergy / Voodoo Bear Implant by 
APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_4_v9","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Unidentified Implant by APT29","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"Unidentified Implant by APT29","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"Unidentified_Malware_Two","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artefacts found in HAFNIUM intrusions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects forensic artefacts found in HAFNIUM intrusions","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","rule":"APT_HAFNIUM_Forensic_Artefacts_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PowerCat hacktool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects PowerCat 
hacktool","hash1":"c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2","reference":"https://github.com/besimorhino/powercat","rule":"HKTL_PS1_PowerCat_Mar21"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PowerShell Oneliner in Nishang's repository","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-03","description":"Detects PowerShell Oneliner in Nishang's repository","hash1":"2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32","reference":"https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1","rule":"HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"variation on reGeorgtunnel","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-03-01","description":"variation on reGeorgtunnel","hash":"406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928","reference":"https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx","rule":"WEBSHELL_ASPX_reGeorgTunnel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-03-01","description":"The SPORTSBALL webshell allows attackers 
to upload files or execute commands on the system.","hash":"2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a","reference":"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","rule":"WEBSHELL_ASPX_SportsBall"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects CVE-2021-27065 Webshellz","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"CISA Code \u0026 Media Analysis","date":"2021-03-17","description":"Detects CVE-2021-27065 Webshellz","hash":"c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5","reference":"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a","rule":"WEBSHELL_HAFNIUM_CISA_10328929_01"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Chopper like ASPX Webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-31","description":"Detects Chopper like ASPX Webshells","hash1":"a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75","reference":"Internal Research","rule":"WEBSHELL_ASPX_FileExplorer_Mar21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Chopper like ASPX Webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-31","description":"Detects Chopper like ASPX 
Webshells","hash1":"ac44513e5ef93d8cbc17219350682c2246af6d5eb85c1b4302141d94c3b06c90","reference":"Internal Research","rule":"WEBSHELL_ASPX_Chopper_Like_Mar21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065","reference":"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","rule":"EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-08","description":"Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting","reference":"https://twitter.com/jdferrell3/status/1368626281970024448","rule":"LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicious log entries that indicate requests as described in reports on HAFNIUM 
activity","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Zach Stanford - @svch0st, Florian Roth","date":"2021-03-10","description":"Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity","modified":"2021-03-15","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log","reference_2":"https://www.praetorian.com/blog/reproducing-proxylogon-exploit/","rule":"EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Tofu Trojan","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance","date":"2017-02-28","description":"Detects Tofu Trojan","reference":"https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html","rule":"Tofu_Backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"detection for Hellsing implants","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Costin Raiu, Kaspersky Lab","copyright":"Kaspersky Lab","date":"2015-04-07","description":"detection for Hellsing implants","filetype":"PE","rule":"apt_hellsing_implantstrings","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Industroyer related custom port scaner output 
file","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-13","description":"Detects Industroyer related custom port scaner output file","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/x81cSy","rule":"Industroyer_Portscan_3_Output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Industroyer related malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-13","description":"Detects Industroyer related malware","hash1":"7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/x81cSy","rule":"Industroyer_Malware_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects IronGate APT Malware - Step7ProSim DLL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-04","description":"Detects IronGate APT Malware - Step7ProSim DLL","hash1":"0539af1a0cc7f231af8f135920a990321529479f6534c3b64e571d490e1514c3","hash2":"fa8400422f3161206814590768fc1a27cf6420fc5d322d52e82899ac9f49e14f","hash3":"5ab1672b15de9bda84298e0bb226265af09b70a9f0b26d6dfb7bdd6cbaed192d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/Mr6M2J","rule":"IronGate_APT_Step7ProSim_Gen","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Iron Panda malware DnsTunClient - file named.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-16","description":"Iron Panda malware DnsTunClient - file named.exe","hash":"a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/E4qia9","rule":"IronPanda_DNSTunClient","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Iron Panda Malware Htran","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-16","description":"Iron Panda Malware Htran","hash":"7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/E4qia9","rule":"IronPanda_Malware_Htran"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"ASPXSpy detection. It might be used by other fraudsters","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cyber Safety Solutions, Trend Micro","description":"ASPXSpy detection. 
It might be used by other fraudsters","reference":"http://goo.gl/T5fSJC","rule":"IronTiger_ASPXSpy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Iron Tiger Tool - wmi.vbs detection","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cyber Safety Solutions, Trend Micro","description":"Iron Tiger Tool - wmi.vbs detection","reference":"http://goo.gl/T5fSJC","rule":"IronTiger_wmiexec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Keylogger - generic rule for a Chinese variant","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Keylogger - generic rule for a Chinese variant","hash":"3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Keylogger_CN_APT","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects LinaDoor Linux Rootkit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-05-19","description":"Detects LinaDoor Linux 
Rootkit","hash1":"25ff1efe36eb15f8e19411886217d4c9ec30b42dca072b1bf22f041a04049cd9","hash2":"4792e22d4c9996af1cb58ed54fee921a7a9fdd19f7a5e7f268b6793cdd1ab4e7","hash3":"9067230a0be61347c0cf5c676580fc4f7c8580fc87c932078ad0c3f425300fb7","hash4":"940b79dc25d1988dabd643e879d18e5e47e25d0bb61c1f382f9c7a6c545bfcff","hash5":"a1df5b7e4181c8c1c39de976bbf6601a91cde23134deda25703bc6d9cb499044","hash6":"c4eea99658cd82d48aaddaec4781ce0c893de42b33376b6c60a949008a3efb27","hash7":"c5651add0c7db3bbfe0bbffe4eafe9cd5aa254d99be7e3404a2054d6e07d20e7","modified":"2023-05-16","reference":"Internal Research","rule":"MAL_LNX_LinaDoor_Rootkit_May22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Pupy RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-17","description":"Detects Pupy RAT","hash1":"8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations","rule":"APT_PupyRAT_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-04-03","description":"Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus 
group)","hash1":"69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf","hash3":"bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9","hash4":"dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9","hash5":"fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e","reference":"https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/","rule":"APT_NK_MAL_DLL_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-28","description":"Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021","reference":"https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/","rule":"APT_MAL_HP_iLO_Firmware_Dec21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Malware sample mentioned in Microcin technical report by Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-26","description":"Malware sample mentioned in Microcin technical report by Kaspersky","hash1":"b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf","rule":"Microcin_Sample_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"CommentCrew Malware MiniASP APT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"CommentCrew Malware MiniASP APT","hash0":"0af4360a5ae54d789a8814bf7791d5c77136d625","hash1":"777bf8def279942a25750feffc11d8a36cc0acf9","hash2":"173f20b126cb57fc8ab04d01ae223071e2345f97","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"APT_Malware_CommentCrew_MiniASP","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ShimRat and the ShimRat loader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)","date":"20/11/2015","description":"Detects ShimRat and the ShimRat loader","rule":"shimrat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ShimRatReporter","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)","date":"20/11/2015","description":"Detects 
ShimRatReporter","rule":"shimratreporter"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Moonlight Maze sniffer tools","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-15","description":"Rule to detect Moonlight Maze sniffer tools","hash":"927426b558888ad680829bd34b0ad0e7","original_filename":"ora;tdn","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_customsniffer","version":"1.1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool","hash":"8b56e8552a74133da4bc5939b5f74243","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_de_tool","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Moonlight Maze 'cle' log cleaning tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'cle' log cleaning 
tool","hash":"647d7b711f7b4434145ea30d0ef207b0","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_cle_tool","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Moonlight Maze 'xk' keylogger","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'xk' keylogger","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_xk_keylogger","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs the Nanocore RAT and similar malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-22","description":"Detetcs the Nanocore RAT and similar malware","hash1":"e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/","rule":"Nanocore_RAT_Gen_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detetcs the Nanocore RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-22","description":"Detetcs the Nanocore 
RAT","hash1":"755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/","rule":"Nanocore_RAT_Gen_2","score":"100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects user function string from NCSC report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects user function string from NCSC report","hash":"b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"User_Function_String"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malicious batch file from NCSC report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects malicious batch file from NCSC report","hash":"b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Batch_Script_To_Run_PsExec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malicious batch file from NCSC 
report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects malicious batch file from NCSC report","hash":"0a6b1b29496d4514f6485e78680ec4cd0296ef4d21862d8bf363900a4f8e3fd2","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Batch_Powershell_Invoke_Inveigh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects RDP brute forcer from NCSC report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects RDP brute forcer from NCSC report","hash":"8234bf8a1b53efd2a452780a69666d1aedcec9eb1bb714769283ccc2c2bdcc65","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"RDP_Brute_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Z Webshell from NCSC report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects Z Webshell from NCSC report","hash":"ace12552f3a980f1eed4cadb02afe1bfb851cafc8e58fb130e1329719a07dbf0","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Z_WebShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Ruby loader seen 
loading the ROKRAT malware family.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-06-22","description":"Ruby loader seen loading the ROKRAT malware family.","hash1":"5bc52f6c1c0d0131cee30b4f192ce738ad70bcb56e84180f464a5125d1a784b2","license":"See license at https://github.com/volexity/threat-intel/LICENSE.txt","reference":"https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/","rule":"APT_RUBY_RokRat_Loader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings found in POOLRAT malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Mandiant","date":"2023-04-20","description":"Detects strings found in POOLRAT malware","disclaimer":"This rule is meant for hunting and is not tested to run in a production environment","hash1":"451c23709ecd5a8461ad060f6346930c","old_rule_name":"APT_NK_MAL_M_Hunting_POOLRAT","reference":"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise","rule":"SUSP_NK_MAL_M_Hunting_POOLRAT","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Oilrig malware samples","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-12","description":"Detects Oilrig malware 
samples","hash1":"c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d","hash2":"293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb","modified":"2023-01-07","reference":"https://goo.gl/QMRZ8K","rule":"OilRig_Malware_Campaign_Gen2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects OilRig malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Eyal Sela (slightly modified by Florian Roth)","date":"2018-01-19","description":"Detects OilRig malware","reference":"Internal Research","rule":"Oilrig_IntelSecurityManager_macro"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects APT34 PowerShell malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-17","description":"Detects APT34 PowerShell malware","hash1":"b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768","reference":"https://twitter.com/0xffff0800/status/1118406371165126656","rule":"APT_APT34_PS_Malware_Apr19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects APT34 PowerShell malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-17","description":"Detects APT34 PowerShell 
malware","hash1":"27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed","modified":"2023-01-06","reference":"https://twitter.com/0xffff0800/status/1118406371165126656","rule":"APT_APT34_PS_Malware_Apr19_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-12","description":"Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups","hash1":"30b2de0a802a65b4db3a14593126301e6949c1249e68056158b2cc74798bac97","hash2":"94bda24559713c7b8be91368c5016fc7679121fea5d565d3d11b2bb5d5529340","hash3":"a26e75fec3b9f7d5a1c3d0ce1e89e4b0befb7a601da0c69a4cf96301921771dd","hash4":"c202e9d5b99f6137c7c07305c7314e55f52bae832d460c44efc8f2a90ff03615","hash5":"dded62ad85c0bdd68bcc96f88d8ba42d5ad0ef999911ebdea3f561a4491ebbc6","hash6":"f0954774c91603fc2595f0ba0727b9af4e80f6f9be7bb629e7fb6ba4309ed4ea","hash7":"f3906be01d51e2e1ae9b03cd09702b6e0794b9c9fd7dc04024f897e96bb13232","hash8":"f65ae9ccf988a06a152f27a4c0d7992100a2d9d23d80efe8d8c2a5c9bd78a3a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/p32Ozf","rule":"ONHAT_Proxy_Hacktool","score":"100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Keylogger used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Keylogger used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_BackDoorLogger","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"ARP cache poisoner used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"ARP cache poisoner used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_Jasus","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Shell Creator used by attackers in Operation Cleaver to create ASPX web shells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Shell Creator used by attackers in Operation Cleaver to create ASPX web shells","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_ShellCreator2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Malware or hack tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Malware or hack tool used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_SmartCopy2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Malware or hack tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Malware or hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_SynFlooder","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Tiny Bot used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Tiny Bot used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_TinyZBot","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Keywords used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Keywords used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_ZhoupinExploitCrew","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hack tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_antivirusdetector","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Backdoor used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Backdoor used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_csext","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Backdoor used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Backdoor used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_kagent","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Mimikatz Wrapper used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Mimikatz Wrapper used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_mimikatzWrapper","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Parviz tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Parviz tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_pvz_in","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hack tool used by attackers in Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_zhLookUp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Mimikatz wrapper used by attackers in Operation 
Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Mimikatz wrapper used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_zhmimikatz","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"CCProxy config known from Operation Cleaver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/12/02","description":"CCProxy config known from Operation Cleaver","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_CCProxy_Config","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware from Operation Cloud Hopper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-03","description":"Detects malware from Operation Cloud Hopper","hash1":"beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html","rule":"OpCloudHopper_Malware_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Malware related to Operation Cloud Hopper - Page 25","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Malware related to Operation Cloud Hopper - Page 25","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf","rule":"OpCloudHopper_WmiDLL_inMemory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Tools related to Operation Cloud Hopper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Tools related to Operation Cloud Hopper","hash1":"21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/maaaaz/impacket-examples-windows","rule":"VBS_WMIExec_Tool_Apr17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from CSharp version of Agent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from CSharp version of 
Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_Agent_Csharp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from PowerShell dropper of CSharp version of Agent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from PowerShell dropper of CSharp version of Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_powershell_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Piece of Base64 encoded data from Agent CSharp version","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from Agent CSharp version","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_powershell_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from Python version of Agent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from Python version of 
Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Piece of Base64 encoded data from Agent Python version","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from Agent Python version","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_py_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from Python keylogger","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from Python keylogger","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_keylogger_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the CSharp version of XServer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the CSharp version of 
XServer","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_csharp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Piece of Base64 encoded data from the XServer PowerShell dropper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from the XServer PowerShell dropper","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_powershell_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the PowerShell dropper of XServer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the PowerShell dropper of XServer","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_powershell_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Process injector/launcher","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Process 
injector/launcher","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_injector_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Timeliner utility","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Timeliner utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_timeliner_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Checkadmin utility","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Checkadmin utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_checkadmin_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Python getos utility","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Python getos utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_getos_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the information grabber 
VBS","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the information grabber VBS","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_info_vbs"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the console.jsp webshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the console.jsp webshell","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_console_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings from the ver.jsp webshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the ver.jsp webshell","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_ver_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Generic strings from webinfo.war webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Generic strings from webinfo.war 
webshells","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_webinfo"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PassCV Malware mentioned in Cylance Report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-20","description":"PassCV Malware mentioned in Cylance Report","hash1":"475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4","hash2":"009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78","hash3":"92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b","hash4":"0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies","rule":"PassCV_Sabre_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PoisonIvy RAT sample set","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects PoisonIvy RAT sample set","hash1":"8c2630ab9b56c00fd748a631098fa4339f46d42b","hash2":"36b4cbc834b2f93a8856ff0e03b7a6897fb59bd3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"PoisonIvy_Sample_6","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects Poseidon Group Malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-09","description":"Detects Poseidon Group Malware","hash1":"337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4","hash2":"344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3","hash3":"432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61","hash4":"8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47","hash5":"d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f","hash6":"d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb","hash7":"ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/","rule":"PoseidonGroup_Malware","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects POSHSPY malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-15","description":"Detects POSHSPY malware","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html","rule":"POSHSPY_Malware"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects scripts (mostly LUA) from Project Sauron report by 
Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects scripts (mostly LUA) from Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_Scripts"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Dsniff hack tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-19","description":"Detects Dsniff hack tool","reference":"https://goo.gl/eFoP4A","rule":"HKTL_Dsniff","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from arping module - Project Sauron report by Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from arping module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_arping_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from kblogi module - Project Sauron report by 
Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from kblogi module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_kblogi_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from basex module - Project Sauron report by Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from basex module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_basex_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects strings from dext module - Project Sauron report by Kaspersky","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from dext module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_dext_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects PROMETHIUM and NEODYMIUM malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects PROMETHIUM and NEODYMIUM malware","hash1":"1aef507c385a234e8b10db12852ad1bd66a04730451547b2dcb26f7fae16e01f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8abDE6","rule":"PROMETHIUM_NEODYMIUM_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PROMETHIUM and NEODYMIUM malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects PROMETHIUM and NEODYMIUM malware","hash1":"2f98ac11c78ad1b4c5c5c10a88857baf7af43acb9162e8077709db9d563bcf02","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8abDE6","rule":"PROMETHIUM_NEODYMIUM_Malware_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects an APT malware related to PutterPanda","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects an APT malware related to PutterPanda","hash":"5367e183df155e3133d916f7080ef973f7741d34","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT 
Analysis","rule":"APT_Malware_PutterPanda_Rel","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects all QuarksPWDump versions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-29","description":"Detects all QuarksPWDump versions","hash1":"2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa","hash2":"87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f","hash3":"a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9","hash4":"c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab","hash5":"677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa","hash6":"d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674","hash7":"8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"QuarksPwDump_Gen","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Quasar RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Detects Quasar RAT","hash1":"0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740","hash2":"515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89","hash3":"f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf","rule":"Quasar_RAT_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects indicators found in DarkBit ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-13","description":"Detects indicators found in DarkBit ransomware","reference":"https://twitter.com/idonaor1/status/1624703255770005506?s=12\u0026t=mxHaauzwR6YOj5Px8cIeIw","rule":"MAL_RANSOM_DarkBit_Feb23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware from Rehashed RAT incident","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-08","description":"Detects malware from Rehashed RAT incident","hash1":"49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations","rule":"Rehashed_RAT_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects RevengeRAT malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-04","description":"Detects RevengeRAT 
malware","hash1":"2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a","hash2":"7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213","hash3":"fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2020-07-27","reference":"Internal Research","rule":"RevengeRAT_Sep17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Sakula malware - strings after unpacking (memory rule)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"David Cannings","description":"Sakula malware - strings after unpacking (memory rule)","md5":"b3852b9e7f2b8954be447121bb6b65c3","rule":"malware_sakula_memory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects an archive file created by P.A.S. for download operation","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO (modified by Florian Roth)","date":"2021-02-15","description":"Detects an archive file created by P.A.S. for download operation","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"WEBSHELL_PAS_webshell_ZIPArchiveFile","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects SQL dump file created by P.A.S. 
webshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects SQL dump file created by P.A.S. webshell","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"WEBSHELL_PAS_webshell_SQLDumpFile","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Configuration_Key","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects path of 
the unix socket created to prevent concurrent executions in Exaramel malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Socket_Path","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects names of the tasks received from the CC server in Exaramel malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects names of the tasks received from the CC server in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Task_Names","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Strings used by Exaramel malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO (composed from 4 saparate rules by Florian Roth)","date":"2021-02-15","description":"Detects Strings used by Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Strings","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects shell script used by Sandworm in attack against Exim mail 
server","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects shell script used by Sandworm in attack against Exim mail server","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_SH_Sandworm_Shell_Script_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Sandworm Python loader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects Sandworm Python loader","hash1":"c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca","reference":"https://twitter.com/billyleonard/status/1266054881225236482","rule":"APT_RU_Sandworm_PY_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/28","description":"Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and 
http://goo.gl/WXUQcP","hash1":"8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9","hash2":"d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d","hash3":"3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference1":"http://goo.gl/MUUfjv","reference2":"http://goo.gl/WXUQcP","rule":"ScanBox_Malware_Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-09-14","description":"A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim","hash1":"1c9664513fe226beb53268b58b11dacc35b80a12c50c22b76382304badf4eb00","hash2":"6025c66c2eaae30c0349731beb8a95f8a5ba1180c5481e9a49d474f4e1bb76a4","hash3":"6594b75939bcdab4253172f0fa9066c8aee2fa4911bd5a03421aeb7edcd9c90c","license":"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt","memory_suitable":"1","reference":"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/","rule":"APT_SharpTongue_JS_SharpExt_Chrome_Extension","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance","date":"2017-02-09","description":"Detects a 
","reference":"https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar","rule":"StreamEx_ShellCrew","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware sample mentioned in the Silence report on Securelist","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-11-01","description":"Detects malware sample mentioned in the Silence report on Securelist","hash1":"75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securelist.com/the-silence/83009/","rule":"Silence_malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Sofacy Fysbis Linux Backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-13","description":"Detects Sofacy Fysbis Linux Backdoor","hash1":"02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592","hash2":"8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/","rule":"Sofacy_Fybis_ELF_Backdoor_Gen1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects webshell access mentioned in FireEye's SUNBURST 
report","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-12-21","description":"Detects webshell access mentioned in FireEye's SUNBURST report","reference":"https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/","rule":"LOG_APT_WEBSHELL_Solarwinds_SUNBURST_Report_Webshell_Dec20_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"STUXSHOP_config","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"JAG-S (turla@chronicle.security)","desc":"Stuxshop standalone sample configuration","hash":"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579","reference":"https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0","rule":"STUXSHOP_config"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"inveigh pen testing tools \u0026 related artifacts","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US-CERT Code Analysis Team (modified by Florian Roth)","date":"2017/07/17","description":"inveigh pen testing tools \u0026 related 
artifacts","hash0":"61C909D2F625223DB2FB858BBDF42A76","hash1":"A07AA521E7CAFB360294E56969EDA5D6","hash10":"4595DBE00A538DF127E0079294C87DA0","hash2":"BA756DD64C1147515BA2298B6A760260","hash3":"8943E71A8C73B5E343AA9D2E19002373","hash4":"04738CA02F59A5CD394998A99FCD9613","hash5":"038A97B4E2F37F34B255F0643E49FC9D","hash6":"65A1A73253F04354886F375B59550B46","hash7":"AA905A3508D9309A93AD5C0EC26EBC9B","hash8":"5DBEF7BDDAF50624E840CCBCE2816594","hash9":"722154A36F32BA10E98020A8AD758A7A","reference":"https://www.us-cert.gov/ncas/alerts/TA17-293A","rule":"TA17_293A_malware_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects TeleBots malware - IntercepterNG","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects TeleBots malware - IntercepterNG","hash1":"5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/4if3HG","rule":"TeleBots_IntercepterNG"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Liudoor daemon backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"RSA FirstWatch","date":"2015-07-23","description":"Detects Liudoor daemon backdoor","hash0":"78b56bc3edbee3a425c96738760ee406","hash1":"5aa0510f6f1b0e48f0303b9a4bfc641e","hash2":"531d30c8ee27d62e6fbe855299d0e7de","hash3":"2be2ac65fd97ccc97027184f0310f2f3","hash4":"6093505c7f7ec25b1934d3657649ef07","rule":"APT_Liudoor","type":"Win32 
DLL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Turla malware (based on sample used in the RUAG APT case)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects Turla malware (based on sample used in the RUAG APT case)","family":"Turla","hash1":"0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4","hash10":"2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2","hash2":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash3":"fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd","hash4":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","hash5":"b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4","hash6":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","hash7":"8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a","hash8":"8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98","hash9":"0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"Turla_APT_Malware_Gen1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware used in the RUAG APT case","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects malware used in the RUAG APT 
case","hash1":"0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4","hash2":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash3":"fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd","hash4":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","modified":"2023-01-06","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"RUAG_APT_Malware_Gen2","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Turla malware (based on sample used in the RUAG APT case)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects Turla malware (based on sample used in the RUAG APT case)","family":"Turla","hash1":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","hash2":"b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4","hash3":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","hash4":"8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a","hash5":"8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98","hash6":"0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f","hash7":"2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2","hash8":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash9":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"Turla_APT_Malware_Gen3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-03-28","alert":"Rule for detection of Nautilus related strings","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC UK / Florian Roth","date":"2017/11/23","description":"Rule for detection of Nautilus related strings","reference":"https://www.ncsc.gov.uk/alerts/turla-group-malware","rule":"Nautilus_forensic_artificats","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects artefacts found in Hermetic Wiper malware related intrusions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-02-25","description":"Detects artefacts found in Hermetic Wiper malware related intrusions","reference":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","rule":"APT_UA_Hermetic_Wiper_Artefacts_Feb22_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects scheduled task pattern found in Hermetic Wiper malware related intrusions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-02-25","description":"Detects scheduled task pattern found in Hermetic Wiper malware related intrusions","reference":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","rule":"APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-03-28","alert":"Detects SombRAT samples from UNC2447 campaign","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-01","description":"Detects SombRAT samples from UNC2447 campaign","hash1":"61e286c62e556ac79b01c17357176e58efb67d86c5d17407e128094c3151f7f9","hash2":"99baffcd7a6b939b72c99af7c1e88523a50053ab966a079d9bf268aff884426e","modified":"2023-01-07","reference":"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html","rule":"APT_UNC2447_MAL_SOMBRAT_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects WARPRISM PowerShell samples from UNC2447 campaign","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-01","description":"Detects WARPRISM PowerShell samples from UNC2447 campaign","hash1":"3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80","hash2":"63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806","hash3":"b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735","reference":"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html","rule":"APT_UNC2447_PS1_WARPRISM_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DEWMODE webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2021-02-22","description":"Detects DEWMODE webshells","hash1":"2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7","hash2":"5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b","reference":"https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html","rule":"WEBSHELL_APT_PHP_DEWMODE_UNC2546_Feb21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-24","description":"Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong","hash1":"2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac","hash2":"5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://threatconnect.com/camerashy/?utm_campaign=CameraShy","rule":"Unit78020_Malware_Gen3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Strings identifying the core REDLEAVES RAT in its deobfuscated state","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"USG","description":"Strings identifying the core REDLEAVES RAT in its deobfuscated state","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"REDLEAVES_CoreImplant_UniqueStrings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects specific RedLeaves and PlugX binaries","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"MD5_1":"598FF82EA4FB52717ACAFB227C83D474","MD5_2":"7D10708A518B26CC8C3CBFBAA224E032","MD5_3":"AF406D35C77B1E0DF17F839E36BCE630","MD5_4":"6EB9E889B091A5647F6095DCD4DE7C83","MD5_5":"566291B277534B63EAFC938CDAAB8A399E41AF7D","author":"US-CERT Code Analysis Team","date":"2017-04-03","description":"Detects specific RedLeaves and PlugX binaries","incident":"10118538","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"PLUGX_RedLeaves"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Symantec Security Response","date":"22.01.2015","description":"Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component","reference":"http://t.co/rF35OaAXrl","rule":"WaterBug_wipbot_2013_dll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects powershell script used in Operation Wilted Tulip","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects powershell script used in Operation Wilted Tulip","hash1":"e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_powershell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Windows scheduled task as used in Operation Wilted Tulip","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects a Windows scheduled task as used in Operation Wilted Tulip","hash1":"4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_Windows_UM_Task"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects hack tool used in Operation Wilted Tulip - Windows Tasks","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects hack tool used in Operation Wilted Tulip - Windows Tasks","hash1":"c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c","hash2":"340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d","hash3":"b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01","hash4":"5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a","hash5":"984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_WindowsTask"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PlugX Malware Samples from June 2016","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-08","description":"Detects PlugX Malware Samples from June 2016","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Research","rule":"PlugX_J16_Gen2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Winnti sample 
- file NlaifSvc.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Winnti sample - file NlaifSvc.dll","hash1":"964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/VbvJtL","rule":"Winnti_NlaifSvc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/25","description":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","hash":"7ad0eb113bc575363a058f4bf21dbab8c8f7073a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/NpJpVZ","rule":"WoolenGoldfish_Sample_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/25","description":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","hash1":"86222ef166474e53f1eb6d7e6701713834e6fee7","hash2":"e8dbcde49c7f760165ebb0cb3452e4f1c24981f5","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/NpJpVZ","rule":"WoolenGoldfish_Generic_3","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a ZxShell - CN threat group","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-08","description":"Detects a ZxShell - CN threat group","hash1":"5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blogs.rsa.com/cat-phishing/","rule":"ZxShell_Jul17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"BernhardPOS Credit Card dumping tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Hoffman / Jeremy Humble","description":"BernhardPOS Credit Card dumping tool","last_update":"2015-07-14","md5":"e49820ef02ba5308ff84e4c8c12e7c3d","reference":"http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick","rule":"BernhardPOS","score":"70","source":"Morphick Inc."}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Bluenoroff POS malware - hkp.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"http://blog.trex.re.kr/","date":"2018-06-07","description":"Bluenoroff POS malware - 
hkp.dll","reference":"http://blog.trex.re.kr/3?category=737685","rule":"BluenoroffPoS_DLL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Find documents saved from the same potential Cobalt Gang PDF template","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Palo Alto Networks Unit 42","date":"2018-10-25","description":"Find documents saved from the same potential Cobalt Gang PDF template","reference":"https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/","rule":"Cobaltgang_PDF_Metadata_Rev_A"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Triggers on strings of known DearCry samples","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nils Kuhnert","date":"2021-03-12","description":"Triggers on strings of known DearCry samples","hash1":"2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff","hash2":"e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6","hash3":"feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede","reference":"https://twitter.com/phillip_misner/status/1370197696280027136","rule":"MAL_RANSOM_Crime_DearCry_Mar2021_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects unpacked SystemBC module as used by Emotet in March 2022","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Thomas Barabosch, Deutsche 
Telekom Security","date":"2022-03-11","description":"Detects unpacked SystemBC module as used by Emotet in March 2022","hash1":"c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5","malpedia_reference":"https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc","reference":"https://twitter.com/Cryptolaemus1/status/1502069552246575105","reference2":"https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6","rule":"EXT_MAL_SystemBC_Mar22_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects EternalRocks Malware - file taskhost.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-05-18","description":"Detects EternalRocks Malware - file taskhost.exe","hash1":"cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/stamparm/status/864865144748298242","rule":"EternalRocks_taskhost"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Fireball malware - file clearlog.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-02","description":"Detects Fireball malware - file clearlog.dll","hash1":"14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/4pTkGQ","rule":"clearlog"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"2021 loader for Bokbot / Icedid core (license.dat)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Thomas Barabosch, Telekom Security","date":"2021-04-13","description":"2021 loader for Bokbot / Icedid core (license.dat)","reference":"https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240","rule":"MAL_IcedId_Core_LDR_202104"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Match protocol, process injects and windows exploit present in KINS dropper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"AlienVault Labs aortega@alienvault.com","description":"Match protocol, process injects and windows exploit present in KINS dropper","reference":"http://goo.gl/arPhm3","rule":"KINS_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Darkside Ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-10","description":"Detects Darkside 
Ransomware","hash1":"ec368752c2cf3b23efbfa5705f9e582fc9d6766435a7b8eea8ef045082c6fbce","reference":"https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/","rule":"MAL_RANSOM_Darkside_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-20","description":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","reference":"https://us-cert.cisa.gov/ncas/alerts/aa21-259a","rule":"LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-20","description":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","reference":"https://us-cert.cisa.gov/ncas/alerts/aa21-259a","rule":"LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects exploitation attempts against Confluence servers abusing a RCE reported as 
CVE-2021-26084","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-01","description":"Detects exploitation attempts against Confluence servers abusing a RCE reported as CVE-2021-26084","reference":"https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md","rule":"LOG_EXPL_Confluence_RCE_CVE_2021_26084_Sep21","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-12","description":"Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228","reference":"https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b","rule":"EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j exploitation","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-10","description":"Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j 
exploitation","modified":"2021-12-17","reference":"https://twitter.com/marcioalm/status/1470361495405875200?s=20","rule":"SUSP_JDNIExploit_Error_Indicators_Dec21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-13","description":"Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3","reference":"https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/","rule":"EXPL_ManageEngine_CVE_2022_47966_Jan23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects webshells dropped by DropHell malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-11-01","description":"Detects webshells dropped by DropHell malware","reference":"https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside","rule":"WEBSHELL_ProxyShell_Exploitation_Nov21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects indicators found after SpringCore exploitation attempts and in the POC script","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-03-30","description":"Detects indicators found after SpringCore 
exploitation attempts and in the POC script","reference":"https://twitter.com/vxunderground/status/1509170582469943303","rule":"EXPL_POC_SpringCore_0day_Indicators_Mar22_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-08-30","description":"Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system","reference":"https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server","rule":"LOG_EXPL_ProxyToken_Exploitation_Aug21_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-04-08","description":"Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954","modified":"2022-04-12","reference":"https://github.com/sherlocksecurity/VMware-CVE-2022-22954","reference2":"https://twitter.com/rwincey/status/1512241638994853891/photo/1","rule":"EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artefacts indicating successful exploitation of F5 BIG 
IP appliances as reported by NCCGroup","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-20","description":"Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup","reference":"https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/","rule":"LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects signs of exploitation of GitLab CE CVE-2021-22205","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-26","description":"Detects signs of exploitation of GitLab CE CVE-2021-22205","reference":"https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/","rule":"EXPL_GitLab_CE_RCE_CVE_2021_22205","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects payloads used in Shitrix exploitation CVE-2019-19781","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-01-13","description":"Detects payloads used in Shitrix exploitation 
CVE-2019-19781","reference":"https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/","rule":"EXPL_Shitrix_Exploit_Code_Jan20_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detection for Dimorf ransomeware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Silas Cutler","date":"2023-01-03","description":"Detection for Dimorf ransomeware","reference":"https://github.com/Ort0x36/Dimorf","rule":"MAL_PY_Dimorf","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects CobaltStrike payloads","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Payload_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects CobaltStrike payloads","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Beacon_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file 
Get-SecurityPackages.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Get-SecurityPackages.ps1","hash1":"5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Get_SecurityPackages"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-PowerDump.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-PowerDump.ps1","hash1":"095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_PowerDump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-ShellcodeMSIL.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-ShellcodeMSIL.ps1","hash1":"9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_ShellcodeMSIL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-SmbScanner.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-SmbScanner.ps1","hash1":"9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_SmbScanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-EgressCheck.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-EgressCheck.ps1","hash1":"e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_EgressCheck"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file 
Invoke-PostExfil.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-PostExfil.ps1","hash1":"00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_PostExfil"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-SMBAutoBrute.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-SMBAutoBrute.ps1","hash1":"7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_SMBAutoBrute"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Get-Keystrokes.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Get-Keystrokes.ps1","hash1":"c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Get_Keystrokes"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file Invoke-DllInjection.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-DllInjection.ps1","hash1":"304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_DllInjection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - file KeePassConfig.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file KeePassConfig.ps1","hash1":"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_KeePassConfig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-11-05","description":"Detects Empire component","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash2":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash3":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","hash4":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash5":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerShell_Framework_Gen1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1","hash1":"ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerUp_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire 
component","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash3":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash5":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","hash6":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash8":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerShell_Framework_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1","hash2":"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_KeePassConfig_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-Portscan.ps1, 
Invoke-Portscan.ps1","hash2":"cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_Portscan_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash2":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, 
Invoke-ReflectivePEInjection.ps1","hash1":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash2":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash3":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.","md5":"7af24305a409a2b8f83ece27bb0f7900","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"Hunting_GadgetToJScript_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"HackTool_MSIL_SharPersist_2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","md5":"98ecf58d48a3eae43899b45cec0fc6b7","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"HackTool_MSIL_SharPersist_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"CredTheft_MSIL_ADPassHunt_2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","md5":"6efb58cf54d1bb45c057efcfbbd68a93","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"CredTheft_MSIL_ADPassHunt_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Identifies GoRat malware in memory based on strings.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"Identifies GoRat malware in memory based on strings.","md5":"3b926b5762e13ceec7ac3a61e85c93bb","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Backdoor_Win_GoRat_Memory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"APT_Builder_PY_REDFLARE_2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","date":"2020-12-01","md5":"4410e95de247d7f1ab649aa640ee86fb","modified":"2020-12-01","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Builder_PY_REDFLARE_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects FireEye's Python 
Redflar","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","date":"2020-11-27","description":"Detects FireEye's Python Redflar","md5":"d0a830403e56ebaa4bfbe87dbfdee44f","modified":"2020-11-27","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Builder_PY_REDFLARE_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","hash":"d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_Py_v3_3_to_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 
3.13","hash":"ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects CactusTorch Hacktool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-31","description":"Detects CactusTorch Hacktool","hash1":"314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c","hash2":"0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea","hash3":"a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mdsecactivebreach/CACTUSTORCH","rule":"CACTUSTORCH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects URL mentioned in report on compromised Github repositories in August 2022","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-08-03","description":"Detects URL mentioned in report on compromised Github repositories in August 2022","reference":"https://twitter.com/stephenlacy/status/1554697077430505473","rule":"MAL_Github_Repo_Compromise_MyJino_Ru_Aug22","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects HawkEye Keylogger 
Reborn","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-10","description":"Detects HawkEye Keylogger Reborn","hash1":"b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad","reference":"https://twitter.com/James_inthe_box/status/1072116224652324870","rule":"MAL_HawkEye_Keylogger_Gen_Dec18"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Venom - a library that meant to perform evasive communication using stolen browser socket","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Ido Veltzman, Florian Roth","date":"2022-12-17","description":"Detects Venom - a library that meant to perform evasive communication using stolen browser socket","reference":"https://github.com/Idov31/Venom","rule":"HKTL_Venom_LIB_Dec22","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Compiled Impacket Tools","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Compiled Impacket 
Tools","hash1":"4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3","hash10":"4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a","hash11":"47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d","hash12":"7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2","hash13":"9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f","hash14":"d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7","hash15":"8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699","hash16":"efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769","hash17":"e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b","hash18":"19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4","hash19":"2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086","hash2":"d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3","hash20":"202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094","hash3":"2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1","hash4":"ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6","hash5":"e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742","hash6":"27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364","hash7":"dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98","hash8":"0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b","hash9":"21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/maaaaz/impacket-examples-windows","rule":"Impacket_Tools_Generic_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Invoke-Mimikatz 
String","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-03","description":"Detects Invoke-Mimikatz String","hash1":"f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz","rule":"Invoke_Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Invoke-WmiExec or Invoke-SmbExec","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-14","description":"Detects Invoke-WmiExec or Invoke-SmbExec","hash1":"140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97","hash2":"7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Kevin-Robertson/Invoke-TheHash","rule":"Invoke_WMIExec_Gen_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file kerberoast.py","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-21","description":"Auto-generated rule - file kerberoast.py","hash1":"73155949b4344db2ae511ec8cab85da1ccbf2dfec3607fb9acdc281357cdf380","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/skelsec/PyKerberoast","rule":"kerberoast_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Khepri C2 framework beacons","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-08","description":"Detects Khepri C2 framework beacons","hash1":"86c48679db5f4c085fd741ebec5235bc6cf0cdf8ef2d98fd8a689ceb5088f431","reference":"https://github.com/geemion/Khepri/","rule":"HKTL_Khepri_Beacon_Sep21_1","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Reflective DLL Loader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader","hash1":"f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Reflective DLL Loader - suspicious - Possible FP could be program crack","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader - suspicious - Possible FP could be program 
crack","hash1":"c2a7a2d0b05ad42386a2bedb780205b7c0af76fe9ee3d47bbe217562f627fcae","hash2":"b90831aaf8859e604283e5292158f08f100d4a2d4e1875ea1911750a6cb85fe0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_2","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Reflective DLL Loader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader","hash1":"d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-12-21","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PowerShell AMSI Bypass","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-19","description":"Detects PowerShell AMSI Bypass","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1","rule":"PS_AMSI_Bypass","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects MSHTA 
Bypass","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-19","description":"Detects MSHTA Bypass","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/ItsReallyNick/status/887705105239343104","rule":"JS_Suspicious_MSHTA_Bypass","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious Javascript Run command","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-23","description":"Detects a suspicious Javascript Run command","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/craiu/status/900314063560998912","rule":"JavaScript_Run_Suspicious","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"VT Research QA uploaded malware - file vqgk.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-29","description":"VT Research QA uploaded malware - file vqgk.dll","hash1":"99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-12-21","reference":"VT Research QA","rule":"Malware_QA_vqgk","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Merlin agent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Hilko Bengen","date":"2017-12-26","description":"Detects Merlin agent","filetype":"pe, elf, mach","reference":"https://github.com/Ne0nd0g/merlin","rule":"merlinAgent"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Metasploit Loader by RSMudge - file loader.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-20","description":"Detects a Metasploit Loader by RSMudge - file loader.exe","hash1":"afe34bfe2215b048915b1d55324f1679d598a0741123bc24274d4edc6e395a8d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/rsmudge/metasploit-loader","rule":"Metasploit_Loader_RSMudge"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf-psh.vba","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-psh.vba","hash1":"5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_psh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf-exe.vba","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-exe.vba","hash1":"321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf.psh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.psh","hash1":"335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf.aspx","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.aspx","hash1":"26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal 
Research","rule":"Msfpayloads_msf_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf-cmd.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-cmd.ps1","hash1":"9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_cmd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Metasploit Payloads - file msf-ref.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-ref.ps1","hash1":"4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_ref"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PowerShell with PE Reflective Injection","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Benjamin DELPY (gentilkiwi)","description":"PowerShell with PE Reflective Injection","rule":"power_pe_injection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects a log file generated by malicious hack tool mimikatz","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/31","description":"Detects a log file generated by malicious hack tool mimikatz","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mimikatz_Logfile","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Mimikittenz - file Invoke-mimikittenz.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-07-19","description":"Detects Mimikittenz - file Invoke-mimikittenz.ps1","hash1":"14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/putterpanda/mimikittenz","rule":"Invoke_mimikittenz","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Mimipenguin Password Extractor - Linux","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-01","description":"Detects Mimipenguin Password Extractor - Linux","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/huntergregal/mimipenguin","rule":"Mimipenguin_SH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Bella MacOS/OSX backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"John Lambert @JohnLaTwC","date":"2018-02-23","description":"Bella MacOS/OSX backdoor","hash":"4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be","reference":"https://twitter.com/JohnLaTwC/status/911998777182924801","rule":"OSX_backdoor_Bella"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs","hash1":"6a3ba991d3b5d127c4325bc194b3241dde5b3a5853b78b4df1bce7cbe87c0fdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedPowerCat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file 
p0wnedPotato.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs","hash1":"aff2b694a01b48ef96c82daf387b25845abbe01073b76316f1aab3142fdb235b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedPotato"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs","hash1":"54548e7848e742566f5596d8f02eca1fd2cbfeae88648b01efb7bab014b9301b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedExploits"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs","hash1":"fd7014625b58d00c6e54ad0e587c6dba5d50f8ca4b0f162d5af3357c2183c7a7","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedBinaries"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs","hash1":"345e8e6f38b2914f4533c4c16421d372d61564a4275537e674a2ac3360b19284","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedAmsiBypass"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedShell_outputs","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects characteristics of suspicious file names or double extensions often found in phishing mail 
attachments","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-29","description":"Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments","hash1":"caaa5c5733fca95804fffe70af82ee505a8ca2991e4cc05bc97a022e5f5b331c","hash2":"a746d8c41609a70ce10bc69d459f9abb42957cc9626f2e83810c1af412cb8729","reference":"https://twitter.com/0xtoxin/status/1540524891623014400?s=12\u0026t=IQ0OgChk8tAIdTHaPxh0Vg","rule":"SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Pirpi Backdoor - and other malware (generic rule)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects Pirpi Backdoor - and other malware (generic rule)","hash1":"2a5a0bc350e774bd784fc25090518626b65a3ce10c7401f44a1616ea2ae32f4c","hash2":"8caa179ec20b6e3938d17132980e0b9fe8ef753a70052f7e857b339427eb0f78","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"Pirpi_1609_A"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Pirpi Backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects Pirpi 
Backdoor","hash1":"498b98c02e19f4b03dc6a3a8b6ff8761ef2c0fedda846ced4b6f1c87b52468e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"Pirpi_1609_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects hack tool PowerShdll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-03","description":"Detects hack tool PowerShdll","hash1":"4d33bc7cfa79d7eefc5f7a99f1b052afdb84895a411d7c30045498fd4303898a","hash2":"f999db9cc3a0719c19f35f0e760f4ce3377b31b756d8cd91bb8270acecd7be7d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/p3nt4/PowerShdll","rule":"PowerShdll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects PowerShell ISESteroids obfuscation","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-23","description":"Detects PowerShell ISESteroids obfuscation","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/danielhbohannon/status/877953970437844993","rule":"PowerShell_ISESteroids_Obfuscation"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file 
Invoke-Shellcode.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-Shellcode.ps1","hash1":"24abe9f3f366a3d269f8681be80c99504dea51e50318d83ee42f9a4c7435999a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Shellcode","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file Invoke-Mimikatz.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-Mimikatz.ps1","hash1":"5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Mimikatz","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file Invoke-RelfectivePEInjection.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-RelfectivePEInjection.ps1","hash1":"510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_RelfectivePEInjection","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file Persistence.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Persistence.ps1","hash1":"e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Persistence","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1","hash1":"5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8","hash2":"510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection","score":"80","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files Inveigh-BruteForce.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Inveigh-BruteForce.ps1","hash1":"a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Inveigh_BruteForce_2","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files Persistence.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Persistence.ps1","hash1":"e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Persistence_2","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - from files Inveigh-BruteForce.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files 
Inveigh-BruteForce.ps1","hash3":"a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Inveigh_BruteForce_3","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Base64 encoded PS1 Shellcode","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Carr, David Ledbetter","date":"2018-11-14","description":"Detects Base64 encoded PS1 Shellcode","reference":"https://twitter.com/ItsReallyNick/status/1062601684566843392","rule":"Base64_PS1_Shellcode","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-27","description":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","hash1":"19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Invoke_OSiRis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Pupy backdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-11","description":"Detects Pupy 
backdoor","hash1":"ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153","hash2":"83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4","hash3":"90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc","hash4":"20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8","hash5":"06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e","hash6":"be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2","hash7":"8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/n1nj4sec/pupy-binaries","rule":"Pupy_Backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Adzok RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"Versions":"Free 1.0.0.3,","author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.05.2015","description":"Detects Adzok RAT","filetype":"jar","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Adzok","rule":"RAT_Adzok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Ap0calypse RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Ap0calypse RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Ap0calypse","rule":"RAT_Ap0calypse"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects BlackShades RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Brian Wallace (@botnet_hunter)","date":"01.04.2014","description":"Detects BlackShades RAT","family":"blackshades","reference":"http://blog.cylance.com/a-study-in-bots-blackshades-net","rule":"RAT_BlackShades"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BlueBanana RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects BlueBanana RAT","filetype":"Java","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/BlueBanana","rule":"RAT_BlueBanana"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Bozok RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Bozok RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Bozok","rule":"RAT_Bozok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ClientMesh RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve 
performance)","date":"01.06.2014","description":"Detects ClientMesh RAT","family":"torct","reference":"http://malwareconfig.com/stats/ClientMesh","rule":"RAT_ClientMesh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DarkComet RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects DarkComet RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/DarkComet","rule":"RAT_DarkComet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects DarkRAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects DarkRAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/DarkRAT","rule":"RAT_DarkRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects JavaDropper RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.10.2015","description":"Detects JavaDropper RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/JavaDropper","rule":"RAT_JavaDropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects LostDoor RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects LostDoor RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/LostDoor","rule":"RAT_LostDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Paradox RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Paradox RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Paradox","rule":"RAT_Paradox"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects QRAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen @KevTheHermit","date":"01.08.2015","description":"Detects QRAT","filetype":"jar","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com","rule":"RAT_QRat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ShadowTech RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects ShadowTech 
RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/ShadowTech","rule":"RAT_ShadowTech"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Sub7Nation RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.04.2014","description":"Detects Sub7Nation RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Sub7Nation","rule":"RAT_Sub7Nation"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Vertex RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Vertex RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Vertex","rule":"RAT_Vertex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Adwind RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Adwind RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/adWind","rule":"RAT_adWind"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects unrecom RAT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects unrecom RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/unrecom","rule":"RAT_unrecom"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Red Sails Hacktool - Python","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-10-02","description":"Detects Red Sails Hacktool - Python","hash1":"6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661","hash2":"5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/BeetleChunks/redsails","rule":"redSails_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects code which uses the python lib sectools","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2023-01-27","description":"Detects code which uses the python lib sectools","hash":"8cd205d5380278cff6673520439057e78fb8bf3d2b1c3c9be8463e949e5be4a1","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/p0dalirius/sectools","rule":"HKTL_Python_sectools","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects an executable that has been encoded with base64 twice","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-29","description":"Detects an executable that has been encoded with base64 twice","hash1":"1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9","reference":"https://twitter.com/TweeterCyber/status/1189073238803877889","rule":"SUSP_Double_Base64_Encoded_Executable"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-10","description":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","reference":"Internal Research","rule":"SUSP_PS1_JAB_Pattern_Jun22_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects a suspicious ","license":"Detection Rule License 
1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100","rule":"Suspicious_Script_Running_from_HTTP","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious command line with netsh and the portproxy command","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-20","description":"Detects a suspicious command line with netsh and the portproxy command","hash1":"9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09","reference":"https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy","rule":"SUSP_Netsh_PortProxy_Command","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects method to disable ETW in ENV vars before executing a program","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-06","description":"Detects method to disable ETW in ENV vars before executing a program","reference":"https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3","rule":"SUSP_Disable_ETW_Jun20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool that can be used for privilege escalation - file 
gp3finder_v4.0.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-02","description":"Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe","hash1":"7d34e214ef2ca33516875fb91a72d5798f89b9ea8964d3990f99863c79530c06","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/","rule":"Win_PrivEsc_gp3finder_v4_0","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool that can be used for privilege escalation - file folderperm.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-02","description":"Detects a tool that can be used for privilege escalation - file folderperm.ps1","hash1":"1aa87df34826b1081c40bb4b702750587b32d717ea6df3c29715eb7fc04db755","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.greyhathacker.net/?p=738","rule":"Win_PrivEsc_folderperm","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects simple Windows shell - file s3.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - file 
s3.exe","hash":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_s3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects simple Windows shell - file s1.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - file s1.exe","hash":"4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindosShell_s1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe","hash1":"a7c3d85eabac01e7a7ec914477ea9f17e3020b3b2f8584a46a98eb6a2a7611c5","hash2":"4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd","hash3":"df0693caae2e5914e63e9ee1a14c1e9506f13060faed67db5797c9e61f3907f0","hash4":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","hash5":"f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects simple Windows shell - from files s3.exe, s4.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - from files s3.exe, s4.exe","hash1":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","hash2":"f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file WMImplant.ps1","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-24","description":"Auto-generated rule - file WMImplant.ps1","hash1":"860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html","rule":"WMImplant"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Ysoserial Payloads - file 
Spring1.bin","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial Payloads - file Spring1.bin","hash1":"bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703","hash2":"9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a","hash3":"8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8","hash4":"5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c","hash5":"95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1","hash6":"1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187","hash7":"adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload_Spring1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Ysoserial Payloads","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial 
Payloads","hash1":"9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a","hash10":"0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8","hash11":"8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8","hash12":"bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703","hash13":"f756c88763d48cb8d99e26b4773eb03814d0bd9bd467cc743ebb1479b2c4073e","hash2":"adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7","hash3":"1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187","hash4":"5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c","hash5":"747ba6c6d88470e4d7c36107dfdff235f0ed492046c7ec8a8720d169f6d271f4","hash6":"f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929","hash7":"5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56","hash8":"95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1","hash9":"1fea8b54bb92249203d68d5564a01599b42b46fc3a828fe0423616ee2a2f2d99","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin","hash1":"f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929","hash2":"5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload_3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"NTML Hash Dump output file - John/LC format","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-10-01","description":"NTML Hash Dump output file - John/LC format","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"NTLM_Dump_Output","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects payload generated by exe2hex","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-15","description":"Detects payload generated by exe2hex","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/g0tmi1k/exe2hex","rule":"Payload_Exe2Hex","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects NatBypass tool (also used by APT41)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-12-27","description":"Detects NatBypass tool (also used by 
APT41)","hash1":"4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff","reference":"https://github.com/cw1997/NATBypass","rule":"HKTL_NATBypass_Dec22_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-12","description":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout","limit":"Logscan","modified":"2020-12-16","reference":"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs","rule":"LOG_TeamViewer_Connect_Chinese_Keyboard_Layout","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-12","description":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout","limit":"Logscan","modified":"2022-12-07","reference":"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs","rule":"LOG_TeamViewer_Connect_Russian_Keyboard_Layout","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects SALTWATER 
malware used in Barracuda ESG exploitations (CVE-2023-2868)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-07","description":"Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868)","hash1":"601f44cc102ae5a113c0b5fe5d18350db8a24d780c0ff289880cc45de28e2b80","reference":"https://www.barracuda.com/company/legal/esg-vulnerability","rule":"MAL_ELF_SALTWATER_Jun23_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BPFDoor malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-05-11","description":"Detects BPFDoor malware","hash1":"afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7","reference":"https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game","rule":"MAL_LNX_RedMenshen_BPFDoor_May23_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BPFDoor implants used by Chinese actor Red Menshen","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-05-08","description":"Detects BPFDoor implants used by Chinese actor Red 
Menshen","hash1":"144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3","hash2":"fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73","reference":"https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896","rule":"APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects BPFDoor/Tricephalic Hellkeeper passive implant","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Exatrack","date":"2022-05-09","description":"Detects BPFDoor/Tricephalic Hellkeeper passive implant","reference":"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf","rule":"APT_MAL_LNX_RedMenshen_BPFDoor_Tricephalic_Implant_May22","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects LockBit ransomware samples for Linux and macOS","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-15","description":"Detects LockBit ransomware samples for Linux and 
macOS","hash1":"0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e","hash2":"9ebcbaf3c9e2bbce6b2331238ab584f95f7ced326ca4aba2ddcc8aa8ee964f66","hash3":"a405d034c01a357a89c9988ffe8a46a165915df18fd297469b2bcaaf97578442","hash4":"c9cac06c9093e9026c169adc3650b018d29c8b209e3ec511bbe34cbe1638a0d8","hash5":"dc3d08480f5e18062a0643f9c4319e5c3f55a2e7e93cd8eddd5e0c02634df7cf","hash6":"e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096","hash7":"0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde","hash8":"3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79","reference":"https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20","rule":"MAL_RANSOM_LNX_macOS_LockBit_Apr23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects indicators found in LockBit ransomware log files","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects indicators found in LockBit ransomware log files","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_Locker_LOG_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects forensic artifacts found in LockBit intrusions","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects forensic artifacts found in LockBit 
intrusions","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-04","description":"Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh","hash1":"10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459","reference":"https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14","rule":"MAL_RANSOM_SH_ESXi_Attacks_Feb23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects ransomware exploiting and encrypting ESXi servers","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-04","description":"Detects ransomware exploiting and encrypting ESXi servers","hash1":"11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66","reference":"https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14","rule":"MAL_RANSOM_ELF_ESXi_Attacks_Feb23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Python backdoor found on ESXi 
servers","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-12-14","description":"Detects Python backdoor found on ESXi servers","reference":"https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers","rule":"APT_PY_ESXi_Backdoor_Dec22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Rule to detect the EquationLaser malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"copyright":"Kaspersky Lab","description":"Rule to detect the EquationLaser malware","last_modified":"2015-02-16","reference":"https://securelist.com/blog/","rule":"apt_equation_equationlaser_runtimeclasses","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems) @4nc4p","date":"2015/03/11","description":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","hash":"ff2b50f371eb26f22eb8a2118e9ab0e015081500","reference":"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/","rule":"EquationDrug_HDDSSD_Op"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"FiveEyes QUERTY Malware - file 
20123_cmdDef.xml","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20123_cmdDef.xml","hash":"7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20123_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"FiveEyes QUERTY Malware - file 20123.xml","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20123.xml","hash":"edc7228b2e27df9e7ff9286bddbf4e46adb51ed9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwareqwerty_20123"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"FiveEyes QUERTY Malware - file 20120_cmdDef.xml","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20120_cmdDef.xml","hash":"cda9ceaf0a39d6b8211ce96307302a53dfbd71ea","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20120_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"FiveEyes QUERTY Malware - file 20121_cmdDef.xml","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20121_cmdDef.xml","hash":"64ac06aa4e8d93ea6063eade7ce9687b1d035907","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20121_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Malware Sample - maybe Regin related","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Malware Sample - maybe Regin related","hash":"76c355bfeb859a347e38da89e3d30a6ff1f94229","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"Regin_Related_Malware","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Windows Credential Editor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Windows Credential 
Editor","rule":"WindowsCredentialEditor","score":"90","threat_level":"10"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Amplia Security Tool like Windows Credential Editor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2013-01-01","description":"Detects Amplia Security Tool like Windows Credential Editor","modified":"2023-02-14","nodeepdive":"1","rule":"HKTL_Amplia_Security_Tool","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PwDump 6 variant","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Marc Stroebel","date":"2014-04-24","description":"PwDump 6 variant","rule":"PwDump","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PScan - Port Scanner","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"F. 
Roth","description":"PScan - Port Scanner","rule":"PScan_Portscan_1","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Hacktool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Hacktool","rule":"HackTool_Samples","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This signature detects the Fierce2 domain scanner","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the Fierce2 domain scanner","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Fierce2","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This signature detects the Ncrack brute force tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the Ncrack brute force tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Ncrack","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"This signature detects the SQLMap SQL injection 
tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the SQLMap SQL injection tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"SQLMap","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file PortScanner.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file PortScanner.exe","hash":"b381b9212282c0c650cb4b0323436c63","rule":"PortScanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file NetBIOS Name Scanner.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file NetBIOS Name Scanner.exe","hash":"888ba1d391e14c0a9c829f5a1964ca2c","rule":"NetBIOS_Name_Scanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file ipscan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file 
ipscan.exe","hash":"6c1bcf0b1297689c8c4c12cc70996a75","rule":"FeliksPack3___Scanners_ipscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file IP Stealing Utilities.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file IP Stealing Utilities.exe","hash":"65646e10fb15a2940a37c5ab9f59c7fc","rule":"IP_Stealing_Utilities"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file PortRacer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file PortRacer.exe","hash":"2834a872a0a8da5b1be5db65dfdef388","rule":"PortRacer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file scanarator.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file scanarator.exe","hash":"848bd5a518e0b6c05bd29aceb8536c46","rule":"scanarator"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file =Bitchin 
Threads=.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file =Bitchin Threads=.exe","hash":"7491b138c1ee5a0d9d141fbfd1f0071b","rule":"_Bitchin_Threads_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file portscan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file portscan.exe","hash":"a8bfdb2a925e89a281956b1e3bb32348","rule":"portscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file ProPort.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ProPort.exe","hash":"c1937a86939d4d12d10fc44b7ab9ab27","rule":"ProPort_zip_Folder_ProPort"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file StealthWasp's Basic PortScanner 
v1.2.exe","hash":"7c0f2cab134534cd35964fe4c6a1ff00","rule":"StealthWasp_s_Basic_PortScanner_v1_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file BluesPortScan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file BluesPortScan.exe","hash":"6292f5fc737511f91af5e35643fc9eef","rule":"BluesPortScan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file iis.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file iis.exe","hash":"3a8fc02c62c8dd65e038cc03e5451b6e","rule":"scanarator_iis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file ipscan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ipscan.exe","hash":"70cf2c09776a29c3e837cb79d291514a","rule":"Angry_IP_Scanner_v2_08_ipscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule on file 
Loader.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file Loader.exe","hash":"f4f79358a6c600c1f0ba1f7e4879a16d","rule":"crack_Loader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects the backdoor Beastdoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Detects the backdoor Beastdoor","hash":"5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Beastdoor_Backdoor","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Powershell version of the Netcat network hacking tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"10.10.2014","description":"Detects a Powershell version of the Netcat network hacking tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Powershell_Netcat","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a chinese Portscanner named MilkT","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"12.10.2014","description":"Detects a chinese Portscanner named MilkT","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"CN_Hacktool_MilkT_Scanner","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Modified (packed) version of Windows Credential Editor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Modified (packed) version of Windows Credential Editor","hash":"09a412ac3c85cedce2642a19e99d8f903a2e0354","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WCE_Modified_1_1014","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"iKAT hack tools set agent - file ikat.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"05.11.14","description":"iKAT hack tools set agent - file ikat.exe","hash":"c802ee1e49c0eae2a3fc22d2e82589d857f96d94","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://ikat.ha.cked.net/Windows/functions/ikatfiles.html","rule":"iKAT_command_lines_agent","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Tool to hide unhide the windows startbar from command line - iKAT hack tools - file 
startbar.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"05.11.14","description":"Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe","hash":"0cac59b80b5427a8780168e1b85c540efffaf74f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://ikat.ha.cked.net/Windows/functions/ikatfiles.html","rule":"iKAT_startbar","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Auto-generated rule - file BypassUac2.zip","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator","description":"Auto-generated rule - file BypassUac2.zip","hash":"ef3e7dd2d1384ecec1a37254303959a43695df61","rule":"BypassUac2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"APT Malware - Proxy","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FRoth","date":"2014-11-10","description":"APT Malware - Proxy","hash":"6b6a86ceeab64a6cb273debfa82aec58","rule":"APT_Proxy_Malware_Packed_dev","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file nc.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"17.11.14","description":"Disclosed hacktool set - file nc.exe","hash":"001c0c01c96fa56216159f83f6f298755366e528","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Ncat_Hacktools_CN","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file cs.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file cs.exe","hash":"a3e9e0655447494253a1a60dbc763d9661181322","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"MS08_067_Exploit_Hacktools_CN","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file sql.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file sql.exe","hash":"d5139b865e99b7a276af7ae11b14096adb928245","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_sql","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file 445TOOL.rar","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed 
hacktool set - file 445TOOL.rar","hash":"92050ba43029f914696289598cf3b18e34457a11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Panda_445TOOL","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file s.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file s.exe","hash":"7665011742ce01f57e8dc0a85d35ec556035145d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_WinEggDrop","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file Burst.rar","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file Burst.rar","hash":"ce8e3d95f89fb887d284015ff2953dbdb1f16776","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Panda_Burst","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file GOGOGO.bat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file 
GOGOGO.bat","hash":"4bd4f5b070acf7fe70460d7eefb3623366074bbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_GOGOGO_Bat","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file pass.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file pass.txt","hash":"55a05cf93dbd274355d798534be471dff26803f9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_pass","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file JoHor_Posts_Killer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file JoHor_Posts_Killer.exe","hash":"d157f9a76f9d72dba020887d7b861a05f2e56b6a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_JoHor_Posts_Killer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file Start.bat - DoS tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014-11-17","description":"Disclosed hacktool set - 
file Start.bat - DoS tool","hash":"75d194d53ccc37a68286d246f2a84af6b070e30c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","rule":"Hacktools_CN_Burst_Start","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set - file Blast.bat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file Blast.bat","hash":"b07702a381fa2eaee40b96ae2443918209674051","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_Blast","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"22.11.14","description":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe","hash":"166fa8c5a0ebb216c832ab61bf8872da556576a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"VUBrute_VUBrute","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"22.11.14","description":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini","hash":"b9f66b9265d2370dab887604921167c11f7d93e9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/xiIphp","rule":"VUBrute_config","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file listip.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file listip.exe","hash":"f32a0c5bf787c10eb494eb3b83d0c7a035e7172b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_listip","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll","hash":"4867214a3d96095d14aa8575f0adbb81a9381e6c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ArtTrayHookDll","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file 
EditServer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditServer.exe","hash":"87b29c9121cac6ae780237f7e04ee3bc1a9777d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file letmein.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file letmein.exe","hash":"74d223a56f97b223a640e4139bb9b94d8faa895d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_letmein","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file token.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file token.exe","hash":"c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_token","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old 
stuff) - file webget.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file webget.exe","hash":"36b5a5dee093aa846f906bbecf872a4e66989e42","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_webget","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file ASPack Chinese.ini","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file ASPack Chinese.ini","hash":"02a9394bc2ec385876c4b4f61d72471ac8251a8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ASPack_Chinese","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt","hash":"dfa90540b0e58346f4b6ea12e30c1404e15fbe5a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditKeyLogReadMe","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file readme.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file readme.txt","hash":"a52545ae62ddb0ea52905cbb61d895a51bfe9bcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer_zip_Folder_readme","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file EditKeyLog.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditKeyLog.exe","hash":"a450c31f13c23426b24624f53873e4fc3777dc6b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditKeyLog","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file PassSniffer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file PassSniffer.exe","hash":"dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file InjectT.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InjectT.exe","hash":"80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"UnPack_rar_Folder_InjectT","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt","hash":"820674b59f32f2cf72df50ba4411d7132d863ad2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Jc_WinEggDrop_Shell","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file TBack.DLL","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file 
TBack.DLL","hash":"30fc9b00c093cec54fcbd753f96d0ca9e1b2660f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"UnPack_rar_Folder_TBack","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file Inject.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file Inject.exe","hash":"34f564301da528ce2b3e5907fd4b1acb7cb70728","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ByPassFireWall_zip_Folder_Inject","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file sqlcmd.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file sqlcmd.exe","hash":"b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_sqlcmd","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file 2323.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed 
hacktool set (old stuff) - file 2323.exe","hash":"21812186a9e92ee7ddc6e91e4ec42991f0143763","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_2323","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file CleanIISLog.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file CleanIISLog.exe","hash":"827cd898bfe8aa7e9aaefbe949d26298f9e24094","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"CleanIISLog","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file sqlcheck.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file sqlcheck.exe","hash":"5a5778ac200078b627db84fdc35bf5bcee232dc7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sqlcheck","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file RunAsEx.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file RunAsEx.exe","hash":"a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_RunAsEx","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file splitjoin.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file splitjoin.exe","hash":"21409117b536664a913dcd159d6f4d8758f43435","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"SplitJoin_V1_3_3_rar_Folder_3","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file InstGina.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InstGina.exe","hash":"5317fbc39508708534246ef4241e78da41a4f31c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"InstGina","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file 
findoor.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file findoor.exe","hash":"cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_findoor","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file InjectT.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InjectT.exe","hash":"516e80e4a25660954de8c12313e2d7642bdb79dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WinEggDropShellFinal_zip_Folder_InjectT","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file gina.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file gina.dll","hash":"e0429e1b59989cbab6646ba905ac312710f5ed30","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"gina_zip_Folder_gina","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file xsniff.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file xsniff.exe","hash":"d61d7329ac74f66245a92c4505a327c85875c577","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_xsniff","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - file fscan.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file fscan.exe","hash":"d5646e86b5257f9c83ea23eca3d86de336224e55","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_fscan","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe","hash0":"9d4e7611a328eb430a8bb6dc7832440713926f5f","hash1":"ae23522a3529d3313dd883727c341331a1fb1ab9","hash2":"7ffc496cd4a1017485dfb571329523a52c9032d8","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"_FsHttp_FsPop_FsSniffer","score":"60","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/12/22","description":"Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe","hash1":"b130611c92788337c4f6bb9e9454ff06eb409166","hash2":"07539abb2623fe24b9a05e240f675fa2d15268cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/gkAg2E","rule":"Ammyy_Admin_AA_v3","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Linux hack tools - file scanssh","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file scanssh","hash":"467398a6994e2c1a66a3d39859cde41f090623ad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_scanssh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Linux hack tools - file pscan2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2015/01/19","description":"Linux hack tools - file pscan2","hash":"56b476cba702a4423a2d805a412cae8ef4330905","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_pscan2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Linux hack tools - file a","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file a","hash":"458ada1e37b90569b0b36afebba5ade337ea8695","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_a"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Linux hack tools - file mass","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file mass","hash":"2054cb427daaca9e267b252307dad03830475f15","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_mass"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll","hash0":"af419603ac28257134e39683419966ab3d600ed2","hash1":"c5cb4f75cf241f5a9aea324783193433a42a13b0","hash2":"135f6a28e958c8f6a275d8677cfa7cb502c8a822","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset__XScanLib_XScanLib_XScanLib","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe","hash":"a931d65de66e1468fe2362f7f2e0ee546f225c4e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset_NTscan_PipeCmd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe","hash":"8542c7fb8291b02db54d2dc58cd608e612bfdc57","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset_sig_1433_135_sqlr","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-10-01","description":"Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"VSSown_VBS","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Network domain enumeration tool - often used by attackers - file Nv.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Network domain enumeration tool - often used by attackers - file Nv.exe","hash":"52cec98839c3b7d9608c865cfebc904b4feae0bada058c2e8cdbd561cfa1420a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mubix/netview","rule":"Netview_Hacktool","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Network domain enumeration tool output - often used by attackers - file 
filename.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Network domain enumeration tool output - often used by attackers - file filename.txt","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mubix/netview","rule":"Netview_Hacktool_Output","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Linux Port Scanner Shark","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-01","description":"Detects Linux Port Scanner Shark","hash1":"5f80bd2db608a47e26290f3385eeb5bfc939d63ba643f06c4156704614def986","hash2":"90af44cbb1c8a637feda1889d301d82fff7a93b0c1a09534909458a64d8d8558","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35","rule":"Linux_Portscan_Shark_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects dnscat2 - from files dnscat, dnscat2.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-15","description":"Detects dnscat2 - from files dnscat, dnscat2.exe","hash1":"8bc8d6c735937c9c040cbbdcfc15f17720a7ecef202a19a7bf43e9e1c66fe66a","hash2":"4a882f013419695c8c0ac41d8a0fde1cf48172a89e342c504138bc6f1d13c7c8","license":"Detection 
Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://downloads.skullsecurity.org/dnscat2/","rule":"dnscat2_Hacktool","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Windows Credential Editor (WCE) in memory (and also on disk)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-28","description":"Detects Windows Credential Editor (WCE) in memory (and also on disk)","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"WCE_in_memory","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups - file pstgdump.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file pstgdump.exe","hash1":"65d48a2f868ff5757c10ed796e03621961954c523c71eac1c5e044862893a106","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"pstgdump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a 
tool used by APT groups","hash1":"efa66f6391ec471ca52cd053159c8a8778f11f921da14e6daf76387f8c9afcd5","hash2":"e0327c1218fd3723e20acc780e20135f41abca35c35e0f97f7eccac265f4f44e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"lsremora"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups - file fgexec.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file fgexec.exe","hash1":"8697897bee415f213ce7bc24f22c14002d660b8aaffab807490ddbf4f3f20249","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"fgexec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe","hash1":"cf58ca5bf8c4f87bb67e6a4e1fb9e8bada50157dacbd08a92a4a779e40d569c4","hash2":"e38edac8c838a043d0d9d28c71a96fe8f7b7f61c5edf69f1ce0c13e141be281f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"cachedump","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects a tool used by APT groups - file PwDump.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file PwDump.exe","hash1":"3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"PwDump_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects an XML that executes Mimikatz on an endpoint via MSBuild","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-07","description":"Detects an XML that executes Mimikatz on an endpoint via MSBuild","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml","rule":"MSBuild_Mimikatz_Execution_via_XML"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects POC code from disclosed 0day hacktool set","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-07","description":"Detects POC code from disclosed 0day hacktool set","hash1":"ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed 0day Repos","rule":"Disclosed_0day_POCs_injector"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a process injection utility that can be used ofr good and bad purposes","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-23","description":"Detects a process injection utility that can be used ofr good and bad purposes","hash1":"456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c","rule":"ProcessInjector_Gen","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Lazagne PW Dumper","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Markus Neis / Florian Roth","date":"2018-03-22","description":"Detects Lazagne PW Dumper","reference":"https://github.com/AlessandroZ/LaZagne/releases/","rule":"Lazagne_PW_Dumper","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects susupicious bash command","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Tobias Michalski","date":"2018-05-18","description":"Detects susupicious bash 
command","hash1":"36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b","reference":"https://github.com/0x00-0x00/ShellPop","rule":"SUSP_shellpop_Bash"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects Lazagne password extractor hacktool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-11","description":"Detects Lazagne password extractor hacktool","hash1":"51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf","license":"https://creativecommons.org/licenses/by-nc/4.0/","reference":"https://github.com/AlessandroZ/LaZagne","rule":"HKTL_Lazagne_Gen_18","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects NoPowerShell hack tool","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-28","description":"Detects NoPowerShell hack tool","hash1":"2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70","modified":"2022-12-21","reference":"https://github.com/bitsadmin/nopowershell","rule":"HKTL_NoPowerShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file iMHaPFtp.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file iMHaPFtp.php","hash":"12911b73bc6a5d313b494102abcf5c57","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_iMHaPFtp_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file guo.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file guo.php","hash":"9e69a8f499c660ee0b4796af14dc08f0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_guo","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file redcod.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file redcod.php","hash":"5c1c8120d82f46ff9d813fbe3354bac5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_redcod","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file server.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file server.php","hash":"d87b019e74064aa90e2bb143e5e16cfa","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_sh_server","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file cihshell_fix.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cihshell_fix.php","hash":"3823ac218032549b86ee7c26f10c4cb5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_cihshell_fix","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file up.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.php","hash":"7edefb8bd0876c41906f4b39b52cd0ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file EFSO_2.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file EFSO_2.asp","hash":"a341270f9ebd01320a7490c12cb2e64c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_EFSO_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file up.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.jsp","hash":"515a5dd86fe48f673b72422cccf5a585","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file Server Variables.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Server Variables.asp","hash":"47fb8a647e441488b30f92b4d39003d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Server_Variables","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file ice.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file ice.php","hash":"1d6335247f58e0a5b03e17977888f5f2","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_ice_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file phpspy2010.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file phpspy2010.php","hash":"14ae0e4f5349924a5047fed9f3b105c5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpspy2010","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file ice.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file ice.asp","hash":"d141e011a92f48da72728c35f1934a2b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_ice","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file 404.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.asp","hash":"d9fa1e8513dbf59fa5d130f389032a2d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file webshell-cnseay02-1.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file webshell-cnseay02-1.php","hash":"95fc76081a42c4f26912826cb1bd24b1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshell_cnseay02_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file fbi.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file fbi.php","hash":"1fb32f8e58c8deb168c06297a04a21f1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_fbi","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file B374k.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file B374k.php","hash":"bed7388976f8f1d90422e8795dff1ea6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_B374kPHP_B374k","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file list.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file list.php","hash":"922b128ddd90e1dc2f73088956c548ed","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_list","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file 404.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.php","hash":"ee94952dc53d9a29bdf4ece54c7a7aa7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file aspydrv.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file aspydrv.asp","hash":"de0a58f7d1e200d0b2c801a94ebce330","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_ASP_aspydrv","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file Dx.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Dx.php","hash":"9cfe372d49fe8bf2fac8e1c534153d9b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Dx_Dx","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file MySQL Web Interface Version 0.8.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file MySQL Web Interface Version 0.8.php","hash":"36d4f34d0a22080f47bb1cb94107c60f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_MySQL_Web_Interface_Version_0_8","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file odd.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file odd.php","hash":"594d1b1311bbef38a0eb3d6cbb1ab538","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpkit_1_0_odd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file idc.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file idc.php","hash":"7c5b1b30196c51f1accbffb80296395f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_wsb_idc","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file 404.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.php","hash":"ced050df5ca42064056a7ad610a191b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file webshell-cnseay-x.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file webshell-cnseay-x.php","hash":"a0f9f7f5cd405a514a7f3be329f380e5","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshell_cnseay_x","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file up.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.asp","hash":"f775e721cfe85019fe41c34f47c0d67c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file odd.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file odd.php","hash":"3c30399e7480c09276f412271f60ed01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpkit_0_1a_odd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file k81.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file k81.jsp","hash":"41efc5c71b6885add9c1d516371bd6af","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_k81","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file cmdjsp.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cmdjsp.jsp","hash":"b815611cc39f17f05a73444d699341d4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_cmdjsp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file Java Shell.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Java Shell.jsp","hash":"36403bc776eb12e8b7cc0eb47c8aac83","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Java_Shell","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file r57142.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file r57142.php","hash":"0911b6e6b8f4bcb05599b2885a7fe8a8","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_r57142","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file simple-backdoor.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file simple-backdoor.php","hash":"f091d1b9274c881f8e41b2f96e6b9936","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_simple_backdoor","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file cmd.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cmd.php","hash":"c38ae5ba61fd84f6bbbab98d89d8a346","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_cmd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file co.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file co.php","hash":"62199f5ac721a0cb9b28f465a513874c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_co","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file 150.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 150.php","hash":"400c4b0bed5c90f048398e1d268ce4dc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_150","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file c37.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file c37.php","hash":"d01144c04e7a46870a8dd823eb2fe5c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_c37","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file b37.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file b37.php","hash":"0421445303cfd0ec6bc20b3846e30ff0","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_b37","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - file bug (1).php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file bug (1).php","hash":"91c5fae02ab16d51fc5af9354ac2f015","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_bug_1_","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files ghost_source.php, icesword.php, silic.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files ghost_source.php, icesword.php, silic.php","hash0":"cbf64a56306c1b5d98898468fc1fdbd8","hash1":"6e20b41c040efb453d57780025a292ae","hash2":"437d30c94f8eef92dc2f064de4998695","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_ghost_source_icesword_silic","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web 
Shell","hash0":"37603e44ee6dc1c359feb68a0d566f76","hash1":"a7e25b8ac605753ed0c438db93f6c498","hash10":"e9a5280f77537e23da2545306f6a19ad","hash11":"598eef7544935cf2139d1eada4375bb5","hash12":"fa87bbd7201021c1aefee6fcc5b8e25a","hash2":"fb8c6c3a69b93e5e7193036fd31a958d","hash3":"36331f2c81bad763528d0ae00edf55be","hash4":"793b3d0a740dbf355df3e6f68b8217a4","hash5":"8979594423b68489024447474d113894","hash6":"ec482fc969d182e5440521c913bab9bd","hash7":"f98d2b33cd777e160d1489afed96de39","hash8":"4b4c12b3002fad88ca6346a873855209","hash9":"4cc68fa572e88b669bce606c7ace0ae9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"1b5102bdc41a7bc439eea8f0010310a5","hash1":"f8a6d5306fb37414c5c772315a27832f","hash2":"37cb1db26b1b0161a4bf678a6b4565bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files jsp-reverse.jsp, 
jsp-reverse.jsp, jspbd.jsp","hash0":"8b0e6779f25a17f0ffb3df14122ba594","hash1":"ea87f0c1f0535610becadf5a98aca2fc","hash2":"7d5e9732766cf5b8edca9b7ae2b6028f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_reverse_jsp_reverse_jspbd","score":"50","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"a2516ac6ee41a7cf931cbaef1134a9e4","hash1":"ef43fef943e9df90ddb6257950b3538f","hash10":"6fcc283470465eed4870bcc3e2d7f14d","hash2":"ae025c886fbe7f9ed159f49593674832","hash3":"911195a9b7c010f61b66439d9048f400","hash4":"697dae78c040150daff7db751fc0c03c","hash5":"513b7be8bd0595c377283a7c87b44b2e","hash6":"1d912c55b96e2efe8ca873d6040e3b30","hash7":"e5b2131dd1db0dbdb43b53c5ce99016a","hash8":"4108f28a9792b50d95f95b9e5314fa1e","hash9":"41af6fd253648885c7ad2ed524e0692d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, 
jHn.php","hash0":"8ae9d2b50dc382f0571cd7492f079836","hash1":"e2830d3286001d1455479849aacbbb38","hash2":"bd6d3b2763c705a01cc2b3f105a25fa4","hash3":"40c6ecf77253e805ace85f119fe1cebb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_itsec_PHPJackal_itsecteam_shell_jHn","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"0b19e9de790cd2f4325f8c24b22af540","hash1":"f3ca29b7999643507081caab926e2e74","hash2":"527cf81f9272919bf872007e21c4bdda","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"3e4ba470d4c38765e4b16ed930facf2c","hash1":"aa17b71bb93c6789911bd1c9df834ff9","hash2":"b68bfafc6059fd26732fa07fb6f7f640","hash3":"40a1f840111996ff7200d18968e42cfe","hash4":"e0202adff532b28ef1ba206cf95962f2","hash5":"802f5cae46d394b297482fd0c27cb2fc","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp","hash0":"2eeb8bf151221373ee3fd89d58ed4d38","hash1":"059058a27a7b0059e2c2f007ad4675ef","hash2":"8b457934da3821ba58b06a113e0d53d9","hash3":"d44df8b1543b837e57cc8f25a0a68d92","hash4":"e0354099bee243702eb11df8d0e046df","hash5":"90a5ba0c94199269ba33a58bc6a4ad99","hash6":"655722eaa6c646437c8ae93daac46ae0","hash7":"591ca89a25f06cf01e4345f98a22845c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, 
antichat.php","hash0":"ae025c886fbe7f9ed159f49593674832","hash1":"513b7be8bd0595c377283a7c87b44b2e","hash2":"1d912c55b96e2efe8ca873d6040e3b30","hash3":"4108f28a9792b50d95f95b9e5314fa1e","hash4":"3f71175985848ee46cc13282fbed2269","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"2eeb8bf151221373ee3fd89d58ed4d38","hash1":"059058a27a7b0059e2c2f007ad4675ef","hash10":"341298482cf90febebb8616426080d1d","hash11":"29aebe333d6332f0ebc2258def94d57e","hash12":"42654af68e5d4ea217e6ece5389eb302","hash13":"88fc87e7c58249a398efd5ceae636073","hash14":"4a812678308475c64132a9b56254edbc","hash15":"9626eef1a8b9b8d773a3b2af09306a10","hash16":"e0354099bee243702eb11df8d0e046df","hash17":"344f9073576a066142b2023629539ebd","hash18":"32dea47d9c13f9000c4c807561341bee","hash19":"90a5ba0c94199269ba33a58bc6a4ad99","hash2":"ae76c77fb7a234380cd0ebb6fe1bcddf","hash20":"655722eaa6c646437c8ae93daac46ae0","hash21":"b9744f6876919c46a29ea05b1d95b1c3","hash22":"6acc82544be056580c3a1caaa4999956","hash23":"6aa32a6392840e161a018f3907a86968","hash24":"591ca89a25f06cf01e4345f98a22845c","hash25":"349ec229e3f8eda0f9eb918c74a8bf4c","hash26":"3ea688e3439a1f56b16694667938316d","hash27":"ab77e4d1006259d7cbc15884416ca88c","hash28":"71097537a91fac6b01f46f66ee2d7749","hash29":"2434a7a07cb47ce25b41d30bc291cacc","hash3":"76037ebd781ad0eac363d56fc81f4b4f","hash30":"7a4b090619ecce6f7bd838fe5c58554b","hash4":"8b457934da3821ba58b06a113e0d53d9","hash5":"d44df8b1543b837e57cc8f25a0a68d92"
,"hash6":"fc44f6b4387a2cb50e1a63c66a8cb81c","hash7":"14e9688c86b454ed48171a9d4f48ace8","hash8":"b330a6c2d49124ef0729539761d6ef0b","hash9":"d71716df5042880ef84427acee8b121e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_000_403_807_a_c5_config_css_dm_he1p_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php","hash0":"b68bfafc6059fd26732fa07fb6f7f640","hash1":"42f211cec8032eb0881e87ebdb3d7224","hash2":"40a1f840111996ff7200d18968e42cfe","hash3":"0712e3dc262b4e1f98ed25760b206836","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web 
Shell","hash0":"38fd7e45f9c11a37463c3ded1c76af4c","hash1":"9c34adbc8fd8d908cbb341734830f971","hash10":"b8f261a3cdf23398d573aaf55eaf63b5","hash11":"0d2c2c151ed839e6bafc7aa9c69be715","hash12":"41af6fd253648885c7ad2ed524e0692d","hash13":"6fcc283470465eed4870bcc3e2d7f14d","hash2":"ef43fef943e9df90ddb6257950b3538f","hash3":"ae025c886fbe7f9ed159f49593674832","hash4":"911195a9b7c010f61b66439d9048f400","hash5":"697dae78c040150daff7db751fc0c03c","hash6":"513b7be8bd0595c377283a7c87b44b2e","hash7":"1d912c55b96e2efe8ca873d6040e3b30","hash8":"e5b2131dd1db0dbdb43b53c5ce99016a","hash9":"4108f28a9792b50d95f95b9e5314fa1e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_c99_locus7s_c99_w4cking_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web Shell - from files r57shell127.php, r57_kartal.php, r57.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files r57shell127.php, r57_kartal.php, r57.php","hash0":"ae025c886fbe7f9ed159f49593674832","hash1":"1d912c55b96e2efe8ca873d6040e3b30","hash2":"4108f28a9792b50d95f95b9e5314fa1e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_r57shell127_r57_kartal_r57","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file con2.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file con2.asp","hash":"d3584159ab299d546bd77c9654932ae3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_con2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file Expdoor.com ASP.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file Expdoor.com ASP.asp","hash":"caef01bb8906d909f24d1fa109ea18a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Expdoor_com_ASP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file php2.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php2.php","hash":"fbf2e76e6f897f6f42b896c855069276","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file bypass-iisuser-p.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file bypass-iisuser-p.asp","hash":"924d294400a64fa888a79316fb3ccd90","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_bypass_iisuser_p","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file 404super.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file 404super.php","hash":"7ed63176226f83d36dce47ce82507b28","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_sig_404super","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file JSP.jsp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file JSP.jsp","hash":"495f1a0a4c82f986f4bdf51ae1898ee7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_JSP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file webshell-123.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014-03-28","description":"Web shells - generated from file webshell-123.php","hash":"2782bb170acaed3829ea9a04f0ac7218","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","rule":"webshell_webshell_123","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file dev_core.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file dev_core.php","hash":"55ad9309b006884f660c41e53150fc2e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_dev_core","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file pHp.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file pHp.php","hash":"b0e842bdf83396c3ef8c71ff94e64167","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_pHp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file pppp.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file pppp.php","hash":"cf01cb6e09ee594545693c5d327bdd50","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_pppp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file code.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file code.php","hash":"a444014c134ff24c0be5a05c02b81a79","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_code","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file xxxx.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file xxxx.php","hash":"5bcba70b2137375225d8eedcde2c0ebb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_xxxx","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file PHP1.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file PHP1.php","hash":"14c7281fdaf2ae004ca5fec8753ce3cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_PHP1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file asp1.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file asp1.asp","hash":"b63e708cd58ae1ec85cf784060b69cad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_asp1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file php6.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php6.php","hash":"ea75280224a735f1e445d244acdfeb7b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php6","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file GetPostpHp.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file GetPostpHp.php","hash":"20ede5b8182d952728d594e6f2bb5c76","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_GetPostpHp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file php5.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php5.php","hash":"cf2ab009cbd2576a806bfefb74906fdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php5","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file PHP.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file PHP.php","hash":"a524e7ae8d71e37d2fd3e5fbdab405ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_PHP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Web shells - generated from file Asp.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file Asp.asp","hash":"32c87744ea404d0ea0debd55915010b7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_Asp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file perlbot.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file perlbot.pl.txt","hash":"7e4deb9884ffffa5d82c22f8dc533a45","rule":"perlbot_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file php-backdoor.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file php-backdoor.php.txt","hash":"2b5cb105c4ea9b5ebc64705b4bd86bf7","rule":"php_backdoor_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass 
Exploit.php.txt","hash":"c6eeacbe779518ea78b8f7ed5f63fc11","rule":"Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file shankar.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shankar.php.php.txt","hash":"6eb9db6a3974e511b7951b8f7e7136bb","rule":"shankar_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Casus15.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Casus15.php.php.txt","hash":"5e2ede2d1c4fa1fcc3cbfe0c005d7b13","rule":"Casus15_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file small.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file small.php.php.txt","hash":"fcee6226d09d150bfa5f103bee61fbde","rule":"small_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
shellbot.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shellbot.pl.txt","hash":"b2a883bc3c03a35cfd020dd2ace4bab8","rule":"shellbot_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file fuckphpshell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file fuckphpshell.php.txt","hash":"554e50c1265bb0934fcc8247ec3b9052","rule":"fuckphpshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file ngh.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ngh.php.php.txt","hash":"c372b725419cdfd3f8a6371cfeebc2fd","rule":"ngh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file jsp-reverse.jsp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
jsp-reverse.jsp.txt","hash":"8b0e6779f25a17f0ffb3df14122ba594","rule":"jsp_reverse_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Tool.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Tool.asp.txt","hash":"8febea6ca6051ae5e2ad4c78f4b9c1f2","rule":"Tool_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file NT Addy.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file NT Addy.asp.txt","hash":"2e0d1bae844c9a8e6e351297d77a1fec","rule":"NT_Addy_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt","hash":"089ff24d978aeff2b4b2869f0c7d38a3","rule":"SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
phvayvv.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phvayvv.php.php.txt","hash":"35fb37f3c806718545d97c6559abd262","rule":"phvayvv_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file r57shell.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file r57shell.php.php.txt","hash":"d28445de424594a5f14d0fe2a7c4e94f","rule":"r57shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file rst_sql.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file rst_sql.php.php.txt","hash":"0961641a4ab2b8cb4d2beca593a92010","rule":"rst_sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file wh_bindshell.py.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
wh_bindshell.py.txt","hash":"fab20902862736e24aaae275af5e049c","rule":"wh_bindshell_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt","hash":"5ea4f901ce1abdf20870c214b3231db3","rule":"lurm_safemod_on_cgi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt","hash":"d27292895da9afa5b60b9d3014f39294","rule":"c99madshell_v2_0_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file w3d.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file w3d.php.php.txt","hash":"987f66b29bfb209a0b4f097f84f57c3b","rule":"w3d_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file WinX 
Shell.html.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file WinX Shell.html.txt","hash":"17ab5086aef89d4951fe9b7c7a561dda","rule":"WinX_Shell_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Dx.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Dx.php.php.txt","hash":"9cfe372d49fe8bf2fac8e1c534153d9b","rule":"Dx_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file csh.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file csh.php.php.txt","hash":"194a9d3f3eac8bc56d9a7c55c016af96","rule":"csh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file pHpINJ.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
pHpINJ.php.php.txt","hash":"d7a4b0df45d34888d5a09f745e85733f","rule":"pHpINJ_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 2008.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 2008.php.php.txt","hash":"3e4ba470d4c38765e4b16ed930facf2c","rule":"sig_2008_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file ak74shell.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ak74shell.php.php.txt","hash":"7f83adcb4c1111653d30c6427a94f66f","rule":"ak74shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Rem View.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Rem View.php.php.txt","hash":"29420106d9a81553ef0d1ca72b9934d9","rule":"Rem_View_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Java 
Shell.js.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Java Shell.js.txt","hash":"36403bc776eb12e8b7cc0eb47c8aac83","rule":"Java_Shell_js"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file STNC.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file STNC.php.php.txt","hash":"2e56cfd5b5014cbbf1c1e3f082531815","rule":"STNC_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt","hash":"26b2d3943395682e36da06ed493a3715","rule":"aZRaiLPhp_v1_0_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file zacosmall.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
zacosmall.php.txt","hash":"5295ee8dc2f5fd416be442548d68f7a6","rule":"zacosmall_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file CmdAsp.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file CmdAsp.asp.txt","hash":"64f24f09ec6efaa904e2492dffc518b9","rule":"CmdAsp_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file simple-backdoor.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file simple-backdoor.php.txt","hash":"f091d1b9274c881f8e41b2f96e6b9936","rule":"simple_backdoor_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file mysql_shell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file mysql_shell.php.txt","hash":"d42aec2891214cace99b3eb9f3e21a63","rule":"mysql_shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking 
Team.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt","hash":"1b5102bdc41a7bc439eea8f0010310a5","rule":"Dive_Shell_1_0___Emperor_Hacking_Team_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt","hash":"0978b672db0657103c79505df69cb4bb","rule":"Asmodeus_v0_1_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Reader.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Reader.asp.txt","hash":"ad1a362e0a24c4475335e3e891a01731","rule":"Reader_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file phpshell17.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
phpshell17.php.txt","hash":"9a928d741d12ea08a624ee9ed5a8c39d","rule":"phpshell17_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt","hash":"37cb1db26b1b0161a4bf678a6b4565bd","rule":"SimShell_1_0___Simorgh_Security_MGZ_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file jspshall.jsp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file jspshall.jsp.txt","hash":"efe0f6edaa512c4e1fdca4eeda77b7ee","rule":"jspshall_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file rootshell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file rootshell.php.txt","hash":"265f3319075536030e59ba2f9ef3eac6","rule":"rootshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
connectback2.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file connectback2.pl.txt","hash":"473b7d226ea6ebaacc24504bd740822e","rule":"connectback2_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file wso.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file wso.txt","hash":"33e2891c13b78328da9062fbfcf898b6","rule":"shells_PHP_wso"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file backdoor1.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file backdoor1.php.txt","hash":"e1adda1f866367f52de001257b4d6c98","rule":"backdoor1_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file elmaliseker.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
elmaliseker.asp.txt","hash":"b32d1730d23a660fd6aa8e60c3dc549f","rule":"elmaliseker_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt","hash":"c2e8346a5515c81797af36e7e4a3828e","rule":"s72_Shell_v1_1_Coding_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file kacak.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file kacak.asp.txt","hash":"907d95d46785db21331a0324972dda8c","rule":"kacak_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt","hash":"57fcd9560dac244aeaf95fd606621900","rule":"PHP_Backdoor_Connect_pl_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Antichat Socks5 
Server.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt","hash":"cbe9eafbc4d86842a61a54d98e5b61f1","rule":"Antichat_Socks5_Server_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt","hash":"40d0abceba125868be7f3f990f031521","rule":"Antichat_Shell_v1_3_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt","hash":"49ad9117c96419c35987aaa7e2230f63","rule":"Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file cyberlords_sql.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + 
customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cyberlords_sql.php.php.txt","hash":"03b06b4183cb9947ccda2c3d636406d4","rule":"cyberlords_sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt","hash":"8a8c8bb153bd1ee097559041f2e5cf0a","rule":"Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file EFSO_2.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file EFSO_2.asp.txt","hash":"b5fde9682fd63415ae211d53c6bfaa4d","rule":"EFSO_2_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file lamashell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file lamashell.php.txt","hash":"de9abc2e38420cad729648e93dfc6687","rule":"lamashell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt","hash":"93d1a2e13a3368a2472043bd6331afe9","rule":"Ajax_PHP_Command_Shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt","hash":"70a0ee2624e5bbe5525ccadc467519f6","rule":"JspWebshell_1_2_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Sincap.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Sincap.php.php.txt","hash":"b68b90ff6012a103e57d141ed38a7ee9","rule":"Sincap_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Phyton Shell.py.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file Phyton Shell.py.txt","hash":"92b3c897090867c65cc169ab037a0f55","rule":"Phyton_Shell_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file sh.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file sh.php.php.txt","hash":"330af9337ae51d0bac175ba7076d6299","rule":"sh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file phpjackal.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phpjackal.php.txt","hash":"ab230817bcc99acb9bdc0ec6d264d76f","rule":"phpjackal_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file sql.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file sql.php.php.txt","hash":"8334249cbb969f2d33d678fec2b680c5","rule":"sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
cgi-python.py.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cgi-python.py.txt","hash":"0a15f473e2232b89dae1075e1afdac97","rule":"cgi_python_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file ru24_post_sh.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ru24_post_sh.php.php.txt","hash":"5b334d494564393f419af745dc1eeec7","rule":"ru24_post_sh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file telnetd.pl.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file telnetd.pl.txt","hash":"5f61136afd17eb025109304bd8d6d414","rule":"telnetd_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file php-include-w-shell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
php-include-w-shell.php.txt","hash":"4e913f159e33867be729631a7ca46850","rule":"php_include_w_shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","hash":"6163b30600f1e80d2bb5afaa753490b6","rule":"Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file shell.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shell.php.php.txt","hash":"1a95f0163b6dea771da1694de13a3d8d","rule":"shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file telnet.cgi.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file telnet.cgi.txt","hash":"dee697481383052980c20c48de1598d1","rule":"telnet_cgi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file 
ironshell.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ironshell.php.txt","hash":"8bfa2eeb8a3ff6afc619258e39fded56","rule":"ironshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file backdoorfr.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file backdoorfr.php.txt","hash":"91e4afc7444ed258640e85bcaf0fecfc","rule":"backdoorfr_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file aspydrv.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file aspydrv.asp.txt","hash":"1c01f8a88baee39aa1cebec644bbcb99","rule":"aspydrv_asp","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file cmdjsp.jsp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
cmdjsp.jsp.txt","hash":"b815611cc39f17f05a73444d699341d4","rule":"cmdjsp_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","hash":"06ed0b2398f8096f1bebf092d0526137","rule":"h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file Ajan.asp.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ajan.asp.txt","hash":"b6f468252407efc2318639da22b08af0","rule":"Ajan_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file PHANTASMA.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file PHANTASMA.php.txt","hash":"52779a27fa377ae404761a7ce76a5da7","rule":"PHANTASMA_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - file MySQL Web Interface Version 
0.8.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt","hash":"36d4f34d0a22080f47bb1cb94107c60f","rule":"MySQL_Web_Interface_Version_0_8_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt","hash0":"ddaf9f1986d17284de83a17fe5f9fd94","hash1":"17a07bb84e137b8aa60f87cd6bfab748","hash2":"4745d510fed4378e4b1730f56f25e569","rule":"_nst_php_php_img_php_php_nstview_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, 
nfm.php.php.txt","hash0":"acdbba993a5a4186fd864c5e4ea0ba4f","hash1":"2601b6fc1579f263d2f3960ce775df70","hash2":"401fbae5f10283051c39e640b77e4c26","rule":"_network_php_php_xinfo_php_php_nfm_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"eddf7a8fde1e50a7f2a817ef7cece24f","hash3":"8023394542cddf8aee5dec6072ed02b5","hash4":"eed14de3907c9aa2550d95550d1a2d5f","hash5":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"9c5bb5e3a46ec28039e8986324e42792","hash2":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_wacking_php_php_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA 
Shell.php.txt, r57.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"eddf7a8fde1e50a7f2a817ef7cece24f","rule":"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt","hash0":"9c5bb5e3a46ec28039e8986324e42792","hash1":"44542e5c3e9790815c49d5f9beffbbf2","hash2":"09609851caa129e40b0d56e90dfc476c","hash3":"38fd7e45f9c11a37463c3ded1c76af4c","rule":"_wacking_php_php_1_SpecialShell_99_php_php_c100_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 
Shell.php.php.txt, spy.php.php.txt, s.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"eddf7a8fde1e50a7f2a817ef7cece24f","hash2":"8023394542cddf8aee5dec6072ed02b5","hash3":"eed14de3907c9aa2550d95550d1a2d5f","hash4":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files multiple_php_webshells","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files multiple_php_webshells","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"be0f67f3e995517d18859ed57b4b4389","hash3":"eddf7a8fde1e50a7f2a817ef7cece24f","hash4":"8023394542cddf8aee5dec6072ed02b5","hash5":"eed14de3907c9aa2550d95550d1a2d5f","hash6":"817671e1bdc85e04cc3440bbd9288800","hash7":"7101fe72421402029e2629f3aaed6de7","hash8":"f618f41f7ebeb5e5076986a66593afd1","rule":"multiple_php_webshells","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, 
wacking.php.php.txt","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","hash3":"d8ae5819a0a2349ec552cbcf3a62c975","hash4":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt","hash0":"ddaf9f1986d17284de83a17fe5f9fd94","hash1":"ef8828e0bc0641a655de3932199c0527","hash2":"17a07bb84e137b8aa60f87cd6bfab748","hash3":"4745d510fed4378e4b1730f56f25e569","rule":"_nst_php_php_cybershell_php_php_img_php_php_nstview_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","hash3":"44542e5c3e9790815c49d5f9beffbbf2","hash4":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"eddf7a8fde1e50a7f2a817ef7cece24f","hash2":"eed14de3907c9aa2550d95550d1a2d5f","hash3":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_r57_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Semi-Auto-generated ","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated 
","hash0":"40a3e86a63d3d7f063a86aab5b5f92c6","hash1":"d8ae5819a0a2349ec552cbcf3a62c975","hash2":"9e9ae0332ada9c3797d6cee92c2ede62","hash3":"f3ca29b7999643507081caab926e2e74","rule":"_nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/xFvioC","rule":"PHP_Cloaked_Webshell_SuperFetchExec","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php","hash":"1b2a4a7174ca170b4e3a8cdf4814c92695134c8a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_dC3_Security_Crew_Shell_PRiV"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file 
simattacker.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file simattacker.php","hash":"258297b62aeaf4650ce04642ad5f19be25ec29c9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_simattacker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file DTool Pro.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file DTool Pro.php","hash":"e2ee1c7ba7b05994f65710b7bbf935954f2c3353","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_DTool_Pro"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file ironshell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file ironshell.php","hash":"d47b8ba98ea8061404defc6b3a30839c4444a262","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_ironshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file 
b374k-mini-shell-php.php.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file b374k-mini-shell-php.php.php","hash":"afb88635fbdd9ebe86b650cc220d3012a8c35143","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_b374k_mini_shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Sincap 1.0.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Sincap 1.0.php","hash":"9b72635ff1410fa40c4e15513ae3a496d54f971c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Sincap_1_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file b374k.php.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file b374k.php.php","hash":"04c99efd187cf29dc4e5603c51be44170987bce2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_b374k_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My 
friend.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php","hash":"6454cc5ab73143d72cf0025a81bd1fe710351b44","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php","hash":"cbca8cd000e705357e2a7e0cf8262678706f18f9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file MyShell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file MyShell.php","hash":"42e283c594c4d061f80a18f5ade0717d3fb2f76d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_MyShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file pws.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file pws.php","hash":"7a405f1c179a84ff8ac09a42177a2bcd8a1a481b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_pws"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file reader.asp.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file reader.asp.php.txt","hash":"70656f3495e2b3ad391a77d5208eec0fb9e2d931","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_reader_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php","hash":"b2b797707e09c12ff5e632af84b394ad41a46fa4","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file php-backdoor.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file php-backdoor.php","hash":"b190c03af4f3fb52adc20eb0f5d4d151020c74fe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file pHpINJ.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file pHpINJ.php","hash":"75116bee1ab122861b155cc1ce45a112c28b9596","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_pHpINJ"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file NGH.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NGH.php","hash":"c05b5deecfc6de972aa4652cb66da89cfb3e1645","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_NGH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file matamu.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file matamu.php","hash":"d477aae6bd2f288b578dbf05c1c46b3aaa474733","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_matamu"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file ru24_post_sh.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file ru24_post_sh.php","hash":"d2c18766a1cd4dda928c12ff7b519578ccec0769","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_ru24_post_sh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file hiddens shell v1.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file hiddens shell v1.php","hash":"1674bd40eb98b48427c547bf9143aa7fbe2f4a59","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_hiddens_shell_v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file c99_locus7s.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file c99_locus7s.php","hash":"d413d4700daed07561c9f95e1468fb80238fbf3c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_c99_locus7s"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file safe0ver.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file safe0ver.php","hash":"366639526d92bd38ff7218b8539ac0f154190eb8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_safe0ver"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file kral.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file kral.php","hash":"4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_kral"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file cgitelnet.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file cgitelnet.php","hash":"72e5f0e4cd438e47b6454de297267770a36cbeb3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_cgitelnet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file NTDaddy v1.9.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NTDaddy v1.9.php","hash":"79519aa407fff72b7510c6a63c877f2e07d7554b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_NTDaddy_v1_9"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file lamashell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lamashell.php","hash":"b71181e0d899b2b07bc55aebb27da6706ea1b560","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_lamashell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php","hash":"03f6215548ed370bec0332199be7c4f68105274e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Simple_PHP_backdoor_by_DK"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file CmdAsp.asp.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file CmdAsp.asp.php.txt","hash":"cb18e1ac11e37e236e244b96c2af2d313feda696","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_CmdAsp_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file NCC-Shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NCC-Shell.php","hash":"64d4495875a809b2730bd93bec2e33902ea80a53","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_NCC_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file README.md","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file README.md","hash":"ef2c567b4782c994db48de0168deb29c812f7204","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_README"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file backupsql.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file backupsql.php","hash":"863e017545ec8e16a0df5f420f2d708631020dd4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_backupsql"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php","hash":"c90b0ba575f432ecc08f8f292f3013b5532fe2c4","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_AK_74_Security_Team_Web_Shell_Beta_Version"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file cpanel.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file cpanel.php","hash":"433dab17106b175c7cf73f4f094e835d453c0874","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_cpanel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file 529.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file 529.php","hash":"ba3fb2995528307487dff7d5b624d9f4c94c75d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_529"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file qsd-php-backdoor.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file qsd-php-backdoor.php","hash":"4856bce45fc5b3f938d8125f7cdd35a8bbae380f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_qsd_php_backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php","hash":"5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file Gamma Web Shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Gamma Web Shell.php","hash":"7ef773df7a2f221468cc8f7683e1ace6b1e8139a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Gamma_Web_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file WinX Shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file WinX Shell.php","hash":"a94d65c168344ad9fa406d219bdf60150c02010e","license":"Detection 
Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_WinX_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file php-include-w-shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file php-include-w-shell.php","hash":"1a7f4868691410830ad954360950e37c582b0292","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_include_w_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file PhpSpy Ver 2006.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file PhpSpy Ver 2006.php","hash":"34a89e0ab896c3518d9a474b71ee636ca595625d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_PhpSpy_Ver_2006"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file myshell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file myshell.php","hash":"5bd52749872d1083e7be076a5e65ffcde210e524","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_myshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file lolipop.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lolipop.php","hash":"86f23baabb90c93465e6851e40104ded5a5164cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_lolipop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file simple_cmd.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file simple_cmd.php","hash":"466a8caf03cdebe07aa16ad490e54744f82e32c2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_simple_cmd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file go-shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file go-shell.php","hash":"3dd85981bec33de42c04c53d081c230b5fc0e94f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_go_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file aZRaiLPhp v1.0.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file aZRaiLPhp v1.0.php","hash":"a2c609d1a8c8ba3d706d1d70bef69e63f239782b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_aZRaiLPhp_v1_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Github Archive - file zehir4","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Github Archive - file zehir4","hash":"788928ae87551f286d189e163e55410acbb90a64","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_webshells_zehir4","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file zehir4.asp.php.txt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file zehir4.asp.php.txt","hash":"1d9b78b5b14b821139541cc0deb4cbbd994ce157","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_zehir4_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file lostDC.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lostDC.php","hash":"d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_lostDC"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - file CasuS 1.5.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file CasuS 1.5.php","hash":"7eee8882ad9b940407acc0146db018c302696341","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_CasuS_1_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, 
soldierofallah.php","hash0":"fa11deaee821ca3de7ad1caafa2a585ee1bc8d82","hash1":"c0a4ba3e834fb63e0a220a43caaf55c654f97429","hash2":"16fa789b20409c1f2ffec74484a30d0491904064","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php","hash0":"b148ead15d34a55771894424ace2a92983351dda","hash1":"e4ba288f6d46dc77b403adf7d411a280601c635b","hash2":"e5713d6d231c844011e9a74175a77e8eb835c856","hash3":"1b836517164c18caf2c92ee2a06c645e26936a0c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files Dive Shell 1.0","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/04/06","description":"PHP Webshells Github Archive - from files Dive Shell 
1.0","hash0":"3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b","hash1":"2558e728184b8efcdb57cfab918d95b06d45de04","hash2":"203a8021192531d454efbc98a3bbb8cabe09c85c","hash3":"b79709eb7801a28d02919c41cc75ac695884db27","modified":"2022-12-06","rule":"WebShell_Generic_PHP_1","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php","hash0":"335a0851304acedc3f117782b61479bbc0fd655a","hash1":"6eb4ab630bd25bec577b39fb8a657350bf425687","hash2":"03f88f494654f2ad0361fb63e805b6bbfc0c86de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__CrystalShell_v_1_erne_stres","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php","hash0":"5622c9841d76617bfc3cd4cab1932d8349b7044f","hash1":"4a20f36035bbae8e342aab0418134e750b881d05","hash2":"40dbdc0bdf5218af50741ba011c5286a723fa9bf","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__findsock_php_findsock_shell_php_reverse_shell","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"PHP Webshells Github Archive","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive","hash0":"1a08f5260c4a2614636dfc108091927799776b13","hash1":"335a0851304acedc3f117782b61479bbc0fd655a","hash2":"ca9fcfb50645dc0712abdf18d613ed2196e66241","hash3":"36d8782d749638fdcaeed540d183dd3c8edc6791","hash4":"03f88f494654f2ad0361fb63e805b6bbfc0c86de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Generic_PHP_6","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Injectt.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Injectt.exe","hash":"8a5d2158a566c87edc999771e12d42c5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Unpack_Injectt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file ssh.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - 
file ssh.php","hash":"1aa5307790d72941589079989b4f900e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_ssh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Client.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Client.exe","hash":"5f91a5b46d155cacf0cc6673a2a5461b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"bin_Client"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file ZXshell.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ZXshell.exe","hash":"246ce44502d2f6002d720d350e26c288","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_ZXshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file RkNTLoad.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file RkNTLoad.exe","hash":"262317c95ced56224f136ba532b8b34f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"RkNTLoad"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file binder2.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file binder2.exe","hash":"d594e90ad23ae0bc0b65b59189c12f11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"binder2_binder2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file orice2.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file orice2.php","hash":"aa63ffb27bde8d03d00dda04421237ae","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"thelast_orice2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file sendmail.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file sendmail.exe","hash":"75b86f4a21d8adefaf34b3a94629bd17","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sendmail"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file zehir4.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file zehir4.asp","hash":"5b496a61363d304532bcf52ee21f5d55","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_zehir4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file hkshell.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkshell.exe","hash":"168cab58cee59dc4706b3be988312580","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkshell_hkshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file DarkSpy105.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file DarkSpy105.exe","hash":"f0b85e7bec90dba829a3ede1ab7d8722","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DarkSpy105"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
EditServer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file EditServer.exe","hash":"f945de25e0eba3bdaf1455b3a62b9832","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer_EXE"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file reader.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file reader.asp","hash":"b598c8b662f2a1f6cc61f291fb0a6fa2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_reader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file svchostdll.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file svchostdll.dll","hash":"0f6756c8cb0b454c452055f189e4c3f4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"svchostdll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
server.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file server.asp","hash":"1d38526a215df13c7373da4635541b43","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_DevPack_server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file vanquish.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file vanquish.dll","hash":"684450adde37a93e8bb362994efc898c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"vanquish"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Client.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Client.exe","hash":"9f0a74ec81bc2f26f16c5c172b80eca7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"BIN_Client"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
Simple_PHP_BackDooR.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Simple_PHP_BackDooR.php","hash":"a401132363eecc3a1040774bec9cb24f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Simple_PHP_BackDooR"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file hkrmv.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkrmv.exe","hash":"bd3a0b7a6b5536f8d96f50956560e9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkshell_hkrmv"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file phpft.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file phpft.php","hash":"60ef80175fcc6a879ca57c54226646b1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_phpft"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
bdcli100.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file bdcli100.exe","hash":"b12163ac53789fb4f62e4f17a8c2e028","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"bdcli100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file rdrbs084.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file rdrbs084.exe","hash":"ed30327b255816bdd7590bf891aa0020","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rdrbs084"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 2005.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file 2005.exe","hash":"8bf667ee9e21366bc0bd3491cb614f41","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_CaseSwitch_2005"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
casus15.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file casus15.php","hash":"8d155b4239d922367af5d0a1b89533a3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_casus15_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file installer.cmd","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file installer.cmd","hash":"a507919ae701cf7e42fa441d3ad95f8f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"installer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file elmaliseker.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file elmaliseker.asp","hash":"ccf48af0c8c09bbd038e610a49c9862e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"elmaliseker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
resolve.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file resolve.exe","hash":"69bf9aa296238610a0e05f99b5540297","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_resolve"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Fport.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Fport.exe","hash":"dbb75488aa2fa22ba6950aead1ef30d5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_Fport"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file upload.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file upload.asp","hash":"b09852bda534627949f0259828c967de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_DevPack_upload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
PasswordReminder.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file PasswordReminder.exe","hash":"ea49d754dc609e8bfa4c0f95d14ef9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PasswordReminder"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file RkNT.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file RkNT.dll","hash":"5f97386dfde148942b7584aeb6512b85","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rknt_zip_Folder_RkNT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file dbgntboot.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dbgntboot.dll","hash":"4d87543d4d7f73c1529c9f8066b475ab","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"dbgntboot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
shell.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file shell.php","hash":"45e8a00567f8a34ab1cccc86b4bc74b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PHP_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file rdrbs100.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file rdrbs100.exe","hash":"7c752bcd6da796d80a6830c61a632bff","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rdrbs100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Mithril.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Mithril.exe","hash":"017191562d72ab0ca551eb89256650bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_Mithril"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
hkdoordll.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkdoordll.dll","hash":"b715c009d47686c0e62d0981efce2552","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkdoordll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file dllTest.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dllTest.dll","hash":"1b9e518aaa62b15079ff6edb412b21e9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_v1_45_dllTest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file dbgiis6cli.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dbgiis6cli.exe","hash":"3044dceb632b636563f66fee3aaaf8f3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"dbgiis6cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
cress.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file cress.exe","hash":"36a416186fe010574c9be68002a7286a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Debug_cress"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file usr.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file usr.php","hash":"ade3357520325af50c9098dc8a21a024","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_usr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file phpinj.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file phpinj.php","hash":"dd39d17e9baca0363cc1c3664e608929","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_phpinj"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
db.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file db.asp","hash":"cb62e2ec40addd4b9930a9e270f5b318","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"xssshell_db"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file EditServer.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file EditServer.exe","hash":"5c1f25a4d206c83cdfb006b3eb4c09ba","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file by064cli.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file by064cli.exe","hash":"10e0dff366968b770ae929505d2a9885","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"by064cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
dllTest.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dllTest.dll","hash":"a8d25d794d8f08cd4de0c3d6bf389e6d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_dllTest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file connector.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file connector.asp","hash":"3ba1827fca7be37c8296cd60be9dc884","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"connector"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file HideRun.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file HideRun.exe","hash":"45436d9bfd8ff94b71eeaeb280025afe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_HideRun"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
PHP_Shell_v1.7.php","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file PHP_Shell_v1.7.php","hash":"b5978501c7112584532b4ca6fb77cba5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PHP_Shell_v1_7"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file save.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file save.asp","hash":"865da1b3974e940936fe38e8e1964980","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"xssshell_save"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file screencap.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file screencap.exe","hash":"51139091dea7a9418a50f2712ea72aa6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"screencap"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
zxrecv.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file zxrecv.exe","hash":"5d3d12a39f41d51341ef4cb7ce69d30f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_zxrecv"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file deploy.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file deploy.exe","hash":"2c9f9c58999256c73a5ebdb10a9be269","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"_root_040_zip_Folder_deploy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file by063cli.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file by063cli.exe","hash":"49ce26eb97fd13b6d92a5e5d169db859","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"by063cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
asp.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file asp.asp","hash":"2c412400b146b7b98d6e7755f7159bb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"icyfox007v1_10_rar_Folder_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file ntboot.dll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ntboot.dll","hash":"cb9eb5a6ff327f4d6c46aacbbe9dda9d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"byshell063_ntboot_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file xwhois.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file xwhois.exe","hash":"0bc98bd576c80d921a3460f8be8816b4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_xwhois"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
vanquish.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file vanquish.exe","hash":"2dcb9055785a2ee01567f52b5a62b071","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"vanquish_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file nc.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file nc.exe","hash":"2cd1bf15ae84c5f6917ddb128827ae8b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_nc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file Server.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Server.exe","hash":"1d5aa9cbf1429bb5b8bf600335916dcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"BIN_Server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file 
2006.asp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file 2006.asp","hash":"c19d6f4e069188f19b08fa94d44bc283","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop2006_rar_Folder_2006"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshells Auto-generated - file HDConfig.exe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file HDConfig.exe","hash":"7d60e552fdca57642fd30462416347bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HDConfig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Webshell and Exploit Code in relation with APT against Honk Kong protesters","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"10.10.2014","description":"Webshell and Exploit Code in relation with APT against Honk Kong protesters","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Webshell_and_Exploit_CN_APT_HK","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a web shell that downloads content from pastebin.com 
http://goo.gl/7dbyZs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"13.01.2015","description":"Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/7dbyZs","rule":"Pastebin_Webshell","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a web shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-10","description":"Detects a web shell","hash1":"027544baa10259939780e97dc908bd43f0fb940510119fc4cce0883f3dd88275","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/bartblaze/PHP-backdoors","rule":"webshell_e8eaf8da94012e866e51547cd63bb996379690bf"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a simple cloaked PHP web shell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-28","description":"Detects a simple cloaked PHP web shell","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127","rule":"PHP_Webshell_1_Feb17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-03-28","alert":"Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-07-21","description":"Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138","reference":"https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/","rule":"VULN_Confluence_Questions_Plugin_CVE_2022_26138_Jul22_1","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects JQuery File Upload vulnerability CVE-2018-9206","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-10-19","description":"Detects JQuery File Upload vulnerability CVE-2018-9206","reference":"https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/","reference2":"https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f","reference3":"https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html","rule":"VUL_JQuery_FileUpload_CVE_2018_9206"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a potential compromise indicator found in MOVEit Transfer logs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian 
Roth","date":"2023-06-01","description":"Detects a potential compromise indicator found in MOVEit Transfer logs","reference":"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a potential compromise indicator found in MOVEit Transfer logs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-03","description":"Detects a potential compromise indicator found in MOVEit Transfer logs","reference":"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects a potential compromise indicator found in MOVEit DMZ Web API logs","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nasreddine Bencherchali","date":"2023-06-13","description":"Detects a potential compromise indicator found in MOVEit DMZ Web API logs","reference":"https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_3","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-28","alert":"Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange 
servers","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-11-17","description":"Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers","reference":"https://github.com/testanull/ProxyNotShell-PoC","rule":"LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Filter for 2nd stage malware used in VPNfilter attack","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"Christiaan Beek @ McAfee Advanced Threat Research","date":"2018-05-23","description":"Filter for 2nd stage malware used in VPNfilter attack","hash":"9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387","malware_family":"Backdoor:W32/VPNfilter","malware_type":"backdoor","reference":"https://blog.talosintelligence.com/2018/05/VPNFilter.html","rule":"VPNFilter","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Monero mining software","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"Trellix ATR team","date":"2018-04-05","description":"Monero mining 
software","malware_family":"Ransom:W32/MoneroMiner","malware_type":"miner","rule":"MINER_monero_mining_detection","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"CTB_Locker","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"ISG","date":"2015-01-20","description":"CTB_Locker","malware_family":"Ransom:W32/CTBLocker","malware_type":"ransomware","reference":"https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker","rule":"BackdoorFCKG","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Detect GPGQwerty ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"McAfee Labs","date":"2018-03-21","description":"Detect GPGQwerty ransomware","malware_family":"Ransom:W32/GPGQwerty","malware_type":"ransomware","reference":"https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard/","rule":"crime_ransomware_windows_GPGQwerty","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Rule to detect the Kraken Cryptor Ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"Marc Rivero | McAfee 
ATR Team","date":"2018-09-30","description":"Rule to detect the Kraken Cryptor Ransomware","hash":"564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd","malware_family":"Ransom:W32/Kraken","malware_type":"ransomware","reference":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/","rule":"kraken_cryptor_ransomware","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"rule to detect Linux variant of the Hello Kitty Ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"Rule_Version":"v1","author":"Christiaan @ ATR","date":"2021-07-19","description":"rule to detect Linux variant of the Hello Kitty Ransomware","hash1":"ca607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041","hash2":"556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed","malware_family":"Ransom:Linux/HelloKitty","malware_type":"ransomware","rule":"ransom_Linux_HelloKitty_0721"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Rule to detect Mount Locker ransomware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"McAfee ATR Team","date":"2020-09-25","description":"Rule to detect Mount Locker 
ransomware","hash1":"4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273","hash2":"f570d5b17671e6f3e56eae6ad87be3a6bbfac46c677e478618afd9f59bf35963","malware_family":"Ransomware:W32/MountLocker","malware_type":"ransomware","rule":"RANSOM_mountlocker","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Trellix Threat Reasearch YARA rules","scan_date":"2024-03-28","alert":"Credentials Stealing Attack","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/advanced-threat-research/Yara-Rules/tree/master","meta":{"actor_group":"Unknown","actor_type":"Cybercrime","author":"Christiaan Beek | McAfee ATR Team","date":"2013-06-30","description":"Credentials Stealing Attack","hash":"7cf757e0943b0a6598795156c156cb90feb7d87d4a22c01044499c4e1619ac57","malware_family":"Stealer:W32/DarkSide","malware_type":"stealer","rule":"STEALER_emirates_statement","rule_version":"v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. 
diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Detect basics of ItsSoEasy Ransomware (Itssoeasy-A)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"bstnbuck","date":"2023-11-02","description":"Detect basics of ItsSoEasy Ransomware (Itssoeasy-A)","rule":"ItsSoEasy_Ransomware_basic","yarahub_author_twitter":"@bstnbuck","yarahub_license":"CC0 1.0","yarahub_reference_link":"https://github.com/bstnbuck/ItsSoEasy","yarahub_reference_md5":"1ce280542553dc383b768b9189808e27","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"a2564e9f-e5f9-459c-ae4b-7656fa9df9c3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Lucasstealer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Chat3ux","date":"2022-09-08","description":"Lucasstealer","rule":"LucaStealer","yarahub_author_twitter":"@Chat3ux_","yarahub_license":"CC0 1.0","yarahub_reference_md5":"c73c38662b7283befc65c87a2d82ac94","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71c9c97e-161a-41c8-8014-4ee186c92a22"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Detects QBOT HTML smuggling 
variants","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Ankit Anubhav - ankitanubhav.info","date":"2022-06-26","description":"Detects QBOT HTML smuggling variants","malpedia_family":"win.qakbot","rule":"QBOT_HTMLSmuggling_a","yarahub_author_email":"ankit.yara@inbox.ru","yarahub_author_twitter":"@ankit_anubhav","yarahub_license":"CC0 1.0","yarahub_reference_link":"https://twitter.com/ankit_anubhav","yarahub_reference_md5":"1807f10ee386d0702bbfcd1a4da76fd1","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"8db8aecd-53ae-4772-8d9c-38b121cfe0e0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"RABBITHUNT_cls","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"RABBITHUNT_cls","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"22a968beda8a033eb31ae175b7e0a937","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"d7c6a7d6-20d9-40d0-a63c-2c780bee821e"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"Detects the ESXiArgs Ransomware encryption python script","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"SECUINFRA Falcon Team (@SI_FalconTeam)","date":"2023-02-07","description":"Detects the ESXiArgs Ransomware encryption python 
script","reference":"https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/","rule":"RANSOM_ESXiArgs_Ransomware_Python_Feb23","tlp":"CLEAR","yarahub_author_twitter":"@SI_FalconTeam","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"c358fe0e8837cc577315fc38892b937d","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"e79d0764-bf61-4e71-b181-8ed13edfcb98"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-03-28","alert":"yarahub_win_remcos_rat_unpacked_aug_2023","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Matthew @ Embee_Research","date":"2023-08-27","desc":"Detects bytecodes present in Amadey Bot Samples","malpedia_family":"win.remcos","rule":"yarahub_win_remcos_rat_unpacked_aug_2023","sha_256":"ec901217558e77f2f449031a6a1190b1e99b30fa1bb8d8dabc3a99bc69833784","yarahub_author_twitter":"@embee_research","yarahub_license":"CC BY-NC 4.0","yarahub_reference_md5":"57b00a449fc132c2f5d139c6d1cee7cd","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"f701cf05-ac09-44f3-b4ee-3ea944bd5533"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Adfind, a Command line Active Directory query tool.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"HACKTOOL","creation_date":"2020-08-01","description":"Identifies Adfind, a Command line Active Directory query 
tool.","fingerprint":"296292e4e665d7eb2d36b2ad655d451cdf89bc27d2705bb8cb97fa34afcd16cb","first_imported":"2021-12-30","id":"369wFVCBXsVYywgZZJhUjW","last_modified":"2021-12-30","mitre_att":"S0552","reference":"http://www.joeware.net/freetools/tools/adfind/","rule":"Adfind","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"ADFIND","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Aurora Stealer.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","description":"Identifies Aurora Stealer.","fingerprint":"06f893451d74f7cc924b9988443338ed9d86d8afb3b1facdfee040bce0c45289","first_imported":"2023-05-26","id":"6Z1CVWsCBgJV6aRbfDFvlr","last_modified":"2023-05-26","malware":"Aurora Stealer","reference":" https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer","rule":"AuroraStealer","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies AveMaria aka WarZone RAT.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-11-01","description":"Identifies AveMaria aka WarZone 
RAT.","fingerprint":"6cf820532d1616bf7e0a16d2ccf0fb4c31df30e775fd9de1622ac840f55b2fee","first_imported":"2021-12-30","id":"7kTjKOPEjKKZRVTPh5LCPf","last_modified":"2021-12-30","malware":"WARZONERAT","malware_type":"RAT","mitre_att":"S0534","rule":"AveMaria","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies CryLock aka Cryakl ransomware.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-09-01","description":"Identifies CryLock aka Cryakl ransomware.","fingerprint":"f3084da9bc523ee78f0a85e439326c2f4a348330bf228192ca07c543f5fb04ed","first_imported":"2021-12-30","id":"2l4H1zr9CK35G8zGAmRQAk","last_modified":"2021-12-30","malware":"CRYLOCK","malware_type":"RANSOMWARE","rule":"CryLock","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Darkside ransomware.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-05-01","description":"Identifies Darkside ransomware.","fingerprint":"57bc5c7353c8c518e057456b2317e1dbf59ee17ce69cd336f1bacaf627e9efd5","first_imported":"2021-12-30","id":"5qjcs58k9iHd3EU3xv66sV","last_modified":"2021-12-30","malware":"DARKSIDE","malware_type":"RANSOMWARE","rule":"Darkside","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA 
rules","scan_date":"2024-03-28","alert":"Identifies Hidden Windows driver, used by malware such as PurpleFox.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-11-01","description":"Identifies Hidden Windows driver, used by malware such as PurpleFox.","fingerprint":"0fc71baad34741d864ec596e89fc873a01974d7ab6bea912d572c2bd2ae2e0da","first_imported":"2021-12-30","id":"568PgDjhUwg620xlbE6vMk","last_modified":"2021-12-30","reference":"https://github.com/JKornev/hidden","rule":"Hidden","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies IcedID (stage 1 and 2, initial loaders).","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-01-01","description":"Identifies IcedID (stage 1 and 2, initial loaders).","fingerprint":"b86460e97101c23cf11ff9fb43f6fcdce444fcfa301b1308c2f4d6aa2f01986a","first_imported":"2021-12-30","id":"1GXBmGKG0zu5DhEKiZK0Kx","last_modified":"2021-12-30","malware":"ICEDID","malware_type":"LOADER","mitre_att":"S0483","rule":"IcedID_init_loader","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Impacket, a collection of Python classes for working with network 
protocols.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-08-01","description":"Identifies Impacket, a collection of Python classes for working with network protocols.","fingerprint":"3c84db45525bc8981b832617b35c0b81193827313b23c7fede0b00badc3670f4","first_imported":"2021-12-30","id":"4slxMFaVQR9nCS6mQxIQj","last_modified":"2021-12-30","mitre_att":"S0357","reference":"https://github.com/SecureAuthCorp/impacket","rule":"Impacket","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"IMPACKET","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies LaZagne, credentials recovery project.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-01-01","description":"Identifies LaZagne, credentials recovery project.","fingerprint":"81ef321369e94e5cb5bbf735ab7db8c6aafc1fc7564c76d53b3f0e0adb9e5c81","first_imported":"2021-12-30","id":"3DeKZTrvc1lTK9vNaoj7LG","last_modified":"2021-12-30","mitre_att":"S0349","reference":"https://github.com/AlessandroZ/LaZagne","rule":"LaZagne","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"LAZAGNE","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Maze ransomware in memory or unpacked.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2019-11-01","description":"Identifies Maze 
ransomware in memory or unpacked.","fingerprint":"305df5e5f0a4d5660dff22073881e65ff25528895abf26308ecd06dd70a97ec2","first_imported":"2021-12-30","id":"4sTbmIEE40nSKc9rOEz4po","last_modified":"2021-12-30","malware":"MAZE","malware_type":"RANSOMWARE","mitre_att":"S0449","rule":"Maze","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Parallax RAT.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-09-01","description":"Identifies Parallax RAT.","fingerprint":"3ae9c820e411829619984c5e5311e8940248a771cfde3f22d2789ccb3c099be8","first_imported":"2021-12-30","id":"7AHV77y7ZoCjGyFbljjWV6","last_modified":"2021-12-30","malware":"PARALLAX","malware_type":"RAT","rule":"Parallax","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Pysa aka Mespinoza ransomware.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-03-01","description":"Identifies Pysa aka Mespinoza ransomware.","fingerprint":"7f8819e9f76b9c97e90cd5da7ea788c9bb1eb135d8e1cb8974d6f17ecf51b3c3","first_imported":"2021-12-30","id":"240byxdCwyzaTk3xgjzbEa","last_modified":"2021-12-30","malware":"PYSA","malware_type":"RANSOMWARE","mitre_att":"S0583","rule":"Pysa","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec 
YARA rules","scan_date":"2024-03-28","alert":"Identifies RagnarLocker ransomware unpacked or in memory.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-07-01","description":"Identifies RagnarLocker ransomware unpacked or in memory.","fingerprint":"fd403ea38a9c6c269ff7b72dea1525010f44253a41e72bf3fce55fa4623245a3","first_imported":"2021-12-30","id":"5066KiqBNrcicJGfWPfDx5","last_modified":"2021-12-30","malware":"RAGNAR LOCKER","malware_type":"RANSOMWARE","mitre_att":"S0481","rule":"RagnarLocker","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies SystemBC RAT, decrypted config.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-07-01","description":"Identifies SystemBC RAT, decrypted config.","fingerprint":"8de029e2f4fc81742a3e04976a58360e403ce5737098c14e0a007c306a1e0f01","first_imported":"2021-12-30","id":"70WDDM1D5xtPBqsUdBiPTK","last_modified":"2021-12-30","malware_type":"RAT","rule":"SystemBC_Config","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Windows Credentials Editor (WCE), post-exploitation tool.","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"HACKTOOL","creation_date":"2020-01-01","description":"Identifies Windows 
Credentials Editor (WCE), post-exploitation tool.","fingerprint":"2ba3672c391e1426f01f623538f85bc377eec8ff60eda61c1af70f191ab683a3","first_imported":"2021-12-30","id":"3Q5yGnr66Sy8HikXBcYqKN","last_modified":"2021-12-30","mitre_att":"S0005","reference":"https://www.ampliasecurity.com/research/windows-credentials-editor/","rule":"Windows_Credentials_Editor","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"WINDOWS CREDENTIAL EDITOR","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-03-28","alert":"Identifies Zeppelin ransomware and variants (Buran, Vega etc.)","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2019-11-01","description":"Identifies Zeppelin ransomware and variants (Buran, Vega etc.)","fingerprint":"a4da7defafa7f510df1c771e3d67bf5d99f3684a44f56d2b0e6f40f0a7fea84f","first_imported":"2021-12-30","id":"RIttcGgKqwaotJyTgah7j","last_modified":"2021-12-30","malware":"ZEPPELIN","malware_type":"RANSOMWARE","rule":"Zeppelin","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"Detecting HTML strings used by Agent Tesla malware","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"Stormshield","description":"Detecting HTML strings used by Agent Tesla malware","rule":"agent_tesla","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"AgenetTesla Type 2 Keylogger 
payload","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"ditekshen","cape_type":"AgentTesla Payload","description":"AgenetTesla Type 2 Keylogger payload","rule":"AgentTeslaV2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"AgentTeslaV3 infostealer payload","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"ditekshen","cape_type":"AgentTesla payload","description":"AgentTeslaV3 infostealer payload","rule":"AgentTeslaV3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"Cobalt Strike Beacon Payload","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"ditekshen, enzo \u0026 Elastic","cape_type":"CobaltStrikeBeacon Payload","description":"Cobalt Strike Beacon Payload","rule":"CobaltStrikeBeacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"TrickBot Payload","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"sysopfb \u0026 kevoreilly","cape_type":"TrickBot Payload","description":"TrickBot Payload","rule":"TrickBot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-03-28","alert":"Detects TrickBot Banking module 
permaDll","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"@VK_Intel | Advanced Intelligence","description":"Detects TrickBot Banking module permaDll","md5":"491115422a6b94dc952982e6914adc39","rule":"Trickbot_PermaDll_UEFI_Module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Backdoor.Fontonlake","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"85f16dd4a127737501863ccba006a444d899c6edc6ab03af5dddef2d39edc483","id":"fe916a45-75cc-40e4-94ad-6ac0f5d815b9","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"8a0a9740cf928b3bd1157a9044c6aced0dfeef3aa25e9ff9c93e113cbc1117ee","rule":"Linux_Backdoor_Fontonlake_fe916a45","scan_context":"file, memory","severity":"100","threat_name":"Linux.Backdoor.Fontonlake"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Backdoor.Tinyshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"f71ce364fb607ee6f4422864674ae3d053453b488c139679aa485466893c563d","id":"67ee6fae-304b-47f5-93b6-4086a864d433","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"9d2e25ec0208a55fba97ac70b23d3d3753e9b906b4546d1b14d8c92f8d8eb03d","rule":"Linux_Backdoor_Tinyshell_67ee6fae","scan_context":"file, 
memory","severity":"100","threat_name":"Linux.Backdoor.Tinyshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2021-3156","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-15","fingerprint":"66aca7d13fb9c5495f17b7891e388db0a746d8827c8ae302a6cb8d86f7630bbb","id":"f3fb10cd-1d49-420f-8740-5c8990560943","last_modified":"2021-09-21","license":"Elastic License v2","os":"linux","reference_sample":"65fb8baa5ec3bfb4473e4b2f565b461dd59989d43c72b1c5ec2e1a68baa8b51a","rule":"Linux_Exploit_CVE_2021_3156_f3fb10cd","scan_context":"file","severity":"100","threat_name":"Linux.Exploit.CVE-2021-3156"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2021-3156","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-15","fingerprint":"71e90dd36342686bb4be7ef86e1ceb2e915c70f437f4733ddcc5175860ca4084","id":"7f5672d0-73f1-4143-b3e2-3aed110779e3","last_modified":"2021-09-21","license":"Elastic License v2","os":"linux","reference_sample":"1a4517d2582ac97b88ae568c23e75beba93daf8518bd3971985d6a798049fd61","rule":"Linux_Exploit_CVE_2021_3156_7f5672d0","scan_context":"file","severity":"100","threat_name":"Linux.Exploit.CVE-2021-3156"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2021-3490","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-11-12","fingerprint":"4f8f4c7fabe32a023f8aafb817e2c27c5a5e0e9246ddccacf99a47f2ab850014","id":"d369d615-d2a3-4f9d-b5c7-eb0fac5d43e7","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"e65ba616942fd1e893e10898d546fe54458debbc42e0d6826aff7a4bb4b2cf19","rule":"Linux_Exploit_CVE_2021_3490_d369d615","scan_context":"file, memory","severity":"100","threat_name":"Linux.Exploit.CVE-2021-3490"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2021-4034","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-26","fingerprint":"b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6","id":"1c8f235d-1345-4d5f-a5db-427dbbe6fc9a","last_modified":"2022-07-22","license":"Elastic License v2","os":"linux","reference_sample":"94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b","rule":"Linux_Exploit_CVE_2021_4034_1c8f235d","scan_context":"file","severity":"100","threat_name":"Linux.Exploit.CVE-2021-4034"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.CVE-2022-0847","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-03-10","fingerprint":"376b791f9bb5f48d0f41ead4e48b5bcc74cb68002bb7c170760428ace169457e","id":"e831c285-b2b9-49f3-a87c-3deb806e31e4","last_modified":"2022-03-14","license":"Elastic License v2","os":"linux","reference_sample":"c6b2cef2f2bc04e3ae33e0d368eb39eb5ea38d1bca390df47f7096117c1aecca","rule":"Linux_Exploit_CVE_2022_0847_e831c285","scan_context":"file, memory","severity":"100","threat_name":"Linux.Exploit.CVE-2022-0847"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Exploit.Log4j","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-12-13","fingerprint":"cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159","id":"7fc4d480-5354-4b0b-93ee-2937ddd1565c","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","rule":"Linux_Exploit_Log4j_7fc4d480","scan_context":"file, memory","severity":"100","threat_name":"Linux.Exploit.Log4j"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Hacktool.Fontonlake","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"81936e696a525cf02070fa7cfa27574cdad37e1b3d8f278950390a1945c21611","id":"68ad8568-2b00-4680-a83f-1689eff6099c","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"717953f52318e7687fc95626561cc607d4875d77ff7e3cf5c7b21cf91f576fa4","rule":"Linux_Hacktool_Fontonlake_68ad8568","scan_context":"file, 
memory","severity":"100","threat_name":"Linux.Hacktool.Fontonlake"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Hacktool.Wipelog","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-03-17","fingerprint":"93f899e14e6331c2149ba5c0c1e9dd8def5a7d1b6d2a7af66eade991dea77b3c","id":"daea1aa4-0df7-4308-83e1-0707dcda2e54","last_modified":"2022-07-22","license":"Elastic License v2","os":"linux","reference_sample":"39b3a95928326012c3b2f64e2663663adde4b028d940c7e804ac4d3953677ea6","rule":"Linux_Hacktool_Wipelog_daea1aa4","scan_context":"file, memory","severity":"100","threat_name":"Linux.Hacktool.Wipelog"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Proxy.Frp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-20","fingerprint":"70bb186a9719767a9a60786fbe10bf4cc2f04c19ea58aaaa90018ec89a9f9b84","id":"4213778f-d05e-4af8-9650-2d813d5a64e5","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2","rule":"Linux_Proxy_Frp_4213778f","scan_context":"file, memory","severity":"100","threat_name":"Linux.Proxy.Frp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Linux.Rootkit.Fontonlake","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"187aae8e659061a06b44e0d353e35e22ada9076c78d8a7e4493e1e4cc600bc9d","id":"8fa41f5e-d03d-4647-86fb-335e056c1c0d","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"826222d399e2fb17ae6bc6a4e1493003881b1406154c4b817f0216249d04a234","rule":"Linux_Rootkit_Fontonlake_8fa41f5e","scan_context":"file, memory","severity":"100","threat_name":"Linux.Rootkit.Fontonlake"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-10","fingerprint":"cc9b75b1f1230e3e2ed289ef5b8fa2deec51197e270ec5d64ff73722c43bb4e8","id":"59e029c3-a57c-44ad-a554-432efc6b591a","last_modified":"2022-05-10","license":"Elastic License v2","os":"linux","reference_sample":"144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3","rule":"Linux_Trojan_BPFDoor_59e029c3","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-05-10","fingerprint":"55097020a70d792e480542da40b91fd9ab0cc23f8736427f398998962e22348e","id":"0f768f60-1d6c-4af9-8ae3-c1c8fbbd32f4","last_modified":"2022-05-10","license":"Elastic License v2","os":"linux","reference_sample":"3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155","rule":"Linux_Trojan_BPFDoor_0f768f60","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-10","fingerprint":"b9d07bda8909e7afb1a1411a3bad1e6cffec4a81eb47d42f2292a2c4c0d97fa7","id":"8453771b-a78f-439d-be36-60439051586a","last_modified":"2022-05-10","license":"Elastic License v2","os":"linux","reference_sample":"591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78","rule":"Linux_Trojan_BPFDoor_8453771b","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-10","fingerprint":"e7f92df3e3929b8296320300bb341ccc69e00d89e0d503a41190d7c84a29bce2","id":"1a7d804b-9d39-4855-abe9-47b72bd28f07","last_modified":"2022-05-10","license":"Elastic License 
v2","os":"linux","reference_sample":"76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925","rule":"Linux_Trojan_BPFDoor_1a7d804b","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.BPFDoor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-10","fingerprint":"1c4cb6c8a255840c5a2cb7674283678686e228dc2f2a9304fa118bb5bdc73968","id":"e14b0b79-a6f3-4fb3-a314-0ec20dcd242c","last_modified":"2022-05-10","license":"Elastic License v2","os":"linux","reference_sample":"dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a","rule":"Linux_Trojan_BPFDoor_e14b0b79","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.BPFDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.Mirai","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"e2ef1c60e21f18e54694bcfc874094a941e5f61fa6144c5a0e44548dafa315be","id":"7c88acbc-8b98-4508-ac53-ab8af858660d","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Mirai_7c88acbc","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.Mirai","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1","id":"b9a9d04b-a997-46c4-b893-e89a3813efd3","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Mirai_b9a9d04b","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Linux.Trojan.Orbit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-07-20","fingerprint":"0bb1c74f872ea8778a442aafc2c6f3f04e331b7f743ba726257e36b09ef33da4","id":"57c23178-1345-47b7-97b1-aa2075d9d69d","last_modified":"2022-08-16","license":"Elastic License v2","os":"linux","reference_sample":"40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020","rule":"Linux_Trojan_Orbit_57c23178","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Orbit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Backdoor.Fakeflashlxk","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-11-11","fingerprint":"a0e6763428616b46536c6a4eb080bae0cc58ef27678616aa432eb43a3d9c77a1","id":"06fd8071-0370-4ae8-819a-846fa0a79b3d","last_modified":"2022-07-22","license":"Elastic License v2","os":"macos","reference_sample":"107f844f19e638866d8249e6f735daf650168a48a322d39e39d5e36cfc1c8659","rule":"MacOS_Backdoor_Fakeflashlxk_06fd8071","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Backdoor.Fakeflashlxk"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Backdoor.Kagent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-11-11","fingerprint":"b8086b08a019a733bee38cebdc4e25cdae9d3c238cfe7b341d8f0cd4db204d27","id":"64ca1865-0a99-49dc-b138-02b17ed47f60","last_modified":"2022-07-22","license":"Elastic License v2","os":"macos","reference_sample":"d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4","rule":"MacOS_Backdoor_Kagent_64ca1865","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Backdoor.Kagent"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Backdoor.Keyboardrecord","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-11-11","fingerprint":"27aa4380bda0335c672e957ba2ce6fd1f42ccf0acd2eff757e30210c3b4fb2fa","id":"832f7bac-3896-4934-b05f-8215a41cca74","last_modified":"2022-07-22","license":"Elastic License 
v2","os":"macos","reference_sample":"570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6","rule":"MacOS_Backdoor_Keyboardrecord_832f7bac","scan_context":"file","severity":"100","threat_name":"MacOS.Backdoor.Keyboardrecord"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Backdoor.Useragent","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-11-11","fingerprint":"22afa14a3dc6f8053b93bf3e971d57808a9cc19e676f9ed358ba5f1db9292ba4","id":"1a02fc3a-a394-457b-8af5-99f7f22b0a3b","last_modified":"2022-07-22","license":"Elastic License v2","os":"macos","reference_sample":"623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a","rule":"MacOS_Backdoor_Useragent_1a02fc3a","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Backdoor.Useragent"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Cryptominer.Generic","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"733dadf5a09f4972629f331682fca167ebf9a438004cb686d032f69e32971bd4","id":"d3f68e29-830d-4d40-a285-ac29aed732fa","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"d9c78c822dfd29a1d9b1909bf95cab2a9550903e8f5f178edeb7a5a80129fbdb","rule":"MacOS_Cryptominer_Generic_d3f68e29","scan_context":"file, 
memory","severity":"100","threat_name":"MacOS.Cryptominer.Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Cryptominer.Xmrig","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8","id":"241780a1-ad50-4ded-b85a-26339ae5a632","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f","rule":"MacOS_Cryptominer_Xmrig_241780a1","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Cryptominer.Xmrig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Exploit.Log4j","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-12-13","fingerprint":"cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159","id":"75a13888-7650-4ef3-adec-15378c8479bd","last_modified":"2022-07-22","license":"Elastic License v2","os":"macos","rule":"MacOS_Exploit_Log4j_75a13888","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Exploit.Log4j"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"MacOS.Hacktool.Bifrost","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"e11f6f3a847817644d40fee863e168cd2a18e8e0452482c1e652c11fe8dd769e","id":"39bcbdf8-86dc-480e-8822-dc9832bb9b55","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"e2b64df0add316240b010db7d34d83fc9ac7001233259193e5a72b6e04aece46","rule":"MacOS_Hacktool_Bifrost_39bcbdf8","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Hacktool.Bifrost"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Hacktool.Swiftbelt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-12","fingerprint":"98d14dba562ad68c8ecc00780ab7ee2ecbe912cd00603fff0eb887df1cd12fdb","id":"bc62ede6-e6f1-4c9e-bff2-ef55a5d12ba1","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1","rule":"MacOS_Hacktool_Swiftbelt_bc62ede6","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Hacktool.Swiftbelt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Eggshell","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-09-30","fingerprint":"2e6284c8e44809d5f88781dcf7779d1e24ce3aedd5e8db8598e49c01da63fe62","id":"ddacf7b9-8479-47ef-9df2-17060578a8e5","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b","rule":"MacOS_Trojan_Eggshell_ddacf7b9","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Eggshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Electrorat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"fa65fc0a8f5b1f63957c586e6ca8e8fbdb811970f25a378a4ff6edf5e5c44da7","id":"b4dbfd1d-4968-4121-a4c2-5935b7f76fc1","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"b1028b38fcce0d54f2013c89a9c0605ccb316c36c27faf3a35adf435837025a4","rule":"MacOS_Trojan_Electrorat_b4dbfd1d","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Electrorat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Metasploit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"e13c605d8f16b2b2e65c717a4716c25b3adaec069926385aff88b37e3db6e767","id":"6cab0ec0-0ac5-4f43-8a10-1f46822a152b","last_modified":"2021-10-25","license":"Elastic License 
v2","os":"macos","reference_sample":"7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42","rule":"MacOS_Trojan_Metasploit_6cab0ec0","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Metasploit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"d47e8083268190465124585412aaa2b30da126083f26f3eda4620682afd1d66e","id":"293bfea9-c5cf-4711-bec0-17a02ddae6f2","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42","rule":"MacOS_Trojan_Metasploit_293bfea9","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Metasploit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"ff040211f664f3f35cd4f4da0e5eb607ae3e490aae75ee97a8fb3cb0b08ecc1f","id":"448fa81d-14c7-479b-8d1e-c245ee261ef6","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42","rule":"MacOS_Trojan_Metasploit_448fa81d","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic 
Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.RustBucket","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-06-26","fingerprint":"f9907f46c345a874b683809f155691723e3a6df7c48f6f4e6eb627fb3dd7904d","id":"e64f7a92-e530-4d0b-8ecb-fe5756ad648c","last_modified":"2023-06-29","license":"Elastic License v2","os":"macos","reference_sample":"9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747","rule":"MacOS_Trojan_RustBucket_e64f7a92","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.RustBucket"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"MacOS.Trojan.Thiefquest","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-30","fingerprint":"38916235c68a329eea6d41dbfba466367ecc9aad2b8ae324da682a9970ec4930","id":"9130c0f3-5926-4153-87d8-85a591eed929","last_modified":"2021-10-25","license":"Elastic License v2","os":"macos","reference_sample":"bed3561210e44c290cd410adadcdc58462816a03c15d20b5be45d227cd7dca6b","rule":"MacOS_Trojan_Thiefquest_9130c0f3","scan_context":"file, memory","severity":"100","threat_name":"MacOS.Trojan.Thiefquest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Macos.Hacktool.JokerSpy","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2023-06-19","fingerprint":"71423d5c4c917917281b7e0f644142a0570df7a5a7ea568506753cb6eabef1c0","id":"58a6b26d-13dd-485a-bac3-77a1053c3a02","last_modified":"2023-06-19","license":"Elastic License v2","os":"macos","reference_sample":"d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8","rule":"Macos_Hacktool_JokerSpy_58a6b26d","scan_context":"file, memory","severity":"100","threat_name":"Macos.Hacktool.JokerSpy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Multi.Ransomware.Luna","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-02","fingerprint":"90c97ecfce451e1373af0d7538cf12991cc844d05c99ee18570e176143ccd899","id":"8614d3d7-7fd2-4cf9-aa97-48a8d9333f38","last_modified":"2022-08-16","license":"Elastic License v2","os":"multi","reference_sample":"1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51","rule":"Multi_Ransomware_Luna_8614d3d7","scan_context":"file, memory","severity":"100","threat_name":"Multi.Ransomware.Luna"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Multi.Trojan.Coreimpact","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-10","fingerprint":"5a4d7af7d0fecc05f87ba51f976d78e77622f8afb1eafc175444f45839490109","id":"37703dc3-9485-4026-a8b7-82e753993757","last_modified":"2022-09-29","license":"Elastic License 
v2","os":"multi","reference_sample":"2d954908da9f63cd3942c0df2e8bb5fe861ac5a336ddef2bd0a977cebe030ad7","rule":"Multi_Trojan_Coreimpact_37703dc3","scan_context":"file, memory","severity":"100","threat_name":"Multi.Trojan.Coreimpact"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Multi.Trojan.Sliver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-20","fingerprint":"0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a","id":"42298c4a-fcea-4c5a-b213-32db00e4eb5a","last_modified":"2022-01-14","license":"Elastic License v2","os":"multi","reference_sample":"3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007","rule":"Multi_Trojan_Sliver_42298c4a","scan_context":"file, memory","severity":"100","threat_name":"Multi.Trojan.Sliver"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Multi.Trojan.Sliver","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-31","fingerprint":"e52e39644274e3077769da4d04488963c85a0b691dc9973ad12d51eb34ba388b","id":"3bde542d-df52-4f05-84ff-de67e90592a9","last_modified":"2022-09-29","license":"Elastic License v2","os":"multi","reference_sample":"05461e1c2a2e581a7c30e14d04bd3d09670e281f9f7c60f4169e9614d22ce1b3","rule":"Multi_Trojan_Sliver_3bde542d","scan_context":"file, memory","severity":"100","threat_name":"Multi.Trojan.Sliver"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Backdoor.TeamViewer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-29","fingerprint":"0f2406e98fa1383e39672bd4ec32a111363f7d33f8bc33c2bd7ea36353faab45","id":"df8e7326-5879-48d7-8a5f-1c9a2d8b7f8d","last_modified":"2022-12-20","license":"Elastic License v2","os":"windows","reference":"https://vms.drweb.com/virus/?i=8172096","reference_sample":"68d9ffb6e00c2694d0d827108d0410d5a66d4f8cf839afddd17c5887b0149350","rule":"Windows_Backdoor_TeamViewer_df8e7326","scan_context":"file, memory","severity":"100","threat_name":"Windows.Backdoor.TeamViewer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Exploit.Dcom","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"0abae84599e490056412d5a5ce1868ea118551243377d59cbb6ebd83701769b8","id":"7a1bcec7-e177-4adf-97a7-0d876bf65abc","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5","rule":"Windows_Exploit_Dcom_7a1bcec7","scan_context":"file","severity":"100","threat_name":"Windows.Exploit.Dcom"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Exploit.Log4j","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-12-13","fingerprint":"cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159","id":"dbac7698-906c-44a2-9795-f04ec07d7fcc","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","rule":"Windows_Exploit_Log4j_dbac7698","scan_context":"file, memory","severity":"100","threat_name":"Windows.Exploit.Log4j"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.AskCreds","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-16","fingerprint":"e00dd2496045d1b71119b35c30c4c010c0ad57f67691649c0f4d206f837bd05d","id":"34e3e3d4-7516-4e0e-b3e7-5bc84404bd08","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","rule":"Windows_Hacktool_AskCreds_34e3e3d4","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.AskCreds"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.DarkLoadLibrary","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-12-02","fingerprint":"a73ca4c615d3567c48cc9ec3eedb0497de67960e9610fd1d0ad136075005d10b","id":"c25ee4eb-8ea6-40e2-a1a3-ec60491ced03","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"5546194a71bc449789c3697f9c106860ac0a21e1ccf2b1196120b3f92f4b5306","rule":"Windows_Hacktool_DarkLoadLibrary_c25ee4eb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.DarkLoadLibrary"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.Mimikatz","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Detection for Invoke-Mimikatz","fingerprint":"9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135","id":"355d5d3a-e50e-4614-9a84-0da668c40852","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96","rule":"Windows_Hacktool_Mimikatz_355d5d3a","scan_context":"file, memory","severity":"90","threat_name":"Windows.Hacktool.Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.Rubeus","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"fbc2f67f394a4d21cac532b42c6749002cb7284b4a3912e18672881e6e74765d","id":"43f18623-6024-4608-8019-e3fecd54cf84","last_modified":"2022-11-24","license":"Elastic License 
v2","os":"windows","reference_sample":"b7b4691ad1cdad7663c32d07e911a03d9cc8b104f724c2825fd4957007649235","rule":"Windows_Hacktool_Rubeus_43f18623","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Rubeus"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SafetyKatz","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.Seatbelt","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cdbafa7507cb723f20ad0c7a288750a0d95792c8fe5ceb5e48c62fd45f2ffc0b","id":"674fd535-f188-4b20-8b5e-69a111bf08e5","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"a0e467aacd383727d46e766f1c45b424a6d46248118c155c22c538e8773b3ae7","rule":"Windows_Hacktool_Seatbelt_674fd535","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Hacktool.Seatbelt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.Sharpersist","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"44fd3f1146d81c34051f8ef4619db369d364e809799e7ca57bea93fb8fef5d4c","id":"06606812-2be2-4155-a82b-6ab4629c5b5a","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8","rule":"Windows_Hacktool_SharPersist_06606812","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Sharpersist"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpAppLocker","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"720a96f7baa8af4e6189709ee906350c291e175ac861c83d425b235d9217bb32","id":"9645cf22-f9b3-45ff-a5d8-513c59ad3d53","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"0f7390905abc132889f7b9a6d5b42701173aafbff5b8f8882397af35d8c10965","rule":"Windows_Hacktool_SharpAppLocker_9645cf22","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpAppLocker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpChromium","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"b6695ded1a6f647812c7f355e089a2ed7209ac59f51a97d8f6b1897bb1e7d9ad","id":"41ce5080-7d84-4a56-8de8-86959eb92057","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"9dd65aa53728d51f0f3b9aaf51a24f8a2c3f84b4a4024245575975cf9ad7f2e5","rule":"Windows_Hacktool_SharpChromium_41ce5080","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpChromium"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpDump","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cf1e23fc0a317959fceadae8984240b174dac22a1bcabccf43c34f0186a3ac23","id":"7c17d8b1-35cf-440e-8f4e-44abdc2054bb","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"14c3ea569a1bd9ac3aced4f8dd58314532dbf974bfa359979e6c7b6a4bbf41ca","rule":"Windows_Hacktool_SharpDump_7c17d8b1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpDump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpHound","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-10-20","fingerprint":"53d295223e2330a973f9495a7ca625c1e9429bc5daf7dda1b84b2aaeca5ea898","id":"5adf9d6d-b6db-43ea-95bd-e9747b82a36d","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4","rule":"Windows_Hacktool_SharpHound_5adf9d6d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpHound"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpLAPS","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-22","fingerprint":"556b9ba9c0a2f08ff0b27e38e273f5817011de335436feb2a30cac74285d7e4f","id":"381c3f40-b6c6-4e50-be28-3d34ba07b644","last_modified":"2022-12-22","license":"Elastic License v2","os":"windows","reference_sample":"ef0d508b3051fe6f99ba55202a17237f29fdbc0085e3f5c99b1aef52c8ebe425","rule":"Windows_Hacktool_SharpLAPS_381c3f40","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpLAPS"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpMove","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"634efb2dedbb181a31ea41ff34d1d0810d1ab4823c8611737d68cb56601a052d","id":"05e28928-6109-4afe-bd86-908d354ddd80","last_modified":"2023-01-11","license":"Elastic License 
v2","os":"windows","reference_sample":"051f60f9f4665b96f764810defe9525ae7b4f9898249b83a23094cee63fa0c3b","rule":"Windows_Hacktool_SharpMove_05e28928","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpMove"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpRDP","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"a7eb084004fce79efc39781044bad501a731163fa3ad6f9b8b334611d03f5379","id":"80895fcb-b98e-4865-a1f6-87cbea327cea","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"6e909861781a8812ee01bc59435fd73fd34da23fa9ad6d699eefbf9f84629876","rule":"Windows_Hacktool_SharpRDP_80895fcb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpRDP"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpShares","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"ae0cf8bbdfecfebf69d718dc0ccc8402ed7f2f949e2b6bab606bbf69aa6c2518","id":"88cdcd52-9f5b-4ab6-8f20-137c8569d112","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"bbdd3620a67aedec4b9a68b2c9cc880b6631215e129816aea19902a6f4bc6f41","rule":"Windows_Hacktool_SharpShares_88cdcd52","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Hacktool.SharpShares"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpStay","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"346e6cf9d85c737b171914b331bb1837f90696301dbe144cbf8996b8a8cb3adb","id":"eac706c5-975e-43f2-b106-149f884a2e9a","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"498d201f65b57a007a79259ce7015eb7eb1bba660d44deafea716e36316a9caa","rule":"Windows_Hacktool_SharpStay_eac706c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpStay"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpUp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"4c6e70b7ce3eb3fc05966af6c3847f4b7282059e05c089c20f39f226efb9bf87","id":"e5c87c9a-6b4d-49af-85d1-6bb60123c057","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"45e92b991b3633b446473115f97366d9f35acd446d00cd4a05981a056660ad27","rule":"Windows_Hacktool_SharpUp_e5c87c9a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpUp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpView","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"379606da5cf6adb58d6a8e693d379252f7987ff295f838df092ce2246da08354","id":"2c7603ad-27f4-49fc-9fab-f4284620452f","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93","rule":"Windows_Hacktool_SharpView_2c7603ad","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpView"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.SharpWMI","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"20719ea15d4dee90c95b474689752172a6b6fb941dced81803f9f726ddc26d29","id":"a67d6fe5-3ce5-4e63-979e-3fb799d9d173","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"2134a5e1a5eece1336f831a7686c5ea3b6ca5aaa63ab7e7820be937da0678e15","rule":"Windows_Hacktool_SharpWMI_a67d6fe5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpWMI"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, application module","fingerprint":"951f0ca036a0ab0cf2299382049eecb78f35325470f222c6db90a819b9414083","id":"66197d54-3cd2-4006-807d-24d0e0d9e25a","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_66197d54","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, checks module","fingerprint":"7b6ede4d95b2d6d2a43e729365adb9de3fde74ed731cafdb88916ac3925f9164","id":"e8ed269c-3191-44c0-a9c6-55172fb59c8c","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_e8ed269c","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, event 
module","fingerprint":"80b32022a69be8fc1d7e146c3c03623b51e2ee4206eb5f70be753477d68800d5","id":"413caa6b-90b7-4763-97b3-49aeb5a97cf6","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_413caa6b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, File analysis module","fingerprint":"4420faa4da440a9e2b1d8eadef2a1864c078fccf391ac3d7872abe1d738c926e","id":"23fee092-f1ff-4d9e-9873-0a68360efb42","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_23fee092","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, File Info 
module","fingerprint":"03803621b6c9856443809889a14f1d2fa217812007878dd6cf9c3dc9e5f78f65","id":"861d3264-34c3-4ff0-bdd3-44cb5ecce2c8","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_861d3264","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, Network module","fingerprint":"9938c60113963da342dcb7de2252cffbeaa21d36f518e203f19a43da74d85f2d","id":"57587f8c-8fc6-41cc-bcb3-3d1d77c74222","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_57587f8c","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, Process info 
module","fingerprint":"3e407824b258ef66ac6883d4c5dd3efeb0f744f8f64b099313cf83e96f9e968a","id":"cae025b1-bc2a-4eea-a1c1-c82d6e4fd71f","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_cae025b1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, Services info module","fingerprint":"2a7b0e1d850fa6a24f590755ae5610309741e520e4b2bc067f54a8e086444da2","id":"4a9b9603-7b42-4a85-b66a-7f4ec0013338","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_4a9b9603","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, System info 
module","fingerprint":"f05862b7b74cb4741aa953d725336005cdb9b1d50a92ce8bb295114e27f81b2a","id":"4db2c852-6c03-4672-9250-f80671b93e1b","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_4db2c852","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, User info module","fingerprint":"039ea2f11596d6a8d5da05944796424ee6be66e16742676bbb2dc3fcf274cf4a","id":"bcedc8b2-d9e1-45cd-94b4-a19a3ed8c0f9","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_bcedc8b2","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the dotNet binary, Windows credentials 
module","fingerprint":"ecc2217349244cd78fa5be040653c02096ee8b6a2f2691309fd7f9f62612fa79","id":"b6bb3e7c-29f6-4bc6-8082-558a56512fc3","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_b6bb3e7c","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Hacktool.WinPEAS-ng","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-21","description":"WinPEAS detection based on the bat script","fingerprint":"06e184fb837274271711288994a3e6bfcc2a50472ca05c8af9f1e4d8efd9091d","id":"94474b0b-c3dc-4585-afb3-3afe4c3ec525","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195","rule":"Windows_Hacktool_WinPEAS_ng_94474b0b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.WinPEAS-ng"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.PUP.MediaArena","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-06-02","fingerprint":"0535228889b1d2a7c317a7ce939621d3d20e2a454ec6d31915c25884931d62b9","id":"a9e3b4a1-fd87-4f8f-a9d4-d93f9c018270","last_modified":"2023-06-13","license":"Elastic License 
v2","os":"windows","reference_sample":"c071e0b67e4c105c87b876183900f97a4e8bc1a7c18e61c028dee59ce690b1ac","rule":"Windows_PUP_MediaArena_a9e3b4a1","scan_context":"file, memory","severity":"100","threat_name":"Windows.PUP.MediaArena"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Bitpaymer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-06-25","description":"Identifies BITPAYMER ransomware","fingerprint":"2ecc7884d47ca7dbba30ba171b632859914d6152601ea7b463c0f52be79ebb8c","id":"bca25ac6-e351-4823-be75-b0661c89588a","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/","rule":"Windows_Ransomware_Bitpaymer_bca25ac6","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Bitpaymer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.BlackBasta","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-06","fingerprint":"27602cb05c054a1aa9e27b91675d57707f4a63fa91badc83ad86229839778f4e","id":"494d3c54-4690-4334-b64d-ebeeb305de0e","last_modified":"2022-08-16","license":"Elastic License v2","os":"windows","reference_sample":"357fe8c56e246ffacd54d12f4deb9f1adb25cb772b5cd2436246da3f2d01c222","rule":"Windows_Ransomware_BlackBasta_494d3c54","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Ransomware.BlackBasta"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Clop","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-05-03","description":"Identifies CLOP ransomware in unpacked state","fingerprint":"7367b90772ce6db0d639835a0a54a994ef8ed351b6dadff42517ed5fbc3d0d1a","id":"e04959b5-f3da-428d-8b56-8a9817fdebe0","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://malpedia.caad.fkie.fraunhofer.de/details/win.clop","rule":"Windows_Ransomware_Clop_e04959b5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Clop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Dharma","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-06-25","description":"Identifies DHARMA ransomware","fingerprint":"25d23d045c57758dbb14092cff3cc190755ceb3a21c8a80505bd316a430e21fc","id":"b31cac3f-6e04-48b2-9d16-1a6b66fa8012","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/","rule":"Windows_Ransomware_Dharma_b31cac3f","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Dharma"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic 
Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Egregor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-10-15","description":"Identifies EGREGOR (Sekhemt) ransomware","fingerprint":"3a82a548658e0823678ec9d633774018ddc6588f5e2fbce74826a46ce9c43c40","id":"f24023f3-c887-42fc-8927-cdbd04b5f84f","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.bankinfosecurity.com/egregor-ransomware-adds-to-data-leak-trend-a-15110","rule":"Windows_Ransomware_Egregor_f24023f3","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Egregor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Generic","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-24","fingerprint":"84ab8d177e50bce1a3eceb99befcf05c7a73ebde2f7ea4010617bf4908257fdb","id":"99f5a632-8562-4321-b707-c5f583b14511","last_modified":"2022-02-24","license":"Elastic License v2","os":"windows","reference_sample":"4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382","rule":"Windows_Ransomware_Generic_99f5a632","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Helloxd","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-06-14","fingerprint":"462d8c231d608e28e66d810b811f9fdf82d0b3770d21267a4375669a26bbaafd","id":"0c50f01b-5f3d-4112-9930-ca1150fc12fa","last_modified":"2022-07-18","license":"Elastic License v2","os":"windows","reference_sample":"435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589","rule":"Windows_Ransomware_Helloxd_0c50f01b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Helloxd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Hive","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-08-26","fingerprint":"04df3169c50fbab4e2b495de5500c62ddf5e76aa8b4a7fc8435f39526f69c52b","id":"55619cd0-6013-45e2-b15e-0dceff9571ab","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609","rule":"Windows_Ransomware_Hive_55619cd0","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Hive"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Hive","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-08-26","fingerprint":"a15acde0841f08fc44fdc1fea01c140e9e8af6275a65bec4a7b762494c9e6185","id":"3ed67fe6-6347-4aef-898d-4cb267bcbfc7","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609","rule":"Windows_Ransomware_Hive_3ed67fe6","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Hive"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Ragnarok","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-05-03","description":"Identifies RAGNAROK ransomware","fingerprint":"e2a8eabb08cb99c4999e05a06d0d0dce46d7e6375a72a6a5e69d718c3d54a3ad","id":"1cab7ea1-8d26-4478-ab41-659c193b5baa","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20","rule":"Windows_Ransomware_Ragnarok_1cab7ea1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Ragnarok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Ragnarok","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-05-03","description":"Identifies RAGNAROK ransomware","fingerprint":"a1535bc01756ac9e986eb564d712b739df980ddd61cfde5a7b001849a6b07b57","id":"efafbe48-7740-4c21-b585-467f7ad76f8d","last_modified":"2021-08-23","license":"Elastic 
License v2","os":"windows","reference":"https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20","rule":"Windows_Ransomware_Ragnarok_efafbe48","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Ragnarok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Ragnarok","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-05-03","description":"Identifies RAGNAROK ransomware","fingerprint":"5c0a4e2683991929ff6307855bf895e3f13a61bbcc6b3c4b47d895f818d25343","id":"5625d3f6-7071-4a09-8ddf-faa2d081b539","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20","rule":"Windows_Ransomware_Ragnarok_5625d3f6","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Ragnarok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Snake","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-06-30","description":"Identifies SNAKE ransomware","fingerprint":"f2796560ddc85ad98a5ef4f0d7323948d57116813c8a26ab902fdfde849704e0","id":"550e0265-fca9-46df-9d5a-cf3ef7efc7ff","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","reference":"https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/","rule":"Windows_Ransomware_Snake_550e0265","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Snake"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Ransomware.Thanos","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2020-11-03","description":"Identifies THANOS (Hakbit) ransomware","fingerprint":"d6654d0b3155d9c64fd4e599ba34d51f110d9dfda6fa1520b686602d9f608f92","id":"e19feca1-b131-4045-be0c-d69d55f9a83e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/","rule":"Windows_Ransomware_Thanos_e19feca1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Ransomware.Thanos"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.AgentTesla","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-22","fingerprint":"cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc","id":"d3ac2b2f-14fc-4851-8a57-41032e386aeb","last_modified":"2022-06-20","license":"Elastic License v2","os":"windows","reference_sample":"65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4","rule":"Windows_Trojan_AgentTesla_d3ac2b2f","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.AgentTesla"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Backoff","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-10","fingerprint":"a45fc701844e6e0cfba5d8ef90d00960b5817af66e6b3d889a54d33539cd5d41","id":"22798f00-ff2a-4f5f-a9ef-fab6d04ca679","last_modified":"2022-09-29","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_Backoff_22798f00","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Backoff"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Bandook","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-10","fingerprint":"b6debea805a8952b9b7473ad7347645e4aced3ecde8d6e53fa2d82c35b285b3c","id":"38497690-6663-47c9-a864-0bbe6a3f7a8b","last_modified":"2022-09-29","license":"Elastic License v2","os":"windows","reference_sample":"4d079586a51168aac708a9ab7d11a5a49dfe7a16d9ced852fbbc5884020c0c97","rule":"Windows_Trojan_Bandook_38497690","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Bandook"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Behinder","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-03-02","description":"Webshell found in REF2924, either Behinder or Godzilla based shell in C#","fingerprint":"cb7856a7d3e792cc60837587fe4afc04448af74cb5ce0478a09eb129e53bf7f1","id":"b9a49f4b-5923-420e-a9e6-9bfa05c93bbf","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","reference_sample":"a50ca8df4181918fe0636272f31e19815f1b97cce6d871e15e03b0ee0e3da17b","rule":"Windows_Trojan_Behinder_b9a49f4b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Behinder"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Bitrat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-13","fingerprint":"bc4a5fad1810ad971277a455030eed3377901a33068bb994e235346cfe5a524f","id":"34bd6c83-9a71-43d5-b0b1-1646a8fb66e8","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"37f70ae0e4e671c739d402c00f708761e98b155a1eefbedff1236637c4b7690a","rule":"Windows_Trojan_Bitrat_34bd6c83","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Bitrat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.BruteRatel","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-06-23","fingerprint":"f20cbaf39dc68460a2612298a5df9efdf5bdb152159d38f4696aedf35862bbb6","id":"9b267f96-11b3-48e6-9d38-ecfd72cb7e3e","last_modified":"2022-07-18","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_BruteRatel_9b267f96","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.BruteRatel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Bughatch","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-09","fingerprint":"1ac6b1285e1925349e4e578de0b2f1cf8a008cddbb1a20eb8768b1fcc4b0c8d3","id":"98f3c0be-1327-4ba2-9320-c1a9ce90b4a4","last_modified":"2022-06-09","license":"Elastic License v2","os":"windows","reference_sample":"b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f","rule":"Windows_Trojan_Bughatch_98f3c0be","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Bughatch"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Carberp","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-02-07","description":"Identifies VNC module from the leaked Carberp source code. 
This could exist in other malware families.","fingerprint":"7ce34f1000749a938b78508c93371d3339cd49f73eeec36b25da13c9d129b85c","id":"d6de82ae-9846-40cb-925d-e0a371e1c44c","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://github.com/m0n0ph1/malware-1/blob/master/Carberp%20Botnet/source%20-%20absource/pro/all%20source/hvnc_dll/HVNC%20Lib/vnc/xvnc.h#L342","reference_sample":"f98fadb6feab71930bd5c08e85153898d686cc96c84fe349c00bf6d482de9b53","rule":"Windows_Trojan_Carberp_d6de82ae","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Carberp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies UAC Bypass module from Cobalt Strike","fingerprint":"70224e28a223d09f2211048936beb9e2d31c0312c97a80e22c85e445f1937c10","id":"c851687a-aac6-43e7-a0b6-6aed36dcf12e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_c851687a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Keylogger module from Cobalt 
Strike","fingerprint":"8ecd5bdce925ae5d4f90cecb9bc8c3901b54ba1c899a33354bcf529eeb2485d4","id":"0b58325e-2538-434d-9a2c-26e2c32db039","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_0b58325e","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies dll load module from Cobalt Strike","fingerprint":"0d7d28d79004ca61b0cfdcda29bd95e3333e6fc6e6646a3f6ba058aa01bee188","id":"2b8cddf8-ca7a-4f85-be9d-6d8534d0482e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_2b8cddf8","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies getsystem module from Cobalt Strike","fingerprint":"882886a282ec78623a0d3096be3d324a8a1b8a23bcb88ea0548df2fae5e27aa5","id":"59b44767-c9a5-42c0-b177-7fe49afd7dfb","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_59b44767","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Hashdump module from Cobalt Strike","fingerprint":"9e7c7c9a7436f5ee4c27fd46d6f06e7c88f4e4d1166759573cedc3ed666e1838","id":"7efd3c3f-1104-4b46-9d1e-dc2c62381b8c","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_7efd3c3f","scan_context":"file, memory","severity":"70","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Interfaces module from Cobalt Strike","fingerprint":"62d97cf73618a1b4d773d5494b2761714be53d5cda774f9a96eaa512c8d5da12","id":"6e971281-3ee3-402f-8a72-745ec8fb91fb","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_6e971281","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Invoke Assembly module from Cobalt Strike","fingerprint":"04ef6555e8668c56c528dc62184331a6562f47652c73de732e5f7c82779f2fd8","id":"09b79efa-55d7-481d-9ee0-74ac5f787cef","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_09b79efa","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Kerberos module from Cobalt Strike","fingerprint":"cef2949eae78b1c321c2ec4010749a5ac0551d680bd5eb85493fc88c5227d285","id":"6e77233e-7fb4-4295-823d-f97786c5d9c4","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_6e77233e","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-03-23","description":"Identifies Netdomain module from Cobalt Strike","fingerprint":"ecc28f414b2c347722b681589da8529c6f3af0491845453874f8fd87c2ae86d7","id":"72f68375-35ab-49cc-905d-15302389a236","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_72f68375","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Netview module from Cobalt Strike","fingerprint":"0ecb8e41c01bf97d6dea4cf6456b769c6dd2a037b37d754f38580bcf561e1d2c","id":"15f680fb-a04f-472d-a182-0b9bee111351","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_15f680fb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Portscan module from Cobalt Strike","fingerprint":"283d3d2924e92b31f26ec4fc6b79c51bd652fb1377b6985b003f09f8c3dba66c","id":"5b4383ec-3c93-4e91-850e-d43cc3a86710","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_5b4383ec","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Post Ex module from Cobalt Strike","fingerprint":"d8baacb58a3db00489827275ad6a2d007c018eaecbce469356b068d8a758634b","id":"91e08059-46a8-47d0-91c9-e86874951a4a","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_91e08059","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Attempts to detect Cobalt Strike based on strings found in BEACON","fingerprint":"e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71","id":"ee756db7-e177-41f0-af99-c44646d334f7","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_ee756db7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies PowerShell Runner module from Cobalt Strike","fingerprint":"01d53fcdb320f0cd468a2521c3e96dcb0b9aa00e7a7a9442069773c6b3759059","id":"9c0d5561-5b09-44ae-8e8c-336dee606199","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_9c0d5561","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies PsExec module from Cobalt Strike","fingerprint":"7823e3b98e55a83bf94b0f07e4c116dbbda35adc09fa0b367f8a978a80c2efff","id":"59ed9124-bc20-4ea6-b0a7-63ee3359e69c","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_59ed9124","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-03-23","description":"Identifies Registry module from Cobalt Strike","fingerprint":"4967886ba5e663f2e2dc0631939308d7d8f2194a30590a230973e1b91bd625e1","id":"8a791eb7-dc0c-4150-9e5b-2dc21af0c77d","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_8a791eb7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Screenshot module from Cobalt Strike","fingerprint":"b6fa0792b99ea55f359858d225685647f54b55caabe53f58b413083b8ad60e79","id":"d00573a3-db26-4e6b-aabf-7af4a818f383","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_d00573a3","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies Timestomp module from Cobalt Strike","fingerprint":"5418e695bcb1c37e72a7ff24a39219dc12b3fe06c29cedefd500c5e82c362b6d","id":"a56b820f-0a20-4054-9c2d-008862646a78","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_a56b820f","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies UAC cmstp module from Cobalt Strike","fingerprint":"09b1f7087d45fb4247a33ae3112910bf5426ed750e1e8fe7ba24a9047b76cc82","id":"92f05172-f15c-4077-a958-b8490378bf08","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_92f05172","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies UAC token module from Cobalt Strike","fingerprint":"292afee829e838f9623547f94d0561e8a9115ce7f4c40ae96c6493f3cc5ffa9b","id":"417239b5-cf2d-4c85-a022-7a8459c26793","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_417239b5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-10-21","description":"Rule for browser pivot ","fingerprint":"c15cf6aa7719dac6ed21c10117f28eb4ec56335f80a811b11ab2901ad36f8cf0","id":"a3fb2616-b03d-4399-9342-0fc684fb472e","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a","rule":"Windows_Trojan_CobaltStrike_a3fb2616","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CobaltStrike","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-09","fingerprint":"c375492960a6277bf665bea86302cec774c0d79506e5cb2e456ce59f5e68aa2e","id":"7f8da98a-3336-482b-91da-82c7cef34c62","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","reference_sample":"e3bc2bec4a55ad6cfdf49e5dbd4657fc704af1758ca1d6e31b83dcfb8bf0f89d","rule":"Windows_Trojan_CobaltStrike_7f8da98a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.CyberGate","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-28","fingerprint":"3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825","id":"517aac7d-2737-4917-9aa1-c0bd1c3e9801","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","reference_sample":"07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365","rule":"Windows_Trojan_CyberGate_517aac7d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CyberGate"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.DCRat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-15","fingerprint":"fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9","id":"1aeea1ac-69b9-4cc6-91af-18b7a79f35ce","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_DCRat_1aeea1ac","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.DCRat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Darkcomet","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-08-16","fingerprint":"63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b","id":"1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569","rule":"Windows_Trojan_Darkcomet_1df27bcc","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Darkcomet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.DoorMe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-12-09","fingerprint":"aa8c2ae2e966bf4e0c79faa90b14fd77d07b7c68076f39c56b384dada9dd0e96","id":"246eda61-23b5-49b8-8409-623f2722c289","last_modified":"2022-12-15","license":"Elastic License v2","os":"windows","reference_sample":"96b226e1dcfb8ea2155c2fa508125472c8c767569d009a881ab4c39453e4fe7f","rule":"Windows_Trojan_DoorMe_246eda61","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.DoorMe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.DoubleBack","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-05-29","fingerprint":"949f8d30125fad133f4b897c945c6aa0eccda5456dc887bde4c0a5affece5195","id":"d2246a35-e582-4707-acd0-f04bb66df722","last_modified":"2022-07-18","license":"Elastic License 
v2","os":"windows","reference_sample":"03d2a0747d06458ccddf65ff5847a511a105e0ad4dcb5134082623af6f705012","rule":"Windows_Trojan_DoubleBack_d2246a35","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.DoubleBack"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.DownTown","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-10","fingerprint":"1ef6dfd9be1e6fa2d1c6b5ce32ad13252f5becf709493a7cceff3519750e0b1e","id":"901c4fdd-858c-4ad8-be12-f88799d591b9","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_DownTown_901c4fdd","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.DownTown"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Dridex","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-08-07","fingerprint":"7b4c5fde8e107a67ff22f3012200e56ec452e0a57a49edb2e06ee225ecfe228c","id":"63ddf193-31a6-4139-b452-960fe742da93","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"b1d66350978808577159acc7dc7faaa273e82c103487a90bf0d040afa000cb0d","rule":"Windows_Trojan_Dridex_63ddf193","scan_context":"file, memory","severity":"90","threat_name":"Windows.Trojan.Dridex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Generic","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-17","fingerprint":"dc14cd519b3bbad7c2e655180a584db0a4e2ad4eea073a52c94b0a88152b37ba","id":"c7fd8d38-eaba-424d-b91a-098c439dab6b","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","reference_sample":"a1702ec12c2bf4a52e11fbdab6156358084ad2c662c8b3691918ef7eabacde96","rule":"Windows_Trojan_Generic_c7fd8d38","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Gh0st","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-10","description":"Identifies a variant of Gh0st Rat","fingerprint":"3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455","id":"ee6de6bc-1648-4a77-9607-e2a211c7bda4","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d","rule":"Windows_Trojan_Gh0st_ee6de6bc","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Gh0st"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Gozi","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2019-08-02","fingerprint":"cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c","id":"261f5ac5-7800-4580-ac37-80b71c47c270","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f","rule":"Windows_Trojan_Gozi_261f5ac5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Gozi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Guloader","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-08-17","fingerprint":"53a2d6f895cdd1a6384a55756711d9d758b3b20dd0b87d62a89111fd1a20d1d6","id":"c4d9dd33-b7e7-4ff4-a2f3-62316d064f5a","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"a3e2d5013b80cd2346e37460753eca4a4fec3a7941586cc26e049a463277562e","rule":"Windows_Trojan_Guloader_c4d9dd33","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Guloader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Hancitor","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-17","fingerprint":"44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912","id":"6738d84a-7393-4db2-97cc-66f471b5699a","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","reference_sample":"a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40","rule":"Windows_Trojan_Hancitor_6738d84a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Hancitor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Hawkeye","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-03-23","fingerprint":"5bbdb07fa6dd3e415f49d7f4fbc249c078ae42ebd81cad3015e32dfdc8f7cda6","id":"975d546c-286b-4753-b894-d6ed0aa832f3","last_modified":"2023-04-23","license":"Elastic License v2","os":"windows","reference_sample":"aca133bf1d72cf379101e6877871979d6e6e8bc4cc692a5ba815289735014340","rule":"Windows_Trojan_Hawkeye_975d546c","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Hawkeye"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.IcedID","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-16","fingerprint":"155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e","id":"11d24d35-6bff-4fac-83d8-4d152aa0be57","last_modified":"2022-04-06","license":"Elastic License v2","os":"windows","reference_sample":"b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982","rule":"Windows_Trojan_IcedID_11d24d35","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.IcedID"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic 
Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.IcedID","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-08-21","description":"IcedID Gzip Variant Core","fingerprint":"503bfa6800e0f4ff1a0b56eb8a145e67fa0f387c84aee7bd2eca3cf7074be709","id":"56459277-432c-437c-9350-f5efaa60ffca","last_modified":"2023-03-02","license":"Elastic License v2","os":"windows","reference_sample":"21b1a635db2723266af4b46539f67253171399830102167c607c6dbf83d6d41c","rule":"Windows_Trojan_IcedID_56459277","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.IcedID"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Jupyter","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-07-22","fingerprint":"9cccc2e3d4cfe9ff090d02b143fa837f4da0c229426435b4e097f902e8c5fb01","id":"56152e31-77c6-49fa-bbc5-c3630f11e633","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601","rule":"Windows_Trojan_Jupyter_56152e31","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Jupyter"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Kronos","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-02-07","description":"Strings used by the Kronos banking trojan and variants.","fingerprint":"0e124d42a6741a095b66928303731e7060788bc1035b98b729ca91e4f7b6bc44","id":"cdd2e2c5-17fc-4cec-aece-0b19c54faccf","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects","reference_sample":"baa9cedbbe0f5689be8f8028a6537c39e9ea8b0815ad76cb98f365ca5a41653f","rule":"Windows_Trojan_Kronos_cdd2e2c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Kronos"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Lokibot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-22","fingerprint":"a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b","id":"1f885282-b60e-491e-ae1b-d26825e5aadb","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409","rule":"Windows_Trojan_Lokibot_1f885282","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Lokibot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Metasploit","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Identifies Meterpreter DLL used by Metasploit","fingerprint":"4fc7c309dca197f4626d6dba8afcd576e520dbe2a2dd6f7d38d7ba33ee371d55","id":"dd5ce989-3925-4e27-97c1-3b8927c557e9","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/","reference_sample":"86cf98bf854b01a55e3f306597437900e11d429ac6b7781e090eeda3a5acb360","rule":"Windows_Trojan_Metasploit_dd5ce989","scan_context":"file, memory","severity":"90","threat_name":"Windows.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Nanocore","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-13","fingerprint":"e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4","id":"d8c4e3c5-8bcc-43d2-9104-fa3774282da5","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd","rule":"Windows_Trojan_Nanocore_d8c4e3c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Nanocore"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.NapListener","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-02-28","fingerprint":"460b21638f200bf909e9e47bc716acfcb323540fbaa9ea9d0196361696ffa294","id":"414180a7-ca8d-4cf8-a346-08c3e0e1ed8a","last_modified":"2023-03-20","license":"Elastic License v2","os":"windows","reference_sample":"6e8c5bb2dfc90bca380c6f42af7458c8b8af40b7be95fab91e7c67b0dee664c4","rule":"Windows_Trojan_NapListener_414180a7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.NapListener"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Netwire","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-28","fingerprint":"4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76","id":"1b43df38-886e-4f58-954a-a09f30f19907","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254","rule":"Windows_Trojan_Netwire_1b43df38","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Netwire"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Netwire","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-08-14","fingerprint":"a52d2be082d57d07ab9bb9087dd258c29ef0528c4207ac6b31832f975a1395b6","id":"f42cb379-ac8c-4790-a6d3-aad6dc4acef6","last_modified":"2022-09-29","license":"Elastic License v2","os":"windows","reference_sample":"ab037c87d8072c63dc22b22ff9cfcd9b4837c1fee2f7391d594776a6ac8f6776","rule":"Windows_Trojan_Netwire_f42cb379","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Netwire"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.OnlyLogger","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-03-22","fingerprint":"5c8c98b250252d178c8dbad60bf398489d9396968e33b3e004219a4f323eeed8","id":"b9e88336-9719-4f43-afc9-b0e6c7d72b6f","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","reference_sample":"69876ee4d89ba68ee86f1a4eaf0a7cb51a012752e14c952a177cd5ffd8190986","rule":"Windows_Trojan_OnlyLogger_b9e88336","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.OnlyLogger"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Pandastealer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-02","fingerprint":"873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487","id":"8b333e76-f723-4093-ad72-2f5d42aaa9c9","last_modified":"2022-01-13","license":"Elastic License 
v2","os":"windows","reference_sample":"ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935","rule":"Windows_Trojan_Pandastealer_8b333e76","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Pandastealer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Parallax","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-09-08","fingerprint":"5c695f6b1bb0e72a070e076402cd94a77b178809617223b6caac6f6ec46f2ea1","id":"b4ea4f1a-4b78-4bb8-878e-40fe753018e9","last_modified":"2022-09-29","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_Parallax_b4ea4f1a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Parallax"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Pingpull","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-06-16","fingerprint":"b471e0f40780523bf396323a3b70fd285944fef2960ae43a36068eaf2f2fea4f","id":"09dd9559-ce77-4f55-9e81-3b90add40103","last_modified":"2022-07-18","license":"Elastic License v2","os":"windows","reference_sample":"de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761","rule":"Windows_Trojan_Pingpull_09dd9559","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Pingpull"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.PoshC2","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-03-29","fingerprint":"30a9161077a90068acf756dcc2354bd04186f87717e32cccdcacc9521c41ddde","id":"e2d3881e-d849-4ec8-a560-000a9b29814f","last_modified":"2023-04-23","license":"Elastic License v2","os":"windows","reference_sample":"7a718a4f74656346bd9a2e29e008705fc2b1c4d167a52bd4f6ff10b3f2cd9395","rule":"Windows_Trojan_PoshC2_e2d3881e","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.PoshC2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.PowerSeal","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-10","fingerprint":"9b7beb5af64bc57d78cfb8f5bf8134461d8f2fbe7c935a0fa2b44fb51160a28d","id":"2e50f393-40c0-49f7-882e-33f914eff32d","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_PowerSeal_2e50f393","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.PowerSeal"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Qbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-10-04","fingerprint":"ab80d96a454e0aad56621e70be4d55f099c41b538a380feb09192d252b4db5aa","id":"7d5dc64a-a597-44ac-a0fd-cefffc5e9cff","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"a2bacde7210d88675564106406d9c2f3b738e2b1993737cb8bf621b78a9ebf56","rule":"Windows_Trojan_Qbot_7d5dc64a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Qbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.RedLineStealer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-12","fingerprint":"a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580","id":"17ee6a17-161e-454a-baf1-2734995c82cd","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382","rule":"Windows_Trojan_RedLineStealer_17ee6a17","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.RedLineStealer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.RedLineStealer","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-12","fingerprint":"6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0","id":"f54632eb-2c66-4aff-802d-ad1c076e5a5e","last_modified":"2021-08-23","license":"Elastic License 
v2","os":"windows","reference_sample":"d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25","rule":"Windows_Trojan_RedLineStealer_f54632eb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.RedLineStealer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Remcos","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-10","fingerprint":"a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d","id":"b296e965-a99e-4446-b969-ba233a2a8af4","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed","rule":"Windows_Trojan_Remcos_b296e965","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Remcos"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Revcoderat","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-02","fingerprint":"bc259d888e913dffb4272e2f871592238eb78922989d30ac4dc23cdeb988cc78","id":"8e6d4182-4ea8-4d4c-ad3a-d16b42e387f4","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210","rule":"Windows_Trojan_Revcoderat_8e6d4182","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.Revcoderat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.SVCReady","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-06-12","fingerprint":"6e30d9977698c7864a8c264a7fe8c9a558f6e51dda9c887bda94261ce187645f","id":"af498d39-6ae8-46de-ad6c-81b346d80139","last_modified":"2022-07-18","license":"Elastic License v2","os":"windows","reference_sample":"08e427c92010a8a282c894cf5a77a874e09c08e283a66f1905c131871cc4d273","rule":"Windows_Trojan_SVCReady_af498d39","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.SVCReady"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.ShadowPad","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-01-31","description":"Target ShadowPad loader","fingerprint":"629f1502ce9f429ba6d497b8f2b0b35e57ca928a764ee6f3cb43521bfa6b5af4","id":"be71209d-b1c0-4922-87ae-47d0930d8755","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"452b08d6d2aa673fb6ccc4af6cebdcb12b5df8722f4d70d1c3491479e7b39c05","rule":"Windows_Trojan_ShadowPad_be71209d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.ShadowPad"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.ShadowPad","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-01-31","description":"Target ShadowPad payload","fingerprint":"7070eb3608c2c39804ccad4a05e4de12ec4eb47388589ef72c723b353b920a68","id":"0d899241-6ef8-4524-a728-4ed53e4d2cec","last_modified":"2023-02-01","license":"Elastic License v2","os":"windows","reference_sample":"cb3a425565b854f7b892e6ebfb3734c92418c83cd590fc1ee9506bcf4d8e02ea","rule":"Windows_Trojan_ShadowPad_0d899241","scan_context":"memory","severity":"100","threat_name":"Windows.Trojan.ShadowPad"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.SnakeKeylogger","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-06","fingerprint":"15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d","id":"af3faa65-b19d-4267-ac02-1a3b50cdc700","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_SnakeKeylogger_af3faa65","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.SnakeKeylogger"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Squirrelwaffle","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2021-09-20","fingerprint":"94c0d8ce3e06cf02a6fb57c074ff0ef60346babcde43c61371d099b011d9fcf9","id":"88033ff1-f9b1-4cdc-bb68-bd3a10027584","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","reference_sample":"00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c","rule":"Windows_Trojan_Squirrelwaffle_88033ff1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Squirrelwaffle"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.SysJoker","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-17","fingerprint":"9123af8b8b27ebfb9199e70eb34d43378b1796319186d5d848d650a8be02d5d5","id":"1ef19a12-ee26-47da-8d65-272f6749b476","last_modified":"2022-04-12","license":"Elastic License v2","os":"windows","reference_sample":"61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc","rule":"Windows_Trojan_SysJoker_1ef19a12","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.SysJoker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.SysJoker","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-21","fingerprint":"b1e01d0b94a60f6f5632a14d3d32f78bbe3049886ea3a3e838a29fb790a45918","id":"34559bcd-661a-4213-b896-2d7f882a16ef","last_modified":"2022-04-12","license":"Elastic License 
v2","os":"windows","reference_sample":"1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c","rule":"Windows_Trojan_SysJoker_34559bcd","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.SysJoker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Sythe","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-10","fingerprint":"4dd9764e285985fbea5361e5edfa04e75fb8e3e7945cbbf712ea0183471e67ae","id":"02b2811a-2ced-42b6-a9f1-6d983d1dc986","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","reference_sample":"2d54a8ba40cc9a1c74db7a889bc75a38f16ae2d025268aa07851c1948daa1b4d","rule":"Windows_Trojan_Sythe_02b2811a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Sythe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-28","description":"Targets importDll64 containing Browser data stealer module","fingerprint":"d382a99e5eed87cf2eab5e238e445ca0bf7852e40b0dd06a392057e76144699f","id":"23d77ae5-80de-4bb0-8701-ddcaff443dcc","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"844974A2D3266E1F9BA275520C0E8A5D176DF69A0CCD5135B99FACF798A5D209","rule":"Windows_Trojan_Trickbot_23d77ae5","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets injectDll64 containing injection functionality to steal banking credentials","fingerprint":"23d9b89917a0fc5aad903595b89b650f6dbb0f82ce28ce8bcc891904f62ccf1b","id":"5574be7d-7502-4357-8110-2fb4a661b2bd","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"8c5c0d27153f60ef8aec57def2f88e3d5f9a7385b5e8b8177bab55fa7fac7b18","rule":"Windows_Trojan_Trickbot_5574be7d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets mailsearcher64.dll module","fingerprint":"15438ae141a2ac886b1ba406ba45119da1a616c3b2b88da3f432253421aa8e8b","id":"1473f0b4-a6b5-4b19-a07e-83d32a7e44a0","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"9cfb441eb5c60ab1c90b58d4878543ee554ada2cceee98d6b867e73490d30fec","rule":"Windows_Trojan_Trickbot_1473f0b4","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets pwgrab64.dll module containing functionality use to retrieve local passwords","fingerprint":"7d5dcb60526a80926bbaa7e3cd9958719e326a160455095ff9f0315e85b8adf6","id":"217b9c97-a637-49b8-a652-5a42ea19ee8e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"1E90A73793017720C9A020069ED1C87879174C19C3B619E5B78DB8220A63E9B7","rule":"Windows_Trojan_Trickbot_217b9c97","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets shareDll64.dll module containing functionality use to spread Trickbot across local networks","fingerprint":"55dbbcbc77ec51a378ad2ba8d56cb0811d23b121cacd037503fd75d08529c5b5","id":"d2110921-b957-49b7-8a26-4c0b7d1d58ad","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"05EF40F7745DB836DE735AC73D6101406E1D9E58C6B5F5322254EB75B98D236A","rule":"Windows_Trojan_Trickbot_d2110921","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets vncDll64.dll module containing remote control VNC functionality","fingerprint":"32d63b8db4307fd67e2c9068e22f843f920f19279c4a40e17cd14943577e7c81","id":"07239dad-7f9e-4b20-a691-d9538405b931","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"DBD534F2B5739F89E99782563062169289F23AA335639A9552173BEDC98BB834","rule":"Windows_Trojan_Trickbot_07239dad","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-29","description":"Targets tabDll64.dll module containing functionality using SMB for lateral movement","fingerprint":"e6eea38858cfbbe5441b1f69c5029ff9279e7affa51615f6c91981fe656294fc","id":"2d89e9cd-2941-4b20-ab4e-a487d329ff76","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"3963649ebfabe8f6277190be4300ecdb68d4b497ac5f81f38231d3e6c862a0a8","rule":"Windows_Trojan_Trickbot_2d89e9cd","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Targets cookiesdll.dll module containing functionality used to retrieve browser cookie data","fingerprint":"0aeb68977f4926272f27d5fba44e66bdbb9d6a113da5d7b4133a379b06df4474","id":"32930807-30bb-4c57-8e17-0da99a816405","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d","rule":"Windows_Trojan_Trickbot_32930807","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Targets Outlook.dll module containing functionality used to retrieve Outlook data","fingerprint":"df4336e5cbca495dac4fe110bd7a727e91bb3d465f76d3f3796078332c13633c","id":"618b27d2-22ad-4542-86ed-7148f17971da","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e","rule":"Windows_Trojan_Trickbot_618b27d2","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Targets DomainDll module containing functionality using LDAP to retrieve credentials and configuration information","fingerprint":"d145b7c95bca0dc0c46a8dff60341a21dce474edd169dd0ee5ea2396dad60b92","id":"6eb31e7b-9dc3-48ff-91fe-8c584729c415","last_modified":"2021-10-04","license":"Elastic License v2","os":"windows","reference_sample":"3e3d82ea4764b117b71119e7c2eecf46b7c2126617eafccdfc6e96e13da973b1","rule":"Windows_Trojan_Trickbot_6eb31e7b","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Generic signature used to identify Trickbot module usage","fingerprint":"2667c7181fb4db3f5765369fc2ec010b807a7bf6e2878fc42af410f036c61cbe","id":"91516cf4-c826-4d5d-908f-e1c0b3bccec5","last_modified":"2021-08-31","license":"Elastic License v2","os":"windows","reference_sample":"6cd0d4666553fd7184895502d48c960294307d57be722ebb2188b004fc1a8066","rule":"Windows_Trojan_Trickbot_91516cf4","scan_context":"file, memory","severity":"80","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Trickbot","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-30","description":"Targets permadll module used to fingerprint BIOS/firmaware data","fingerprint":"047b1c64b8be17d4a6030ab2944ad715380f53a8a6dd9c8887f198693825a81d","id":"be718af9-5995-4ae2-ba55-504e88693c96","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"c1f1bc58456cff7413d7234e348d47a8acfdc9d019ae7a4aba1afc1b3ed55ffa","rule":"Windows_Trojan_Trickbot_be718af9","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Trickbot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-03-28","alert":"Windows.Trojan.Xworm","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-04-03","fingerprint":"afbef8e590105e16bbd87bd726f4a3391cd6a4489f7a4255ba78a3af761ad2f0","id":"732e6c12-9ee0-4d04-a6e4-9eef874e2716","last_modified":"2023-04-23","license":"Elastic License v2","os":"windows","reference_sample":"bf5ea8d5fd573abb86de0f27e64df194e7f9efbaadd5063dee8ff9c5c3baeaa2","rule":"Windows_Trojan_Xworm_732e6c12","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Xworm"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-03-28","alert":"Cobalt Strike's resources/template.py signature for versions v3.3 to 
v4.x","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","hash":"d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_Py_v3_3_to_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-03-28","alert":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","trigger":"packages/full/yara-rules-full.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","hash":"ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA 
rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"github.com/YARAHQ/yara-forge/releases/download/20240324/yara-forge-rules-full.zip","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.3","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-03-28T19:25:12.115Z","timestamp":1711653912115,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"github.com","organization":""},"issuer":{"commonName":"Sectigo ECC Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 07 Mar 2024 00:00:00 GMT","end":"Fri, 07 Mar 2025 23:59:59 GMT"},"fingerprint":{"sha1":"E7:03:5B:CC:1C:18:77:1F:79:2F:90:86:6B:6C:1D:F8:DF:AA:BD:C0","sha256":"FD:6E:9B:0E:F3:98:BC:D9:04:C3:B2:EC:16:7A:7B:0F:DA:72:01:C9:03:C5:3A:6A:6A:E5:D0:41:43:63:EF:65"}}},"request":{"raw":"GET /YARAHQ/yara-forge/releases/download/20240324/yara-forge-rules-full.zip HTTP/1.1\r\nHost: github.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: 
en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 302 Found\r\nserver: GitHub.com\r\ndate: Thu, 28 Mar 2024 19:25:02 GMT\r\ncontent-type: text/html; charset=utf-8\r\nvary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With\r\nlocation: https://objects.githubusercontent.com/github-production-release-asset-2e65be/711268411/cfbb9c85-58d3-4c78-a4b9-96e498ca23c7?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240328%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20240328T192502Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=967bddb61f2143a1c7f0d08f39d01e570aa4df718f97cf724675aeab6029f589\u0026X-Amz-SignedHeaders=host\u0026actor_id=0\u0026key_id=0\u0026repo_id=711268411\u0026response-content-disposition=attachment%3B%20filename%3Dyara-forge-rules-full.zip\u0026response-content-type=application%2Foctet-stream\r\ncache-control: no-cache\r\nstrict-transport-security: max-age=31536000; includeSubdomains; preload\r\nx-frame-options: deny\r\nx-content-type-options: nosniff\r\nx-xss-protection: 0\r\nreferrer-policy: no-referrer-when-downgrade\r\ncontent-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com 
productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com 
github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/\r\ncontent-length: 0\r\nx-github-request-id: F0F9:369FA7:1816A99:184E17C:6605C418\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"application/octet-stream","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-08T04:57:21.974577Z","times_seen":14821524,"resource_available":true,"data":null}},"time_used":284,"timings":{"blocked":122,"dns":0,"connect":24,"send":0,"wait":40,"receive":0,"ssl":93},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"objects.githubusercontent.com/github-production-release-asset-2e65be/711268411/cfbb9c85-58d3-4c78-a4b9-96e498ca23c7?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240328%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20240328T192502Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=967bddb61f2143a1c7f0d08f39d01e570aa4df718f97cf724675aeab6029f589\u0026X-Amz-SignedHeaders=host\u0026actor_id=0\u0026key_id=0\u0026repo_id=711268411\u0026response-content-disposition=attachment%3B%20filename%3Dyara-forge-rules-full.zip\u0026response-content-type=application%2Foctet-stream","fqdn":"objects.githubusercontent.com","domain":"objects.githubusercontent.com","tld":"githubusercontent.com"},"ip":{"addr":"185.199.109.133","port":443,"asn":54113,"as":"FASTLY","country":"
United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-03-28T19:25:12.288Z","timestamp":1711653912288,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.github.io","organization":"GitHub, Inc."},"issuer":{"commonName":"DigiCert Global G2 TLS RSA SHA256 2020 CA1","organization":"DigiCert Inc"},"validity":{"start":"Fri, 15 Mar 2024 00:00:00 GMT","end":"Fri, 14 Mar 2025 23:59:59 GMT"},"fingerprint":{"sha1":"97:D8:C5:70:0F:12:24:6C:88:BC:FA:06:7E:8C:A7:4D:A8:62:67:28","sha256":"09:01:0C:CE:9B:72:21:55:C7:E6:86:B0:77:39:D3:D2:DC:06:05:DE:A1:A4:98:4A:0B:96:5E:18:77:77:26:B5"}}},"request":{"raw":"GET /github-production-release-asset-2e65be/711268411/cfbb9c85-58d3-4c78-a4b9-96e498ca23c7?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240328%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20240328T192502Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=967bddb61f2143a1c7f0d08f39d01e570aa4df718f97cf724675aeab6029f589\u0026X-Amz-SignedHeaders=host\u0026actor_id=0\u0026key_id=0\u0026repo_id=711268411\u0026response-content-disposition=attachment%3B%20filename%3Dyara-forge-rules-full.zip\u0026response-content-type=application%2Foctet-stream HTTP/1.1\r\nHost: objects.githubusercontent.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 
OK\r\ncontent-type: application/octet-stream\r\ncontent-md5: xE86MwyS3a/qjUD1JnDsTg==\r\nlast-modified: Sun, 24 Mar 2024 02:01:12 GMT\r\netag: \"0x8DC4BA64841E31B\"\r\nserver: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0\r\nx-ms-request-id: c7906960-a01e-006e-2992-7db47a000000\r\nx-ms-version: 2020-10-02\r\nx-ms-creation-time: Sun, 24 Mar 2024 02:01:12 GMT\r\nx-ms-lease-status: unlocked\r\nx-ms-lease-state: available\r\nx-ms-blob-type: BlockBlob\r\ncontent-disposition: attachment; filename=yara-forge-rules-full.zip\r\nx-ms-server-encrypted: true\r\nvia: 1.1 varnish, 1.1 varnish\r\naccept-ranges: bytes\r\ndate: Thu, 28 Mar 2024 19:25:12 GMT\r\nage: 10\r\nx-served-by: cache-iad-kcgs7200179-IAD, cache-hel1410033-HEL\r\nx-cache: HIT, HIT\r\nx-cache-hits: 101, 1\r\nx-timer: S1711653912.330151,VS0,VE461\r\ncontent-length: 3634228\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":3634228,"size_decoded":3634228,"mime_type":"application/octet-stream","magic":"Zip archive data, at least v1.0 to extract, compression method=store","md5":"c44f3a330c92ddafea8d40f52670ec4e","sha1":"acb1332410ebf8626d75db32815b5be51f5a6cc8","sha256":"09f46a1fa84e7a26de7e64f6f28c13202dd2a3031c1e1963da82a27cce3d3af8","sha512":"ebb2d1a913e628e683de4c4462b712bb539105ba46a3a835c1b5b4a4241cf39161c216aa3ea73c0130551f5a3b4fb06138e69f587b3eb4f13f92b7e3288c49e4","ssdeep":"98304:CvDpOA0xxeTvq6M3P5/UOMhWMwvN/Ac7TnB9hS:CbpOrTOvi3GOM9w1B7jBXS","tlshash":"faf533afab9115843428a393fe0a2e358186abf6f46c8765005f57f7303f17b4896f25","first_seen":"2024-08-20T06:44:15.789087Z","last_seen":"2024-08-20T06:44:15.88306Z","times_seen":2,"resource_available":false,"data":null}},"time_used":881,"timings":{"blocked":38,"dns":0,"connect":14,"send":0,"wait":476,"receive":329,"ssl":20},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}
